[attach id=259887 size="medium"][/attach]

Hidden exposures in business: these are what effective internal controls can help uncover. In recent years, we have witnessed and suffered the higher costs that can result when these threats remain unchecked.

Where do the blind spots lurk in your business: in high-cost items, hiding fictitious transactions or overspending? In high-frequency trading records that may conceal a staggering loss? In social media, where customer problems brew before a public relations damage limitation becomes necessary?

The 1992 Internal Control-Integrated Framework developed by Coso (The Committee of Sponsoring Organisations of the Threadway Commission) has been widely adopted to support external financial reporting requirements. After 20 years, Coso decided it was time for a refresh.

The 2013 update, authored by PwC, is designed to address reporting, compliance, and operational objectives. This provides businesses and their stakeholders with a common vocabulary for getting a handle on the ever-changing environment.

As business evolves, leading companies evolve their internal control systems. The newly released framework provides the perfect opportunity to consider: Are your controls really keeping up? A fresh look at controls may especially benefit your company if you are going through...

A major change. Your growth, restructurings, or new markets, products, and partners – they introduce new risks. How do your controls adapt to change?

Ongoing regulatory oversight and scrutiny. If you are complying with more regional or global requirements, there may be little room for error.

Greater complexity in your operating model and structure. Taking on new service providers or other partners can create risks that may be far removed from the business.

Expanding reliance on technology. New uses of existing technology and new tech investments may impact risks for internal and external interactions.

New and evolving expectations for non-­financial reporting. Stakeholders and regulators seek greater transparency and confidence in reporting.

Business failures and brand-damaging events. Businesses in many industries need to rebuild trust with customers and stakeholders. What breakdowns have you experienced with existing controls and why didn’t you anticipate them?

How can you be sure your system of control remains up to the task? The Coso Framework was updated in three important ways to make it easier for your controls to evolve with the business:

• Reflective of the current environment. The update reflects how doing business has changed and provides guidance to assess risk and keep related controls current.

• Applicable to more business objectives. The update helps you apply internal control to your growing list of objectives. It now addresses internal reporting, which can satisfy requirements set by senior management and boards. The update also covers external non-financial reporting requirements driven by laws, regulations, or even heightened stakeholder expectations.

Flexible and customisable. The update is principles-based, making it more flexible, adaptable, and broadly applicable than a rules-based framework.

There are key messages that emerge from the updated Coso Framework and its areas of focus:

• Gain comfort around what matters. You can apply internal control to many aspects of your business, but the key is targeting where it is really needed. The update can help you clearly identify and communicate where there are important objectives and select the right controls to apply.

• Remove the blind spots. Without a full view of your business, hidden exposures can put you at risk. The update is designed to help reveal risks you may be unaware of by focusing on objectives, related risks, and controls in all reaches of your business - its legal entities, divisions, operating units, and functions.

• Take control through people, technology, information and processes. Managers with key roles in operating units and functions, like supply chain, IT security, and portfolio management, are closest to the risks and changes that could impact them. They are well-positioned to spot new risks, identify when issues are likely to occur, and select controls to mitigate risks. The update includes principles on how people within organisations are equipped to recognise and address risk. In addition, the update recognises that while technology is the engine of many businesses – connecting employees, partners, and customers – overreliance on technology can introduce risks and mask problems. This is especially true for mobile, social, cloud, and other emerging technologies. The update includes a principle explicitly focused on controls over the use of technology.

The above is based on an interview with Catherine Jourdan, a PwC director that co-authored the Coso Framework document. She will be giving a presentation at the PwC’s Academy on the updated Framework in Malta on June 26.

Anna Camilleri is a senior manager at PwC.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.