What do we know about how COSO has performed in practice? To address that question, we need to differentiate the ‘practice’ we mean. In the first instance, the question must address the regulatorily-mandated requirement for assessment of internal control over financial reporting. Secondly, we must address whether or not implementation of COSO has assisted companies to enhance their internal control more generally. Or, to put in another way, are firms that have implemented COSO more ‘in control’ as a result? Published GAO data show that, between July 1, 2002, and September 30, 2005 there were 1,390 restatement announcements because of financial reporting fraud and/or accounting errors by SEC filers. By the end of this period, 6.8 percent of filers restated or 1 in every 15 firms. Over the period, on average, almost 1 in every 6 firms restated their financial statements. In the period October 1, 2005, and June 30, 2006, there were 396 restatement announcements.
Yet, here the publicly-available data from GAO cease. Although analyses are available privately, they are expensive to obtain. Remarkably, filers are not required to publish their histories of restatement.
What does the vast number of restatements of financial statements tell us?
Assuming that the period to June 30, 2006 represents the peak of the pressure on firms and audit committees to restate as the capabilities and diligence of reporters and their auditors have steadily improved since 2002, this would suggest prima facie that SOX §404 has been effective at improving control over financial reporting, at least in the absence of counterfactuals – evidence to the contrary.
Unfortunately, beginning in August 2007, and accelerating through the second half of 2008, the US then the world has suffered a banking crisis leading to a global financial crisis. A significant proportion of the 928 firms participating in the US Treasury’s Troubled Asset Relief Program (TARP) under the Emergency Economic Stabilization Act of 2008 which disbursed over $600 billion in temporary capital were or are SEC registrants and were thus covered by SOXA §404 and COSO. This represents a counterfactual of staggering proportions.
At some point prior to the onset of the financial crisis, executives and board members of each of the SEC-registered firms that subsequently required bailing out must have received assurances that the stated value of accounts over which they were required to attest were reliable. And yet they were not.
Therefore, we can conclude that, even if §404 encouraged greater precision in the accounts of filers, in the case of the TARP participants at least, those accounts were precisely wrong. It is, of course, unfair to lay the blame for this at the door of COSO. Clearly, the accounting assumptions used in the valuation of financial instruments were dependent on a raft of assumptions from the economics of mark-to-market and ‘mark-to-model’ accounting that proved erroneous.
However, thinking about efficacy of internal control in this light does expose the fundamental reliance of any assessment on internal control and any assurance thereover on the current state of knowledge at the time. Because that knowledge changes, assumptions underpinning internal control will change and the basis of assessment of control must change with them.
By far the greatest failing of COSO (the organization) in its review of the internal control framework has been that it has made no robust attempt to understand the utility of the framework to corporate users. On the contrary, its popularity and extensive application is seen as evidence of its utility. And perhaps it is. But an equally plausible explanation is that it has been effective at its principal and original task: improving the reliability of financial reporting based on the valuation assumptions that prevail at the time. Outside that limited focus, its utility and efficacy are unproven; worse, they are substantially untested. This matters. If COSO were demonstrably effective in all applicable settings, its dominance could be hailed as a progressive development that contributes positively to the creation of wealth in the US and globally. However, even if COSO were effective at that level, there have been almost no rigorous attempts to assess its effectiveness.
At the very least, COSO should have prepared (and should now prepare) a properly independent, robust and rigorous review of the efficacy and utility of COSO. To have any pretense of intellectual honesty, this must address those areas in which COSO has not worked as originally envisaged or as commonly presumed. The findings of such a review and range of interpretations thereof should drive the scope of amendment of COSO, rather than the presumed range of knowledge and group of people who benefit materially from its existence and current form.
The redraft of COSO can be viewed at here.
Our submission on the COSO framework is available at our website.
The list of submissions to COSO can be viewed here.
Feel free to subscribe to the blog to get our messages direct to your Inbox!