When I was younger, I was often unpleasantly surprised to find out that responsibilities have layers. I thought I had gone through the final step… but no! Instead I realized there was another step, another layer of complexity that needed to be embraced. And then I found another layer and another layer.
I remember one moment of frustration regarding my ‘dream’ car vividly. When I was 16 I wanted a cool car so I could have more freedom, but first I had to pass the driving test. Check. Then I had to learn how to change a tire and add water and oil. Check. Next, Dad withholds cool car and instead buys me a junky car because he imagined that I would bang up my first car (he was right). Check.
Dad decides I can handle a somewhat cooler car when I am 18. Sweet! Check. Proceed to drive the somewhat cooler car slowly through a notorious speed trap in Houston only to get a ticket for having an expired inspection sticker. What? Wait. What the heck is an inspection sticker? Nobody told me about annual inspections. How much does that cost?
Well, I don’t want you finishing up this book about internal controls and then gasp, “Inspection stickers! No one told me about inspection stickers!” My dad’s response to my complaint was, “What did you think that big square thing with the date on it in the driver’s side window was?” No good answer for that.
So I want to pause to cover another important layer of the COSO model that you may not have considered yet – although it sits right in the introduction of the Green Book– the requirement that the controls work together in an integrated manner.
Green Book: OV2.04 … The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective.
Integrate the controls
What does ‘integrate’ mean? Integrate means that various parts are linked together or coordinated.
Maybe an example will demonstrate what integrated controls look like. Let’s say that your control objective is to prevent unallowable charges on credit cards issued to the buildings and maintenance folks.
The ideal controls sound like they both help satisfy the control objective AND belong together. See if you can see how these controls fit together:
Control Environment: Hire accountants skilled at performing reconciliations
Control Activity: Require buildings and maintenance employees submit receipts and invoices to support credit card charges
Monitoring: Accountants match receipts to invoices each month and evaluate charges for allowability.
Information and communication: Accounting emails a report detailing unallowable charges and un-reconciled/undocumented charges to the executive team each month
Several people have been very proud to show me their tricked out, ‘dream’ Green Book spreadsheet. One of my favorites was a spreadsheet that listed the 17 principles along the left hand side as row titles. And then the 12 compliance items for federal programs were listed along the top as column headers. The controls in place were the contents of the cells. But I had to inform the proud creator that simply listing a control in a cell wasn’t all that needed to be done, the controls also needed to be integrated. They were not happy. Layer, layer, layer.
Just like learning how to take care of a car, the process of creating controls is long and full of little surprises. Whenever I see the word iterative, I now know what they really mean is you are now embracing the ‘never ending quest for improvement’. Iterative also means that it will never be perfect, which is hard for some folks to tolerate. Anybody who has tried to design a control process, document a control process, and implement a control process can attest to it being imperfect and never, ever done.
And the Green Book goes on to say that simply copying other people’s control system probably isn’t going to work either. Bummer.
Green Book: OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors.
Where we have been and where we are going
I hope you have been enjoying the book so far. First we had to learn what the top, side, and front of the cube meant, from a very broad view. Then we took a deep dive into risk assessment. Next it is time to mitigate the risks we have identified. We will endeavor to embrace our responsibilities and avoid unpleasant surprises by layering on controls for the remaining four components of the COSO model: control activities, information and communication, monitoring, and control environment.
If you would like to catch up on what I have written so far about the Green Book, please see these article/chapters.
The next chapter should sound very familiar if you have every worked on controls before. We will use concepts like ‘segregation of duties’ and ‘authorization.’ We are far from done. Iterate, integrate, iterate, integrate….