COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.
The following points of focus highlight important characteristics relating to this principle:
- Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties.
- Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
- Communicates with the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
- Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
- Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
Communication occurs not only within the entity, but with those outside as well. With open external communication channels, important information concerning the entity's objectives may be provided to shareholders or other owners, business partners, customers, regulators, financial analysts, government entities, and other external parties. Outbound communication should be viewed distinctly from external reporting as discussed in Chapter 2 Objectives, Components, and Principles.
The organization develops and implements controls that facilitate external communication. These may include policies and procedures to obtain or receive information from external parties and to share that information internally, allowing management and other personnel to identify trends, events, or circumstances that may impact the achievement of objectives. For example, customer or supplier complaints or inquiries about shipments, receipts, billings, or other unusual activities may indicate operating problems, fraudulent activities, or errors.
Communication to external parties allows them to readily understand events, activities, or other circumstances that may affect how they interact with the entity. Management's communication to external parties sends a message about the importance of internal control in the organization by demonstrating open lines of communication. Communication to external suppliers and customers supports the entity's ability to maintain an appropriate control environment. Suppliers and customers need to fully understand the entity's values and cultures. They are informed of the entity's code of conduct and recognize their responsibilities in helping to ensure compliance with the code of conduct. For example, management communicates its controls relating to business dealings with vendors upon approval of a new vendor and requires the vendor to acknowledge its adherence prior to the approval of an initial purchase order with the vendor.
Technology and communication tools enable external parties to have access to public forums to post and discuss an entity's business, activities, and controls. When an organization uses, or authorizes its employees to use, public forums, such as social media and similar unrestricted communication tools, management develops and implements controls that guide expectations for proper use to avoid jeopardizing the entity's objectives.
Communications from external parties may also provide important information on the functioning of the entity's internal control system. These can include:
- An independent assessment of internal controls at an outsourced service provider related to the organization's objectives
- An independent auditor's assessment of internal control over financial or non-financial reporting of the entity
- Customer feedback related to product quality, improper charges, and missing or erroneous receipts
- New or changed laws, rules, regulations, standards, and other requirements of standard- and rule-setting bodies
- Results from regulatory compliance reviews or examinations such as banking, securities, or taxing authorities
- Vendor questions related to timely or missing payments for goods sold
- Postings on organization-sponsored or supported social media websites or communication tools
Information resulting from external assessments about the organization's activities that relates to matters of internal control is evaluated by management and, where appropriate, communicated to the board of directors. For example, management has entered into an arrangement that allows the organization to periodically use externally managed technology services to perform transaction processing in lieu of hiring personnel and purchasing and implementing additional hardware and software internally. The organization uses sensitive customer data in certain processes. To maintain compliance with the entity's policies and external laws, regulations, and standards, an assessment of internal control over the security and privacy of externally transmitted data (including data transmitted over the Internet) is performed by a third party. The results of the assessment reveal weaknesses in internal control that could impact the security and privacy of data. Management assesses the significance of the weaknesses and reports information necessary to enable the board of directors to carry out its oversight responsibilities.
The interdependence of business processes between the entity and outsourced service providers can blur the lines of responsibility between the entity's internal control system and that of outsourced service providers. This creates a need for more rigorous controls over communication between the parties. For example, supply chain management in a global retail company occurs through a dynamic, interactive exchange of activities between the company, vendors, logistics providers, and contract manufacturers. Internal control over the end-to-end processes becomes a shared responsibility, but there may be uncertainty about which entity is responsible at a particular stage of the process. Communicating with outsourced service providers responsible for activities supporting the entity's objectives may facilitate the risk assessment process, the oversight of business activities, decision making, and the identification of responsibility for internal control throughout the process regardless of where activities occur.
Complexity of business relationships between the entity and external parties may arise through service provider and other outsourcing arrangements, joint ventures and alliances, and other transactions that create mutual dependencies between the parties. Such complexity may create concerns over how business is being conducted by or between the parties. In this case, the organization makes separate communication channels available to customers, suppliers, and outsourced service providers to allow them to communicate directly with management and other personnel. For example, a customer of products developed through a joint venture may learn that one of the joint venture partners sold products in a country that was not agreed to under the joint venture arrangement. Such a breach may affect the customer's ability to use or resell the products, impacting the customer's business. The customer needs a channel in which it can communicate concerns to others in the organization without disrupting its ongoing operations.
The means by which management communicates externally affects the ability to obtain information needed as well as to ensure that key messages about the organization are received and understood. Management considers the method of communication used, which can take many forms, taking into account the audience, the nature of the communication, timeliness, and any legal or regulatory requirements. For example, customers who regularly access entity information through a customer portal may receive messages through postings on the corporate website.
Press and news releases issued through investor or public relations channels are often effective for reaching a broad audience of external parties, ensuring wide distribution and increasing the likelihood that information is received. Blogs, social media, electronic billboards, and email are also common forms of external communication because they can be tailored and directed to the specific party, help to control the information obtained by external parties, and support expectations that information can be sent and received quickly with greater use of mobile communication devices.
Generated November 9, 2014 22:46:48