In the latest of our occasional conversations with compliance executives, regulators, and other voices in the governance world, Compliance Week recently caught up with David Landsittel, the new chairman of the Committee of Sponsoring Organizations.

Landsittel, a long-time veteran of auditing firm Arthur Andersen, currently serves as a consultant to accounting firms and others on auditing, financial reporting, corporate governance, and quality control matters. He also serves on the board of directors and as chair of the audit committees for Molex Inc. and Burnham Investors Trust for the Burnham Family of Funds.

DETAILS

David L. Landsittel was elected chairman of COSO on June 1, 2009. He is currently a consultant to accounting firms and others on auditing, financial reporting, corporate governance, and quality control matters. Landsittel also serves on the board of directors and as chair of the audit committees for Molex Incorporated and Burnham Investors Trust for the Burnham Family of Funds.

He began his career at Arthur Andersen & Co. and spent 34 years there. Landsittel was previously chair of the Illinois CPA Society and more recently chair of the CPA Endowment Fund of Illinois—a not-for-profit group that provides scholarships and encourages qualified students to pursue careers in public accounting.

He holds an MBA from the University of Chicago Graduate School of Business and an undergraduate degree from DePauw University.

COMPANY BASICS

Company: COSO

Headquarters: Altamonte Springs, Fla.

Website: http://www.coso.org

Why did you take the job as COSO chairman?

Some people enjoy more traditional retirement activities, like golf, but for some strange reason I continue to seek and enjoy “work.” The COSO leadership opportunity is a good match to my background and prior experience dealing with controls, fraud deterrence, and enterprise risk management. These subjects play such an important role in the success of a business enterprise that it’s exciting on my part to be part of COSO.

So, what do you hope to accomplish during your three-year term?

The COSO mission is to provide thought leadership in the development of guidance dealing with internal controls, enterprise risk management, and fraud deterrence. The COSO guidance to date has been very well respected and well recognized. What I want us to do is to advance the state of the art in the spirit of continuous improvement. It’s such an important area and obviously, in the current environment, there are a lot of challenges that deal with controls, fraud deterrence, and risk management. We need to continue to push the envelope responsive to our mission.

I also recognize that COSO needs to extend our global reach. We’re well recognized in the United States, but our mission is relevant throughout the globe and we need to take more steps to become a global influence.

COSO recently published its final guidance on monitoring internal control. Why is monitoring such a tough concept for companies to grasp in building their internal control framework?

I think COSO needed to clarify the application of that aspect of the original internal controls framework, because there’s been a lack of understanding of the kinds of procedures that can provide information to evaluate control effectiveness and to monitor the effectiveness of controls. I think the recent publication accomplishes that. I’m hopeful it not only will drive effectiveness of monitoring, but also efficiency in monitoring activities as well. The guidance emphasizes building monitoring into the processes and controls, as opposed to building a separate evaluation on top of processes and controls.

Tell us about what COSO is focusing on right now.

There are two things I want to mention that will be released in the not-too-distant future. One is a short paper entitled, “Effective Enterprise Risk Oversight: The Role of the Board of Directors.” It calls attention to guidance in our previously published 2004 ERM framework that deals with the steps the board of directors should take in their role of oversight of ERM. It’s intended to be a reminder and reinforcement of the importance of board oversight in the risk-management area. That should be out in the next month.

We also have a comprehensive research project underway, “Fraudulent Financial Reporting 1997 to 2007.” It’s an analysis of 350 U.S. companies, using Securities and Exchange Commission enforcement actions as a source, that have allegations of fraudulent financial reporting. [The report will] match a company that’s been involved in fraudulent reporting with a similar company that hasn’t, and use that match to compare and identify key factors that are different and that are associated with the fraudulent financial reporting—or, conversely, controls or other attributes that are missing in the companies that had fraudulent financial reporting … We’re hopeful that this will be a significant benefit in terms of giving more insight to us in this important area.

When do you expect that research project to be released?

It’s in its final stages. We hope to release it this fall. Our target is September or October.

COSO has focused on the understanding of enterprise risk management. Where do you think most companies currently are on ERM? Do they get it?

There’s a survey that was spearheaded by one of our board members, Mark Beasley, who is a professor at North Carolina State University and chair of their ERM initiative. They published a survey this spring that called into question the robustness of the risk oversight implementation by various companies. The survey comments that more than 50 percent of public companies haven’t implemented a holistic enterprise risk-management approach. That’s not to say they don’t have an examination of risk, but typically, it’s more ad hoc or is communicated in a more ad hoc way.

What about boards? Is there more focus on ERM at the board level now?

The survey showed that boards are asking for more information and certainly prodding for more comprehensive application of ERM, which is not surprising given the complexity of today’s environment.

Anecdotally, I’m the chair of two audit committees. In that role I’ve participated over the last couple of years in a number of roundtable discussions with other audit committee chairs. The number one topic at any of those roundtables in the last two years has been risk management. For instance, what’s the role of the board, how does the role of the board get delegated down to the audit committee in certain respects, what’s the audit committee’s role, and what’s the extent of implementation by management? So, it’s certainly an area of very high interest … and I’m optimistic that we’re going in the right direction.

In your experience with the boards that you serve on, do you hear more discussion among the full board about ERM?

I do, although I must say it’s more comprehensively a discussion at the audit committee level. I think the audit committee is naturally the committee that can effectively oversee the process. Audit committees are good at dealing with processes, so it’s logically an area the audit committee is well qualified to probe. In terms of the outcomes or the output of those processes, where the output deals with risks that need to be mitigated through controls, it’s a logical extension of audit committee responsibility. Where the outputs are strategic risks that affect the strategy of the company, obviously it’s a board responsibility. I think boards are more than willing to recognize that.

What guidance would you like to give, or would you have given, to help prevent some of the financial crisis mistakes?

The financial crisis is a very complex issue, so there’s no one silver bullet that would’ve avoided it. That said, I think it’s apparent from what’s been disclosed that more thorough risk-management processes would’ve helped mitigate the circumstances that we’ve experienced.

I also think … it illustrates the fact that we need more research on how to identify what I call our “unknown” risks and how to prioritize those—risks that are seemingly remote, but would have a large impact on the enterprise and are therefore risks we can’t ignore. I think that’s an important research lesson that’s emerged from the recent financial difficulties we’ve had. It’s something that COSO hopefully will be able to focus on.

What other needs currently exist that you would like to see COSO address?

The top of the agenda for our next board meeting in September, which will be my first meeting, is to consider possible future projects and potential prioritization of those future projects. So, it’s a little premature for me to definitively respond to that.

What’s on your personal wish list?

In my mind, one area where we need to consider more guidance and research is the control environment. I think we need research to understand more what the really important attributes of the control environment are and how we can better evaluate the quality of the control environment.

Oftentimes, before an incident occurs there’s a view that the control environment is positive. Then, in hindsight, people point to a poor control environment. We need to better understand how to evaluate the quality of the control environment before the fact.

Thanks, David.