March 22, 2012

Mr. Roger Tabor
Chair
Professional Accountants in Business Committee (PAIB)
International Federation of Accountants (IFAC)
545 Fifth Avenue, 14th Floor
New York, New York 10017
USA

Submitted online: www.ifac.org/paib

Dear Mr. Tabor,

Re.: Exposure Draft of International Good Practice Guidance “Evaluating and Improving Internal Control in Organizations”

We would like to thank you for the opportunity to provide the Professional Accountants in Business Committee (PAIB) with our comments on the Exposure Draft of the International Good Practice Guidance “Evaluating and Improving Internal Control in Organizations” (hereinafter referred to as the “draft”). All of the members of our organization, the Institut der Wirtschaftsprüfer in Deutschland [Institute of Public Auditors in Germany] (IDW), are in public practice and therefore are not professional accountants in business. However, our members are entrusted with audits of financial statements prepared by management with internal control over financial reporting, are engaged to perform assurance engagements in relation to risk management and internal control, and are engaged to perform consulting work in matters related to risk management and control of organizations. Furthermore, through its standards setting boards and committees, the IDW issues standards and guidance on

page 2/15 to the comment letter to the PAIB dated March 22, 2012

matters such as accounting, internal control and risk management systems (in particular, in an IT context) and on assurance engagements in relation to these. For these reasons, we have a particular interest in the development of standards and guidance for internal control and risk management at an international level. We would like to applaud the PAIB for addressing issues in relation to governance, risk management and internal control. The IDW has long taken the stance that IFAC needs to be at the forefront of these areas central to the work of professional accountants in business and in practice. We believe that in terms of providing good principles of internal control and additional guidance to professional accountants that apply these matters in practice, the PAIB has met its goals. However, we do have a number of concerns that we have described below. We have provided our comments of a general nature in the body of this letter, and have included our responses to the questions posed in the exposure draft in Appendix 1 to this letter. Other comments by paragraph in the exposure draft are addressed in Appendix 2 to this letter.

Issuance of Pronouncements for Governance, Management, Risk Management, and Internal Control

We note that there is no internationally recognized standards setter for governance, management, risk management and internal control. Nonetheless, COSO pronouncements are used widely around the world for risk management and internal control, because of their application in the largest economic jurisdiction, the U.S. However, COSO has not achieved the status of international standards setter in these areas because it needs to: 1. broaden its international base sufficiently, 2. establish an adequate due process similar to that of the IASB or IAASB, and 3. develop a semi-permanent pool of technical standards setting individuals. There does not appear to be an international organization other than IFAC with the interest or the potential resources in this area to address this “pronouncements-gap” at an international level. We therefore believe that it is appropriate that IFAC issue pronouncements for these matters to help facilitate international convergence beyond providing practical guidance. By including definitions and principles, etc. the PAIB is effectively issuing pronouncements beyond just guidance. We were impressed by the quality of the principles and guidance from a practitioner’s point of view. However, we also note that having the expertise in these areas is not sufficient to issue pronouncements: a body issuing pronouncements must apply, to some degree, the principles of legal drafting to write good pronouncements and be able to conceptualize abstract concepts for practitioners, which is a different skill-set from that of most professional accountants in business, who know much about governance, management, risk management, and control, but do not have professional “standards setting” skills. In this context, our review of the definitions and the text of the draft indicates that, aside from the technical problems with the definitions in themselves, the definitions do not articulate with one another, and the text is not aligned with the definitions. We have not taken the trouble to determine whether the draft articulates with the PAIB publication “Evaluating and Improving Governance in Organizations”, but, based on the inconsistencies identified in this draft, we surmise this may be a problem. We also believe that further practical guidance beyond pronouncements issued by the PAIB in relation to internal control ought to build on the work done by COSO to provide professional accountants implementation support. Examples of matters that could be addressed in this respect might include addressing the role of business processes and their impact on IT-supported control processes, and the development of benchmarks to enable professional accountants to evaluate the degree of maturity of control systems relative to the size, complexity and growth velocity of entities, which also enables professional accountants to address the proportionality and scalability of internal control.

Governance, Risk Management and Internal Control vs. Management

We would like to point out that risk management and internal control are not only a subset of governance, but also a subset of management or management systems: not all management activities (e.g., planning, organizing, directing, and execution) are covered by risk management and internal control. It seems to us that at some point, the PAIB may need to develop a framework that explains the interrelationship between governance, management, risk management, and internal control. For example, the diagram showing the relationship between governance, risk management and internal control could be supplemented by another ellipse for “management”, as a subset of governance, that encompasses risk management and internal control.

Definitions

The attempt to “enrich” the definitions appears to us to cause more problems than it solves. A definition should explain what a term represents and describe the characteristics that distinguish the term from other terms. This means that all characteristics needed to delineate that term from others are included in a definition and that Occam’s razor be applied to eliminate any characteristics or explanations that are not necessary for such a delineation. For example, if an internal control is not understood by management (as is posited in the definition of the draft), does that mean it is not an internal control, or does it just mean that the control is not likely to be effective? We recognize that the definitions in COSO may suffer from the same ailments, but COSO’s example may not be worthy of emulation in this respect. Furthermore, definitions need to articulate with one another and defined terms need to be used in a consistent way in the text. A quick check to determine whether definitions articulate with one another is to substitute, within a definition, another defined term used within that definition with the definition of that other defined term. If the result is unintelligible, the definitions do not articulate with one another. The same applies to the use of defined terms within the text. In Appendix 1 to this comment letter we address in our response to Question 2 the matters that have come to our attention with respect to the definitions.

Reasonable assurance and costs vs. benefits

The narrative in F7 addresses the concept of the benefits of controls needing to exceed their cost. We believe that this is fundamental to the concept of internal control and should be set forth in a separate principle. A corollary of this principle is that internal control can therefore only provide reasonable assurance that an organization meets its control objectives.

We hope that our views will be helpful to the PAIB in its deliberations about the contents of this proposed IGPG. If you have any questions relating to our comments in this letter, we would be pleased to be of further assistance.

Yours truly,

Klaus-Peter Feld
Executive Director
494/584

Wolfgang P. Böhm
Director, International Affairs

APPENDIX 1: Responses to Questions Posed in the Exposure Draft

The terminology

1. Does the title Evaluating and Improving Internal Control in Organizations, as well as the term internal control, fit in the context of this IGPG, or should it be replaced by a different or more refined title or term?

Our review of the draft indicates that the key principles included in the draft establish what the key principles of good internal control are and provide guidance on the application of these principles. While such principles and guidance consequently reflect the criteria to be used when evaluating existing internal control and to improve it, they do not relate to how such an evaluation and improvement process is performed. For these reasons, we believe that the title is not indicative of the nature of the principles and guidance given. Based on the contents of the draft, we would suggest the title “Principles of Good Internal Control”. A more refined title than this would not be necessary. Furthermore, since internal control is always internal to organizations, the reference to organizations is not necessary.

2. Are the internal control definitions in Appendix A suitable for this guidance? Can or should they be further clarified?

We examined the definitions closely and believe that some of them need considerable amendment or further clarification before being suitable. We have not addressed all of the problems with the definitions, but we have provided comments on the major issues in the most important definitions. We will address each definition requiring major amendments or clarification in turn:

Internal Control

This definition explains that internal control is a part of the organization’s governance and risk management system, and what it is for (to exploit opportunities and manage risks), but it does not fulfil the main purpose of a definition: it does not explain what internal control is: a process (see COSO). Therefore the definition should begin with the words: “Internal control is a process that”. The definition includes internal control as “an integral part of an organization’s governance and risk management system”. This is true, but as noted in the definition of “risk management” thereafter and in the COSO Internal Control – Integrated Framework on page 21, internal control is a part of the “management system” (Exhibit 3 in this Framework shows which parts of those processes are internal control, although some of these are a part of risk management). Likewise, not all management processes (e.g., execution of corrective actions) are risk management processes as defined in the COSO Enterprise Risk Management – Integrated Framework. However, all management processes are a part of the governance process. Consequently, the words “…, management system,…” should be inserted in between the words “governance” and “risk management system”. The use of the word “which” after “risk management system” suggests that it is the risk management system that is “affected”, rather than internal control. Consequently, we suggest setting off the explanation of what internal control is a part of with commas and deleting “which is”. The definition also includes the phrase “…, understood, and actively followed by the organization’s governing body, management, and other personnel,…”. The inclusion of this phrase confuses “effective internal control” with “internal control” because having internal control understood and actively followed by these parties is a prerequisite for the effectiveness of internal control, but not a characteristic of internal control per se. Therefore this phrase ought to be deleted. The phrase thereafter speaks of “…to exploit opportunities and to manage the risks…”.
The definition for “risk management” thereafter uses a more comprehensive definition of “risk” that encompasses both “threats as well as opportunities” – that is, foregone opportunities are also regarded as risks. Furthermore, the use of the phrase “manage the risks” suggests that internal control is the sole instrument for managing risk. However, as noted in paragraph 1.1 of the draft, internal control “mitigates risk”, and, as noted in F6 of the draft, an organization can also manage risks by assuming risk, hedging risk, avoiding risk, or by increasing risk. We therefore suggest that the word “manage” be replaced with “mitigate” to clarify that internal control is only one instrument among several that can be used to manage risks and that the role of internal control is to mitigate, as opposed to assume, hedge, avoid or increase risk. We also note that the items listed after the colon refer to all of the matters that internal control might cover. However, if internal control does not cover any one of these, that does not mean it is not internal control. Therefore, either the “and” at the end of item 4 should be “or”, or the text after the colon should be taken out of the definition and included in guidance to the definition. Based on these amendments, the definition (before the colon, if retained) would read as follows: “Internal control is a process, that is an integral part of an organization’s governance, management system and risk management system, effected to mitigate risk (including the risk of foregone opportunities) to contribute to the achievement of an organization’s objectives…” We note that the third item after the colon in relation to “ensuring conformance” refers only to applicable laws and regulations and organizational policies, procedures and guidelines. However, there may be other norms (international or industry standards, professional standards, etc.) that are based on neither legal instruments nor organizational policies, etc. for which internal control may be used to secure conformance. We therefore suggest that the word “…standards,…” be inserted in between the words “regulations” and “as well as” to clarify that not all norms external to the organization need to be based on legal instruments.

Risk Management

In line with our comments on the definition of “internal control”, we note that this definition does not clarify up front that risk management is a part of the governance and management system of an organization. Furthermore, the definition includes “planning, organizing, leading, executing”, which are management processes – not risk management processes (see COSO Enterprise Risk Management). The definition also includes the phrase “maximize value and minimize risk”. We would like to point out that maximizing value and minimizing risk are two different strategies that are mutually exclusive (see decision theory). There are other strategies, such as satisficing, too.

The management of risks involves more than just the possible responses to risk noted in the definition (acceptance, avoidance, insurance or control): it also includes such matters as event identification, risk assessment, control activities, etc. On the whole, the definition is too long, which results in additional difficulties, such as:

• The first three numerical items listed seem to relate to the governance and management system, rather than to risk management and internal control, and do not represent distinguishing characteristics of risk management for a definition thereof.

• Item 1 in the second two numerical items represents a circular definition because it refers to the organization’s risk management strategy, which presumably would be a part of risk management.

• In contrast to the assertion in item 2 thereafter, we are not convinced that risk management alone without a well-functioning governance and management process outside of risk management is capable of providing reasonable assurance regarding the achievement of organizational objectives.

On the whole, a shorter definition, with additional guidance in the body of the draft, may be more useful. We suggest a definition of risk management along the following lines: “Risk management is a process, that is an integral part of an organization’s governance and of its management system, effected to manage risk (including the risk of foregone opportunities) in line with the risk preferences of the organization to contribute to the achievement of an organization’s objectives.”

Governing body

The definition of a governing body in the first sentence appears reasonable, but the third and fourth sentences assume that only one-board systems with executive and non-executive directors exist. A good number of important jurisdictions, such as Germany, have two-board systems in which one board comprises solely non-executive directors (the supervisory board) and the other comprises solely executive directors (the executive board). If further guidance is given beyond the definition in the first sentence, then the guidance needs to be expanded to clarify that there are systems of governance with two boards – non-executive and executive.

Conformance

Like the definition for internal control (and unlike the other definitions), this definition does not explain what “conformance” is. If conformance is “compliance”, then why not just use the word “compliance” (which is commonly understood) throughout and dispense with a separate definition of “conformance”? In line with our comments on the third item after the colon in the definition of “internal control”, we note that no reference is made to standards other than those that are legal instruments. The words “best practice” prior to “governance codes” can be deleted, as these words are superfluous at best, or confusing at worst (i.e., what is the difference between best practice and a code?). How can one comply with “accountability” or the provision of “assurances”? The words “factors” and “forces” in (a) and (b), respectively, also do not appear to be appropriate, since one cannot comply with “factors” or “forces”. On the whole the definition needs significant reconceptualization and rewording if retained.

Performance

First, it is not clear why this definition is needed (indeed, if we were to substitute the definition into the word “performance” as used in paragraph 1.1 or principle C, for example, the definition does not make sense). Second, we do not believe that “performance” is a policy or procedure. Third, it is not clear what the definition is trying to achieve. We suggest that this definition be deleted.

Stakeholder value

How stakeholder value is created (creating, implementing, and managing effective strategies, processes, activities, assets, etc.) is not germane to what stakeholder value is: reference to these can be deleted. Furthermore, to state that stakeholder value is an organizational value that is generated for stakeholders is a tautology that provides no definitional value that can also be deleted. We question the insertion of the word “Sustainable” at the beginning of the second sentence because sometimes stakeholders may not be interested in “sustainable value”: they could be interested in short-term value creation so that they can “cash-out” quickly. On the whole, this definition needs considerably more work, too.

The principles

3. Do the principles cover all the fundamental areas for evaluating and improving internal control in organizations, especially those areas where internal control is often applied incorrectly in organizations?

We believe that the principles cover all of the fundamental areas that characterize good internal control, and in particular, those areas that may often be deficient in some organizations, but for one. A principle noting that the nature and extent of internal control is a cost/benefit decision should be introduced: internal control should only provide reasonable assurance that an organization’s control objectives are met because absolute assurance is impossible to achieve and in many cases the benefits of achieving virtual certainty are not worth the cost. This is in line with the narrative of the draft in F7. However, we do believe that some of the wording describing the other principles needs amendment to clarify their meaning. We provide suggestions in this respect in Appendix 2 to this comment letter.

The guidance

4. Is the application guidance for each principle adequate to guide good practice?

On the whole, the application guidance for each principle is adequate to guide good practice. In Appendix 2 we address a number of issues that we have identified that may require some clarification or amendment in wording.

5. Are there other resources on internal control that should be considered for inclusion in the appendices?

Yes: You may wish to consider including a reference to the IDW Accounting Standard IDW RS FAIT 1 “Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Informationstechnologie” [Principles of Proper Booking When Applying Information Technology], which is Germany’s generally recognized standard on internal control over financial reporting.

Other Issues

6. Does there need to be a subsequent IGPG on risk management?

We do believe that there needs to be an IGPG on risk management. In line with our comments on the definitions of internal control and risk management, there would also need to be an IGPG on the management system. In this way, there would be an IGPG on all components of governance:

• Governance
• Management
• Risk Management
• Internal Control

However, we are concerned that the pronouncements need to articulate with one another – that is, the definitions and terms used need to be the same or at least be reconcilable.

APPENDIX 2: Comments by Paragraph

1.1

Internal control on its own does not “add sustainable value” in itself: for example, without execution, which is not a part of internal control, no value would be created. Consequently, internal control “can contribute to enabling an organization to meet its objectives” would be a better phrase to use. We also suggest that the words “long-term sustainable value” be deleted. The word “sustainable” is used in many places throughout the document: we believe it ought to be deleted. Long-term sustainable value might be an appropriate organizational objective (which we believe ought to be true in most cases), but that does not mean that all organizations have this objective: some might be interested in short-term value creation (and cashing out quickly).

1.2

In line with our comments on the definitions of internal control and risk management in Appendix 1, the description of internal control in the first sentence needs considerable revision. The diagram needs to include another ellipse in between governance and risk management for “management system”.

3.2

To A: In line with our comments on the definitions for internal control and risk management, the word “while” should be replaced with “and” and the words “rules and regulations, by managing” should be replaced with “law, regulation, standards and organizational policies, by mitigating…” To G: the word “all” should be replaced by “those assigned internal control objectives”, which would align G with the second sentence of C. To H: since internal control can only provide management with reasonable assurance that control objectives will be achieved, the words “is usually” should be replaced with “can be”.

A2.

The word “manage” in the second-last sentence should be replaced with “mitigate” in line with our comments on the definition of internal control.

A5.

One matter that might be addressed here is the fact that those designing internal control need to consider not just the risk of an event, but also its impact. Consequently, the more potentially catastrophic the event, the more stringent the management of the risk of that event must be (i.e., rather than to accept such a risk, the organization should seek to avoid, insure or control that risk).

B1.

The description of the responsibilities of the governing body in the first bullet point is not in line with the definition of a governing body in the list of definitions. The definition of a governing body quite correctly refers to a governing body’s “oversight” responsibility: a governing body does not have executive responsibility for internal control, which is, by definition, management’s responsibility. Consequently, some of the responsibilities in the first bullet point need to be transferred to the second, and the first bullet point be reworded to refer to oversight responsibilities. The last bullet point refers to internal and external auditors “providing assurance”. At the IAASB, care is taken to clarify that external auditors do not “provide” assurance: they obtain assurance that is then conveyed by means of a report to users. The wording should be amended appropriately.

C3.

We note the use of the term “and/or”, which is ambiguous because it can mean “and, and, or”, “and, or, or”, and either one or both. This is nonstandard English. We surmise you mean to use “or”, which is inclusive by virtue of not being preceded by “either”. We suggest that you replace “and/or” with “or” throughout the draft.

F2.

An additional consideration for the selection of internal controls that can be added to the bullet points is whether the risk can be accepted, avoided or insured, rather than controlled. With respect to the fourth bullet point, we suggest changing it to read “the cost of the control relative to the benefit of the mitigation of the risk” (this would align the wording with the exposition in F7).

F3.

The “or” at the end of the paragraph needs to be changed to “and” because both technical and economic feasibility are needed.

F8.

The word “continuously” should be replaced with “continually” in the first and second sentences because we presume that the reevaluation, reoptimization and the cycle referred to are not continuous (that is, in real-time without a break). Note: this does not apply to H2.3, where an IT control can be continuous.

H2.4

We refer to our comment on B1 on the use of the phrase “provide assurance”.

H3.4

We refer to our comments on B1 in relation to the responsibility of the governing body, which is oversight – not ensuring that the internal control system is monitored and evaluated – which is a management responsibility.