
Chapter 3: The Face of the Cube

JANUARY 5, 2016 BY LORI

Distinguish between components of internal control


The COSO model has three main dimensions.
Let's talk in this chapter about the dimension most difficult to grasp: the
face of the cube, which lists the five components of internal control. We will
discuss the side and the top in later chapters.
The five components of internal control
The five components of internal control listed on the face of the cube are:
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring
I need to admit, right up front, that I have never clicked with the face of the
cube. You know how some models just make you say to yourself, "Yes, of
course, that is how it is!" For instance, the "Plan, do, check, act!" model.
Those four steps (plan, do, check, act) are intuitive and sensible. The 5
components of internal control, not so much.
Here is how I make sense of the five components (Warning: this appears
nowhere in COSO literature!):
First, the organization needs to ask what risks it is facing. Once they have
done this risk assessment, they can apply control activities to keep
those risks from occurring. Then valid reports need to be generated that
provide information and communicate with the stakeholders of the
organization who need to know how well the controls are working. The
organization should not just assume, but monitor to ensure, that the control
activities and reports they put in place to tamp down risk are working. And
all of this effort needs to take place within an encouraging, nurturing
environment that appreciates and supports controls.
Does it still sound like Greek? Don't worry. That whacky, un-intuitive model is
what this book is about, and my desire is that you feel more comfortable with
the COSO model when you are done reading. Let's begin with an overview of
the five components, starting where the cube starts, with the control
environment.
Do you care about the environment?
The control environment component directly addresses the attitudes of the
leaders of an organization toward controls. You will also hear this component
described as "tone at the top." If the leaders of an organization are
uninterested in excellence in operations, strict compliance with laws and
regulations, and accurate and transparent reporting, efforts toward those
objectives by the underlings will fail.
I have seen a wide variety of control environments, as I am sure you have.
Some control environments are strong and reassuring. Others vary from
strong to weak depending on who is in the leadership position at the
moment, and others are crazy disasters that eventually implode. And no
matter the size of your entity, the leadership's attitude permeates the whole
organization.
One of my jumbo clients sells groceries in 28 countries. Since I am also a
customer of this grocery retailer, I was very pleased to hear an executive in
charge of food safety initiatives talk openly and emotionally about his
responsibilities to keep customers safe. He began his presentation by
sharing the pictures of children in his briefcase that he looks at every day.
These were not pictures of his children, but children who had died of
food-borne illness from all food sellers (groceries and restaurants) in the
United States. Then he began to share statistics about how vulnerable children
are to food-borne illnesses. It was clear from talking to his grocery managers
that his serious attitude toward a serious risk had impacted controls.
If his powerful message permeated such a large organization, imagine how
much more the viewpoint of a leader in a small organization impacts
controls. Smaller organizations are particularly vulnerable to the attitudes of
the leadership.
Regrettably, I agreed to be the treasurer for a small organization, the local
chapter of the National Speakers Association, and served for three years. We
had about 30 members and 6 of them were on the board. The tone at the top
dramatically altered the control environment every time we elected a new
president.
Most of the members of the local chapter were motivational speakers, and
many of them thought that if you just believed something with all your heart
and mind, you could wish anything into existence. So, when I informed them
at our first board meeting that I had carefully looked over the books and that
we were close to bankruptcy, the response from the president was, "Well, if
we just think positive thoughts, everything will work out." A few meetings
later, my less-than-positive prognosis came true. We couldn't pay the hotel
after our monthly Saturday meeting.
The chapter's president conveniently disappeared after I informed her of this
fact. Luckily, one of our successful and moneyed members named Jim
stepped in and paid the bill.
Our new savior, Jim, was immediately appointed president. Jim was a
six-and-a-half-foot-tall ex-Marine who knew how to lead. At our first board meeting,
he told the group that we were going to set a strict budget, and that we were
going to talk about it at every meeting. All expenditures had to be approved
by me before they were incurred. I silently clapped and cheered in my little
accounting heart! Everyone on the board was paying attention to my
financial presentation at meetings (or at least they looked like they were
paying attention), and I felt great about my role as treasurer. By the end of
Jim's term, we had built our bank account balance up to a healthy $14,000.
But, when Jim's term was up, the group elected sweet John to be our leader.
John preferred to spend the board meeting hugging and vision casting rather
than worrying about tacky old money. At our first meeting under John's
leadership, we all discussed relaxation techniques, which just happened to
be the focus of John's signature speech. The group again began to ignore the
budget, and by the end of John's term, we were again near bankruptcy.
I realized that I would only be successful as a treasurer with the chapter if I
had the strong support of the president. It didn't matter how wonderful and
clear and compelling my budget presentations were (and I tried everything I
could to wake them up to the reality of the situation: emoticons, colors,
graphics, dancing, singing), I was ignored. Only when Jim created an
environment of compliance and fiscal restraint did the controls over our
finances work.
My situation as a powerless underling plays out on larger, more important
scales all the time. Do you remember the financial executive at Enron,
Sherron Watkins, who wrote a memo to the chief executive about Enron's
fraudulent financial statements? The leadership didn't want to hear it and
published the erroneous financial results for public consumption. No matter
how well she did her job, without the support of the organization's
leadership, her efforts meant nothing.
We will talk more about control environment and all of the components of
the COSO model in more detail in later chapters. So for now, let's move on
to risk assessment and the other remaining components.
Controls mitigate risks
Risk assessment is all about making sure we put our resources toward things
that matter. We don't need controls over things we aren't worried about.
Controls are created to mitigate or reduce risk.
Here is a personal example: My family has two cars. One represents more
risk to us than the other because it is worth more money. Let me begin by
saying that my husband and I only buy used cars. I was raised in new or
nearly new cars. My father got a new car every few years and still does. But
now that I am paying the bills, I appreciate my husband's view that new cars
waste money.
My husband has been driving the same Toyota Sienna minivan (that we, of
course, bought used) for the past 10 years or so. It has over 200,000 miles
on it and doesn't show any sign of stopping. It looks like a hideous, rolling
pile of retro junk. It is worth about $1000 per the Kelley Blue Book.

Recently, I bought a beautiful, jumbo Lexus sedan with 100,000 miles on it.
The sedan cost us around $18,000. We park my Lexus in the garage and
repair every little ding. The mini-van is always exposed to the weather, and if
it gets a ding, my husband reasons that it only adds to its character. Because
more of our money is at risk in the Lexus (and more of my ego is on the line
with the Lexus), we treat it better, and we endeavor to control what happens
to it. When a hail storm hits, as they do at least once a year here in Austin,
my husband's first question is, "Is the Lexus in the garage?"
What do you care about in your organization? Is it that your assets are
safeguarded? Is it that your customers and employees are safe? Maybe you
care the most about making a difference to the disadvantaged? While it
would be nice to have the time and the resources to worry about and control
everything, no organization in the history of the world has been able to pull
that off.
What risk assessment does is lay out all of the possible things you might care
about on the table (or in an Excel table!). It gives you a way of ranking them
and deciding where you will focus your efforts. Controls cost time and
money, and you want to be intentional about applying them.
I have seen a wide variety of risk assessment models and risk assessment
documentation. You can really go nuts refining the risk assessment and
contemplating every eventuality, but at a very basic level, all you have to do
is decide if you care. Simply ask yourself what could go wrong. And if you
don't care about the resulting answer, you don't need any controls over it.
So, if I ask myself if I will care if my Lexus suffers hail damage, I would say
that I care. The mini-van, not so much.
What most people think of when they think of controls
The third component, control activities, is what most people think of when
they think of applying controls. Control activities include such things as
segregation of critical duties, transaction approvals, timely reviews of
transactions, and documentation.
The Green Book contains a fabulous list of control activities that we will
discuss in later chapters.
You aren't in this alone!
Information and communication, the fourth component, acknowledges that
you aren't in this all by yourself. Various stakeholders need to be kept informed
about what is going on.
Any endeavor will generate critical information and this information will
allow stakeholders to evaluate the success of the organization's efforts. The
information and communication component asks the manager who they
need to communicate with, what they need to share, and whether the data
the manager is sharing is valid.
Hopefully, you are being watched, carefully, but not in a creepy way
Just performing a risk assessment, applying control activities, and
communicating with stakeholders is not enough. Unfortunately, we aren't
done. We need the final component: monitoring.
We can't just set things up and hope that they run on their own forever and
ever. Over time, controls slip away and atrophy. Somehow we need to
monitor to make sure that things are working as intended and make
corrections when they aren't working as intended. And, let's be honest here,
things never work exactly as we intend.
What this means is that, if you are following the COSO model, someone will
be watching! It is best if this someone can be honest about what they see
without suffering any consequences, and they might watch continually or
just occasionally.
Summarizing 5 components of control
Let's recap. First you have to decide what you care about and what risks you
are unwilling to tolerate. You then apply controls to the risks you aren't
interested in experiencing. You need to share the data your activities
generate with stakeholders and set up a monitoring function to make sure
that everything you have put in place to mitigate the risks is operating as
intended. All of this needs to take place within an environment that values
and supports controls.
You might have noticed that I moved the control environment component to
the end in that last paragraph. This is because, from an implementation
standpoint, you start with risk assessment. After we cover the remaining two
dimensions of the COSO cube, that is exactly what we are going to do.
