Failures Within the COSO Framework Community
In 1992, COSO released its original COSO Internal Control – Integrated Framework. This framework was in response to the requirements of the 1977 U.S. Foreign Corrupt Practices Act. The framework’s stakeholders have raised the following issues in their comments to the draft COSO 2012 update:
1. The majority of the firms at the center of the global financial crisis were following the SEC regulations, which included having effective internal control over financial reporting (ICFR). The firms’ SEC filings all claimed to have effective ICFR under COSO. Their ICFR assessments were failures.
2. COSO has not defined and declared the problems with the existing COSO Framework materials. It has embarked on creating an updated solution to an undisclosed set of issues.
3. The COSO 2012 update of the framework was developed primarily from one frame of reference.
4. The development approach to this revision did not follow a “Good Judgment Workflow” process. The timing of the process does not provide for adequate review, discussion and consensus development among diverse stakeholders with differing frames of reference.
COSO created a summary definition for an internal control framework containing three control objective categories: operations, financial reporting and compliance. It has also divided the principles concerning controls into five summary components:
1. Risk Assessment
2. Control Environment – Tone at the Top
3. Control Activities
4. Information and Communication
COSO followed up on its original framework documentation with additional documentation on the principles and their attributes. In 2004, COSO produced guidance on how to design and implement an enterprise-wide risk management framework. In 2006, COSO issued its guidance for smaller public companies on the principles and attributes of an ICFR Framework. This document was used extensively by the SEC and the PCAOB in their guidance and audit regulations in 2007. A base set of principles-based documentation has been created for the evaluation and assessment of ICFR. COSO must be congratulated for avoiding use of a rules-based approach.
Various commenters are calling on COSO to accomplish the following:
1. Public companies that fall under the regulation of the SEC need to have creditable guidance on how to apply the principles to address the business opportunities and risks with an effective and unique set of internal controls. The guidance needs to provide a comprehensive methodology for the assessment of ICFR.
2. COSO must state clearly the problems with the current Framework materials and their usage in creating controls. There are extensive issues with the creation, maintenance and assessment of COSO frameworks by management. There have been significant corporate governance failings concerning the review of management’s assessments. It does not appear that the external auditors are yet clearly instructed by the regulators on how to play their assurance role. The SEC has a focus on ICFR.
3. COSO needs to directly address the quality control enhancements for Corporate Governance and Risk Assessment. Better Corporate Governance and Risk Assessment are essential to prevent and lessen executive management excesses. The initial SOX regulations and reactions to those SOX regulations did not address the Corporate Governance and Risk Management issues that Congress was trying to address with Sarbanes-Oxley. Auditing Standard 2 and the preponderance of management’s internal control frameworks ran to the detailed processing of transactions, ignoring entity-level risk assessments. This left the door open for the Corporate Governance and Risk Management failures: i.e. AIG, Fannie/Freddie, Lehman Brothers, Countrywide, Merrill Lynch, MF Global, etc.
4. COSO must implement a “Good Judgment Workflow” process for the approval of the revisions to its materials. COSO needs to recognize that the developers are dominated by a single frame of reference: Big Auditing Firm Experience. Those of us who have been external auditors, internal auditors, CFOs, CEOs, consultants to SEC registered firms and educators on frameworks understand how limiting this frame of reference has been to presenting a workable comprehensive framework.
5. COSO needs to establish a strategic plan and a tactical plan for its activities concerning “Quality Controls” over Corporate Governance and the issuing of audited financial statements. The 1977 Foreign Corrupt Practices Act was the first federal mandate for internal control framework usage. COSO’s current Framework was created for addressing this requirement. Most stakeholders did not take this requirement seriously until the Sarbanes-Oxley Act was passed. In this 25-year period, little work was accomplished to enhance the art of ICFR by COSO.
Confidence in COSO 2.0
Stakeholders are confident that COSO can move forward to produce a better set of guidance concerning the establishment, maintenance and assessment of internal control frameworks. Historically, COSO has created a number of guidance documents that have contributed to the improvement of internal control frameworks. Numerous professionals have reached a base level of competence in the components of a framework by using the COSO materials as part of their guidance. Auditing firms have greatly expanded their auditing of ICFR and the documentation of this testing in their workpapers. Audit quality control systems are improving at most firms. The current members of COSO are motivated to enhance the guidance being provided.
COSO needs to:
1. Establish a strategic and technical plan for the updating of the original COSO Framework, which is a quality control methodology covering corporate governance, financial reporting and compliance.
2. Within the short-term tactical period:
a. Enhance the current development team with additional frames of reference.
b. Define a clear “good judgment workflow” for comments, discussion and approval that creates a new base document.
c. Issue a clear problem statement that supports the enhancement efforts.
3. Recognize that if the private stakeholders do not create a comprehensive set of guidelines, we will continue to have Congress and Regulators setting the guidelines.
4. Add to the membership and governance of COSO stakeholders that bring frames of reference including risk management, corporate governance, legal, information technology, quality control methodologies, operations, regulators, etc.
COSO will find that if all the stakeholders take part in the process, we can advance the state of the art in frameworks. If we can do this, we will create value for society as a whole.