Since one of the three components of the COSO internal control over financial reporting is effectiveness and efficiency of operations – which includes financial performance measures and safeguarding of assets – one would think those involved in manufacturing operations would know about the COSO Internal Control Framework. That does not seem to be the case.
By Steven Ulmer, CPA (inactive), CISA, CIRM
In an admittedly unscientific sample, I have not found one person in manufacturing operations who knows about the COSO Internal Control Framework. I contacted several prominent people, and not one knew what I was talking about. All of them had to google COSO before we could continue our discussion.
Since one of the three components of the COSO internal control over financial reporting (ICFR) is effectiveness and efficiency of operations – which includes financial performance measures and safeguarding of assets – one would think what I found in my sample should not be the case.
Since the three COSO objectives overlap, a siloed approach creates concerns. One significant concern would be whether there is enough information and communication to carryout internal control responsibilities for meeting business objectives. There may be inconsistencies in design and implementation of controls without overall coordination. In doing research, I came across mention of significant control issues requiring coordination, including difficulties in getting data within department, across enterprise, from customers and suppliers, and a lack of IT/OT (information technology/operating technology) interaction. All this results in digital transformation failures.
One of my finance contacts offered his opinion that operations would be more effective and efficient using COSO ICFR. His feedback was a restatement of the various components, such as clear objectives, assessing risks to objectives, controls in place to facilitate achievement of objectives, right information/key performance indicators in place, and monitoring to determine that as things change the objectives, risks, controls, and information requirements change accordingly. I do not think operations would argue with the need for any of the above. Instead, their response would be that they believe this is what they are already doing. Such a view may indicate a lack of understanding on the part of finance of the operational part of the business.
I am not expressing an opinion as to whether I agree or disagree with the reasons cited by my finance and manufacturing operations contacts for the lack of knowledge or support from operations. With that caveat, here are the more prominent reasons they mentioned:
The purpose of this blog is to start a conversation. I realize some people may not perceive a problem with the status quo while others may believe the COSO ICFR is not appropriate for manufacturing operations, but there needs to be better coordination. In my judgment, there is value in conversations between finance and operations. I encourage COSO to reach out to organizations such as those cited earlier in the article to determine if there is an opportunity to work together on an issues paper. If nothing else, there is benefit in getting different viewpoints because it may lead to outcomes that are different than the way things have been done in the past (diversity of thought). It may be worthwhile to explore the value of concepts such as design thinking, lean, and agile on the way internal controls are designed, implemented, and coordinated.
Key questions to address are as follows:
I would be interested in your comments and constructive feedback.
Steven Ulmer, CPA (inactive), CISA, CIRM, is a part-time adjunct associate professor of accounting. He can be reached at sulmer13@gmail.com.
Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained in herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.