Given how quickly business leaders are mobilizing to address regulatory compliance requirements these days, it's not surprising that more and more companies are now adopting, as a disciplined framework for internal controls, the COSO model established by the Committee of Sponsoring Organizations of the Treadway Commission in 1992.
COSO represents the most broadly accepted internal control framework against which organizations can assess or design their internal control systems - a framework, by the way, that has also been incorporated as a basis for U.S. auditing standards.
The problem is that as companies begin to put the components of a COSO framework in place, many decision-makers and planners are just not pushing this new discipline all the way down to what effectively represents the fundamental core of the COSO model: the quality of the underlying data.
This oversight obscures a very promising opportunity for companies to significantly increase their return on a COSO-aligned investment. That's because when a comprehensive data management program is properly embedded within a COSO implementation, planners may be able to establish a sustainable, long-term stream of business and IT-related benefits to the organization. These benefits can extend well beyond ensuring the organization's financial reporting objectives are being achieved to also ensuring the achievement of operational efficiency and effectiveness objectives.
The COSO Internal Control - Integrated Framework is a structured road map to an internal control system that provides reasonable assurance regarding the achievement of objectives in three categories: 1) effective and efficient operations, 2) reliable financial reporting, and 3) compliance with applicable laws and regulations.
Consider just how integral data is to the following five components of internal control that the COSO framework stipulates must be present and functioning.
Control Environment: Data quality must be an explicit priority. According to COSO, the control environment establishes the discipline and structure for the organization, as well as the values, management philosophy and operating style expected to support the internal control system. As a foundational platform for internal controls, data management as a process - and information quality as an outcome - must be accorded a priority status within the control environment through key activities such as the explicit assignment of roles and responsibilities for data, and the identification of metrics that facilitate data governance and control.
Risk Assessment: How you address data impacts risk. The COSO standard defines risk assessment as including the full set of tasks supporting management's identification and analysis of risks to the organization's achievement of predetermined objectives. Either directly or indirectly, data quality can have a tremendous impact not just on the achievement of these objectives, but also, much more broadly, on the extent of the risks that threaten that achievement. Poor quality data at any point in the internal control process can increase operational risk and financial risk as well as regulatory compliance and legal risk.
Control Activities: Data represents the means of control. If you can't measure it, you can't manage it. The COSO framework describes control activities as the policies and procedures necessary to ensure that management objectives are achieved and risk mitigation strategies are carried out. It's important to remember, however, that data represents the granular means of control - it enables efficient, effective control across the established COSO processes. In order to perform that function, policies and procedures supporting rigorous data management must be identified and documented as an important part of a COSO deployment.
Information and Communication: It's data that enables reporting and action. Naturally, the COSO system requires that relevant information supporting all control functions and responsibilities be communicated in a form and time frame that allows those responsible to carry out their duties. However, the effectiveness of communications and the impact of decision making will be severely compromised if the data isn't up to par.
Monitoring: Data either drives or compromises its effectiveness. This set of tasks addresses the oversight of internal controls either by management, by independent parties outside the organization or by a combination of the two. Because monitoring depends centrally on measuring the difference between actual performance and accepted operating ranges for specified activities, the data examined by the monitoring process must be as accurate, timely and secure as possible.
While the five elements described address the important components of an internal controls capability, by themselves they don't clarify the opportunities that can unfold when a COSO implementation is deployed in alignment with a data management initiative. In effect, a COSO-aligned data management program pays out two sets of dividends. First, it ensures that COSO controls are based on solid data. Second, it ensures that the same coordinated set of data-focused processes, controls and technologies that underlie COSO are now available to support other opportunities throughout the enterprise to increase efficiencies, lower costs and improve bottom-line performance.
As many of you know too well, company initiatives championed at first as having great promise tend to come and go. Those that last do so in large part because they're implemented in a manner that is sustainable. On the one hand, as its broad and accelerating market acceptance seems to indicate, the COSO standard appears well positioned to endure as a guiding framework for internal control. On the other hand, the value that the COSO framework represents for any single organization or division rises or falls depending on whether the quality of the underlying data is recognized and addressed as a critical success factor at the core of the COSO architecture.
Many corporate leaders think data management, like internal control, should start in the boardroom. However, can they imagine an organization where the effectiveness of either one of these wasn't fundamentally dependent on the other?