Week 7 Discussion
JOURNAL OF MANAGEMENT ACCOUNTING RESEARCH American Accounting Association Vol. 31, No. 1 DOI: 10.2308/jmar-51891 Spring 2019 pp. 63–83
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control
Ramji Balakrishnan The University of Iowa
Ella Mae Matsumura University of Wisconsin–Madison
Sridhar Ramamoorti University of Dayton
ABSTRACT: We examine the extent to which the 2013 COSO Internal Control—Integrated Framework (ICIF) succeeds in the goal to expand its application beyond a compliance framework. We do so by mapping the points of
focus in the 2013 ICIF to the principles articulated in the Levers of Control (LOC) framework advocated by Simons
(1995). The analysis shows how the revision achieves partial success. This identification of areas in which the
frameworks overlap promotes an integrated view of organizational control and aids assessment of the efficacy of a
firm’s control over its strategic and operational processes. We also examine the extent to which the 2016 COSO
Enterprise Risk Management (ERM) Exposure Draft captures non-overlapping areas between the 2013 ICIF and the
LOC, and highlight implications for future work in this evolving area.
Keywords: COSO; ICIF; enterprise risk management; Levers of Control.
I. INTRODUCTION
E xercising control over strategy and operations is a complex task because the underlying risks vary on multiple
dimensions, such as their scope (strategic, operational), nature (fraud, legal, competitive, reputation), and scale (entity,
division, individual). Not surprisingly, scholars and professional organizations have developed several approaches
aimed at helping managers conceptualize and systematize this task (Simons 1995; COSO 2013). Some, such as the Levers of
Control (LOC), approach control from the viewpoint of implementing strategy. Others, such as the Internal Control— Integrated Framework (ICIF) from the Committee of Sponsoring Organizations (COSO), have more of an operational focus.
In this paper, we map the 2013 COSO ICIF to the Levers of Control (LOC) framework. This exercise is useful for two
reasons. First, practitioners think of the ICIF as relating to compliance, as evidenced by its use to meet the requirements of
Section 404 in the Sarbanes-Oxley Act. By understanding the overlap between COSO and LOC, a firm could leverage the ICIF
to implement a strategic control system. Such an expansion means that efforts invested in satisfying SOX requirements are
beneficial beyond protecting the company from fraud, financial misreporting, legal liabilities, and misappropriation of assets. 1
Second, a major goal for COSO in its 2013 revision of the ICIF is to expand the framework beyond internal control and
We thank In Gyun Baek, Andrew Bailey, Dorsey Baskin, Kevin Den Adel, Shane Dikolli, Audrey Gramling, Bob Hirth, Matt Kaufman, Eva Labro, David Landsittel, Raef Lawson, Theresa Libby, Brian Mayhew, Mark Penno, Jeff Thompson (IMA), Larry Rittenberg, Adam Vitalis, and Sally Widener for comments. We are especially indebted to two anonymous reviewers and Michael G. Williamson (associate editor) for invaluable input in refining our thoughts. We also acknowledge guidance from workshop participants at Creighton University, University of Dayton, and the University of Northern Colorado–Greeley.
Supplemental material can be accessed by clicking the link in Appendix C.
Editor’s note: Accepted by Michael G. Williamson, under the Senior Editorship of Karen L. Sedatole.
Submitted: January 2017 Accepted: July 2017
Published Online: September 2017
1 We thank an anonymous reviewer for suggesting this linkage.
63
financial reporting to more managerial uses. This expansion is consistent with the idea that the internal audit function has to
evaluate and assess controls over strategy, operations, and compliance to promote and support organizational governance
(Anderson et al. 2017). The goal includes better illustrating operational and compliance objectives, and the associated controls
for meeting them. (See, for example, Landsittel and Rittenberg interviews in Tysiac [2012].) By mapping the ICIF to a well-
established managerial accounting framework (LOC), we assess the extent to which the 2013 revision not only delivers on its
mission of internal control over financial reporting, but also helps a firm select and implement the appropriate business strategy.
Our methodology has three steps. First, we identify a few broad contexts for each of the four levers of control. For
example, we identify ‘‘specify the values and goals of the organization,’’ ‘‘reinforce organizational values and goals,’’ and ‘‘hire and retain personnel’’ as the key contexts within the realm of beliefs controls. Next, we map each of the ICIF’s 17 principles, and associated points of focus, to one or more contexts. Consistent with the 2013 ICIF, we group the principles into the five
components of the COSO cube. This mapping generates a table with the four levers (each with three to five contexts) as rows
and the five components of the ICIF as columns. In this table, cell entries represent the specific principles and points of focus
that relate to a given context and control component. Finally, we examine this table to ascertain how well the updated ICIF
succeeds in its implicit goal of helping to ensure that internal controls help managers make better decisions. We also examine
unfilled cells or sparse rows/columns to identify areas that deserve further investigation. In additional analysis, we check the
extent to which the 2016 Enterprise Risk Management Exposure Draft (ED) directly or indirectly addresses these gaps. 2
Our analysis supports the conjecture that, as an operational tool, the ICIF does not fully integrate the impact of strategy on
controls. However, the concepts and ideas in the 2016 ERM ED seem to lie between the two approaches and explicitly consider
control over strategic and operational decisions. Taken together, the 2013 ICIF and the forthcoming ERM framework appear to
span controls in the context of strategic, operational, financial, and compliance objectives and associated contexts. Even so, our
analysis shows that the LOC framework provides a complementary and yet broader approach for understanding the linkages
among cultural, operational, and strategic controls.
We make three contributions. First, we add to the literature on strategic control by expanding the LOC framework to attach
specific contexts to each of the four levers. This expansion highlights both planning and control decisions, thereby relating the
LOC framework to the more general plan-do-check-act (PDCA) cycle popularized by Deming (1986 ). Second, we bridge the
literature on internal controls and managerial control. Our mapping of the 2013 ICIF to the expanded LOC framework helps
highlight the revised ICIF as being broader than a checklist of features to ensure the adequacy of internal controls. Finally, we
explicate how the COSO (2016, }12, p. 5) ERM ED extends the scope and reach of the 2013 ICIF to fulfill its desired role as a bridge between operational and strategic control.
3 In particular, we document how the to-be-finalized ERM supplements the
ICIF in its consideration of the implications of strategic decisions for achieving internal control.
We organize the remainder of this paper as follows. In Section II, we provide an overview of the 2013 ICIF and the LOC
frameworks. We also provide a brief conceptual discussion of how the two approaches address similar issues at their core. In
Section III, we develop the mapping of the ICIF to the contexts/strategy setting grouped by the category of control mechanisms.
Subsequently, we introduce the 2016 ERM ED and examine the extent to which it captures non-overlapping areas between the
2013 ICIF and the LOC. In Section IV, we interpret this comprehensive mapping in an attempt to integrate the literatures in
internal control and managerial accounting, as well as highlight implications for the 2016 ERM ED and future work in this
evolving area.
II. BACKGROUND4
Internal Control—Integrated Framework (1992 and 2013)
Founded in 1985, COSO aims to provide thought leadership through the development of frameworks and guidance on
internal control, enterprise risk management, and fraud deterrence. 5
COSO originally issued Internal Control—Integrated Framework in 1992. The ICIF gained prominence following the passage of the Sarbanes-Oxley Act (SOX) in 2002. In particular, the implementing rules of the Securities and Exchange Commission (SEC) required public companies to adopt a
2 In Section III, we discuss the strengths and weaknesses of our approach.
3 Our analysis highlights the tension between implementable and conceptual approaches (equivalently, the influence of theory and practice on each other). COSO deals with this issue both by having the AAA as one of the COSO Sponsoring Organizations and by having key committees include academic members of professional organizations such as the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).
4 Readers familiar with the COSO framework and/or the LOC can skip the related parts of this section without loss of continuity.
5 COSO is a joint initiative of five private sector organizations; the sponsoring organizations are AAA, AICPA, FEI, IIA, and IMA. See Landsittel and Rittenberg (2010) for a brief history of COSO.
64 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
well-established control framework when evaluating their internal controls over financial reporting. Rules set forth in Section
404 of this Act mandate that management of public companies assess the effectiveness of their firm’s internal controls over
financial reporting. Although the SEC rules do not mandate COSO’s ICIF, public companies in the U.S. have predominantly
adopted the ICIF as the default framework to satisfy this compliance requirement. 6
In 2010, the COSO board decided to update the ICIF to make it and related evaluation tools more relevant in the
increasingly complex business environment. 7
The motivation included a clear emphasis on expanding ICIF to consider issues
related to management control as well as a desire to maintain professional jurisdiction. The topics of discussion that triggered
an update to the original ICIF include expanding the financial reporting objective to include broader consideration of
management reporting and external reporting, providing more detail on the alignment of incentives, and expanding the
discussion on risk assessment. Speaking about the expanded role for the ICIF, David Landsittel, chairman emeritus of COSO,
states:
Internal control is so important in a broader way, specifically in assuring the accomplishment of the organization’s
objectives as Larry [Rittenberg, past chair of COSO] and others have alluded to. In the updated document, there’s an
additional focus on operational and compliance controls and how they are beneficial in helping assure the
accomplishment of operational and compliance objectives. In this regard, the document responds to some current
concerns that in recent years some organizations haven’t been fully ‘‘under control’’ in a broad sense. We believe that focusing on operational controls and their positive impact on the accomplishment of operational objectives adds
assurance of the longer-term success of an organization. (Tysiac 2012)
The 2013 ICIF describes three key objectives: (1) effectiveness and efficiency of operations, (2) reliability of (financial)
reporting, and (3) compliance with applicable laws and regulations. It classifies the internal controls for achieving these
interrelated objectives into the following five components, which apply both from the perspective of designing and
benchmarking internal control.
� Control Environment—the cultural and structural foundation of the organization. � Risk Assessment—identification and analysis of risk. � Control Activities—policies, procedures, and technology used. � Information and Communications—information flow within the organization. � Monitoring—independent verification of the effectiveness of other components.
Finally, the ICIF considers these objectives and components across multiple levels: entity, division, operating unit, and
function. To succinctly summarize the ICIF, COSO uses the cube diagram (objectives 3 components 3 levels) shown in Panel
A of Figure 1.
In terms of usage, many practitioners have developed assessment checklists to identify the risks to mitigate and controls
that are required to be in place. Many of these checklists are tailored to individual business processes such as order-to-cash,
procure-to-pay, and plan-to-fulfill. As businesses increasingly employ enterprise systems such as SAP, SAS, and Oracle,
information-technology based controls feature prominently in these checklists, and firms with core competencies in software
design and application dominate the arena (e.g., see http://www.procognis.com/ and https://www.protiviti.com/US-en). A brief
review suggests that the focus of the application is on verifying the sufficiency of fiduciary controls and oversight for a given
set of business processes.
We believe that COSO’s broadening view of internal control from ‘‘compliance’’ to ‘‘organizational’’ controls (see CMA Canada 2008, 29) reflects at least three trends. First, there is a growing acknowledgement for embedding control within a
framework for identifying and managing internal and external risks. Second, there is recognition of controls as learning and
adaptive tools rather than as static mechanisms for monitoring and measuring processes. Finally, there is greater importance
6 Indeed, the executive summary to the now-superseded COSO (2006, 1) Guidelines for Small Businesses stated that the ICIF ‘‘provides an overview of internal control over financial reporting in smaller businesses.’’ Alternate frameworks exist, of course. Within the U.S., COBIT 5 (control objectives for information and related technology), a framework for the governance and management of enterprise IT, issued by the ISACA (formerly the Information Systems Audit and Control Association) is the available alternative. While used widely by IT departments and professionals, few others use this framework for Sarbanes-Oxley Section 404 compliance. Competing international frameworks include those from the Criteria of Control Board (CoCo) in Canada; the Cadbury Report and the Turnbull Guidance in the U.K.; the King Committee Reports I, II, III, and now IV in South Africa; and ISO 31000 on risk management. Outside the U.S., the 2013 ICIF is most popular in Japan and China, where translated versions are used. Since April 2008, when Japan introduced its own version of the Sarbanes-Oxley Act (‘‘J-SOX’’), the interest in consulting and applying COSO’s ICIF and related guidance has intensified.
7 Other professional organizations also adopt an expansive view of internal control. The Canadian CoCo document, Guidance on Control, views control as including ‘‘the identification and mitigation of risks,’’ with these risks including both the known risks related to the achievement of a specific objective and the fundamental risks to the viability and success of the organization. The latter category includes failure to maintain capacity to identify and exploit opportunities, and to maintain resilience (SMA Canada 1999).
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 65
Journal of Management Accounting Research Volume 31, Number 1, 2019
FIGURE 1 COSO Frameworks
Panel A: The Updated 2013 ICIF/ ‘‘COSO Cube’’
Panel B: The 2016 ERM ED Framework
Source: COSO (2016 ). Used with permission. The full-color version of Figure 1 is available for download, see Appendix C for the link.
66 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
attached to organizational culture and values as well as individual integrity as critical parts of the control environment,
particularly from an internal audit perspective (Ramamoorti and Siegfried 2016; Ramamoorti, Siegfried, and White 2017).
These environmental parameters are particularly salient in the context of decentralized decisions.
Levers of Control
The Levers of Control (LOC) framework has its basis in managerial accounting and strategic control. As detailed in
Simons (1995), which results from a ten-year examination of control systems in over 50 U.S. businesses, this framework
groups controls into four interwoven categories (levers or systems) according to their fundamental nature. Simons (1995) labels
these categories as beliefs systems, boundary systems, diagnostic control systems, and interactive control systems controls (see
Figure 2). For simplicity, we at times abbreviate the terms in this paper and refer to the four groups as controls. The LOC
framework illustrates how a portfolio of controls helps firms monitor decision outcomes as well as identify and manage the
various sources of the associated risks. As such, it is a widely accepted and popular approach for evaluating managerial control
systems (Simons 1994; Widener 2007). 8
We next briefly describe the four levers.
� Beliefs systems are ‘‘the explicit set of organizational definitions that senior managers communicate formally and reinforce systematically to provide basic values, purpose, and direction for the organization’’ (Simons 1995, 34). In a broad sense, the role of beliefs systems (or ‘‘controls’’) is to define and gain adherence to organizational culture. Usual avenues include the formulation of mission and vision statements to communicate the core values of the organization.
The impact of these controls is often visible in hiring and training protocols. For example, consider the boot camp that
every marine experiences, the immersion in seminaries, or the attention that top consulting firms pay to ‘‘fit’’ when hiring individuals.
� Boundary systems channel the vision by delineating ‘‘the acceptable domain of strategic activity for organizational participants’’ (Simons 1995, 39). Organization structures that define decision rights (Zimmerman 2010) are examples of boundary systems. Boundary systems exist both to exclude undesirable actions and to specify expected behavior (codes
of conduct). Boundary systems exist at the strategic level (e.g., what kinds of business opportunities shall be avoided or
FIGURE 2 Role of Internal Controls in the Levers of Control Framework
Source: Adapted from Simons (1995, 86 ).
8 We view the term ‘‘corporate governance’’ as relating more to mitigating the agency conflict between shareholders and management (Berle and Means 1967). Thus, we do not interpret the LOC in the context of corporate governance and instead interpret it as a framework for management control.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 67
Journal of Management Accounting Research Volume 31, Number 1, 2019
pursued), at the business level (e.g., the protocol followed for submitting a bid or a grant proposal to a government
agency), and at the individual level (e.g., prohibited behaviors). As both beliefs and boundary controls are strategy-
focusing mechanisms, there is some overlap in the two categories. For example, one might view a code of conduct as a
boundary control but, in addition to emphasizing compliance with legal requirements such as the Foreign Corrupt
Practices Act of 1977, codes of conduct arguably also articulate the core beliefs of organizations. Some authors
characterize beliefs controls as positive controls that promote desired behaviors and goals, and boundary controls as
negative controls that restrict and channel managers’ action choices (Widener 2007). � Diagnostic systems aim to motivate employees to execute their assigned responsibilities and to align their behavior
with organizational objectives. These controls serve both to communicate a firm’s critical success factors to its
employees and to monitor implementation of those factors. In this way, managers can focus their attention on the
underlying drivers that enable a firm to realize its intended strategy. Most accounting performance measures, such as
variances, profitability analysis, and return on investment, fall under the realm of diagnostic controls. � Interactive systems serve to validate strategy in changing environments. The associated controls are forward-looking
and are characterized by active and frequent dialogue among top managers. This system of controls aims to help
managers search for new ways to strategically position the firm in an evolving and dynamic market. The focus is on
identifying ‘‘risks and opportunities’’ and on shaping emergent strategy—adapting to a changing business environment—as opposed to intended strategy. In this way, interactive systems are the strategic direction-setting
and boundary-scanning controls that organizations employ.
We can relate Simons’ (1995) framework to other conceptualizations of managerial accounting and control, such as the
analogy of the three-legged stool (Zimmerman 2010). We view the first leg, allocation of decision rights (which maps into
organization structure, both formal and informal), as being part of boundary controls. The second leg, performance
measurement, includes diagnostic controls that communicate goals, motivate effort, and measure outcomes. We relate the
third leg, incentive systems, also to diagnostic systems because as Simons (1995) notes, ‘‘One of the main purposes of diagnostic measurement systems is to eliminate the manager’s burden of constant monitoring. Once goals are established and
people have performance targets on which their rewards will be based, many managers believe they can move on to other
issues, knowing that employees will be working diligently to meet the agreed-upon goals.’’ The LOC framework is arguably broader than the Balanced Scorecard (Kaplan and Norton 1996 ). We view the Balanced Scorecard as containing aspects of
diagnostic controls (which tend to be backward-looking) and interactive controls (which are forward-looking). Describing
the conceptual foundation for the Balanced Scorecard, Kaplan (2009) describes his initial approach to the Balanced
Scorecard as a diagnostic system, but then describes the evolution to using the Balanced Scorecard and associated strategy
map as an interactive system.
Connections
Unsurprisingly, we are not the first to see the connections between the LOC and internal control. While discussing this
link, Simons (1995) frames the role of internal controls within the LOC narrowly. Viewing internal control as standardized
protocols that pertain to accounting and auditing, Simons (1995) considers their primary role to be ensuring reliable accounting
information, catching unintentional errors, and discouraging behavior that could lead to misappropriation of assets and fraud.
He accordingly classifies internal controls into structural, system, and staff-related safeguards. Thus, while the LOC framework
advocates continually adapting controls to manage risks and develop opportunities within an organization’s strategic vision,
internal controls, by themselves, appear to play a limited role.
The official literature on COSO initiatives does not reveal documentation that links it to the LOC. The literature (e.g.,
TCF Working Group 2008; Auditing Standards Committee of the Auditing Section of the American Accounting Association
2003) does recognize the links between the two frameworks, but the discussion is modest (e.g., see Romney and Steinbart
2011, Chapter 6 ). Further, providing feedback on the exposure draft of the 2004 COSO ERM guidelines, the Auditing
Standards Committee of the Auditing Section of the American Accounting Association (2003) recommends ‘‘[e]xpanding this discussion to focus more directly on strategic and operational control activities. For example, Simons’ (1995) Levers of Control discusses types of strategic controls that include elements of the control activities and internal environment components of the framework.’’ Further, our review suggests the view that the 2013 ICIF specifies a list of actionable properties of control systems especially from the operational viewpoint of being able to assess and test them for continued effectiveness. This view is consistent with the primary use of the ICIF as a checklist to assess the adequacy of internal
controls, particularly for small, publicly held companies (in compliance with SOX, see Ramamoorti and Sonnelitter [2012]).
For example, COSO advisory task force member and Director of Accounting for AT&T William Schneider asserted that the
principles provide a ‘‘much more formulaic process to’’ examine if a firm’s internal control practices comply with the ICIF (Tysiac 2012).
68 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
In summary, there is limited exploration of the commonalities in the approaches, although viewed broadly, all share the
aim of identifying and managing operational and strategic risk. 9
However, such integration requires that we relate both the ICIF
principles and the LOC to a common set of questions. Thus, we choose to relate both to decisions (strategic and operational)
that are an integral part of managing a firm. We turn to this task in the next section.
III. MAPPING
Methodology
There are many ways to map the links between the ICIF and the LOC in order to identify commonalities. Such mapping
can take place at a broad conceptual or at a granular level. We choose to adopt the latter because we believe that it has greater
potential to identify points of similarities and differences. Such granularity is already present in the 2013 ICIF, which specifies
three to five principles for each of the five components. Each of the 17 principles, in turn, lists multiple associated points of
focus. However, the LOC framework only provides the four categories of levers, which are necessarily aggregate descriptions
of control mechanisms. Thus, to match the level of detail, we choose to provide greater granularity to the LOC framework.
Several options to achieve this goal exist. One avenue is to list the kinds of controls that belong in each category. For example,
we could list controls such as budgets and variance analyses in the category of diagnostic controls, and items such as codes of
conduct and job descriptions in boundary controls. However, such a list is necessarily incomplete as the number of possible
control mechanisms is large. Moreover, by virtue of its specificity, this approach potentially limits our ability to generalize any
insights. A second approach is to parse controls based on their location—input, process, or output—in a business process and
then use a business process as a core unit of analysis. We believe that, while generalizable, this approach is limited in its ability
to aid in the ensuing mapping process. The primary obstacle is that none of the three frameworks is suited to think about
individual processes. We therefore chose a third approach. Specifically, we put flesh on each category of control by focusing on
associated contexts. This choice is appealing because, following the well-known plan-do-check-act (PDCA) cycle (Deming
1986), the approach emphasizes that control decisions follow planning decisions. Further, most organizations encounter many
of the same contexts, albeit with variation in dimensions such as frequency, complexity, and magnitude.
We issue two caveats. First, the approach relies on judgment. While the number of contexts is infinite, we have to deal with
a manageable set. There is room for disagreement regarding the number of contexts to consider. For each lever, we pick a few
broadly worded contexts that we believe capture its primary domain. The trade-off here is between getting granularity in terms
of contexts and the risk of losing the forest for the trees. There also is room for legitimate disagreements about the ‘‘governing’’ lever of control for any given context. Judgment again comes into play when mapping the ‘‘relevant’’ principles of an ICIF to a given context. Drawing inferences requires yet more judgment, even if one is willing to concede that the mapping is perfect. A
second potential objection to the method is the seeming primacy afforded the LOC framework. We devise contexts as a drill-
down of a lever in the LOC. Thus, by construction, one of the controls of the LOC maps into every context we consider. 10
In
contrast, the mapping of the ICIF takes the contexts as given. The result is that one or more of the contexts might remain
‘‘uncovered’’ by any of the principles of the ICIF. Thus, at first glance it might appear that the LOC is a more ‘‘complete’’ framework than is the ICIF. However, conceptually, one can flip the sequence and seek to map the LOC levers into some
‘‘context’’ associated with each principle of the ICIF, which would potentially reverse the conclusion. We chose our approach because the ICIF is more granular than the LOC. Accordingly, given the goal of identifying control regions with different
emphasis, it is fruitful to impose structure on a general framework and map it to a more detailed rendition than to aggregate a
set of principles.
The effects of judgments on these decisions and the seeming primacy afforded the LOC framework would matter greatly if
we were trying to conduct a ‘‘horse race’’ between competing frameworks. The number, framing, and mapping of constructs could then easily tilt the balance one way or the other. However, such a race is not our goal. Instead, we seek to assess the
salience of the points of contact between the LOC and the ICIF. The greater the salience, even in a crude mapping, the greater
the probability that both approaches consider the same underlying control issues. Conversely, difficulty in mapping some cells
likely indicates settings in which the frameworks do not overlap. Our goal is simply to identify these regions and provide a
picture of the commonalities and distinctions between these frameworks. We believe that the pervasiveness of judgement in our
method does not negate the validity of the broad inferences we draw in this context.
9 In an interview reported in Tysiac (2012), Larry Rittenberg, COSO chair emeritus, indicates that one motivation for updating the ICIF is to address this criticism by providing more operational examples, such as outsourcing.
10 On the other hand, the mapping does not give recognition to the idea that multiple levers might apply to the same context. We also considered and rejected the approach of generating a list of ‘‘exogenous’’ contexts and mapping the frameworks. Due to the general wording of the LOC, at least one lever would apply to virtually any context. Thus, such an approach might again create the impression that the LOC is more complete than the ICIF.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 69
Journal of Management Accounting Research Volume 31, Number 1, 2019
Adding Contexts to the LOC Framework
In this section, we expand the LOC framework by describing some business contexts managed best by a particular lever.
Of course, a firm might use more than one lever to exercise control over a particular decision; our focus is on the primary
mechanism that a firm is likely to employ. Figure 3 lists all of the contexts that we consider for a particular lever.
Recall that beliefs controls are the ‘‘set of organizational definitions that senior managers communicate formally and reinforce systematically to provide basic values, purpose and direction for the organization’’ (Simons 2000, 276). These controls help organizations manage their risk by telling people what to do, thereby aligning employee and organizational values. Mission and vision statements usually accomplish this aspect. However, it is equally important to walk the talk—by their everyday actions and decisions, senior management must emphasize and reinforce organizational values. The latter aspect
(aligning values) is particularly important in organizations (e.g., research labs, religious orders) in which difficulty in measuring
output and/or relating it to inputs renders ineffective the use of output-based controls. Indeed, while technical qualifications are
a necessary condition, cultural fit is the deciding ingredient in the hiring decisions of many high-performing organizations (e.g.,
Google LLC, McKinsey & Company, and Goldman Sachs). Accordingly, we specify three contexts on which beliefs controls
have primary influence. These are (1) specify the values and the goals of the organization, (2) reinforce and formalize
organizational values and goals, and (3) hire and retain personnel.
As noted earlier, boundary controls work primarily by telling people what not to do. These controls are effective because they define the scope of operations. At the business level, these controls help managers avoid product markets that do not leverage core competencies, a strategic risk. Such boundaries are particularly useful in terms of allocating managerial
capacity—a high value resource that is in short supply—and in ensuring what Simons (1995) terms a high return on
management. The allocation of decision rights, a central feature in organization design (Zimmerman 2010), is another boundary control. The organization structure defines the scope of authority available to each organizational unit. Such an
allocation manages risk both by making sure that there is accountability for every potential problem (‘‘everyone’s problem is no one’s problem’’) and by employing the right resources to address the issue. These controls also reduce the risks created by organizational conflicts triggered by uncertain responsibility. In addition to these macro policies, boundary controls also
include prescriptions on individual behavior. Sweeney and Siers (1990) report that over 75 percent of large U.S. firms employ
codes of business conduct, which prescribe off-limit behaviors such as conflicts of interest, illegal acts, and breach of confidentiality. Of course, policies and procedures are not likely to be effective unless there are penalties for crossing the boundaries. In sum, we capture these roles for boundary controls in four contexts: (1) define position in market, (2) specify organization structure, (3) develop policies and procedures, and (4) monitor adherence and specify penalties for deviations.
Diagnostic controls help management with the classic issue of motivating and measuring performance. Thus, in line with
the well-known roles for performance measures (Atkinson, Kaplan, Matsumura, and Young 2011, Chapter 9), we consider the
following contexts: (1) communicate goals, (2) motivate performance, (3) measure performance, (4) evaluate performance, and
(5) take corrective actions. Each of these decisions influences risk. For example, goal setting (a part of motivating performance)
creates performance pressures, and the use of subjectivity (in evaluating performance) raises concerns about perceptions of
FIGURE 3 Contexts Considered: Categorized by Primary Method of Control
70 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
equity and transparency. Further, in the latter contexts, we note that diagnostic controls begin to blur with interactive controls in
that they serve as the early warning systems that alert management to emerging risks and identify the nature of these threats.
Interactive controls ‘‘stimulate and guide emergent strategy’’ (Simons 2000, 304). Senior management accomplishes this goal by scanning for external and internal threats. Monitoring of key measures (often from the diagnostic system) helps evaluate whether the firm is progressing in the desired strategic direction. Management also combats emerging threats and
reinforces desirable strategies by their resource allocation decisions about where to deploy physical, financial, managerial, and
intellectual capital. Accordingly, we consider the following contexts under this group of control: (1) scan for external threats,
(2) scan for internal threats, (3) monitor adherence to strategy execution, (4) evaluate strategic direction, and (5) allocate
resources. Note that we distinguish between whether the current strategy is being implemented and whether the current strategy
is the correct strategy (i.e., allow for emergent strategy). This distinction is important because responses to environmental
changes might cause emergent strategy to differ from intended strategy.
Mapping the Principles in the 2013 ICIF
In this section, we consider the 17 principles and associated points of focus listed in the updated 2013 ICIF. For the
reader’s ready reference, we reproduce an abbreviated listing of the principles and points of focus in Appendix A. As denoted
there, and consistent with Figure 1, the 2013 ICIF groups these principles into five components.
Table 1 summarizes our mapping. The first two columns in this table summarize the levers of control and the associated
contexts/strategy settings, respectively. The next five columns correspond to the components in the ICIF. Cell entries reflect our
judgment regarding the context addressed by a relevant principle and associated points of focus. 11
For example, the notation P1
(F1) in the table refers to point of focus 1 of Principle 1; as indicated in the table, this point of focus of ‘‘set the tone at the top,’’ corresponds to the context, ‘‘specify values and goals.’’
Control Environment
The 2013 ICIF describes the control environment as ‘‘the set of standards, processes and structures that provide the basis for carrying out internal control across the organization,’’ and lists five principles under this component (COSO 2013).
The first principle naturally maps into beliefs controls, as it deals with the ‘‘tone at the top.’’ Reflecting the fuzzy boundary between beliefs and boundary controls, the points of focus listed under this principle include items (‘‘establish standards of conduct’’) that arguably fall into the realm of boundary controls. The principle also provides for periodic monitoring of ethical standards and penalties for deviations. It is important to recognize that this principle and the associated set of attributes do not
cover organizational priorities and vision. That is, they do not chart where management wants the firm to go. Rather, the
principle focuses on commitment to integrity and ethical values, independent of context.
The second principle deals mostly with structural issues of board independence. The principle articulates the appropriate
allocation of decision rights, a boundary control relating to the context ‘‘specify organization structure.’’ However, the principle also requires board oversight of internal control. Accordingly, we view this as another boundary control dealing with the
context ‘‘monitor adherence and specify penalties for deviations.’’ The third principle deals more directly with designing organizational structure, such as establishing reporting relationships
and delineating authorities and responsibilities. We therefore map this control directly to a context—specify organization
structure—within boundary controls.
The fourth principle relates to the management of human resources. At a narrow level, this principle establishes policies
and procedures that comply with labor laws (e.g., designing and implementing a policy of nondiscrimination). This aspect of
the principle therefore deals with boundary controls. At a broader level, we interpret this control as dealing with management
philosophy: What do we believe about people—the key input in any organization—and, what kinds of people do we wish to
attract and retain? We note that the principle hints at the role of organizational objectives (e.g., strategic positioning) in defining
‘‘competent individuals’’ but does not elaborate on this match in the listing of attributes. However, the evaluation aspect seems to imply motivating, measuring, and evaluating performance, and addressing shortcomings corresponds to taking corrective
actions.
The final principle in this component deals with establishing performance measures and linking the measures to incentive
compensation. Thus, this principle primarily maps into the realm of diagnostic controls. Of import, we note for Principle 5, the
point of focus 4 specifically considers threats that arise due to excessive performance pressures, an internal threat. Thus, the
principle recognizes the interactive nature of the performance measurement and incentives process. There also is recognition
11 We do not consider the ‘‘objectives’’ or ‘‘scale’’ sides of the cube; the objectives delineate the goals for the controls and the scale reflects the degree of detail. Perhaps, for this reason, the 2013 ICIF only groups the principles and points of focus by the components.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 71
Journal of Management Accounting Research Volume 31, Number 1, 2019
T A
B L
E 1
M a
p p
in g
th e
2 0
1 3
IC IF
P r in
c ip
le s
a n
d P
o in
ts o
f F
o c u
s to
F o
u r
L e v
e r s
o f
C o
n tr
o l
a n
d A
ss o
c ia
te d
C o
n te
x ts
L ev
e r s
o f
C o
n tr
o l
C o
n te
x ts
C o
m p
o n
e n
ts o
f C
O S
O In
te rn
a l
C o
n tr
o l—
In te
g ra
te d
F ra
m e w
o rk
C o
n tr
o l
E n
v ir
o n
m e n
t R
is k
A ss
e ss
m e n
t C
o n
tr o
l A
c ti
v it
ie s
In fo
r m
a ti
o n
a n
d C
o m
m u
n ic
a ti
o n
M o
n it
o r in
g
B e li
e fs
S p
e c if
y V
a lu
e s
a n
d G
o a ls
P 1
(F 1
) P
1 4
(F 1
)
R e in
fo rc
e V
a lu
e s
a n
d G
o a ls
P 1
(F 2
, F
3 ,
F 4
) P
6 (F
3 -R
)
H ir
e a n
d R
e ta
in P
e rs
o n
n e l
P 4
(F 2
, F
3 )
P 1
2 (F
3 )
B o
u n
d a ry
D e fi
n e
P o
si ti
o n
in M
a rk
e t
S p
e c if
y O
rg a n
iz a ti
o n
S tr
u c tu
re P
2 (F
1 ,
F 2
) P
3 (F
1 -F
3 )
P 5
(F 1
)
P 7
(F 1
, F
2 )
P 1
0 (F
6 )
P 1
6 (F
5 )
D e v
e lo
p P
o li
c ie
s a n
d P
ro c e d
u re
s P
1 (F
2 )
P 4
(F 1
) P
6 (F
2 -O
, F
2 -R
, F
1 -C
,
F 2
-C )
P 1
2 (F
1 ,
F 2
, F
6 )
P 1
4 (F
3 )
P 1
5 (F
3 )
M o
n it
o r
A d
h e re
n c e
a n
d S
p e c if
y
P e n
a lt
ie s
fo r
D e v
ia ti
o n
s
P 1
(F 4
) P
2 (F
1 ,
F 4
)
P 5
(F 2
, F
5 )
P 1
1 (F
3 )
P 1
2 (F
4 ,
F 5
) P
1 6
(F 6
, F
7 )
D ia
g n
o st
ic C
o m
m u
n ic
a te
G o
a ls
P 6
(F 1
-O ,
F 3
-0 ,
F 5
-O )
P 1
4 (F
1 ,
F 4
)
M o
ti v
a te
P e rf
o rm
a n
c e
P 4
(F 3
) P
5 (F
2 )
P 1
6 (F
3 )
M e a su
re P
e rf
o rm
a n
c e
P 4
(F 3
) P
1 0
(F 4
) P
1 1
(F 2
) P
1 3
(F 1
– F
4 )
P 1
4 (F
3 )
E v
a lu
a te
P e rf
o rm
a n
c e
P 4
(F 3
) P
5 (F
2 ,
F 3
) P
1 0
(F 5
) P
1 5
(F 1
) P
1 6
(F 1
, F
7 )
P 1
7 (F
1 )
T a k
e C
o rr
e c ti
v e
A c ti
o n
s P
4 (F
2 )
P 5
(F 5
) P
1 7
(F 3
)
In te
ra c ti
v e
S c a n
fo r
E x
te rn
a l
T h
re a ts
P 7
(F 3
) P
9 (F
1 ,
F 2
) P
1 0
(F 1
, F
3 )
P 1
5 (F
2 )
P 1
6 (F
2 )
S c a n
fo r
In te
rn a l
T h
re a ts
P 5
(F 4
) P
7 (F
3 )
P 8
(F 1
– F
5 )
P 9
(F 2
, F
3 )
P 1
0 (F
2 ,
F 3
) P
1 1
(F 1
) P
1 4
(F 2
) P
1 5
(F 4
) P
1 7
(F 1
, F
2 )
M o
n it
o r
A d
h e re
n c e
to S
tr a te
g y
E x
e c u
ti o
n
P 1
6 (F
6 ,
F 7
)
(a rg
u a b
ly )
E v
a lu
a te
S tr
a te
g ic
D ir
e c ti
o n
P 4
(F 3
) P
6 (F
1 -O
, R
, C
) P
7 (F
4 )
A ll
o c a te
R e so
u rc
e s
P 6
(F 4
-O )
P 7
(F 5
) P
1 1
(F 4
) P
1 3
(F 5
) P
1 5
(F 5
)
T h e
n o ta
ti o n
P 1
(F 1 )
re fe
rs to
p o in
t o f
fo c u s
1 o f
P ri
n c ip
le 1 .
C o n si
st e n t
w it
h th
e 2 0 1 3
IC IF
, w
e g ro
u p
p ri
n c ip
le s
a s
p e r
c o n tr
o l
c o m
p o n e n ts
(s e e
A p p e n d ix
A fo
r a
su m
m a ry
li st
in g ).
U n d e r
th e
c o m
p o n e n t ‘‘
R is
k A
ss e ss
m e n t, ’’
th e
a d d it
io n a l
le tt
e rs
c la
ri fy
th e
sp e c ifi
c k in
d o f
ri sk
— O
p e ra
ti o n a l
(O ),
R e p o rt
in g
(R ),
a n d
C o m
p li
a n c e
(C )—
th a t
re la
te to
a g iv
e n
p o in
t o f
fo c u s.
72 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
that the measures need to be ‘‘relevant’’ with respect to the pursuit of objectives, hinting at the linkage between strategy and performance measures (Kaplan and Norton 1996 ).
Risk Assessment
Identifying and managing the sources of risk is the focus of the four principles in this component of the COSO cube. We
view this step, which identifies risk, as a precursor to the other steps that manage the risks. The broadly specified Principles 6
and 7 perhaps have the clearest link to strategic and operational decisions. Principle 6 requires that organizations have clarity of
purpose in their goals. 12
While the nature of the goal and the ability to quantify it will vary across contexts and organizational
levels, the principle underscores that evaluating risk requires that we specify a relevant goal or benchmark. We observe that this
principle relates closely to the notion of establishing an organization’s risk appetite (Rittenberg and Martens 2012).
Principle 7 builds on this idea and examines whether the controls are sufficient to manage the risk. However, the principle
does not speak to the general source of the risk, especially if it is a strategic risk—whether it deals with asset impairment,
retention of key personnel, and/or franchise risk stemming from noncompliance or loss of market reputation. In our view, it is
likely useful to expand this principle to require that organizations have appropriate processes in place for cataloging the sources
of risk and prioritizing them as to their significance. 13
Principle 8 focuses on a specific kind of internal threat—fraud—that might undermine achieving organizational objectives.
Thus, the focus of this principle is to test the various controls for the opportunity and ease of subverting them. Such testing is
obviously the focus of much of the verification activities pertaining to internal controls over financial reporting performed
under Section 404 of SOX. However, we note that while fraud can be potentially catastrophic, the principle ignores other
aspects, such as risks stemming from overreliance on people, complacency resting from nothing having gone wrong, and the
competitive disadvantage from lack of product innovation and missed opportunities (e.g., Research in Motion, the Canadian
maker of the Blackberry).
Principle 9 considers external aspects of risk and focuses on how changes in the external environment affect internal
control processes. It is mute regarding processes for considering the effect of a change on organizational objectives (and the
associated strategy for accomplishing these changed objectives).
Control Activities
Control activities are ‘‘the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out’’ (COSO 2013). Thus, the three principles in the control activities relate to execution of decisions. As such, they primarily map into diagnostic and interactive controls, which
deal with the implementation of strategic control. Principle 10 is the most general of the three principles and requires the
organization to develop a related set of controls. However, while there is a requirement to integrate the controls with risk
assessments, the link to strategic organizational directives and vision is weak. For example, the principle requires integration
with business processes and the mitigation of risks to acceptable levels; however, the acceptable risk for any given business
process will depend on the overall strategic positioning of the organization and cannot even be specified absent the strategic
context.
Principle 11 deals with the control of (information) technology. While such control is relevant and important, the
associated attributes have more to do with efficient execution and control of business processes than their inherent effectiveness
in supporting strategy. In a similar vein, Principle 12 asks for appropriate people, structures, and policies to be in place for the
efficient execution of processes, and the imposition of appropriate penalties for breach. Accordingly, these principles primarily
relate to the development and monitoring of policies and procedures, which are boundary controls.
Information and Communication
Collecting data, transforming them to information, and communicating them to relevant parties in a timely and cost-
effective fashion is the focus of the three principles related to this component of the COSO cube. We interpret the first principle
(Principle 13) as dealing mostly with diagnostic controls because we see it as devising appropriate performance measures.
12 For this principle, following the ICIF classification, we include additional designations for the specific kind of risk in the ICIF—Operational (O), Reporting (R), and Compliance (C), and subdivide the reporting category into external financial reporting, internal nonfinancial reporting, and internal reporting.
13 In private correspondence, Professor Larry Rittenberg, past chairman, provides insight into COSO’s thinking. He states, ‘‘[COSO] stayed away from specifying too much detail for two reasons: (a) things change over time and we want the Framework to continue to be robust over time—and allow guidance to become more specific, and (b) too much detail hinders the ability of organizations to innovate and determine the best way to meet the objectives and principles. As things change, we don’t pretend to know what the best controls are in each instance.’’
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 73
Journal of Management Accounting Research Volume 31, Number 1, 2019
Without such measures, it is difficult to evaluate operations or to assess risk (a major role for management control). However,
the principle recognizes that control is costly, and puts the onus on management to review the cost effectiveness of the gathered
information periodically. This task is an interactive control as it relates to allocating limited organizational resources to most
effective uses. 14
Principle 14 deals with the communication of information. As such, this principle touches on all four categories of control.
For instance, it requires that firms communicate objectives to personnel. In the context of communicating core values, this
requirement is a beliefs control, but the communication of budget targets falls more into the realm of ‘‘communicate goals,’’ a diagnostic control. The principle also specifies the establishment of separate communication lines (a boundary control), and the
need for involvement by the board regarding internal threats (an interactive control). In sum, this principle recognizes the need
to transfer a wide array of information up, down, and across the organizational hierarchy.
The final principle in this group primarily relates to the communication of performance to external parties and the use of
inbound information to ‘‘scan for external threats’’ (an interactive control). Of course, as with internal communications, the Board plays an important role in the process, and the decision makers consider cost-benefit trade-offs when selecting the
relevant forms of communication.
Monitoring
This component refers to the periodic review to ensure that the internal control system itself is functioning well. Such
review is critical because an unmonitored system degrades over time, exposing the organization to internal and external threats
(Ramamoorti 2009). Reflecting this feedback role, the two principles fall primarily in the realm of diagnostic and interactive
controls. The first principle related to monitoring (Principle 16 ) focuses on developing measures and processes for monitoring
the other components of internal control. Accordingly, the thrust of this control relates to the contexts of measuring and
evaluating performance under the realm of diagnostic controls. However, the principle recognizes the need to adjust the scope
and frequency of such monitoring of internal controls. Thus, we map these two points of focus (7 and 6, respectively) to the
contexts ‘‘monitor adherence’’ in the category of boundary controls. We note that such monitoring has to be dynamic and the outcome of deliberate managerial action—thus, arguably, we could map these points of focus to the context of ‘‘monitor strategy execution’’ in interactive controls provided we broadly view the ‘‘components of internal control’’ as including strategic objectives.
The second principle related to monitoring (Principle 17) emphasizes firms that control deficiencies should identify,
communicate, and act upon control deficiencies. More importantly, the principle underscores the need to monitor the
implementation of corrective actions ( point of focus 3). Thus, we place the identification of weaknesses under diagnostic
controls for ‘‘evaluating performance (of internal controls).’’ The major thrust of this principle, however, relates to the context of ‘‘scanning for internal threats’’ under the category of interactive controls.
Comparison
The mapping exercise in the previous section indicates that the 2013 ICIF partially succeeds in its goal to expand the
framework beyond internal control and financial reporting to more managerial uses. This expansion is consistent with the idea
that the internal audit function has to evaluate and assess controls over strategy, operations, and compliance to promote and
support organizational governance (Anderson et al. 2017). Further, as noted earlier, one of the primary reasons for updating the
original ICIF issued in 1992 is to expand the financial reporting objective to include consideration of management reporting.
This goal included better illustrating operational and compliance objectives, and the associated controls for meeting them (see
the Landsittel and Rittenberg interviews in Tysiac [2012]). One indicator of the success in meeting this goal, at least
directionally speaking, is the extent to which the guidelines map to the individual contexts within the LOC framework. Of
course, it is neither required nor desirable that every component in the COSO cube map to every context—unfilled cells do not
automatically indicate need for improvement. 15
Inspection of Table 1 shows that the guidelines collectively map into virtually every broad context as we conceptualize the
LOC. Moreover, even with the caveat about a count of cells, the proportion of ‘‘filled’’ cells indicates that multiple principles address the same context. Such a multifaceted view of decisions is welcome because we view these contexts as embedded
within larger organizational processes. For example, consider the context ‘‘develop policies and procedures’’ within the realm
14 Simons (1995) uses the word ‘‘interactive’’ in a special way (see Section II) and not in the sense that the levers are interrelated and thus, interactive. COSO seems to adopt the traditional definition and views the five components as interactive in the sense that they rely on each other.
15 For this reason, we do not compute a ‘‘coverage ratio.’’ Such a computation would treat the ICIF 2013-LOC 1995 correspondence table as a sparse matrix, with many cells having small or even no associations (empty cells). Rather, in Section IV, we show how the 2016 ERM systematically fills many of these cells.
74 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
of boundary controls. Not surprisingly, four of five ICIF control components address this integral feature of internal control.
The ICIF considers that policies and procedures take center stage in translating organizational culture into a control
environment, thereby setting an ‘‘actionable’’ stage for audit and assessment. It also underscores the importance of having procedures in place for assessing risk and for communicating the assessments. However, the ICIF does not appear to specify
any monitoring activity that pertains directly to this context, although these control activities should be the subject of periodic
and systematic review.
The expansion of the ICIF to consider external and internal risks is also quite evident. Consider the contexts ‘‘scan for external threats’’ and ‘‘scan for internal threats’’ within the realm of interactive controls. We find that Principle 7 is devoted to assessing risks not only to the viability of internal controls but also to the entity. Moreover, rather than just identifying risks, the
guidelines emphasize developing processes to achieve the ‘‘mitigation of risks to the achievement of objectives to acceptable levels’’ (Principle 10), and emphasizes that the process should ‘‘consider the rate of change’’ (Principle 16, point of focus 2). The ICIF also emphasizes the importance of timely and accurate communication to the board of directors and senior
management (Principle 15, point of focus 3). That said, we find limited emphasis on how the organizational environment and
strategy might contribute to the prevalence of the risk (and thus the need to over- or under-weight this aspect of internal
controls). Moreover, the ICIF appears to construe the object of the risk (e.g., survival, processes, and assets) narrowly. While
Principle 7 is broad in its scope and speaks about ‘‘risks to the achievement of [the organization’s] objectives,’’ Principle 9 (one of the four in the section on risk assessment) appears to narrow the definition of risk to the functioning of internal controls. In
sum, our analysis suggests that the revision of the ICIF has largely been successful in expanding the framework to consider
‘‘managerial’’ issues over and above ensuring the integrity of financial reporting and disclosure.
IV. DISCUSSION AND CONCLUSION
It is easy to argue that the gaps that we identify above are the outcomes of deliberate choices. In particular, COSO arguably
intends an operational role for the ICIF, reserving the ‘‘strategy’’ dimension for the risk management framework, with the two frameworks operating as complements (Chesley, Pett, and Martens 2016 ). We next consider how the Enterprise Risk
Management (ERM) framework relates to the ICIF and the LOC. We begin by providing a brief historical overview of the
ERM.
Enterprise Risk Management (2004 and 2016 Exposure Draft)
COSO recognizes that the original COSO (1992) ICIF considers only operational, financial reporting, and compliance
objectives. The first ERM document (COSO 2004) paves the road for a broader, enterprise-level view by adding another
slice—strategy—to the objectives side of the COSO cube. It also replaced the ‘‘control environment’’ component with three components labeled ‘‘objective setting,’’ ‘‘event identification,’’ and ‘‘risk response.’’ However, many practitioners saw the COSO (2004) ERM framework as overly complex and theoretical, leading to limited acceptance and use in practice (Beasley,
Branson, and Hancock 2010). Accordingly, COSO (2016 ) released the exposure draft (ED) Enterprise Risk Management:
Aligning Risk with Strategy and Performance in June 2016. This document defines enterprise risk management as ‘‘the culture, capabilities, and practices, integrated with strategy and execution that organizations rely on to manage risk in creating,
preserving, and realizing value’’ (COSO 2016 ). The foreword to the ED, referring to the 2013 ICIF, states that ‘‘[T]he two publications are distinct from each other and provide a different focus; neither supersedes the other. However, they do overlap’’ (COSO 2016 ).
16 The executive summary and a sidebar, ‘‘Clearing up a few misconceptions,’’ emphasizes the following points
(COSO 2016 ):
(1) Enterprise risk management is more than a listing of risks; it includes practices that management puts in place to
actively manage risk to appropriate levels.
(2) Enterprise risk management addresses more than internal control to consider issues such as setting strategy,
governance, communicating with stakeholders, and measuring performance.
(3) Enterprise risk management is not a checklist. Organizations can use this set of principles to build specific processes
and to develop a system for monitoring, learning, and improving performance.
(4) Organizations of any size can use the ERM framework. Enterprise risk management applies if an organization has a
mission, a strategy, and objectives—and the need to make decisions under uncertainty.
16 Given its expansive view of objectives, one might view the 2013 ICIF as attempting to reflect all of these sources of risk. However, we argue that it is only the 2016 ERM ED that truly addresses strategic risk, including competitive and franchise risk (i.e., risks to core competencies or processes, which threaten survival) systematically.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 75
Journal of Management Accounting Research Volume 31, Number 1, 2019
The rationale for updating the ERM 2004 Framework and issuing the 2016 ERM ED included, among other things, (1) the
recognition that frameworks for assessing control have the potential for broader use, (2) that certain aspects would benefit from
more depth and clarity, and (3) greater insight into the links among strategy, risk, and performance. Indeed, while the ERM ED
notes that the benefits of integrating enterprise risk management with strategy setting and performance management will vary
by entity, it mentions five general benefits for organizations. They are (1) increase the range of opportunities, (2) identify and
manage entity-wide risks, (3) reduce surprises and losses, (4) reduce performance variability, and (5) improve resource
deployment (COSO 2016, }14). Overall, the claim is that implementing ERM ‘‘will generally help an organization achieve its performance and profitability targets and prevent or reduce the loss of resources’’ (COSO 2016, 4). Thus, we view the ERM as the ‘‘umbrella framework’’ that subsumes the 2013 ICIF.
Interestingly, in a major departure from the 2004 ERM Framework, the 2016 ERM ED has dispensed with the expanded
ERM cube graphical presentation (see Panel B of Figure 1). Further, reflecting its strategic thrust, the 2016 ERM ED clarifies
that the ICIF addresses some common aspects of internal control and therefore, the ERM ED does not discuss them (COSO
2016, }12, p. 5). These aspects include assessment of fraud risk relating to financial reporting objectives, control activities relating to compliance objectives, and the need to conduct ongoing and separate evaluations relating to operations objectives.
However, the ERM ED does develop other aspects of internal control, such as the governance aspects of enterprise risk
management. See Appendix B for a listing of the principles in the 2016 ERM ED.
The Role for the 2013 ERM Exposure Draft
The above discussion supports the perception that there are some control contexts not well addressed by the ICIF. During
the comment period for the COSO ICIF exposure draft (2011–2012), many practitioners commented about the exclusion of
strategic objectives from the ICIF. Lindorff (2012) cites Tim Leech, a managing director at Canadian Consultancy Risk
Oversight, as stating, ‘‘It [the revised ICIF] doesn’t deal at all with forward risk.’’ In its comment letter on the revised ICIF, the Institute of Internal Auditors (IIA 2012, 1) states, ‘‘the first concern is the decision not to further integrate strategic objectives and risk management into the framework.’’ The ERM ED appears to fill in many of these ‘‘gaps,’’ underscoring that the two COSO frameworks are to be read together (Chesley et al. 2016 ).
The ‘‘strategy gap’’ in the ICIF is clearly seen both in the general lack of entries in the general realm of belief controls, defining market position (under boundary controls), and the lack of controls for monitoring strategy (under interactive
controls). The concern is not over how to pick strategy but the implications of the chosen strategy on the criticality and form of
various controls. In this way, this area of need speaks directly to the achievement of objectives. In particular, the principles
enumerated in the control environment seem general in nature, although the nature of the required control depends on, and
flows from, organizational strategy and culture. The COSO (2016, }84, p. 21) ERM ED appears to recognize this when it argues for cataloguing and prioritizing the sources of risk. The COSO (2016, 30) ERM ED also addresses this matter directly in
ERM Principle 2: ‘‘The organization establishes governance and operating structures in the pursuit of strategy and business objectives.’’ For example, relating to belief controls, the organizational culture (‘‘tone at the top’’) and the nature of the external and internal threats differ vastly for a firm that is competing in cloud-computing versus another that competes in a more
established and well-worn product market space (e.g., bricks-and-mortar utilities). The one-person-focused culture of
innovation that makes firms such as Facebook, Inc. and Apple Inc. successful would doom retail firms like Walmart Inc. or Best
Buy Co., Inc. that compete on cost leadership and operational excellence. Thus, we argue that in addition to ‘‘aligning risk with strategy and performance,’’ perhaps the COSO (2016 ) ERM ED should elevate consideration of ‘‘risk culture’’ as well.
The ICIF does not appear to deal directly with the linking of strategy with structure. Management theory indicates that
strategy drives structure (Chandler 1962), has strong effects on the mix of the levers of control (Simons 1995), and determines
the performance measures used (Kaplan and Norton 1996 ). Each of these linkages alters the nature of the problem solved and
thus shapes the nature of the required internal control. One important aspect here is the nature of the firm’s product market. For
example, the process for obtaining and maintaining FDA approval is mission critical for a firm in the medical devices industry,
but maintaining strong brand value is of relatively lower importance. The weightings on regulatory approvals and brand
recognition likely reverse for a garment manufacturer. The 2016 ERM ED addresses the link between strategy and structure in
Principle 10 (‘‘considers risk while establishing business objectives at various levels that align and support strategy’’). It appears beneficial to flesh out this principle to indicate how organization structure aids strategy implementation.
Third, few of the desired set of controls in the ICIF relate to examining the nature of the firm’s ‘‘position in the market’’ (see the first row in boundary controls). However, strategic positioning—identifying and occupying the correct product-market
space or being in the ‘‘blue ocean’’ (Kim and Mauborgne 2004)—is perhaps the greatest driver of value, and missing this aspect is perhaps the greatest threat to a firm. The 2016 ERM ED addresses strategic risk in Principle 7 (‘‘considers potential effects of business context on risk profile’’). Again, providing more context for this principle might help sharpen the linkages with the setting of strategic boundaries.
76 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
Finally, the ICIF does not deal directly with monitoring the execution of strategy (see the interactive controls rows in Table
1). Thus, whether the firm is delivering on the promise is, at best, implicit in the specification of objectives. However, we
believe that ERM Principle 11 (‘‘defines acceptable variation in performance’’), when combined with ERM Principles 22 and
23 devoted to ERM monitoring activities, is an interesting way to bring accountability to strategic performance (Kaplan and
Mikes 2012). We also note that, perhaps reflecting its broader scope, the COSO (2016 }62, p. 16 ) ERM ED also addresses the notion of creating value through ‘‘its ability to repeatedly deliver innovative products.’’ The ERM also addresses this aspect in
the context of a healthcare company (COSO 2016, Figure 3.2, p. 13) confronting an external/environmental influence such as
healthcare legislation reform (COSO 2016, }55, p. 15) and how that would affect business objectives. Our mapping exercise suggests that the 2016 ERM ED acts as a bridge framework that aligns the operational focus of the
2013 ICIF with the conceptual view espoused in the LOC. Consistent with its title, the ERM framework focuses on identifying
and managing both internal and external risks. The emphasis on the processes for identifying risk are similar to the focus of the
ICIF, while the broad conceptualization of risk is more akin to the (implicit) view in the LOC. Specifically, Principles 12–21
(under the subheadings of risk in execution and risk information, communication, and reporting) appear to provide an
actionable basis for developing processes for evaluating risk. Equally, we view Principles 1–11 (under the headings of risk
governance and culture, and risk, strategy, and objective setting) as taking a broader conceptual view of identifying risks
inherent in the strategy formulation process and managing risks via ‘‘soft’’ processes such as culture. It also underscores the
need to identify, monitor, and manage a risk profile arising from a portfolio view of the many sources of risk. Overall, there
appears to be a preference for risk management over risk mitigation. That is, this framework arguably views not having
adequate processes itself rather than deviations from established processes as a source of risk.
However, the mapping does show areas where the ERM appears to fall short in its quest for ‘‘strategic control.’’ Consider
the risks stemming from operational decisions. (See the cells under the column for risk assessment for the rows relating to
interactive controls.) Ideally, controls compel managers to be proactive in ensuring the alignment of operating decisions with
overall strategy. For instance, an effective control system might proactively spur management to optimize its supply chain
rather than focus on having a consistent, documented, and repeatable process for selecting the best supplier. Here, from an
operational perspective, the focus of the ICIF is on the appropriate identification and management of risk related to extant processes (Principles 6 and 7), the prevention/deterrence of fraud (Principle 8), and a reactive approach of asking if internal
controls help managers assess the impact of a change in environment (Principle 9). The ERM ED seems to acknowledge this
observation but arguably does not go far enough. While ERM Principle 2 requires that organizations establish governance and
operating structures in the pursuit of strategy and business objectives, it does not highlight the need for proactive management
of business processes to mitigate risk.
Next, consider the monitoring of controls. An unmonitored system degrades over time, both in terms of effectiveness and
efficiency. Due to its operational focus, the updated ICIF still focuses on controls that pertain to incremental rather than
disruptive change in organizations; it also gives scant attention to monitoring strategy. Our analysis shows that the principles
related to monitoring (see the last column in Table 1) cluster around diagnostic and interactive controls. These controls aid the
execution of the vision outlined in beliefs controls and channeled in boundary control systems. However, even if they occur
infrequently, disruptive changes (or a failure to anticipate and proactively manage such a change) can doom a firm with
otherwise excellent internal controls. Examples include Eastman Kodak Company (failure to understand the impact of digital
cameras on film sales), Blockbuster Entertainment, Inc. (effect of streaming video on DVD rentals), Kmart Corporation
(decimated by big box stores), and Borders Group, Inc. (underestimated the power of e-books). Kaplan and Mikes (2012)
categorize risks as being ‘‘preventable, strategic and external’’ in nature. Disruptive innovations and unpredictable political
events (e.g., Brexit) clearly belong in the category of unpreventable external risks. A key role for management is to identify
such risks speedily and to mitigate their impact. However, while the ERM speaks to processes that contain the adverse effects
of risk, it seems to ignore the idea that environmental shocks also present new opportunities. It would be ideal if the ERM
explicitly identifies processes for assessing risks and opportunities, in concert. After all, as Norman Marks notes in his
comments about the ERM ED, good decisions balance risk and reward. To be fair, the LOC framework also only touches upon
this idea in its discussion of interactive controls, and its distinction between intended and emergent strategy. A similar emphasis
in the ED seems important.
Finally, while the ICIF does discuss performance measures, our reading of the underlying text reveals another issue. The
ICIF appears to view performance measures in isolation. That is, there is a measure for every process but the connections
among processes (across both organizational units and time) do not seem to play a central role. In other words, the ICIF does
not emphasize that strategic risks inform the choice of performance measures. In this context, it is instructive to note that the
very title of the 2016 ERM ED speaks directly to this issue: Enterprise Risk Management: Aligning Risk with Strategy and
Performance. This view is a natural step toward the ideas that performance measures derive directly from the processes required
to implement strategy, as implicit in the LOC framework and as explicated in the Balanced Scorecard.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 77
Journal of Management Accounting Research Volume 31, Number 1, 2019
Concluding Remarks
In this paper, we link three approaches for evaluating organizational control—the 2013 ICIF, the LOC, and the 2016 ERM
ED— that approach the control problem from different vantage points. Such integration is important because it underscores the
commonalities in the three approaches. The integration also underscores that internal auditors, as part of their role to provide
assurance on information used for strategic decisions, arguably are positioned ideally to assess and evaluate internal controls
over strategy, operations, reporting, and compliance.
Our contributions lie in expanding the LOC framework to contexts, mapping to these contexts the principles in the 2013
ICIF, and using the mapping to ascertain areas addressed by the 2016 ERM ED. We view this work as part of the process to
further help refine COSO’s framework for designing, implementing, assessing, monitoring, and reporting on internal control
systems and their effectiveness over time, as well as advance efforts to help organizations in aligning risk with strategy and
performance.
REFERENCES
Anderson, U. L., M. J. Head, S. Ramamoorti, C. Riddle, M. Salamasick, and P. J. Sobel. 2017. Internal Auditing: Assurance and Advisory Services. 4th edition. Lake Mary, FL: Internal Audit Foundation.
Atkinson, A., R. Kaplan, E. M. Matsumura, and S. M. Young. 2011. Management Accounting: Information for Decision Making and Strategy Execution. 6th edition. Upper Saddle River, NJ: Pearson-Prentice Hall.
Auditing Standards Committee of the Auditing Section of the American Accounting Association. 2003. RE: Invitation to Comment on the Enterprise Risk Management Framework. Sarasota, FL: American Accounting Association.
Beasley, M., B. Branson, and B. Hancock. 2010. Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework. Available at: https://www.coso.org/Documents/COSO-Survey-Report-FULL-Web-R6-FINAL-for-WEB-POSTING- 111710.pdf
Berle, A. A., and G. C. Means. 1967. The Modern Corporation and Private Property. 2nd edition. New York: Harcourt, Brace and World. Canada CMA. 2008. Internal Control. Ontario, Canada: CMA. Chandler, A. D., Jr. 1962. Strategy and Structure: Chapters in the History of the American Industrial Enterprise. Cambridge, MA: MIT
Press.
Chesley, D., J. Pett, and F. Martens. 2016. Powerful Complements: The Value of ERM and Internal Control Together. Available at: https:// www.pwc.com/gx/en/services/advisory/consulting/risk/resilience/publications/value-of-erm-and-internal-control-together.html
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1992. Internal Control—Integrated Framework. New York, NY: COSO.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management—Integrated Framework. Available at: https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2006. Internal Control over Financial Reporting: Guidance for Smaller Public Companies. New York, NY: COSO.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2013. Internal Control—Integrated Framework (Framework). Available at: https://www.coso.org/Pages/ic.aspx
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2016. Enterprise Risk Management—Aligning Risk with Strategy and Performance. Available at: https://www.coso.org/documents/COSO-ERM-draft-Post-Exposure-Version.pdf
Deming, W. E. 1986. Out of the Crisis. Boston, MA: MIT Press. Institute of Internal Auditors (IIA). 2012. Response E-Mailed to COSO RE: COSO Internal Control—Integrated Framework Public
Exposure Feedback Questions, December 2011. Available at: https://global.theiia.org/standards-guidance/Public%20Documents/ IIA%20Response%20to%20COSO%20Draft%20Update%20ICFR%20March%2031%202012.pdf
Kaplan, R. S. 2009. Conceptual foundations of the Balanced Scorecard. In Handbook of Management Accounting Research, Volume 3, edited by C. Chapman, A. Hopwood, and M. Shields, 1253–1269. New York, NY: Elsevier.
Kaplan, R. S., and A. Mikes. 2012. Managing risks: A new framework. Harvard Business Review (June): 49–60. Kaplan, R. S., and D. P. Norton. 1996. The Balanced Scorecard. Boston, MA: Harvard Business School Press. Kim, W. C., and R. Mauborgne. 2004. Blue ocean strategy. Harvard Business Review (October): 76–85. Landsittel, D. L., and L. Rittenberg. 2010. COSO: Working with the academic community. Accounting Horizons 24 (3): 455–469. https://
doi.org/10.2308/acch.2010.24.3.455
Lindorff, D. 2012. Building a better ERM. Treasury and Risk Magazine (February). Ramamoorti, S. 2009. 2009 COSO monitoring guidance: Frequently asked questions (FAQs). New Perspectives on Healthcare Risk
Management, Control, and Governance 28 (3): 14–16. Ramamoorti, S. and A. N. Siegfried. 2016. Promoting and Supporting Effective Organizational Governance: Internal Audit’s Role. 2015
IIA Common Body of Knowledge (CBOK) Core Report. Altamonte Springs, FL: Institute of Internal Auditors (IIA) Research Foundation.
78 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
Ramamoorti, S., and R. Sonnelitter. 2012. Sarbanes-Oxley Section 404 for Small, Publicly Held Companies. Chicago, IL: CCH. Ramamoorti, S., A. N. Siegfried, and P. A. White. 2017. Auditing organizational governance. Internal Auditor (February): 57–61. Rittenberg, L. R., and F. Martens. 2012. Understanding and Communicating Risk Appetite. Available at: https://www.coso.org/
Documents/ERM-Understanding-and-Communicating-Risk-Appetite.pdf
Romney, M., and P. Steinbart. 2011. Accounting Information Systems. 12th edition. Upper Saddle River, NJ: Pearson-Prentice Hall. Simons, R. 1994. How new top managers use control systems as levers of strategic renewal. Strategic Management Journal 15 (3): 169–
189. https://doi.org/10.1002/smj.4250150301
Simons, R. 1995. Levers of Control. Boston, MA: Harvard Business School Press. Simons, R. 2000. Performance Measurement and Control Systems for Implementing Strategy. Upper Saddle River, NJ: Prentice Hall. Society of Management Accountants of Canada (SMA Canada). 1999. Corporate Governance: The Role of Internal Control. Emerging
Issues Paper. Mississauga, ON: The Society of Management Accountants of Canada. Sweeney, R. B., and H. L. Siers. 1990. Survey: Ethics in corporate America. Management Accounting 71 (12): 34–40. TCF Working Group. 2008. Tax Control Framework: From a Focus on Risks to Being in Control: A Different Approach. Heerlen, The
Netherlands: Netherlands Tax and Customs Administration.
Tysiac, K. 2012. Internal control, revisited. Journal of Accountancy 213 (3): 24–29. Widener, S. 2007. An empirical analysis of the levers of control framework. Accounting, Organizations and Society 32 (7-8): 757–788.
https://doi.org/10.1016/j.aos.2007.01.001
Zimmerman, J. 2010. Accounting for Decision Making and Control. 7th edition. Chicago, IL: McGraw-Hill/ Irwin.
APPENDIX A
The 17 Principles (P) and Related Points of Focus (F) in the 2013 ICIF17
Control Environment
P1. The organization demonstrates a commitment to integrity and ethical values.
F1. Sets the Tone at the Top
F2. Establishes Standards of Conduct
F3. Evaluates Adherence to Standards of Conduct
F4. Addresses Deviations in a Timely Manner
P2. The board of directors demonstrates independence of management and exercises oversight for the development and
performance of internal control.
F1. Establishes Oversight Responsibilities
F2. Applies Relevant Expertise
F3. Operates Independently
F4. Provides Oversight for the System of Internal Control
P3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.
F1. Considers All Structures of the Entity
F2. Establishes Reporting Lines
F3. Defines, Assigns, and Limits Authorities and Responsibilities
P4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment
with objectives.
F1. Establish Policies and Practices
F2. Evaluates Competence and Addresses Shortcomings
F3. Attracts, Develops, and Retains Individuals
F4. Plans and Prepares for Succession
P5. The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.
F1. Enforces Accountability through Structures, Authorities, and Responsibilities
F2. Establishes Performance Measures, Incentives, and Rewards
F3. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
F4. Considers Excessive Pressures
F5. Evaluates Performance and Reward or Disciplines Individuals
17 Derived from COSO (2016 ). Used with permission.
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 79
Journal of Management Accounting Research Volume 31, Number 1, 2019
Risk Assessment
P6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk
relating to the objectives. (Note: The ICIF maps each of the attributes in P6 to three separate categories:
Operational, Reporting, and Compliance, where the reporting category is further subdivided into external financial
reporting, internal nonfinancial reporting, and internal reporting.)
Operations Objectives F1. Reflects Management’s Choices
F2. Considers Tolerance for Risk
F3. Includes Operations and Financial Performance Goals
F4. Forms a Basis for Committing of Resources
External Financial Reporting Objectives F1. Complies with Applicable Accounting Standards
F2. Considers Materiality
F3. Reflects Entity Activities
External Nonfinancial Reporting Objectives F1. Complies with Externally Established Standards and Frameworks
F2. Considers the Required Level of Precision
F3. Reflects Entity Activities
Internal Reporting Objectives F1. Reflects Management’s Choices
F2. Considers the Required Level of Precision
F3. Reflects Entity Activities
Compliance Objectives F1. Reflects External Laws and Regulations
F2. Considers Tolerances for Risk
P7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis
for determining how the risk should be managed.
F1. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
F2. Analyzes Internal and External Factors
F3. Involves Appropriate Levels of Management
F4. Estimates Significance of Risks Identified
F5. Determines How to Respond to Risks
P8. The organization considers the potential of fraud in assessing risks to the achievement of objectives.
F1. Considers Various Types of Fraud
F2. Assesses Incentives and Pressures
F3. Assesses Opportunities
F4. Assesses Attitudes and Rationalizations
P9. The organization identifies and assesses changes that could significantly impact the system of internal control.
F1. Assesses Changes in the External Environment
F2. Assesses Changes in the Business Model
F3. Assesses Changes in Leadership
Control Activities
P10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement
of objectives to acceptable levels.
F1. Integrates with Risk Assessment
F2. Considers Entity-Specific Factors
F3. Determines Relevant Business Processes
F4. Evaluates a Mix of Control Activity Types
F5. Considers at What Level Activities Are Applied
F6. Addresses the Segregation of Duties
P11. The organization selects and develops general control activities over technology to support the achievement of
objectives.
80 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
F1. Determines Dependency between the Use of Technology in Business Processes and Technology General
Controls
F2. Establishes Relevant Technology Infrastructure Control Activities
F3. Establishes Relevant Security Management Process Control Activities
F4. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
P12. The organization deploys control activities through policies that establish what is expected and in procedures that
put policies into action.
F1. Establishes Policies and Procedures to Support the Deployment of Management’s Directives
F2. Establishes Responsibility and Accountability for Executing Policies and Procedures
F3. Performs in a Timely Manner
F4. Takes Corrective Action
F5. Performs Using Competent Personnel
F6. Reassesses Policies and Procedures
Information and Communication
P13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal
control.
F1. Identifies Information Requirements
F2. Captures Internal and External Sources of Data
F3. Processes Relevant Data into Information
F4. Maintains Quality throughout Processing
F5. Considers Costs and Benefits
P14. The organization internally communicates information, including objectives and responsibilities for internal control,
necessary to support the functioning of other components of internal control.
F1. Communicates Internal Control Information
F2. Communicates with the Board of Directors
F3. Provides Separate Communication Lines
F4. Selects Relevant Method of Communication
P15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
F1. Communicates to External Parties
F2. Enables Inbound Communications
F3. Communicates with the Board of Directors
F4. Provides Separate Communication Lines
F5. Selects Relevant Method of Communication
Monitoring Activities
P16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the
components of internal control are present and functioning.
F1. Considers a Mix of Ongoing and Separate Evaluations
F2. Considers Rate of Change
F3. Establishes a Baseline Understanding
F4. Uses Knowledgeable Personnel
F5. Integrates with Business Processes
F6. Adjusts Scope and Frequency
F7. Objectively Evaluates
P17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior management and the board of directors, as appropriate.
F1. Assesses Results
F2. Communicates Deficiencies
F3. Monitors Corrective Actions
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 81
Journal of Management Accounting Research Volume 31, Number 1, 2019
APPENDIX B
The 23 Principles in the 2016 ERM ED18
Risk Governance and Culture (Mission, Vision, and Core Values)
1. Exercises Board Risk Oversight. The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Governance and Operating Model. The organization establishes governance and operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Organizational Behaviors. The organization defines the desired behaviors that characterize the entity’s core values and attitudes toward risk.
4. Demonstrates Commitment to Integrity and Ethics. The organization demonstrates a commitment to integrity and ethical values.
5. Enforces Accountability. The organization holds individuals at all levels accountable for enterprise risk management, and holds itself accountable for providing standards and guidance.
6. Attracts, Develops, and Retains Talented Individuals. The organization is committed to building human capital in alignment with the strategy and business objectives.
Risk, Strategy, and Objective Setting (Enhanced Performance)
7. Considers Risk and Business Context. The organization considers potential effects of business context on risk profile.
8. Defines Risk Appetite. The organization defines risk appetite in the context of creating, preserving, and realizing value.
9. Evaluates Alternative Strategies. The organization evaluates alternative strategies and impact on risk profile. 10. Considers Risk while Establishing Business Objectives. The organization considers risk while establishing the
business objectives at various levels that align and support strategy.
11. Defines Acceptable Variation in Performance. The organization defines acceptable variation in performance relating to strategy and business objectives.
Risk in Execution (Mission, Vision, and Core Values)
12. Identifies Risk in Execution. The organization identifies risk in execution that impacts the achievement of business objectives.
13. Assesses Severity of Risk. The organization assesses the severity of risk. 14. Prioritizes Risks. The organization prioritizes risks as a basis for selecting responses to risks. 15. Identifies and Selects Risk Responses. The organization identifies and selects risk responses. 16. Assesses Risk in Execution. The organization assesses operating performance results and considers risk. 17. Develops Portfolio View. The organization develops and evaluates a portfolio view of risk.
Risk Information, Communication, and Reporting (Strategy and Business Objectives)
18. Uses Relevant Information. The organization uses information that supports enterprise risk management. 19. Leverages Information Systems. The organization leverages the entity’s information systems to support enterprise
risk management.
20. Communicates Risk Information. The organization uses communication channels to support enterprise risk management.
21. Reports on Risk, Culture, and Performance. The organization reports on risk, culture, and performance at multiple levels of and across the entity.
18 Derived from COSO (2013). Used with permission.
82 Balakrishnan, Matsumura, and Ramamoorti
Journal of Management Accounting Research Volume 31, Number 1, 2019
Monitoring Risk Management Performance (Enhanced Performance)
22. Monitoring Substantial Change. The organization identifies and assesses internal and external changes that may substantially impact strategy and business objectives.
23. Monitors Enterprise Risk Management. The organization monitors enterprise risk management.
APPENDIX C
jmar-51891_Figure 1: http://dx.doi.org/10.2308/jmar-51891.s01
Finding Common Ground: COSO’s Control Frameworks and the Levers of Control 83
Journal of Management Accounting Research Volume 31, Number 1, 2019
Copyright of Journal of Management Accounting Research is the property of American Accounting Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.