This profile features Larry Rittenberg, chairman of the Committee of Sponsoring Organizations (COSO), and accounting professor at the University of Wisconsin.

How did you come to be chairman of COSO?

[Laughs.] Bad luck? Hard work? Well, I’ve been at the University of Wisconsin almost all my career, and been active in the profession both through the academy and through the American Accounting Association. I’ve been active in the Institute of Internal Auditors; not only have I done a lot of research for them, but I was on their guidance task force that crafted the new definition of internal auditing. I was also in charge of professional practices, and helped develop the framework for standards in internal auditing.

With that, the American Accounting Association asked me to serve as their representative on COSO three years ago, just as they were debating whether to go forward with the enterprise risk management projects … I was fairly active in the enterprise risk project, and [former chairman] John Flaherty extended his term to stay through the project. At that point, the board chose to elect a new chair, and I was the one.

Your term is three years. What goals do you want to pursue?

The big thing right now is developing guidance for small businesses. Second is to continue to promote and gain widespread understanding of the enterprise risk management model. Third is to look at areas where COSO could find more efficiencies in applying the COSO frameworks; maybe not just guidance for small businesses, but guidance for all businesses. Last is to continue to think strategically on the future of COSO.

Detail those priorities for us. For example, what guidance do you want to give to small businesses?

Well, we’re working under a very tight timeline; we want to have guidance out by mid-summer. We have an advisory group and a task force put together, and an outstanding chair of the task force who’s agreed to come on and chair our activities on this particular project. She’s a partner at a smaller CPA firm, and works a lot with smaller businesses.

We want to identify more explicitly the unique characteristics of small businesses. We all think we know what small businesses are like, but we’re going to spend time identifying those unique characteristics and how they help us understand the difficulty small businesses may have implementing the COSO internal control framework. For example, there are tradeoffs in various controls throughout the framework: that if you have, say, weaknesses in the management governance structure, it might require changes in responsibilities for an audit committee. We’re trying to work through those to identify efficient ways to achieve the control objectives in the COSO model.

And promotion of the risk frameworks? Many executives appreciate the idea, but aren’t sure how to approach it.

We had a bit of a campaign when it came out, and that was the same that occurred in 1992 when the internal control framework came out. We understand that businesses are overwhelmed this year with compliance for Sarbanes-Oxley. We started this project before Sarbanes (and it took us a while to get done) but it was not influenced by the development of Sarbanes-Oxley per se. It was more influenced by what we saw of organizations consistently failing to address risk and therefore some issues of governance … We saw some really bad decisions and bad consequences for a lot of businesses.

Our idea is that enterprise risk is a broader concept than the internal control framework, and it encompasses the internal control framework; it’s a much richer setting. What we’d like to see as a first step is for organizations to consider how they might embed this risk framework into the culture of their organization and how to make it more explicit.

You’d agree, then, that Section 404 is almost a minor league version of enterprise risk management?

Yes, I do think there’s a lot of consistency there. As we move forward, we must develop an understanding of this more as a systems process. If you stop and think about it—and this is in the original controls framework—why do controls exist? They don’t exist because some auditing professor one day said, 'Here are some controls we’re going to put into the textbook.' They exist to address risk. If you’re going to get more efficient in looking at controls, and educating people about what I would call more “principles-based controls,” then you need to understand the risks they’re trying to address.

How many executives do you think really see it at that deep level?

I think there’s some education to get there, and I personally think what will get them there is understanding that it will lead to more effective operations in the company. When we get to that point, it becomes much more widely accepted.

You mentioned bad decisions made thanks to poor risk management. Examples?

Just look at the history of mergers and acquisitions that we’ve had in the last decade. It’s clear people didn’t use risk management while looking at these things; AOL-Time Warner is a good example of that. If you look at the financial areas, you’ve seen situations where—oh, for example, Procter & Gamble lost a great deal of money on derivatives, because they did not understand the risk and did not look at risk in a control framework …

One aspect of the enterprise risk model that COSO is up front about is that enterprise risk management and strategy are intertwined. You look at risk and then you feed that back into strategic decision-making.

And you had mentioned that COSO wants to examine new areas where it can find efficiencies. What do you mean?

We haven’t committed to any of these, so this is my opinion only. But from what I see and what I gather in talking with people, there are two elements of the COSO risk model that maybe are not as well understood or as well implemented as they need to be: the information and communication and the monitoring aspects of the COSO model.

As we go forward, as we consider monitoring controls, we need not only research but also other work that COSO can do on evaluating the effectiveness of monitoring controls … How do we develop an effective information system and effective monitoring controls that tell us when the system is failing, so that we immediately can take corrective action? If we can get to that point, then we can generate more benefits from the 404 process, not only for external reporting but also internal decision-making and operations.

You’re an accounting professor. Are we doing a good job training future executives to think in these terms?

I think some schools are, but I’d have to say the bulk of schools are not. I hope to publish a study soon that colleagues of mine are doing on lessons learned from Section 404. One thing they’ve kept seeing over the last two years is more principles-based accounting. I found it interesting when I started looking at the results of this study: everyone was saying they wanted more principles-based accounting, but by 2-to-1, they wanted more detailed guidance.

To me it’s the education and early implementation culture. If we’re going to get there, we’ve got to get to the point where we trust these individuals’ judgment. Of course that’s a huge task for a large company or a Big Four firm, which needs consistency across all their people. We get mired a little too much in checklists, and as we do that we miss some of the fundamental concepts—as in, asking, 'Why is this control necessary? What risk is this control addressing? Would another control be more effective in addressing this risk?'

Many executives say business regulation has now gone too far, and wonder what sin they committed in a past life to endure Section 404 in this one. How do you answer that?

My rebuttal would be that I agree with a speech [SEC Chief Accountant] Don Nicolaisen gave in October. He said this is about winning back investor confidence, and I think it is … We needed a fundamental change in culture.

I tend to think it was much broader than just a few companies, and that’s my personal opinion. Just look at the emails that come from your own publication, listing internal control deficiencies—those are pretty overwhelming; there’s a lot of them … Companies are now talking about ways to improve their operations because of what they’re finding in evaluating these processes. I think it’s something they’ll get through, and what they ought to be saying is, 'We’ve set the foundation, now let’s move it to the next level.'

Thanks, Larry.