A fish can’t survive if the water it’s living in is dirty. The same goes for your control environment. Your controls can only thrive in the right environment.
Ten years ago, the approach to achieving that “right environment” shifted with the concept of Entity Level Controls (or “ELCs”). Signaled by COSO 2013, this shift led the profession to adopt a uniform framework for governance practices that covered areas including policies, management oversight, board independence, and risk management. The model remains the gold standard for governance practices to support internal control programs. But at times, it can be overwhelming and confusing to know how to apply the framework and get the most value out of it.
Happy 10th Birthday COSO 2013!
To mark the 10-year anniversary of COSO 2013, we wanted to share our reflections, guidance, and adaptations based on a decade of using the model in our work with Risk Oversight clients of all sizes, industries, and levels of maturity.
Whether you are Management looking to implement better governance or are an internal control practitioner looking to evaluate your ELCs (be it for SOX, CSOX, ICFR, or other internal control programs), we hope our insights are helpful to you.
So, today, let’s take a fresh look at ELCs and explore better ways to use the model to support your organization and internal control program.
What are Entity Level Controls and COSO 2013 (a Refresher!)
ELCs are a lot more than setting the “tone” from the top. They are the foundation, or supporting structures, that allow all other controls, processes, and programs to function effectively.
Developed by the Committee of Sponsoring Organizations (COSO), the COSO 2013 framework effectively presents a collection of governance concepts (or “best practices”) around risk management, human resources, board oversight, management reporting, and more. What changed 10 years ago wasn’t necessarily that these concepts were new, but that internal control practitioners now had a comprehensive, accessible set of principles to assess their organizations against.
As early as 1992, COSO created the original principles known as the COSO Framework, but the model was revamped in 2013. The modernized version uses 17 principles, each with associated characteristics called “points of focus” (with 4 to 6 per principle) to assist in assessing whether the principles are working or not.
There have been a few additions to COSO over the last few years — a new Enterprise Risk Integrated Framework in 2017 and two recent 2023 publications on Sustainable Reporting and on Fraud Risk Management, though these updates are not nearly as substantial as the COSO 2013 update to the Internal Control — Integrated Framework.
3 Priorities for Stronger ELC Work
From our extensive practice (and trial and error), we have come to rely on three overarching priorities in our ELC work to tackle the overwhelm and focus on the most important steps. You don’t want to let the “comprehensiveness” (or “vigilance”!) of the model detract from putting it to use quickly, efficiently, and effectively.
1. Use ELCs as a gauge of your organization’s maturity.
ELCs should be an ongoing, living assessment based on the size of the organization, regulatory environment, risk level, industry, and economic environment.
Use ELCs as an opportunity to “step back” and look at your organization’s maturity level. For example:
- For the size of our organization now – and given our recent acquisitions – is our Budget and Forecasting process serving our needs?
- For our current risk level, are our internal control, risk management and fraud management practices appropriate?
- For the current maturity of our company and the nature of our workforce, are our HR practices reasonable?
A small organization doesn’t need as sophisticated a risk management, information management, or IT governance program as Walmart or the Department of Defence. ELCs are about being reasonable and pragmatic.
When we work with organizations that are going through growth spurts, for example — often through acquisitions, new projects or capital programs, or increased contracts or sales — it is normal and expected that ELCs also need to “grow up” at the same time. You will “raise the ELC bar” as you grow and mature.
2. Group your questions into logical buckets and use a great template.
One common pitfall that organizations fell into in the early days of applying the COSO 2013 model was the tendency to take a check-the-box, laundry-list approach to get through it. Unwieldy COSO 2013 templates spread like weeds across organizations while management lamented how much time their ELC assessment took and how it felt like a game of whack-a-mole just to get through them. (This trend has thankfully reversed over the last 5 years.)
The model was never designed to be prescriptive: by design, you are supposed to use professional judgment when applying it.
Rather than attempting to attack all the concepts in the model, adopt a lean template focused on core concepts that let you approach ELCs by asking the bigger, more important questions (e.g., “Is our Management Reporting effective?” or “Are our HR practices meeting our business needs?”).
Today, at Risk Oversight we use a 13-point approach (though there are 17 principles in COSO 2013) as a starting point for ELCs.
If you don’t have a good template or example, below is an example we use in our work with clients. (And if you’d like the full template to see how the mapping aligns with the COSO 2013 principles and points of focus, please reach out.)
NOTE: Before you get too excited about reducing your scope and using a lean approach to working through the model: it is considered best practice to consider every point of focus periodically. This is a good exercise especially if there are changes in your organization like significant growth or decline, acquisitions or divestitures, going public, or moving to a new exchange (e.g., from the TSXV to the TSX, or from being a CSOX filer to a SOX 404 filer).
A 13-Point ELC Review Template
Control No. | Control Area | Control Description (generic as a starting point only) | Areas to Review
--- | --- | --- | ---
ELC1 | Budgeting and Forecasting | There is a defined process around the Annual Budget that includes review of assumptions and inputs, approval, and supporting documentation. The Forecast is prepared monthly/quarterly and supports Management’s review and assessment of the performance of the organization. |
ELC2 | Board and Committee Mandates and Planning | There is a competent and independent Board and appropriate Committees in place. The Board and Committee planning process contemplates the mandates and other key topics to be discussed throughout the year. |
ELC3 | Board and Committee Meetings and Minutes | The Board and Committees meet quarterly and maintain appropriate minutes which support the discussions held. The minutes meet the Business Judgement Rule and other documentation standards (e.g., attaching supporting documents). |
ELC4 | Management Oversight and Reporting | Management has formal reviews and reporting in place to review and monitor financial and operating results. |
ELC5 | Code of Ethics and Professional Conduct Policy | There is a Code of Ethics that outlines acceptable business practices and expected standards for ethical behavior. Employees and contractors are required to sign off on the Code when starting with the company, in addition to annually. |
ELC6 | Corporate Policies Framework | There is a policy framework and related program in place that ensures that corporate policies are appropriately identified, created, updated, revised and enforced. There is an accountable owner (or owners) for policies. |
ELC7 | Risk Management | There is a Risk Management program in place that includes defining enterprise risks, strategies for mitigating these risks, and accountable owners. Annually, the risk assessment is reviewed and updated. As part of this program, there is an ongoing assessment of changes that could significantly impact the business. |
ELC8 | Fraud Assessment | There is a Fraud Program in place to ensure that Management has reasonable and appropriate controls to mitigate the risk of fraud. |
ELC9 | Human Resources | The organization has an appropriate Human Resource (HR) function and related practices for its size. This covers areas including hiring, termination, onboarding, performance evaluations, skills management, succession planning, and compensation. |
ELC10 | Internal Controls Program | There is an Internal Controls Program in place to ensure that controls to support financial reporting are adequately designed and operating effectively. The program includes a plan, design effectiveness review, testing, and reporting. |
ELC11 | Whistleblower/Ethics Hotline | There is a Whistleblower or Ethics Hotline in place. All complaints through the Hotline are handled in a controlled manner. |
ELC12 | Information Management and Knowledge Management | Organizational information and knowledge are managed appropriately. There is an Information Management/Knowledge Management program in place to ensure quality information to support internal controls and the functioning of the business. |
ELC13 | IT Governance | There is appropriate IT Governance in place to govern IT controls, technology decisions, change management, and IT security. |
3. Focus on continuous improvement, not pass/fail.
The challenge with the traditional way that audit and compliance programs are taught is the overfocus on deficiencies, issues, errors, and “fails.” Instead of narrowly focusing on “pass/fail,” reframe your ELC assessment as an opportunity to think about what to do differently and to make your organization better every year.
In our experience with clients, when Management takes the time to reflect on where they are going and tangible steps they want to take to improve their ELCs (e.g., policies, insurance program, internal control assessment) year over year, they will get the most value out of the exercise.
For example:
- How can we strengthen our policy program over the next year?
- What area of ELCs do we want to improve the most?
- How can we mature our risk program given the shifting nature of our industry?
A Few of Our Favorite Questions to Test (or “Boost”) Your Entity Level Controls
While what you focus on will shift depending on the needs of your organization and your management and board — here are six of our favorite questions to boost or complement your ELC work. While these won’t solve every aspect of your ELC program (including all 17 principles and points of focus), they will give you practical, easy-to-execute ideas that get the most value out of your internal control dollars and resources.
POLICIES: Are your policies smart, effectively managed, and enforceable?
Policies set the guardrails for what behavior is acceptable and what is not, and they are foundational to good governance. Evaluating your policy program isn’t about every policy being “perfect”. Rather, we recommend that you first make sure there is an accountable owner over the policy program (or multiple owners, if appropriate). Policies should be clear, resonate with users, and be enforceable. (Check out Risk Oversight’s article on policies if you are looking for more ideas.)
BUDGETING AND FORECASTING: How strong are budget and forecasting to underpin your management reporting and P&L controls?
Budget and forecasting underpin so much of your internal control environment and financial processes, including cash management, management reporting, profit & loss (P&L) analysis, and general controls over the income statement. A strong understanding of budget and forecast is an efficient way to add value (and even reduce work) for other areas of your business.
BOARD AND COMMITTEE MINUTES: Do your minutes follow best practice – and what do they say about your control environment?
Board and Committee minutes are a goldmine of evidence to support your ELCs and governance practices. You want to first assess the quality of your minutes against the Business Judgement Rule and the Goldilocks Principle (which you can read about in this article). Reviewing minutes is also a great way of understanding issues impacting the control environment such as policies, whistleblower complaints, transactions, and much more.
BOARD AND COMMITTEE PLANNING: Do your board and committees have a planning process to cover off the mandates and “hot” topics?
The Board planning process is a critical but often overlooked part of ELCs. The Board and Committees should have a documented plan of their discussions to be held throughout the year. Planning should include:
- Alignment of discussion topics with the Board and Committee mandates.
- Topics that Board and Committee members want to discuss.
- “Hot” topics (like cyber, risk, ESG) relevant to the current year.
(If you need help with Board or Committee planning or related templates, please reach out to us for examples too.)
RISK MANAGEMENT: What are your formal and informal practices for monitoring and managing risk?
Risk management is a tricky nut to crack because every company’s requirements vary substantially depending on its industry and circumstances. More formality and reporting in areas like risk matrices, heat maps, reports, and tools are expected as a company grows. But formal programs aside, risk management is actually more about how risk is ingrained into the everyday operations and culture of the business. Just a few areas that risk management touches include: management oversight, insurance, health and safety, board minutes, legal, and documentation practices overall.
INFORMATION MANAGEMENT (IM) AND KNOWLEDGE MANAGEMENT (KM): How do information and documentation support your internal control environment?
IM and KM are by far the most nebulous part of ELCs, and by far the hardest to evaluate. (Which is why most programs leave them out.) In today’s age of information abundance (not to mention overload), no organization manages its information perfectly, and many large and established organizations are still in their infancy when it comes to IM and KM. But your information management practices — from your contracts, accounting records, and decision records to your intellectual property — are undeniably a key part of your internal control environment. Even if IM and KM are tricky, even sensitive, to evaluate, they are worth taking a look at.
*****
ELCs are a recurring, living assessment. When it is done correctly, there is so much opportunity for your ELC work (and COSO 2013) to support not only your internal controls but help your organization too. A focus on ELCs can reveal blindspots, areas for continuous improvement, and help prepare your organization for the future.
With the dramatic changes to our business environments in recent years — from COVID and WFH (work from home) to the Silicon Valley Bank failure, rampant inflation, swings in the economy, the rise of the gig economy, AI and ChatGPT, and so much more — we’d venture a guess that a new model may be due in the not too distant future.
For now, we hope that this article gives you a good starter or refresh on how to attack your ELCs more effectively. If you have any questions on your ELCs or how to apply these concepts in practice, please don’t hesitate to reach out for further information. We’d love to help.