Failures within the COSO framework community

In 1992, COSO launched its original Integrated Internal Control Framework. This framework was in response to the requirements of the United States Foreign Corrupt Practices Act of 1977. Stakeholders of the framework have raised the following issues in their comments on the draft COSO 2012 update:

1. Most of the companies at the center of the global financial crisis were following SEC regulations, which included having effective internal control over financial reporting (ICFR). All of the firms’ SEC filings claimed to have an effective ICFR under COSO. Their evaluation approaches were failures.

2. COSO has not defined or disclosed problems with the existing COSO Framework materials. It has embarked on creating an updated fix for a set of undisclosed issues.

3. The COSO 2012 update of the framework was developed primarily from one frame of reference.

4. The development approach for this review did not follow a “good judgment workflow” process. The timing of the process does not provide adequate review, discussion and consensus among the various stakeholders with different frames of reference.

COSO created a summary definition for an internal control framework that contains three categories of control objectives: operations, financial reporting, and compliance. It has also divided the principles related to controls into five summary components:

1. Risk assessment

2. Control environment: tone at the top

3. Control activities

4. Information and communication

5. Follow-up

COSO followed up on its original framework documentation with additional documentation on the principles and their attributes. In 2004, COSO produced a guide on how to design and implement an enterprise-wide risk management framework. In 2006, COSO issued its guide for smaller public companies on the principles and attributes of an ICFR framework. This document was used extensively by the SEC and PCAOB in their 2007 audit guidance and regulations. A principles-based set of documentation has been created for the evaluation and assessment of the ICFR. COSO is to be commended for avoiding the use of a rules-based approach.

Several commenters are asking COSO to accomplish the following:

1. Public companies that fall under the regulation of the SEC must have accredited guidance on how to apply the principles to address business opportunities and risks with a unique and effective set of internal controls. The guidance should provide a comprehensive methodology for ICFR evaluation.

2. COSO should clearly state problems with the current Framework materials and their use in creating controls. There are many problems with the creation, maintenance and evaluation of COSO frameworks by management. There have been significant corporate governance failures in connection with the review of management evaluations. Regulators do not appear to have clearly instructed external auditors on how to perform their assurance function. The SEC focuses on the ICFR.

3. COSO should directly address quality control improvements for corporate governance and risk assessment. Better corporate governance and better risk assessment are essential to prevent and reduce executive management excesses. The initial SOX regulations and reactions to those SOX regulations did not address the corporate governance and risk management issues that Congress was trying to address with Sarbanes-Oxley. Auditing Standard 2 and the dominance of management’s internal control frameworks addressed detailed transaction processing while ignoring entity-level risk assessments. This left the door open for corporate governance and risk management failures, e.g. AIG, Fannie / Freddie, Lehman Brothers, Countrywide, Merrill Lynch, MF Global, etc.

4. COSO must implement a “good judgment workflow” process for approval of reviews of its materials. COSO must recognize that its developers are dominated by a single frame of reference: the experience of a large audit firm. Those of us who have been external auditors, internal auditors, CFOs, CEOs, consultants to SEC-registered firms, and framework educators understand how limited this single frame of reference has been in presenting a viable comprehensive framework.

5. COSO needs to establish a strategic plan and a tactical plan for its activities related to “Quality Controls” on corporate governance and the issuance of audited financial statements. The Foreign Corrupt Practices Act of 1977 was the first federal mandate for the use of the internal control framework. The current COSO framework was created to address this requirement. Most stakeholders did not take this requirement seriously until the Sarbanes-Oxley Act was passed. In this 25-year period, COSO did little work to improve the art of the ICFR.

Trust in COSO 2.0

Stakeholders trust that COSO can move forward to produce a better set of guidance on establishing, maintaining, and evaluating internal control frameworks. Historically, COSO has created a series of guidance documents that have contributed to improving internal control frameworks. Many professionals have reached a basic level of proficiency in the components of a framework using COSO materials as part of their orientation. Audit firms have considerably expanded their audit of the ICFR and the documentation of this evidence in their working papers. Audit quality control systems are improving in most companies. Current COSO members are motivated to improve the guidance provided.

COSO needs to:

1. Establish a strategic and tactical plan for updating the original COSO Framework, which is a quality control methodology that covers corporate governance, financial reporting and compliance.

2. Within the short-term tactical period:

a. Enhance its current development team with additional frames of reference.

b. Define a clear “good judgment workflow” for comments, discussion, and approval that creates a new base document.

c. Issue a clear statement of the problem that supports improvement efforts.

3. Recognize that if private stakeholders do not create a complete set of guidelines, we will continue to have Congress and Regulators establish the guidelines.

4. Add to the membership and governance of COSO stakeholders who bring frames of reference including risk management, corporate governance, legal, information technology, quality control methodologies, operations, regulators, etc.

COSO will find that if all stakeholders are involved in the process, we can advance the state of the art in frameworks. If we can do this, we will create value for society as a whole.
