Failures within the COSO Framework community

In 1992, COSO released its original COSO Internal Control – Integrated Framework. The framework was a response to the requirements of the US Foreign Corrupt Practices Act of 1977. Stakeholders of the framework have raised the following issues in their comments on the COSO 2012 draft update:

1. Most companies at the center of the global financial crisis were subject to SEC regulations, which required effective internal control over financial reporting (ICFR). All of these companies’ SEC filings claimed effective ICFR under COSO. Those ICFR evaluations were failures.

2. COSO has not defined or declared the problems with the existing COSO Framework materials. It has started to create an update that fixes a set of undisclosed issues.

3. The COSO 2012 framework update was developed primarily from a single frame of reference.

4. The development approach of this update did not follow a “Good Judgment Workflow” process. The timing of the process does not allow for adequate review, discussion, and consensus building among the various stakeholders, who bring different frames of reference.

COSO created a summary definition of an internal control framework that contains three categories of control objectives: operations, financial reporting, and compliance. It also divided the principles relating to controls into five summarized components:

1. Risk assessment

2. Control Environment – Tone at the Top

3. Control Activities

4. Information and Communication

5. Monitoring

COSO followed up its original framework documentation with additional documentation on the principles and their attributes. In 2004, COSO produced guidance on how to design and implement an enterprise-wide risk management framework. In 2006, COSO issued its guidance for smaller public companies on the principles and attributes of an ICFR framework. That document was used extensively by the SEC and PCAOB in their 2007 auditing standards and guidance. A set of principles-based documentation has thus been created for ICFR evaluation, and COSO is to be commended for avoiding a rules-based approach.

Several commenters asked COSO to accomplish the following:

1. Public companies governed by SEC regulation should be provided with reliable guidance on how to apply the principles to address business opportunities and risks with a single, effective set of internal controls. The guidance must provide a comprehensive methodology for the evaluation of ICFR.

2. COSO should clearly state the problems with the current Framework materials and with their use in creating controls. There are many problems with management’s creation, maintenance, and evaluation of COSO-based frameworks. There have been significant corporate governance failures related to the review of management’s assessments. It does not appear that external auditors have received clear instructions from regulators on how to carry out their assurance function, while the SEC’s focus remains on ICFR.

3. COSO needs to directly address quality control improvements for corporate governance and risk assessment. Better corporate governance and risk assessment are essential to prevent and reduce the excesses of executive management. The initial SOX regulations, and the reactions to them, did not address the corporate governance and risk management issues that Congress was trying to address with Sarbanes-Oxley. Auditing Standard 2 and the preponderance of management’s internal control frameworks extended to detailed transaction processing while ignoring entity-level risk assessments. This left the door open for corporate governance and risk management failures, e.g. AIG, Fannie/Freddie, Lehman Brothers, Countrywide, Merrill Lynch, MF Global, etc.

4. COSO must implement a “Good Judgment Workflow” process for approval of revisions to its materials. COSO must recognize that its developers are dominated by a single frame of reference: the experience of large audit firms. Those of us who have been external auditors, internal auditors, CFOs, CEOs, consultants to SEC-registered firms, and framework educators understand how limited the framework has been as a viable, comprehensive framework.

5. COSO needs to establish a strategic plan and a tactical plan for its activities related to “Quality Controls” on corporate governance and the issuance of audited financial statements. The Foreign Corrupt Practices Act of 1977 was the first federal mandate for the use of an internal control framework, and the current COSO framework was created to address that requirement. Most stakeholders did not take the requirement seriously until the Sarbanes-Oxley Act was passed. In that 25-year period, COSO did little work to improve the art of ICFR.

Confidence in COSO 2.0

Stakeholders are confident that COSO can move forward to produce a better set of guidance on establishing, maintaining, and evaluating internal control frameworks. Historically, COSO has created a series of guidance documents that have contributed to the improvement of internal control frameworks. Many practitioners have achieved a basic level of proficiency in the components of a framework by using the COSO materials as part of their guidance. Audit firms have greatly expanded their ICFR audit work and the documentation of that evidence in their working papers. Audit quality control systems are improving in most companies. Current COSO members are motivated to improve the guidance provided.

COSO needs to:

1. Establish a strategic plan and a tactical plan for updating the original COSO Framework, which is a quality control methodology covering corporate governance, financial reporting, and compliance.

2. Within the short-term tactical period:

a. Expand the current development team with additional frames of reference.

b. Define a clear “good judgment workflow” for comments, discussion, and approval that produces a new base document.

c. Issue a clear problem statement that supports the improvement efforts.

3. Recognize that if private stakeholders do not create a comprehensive set of guidelines, Congress and regulators will continue to set the guidelines instead.

4. Expand COSO membership and governance to stakeholders who bring additional frames of reference, including risk management, corporate governance, legal, information technology, quality control methodologies, operations, regulators, etc.

COSO will find that if all stakeholders are involved in the process, we can advance the state of the art in internal control frameworks. If we can do this, we will create value for society as a whole.