An Important Reminder From COSO

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The updated COSO Internal Control–Integrated Framework can be used as a reminder that the root cause of most corporate problems comes either from issues relating to integrity or competence. In other words, the root cause is usually people.

The Control Environment component includes important Principles around both integrity and competence.

i recommend that organizations consider these Principles as high risk unless they can demonstrate through the actions they have taken to treat the risks (I.e., controls) that the risks are at acceptable levels.

Unfortunately, the tools available to test integrity and competence are rude and not always conclusive. But if we take the approach that we have to demonstrate they are at acceptable levels, rather than demonstrate they are not, I think we can go a long way.

What do you think?

Posted on May 30, 2013 by Norman Marks

Share This Article:    

  1. Mark. I think that you are correct in that we internal auditors need to check the internal controls which try and ensure that risks threatening integrity and competence are kept to acceptable levels. I think there are two types of control available. The 'system' controls such as approval of expenses, division of duties, defined levels of approval for major expenditure shouldn't be underestimated. These controls are essential keep the risks of integrity and control in check. I believe the major problem comes with a CEO, possibly aided by a weak board, overriding controls. We all know of 'charismatic' CEOs who have charmed and bullied their companies to considerable success, only to find that success is an illusion. This is where we need the second type of control, those over people. But what do they look like? A strong Audit Committee helps but how do we check the CEO's integrity and competence? Good recruitment procedures, not overridden to get the 'exceptional' candidate plus ...? I'd be interested to see other opinions
  1. it is incredibly easy to demonstate lapses in integrity or competence but incredibly difficult to establish whether these exist in robust fashion such that the risks to achieving the strategic objectives are well managed



  1.  Norman

    Excellent issue. All Chief Audit Executives need to master how to deliver a Governance Audit. Unfortunately, some people refer to commitment to competence as one of the so-called "soft" controls.  This creates the false impression that there are not objective measures of competence.  There are.  At Siemens, we often audited Governance before doing any other type of audit in a new area.  Commitment to competence can be audited by testing, among other things: (a) reporting lines for conflicts of interest; (b) hiring and propmotion processes for objectivity; (c) reward measurement (incentive management) for objectivity and consistency; (d) the qualifications and amounts of time spent by individuals in their respective roles and (e) how the company responded to failures in competence.  I include a little more in my latest post; in case anyone is interested:

    Good idea to get this discussion going further.  Best


  1. Let's be clear, COSO 2013 only benefits the Big 4 firms as they already have an oligopoly.  I have never seen any public or private company say in writing or otherwise  they use it other than for financial accounting and reporting assertion purposes.   If I am wrong please let me know.

    COSO 2013 further entrenches the internal control over financial reporting/accounting oligopoly because management cannot defend control rationalization decisions they should make without another BIG 4 advisory backing them up against an already PCAOB beaten-up backdrop that is extending to the next 4 firms.

    Norman/Tim/Arnold, thanks the sane and passionate pleas, but it has just gotten worse.  Time to focus our work on creating shareholder value.





    Norman this makes it worse as no one can challenge

  1.  Hi, Norman:  The principle you discuss reminds me of a parallel situation that we're facing here in America. Are the Declaration of Indepence and Constitution outdated? Should we scrap the separation of powers model including the design of the Senate and House?  In my opinion absolutely not. It's not the model that has lost its efficacy. It's the integrity of the individuals who hold theoffices and their focus on serving "we the people".

Leave a Reply