MAY 2014 / THE CPA JOURNAL 54
MANAGEMENT
not-for-profit organizations

COSO’s Updated Internal Control and Enterprise Risk Management Frameworks
Applying the Concepts to Governments and Not-for-Profit Organizations
By Jill M. D’Aquila and Robert Houmes

In May 2013, the Committee of Sponsoring Organizations (COSO) published its revised edition of the Internal Control–Integrated Framework (IC Framework). COSO’s actions were in direct response to the changing demands of the business environment over the 20 years since the original framework was issued in 1992 (see “COSO’s Internal Control–Integrated Framework: Updating the Original Concepts for Today’s Framework” by Jill M. D’Aquila in the October 2013 CPA Journal for a complete description of the IC Framework).

A noticeable change in the updated IC Framework is the inclusion of 17 principles to provide detail on applying existing components. PricewaterhouseCoopers has stated that “these principles are relevant for a variety of entities, public, private, not-for-profit” (PWC Dataline, May 14, 2013). Accordingly, while the business community is paying attention to the updated COSO Framework, not-for-profit organizations (NFPOs) and governments are also focusing on it.
The IC Framework is intended to provide a conceptual blueprint for a variety of NFPOs. COSO explicitly points out that reliable financial reporting, one of three objectives of internal control, also applies to NFPOs. COSO states “since these entities’ purpose is other than realizing and generating a profit, they may prepare other financial reporting for donors, government agencies, or other third parties in order to raise funds to support stated causes, not necessarily in accordance with specific standards or regulations” (COSO, Internal Control–Integrated Framework, public exposure draft, 2012). In addition, NFPOs may be required to file annual reports (IRS Form 990, Return of Organization Exempt from Income Tax).
The IC Framework also applies to governmental entities at all levels. The current economy requires governments to do more with fewer resources. Governments face growing budget pressures, as well as other internal and external pressures. Competing priorities can have a negative impact on a government’s efficiency; in fact, 85% of federal managers surveyed in a 2012 study from the Government Business Council, sponsored by Deloitte (“Cutting Costs, Inside the Effort to Improve Efficiency”), said that competing priorities are the most significant impediment to reducing inefficiency in their agency. Only 29% of federal managers surveyed graded their own agency’s overall efficiency at least a B, and only 16% gave the federal government at least a B. Governmental entities are also expected to improve operations and implement new technologies. Thus, there is a strong focus on internal control tools that can adapt to such demands and changes.
Updating the Green Book for Modernized Internal Control Standards

In response to challenges facing governmental entities, as well as NFPOs, the Government Accountability Office (GAO) in September 2013 proposed changes to Standards for Internal Control in the Federal Government, also known as the Green Book. The proposed revisions are designed to represent a modernized version of internal control standards. It is the third such revision since the GAO first issued these standards in 1983 as a result of the Federal Managers’ Financial Integrity Act (FMFIA), which requires the GAO to issue standards for internal control. The revised Green Book retains the same standards conceptually, because it includes the same five internal control components. It now also introduces the IC Framework’s 17 principles. COSO indicated that the principles are broad because they are intended to apply to a wide variety of organizations, including governmental organizations and NFPOs. Accordingly, the GAO adapted these principles for the government environment.
Risk as the Primary Criterion: ERM

An overall objective of internal control is to help entities achieve their mission, including the best outcome at the best value for taxpayers and donors. Deloitte, in its “2013 Federal CFO Insights,” states, “Given that consideration of risk is the primary design criteria for internal controls, CFOs should fully leverage the organization’s Enterprise Risk Management (ERM) Framework and risk assessment results to routinely assess the effectiveness of existing internal controls and provide a basis for moderating their design for optimum cost and efficiency.” COSO issued the ERM Framework in 2004 in order to enhance risk management and improve the internal control process. ERM was intended to be more comprehensive and, among other things, to enhance the important risk assessment component of the original framework. Specifically, ERM expands the “Risk Assessment” component of COSO’s IC Framework into “Objective Setting,” “Event Identification,” and “Risk Assessment,” and it also adds a “Risk Response” component (see the Exhibit).
The IC Framework defines risk assessment as follows: “Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.” Principles 6 through 9 address risk assessment:

■ Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
■ Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how they should be managed.
■ Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
■ Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Ultimately, COSO’s ERM Framework deals with risk avoidance, acceptance, sharing, and reduction, whereas COSO’s IC Framework deals primarily with risk reduction. In COSO’s Internal Control–Integrated Framework executive summary, chair David L. Landsittel states that “the ERM Framework and recently updated Internal Control–Integrated Framework are intended to be complementary, and neither supersedes the other.”
While corporations are increasingly focusing on risk oversight, the AICPA pointed out in a “Government Accountability Brief” (February 2010) that all types of organizations, including governmental entities, need to focus on risk. “No organization is immune to risks affecting the entity’s existence and its ability to fulfill mission critical objectives.” Government agencies face unique, and, at times, new risks as they oversee programs. The ERM Framework, which is sometimes thought of as a corporate-focused paradigm, is also relevant for governmental entities and NFPOs. “It’s merely the context that creates differences in how governments implement key ERM concepts at the tactical level: governments don’t have stockholders, but they have stakeholders (e.g., taxpayers, funding agencies, Congress, etc.). Similarly, governmental entities don’t seek to maximize profits for stockholders, but they do seek to deliver mission critical services for stakeholders.” The same can be said for NFPOs.
Don Dixon, director, Deloitte & Touche LLP, also noted the following:

Like other enterprises, federal agencies are under intense pressure to manage strategic, regulatory, security and reputational risks, just for starters. But in some ways, federal risk oversight can be even more complex than the challenge faced by private corporate boards. How do cabinet secretaries and other senior leaders gain the clear view they need to uphold public trust and congressional expectations when departmental risk management is widely dispersed among large, often independent administrations? (“Federal CFO Insights: Aligning Internal Controls and Enterprise Risk Management Frameworks,” Deloitte, 2013)
Seven Risk Areas

Deloitte identified the following seven major areas of risk affecting federal agencies:

■ Reputation
■ Political
■ Key infrastructure
■ Human capital
■ Compliance and regulatory
■ Transparency and accountability
■ Information technology. (Deloitte 2013)

Some of these risks are also applicable to other areas of government and NFPOs. Examples of how the COSO frameworks apply are detailed below.
EXHIBIT
Relationship of ERM and Internal Control
Source: Adapted from “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf

Reputation risk. An impaired reputation can significantly impact both government entities and NFPOs. Both frameworks begin with the control environment (IC Framework) or internal environment (ERM Framework), the foundations for all other components. In fact, the first principle of the IC Framework (Control Environment) relates to the integrity and ethical values of an organization. A central element is the ethical disposition of senior managers. The reputation of an entity is a function of the reputation of its leadership. In a recent interview on the updated IC Framework transition, PricewaterhouseCoopers partner Chuck Harris stated that, for many organizations, the focus to date has been on control activities. Hence the principles-based updated IC Framework may promote the softer side of COSO, including the control environment component (http://www.pwc.com/us/en/cfodirect/standard-setters/coso/index.jhtml).
Political risk. Government agencies face unique challenges in managing risks related to changing political priorities that may affect funding, as well as overall performance. NFPOs are impacted as well, given the numerous government grants many rely upon. Changing political priorities can affect the availability of funds. Principles 7 and 9 of the IC Framework, described earlier, are particularly relevant here, as both refer to external factors, such as economic and regulatory factors. An entity needs to adapt to these changes by adjusting its priorities and business processes. Although political risk may largely be beyond an entity’s ability to directly control, organizations should attempt to forecast potential events that could impact their mission and objectives. “By enhancing capability to identify potential events and establish responses,” COSO has stated, “the organization reduces the risk of unwanted surprises and their associated cost or losses” (“Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” 2014). Rather than reacting to the effects of adverse political events after the fact, entities should proactively manage political risk using the concepts from both COSO frameworks.
Key infrastructure risk. Government agencies must identify and manage risks associated with key infrastructure. Principles relating to “Control Activities” (IC Framework) are particularly relevant. These principles relate to selecting and developing controls to mitigate risk; selecting and developing general controls over technology; and implementing these controls through policies that establish expectations. Governments must protect critical installations and facilities. For example, only authorized employees should have access to key facilities, such as electric utilities, water treatment plants, and ports of entry. Management must maintain policies and procedures to monitor and regulate key infrastructure operations. Governments with typically large IT infrastructures must secure the privacy and integrity of information. The IC Framework specifically states that restricted access is critical whenever technology is an integral part of an entity’s operations.
Human capital risk. Human capital can account for a large portion of operating costs and can significantly impact an organization’s bottom line. Risks include managing issues related to sufficient knowledge and training; an aging employee base; decreases in retirement funding; underfunded defined benefit pension plans; and employee morale. A key principle of the Control Environment (IC Framework) is an organization’s commitment, as described in Principle 4, to attract, develop, and retain competent individuals in support of the organization’s objectives. Principle 4 addresses such issues as mentoring and training programs, as well as evaluating competence across the organization. Similarly, human resources are a key element of “Internal Environment” (ERM Framework). The integrity and competency of employees is one of the most effective controls for reducing risk.

Entities should forecast the need for future human capital. Trends in population affect both the needs of citizens for government-provided services and the tax revenues received from these citizens. These trends are a critical consideration in acquiring the necessary resources to meet future demand, as well as in managing human capital risks. Similarly, NFPOs should attempt to predict the effects of demographic changes on mission-related capabilities. For example, charities should attempt to identify and estimate the economic and social factors affecting a population’s propensity to donate.
Compliance and regulatory risk. Compliance is especially important for governments since laws and regulations often determine their mission and structure. NFPOs are also subject to unique compliance and reporting requirements. In order to qualify for tax-exempt status, NFPOs must comply with relevant tax provisions. An important component of both COSO frameworks is the requirement that entities comply with applicable regulations, rules, and laws. To mitigate compliance and regulatory risk, entities must first be knowledgeable about the rules, regulations, laws, and reporting requirements, as clearly stated in the IC Framework. Funding from the U.S. government can also require audits, as per the Single Audit Act and OMB Circular A-133. To reduce regulatory and compliance risk, however, NFPOs should consider obtaining audits regardless of their legal requirements. “The Guide to Not-for-Profit Governance” is a useful summary of tax and other governance issues from Weil, Gotshal & Manges LLP (http://www.pbpatl.org/wp-content/uploads/2012/10/NFPGuide_2012.pdf).
Transparency and accountability risk. Because governments exist for the public good and derive their financing from taxpayers, transparency and accountability regarding finances is paramount. When discussing proposed changes to the Green Book, Jim Dalkin, director of the financial management and assurance team at the GAO, stated—

the bottom line really is about accountability and transparency. I think internal controls are critical if you think of any of the major events that happened during the course of a year where maybe government funds have to be spent very quickly. It’s very important to have those internal controls so you do have accountability.

In a similar sense, NFPOs that compete for voluntary donations and grants benefit from increased visibility regarding their use of donated funds.

Principle 2 of the IC Framework (Oversight Responsibility) states that the board of directors should provide oversight for internal controls. It also points out that transparency reinforces accountability of senior management and the board. The AICPA points out that the audit committee of a government unit plays a very important role in helping to ensure accountability and compliance:

At no time in recent memory is the need for an effective audit committee in government more important than now. With looming budget shortfalls, program cuts and employee layoffs, government units are wrestling with maintaining services with fewer resources. Government officials need to diligently assess the need for expenditures and ensure that revenues are received timely and managed correctly. (“Audit Committee Brief,” Jul. 15, 2011)

Principles 14 (Internal Communication) and 15 (External Communication) of the IC Framework are also relevant. Voluntarily published reports can reduce transparency and accountability risk. For example, reports that document the percentage of donated dollars that go to victims reduce the risks associated with a lack of transparency. Reports that improve decision making or identify variances from standards can provide evidence to support and justify funding needs. In light of the recent impetus to reduce budgets at state and local levels, this objective may be particularly significant for governments. Principle 10 (Selecting and Developing Control Activities) identifies a number of business process control activities that relate to transparency and accountability risk for both governments and NFPOs. These controls relate to authorizations, verifications, physical controls, controls over standing data, reconciliations, and supervisory controls.

COSO’S SUGGESTIONS ON USING BOTH FRAMEWORKS AND EXAMPLES IN PRACTICE

COSO’s suggestion: Ensure ERM is integrated with core management processes.
Example in practice: The Department of Homeland Security has a Risk Steering Committee to ensure that risk management is consistent throughout the agency.

COSO’s suggestion: Improve the dialogue about risk tolerance between senior management and the board of directors, as well as downward throughout the organization.
Example in practice: The Information Analysis and Infrastructure Protection (IAIP) Directorate developed benchmark threat scenarios to analyze potential attacks relating to critical infrastructure assets.

COSO’s suggestion: Strengthen the risk culture by improving the control environment (IC Framework) or internal environment (ERM Framework).
Example in practice: The Department of Health and Human Services created a “Secretary’s Council on Program Integrity” to look at areas, including Medicare and public health grants, and conduct risk assessments of those programs most vulnerable to fraud or abuse.

COSO’s suggestion: Improve the identification, prioritization, and response to risk by structuring risk assessment according to characteristics of the risks being assessed and by assigning risk assessment to appropriate management.
Example in practice: The Department of Energy has a “Risk Management Guide” that defines key roles relating to risk, as well as a chain of authority and communication for risk management decisions.

COSO’s suggestion: Strengthen internal controls using COSO’s 17 principles.
Example in practice: The GAO proposed revisions to the Green Book that incorporate these 17 principles.

COSO’s suggestion: Integrate both frameworks in the organization.
Example in practice: The Centers for Disease Control implemented a risk management framework which partially resembles COSO’s ERM Framework. The CDC Internal Controls Program is a bottom-up strategy for assessing risk and supports the broader, top-down approach to ERM.
Information technology risk. The increased use of information technology leads to increased risks. As municipalities grow, information systems must adapt to meet future requirements. Online donors to NFPOs expect their information to be secure. Information technology risk exposure is especially great for large federal agencies that process large amounts of data. Both COSO frameworks play a key role with information technology risk. Principle 11 (General Control Activities over Technology) of the IC Framework includes a discussion of technology general controls, technology infrastructure, security management processes, and technology acquisition, development, and maintenance processes. Steve Shafer, IT administrator of finance for the Nebraska state chief information officer, points out that although most of the literature on internal controls focuses on financial systems, organizations can also apply internal control concepts to information technology; for example, an application development team can use these strategies to identify weaknesses relating to cost overruns. The team can address cost overruns using a system that tracks resources used versus deliverables. In addition, risk assessment can be used to identify weaknesses that could potentially lead to a loss of information technology services.
Improving Performance and Governance

In February 2014, COSO released “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” which illustrates how both frameworks can enhance organizational performance and governance for sustainable success. COSO provides specific suggestions (summarized in the sidebar, COSO’s Suggestions on Using Both Frameworks and Examples in Practice) on using both frameworks. Several of these suggestions are already in place at government agencies.

COSO described the frameworks as follows:

Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose—to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise’s value creation and value protection activities. Therefore, both [frameworks] facilitate and support the governance process when implemented effectively (p. 6).

While applications will vary according to the particular risk profiles of each entity, both frameworks provide a conceptual foundation from which governments and NFPOs may proactively design, implement, and sustain efficient and effective risk management initiatives, including the application of appropriate controls that mitigate the risk to missions and objectives.
Jill M. D’Aquila, PhD, CPA, and Robert Houmes, PhD, CMA, are both associate professors of accounting in the Davis College of Business at Jacksonville University, Jacksonville, Fla.
Copyright of CPA Journal is the property of New York State Society of CPAs and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.