The 'Other' Rules ~ Internal Control and the Influence of COSO
Leading business rule practitioners Ronald Ross and Gladys Lam advise that core business rules -- those that directly support the organization's strategy -- comprise only about 2 to 3 percent of all of the organization's business rules.
So, where do the rest of the business rules come from? Many are a result of the external requirements imposed by regulators -- and for good reason. Recent corporate failures have seen heavyweight organizations such as Enron, Arthur Andersen, and MCI Worldcom disappear, affecting not only the American corporate landscape, but also the global economy. Other recent examples of corporate failure from around the world include Parmalat in Europe and HIH Insurance in Australia.
This article aims to provide an introduction to the COSO Framework, the basis for internal control and reporting standards now being adopted across developed economies, and to discuss how COSO translates into policies, procedures, and business rule sets in organizations, using state government agencies in New South Wales, Australia, as an example. The article ends with the presentation of a case for an organization to put in place a business rules management tool.
The failures of the U.S. companies mentioned above led to a crisis of confidence in the American economy and saw resultant action by President Bush with the introduction of the Sarbanes-Oxley Act in 2002. This legislation applies not only to US-based firms but also to foreign companies trading in the USA. Australia has seen the introduction of legislation governing board and executive actions and the compulsory adoption of International Financial Reporting Standards to align more closely with UK and European standards.
This all supports the continuing trend for global internal control and reporting standards, with timelines for their introduction now being set by accounting bodies and governments.
As a result of current legislation, both the public and private sectors have experienced a rise in accountability requirements that are causing them to adopt techniques to raise their level of performance in assessment, evaluation, and reporting. And this improvement has had to occur from the board level, down.
When drafting the internal control requirements of the Sarbanes-Oxley Act, the PCAOB (Public Company Accounting Oversight Board -- the entity established under the Act to oversee auditors) relied heavily on work done in the early 1990's by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations"
The two sections in the Sarbanes-Oxley Act that should concern IT executives the most are 302 and 404(a). These sections deal with the internal controls that a company has in place to ensure the accuracy of their data. This relates directly to the software systems that a company uses to control, transmit, and calculate the data that is used in their financial reports.
In particular, Section 404(a) requires companies to identify the framework used by management to evaluate the effectiveness of their internal control and then to attest to the effectiveness of these controls in the year-end financial report.
Since the vast majority of data that makes up financial reports is generated by IT and related processes, it is critical that the effectiveness of these processes can be verified.
The COSO publications describe an internal control framework of five interrelated components, which were derived from the way management runs a business and are integrated with the management process:
- Control Environment -- the people and the environment in which they operate
- Risk Assessment -- the establishment of mechanisms to identify, analyze, and
manage risks related to objectives
- Control Activities -- control policies and procedures to ensure that the actions
identified by management as necessary to address risks to achievement of the entity's
objectives are effectively carried out
- Information and Communication -- to enable the entity's people to capture and
exchange the information needed to conduct, manage, and control its operations
- Monitoring -- the entire process must be monitored so that the system can react dynamically, changing as conditions warrant
In volume 2 of their original publication (Internal Control -- Integrated Framework), COSO published a toolkit, using the above framework, which can be used for evaluation of an entity's internal control system. Activities covered are
- Manage Information Technology,
- Manage Risks,
- Manage Legal Affairs,
- Marketing and Sales,
- Process Accounts Payable,
- Process Accounts Receivable,
- Human Resources,
- Process Funds,
- Technology Development,
- Process Fixed Assets,
- Analyze and Reconcile,
- Manage Finance,
- Process Benefits and Retiree Information,
- Manage the Enterprise,
- Process Payroll,
- Manage External Relations,
- Process Tax Compliance,
- Provide Administrative Services,
- Process Product Costs, and
- Provide Financial and Management Reporting.
So, how does the COSO Framework manifest itself? To illustrate, I'll use the example of procurement in a government agency.
In 2004, I had the opportunity to manage a project for the devolvement of the purchasing process from the Finance branch to other branches in the State Library of New South Wales, located in Sydney, Australia. This project also involved the introduction of electronic signing of purchase orders, so I needed to become familiar with the work of COSO, as the New South Wales (NSW) state government had issued guidelines to its Agencies based on COSO's work.
Initial interviews with Library personnel disclosed some knowledge of necessary processes and rules, and an awareness of NSW government websites where they could "look up the detail," if necessary.
Following the guidelines of Ron Ross and Gladys Lam, I organized a 'Policy Charter' meeting, involving both management and staff representatives, so that a full understanding of the Library's current procurement rules could be compiled and agreed.
It became clear that branch personnel in the Library took advice from Finance staff on the process and rules for procurement. This was most often provided verbally, with only the rules for 'not in contract' procurements documented for a widespread audience (on the reverse of the 'Requisition for Equipment, Supplies and Service' form -- an internal form used to initiate a purchase order to a supplier).
The Policy Charter meeting attendees commissioned me to establish the current situation as decreed by the legislation and NSW Treasury and Department of Commerce guidelines.
The Finance staff saw this as an opportunity to query the need to raise purchase orders for small dollar acquisitions. They advised that there was currently an informal figure of $200, above which it was felt that purchase orders needed to be issued. The staff had queried this with previous management but had not received a definitive ruling. Finance branch were reluctant to make a change, as they were unsure where this figure originated and whether it was set by the NSW Government or by Library management. This article will use the case of this rather straightforward business rule as an example of one of the many operational rules that procurement activities necessitate in medium- and large-sized organizations.
My findings from the NSW Government websites were:
- Firstly, it is necessary for an Agency's management to be aware of legislation passed by State parliament. In NSW, a number of parliamentary acts touch on procurement. However the primary legislation is contained in the Public Finance & Audit Act (1983).
- Parliamentary acts are typically succinct and cannot easily be translated into operational rules. Rather, the legislation sets the reference for secondary directives (Section 9 of the NSW Public Finance & Audit Act provides for Treasurer's Directions to be issued from time to time).
- It is the responsibility of individual Agencies to provide their procurement personnel with guidance on detailed policies, procedures, and guidelines that reflect the Agency's particular needs and circumstances.
These secondary directives include primary documents such as an overarching NSW Government Procurement Policy, which is supported by a suite of guidelines that comprise the NSW Government Procurement Manual. Further clarification of the legislation is also published by the Government Procurement Agency, an agency within the Department of Commerce super ministry. (NSW Treasury provide a full list of their publications, by policy area, at .)
The procurement guidelines are built on the Statement of Best Practice Internal Control and Internal Audit and an Internal Control Assessment, both issued in 1995 and a Risk Management and Internal Controls Toolkit, published in 1997. These publications utilise the work of COSO as a basis.
As can be seen, it is not a clear path from legislation and the work of COSO to operational rules. For example, neither the legislation nor COSO mention dollar figure amounts. And the few dollar amounts mentioned in Treasury/Department of Commerce procurement guidelines concern either the steps that need to be followed if a project/acquisition is over a certain dollar limit, or the steps that are required for a 'not in contract' acquisition. To relate back to the small dollar acquisition issue raised during the Policy Charter meeting, there is no pronouncement in the guidelines specifying the dollar value of acquisitions after which purchase orders must be raised. It is the task for individual Agency management to set this rule, and the many others that are required to clearly implement the guidelines and COSO risk management / internal controls framework.
Rule Recording and the Challenge of Change
COSO's publications call for the rules to be documented in policies and procedures. This does not always occur, due to various reasons, such as resourcing. COSO recognized that the 'tone at the top' -- i.e. the attitude of the organization's board and senior management -- sets the real guideline for internal control and risk management. As such there is still scope for varying efforts, and the need remains for auditors, both internal and external, to check an organization's compliance.
So, how does an organization implement, manage, and make transparent in IT systems the many rules that emanate from the activities covered by the COSO Framework? Particularly as, whilst frameworks and legislation remain in effect for some time, the guidelines are easily changeable. For example, the key legislation described above (the Public Finance and Audit Act) was enacted in 1983, and the COSO Framework was published in 1992; however the NSW Treasury has reissued a revised NSW Government Procurement Policy in July 2004 -- which in fact was half way through my devolution project at the State Library! This revision replaced a Treasury Policy issued in 1999, which had replaced a draft Treasury Policy issued in 1998. Prior to this, procurement guidelines had been issued by the NSW Premier's Department (last issued 1995).
State Library of NSW has in place guidelines for the format for the publication of policies. The organization does not have a formal format for documenting procedures and business rules. What was discovered was that interpretations of part of the NSW Treasury procurement policy and guidelines were contained in emails from various managers. Clarification of the instructions, and the motivation behind them, was not possible, as the individuals were no longer with the organization. Also, no guideline or rule was found regarding the need to raise purchase orders for acquisitions over a particular dollar amount.
The other potential source for documented rules, the Accounting Manual made available to Finance branch staff, repeated the rules for 'items not in contract.' The additional operational rules it disclosed were contained in the process descriptions for the entry and management of purchase orders in the Library's Oracle Financial Management Information System.
As can be seen from this example, the many operational rules that are necessary in an organization of size can be subject to change as a result of initiatives by the organization's management, as well as from initiatives by external parties such as parent organizations, accounting bodies, and government departments.
The regularity of change in today's business world means that the recording of the business and systems context that can be linked to business rules can have great benefits for an organization later down the track. This recording of motivation is best captured at the time a rule is originated.
A solution for capturing business and systems context that is available today is the use of a business rule management tool. At the same time, this tool provides the mechanism to implement, manage, and make transparent business rules in IT systems.
Business rule management tools provide easy search and reporting capabilities, and the more comprehensive products provide access to rules via the six key questions of the Zachman Framework (What, How, Where, Who, When, Why). The tool should also allow rule-to-rule connections, rule grouping, vocabulary management, and party/role specification. Integration with the business rule engine and business process management system in use by the organization is also of great benefit.
A business rules management tool -- used in conjunction with the Business Rule Approach foundations as advocated by leaders like Ron Ross, Gladys Lam, and others -- will provide the documented set of internal rules that will stand up to audit scrutiny of how data is generated, manipulated, recorded, and reported.
Smart business and IT managers will appreciate the benefits of the Business Rule Approach and associated tools. Most importantly, their CEO's and CFO's will appreciate these managers when it comes time to sign the financial reports, especially when they consider the multimillion-dollar fines, ruined reputations, and even possible jail time for top executives, as is possible under the Sarbanes-Oxley legislation!
 Public Company Accounting Oversight Board (PCAOB), Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, March 9, 2004. URL: www.pcaobus.org/rules_of_the_board/documents/release-20040308-1a.pdf
 American Institute of Certified Public Accountants (AICPA), COSO Enterprise Risk Management -- Integrated Framework. URL: www.aicpa.org/pubs/tpcpa/nov2004/coso.htm
 NSW Treasury, NSW Government Procurement Policy , July 2004. URL: www.treasury.nsw.gov.au/pubs/tpp2004/tpp04-1.pdf
 NSW Department of Commerce, NSW Government Procurement Manual. URL: www.dpws.nsw.gov.au/Government+Procurement/
 NSW Department of Commerce Office of Government Procurement. URL: www.dpws.nsw.gov.au/Home.htm
 NSW Treasury provide a full list of their publications, by policy area, at URL: www.treasury.nsw.gov.au/indexes/pubs_by_pol.htm
 NSW Treasury, Statement of Best Practice Internal Control and Internal Audit , June 1995. URL: www.treasury.nsw.gov.au/pubs/tpp95a/tpp95a.htm
 NSW Treasury, Internal Control Assessment, July 1995. URL: www.treasury.nsw.gov.au/pubs/tpp95b/icassess.htm
 NSW Treasury, Risk Management and Internal Controls Toolkit . URL: www.treasury.nsw.gov.au/pubs/rmic/rmicfram.htm
# # #