External Communication

The COSO external communication requirement means you must have a defined, controlled way to communicate internal-control matters to external parties (regulators, external auditors, shareholders, and other stakeholders) when those matters affect internal control. Operationalize it by setting clear triggers, owners, approval paths, and records so disclosures are timely, accurate, consistent, and auditable. [1]

Key takeaways:

  • Define which “internal control matters” require external communication, and who decides.
  • Route external control-related communications through documented approvals (Legal/Compliance/Finance/Audit as appropriate).
  • Retain evidence of what was communicated, to whom, when, under what authority, and with what supporting facts.

Footnotes

  1. COSO IC-IF (2013)

“External Communication” under COSO Principle 15 sits in the Information and Communication component of internal control. The requirement is straightforward: communicate with external parties about matters that affect the functioning of internal control. [1] The operational challenge is not writing a policy; it’s building a repeatable, low-friction process that prevents two failure modes: (1) silence when disclosure is expected (regulators/auditors surprised by control failures, incidents, or reporting issues), and (2) uncontrolled or inconsistent statements (business teams describing control posture differently across customers, auditors, and regulators).

For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat external communication as a control in its own right: define scope, define triggers, define approvers, define channels, and define what evidence must be retained. Then connect that workflow to the systems and teams that already “see” control issues first—Internal Audit, Security, Finance controllership, Privacy, and third-party risk management—so external messaging is accurate and consistent.

This page gives requirement-level implementation guidance you can apply immediately, with artifacts and audit questions to expect, plus a practical execution plan.

Regulatory text

Regulatory excerpt: “The organization communicates with external parties regarding matters affecting the functioning of internal control.” [1]

What the operator must do: Establish and operate a controlled process that identifies internal-control matters that need external communication, routes communications through appropriate review and approval, and records what was communicated. External parties can include regulators, external auditors, shareholders, and other stakeholders, as appropriate. [1]

Plain-English interpretation

If something happens that changes your internal control reality, your external communications must reflect it. That includes:

  • Control deficiencies that affect financial reporting, operational objectives, compliance obligations, or safeguarding of assets.
  • Changes to control design or operation that external parties rely on (for example, material changes to processes that support reporting).
  • Findings or issues that will be tested or relied upon by external auditors or regulators.
  • Representations you make to customers, partners, or other third parties about your control environment (for example, contractual commitments or assurance responses), where those representations relate to internal control.

The practical standard: you need a consistent “single story” about controls, backed by evidence, and approved by the right functions before it leaves the organization.

Who it applies to

Entity scope: Any organization using COSO as its internal control framework, including organizations with Internal Audit functions. [1]

Operational context where this shows up:

  • Financial reporting and external audit: communications with external auditors about control changes, deficiencies, remediation status, and management representations.
  • Regulatory supervision: examination requests, matters requiring attention, incident notifications where control breakdown is relevant, follow-up reporting.
  • Shareholders/board stakeholders: disclosures and governance communications where internal control over reporting or other material controls are in scope.
  • Third-party ecosystem: responses to customer due diligence, RFPs, and contractual attestations that describe internal controls (especially where Legal/Compliance signs off).

What you actually need to do (step-by-step)

1) Define “control-relevant external communications” (scope and taxonomy)

Create a short scope statement and categories. Keep it operational:

  • Category A: Auditor communications (control design/operation, deficiencies, remediation).
  • Category B: Regulator communications (exam responses, notifications, remediation commitments).
  • Category C: Investor/shareholder communications (internal control related disclosures).
  • Category D: Third-party assurance communications (customer security/compliance questionnaires, certifications/attestations you issue, contract representations).

Deliverable: a one-page “External Communication Scope & Categories” standard owned by Compliance or Controllership, with Internal Audit input. [1]

2) Set trigger criteria that force the workflow

Write “if-then” triggers that prevent judgment calls from living in someone’s inbox. Examples:

  • If Internal Audit rates an issue above your defined severity threshold, route to the external communication triage group.
  • If there is a control failure affecting a regulatory obligation, route to Regulatory Affairs/Compliance for external notification decisioning.
  • If Sales/Procurement wants to send a control-related claim to a customer (including third-party questionnaires), route to the assurance response process for review.

Avoid trying to list every possible scenario. List the triggers that historically caused pain: inconsistent customer answers, auditor surprises, regulator follow-ups, and public statements that drift from actual controls.

3) Assign owners and approvers (RACI that matches reality)

Minimum roles:

  • Process owner: Compliance, Controllership, or Internal Audit (pick one; document it).
  • Content owner (facts): the team closest to the control (Security, Finance Ops, IT, Risk).
  • Approval: Legal for external statements that create obligations; Compliance for regulatory alignment; Internal Audit for accuracy about audit issues; Finance/Controller for ICFR-related items.
  • Sender: a controlled mailbox or designated function (Regulatory Relations, Investor Relations, External Audit liaison).

Deliverable: a RACI and an “approval matrix” by category (A–D).

4) Standardize the message packages (so reviewers can approve quickly)

Create templates that force completeness:

  • Issue summary template: what happened, impacted control/objective, timeframe, interim mitigations, remediation plan, current status, and evidence references.
  • External auditor update template: same structure, plus testing status and management assertions.
  • Regulator response template: scope of request, authoritative answer, attachments list, and a commitment tracker (who owes what by when).
  • Third-party assurance response template: standard control descriptions, approved language, and a “deviation log” for exceptions.

If you use Daydream (or a similar GRC workflow tool), implement these templates as form-driven workflows with required fields and approval routing so “external communication” is captured as an auditable process rather than email archaeology.

5) Control the channels (where statements are allowed to originate)

Put guardrails around:

  • Who can respond to auditors and regulators.
  • Who can submit customer due diligence responses.
  • Who can make control-related statements in marketing, sales decks, or public-facing materials.

Practical control: a “no ad hoc commitments” rule for control-related claims, enforced by requiring approvals and storing approved response snippets.

6) Implement recordkeeping and traceability

For each external communication event, retain a packet:

  • Trigger/source (audit finding, incident ticket, exam letter, customer request).
  • Drafts and approvals (who reviewed, when, what changed).
  • Final sent version and delivery proof (email, portal submission, letter).
  • Supporting evidence list (tickets, test results, remediation plan).
  • Follow-ups and commitments, with closure evidence.

If you cannot reconstruct the “who/what/when/why” within a reasonable review window, you do not have a working control.

7) Test the process (tabletop + sampling)

Run a tabletop exercise using a real past issue:

  • Can teams identify it as an external communication trigger?
  • Can they produce an approved message quickly?
  • Can they produce an evidence packet after the fact?

Then sample completed communications quarterly (or on a cadence you can sustain) for completeness and approvals.

Required evidence and artifacts to retain

Use this checklist as your audit-ready folder structure:

  • External Communication Policy/Standard (scope, categories, roles) [1]
  • Trigger register (documented triggers and intake paths)
  • RACI + approval matrix
  • Templates (auditor, regulator, shareholder, third-party assurance)
  • Communication log (date, category, external party, subject, owner, approvers, status)
  • Evidence packets for each logged event (final message, approvals, supporting artifacts)
  • Commitment tracker for regulator/auditor commitments and closure proof
  • Training/enablement materials for front-line teams (Sales, Security, Finance Ops) on “what must be routed”

Common exam/audit questions and hangups

Expect auditors/examiners to probe for:

  • “Show me how you decide what must be communicated externally.” Tie back to triggers and examples. [1]
  • “Who is authorized to communicate with regulators/external auditors?” Provide RACI and channel controls.
  • “How do you ensure statements are accurate and consistent across teams?” Show templates, approval matrix, and a sample packet.
  • “How do you track and close external commitments?” Provide the commitment tracker and closure evidence.
  • “Show me a recent control issue and the external communications around it.” This is where missing drafts, missing approvals, or conflicting messages appear.

Hangup to avoid: treating customer due diligence answers as “sales ops” work. They are external communications about internal control and should be controlled the same way. [1]

Frequent implementation mistakes and how to avoid them

  1. No defined triggers, only “use judgment.”
    Fix: write specific triggers tied to common events (audit issues, incidents, exam requests, customer questionnaires).

  2. Approvals exist but are optional in practice.
    Fix: require workflow-based approval before sending, and restrict who can send externally.

  3. One-off responses that drift from approved language.
    Fix: maintain approved control statements/snippets and a deviation log with Legal/Compliance approval.

  4. Recordkeeping is scattered across email and chat.
    Fix: central communication log and evidence packet standard. Make “store the packet” a required step for closure.

  5. Internal Audit and Compliance operate separately.
    Fix: give Internal Audit a defined role in verifying statements about audit issues and control effectiveness.

Enforcement context and risk implications

No public enforcement cases are provided in the source catalog for this requirement. The risk still maps cleanly to outcomes compliance leaders recognize:

  • Audit risk: inconsistent or unsupported statements can undermine reliance, expand testing, or create follow-up issues.
  • Regulatory risk: missed or late communications can damage credibility and lead to heightened supervision.
  • Contractual risk with third parties: inaccurate assurances can trigger breach claims, termination rights, or remediation demands.
  • Governance risk: leadership and boards make decisions based on the organization’s stated control posture; external messaging that contradicts internal reality creates accountability gaps.

Practical 30/60/90-day execution plan

First 30 days (stabilize and stop ad hoc external statements)

  • Name the process owner and publish the scope/categories aligned to COSO Principle 15. [1]
  • Stand up a basic intake: a shared mailbox or ticket queue for control-relevant external communications.
  • Create the approval matrix and enforce “no send without approval” for auditors, regulators, and third-party questionnaires.
  • Start a simple communication log (spreadsheet is acceptable early).

Next 60 days (standardize and make it repeatable)

  • Implement templates for the main categories and train front-line teams on triggers.
  • Build evidence packet requirements into the workflow (attachments required to close).
  • Add commitment tracking for regulator/auditor follow-ups, with owners and status reporting.
  • Run one tabletop exercise and remediate gaps found.

Next 90 days (make it auditable and scalable)

  • Move from ad hoc storage to a system of record (GRC/workflow tool). Daydream fits well here if you need routing, approvals, and evidence retention tied to issues, audits, and third-party requests.
  • Add periodic sampling/testing of completed communications and report results to the control owner.
  • Tune triggers based on what slipped through during the first cycles.
  • Align Internal Audit’s issue management and Compliance’s external communication log so one event cannot produce conflicting narratives.

Frequently Asked Questions

Does “external communication” only mean regulators and external auditors?

No. COSO Principle 15 covers communication with external parties about matters affecting internal control, which can include shareholders and other stakeholders as appropriate. [1]

Are customer security questionnaires and RFP responses in scope?

If your responses describe or commit to internal controls, treat them as external communications about internal control. Route them through the same approval and recordkeeping process. [1]

Who should own the process: Compliance, Internal Audit, or Finance?

Pick the function that already owns external-facing control assertions in your environment (often Compliance for regulators, Finance for ICFR, or Internal Audit for issue accuracy). Document the owner and approval matrix so responsibilities are explicit. [1]

What evidence do auditors expect to see?

They look for a repeatable process: triggers, approvals, a communication log, and complete packets showing the final communication and its supporting facts. If you cannot reproduce the approval trail, the control is weak. [1]

How do we prevent inconsistent statements across teams?

Use approved templates and a controlled library of standard control descriptions, then require Legal/Compliance approval for deviations. Centralize the log so you can spot conflicting narratives early.

We have multiple regulators. Do we need separate processes?

You can keep one core process with regulator-specific templates and approver sets. The key is consistent triggers, controlled approvals, and retained evidence across all external parties. [1]
