M A N A G E M E N T

not-for-profit organizations

COSO’s Updated Internal Control and

Enterprise Risk Management
Frameworks
Applying the Concepts to Governments and Not-for-Profit Organizations
By Jill M. D’Aquila and Robert Houmes

n May 2013, the Committee of Sponsoring Organizations Control–Integrated Framework: Updating the Original Concepts

I (COSO) published its revised edition of the Internal

Control–Integrated Framework (IC Framework). COSO’s
actions were in direct response to the changing demands of
the business environment over the 20 years since the original
framework was issued in 1992 (see “COSO’s Internal
for Today’s Framework” by Jill M. D’Aquila in the October 2013
CPA Journal for a complete description of the IC Framework).
A noticeable change in the updated IC Framework is the inclu-
sion of 17 principles to provide detail on applying existing com-
ponents. PricewaterhouseCoopers has stated that “these principles

54 MAY 2014 / THE CPA JOURNAL

are relevant for a variety of entities, pub-
lic, private, not-for-profit” (PWC Dataline,
May 14, 2013). Accordingly, while the
business community is paying attention to
the updated COSO Framework, not-for-
profit organizations (NFPO) and govern-
ments are also focusing on it.
The IC Framework is intended to pro-
vide a conceptual blueprint for a variety of
NFPOs. COSO explicitly points out that
reliable financial reporting, one of three
objectives of internal control, also applies
to NFPOs. COSO states “since these enti-
ties’ purpose is other than realizing and
generating a profit, they may prepare other
financial reporting for donors, government
agencies, or other third parties in order to
raise funds to support stated causes, not
necessarily in accordance with specific
standards or regulations” (COSO, Internal
Control–Integrated Framework, public
exposure draft, 2012). In addition, NFPOs
may be required to file annual reports (IRS
Form 990, Return of Organization Exempt
from Income Tax).
The IC Framework is applicable also
to governmental entities at all levels. The
current economy requires governments to
do more with fewer resources.
Governments face growing budget pres-
sures, as well as other internal and exter-
nal pressures. Competing priorities can
have a negative impact on the govern-
ment’s efficiency; in fact, 85% of federal
managers surveyed in a 2012 study from
the Government Business Council, spon-
sored by Deloitte (“Cutting Costs, Inside
the Effort to Improve Efficiency”), said that
competing priories are the most significant
impediment to reducing inefficiency in
their agency. Only 29% of federal man-
agers surveyed graded their own agency’s
overall efficiency at least a B, and only
16% gave the federal government at least
a B. Governmental entities are also expect-
ed to improve operations and implement
new technologies. Thus, there is a strong
focus on internal control tools that can
adapt to such demands and changes.
Updating the Green Book for
Modernized Internal Control Standards
In response to challenges facing gov-
ernmental entities, as well as NFPOs, the
Government Accountability Office (GAO)
in September 2013 proposed changes to
Standards of Internal Control in the
MAY 2014 / THE CPA JOURNAL
Federal Government, also known as the
Green Book. The proposed revisions are
designed to represent a modernized version
of internal control standards. It is the third
such revision since the GAO first issued
these standards in 1983 as a result of the
Federal Manager’s Financial Integrity Act
COSO explicitly points out that reliable financial
reporting, one of three objectives of internal control,
also applies to NFPOs.
(FMFIA), which requires the GAO to issue
standards for internal control. The GAO
retains the same standards conceptually,
because it includes the same five internal
control components. It now also introduces
the IC Framework’s 17 principles. COSO
indicated that the principles are broad
because they are intended to apply to a
wide variety of organizations, including
governmental organizations and NFPOs.
Accordingly, the GAO adapted these prin-
ciples for the government environment.
Risk as the Primary Criteria: ERM
An overall objective of internal control
is to help entities achieve their mission,
including the best outcome at the best value
for taxpayers and donors. Deloitte, in its
“2013 Federal CFO Insights,” states,
“Given that consideration of risk is the pri-
mary design criteria for internal controls,
CFOs should fully leverage the organiza-
tion’s Enterprise Risk Management (ERM)
Framework and risk assessment results to
routinely assess the effectiveness of exist-
ing internal controls and provide a basis
for moderating their design for optimum
cost and efficiency.” COSO issued the
ERM Framework in 2004 in order to
enhance risk management and improve the
internal control process. ERM was
intended to be more comprehensive and,
among other things, enhance the important
risk assessment component of the original
framework. Specifically, ERM expands the
“Risk Assessment” component of COSO’s
IC Framework into “Objective Setting,”
“Event Identification,” and “Risk
Assessment,” and it also adds a “Risk
Response” component (see the Exhibit).
The IC Framework defines risk assess-
ment as follows: “Risk assessment involves
a dynamic and iterative process for iden-
tifying and analyzing risks to achieving the
entity’s objectives, forming a basis for
determining how risks should be man-
aged.” Principles 6 through 9 address risk
assessment:
n Principle 6: The organization specifies
objectives with sufficient clarity to enable
the identification and assessment of risks
relating to objectives.
n Principle 7: The organization identifies
risks to the achievement of its objectives
across the entity and analyzes risks as a
basis for determining how they should be
managed.
n Principle 8: The organization considers
the potential for fraud in assessing risks
to the achievement of objectives.
n Principle 9: The organization identifies
and assesses changes that could significant-
ly impact the system of internal control.
Ultimately, COSO’s ERM Framework
deals with risk avoidance, acceptance, shar-
ing, and reduction, whereas COSO’s IC
Framework deals primarily with risk reduc-
tion. In COSO’s Internal Control–
Integrated Framework executive summa-
ry, chair David L. Landsittel states that “the
ERM Framework and recently updated
55
Internal Control–Integrated Framework are
intended to be complimentary, and nei-
ther supersedes the other.”
While corporations are increasingly focus-
ing on risk oversight, the AICPA pointed out
in a “Government Accountability Brief”
(February 2010) that all types of organiza-
tions, including governmental entities, need
to focus on risk. “No organization is immune
to risks affecting the entity’s existence and
its ability to fulfill mission critical objectives.”
Government agencies face unique, and, at
times, new risks as they oversee programs.
The ERM Framework, which is sometimes
thought of as a corporate-focused paradigm,
is also relevant for governmental entities and
NFPOs. “It’s merely the context that cre-
ates differences in how governments imple-
ment key ERM concepts at the tactical level:
governments don’t have stockholders, but
they have stakeholders (e.g., taxpayers, fund-
EXHIBIT
Relationship of ERM and Internal Control
Source: Adapted from “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,”
http://www.coso.org/documents/2014-2-10-COSO%20Thought%20Paper.pdf
56
ing agencies, Congress, etc). Similarly,
governmental entities don’t seek to maxi-
mize profits for stockholders, but they do
seek to deliver mission critical services for
stakeholders.” The same can be said for
NFPOs.
Don Dixon, director, Deloitte & Touche
LLP, also noted the following:
Like other enterprises, federal agencies are
under intense pressure to manage strate-
gic, regulatory, security and reputational
risks, just for starters. But in some ways,
federal risk oversight can be even more
complex than the challenge faced by pri-
vate corporate boards. How do cabinet
secretaries and other senior leaders gain
the clear view they need to uphold pub-
lic trust and congressional expectations
when departmental risk management is
widely dispersed among large, often inde-
pendent administrations? (“Federal
CFO Insights: Aligning Internal Controls
and Enterprise Risk Management
Frameworks,” Deloitte, 2013)
Seven Risk Areas
Deloitte identified the following seven major
areas of risk affecting federal agencies:
n Reputation
n Political
n Key infrastructure
n Human capital
n Compliance and regulatory
n Transparency and accountability
n Information technology. (Deloitte 2013)
Some of these risks are also applicable
to other areas of government and NFPOs.
Examples of how the COSO frameworks
apply are detailed below.
Reputation risk. An impaired reputation
can significantly impact both government
entities and NFPOs. Both frameworks
MAY 2014 / THE CPA JOURNAL
begin with the control environment (IC
Framework) or internal environment (ERM
Framework), the foundations for all other
components. In fact, the first Principle of
the IC Framework (Control Environment)
relates to the integrity and ethical values
of an organization. A central element is the
ethical disposition of senior managers. The
reputation of an entity is a function of the
reputation of its leadership. In a recent
interview on the updated IC Framework
transition, PricewaterhouseCoopers partner
Chuck Harris stated that, for many orga-
nizations, the focus to date has been on
control activities. Hence the principles-
based updated IC Framework may promote
the softer side of COSO, including the con-
trol environment component (http://www.
pwc.com/us/en/cfodirect/standard-
setters/coso/index.jhtml).
Political risk. Government agencies face
unique challenges in managing risks relat-
ed to changing political priorities that
may affect funding, as well as overall
performance. NFPOs are impacted as well,
given the numerous government grants
many rely upon. Changing political prior-
ities can affect the availability of funds.
Principles 7 and 9 of the IC Framework,
described earlier, are particularly relevant
here, as both refer to external factors,
such as economic and regulatory factors.
An entity needs to adapt to these changes
by adjusting their priorities and business
processes. Although political risk may
largely be beyond an entity’s ability to
directly control, organizations should
attempt to forecast potential events that
could impact its mission and objectives.
“By enhancing capability to identify poten-
tial events and establish responses,” COSO
has stated, “the organization reduces the
risk of unwanted surprises and their asso-
ciated cost or losses” (“Improving
Organizational Performance and
Governance, How the COSO Frameworks
Can Help,” 2014). Rather than reacting to
the effects of adverse political events after
the fact, entities should proactively man-
age political risk using the concepts from
both COSO frameworks.
Key infrastructure risk. Government
agencies must identify and manage risks
associated with key infrastructure.
Principles relating to “Control Activities”
(IC Framework) are particularly relevant.
These principles relate to selecting and
MAY 2014 / THE CPA JOURNAL
developing controls to mitigate risk;
selecting and developing general controls
over technology; and implementing these
controls through policies that establish
expectations. Governments must protect
critical installations and facilities. For
example, only authorized employees
should have access to key facilities,
such as electric utilities, water treatment
Government agencies must identify and manage
risks associated with key infrastructure. Principles
relating to “Control Activities” (IC Framework) are
particularly relevant.
plants, and ports of entry. Management
must maintain policies and procedures to
monitor and regulate key infrastructure
operations. Governments with typically
large IT infrastructures must secure the
privacy and integrity of information. The
IC Framework specifically states that
restricted access is critical whenever tech-
nology is an integral part of an entity’s
operations.
Human capital risk. Human capital can
account for a large portion of operating
costs and can significantly impact an orga-
nization’s bottom line. Risks include
managing issues related to sufficient
knowledge and training; an aging employ-
ee base; decreases in retirement funding;
underfunded defined benefit pension plans;
and employee morale. A key principle of
the Control Environment (IC Framework)
is an organization’s commitment, as
described in Principle 4, to attract, devel-
op, and retain competent individuals in sup-
port of the organization’s objectives.
Principle 4 addresses such issues as men-
toring and training programs, as well as
evaluating competence across the organi-
zation. Similarly, human resources are a
key element of “Internal Environment”
(ERM Framework). The integrity and com-
petency of employees is one of the most
effective controls for reducing risk.
Entities should forecast the need for
future human capital. Trends in popula-
tion affect both the needs of citizens for
government-provided services, as well as
the tax revenues received from these cit-
izens. These trends share a critical con-
sideration for acquiring the necessary
resources to meet future demand, as well
as manage human capital risks. Similarly,
NFPOs should attempt to predict the
effects of demographic changes on mis-
sion-related capabilities. For example,
charities should attempt to identify and
estimate economic and social factors
affecting a population’s philanthropic
propensity to donate.
Compliance and regulatory risk.
Compliance is especially important for
governments since laws and regulations
often determine their mission and struc-
ture. NFPOs are also subject to unique
compliance and reporting requirements.
In order to qualify for tax-exempt status,
NFPOs must comply with relevant tax
provisions. An important component of
both COSO frameworks is the require-
ment that entities comply with applica-
ble regulations, rules, and laws. To miti-
gate the effects of risks associated with
compliance and regulatory risk, entities
must first be knowledgeable about the
rules, regulations, laws, and reporting
requirements, as clearly stated in the IC
57
Framework. Funding from the U.S. gov-
ernment can also require audits, as per the
Single Audit Act and OMB Circular
A-133. To reduce regulatory and com-
pliance risk, however, NFPOs should con-
sider obtaining audits regardless of their
legal requirements. “The Guide to Not-
for-Profit Governance” is a useful sum-
mary of tax and other governance issues
from Weil, Gotshal & Manges LLP
(http:// www.pbpatl.org/ wp-content/
uploads/2012/10/NFPGuide_2012.pdf).
Transparency and accountability risk.
Because governments exist for the pub-
lic good and derive their financing from
taxpayers, transparency and accountabil-
ity regarding finances is paramount.
When discussing proposed changes to the
Green Book, Jim Dalkin, director of the
financial management and assurances
team at the GAO, stated—
the bottom line really is about account-
ability and transparency. I think inter-
nal controls are critical if you think of
any of the major events that happened
during the course of a year where maybe
government funds have to be spent very
quickly. It’s very important to have those
internal controls so you do have account-
ability.
In a similar sense, NFPOs that compete
for voluntary donations and grants benefit
from increased visibility regarding their use
of donated funds.
Principle 2 of the IC Framework
(Oversight Responsibility) states that the
board of directors should provide oversight
for internal controls. It also points out that
transparency reinforces accountability of
senior management and the board. The
AICPA points out that the audit committee
of a government unit plays a very impor-
tant role in helping to ensure accountability
and compliance:
At no time in recent memory is the need
for an effective audit committee in
government more important than now.
With looming budget shortfalls, program
cuts and employee layoffs, government
units are wrestling with maintaining ser-
vices with fewer resources. Government
officials need to diligently assess the
need for expenditures and ensure that
revenues are received timely and man-
aged correctly. (“Audit Committee
Brief,” Jul. 15, 2011).
Principles 14 (Internal Communication)

COSO’S SUGGESTIONS ON USING BOTH FRAMEWORKS

AND EXAMPLES IN PRACTICE

COSO’s Suggestions Examples in Practice

Ensure ERM is integrated with core management processes.
Improve the dialogue about risk tolerance between senior
management and the board of directors, as well as
downward throughout the organization.
Strengthen the risk culture by improving the control
environment (IC Framework) or internal environment
(ERM Framework).
Improve the identification, prioritization, and response to risk
by structuring risk assessment according to characteristics
of risks being assessed and by assigning risk assessment
to appropriate management.
Strengthen internal controls using COSO’s 17 principles.
Integrate both frameworks in the organization.
The Department of Homeland Security has a Risk Steering
Committee to ensure that risk management is consistent
throughout the agency.
The Information Analysis and Infrastructure Protection (IAIP)
Directorate developed benchmark threat scenarios to analyze
potential attacks relating to critical infrastructure assets.
The Department of Health and Human Services created a
“Secretary’s Council on Program Integrity” to look at areas,
including Medicare, and public health grants, and conduct risk
assessments of those programs most vulnerable to fraud or abuse.
The Department of Energy has a “Risk Management Guide” that
defines key roles relating to risk, as well as a chain of authority
and communication for risk management decisions.
The GAO proposed revisions to the Green Book that incorporate
these 17 principles.
The Centers for Disease Control implemented a risk management
framework which partially resembles COSO’s ERM Framework.
The CDC Internal Controls Program is a bottom-up strategy for
assessing risk and supports the broader, top-down approach to ERM.

58 MAY 2014 / THE CPA JOURNAL

and 15 (External Communication) of the
IC Framework are also relevant.
Voluntarily published reports can reduce
transparency and accountability risk. For
example, reports that document the per-
centage of donated dollars that go to vic-
tims reduce the risks associated with a
lack of transparency. Reports that improve
decision making or identify variances
from standards can provide evidence to
support and justify funding needs. In light
of the recent impetus to reduce budgets
at state and local levels, this objective may
be particularly significant for govern-
ments. Principle 10 (Selecting and
Developing Control Activities) identifies
a number of business process control
activities that relate to transparency and
accountability risk for both governments
and NFPOs. These controls relate to
authorizations, verifications, physical con-
trols, controls over standing data, recon-
ciliations, and supervisory controls.
Information technology risk. The
increased use of information technology leads
to increased risks. As municipalities grow,
information systems must adapt to meet
future requirements. Online donors to NFPOs
should assume that their information is secure.
Information technology risk exposure is espe-
cially great for large federal agencies that pro-
cess large amounts of data. Both COSO
frameworks play a key role with information
technology risk. Principle 11 (General Control
Activities over Technology) of the IC
Framework includes a discussion of tech-
nology general controls, technology infras-
tructure, security management processes, and
technology acquisition, development, and
maintenance processes. Steve Shafer, IT
administrator of finance for the Nebraska state
chief information officer, points out that
although most of the literature on internal
controls focuses on financial systems, orga-
nizations can also apply internal control
concepts to information technology; for
example, an application development team
can use these strategies to identify weaknesses
relating to cost overruns. The team can
address cost overruns using a system that
tracks resources used versus deliverables. In
addition, risk assessment can be used to iden-
tify weaknesses that could potentially lead
to a loss of information technology services.
Improving Performance
and Governance
In February 2014, COSO released
“Improving Organizational Performance
and Governance: How the COSO
Frameworks Can Help,” which illustrates
how both frameworks can enhance orga-
nizational performance and governance for
sustainable success. COSO provides spe-
cific suggestions (summarized in the side-
bar, COSO’s Suggestions on Using Both
Frameworks and Examples in Practice) on
using both frameworks. Several of these
suggestions are already in place at gov-
ernment agencies.
COSO described the frameworks as follows:
Robust enough to be applied inde-
pendently on their own, the two COSO
frameworks have a common pur-
pose—to help the enterprise achieve
its objectives and to optimize the
inevitable tension between the enter-
prise’s value creation and value pro-
tection activities. Therefore, both
[frameworks] facilitate and support the
governance process when implement-
ed effectively (p. 6).
While applications will vary accord-
ing to the particular risk profiles of each
entity, both frameworks provide a con-
ceptual foundation from which govern-
ments and NFPOs may proactively
design, implement, and sustain efficient
and effective risk management initiatives,
including the application of appropriate
controls that mitigate the risk to mis-
sions and objectives. q
Jill M. D’Aquila, PhD, CPA, and Robert
Houmes, PhD, CMA, are both associate
professors of accounting in the Davis
College of Business at Jacksonville
University, Jacksonville, Fla.

Let Us Hear From You

The CPA Journal welcomes letters from readers in response to articles
published in the magazine as well as those concerning issues of general
interest to the accounting profession. Although we receive more letters than
we are able to publish, all letters receive consideration.
The editors reserve the right to edit letters for clarity and length. Writers
should include their contact information, including a daytime telephone
number and an e-mail address, if possible.
Letters may be addressed to Letters to the Editor, The CPA Journal, 3 Park
Avenue, 18th Floor, New York, N.Y., 10016, or to cpaj-editors@nysscpa.org.

MAY 2014 / THE CPA JOURNAL 59

Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.