COSO 2013: Control Environment

Last week we introduced readers to the changes taking place as a result of the COSO 2013 framework superseding its predecessor, COSO 1992, on December 15th. In this post, we’ll tackle the first of the five components of internal control.

When you look at the COSO cube, one of the first sections to jump out is the “Control Environment” row sitting at the top.  COSO likely puts this here to illustrate how a Control Environment presides over the entire risk management program.  However, a strong Control Environment is really the foundation for setting up a successful compliance program.


What does “Control Environment” mean?

The 2013 framework defines Control Environment as, “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”  In other words, the Control Environment is the governance structure in your organization.

COSO defines five key principles within the Control Environment:

As found in Internal Control — Integrated Framework (2013), issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO):

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

These principles ensure that there is an appropriate tone at the top, and that companies have the proper management structure in place to support the control objectives. Additionally, the Control Environment component requires companies to assess the competency, as well as the performance, of control owners and performers. The principles outlined in this section apply not only to companies but also to their vendors. When selecting and managing vendors, these principles should be properly evaluated.


COSO 2013’s Major Impacts on the Control Environment:

Much of the Control Environment component remains unchanged from the COSO 1992 requirements.  However, the 2013 revision includes additional guidance that, depending on the current state of your Control Environment, may have an impact. The main points of that additional guidance include the following.

  1. Monitoring adherence to and deviations from established codes of conduct.
  2. Evaluation of all structures of the entity (including operating units, legal entities, geographic distribution, and outsourced service providers).
  3. Evaluation of management’s skills and ability to carry out assigned responsibilities.
  4. Definition of limitations on authority (including segregation of duties).
  5. Evaluation of Control Environment performance and aligning compensation.


How can ServiceNow help with your Control Environment?

As stated earlier, COSO’s Control Environment is essentially the creation of a strong governance structure in your organization.  Much of what is required for a strong Control Environment is non-tangible and requires a corporate culture that promotes and rewards ethical behavior.  Because these types of principles are intangible and do not relate directly to specific processes, they do not and cannot live natively on the ServiceNow platform (or any platform for that matter).  However, there are many Control Environment principles that can be implemented using ServiceNow.  Here are a few.

Policy & Document Management

Policies, standards, and procedures are a key component of a strong Control Environment.  The ServiceNow platform provides a centralized repository to house all of your organization’s various policies and procedures.  Using document management, you can even automate the annual updates and approvals to these policies.  Best of all, the GRC application relates controls to their associated policies, so you can track policy compliance in real time.

Configuration Management

The Configuration Management Database (CMDB) is an ITIL concept used to map the logical relationships that link all of an organization’s IT infrastructure components to the services that are provided to the business.  Using this functionality in ServiceNow, the CMDB can be extended to map all of an organization’s processes, functions, operating units, and divisions, thus illustrating all of the structures of the entity.  This provides greater insight into the operations, reporting, and compliance risks that exist throughout the entity.

HR Service Management

HR Service Management in ServiceNow is the perfect repository for HR policies, codes of conduct, and similar information.  The same policy and document management workflows can be used to ensure that these documents are updated and approved regularly.  In addition, HR Service Management provides a mechanism for users to report HR incidents (such as breaches of policy), and for the HR department to collaborate with other departments to investigate the issue.

Read:  IT and HR Strategies for HR Case Management in ServiceNow

Governance, Risk, and Compliance

The GRC application in ServiceNow is the central repository of all risk, control, and compliance information that pertains to your organization.  Using ServiceNow GRC, control activities are explicitly assigned to the groups or individuals responsible for their successful execution.  Using the ServiceNow SLA and reporting engines, it’s easy to report on the individuals and groups who have not completed control tests in a timely manner.  These metrics can improve the entity’s ability to align Control Environment performance with personnel performance reviews and compensation.

Read: Four Reasons Why You Can (and Should) Enable Your ITSM & GRC Objectives on One ServiceNow Platform


Next week our experts will tackle the changes to COSO’s guidance regarding Risk Assessments.


About the authors

Nathan Dupirack: “Life is too short to have only one OS”

John Linamen: “Life is too short to not hit the ground running”
