The updated COSO
Internal Control–Integrated Framework can be used as a reminder that the root cause of most corporate problems comes either from issues relating to integrity or competence. In other words, the root cause is usually people.
The Control Environment component includes important Principles around both integrity and competence.
i recommend that organizations consider these Principles as high risk unless they can demonstrate through the actions they have taken to treat the risks (I.e., controls) that the risks are at acceptable levels.
Unfortunately, the tools available to test integrity and competence are rude and not always conclusive. But if we take the approach that we have to demonstrate they are at acceptable levels, rather than demonstrate they are not, I think we can go a long way.
What do you think?