
Current issues with the COSO draft framework update

Failures within the COSO Framework community

In 1992, COSO released its original COSO Internal Control – Integrated Framework. This framework was in response to the requirements of the US Foreign Corrupt Practices Act of 1977. Framework stakeholders have raised the following issues in their comments on the draft COSO 2012 update:

1. Most companies at the center of the global financial crisis were following SEC regulations, which included having effective internal control over financial reporting (ICFR). All of the companies’ SEC filings claimed to have effective ICFR under COSO. Their ICFR assessments were failures.

2. COSO has not defined or stated problems with the existing COSO Framework materials. It has started creating an updated fix for a set of undisclosed issues.

3. The 2012 COSO Framework Update was developed primarily from a reference framework.

4. The development approach for this review did not follow a “Good Judgment Workflow” process. The timing of the process does not allow for proper review, discussion and consensus building among various stakeholders with different frames of reference.

COSO created a summary definition for an internal control framework that contains three categories of control objectives: operations, financial reporting, and compliance. It has also divided the principles relating to controls into five summarized components:

1. Risk assessment

2. Control Environment – Tone at the Top

3. Control Activities

4. Information and Communication

5. Monitoring

COSO followed up on its original framework documentation with additional documentation on the principles and their attributes. In 2004, COSO produced guidance on how to design and implement an enterprise-wide risk management framework. In 2006, COSO issued its guidance for smaller public companies on the principles and attributes of an ICFR framework. This document was used extensively by the SEC and PCAOB in their auditing and guidance standards in 2007. A set of principles-based documentation has been created for ICFR evaluation. COSO is to be commended for avoiding the use of a rules-based approach.

Several commenters call for COSO to accomplish the following:

1. Public companies governed by SEC regulation should have credible guidance on how to apply the principles to address business opportunities and risks with a single, effective set of internal controls. The guide must provide a comprehensive methodology for the evaluation of the ICFR.

2. COSO must clearly state issues with current Framework materials and their use in creating controls. There are many issues with the creation, maintenance, and evaluation of COSO frameworks by management. There have been significant corporate governance failures related to the review of management assessments. It does not appear that external auditors have received clear instructions from regulators on how to carry out their assurance role. The SEC has a focus on ICFR.

3. COSO needs to directly address quality control improvements for Corporate Governance and Risk Assessment. Better Corporate Governance and Risk Assessment are essential to prevent and reduce executive management excesses. The initial SOX regulations and the reactions to those SOX regulations did not address the corporate governance and risk management issues that Congress was trying to address with Sarbanes-Oxley. Auditing Standard 2 and the preponderance of management’s internal control frameworks were extended to detailed transaction processing, ignoring entity-level risk assessments. This left the door open for Corporate Governance and Risk Management failures, e.g., AIG, Fannie/Freddie, Lehman Brothers, Countrywide, Merrill Lynch, MF Global, etc.

4. COSO must implement a “Good Judgment Workflow” process for approval of revisions to its materials. COSO must recognize that developers are dominated by a single frame of reference: the experience of large audit firms. Those of us who have been external auditors, internal auditors, CFOs, CEOs, consultants to SEC-registered firms, and frameworks educators understand how limited this framework has been in presenting a workable comprehensive framework.

5. COSO needs to establish a strategic plan and a tactical plan for its activities related to “Quality Controls” on Corporate Governance and the issuance of audited financial statements. The Foreign Corrupt Practices Act of 1977 was the first federal mandate for the use of the internal control framework. The current COSO framework was created to address this requirement. Most stakeholders did not take this requirement seriously until Sarbanes-Oxley was passed. In this 25-year period, COSO did little work to improve the art of ICFR.

Trust in COSO 2.0

Stakeholders are confident that COSO can move forward to produce a better set of guidance on establishing, maintaining, and evaluating internal control frameworks. Historically, COSO has created a series of guidance documents that have contributed to the improvement of internal control frameworks. Many professionals have achieved a basic level of proficiency in the components of a framework by using the COSO materials as part of their orientation. Audit firms have greatly expanded their ICFR audit and documentation of this testing in their working papers. Audit quality control systems are improving in most companies. Current COSO members are motivated to improve the guidance provided.

COSO needs to:

1. Establish a strategic and technical plan for updating the original COSO Framework, which is a quality control methodology that covers corporate governance, financial reporting, and compliance.

2. Within the short-term tactical period:

a. Enhance the current development team with additional frameworks.

b. Define a clear ‘good judgment workflow’ for feedback, discussion and approval that creates a new base document.

c. Issue a clear problem statement that supports improvement efforts.

3. Recognize that if private stakeholders do not create a comprehensive set of guidelines, we will continue to have Congress and regulators set the guidelines.

4. Add to the membership and governance of COSO stakeholders who provide frameworks that include risk management, corporate governance, legal, information technology, quality control methodologies, operations, regulators, etc.

COSO will find that if all stakeholders are involved in the process, we can advance the state of the art in frameworks. If we can do this, we will create value for society as a whole.
