When the Securities and Exchange Commission first published guidance on how to comply with the infamous Section 404 of the Sarbanes-Oxley Act, which requires companies to assess and disclose the strength of their internal control over financial reporting, the agency pointed to the Committee of Sponsoring Organizations’ 1992-era Internal Control-Integrated Framework as an example of a “suitable” control assessment framework. At the time, the agency did also state that other control frameworks met its suitability criteria, but the strong endorsement of the SEC (and the Public Company Accounting Oversight Board) has resulted in the now-dated COSO framework becoming, for all intents and purposes, the only official control criteria public companies use to assess the effectiveness of their accounting controls.

The unstated reality is that intentionally or otherwise, the SEC and PCAOB have elevated COSO—a loose committee of U.S.-based accounting associations—to the de facto position of the world’s first accounting control standards body. Neither the SEC nor COSO will admit this obvious fact, nor has anyone objectively examined whether this significant decision about investor protection by the SEC is really appropriate. And in my opinion, forcing the use of a control framework that is outdated and technically flawed for all U.S.-listed companies is a huge risk unto itself.

Now, without question, the COSO internal control framework was a major contribution to the auditing profession at the time of its debut in 1992. But major advances have been made since then in the fields of quality, risk, fraud, ethics, compliance, and IT security management. These advances haven’t been incorporated into the COSO 92 framework, and COSO apparently has no plans to do so any time soon. Every time a company and its auditors conclude that accounting controls are effective in accordance with COSO 92, and are subsequently proven wrong, investors and the companies themselves must shoulder significant, unexpected costs. That can be a direct cost in the form of a restatement of financial results, which can easily run into the millions of dollars; or it can be an indirect cost, such as the erosion of investor confidence in the work auditing firms do. Either way, the damage can be severe.

My vote is that the U.S.-based COSO consortium is not the best organization for the task at hand—namely, creating a solid, modern, reliable, periodically updated framework for assessing corporate accounting controls. COSO has made several major contributions to the auditing profession over the past 25 years, but it was never constituted or resourced to be a global standard setting body. We need a new organization—call it the “International Accounting Control Standards Board” for starters—that should be formally established, adequately funded, and charged with producing new guidance for management and auditors on how to report on the effectiveness of the controls in place to manage risks to the reliability of financial statements. This new body should be required to revisit the guidance it produces at intervals of no less than every four years, to analyze results, and improve the overall reliability and usefulness of the guidance it issues.

And What Does Measure Up?

The SEC has actually spelled out its expectations for a “suitable” control framework. In SEC Release 33-8238, issued in June 2003, the agency specifically said a suitable framework must be “free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting.” The SEC has also stated that the authors of the framework must follow “due process procedures.”

The SEC framework suitability criteria are generally sound. Unfortunately, a critical element that should have been explicitly included in the SEC suitability list (but was not) is that the framework should produce reasonably reliable conclusions on the ability of the company’s accounting controls to produce reliable financial statements.

Unfortunately for investors, a strong argument can be made that the 1992 COSO Internal Control-Integrated Framework doesn’t meet (at least not in any absolute way) any of the four defined SEC framework criteria. It does not follow any generally accepted procedures for due process that a standards-setting body should. More importantly, the COSO framework still results in a shockingly high error rate for management and auditor opinions about effective controls. (After all, that’s what the sum total of financial restatements actually is.) Details and support for this conclusion can be found in an excerpt from Wiley’s Governance Risk and Compliance Handbook titled COSO: Is It Fit for Purpose?, and the Institute of Management Accountants’ discussion paper, Accounting Control Assessment Standards: The Missing Piece in the Restatement Puzzle.

Is COSO Right for the Task?

COSO is currently comprised of five organizations: the American Institute of Certified Public Accountants, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants.

And COSO’s current mission is defined on its Website as follows: “to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance, and to reduce the extent of fraud in organizations.”

COSO’s stated mission is both broad and ambitious, but it doesn’t explicitly acknowledge its SEC-spawned role as an accounting control standards body. To date, COSO has never publicly stated that it believes that the 1992 COSO Internal Control-Integrated Framework actually meets the four control framework suitability criteria set by the SEC. It has no publicly released plans to update and improve the 1992 internal control framework, even though periodic re-evaluation of frameworks is generally considered to be a key element of due process for standards bodies.

COSO also has made no effort to date to study why, since SOX 404 came into force seven years ago, thousands of public companies around the world have concluded they have effective internal control over financial reporting in accordance with the COSO framework—and subsequently had to restate their financial statements to correct material, and sometimes massive, accounting errors or irregularities.

In short, COSO does not appear to want to accept the formal responsibility of being a national accounting control standards body, but also apparently does not want to relinquish the power and influence that comes with being the author of the SEC’s favoured accounting control framework.

Given the global movement to transition to international accounting standards (even if that movement is somewhat tentative in the United States), it would seem obvious that the International Accounting Standards Board should create a duly chartered sister organization: the International Accounting Control Standards Board I mentioned earlier, or some similarly named group. That organization should be tasked with, and measured against, the simple and focused goal of reducing the frequency of materially wrong audited financial statements.

We face formidable obstacles to get national lawmakers, the SEC, COSO, IASB, and scores of professional accounting and auditing associations around the world to acknowledge the concerns I raise here in this article. Creation of an “IACSB,” and giving it the simple goal of reducing the frequency of materially wrong audited financial statements, should be critically important to lawmakers, securities regulators, investors, and professional auditors. It’s time to make statements about the effectiveness of a company’s internal control over financial reporting more useful, reliable, and respected.