We need to talk about COSO (6/7): Assumptions about behaviour

Japanese umbrellas

The revised COSO draft uses the word ‘culture’ 12 times.  The document refers variously to culture, to control culture and to internal control culture.  At no time are these defined, explained or differentiated; it is left to the reader to imprint his or her perceptions, associations, biases and misapprehensions on to the meaning of the text in each case.  There is no glossary entry for culture, or any of the other usages. The term first appears at para. 118 as internal control culture, which is presented as synonymous with control environment, the first of the five major elements of COSO.  It must, therefore, be both a structurally and a semantically important construct.  The same paragraph talks about “establishing a strong culture,” again without definition or explanation.  As leading risk thinker John Adam observes, the term is like a Rorschach inkblot: any reader is free to project his or her understanding on the phrase.

As the authors of COSO are no doubt aware, the term ‘culture’ and its attendant phrases are used extensively by practitioners of internal control and of risk, frequently in relation to control environment or tone at the top, both of which phrases originated with the Treadway Commission.  No other concept displays as clearly that the authors of the revised COSO document are either happy to exceed their knowledge or unaware of the limits of their knowledge or both.

Culture is a useful descriptive phenomenon but has definite limits, as Gareth Morgan suggests:

There is an important distinction to be drawn between attempts to create networks of shared meaning that link key members of an organisation around vision, values, and codes of practice so essential to self-organisation . . . and the use of culture as a manipulative tool.  To the extent that the insights of culture are used to create an Orwellian world of “corporate newspeak”, where culture controls rather than expresses human character, the metaphor may prove quite manipulative and totalitarian in its influence.  The message: observer beware.  There is often more to culture than meets the eye and our understanding is usually much more fragmented and superficial than the reality itself.  [However,] many management theorists view culture as a phenomenon with clearly defined attributes.  Like organisational structure, culture is often reduced to a set of discrete variables such as values, beliefs, stories, norms, and rituals that can be documented and manipulated in an instrumental way.

None of the caution Morgan urges is evident in the way the term ‘culture’ is used within COSO.  The result may not be an “Orwellian world of corporate newspeak” but is neither elucidatory nor even meaningful.  The difficulty the COSO authors face is that they cannot explain the term without exposing the limits of their understanding of the term and its practical utility.  Yet no term in the internal control lexicon causes more misapprehension or introduces more erroneous assumptions.  This is the Catch-22 at the heart of the COSO initiative.  Without defining culture and using it consistently, correctly and with humility, COSO causes confusion; defining it introduces diffidence and ambiguity.  Both these attributes – diffidence and ambiguity – belong in the mix of a human behavioural system; neither is admissible into the strictures of internal control over financial reporting.  Yossarian was right: “That’s some catch, that Catch-22”.

COSO shows the limits of its authors’ understanding again in the assumptions they make about what control means to people, to users, and how they will use the resulting analysis and output.

A key subset of the problems of application of COSO in practice is the illusion of control.  The phrase has its origins in personal psychology.  In relation to corporate control, one prominent author uses the phrase to refer to the presentation by the corporate system that it is ‘in control’ when its corporate assurance routines have no means properly of supporting the assertion which is, nonetheless, required of management and, by extension, the firm’s internal auditors.  Examples of the control illusion phenomenon – the assumption that a firm is ‘in control’ because its assurance processes fail to report major accounting control failures – litter recent corporate history.

In another context, US essayist William Langewiesche has written about:

the creation of an entire pretend reality that includes unworkable chains of command, unlearnable training programs, unreadable manuals, and the fiction of regulations, checks, and controls. Such pretend realities extend even into the most self-consciously progressive large organizations . . . The systems work in principle, and usually in practice as well, but the two may have little to do with each other.

In both cases, the underlying problem the authors refer to is the failure of those responsible for the design of the routine or process to consider how the control (or control processes) will be used ‘in anger’ or in the mess of busy and resource-constrained practice.  In the case of COSO, it is clear that, if any thought were given to this issue at all, it would have been thought applied by the principal beneficiaries of the expanded practice that would result from its implementation.  The outcome of the internal-control-as-process approach was always going to be a greatly expanded role for practice firms whose expertise in control of financial reporting is considerable but limited in other areas of control and, in the vastly more complex area of risk, typically disciplinarily narrow and paltry.

Control is at the heart of COSO as a document and as a mission.  Yet its authors display scant regard for its practical application, outside a narrow, accounting-type definition of internal control over financial reporting.  In thinking about risk, COSO authors display little or no mastery of the complexities of risk as a construct or of the behavioural complexities of dealing with uncertainty individually or in groups.  They use behavioural terms with which they clearly are only cursorily technically familiar and with none of the humility or caution that knowledgeable practitioners must apply to get results.

In its behavioural assumptions and semantic confusion, COSO (both in the original and in re-draft) shows itself to be the worst sort of unsubstantiated theory: using terms loosely and outside the technical knowledge of its authors; urging expansion of its influence without any clear demonstration of its efficacy.  That regulators have endorsed a document and an organization with such obvious behavioural flaws and clear conflicts of interest does not reflect positively on their awareness of the challenges with which they have been tasked.  It is not time for a re-draft; it is time for a re-conceptualization, a major rethink of what internal control is and does and how people make it happen.  Without such a rethink, control and related risk disciplines will continue their drift towards compliance-driven irrelevance.

The redraft of COSO can be viewed here.

Our submission on the COSO framework is available at our website.

The list of submissions to COSO can be viewed here.
