Home Governance Capability Assessment (Governance SPICE)
Evaluating Internal Controls against Governance Frameworks Print E-mail
Corporate Governance is the totality of principles [1] aligned with the shareholders’ interests, which strive for transparency and a well-balanced ratio between leadership and control, whilst retaining decision-making ability and efficiency at the highest level of the company. Internal control system integrated with enterprise risk management includes the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Regulatory requirements like the Sarbanes-Oxley Act for US SEC registrants and their affiliates (all over the world), the Basel II framework, the Company Law in the EU, the European and national directives for governmental and public sector organizations, etc. require not just the implementation of risk management and internal control systems based on internationally recognized frameworks, but also the periodic disclosure of effectiveness conclusion performed by the executive management. However some of these regulations are still limited to financial reporting, the global crisis showed that wider focus of risk management and internal controls has real business value. In the past 5 years many-many thousands of such periodic assessments were performed worldwide in industry, financial and governmental sectors and the regulators are keen to further develop mandatory rules and guidelines increasing stakeholder’s benefit from disclosures.

The global crisis also reminds that many former periodic assessments concluding positive opinion on effectiveness of internal controls were failed at those companies, where the insularly used economic models for risk assessment were not aligned with the time horizon of the strategic business objectives. Accountability of executive management and oversight boards should be established and supported by using integrated assessment models applicable for both operational and financial processes. Those assessment models which can cover the most activity areas relevant for strategic objectives have added value to line managers, executive management, internal and external auditors and oversight bodies, as they help to optimize monitoring efforts of different operations based on common measurement of achieving objectives.

Major governance scandals, independently from the recent global financial and economic crisis, call the attention that not only the basic business operations (production, sales, supply chain, etc.) need to be assessed, audited or certified to the conformance with specific standards, but all the governance related processes. The Satyam case shows that even those big IT companies, which are committed to quality and process improvement issues, can fail to avoid governance breakdowns such as fraudulent financial reporting.

Taking a more in depth look into the reasons as to why corporate governance has failed in recent years, it can be concluded that these are primarily due to shortcomings in risk management and internal control. Within the context of corporate governance, management therefore needs to concentrate above all on the optimisation of operational processes by improving monitoring and controls.

Risk management and control frameworks contribute to improve corporate governance by principles-based reference models, good practices and evaluation methods.

Process capability and organizational maturity issues have come into the view of the management as the huge cost of regulatory compliance activities request consideration of sustainability and added business value of such efforts. This challenge has been answered by utilizing the ISO/IEC 15504 process assessment standard (also called as SPICE) [2] and its evaluation model concept applicable for the executive managers, the boards of directors, the audit committees, the internal and external auditors and the supervisory bodies for assessing the effectiveness of internal controls even in different business units and activities, IT management and financial reporting processes.

The term of “Governance SPICE” refers to the assessment of Governance, Risk Management and Internal Control processes and is based on different concepts:

  • Corporate Governance Principles (OECD)
  • Recognized Control Frameworks (COSO & COBIT)
  • Risk Tolerance and Risk Appetite (as of COSO ERM)
  • Performance Measurement (as of COBIT)
  • Process Capability Assessment (ISO/IEC 15504-2:2003)
  • Evaluating Process-related Risk (ISO/IEC 15504-4:2004)
  • Organizational Maturity (ISO/IEC TR 15504-7:2008)

Internal and external audit standards (like IIA and ISA) recommend system based evaluation of existing internal controls against internationally recognized control frameworks like COSO (Internal Control – Integrated Framework) [3] and COBIT (Control Objectives for Information and related Technology) [4]. The contents of these frameworks are applicable to set up Process Reference Models in compliance with ISO/IEC 15504-2 requirements.

The COSO and COBIT based Process Reference Models associated with the process attributes defined in ISO/IEC 15504-2 provide a common basis for performing assessments of process capability regarding internal controls and reporting of results by using a common rating scale. ISO/IEC 15504 offers not only transparent method for assessing performance of relevant internal control processes, but also tools for assessing control risk areas based on the gaps between target and assessed capability profiles.

Audit standards define assurance and consulting engagement types of audit work similarly to the process capability determination and process improvement contexts of ISO/IEC 15504 process assessment. Using COSO or COBIT descriptions for process dimension and ISO/IEC 15504 measurement framework for capability dimension provides common methodology for all parties responsible for implementing and monitoring internal controls even at different operational units of an organization. Mapping target capability profiles to business objectives also helps to put internal controls into the perspectives of Enterprise Risk Management (ERM).

Quality requirements of the international internal and external audit standards force to evaluate the assessment skills, procedures and practices of the auditors/audit departments in making opinion about the internal controls of the audited organization. The courses integrated with Governance SPICE and certified by the international training scheme offer transparent ways to auditors/audit departments for acquiring and evidencing relevant skills and knowledge.

References

[1] OECD Principles of Corporate Governance © OECD 2004

[2] ISO/IEC 15504-1:2004 Information technology -- Process assessment -- Part 1: Concepts and vocabulary
ISO/IEC 15504-2:2003 Information technology -- Process assessment -- Part 2: Performing an assessment
ISO/IEC 15504-2:2003/Cor 1:2004
ISO/IEC 15504-3:2004 Information technology -- Process assessment -- Part 3: Guidance on performing an assessment
ISO/IEC 15504-4:2004 Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination
ISO/IEC TR 15504-7:2008 Information technology -- Process assessment -- Part 7: Assessment of organizational maturity

[3] The Committee of Sponsoring Organizations of the Treadway Commission (COSO):
Internal Control — Integrated Framework (1992)
Enterprise Risk Management – Integrated Framework (2004)
Internal Control over Financial Reporting — Guidance for Smaller Public Companies (2006)

[4] COBIT - Control Objectives for Information and related Technology, COBIT 4.1 © 2007 IT Governance Institute. www.itgi.org

Attachments:
Download this file (SkillCards_Governance_v2.pdf)Integrated Skill Cards1610 Kb
 

Organisers & Supporters

bgf


ECQA


mlx-logo


ISCN_logo


education and culture


ia-manager-logo