COSO Framework: Breaking Down the Silos and Bringing Everyone Together (Part II of II)
The COSO framework contains important principles for structuring a global organization and its internal controls, including compliance policies and procedures. Compliance officers have to learn and use the COSO framework when communicating and convincing the CFO to embrace a new world with both compliance and financial controls within an effective governance framework.
Global companies are recognizing (sometimes slowly) that management silos in a company prevent information sharing and coordination. In most organizations, employees are organized around regulatory operations, function, market or geographic locations. This mindset makes it difficult for compliance, finance, human resources, procurement, and risk management to coordinate, share information and operate efficiently.
To illustrate my point, it is rare for audit, compliance and operations executives to have visibility into each others’ respective operations, ready access to information generated by each and specific information by location and function. Data systems are rarely integrated across an organization, and operating objectives are not consistent across functions, locations and the entire organization. Individual units may have different performance metrics. As a result, top management and the company’s board cannot readily gain access to reliable information about the company’s operations or its overall compliance performance.
The compliance function depends on coordination from the top of an organization. A compliance system is built on consistent guidance from the top to operations throughout the organization. Moreover, without a consistent message and set of standards, a company cannot determine of compliance objectives are being met. If a government enforcement action is initiated and the company is required to undertake an internal investigation, the company will have difficulty producing accurate and complete responses and documentation of activities. As a result, a company may not be able to validate that its governance system is operating effectively.
A compliance program has to be built consistently and integrated into the operations and financial controls of the company. If not, the compliance program will stumble and falter, with little documentation and verification of its operations.
A basic outline of compliance program standards includes:
- A centralized compliance function with tiered staffing in regional and local operations;
- Assignment of adequate resources;
- A consistent set of policies and procedures;
- A standard platform or compliance performance metrics in each operating unit;
- A consistent and equivalent set of performance standards across management, financial and compliance functions. For example, financial performance should not have priority over management or compliance functions.
- A standard third-party risk management system is deployed throughout the organization;
- The integration of financial, compliance and operational controls into a single set of internal controls for reporting, measurement and monitoring.
The COSO framework pushes organizations to integrate compliance functions into the company’s internal controls and key performance indicators. Most global companies have used the COSO framework for managing financial controls and enterprise risk. The new COSO framework implemented in 2013 expanded to support an increased focus on compliance and reporting objectives that surround risk.
A single governance framework helps a company to ensure that compliance is transparent, properly monitored, and built on accountability. In this framework, companies can build out a compliance structure that is centralized and includes regional and local compliance functions that fully integrated. By adopting the new COSO framework, a company is sending an important message to stakeholders that managing compliance risk is a high-priority to the company.