COSO needs to clarify whether it is a quasi-regulator of internal control over the limited focus of corporate financial reporting or whether it is an innovator in frameworks for corporate risk and control. The innovator role is incompatible with its status as a quasi-regulator and, if that is the road COSO wishes to take, it should separate the quasi-regulatory and ‘competitive’ / innovative functions. Failure to do so crowds out other, better thinking in frameworks for corporate risk and control. The initial COSO document Internal Control – Integrated Framework issued in 1992 represented a landmark contribution to the debate on internal control. However, it was not definitive and contained some conceptual limitations and flaws. But, relative to the knowledge at the time, it was a diligent and valid contribution to the state of knowledge internationally on internal control.
COSO came out of a group of professional (or ‘sponsoring’) organizations picking up the recommendations of the US National Commission on Fraudulent Financial Reporting, known also by the name of its chairman, James Treadway. The whole thing – Treadway and COSO – was a way of the professional bodies and industry heading off congressional threats to regulate internal control over financial reporting in the wake of the savings & loans crisis and a string of accounting scandals. Sound familiar?
In the years immediately following publication of the original COSO, the ‘internal control as process’ approach of COSO gained considerable support and momentum. Although originally intended to focus on minimization of erroneous or fraudulent financial reporting, its focus broadened considerably to encompass compliance and effectiveness and efficiency of operations.
Following publication of COSO, a number of other, similar control initiatives emerged. These included:
- in the UK, the Financial Reporting Council, the London Stock Exchange, and the accountancy profession established the Committee on the Financial Aspects of Corporate Governance, chaired by Sir Adrian Cadbury (1992) and a series of publications including the 1999 Internal Control: Guidance for Directors (the 'Turnbull Guidance') which drew heavily on COSO;
- in Canada, the CICA published in 1995 a report called Criteria of Control (CoCo) which emphasized entity-level control and human factors in control – reflected in its emphasis on commitment and capability;
- in 1996, the US-based Information Systems Assurance & Control Association (ISACA) published Control Objectives for Information Technology (CObIT) for use in evaluation of control over information systems development and operation;
- in 1995, Standards Australia and Standards New Zealand collaborated to publish a standard purporting to cover risk management: AS/NZS 4360. Although not focused on internal control, the terminology of COSO – ‘risks’ to the achievement of objectives – lent itself to being conflated into the debate on internal control.
There were also unrelated initiatives in the decade following the publication of COSO relating to:
- internal control as a substitute for ineffective market disciplines for corporate control
- broadening of the concept of control and use of corporate routines and information to direct attention, intention and action around strategic and behavioural control
- integrating knowledge from engineering control disciplines to management control and behavioural control
And then Enron collapsed. Amid a flurry of accounting scandals, Congress’ patience was exhausted; the Sarbanes-Oxley Act of 2002 was the result. One section, §404, required attestations by management and auditors on internal control. The standard adopted by the PCAOB (itself a product of SOX) and promulgated by the SEC for defining and assessing internal control over financial reporting was COSO. This was a game-changer for COSO, or should have been.
PCAOB defined standards for acceptance of internal control frameworks. COSO passed. So did a range of others – CoCo and the 1999 UK guidance on internal control – but it is COSO that has prevailed universally. COSO is now the dominant, if not the only, operating internal control framework for major companies internationally. Geographically its reach circled the globe.
As is so often the case with regulatory initiatives, the PCAOB endorsement of COSO has had an unintended consequence: since 2002, there has been little or no serious development on other frameworks for internal control or alternative conceptualizations of internal control emerging; the SEC and PCAOB have unintentionally killed innovation in internal control.
Whether COSO (the organization) likes it or not, COSO (the framework) is now captured wholly by its association with SOX §404. COSO (the organization) has become a ‘quasi-regulator’: its framework’s primary application is to give effect to the statutory provisions of §404, narrowed by PCAOB to relate to internal control over financial reporting. In doing so, its principal focus has narrowed back to the function originally intended by the Treadway Commission: “internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection.”
COSO (the organization or ‘quasi-regulator’) presumably expects that its revised internal control framework will receive regulatory endorsement via PCAOB and SEC. Hence, there are four fundamental problems with COSO in relation to its role:
- The framework of internal control cannot be separated meaningfully from the work of COSO the organization. COSO has failed to recognize the new, quasi-regulatory status bestowed on it by PCAOB and SEC and has continued to act as if it were merely a grouping of professional organizations free to attempt and, possibly, fail at innovation.
- COSO (the framework or ‘quasi-regulatory instrument’) is no longer free to pursue priorities independently from the regulation it serves – i.e. multiple objectives; it must focus on the primary regulatory purpose of internal control over financial reporting to the exclusion of other, potentially conflicting objectives around compliance, operations or higher, firm-level objectives of strategy or value.
- As a result of its regulatory status, COSO (the framework) has crowded out other potentially useful frameworks and initiatives to enhance understanding and/or performance of organizational internal control which might include those higher-level objectives and whether the firm is 'in control'.
- COSO’s ill-judged, poorly executed and unsuccessful foray into enterprise risk management (ERM), based on a framework lifted from the internal control framework, has irreparably muddied the waters of what COSO is and does relating to risk and what its work can be used for.
Unhappily, COSO (the organization) shows no sign of recognizing the implications of its status as de facto producer of regulatory standards. It continues to operate as a professional club. Not only has the review of COSO (the framework) fallen to successors of its original authors (PwC), but also – in one very major sense – to the principal financial beneficiaries of PCAOB’s mandate that COSO be used for §404 attestations of internal control. It is the largest accounting firms that have benefited most from these regulations.
Simply put, PwC is not objective about the utility of COSO and has no incentive to be so. From their perspective, the more compliance work required by SEC filers in internal control, the better. It is difficult to escape the conclusion that PwC has treated the redraft of COSO’s internal control framework as a scarcely-veiled marketing exercise: no fewer than 37 partners and staff are referred to in the document by name. Given the regulatory fiat from PCAOB and the SEC, this represents an abuse of a de facto regulatory monopoly that should attract the ire of the real regulators (who, sadly, appear to have been complicit in the exercise).
COSO must figure out what it is and intends to be in the future. If it wishes to remain the quasi-regulator of the approach to assessment of internal control over financial reporting for SEC filers, it must recognize that it will be incompatible to use that position to develop frameworks for other purposes under the same banner. Doing so simply crowds out other, broader and better thinking.
If, however, it wishes to pursue the role of innovator of frameworks for corporate internal control and risk management, it should de-couple these activities from an entity with quasi-regulatory responsibilities and let its initiatives stand or fall over time on their merits. That would be the competitive and intellectually honest approach.
Before introducing changes to COSO (the framework) likely to result in additional compliance costs for SEC filers, COSO (the organization) needs to clarify its role and make whatever changes are needed to put that role into effect. More importantly, failure to do so will continue to limit SEC filers’ (and thus major firms') performance by inhibiting the emergence and application of more useful and operable frameworks (note the use of the plural) for corporate internal control and risk management.
Time for a rethink of role, not a redraft of the document!
See our introductory blog here.
Our submission on the COSO framework is available at our website.
The redraft of COSO can be viewed here.
The list of submissions to COSO can be viewed here.