
Comments on the COSO draft update of the internal controls framework

February 11, 2012

I uploaded my comments on the draft yesterday. Unfortunately, it does not seem possible to view the comments yet, so I am copying them below.

I welcome your feedback and encourage you to submit your own comments to COSO (www.coso.org).

==================================================================

Comments on the draft COSO update of the Internal Controls Framework

Norman Marks, CPA, CRMA

Norman.marks@sap.com

February 10, 2012

My compliments go to COSO and its leaders for undertaking an update of the excellent 1992 internal controls guidance. It made a significant and necessary contribution by bringing people together around a shared definition of internal control.

Overall, the update has shown some imagination but I am not persuaded that it has been successful. I fear that it may have added fuel to the existing perception that this is a control framework for accountants and financial auditors, and will lead to a checklist approach to assessing the adequacy of internal control. I also regret that the opportunity to collaborate with risk practitioners to converge guidance for risk management has been allowed to pass.

I will share my comments in four sections: on the process for the project; high level issues; more detailed concerns; and, some concluding remarks and recommendations. These are my personal comments, which may not be consistent with that of my employer or of the professional associations of which I am a member.

Process

While I have heard complaints about the choice of PwC (my former firm), I don’t have a problem with their selection and respect the project leaders, some of whom I know personally. The role of the Advisory Council is key to ensuring a quality product, and it also includes a number of individuals I know and respect.

However, the internal control framework is not a product only for accountants and auditors. Internal controls are a major element in the management of risk, optimization of performance, and achievement of compliance. The users of and stakeholders in a quality internal control framework are a diverse and broad group. Unfortunately, while a few of the project team and council have experience beyond accounting and financial auditing, the voice of the larger risk management and compliance practitioner communities – let alone the governance community – does not appear to have been solicited or incorporated.

As is well known by COSO, a large number of risk management practitioners do not favor the COSO ERM Framework, which is built on, expands, and extends the internal control framework. There is also a perception, right or wrong, that the internal controls framework is by and for accountants and financial auditors.

This update of the internal control framework was an opportunity to remedy the situation and move towards a convergence with other interested groups. Significant contributions to thought leadership in risk management, in particular, have been made since COSO released the ERM framework. However, this project does not appear to have considered, learned from, and incorporated that thinking.

That is unfortunate and I have reservations that unless changes are made to the draft and in the process, many of the leaders in risk management and compliance will not endorse and use it. The framework will end up satisfying the needs of external auditors, accountants, and (to some limited extent) internal auditors, but not the needs of the larger community.

On a second point, I do not feel that it is appropriate to assess the readiness of the updated internal controls framework now and provide guidance related to the assessment of internal control over financial reporting later. Only when we see the latter can we assess the former, because a major use of the internal controls framework is as the foundation of management’s assessment of internal control over financial reporting.

Finally as regards process, I am personally disturbed to see webcasts and other presentations on the draft as if it were final or close to being so. I believe the product is flawed – in ways that can be addressed – and it is too early and disrespectful to the process to advocate it as if it were other than a first draft for discussion.

High Level Issues

I have a few significant issues that strike to the heart, in my opinion, of the value and use of the draft.

  1. A checklist approach to assessing the system of internal control

The new version suggests that an effective system of internal control is achieved if the principles and related attributes for each of the components of the model are present and functioning.

Not only is this concept highly questionable, but it encourages a checklist approach to assessing internal control rather than the use of judgment and risk management principles.

My view: the system of internal control is effective if it provides reasonable assurance that the more significant objectives will be achieved. Reasonable assurance is achieved if the risk of non-achievement is acceptable (based on the organization’s defined risk criteria, which include its risk appetite). Judgment is necessary to reach that conclusion, not the completion of a checklist as presented in the draft.

Reasonable assurance requires, in most cases, a combination of controls across a range of COSO components. It does not always need controls in every component, satisfying every attribute listed in the draft. For example, the effect of a defect in one attribute may be mitigated by a compensating control elsewhere, such that the risk of non-achievement of objectives is within acceptable levels.

I commented on the process for evaluating the system of internal control on my blog. I was pleased to see a level of agreement with my position, but dismayed at the number of people who preferred a checklist to being asked to exercise judgment. This should be a caution against providing people with what appears to be, if not in fact is, a checklist.

  2. Limitations to the system of internal control

The draft excludes from the system of internal control activities – which are clearly controls – within governance processes that ensure that the board and top management define appropriate objectives and provide oversight of risk management, performance, and more. While I would not advocate changing the definition of internal controls (the 1992 definition has stood the test of time and this issue can be addressed with explanatory text), if the organization is heading in the wrong direction it will fail. Controls are required to ensure that the right individuals are responsible for governing the organization, hiring and overseeing management, and approving objectives and strategies. They should do so based upon reliable, complete and current information, and the objectives and strategies should be communicated once approved across the organization and integrated into individual department and manager objectives.

Similarly, there is no assurance that controls are suitable for the organization if the risks they are designed to modify are not part of an effective risk management program/process, and acceptable risk limits are not set and approved by the board – and then communicated across the organization.

The relationship between risk management and internal control is not explained well in the draft, and some of the text is actually conflicting. In particular, risk management is not only (as described in the draft) about addressing the potential negative effects of uncertainty. It is also about addressing the opportunities for positive effects on performance and the achievement of objectives.

Controls help ensure actions are taken to optimize performance; they don’t just mitigate the potential negative effects of uncertainty.

  3. The language of risk management

As noted earlier, risk management is about more than the potential negative effects of uncertainty. But the draft reflects other ‘errors’ in discussions of risk management. For example, there is discussion of a risk response being needed, but additional actions (such as additional controls) should only be taken if the level of risk after consideration of the effect of existing controls (i.e., the residual risk) is above acceptable levels. Another example is the idea that there is a control deficiency even if the level of risk is acceptable.

In another example, when considering the achievement of objectives it is not sufficient to set a ‘risk tolerance’ of 90% achievement. The likelihood of non-achievement of the objective should be paramount; for example, is management willing to accept a 20% likelihood that the objective will not be attained? Is management willing to accept a 10% likelihood that the objective will be achieved at the 90% level?

My recommendation is that risk practitioners, especially individuals active in the ISO 31000:2009 community of practice, and professional risk management associations (such as RIMS, GARP, and IRM) be added to the project. The language of risk can then be upgraded to the latest thinking and the value of the internal control framework to the larger community enhanced.

  4. The efficiency of the system of internal controls

The draft focuses exclusively on what will constitute an effective system of internal control. There is inadequate guidance on designing and operating an efficient system of internal controls.

While the 1992 version appropriately comments that a combination of controls is required, and that controls can operate at different levels within the organization (such as at the entity level as well as the activity level), there is little if anything to help the control designer in the new draft. For example, the framework should discuss, inter alia:

  • Preventative vs. detective controls, based on the (generally higher) level of risk when reliance is placed on detective controls.
  • Entity-level vs. activity-level controls.
  • Automated vs. manual controls.
  • The risk that certain controls may not operate reliably.
  • The combination of controls that will provide, at acceptable cost, reasonable assurance that risks are managed at acceptable levels.

Detailed concerns and comments

The balance of this document is a list of comments, in addition to those above, in order of their appearance in the draft. They are necessarily brief, and I would be happy to review them in a call as necessary.

  1. It is not enough to have a commitment to hire good people if the processes are lacking. Either the discussion in the Control Environment component is lacking or it needs to be linked to related controls in other components.
  2. IT general control activities don’t need to be separated from control activities. They are control activities and should be assessed in combination with all controls relied upon for the achievement of objectives (see the IIA’s GAIT Methodology for Business Risk).
  3. There is too much emphasis on formal policies and procedures, as if controls are necessarily lacking if not documented.
  4. In 34, why say ‘understands’ and not something more positive?
  5. ‘Selects and develops’ (in principles) does not include ‘operates’.
  6. #70-72 should relate to the risk of non-achievement of objectives being acceptable.
  7. The definition of material weakness in #85 is not consistent with that in AS5. The existence or non-existence of a material misstatement is not conclusive of there being a material weakness. Internal control only provides reasonable assurance and isolated errors can occur.
  8. Consider technology on mobile devices. While it is challenging for a framework to stay current as technology changes, it is clear that enterprise applications (not just data) are increasingly on smart phones and tablets.
  9. In the Costs section, consider the level of controls required to manage risk within acceptable limits.
  10. While Control environment is “sometimes seen as synonymous with internal control culture” it is not – it is more. #118 should be so modified.
  11. The guidance of “at least one outside director” in #142 is worse than saying nothing. To be effective, the board needs to be able to act in the interests of the owners and stakeholders when those are different from the interests of management. The COSO ERM Framework states that for risk management to be effective (see #497), “the board must have at least a majority of independent outside directors.” Oversight of the actions of management, which is a key control, cannot be effective otherwise.
  12. #144 on board compensation is a challenge. This comes too close to disqualifying many directors who have equity holdings.
  13. The example objectives in #205-206 are not specific, measurable, or time-bound.
  14. The Internal Reporting discussion should be extended to include the analytics used in decision-making and more. The draft focuses only on the products (e.g., the dashboards) rather than the processes behind them.
  15. External financial reporting objectives should explicitly include the preparation and publication of all information filed with the regulators and provided to other third parties, including information not subject to audit.
  16. There are not always standards for external non-financial reporting. A better example (than ISO) would be corporate sustainability reporting.
  17. Compliance deals only with mandated compliance. However, organizations desire assurance that their desired standards of business conduct are met – which may be a different level or be in anticipation of regulation.
  18. #247 discussion of segregation of duties makes no sense; it should be clarified or removed.
  19. The discussion of fraud risk is not complete. It focuses on fraudulent reports and safeguarding of assets. However, fraud can also involve falsification of information (such as records of safety incidents, customer complaints, etc.), changes to pay records, collusion with vendors, and more.
  20. The section on corruption should be expanded to include an explanation of what is included, presumably bribes and facilitation payments. This is not clear as written.
  21. The discussion and chart on page 71 is not helpful. It is confusing and unclear as to its meaning.
  22. The discussion of technology-related controls is thin. Consider using some of the content of the SEC guidance for SOX and the IIA’s GAIT family of methodologies. For example, sometimes the accuracy and completeness of a key report may be ensured by the normal operation of a manual control; in this case, there is no reliance on technology-related controls.
  23. The reliance on restricted access to ensure only the defined individuals perform control activities is overlooked.
  24. When considering segregation of duties, it is important to assess the risk to objectives if individuals have combinations of functions. I don’t believe this is discussed.
  25. The discussion of technology controls should include ensuring the value from technology is obtained. Work with ISACA on this issue.
  26. The quality of information in #346 should include the useful presentation of the information: so it can be used effectively in performing internal control activities.
  27. In #349-350, include communication of risk tolerance, standards, policies, and procedures.
  28. In the Monitoring section, distinguish between monitoring that provides assurance that controls are in place and operational, and monitoring of transactions that identifies exceptions that may indicate defects in the system of internal control.
  29. Discuss the role of internal audit and the extent to which management can rely on internal audit for monitoring. Many believe that management is responsible for monitoring controls, and internal audit can assess management’s monitoring activities.
  30. Monitoring should ensure the controls are sufficient to manage risks within organizational tolerances. Describing monitoring merely as confirming that controls are present is inadequate.
  31. Discuss the relationship between monitoring controls and detective controls.
  32. Discuss supervision and reviews (such as reviews of account reconciliations) as forms of ongoing monitoring.
  33. Disagree that deficiencies should always be reported to a level of management above those responsible for performing the controls and/or taking corrective action. When deficiencies are identified by one manager, it is generally sufficient to communicate directly to the individual responsible for taking action.
  34. If management identifies a temporary breakdown in controls that is corrected immediately, there is generally not a need to share that with the board. The discussion in #401 should focus on material or significant deficiencies that are either (a) in internal control over financial reporting and exist at the end of a reporting period, impacting certifications, (b) not resolved promptly such that there is no significant impact on objectives, (c) unresolved, especially of long standing, (d) the cause of material errors in information provided to third parties or the board, or of compliance failures that are of significance, (e) involve the actions or behavior of senior executives or the board, (f) the cause of failures in employee or community safety, (g) indicative of a generalized failure of internal control in a significant part of the organization, or similar.
  35. Discuss the need to report control failures of significance to the internal and external auditors.
  36. Be very specific and state that you can have errors due to internal control issues and still have an effective system of internal control. Considerations in making that assessment will include the frequency and number of errors, the significance of the errors, whether controls mitigated the effect of the errors within tolerances, the period of time during which errors occurred, and whether the risk of non-achievement of objectives remained acceptable.
  37. #416 and #418. Internal control is also effected by individuals external to the organization, such as in service providers or third parties performing periodic monitoring of controls. They do more than provide information: they perform controls.
  38. The section at #420 does not state that the board is responsible for oversight of the system of internal controls. Aspects, such as controls relating to compliance, may be delegated to committees focused on that area.
  39. The CEO is responsible for ensuring the organization is structured and resourced to achieve objectives and perform internal controls.
  40. Risk officers are responsible for reporting to management and the board whether the more significant risks to the business are being managed within organizational tolerances, and this requires that the internal controls are sufficient.
  41. Compliance personnel are responsible for ensuring that compliance requirements (the laws and regulations) are understood and communicated to those responsible for the controls that ensure compliance.
  42. All personnel are responsible for understanding risk tolerances relating to their duties. They are also responsible for sharing information needed by others.
  43. There should be a discussion on efficiencies through the elimination of duplicate or redundant controls.
  44. Managers are responsible for ensuring that individuals performing controls are adequately resourced, trained, and have sufficient expertise to perform their duties.
  45. Why are the areas for internal audit in #444 different from the three categories of internal control? If they are to be different, they should be stated as governance, risk management, and related controls.
  46. Combine #454 and #455.
  47. Application controls also ensure validity.
  48. When I read the summary of changes, they seem to indicate more has been achieved (such as discussions of governance and the relationship between risk and performance) than is present in the actual draft. Another example is that the summary of changes talks about a risk-based approach to internal control, while the detailed text does not reflect that.


Conclusion

Thank you for the opportunity to provide comments, and I am available for additional discussions as needed.

My recommendation is that:

  1. The current draft is considered preliminary and COSO accepts the need for significant revision and an extended timeline.
  2. The guidance on the use of the framework to evaluate the system of internal control over financial reporting is completed and issued as a draft for review together with the next draft of the controls framework.
  3. The project team and advisory council are augmented with representatives from the worlds of (at least) risk management, compliance, and governance.
  4. COSO starts the process of convergence of its risk management language and approach with that of the ISO 31000:2009 community.
  5. An open discussion is held on the future of the ERM framework and its relationship to the internal control framework.
  6. A second draft is prepared and issued for additional comment, with the expectation that a third draft may be necessary.
  7. Given that stakeholders in its products extend beyond the accounting, finance, and audit professions, COSO expands its membership to include professional organizations in other disciplines.
  1. February 11, 2012 at 12:07 PM | #1

    Hi Norman,

    I read a large number of blogs and comments by a variety of ‘professionals’.

    By and large most seem to be cursory and lacking in real understanding and depth of comprehension – I would like to congratulate you on the obvious understanding and depth of knowledge in your comments.

    I would encourage you to keep providing insight and knowledge, I always make a point of reading and digesting your comments

  2. February 11, 2012 at 8:28 PM | #2

    My understanding and respect over the sweep of meaningful experiences and practical wisdom of Norman Marks has enhanced exponentially after reading these focused, no-nonsense and direct observations. Convergence of standardization cannot be disputed. Further, against the drop of the Globalization that has altered the governance and organizational structures vis-a-vis the needs and requirements for addressing effectively upon the emerged and still emerging business risks and technology changes in the last two decades or so, especially since the conception of COSO 1992, I simply go with the sagacious conclusions and recommendations of Marks. A perceptibly known COSO without comprehensive framework of on-going approach to changes, will prove to be a singular injustice, if not disaster to the central objectives of COSO itself as another Polar Star like Guide on internal controls for, say, another decade or two ahead. The real key to success lies in inculcating the knowledge to the men on Board and as part of decision-making Top Management that COSO, ISO 31000 2009, any other statutory and or regulatory mandates, have been conceived as primary ‘enablers’ for furthering the main interests of business goals such as efficiency, profitability, solvency rather than merely as Compliance ‘Dictates’..!!
    Hearty congratulations to Norman Marks, whom I admire for clarity and rich wisdom.

    With best personal regards and Love
    Prof. Subramanian
    Ex-Senior Central Banker and Ex-Bank Director

  3. Norman Marks
    February 12, 2012 at 2:07 PM | #3

    This was left on one of the LinkedIn groups:

    Norman – thank you for sharing your comments. I fully agree and support your comments.

    I raised a question in another discussion a few days back and will raise it again here. Shouldn’t COSO combine the ERM and Internal Controls guidance into a single document, so the combined document reflects guidance which can be used by risk managers, compliance officers, auditors etc? Having two separate guidance documents creates this perception that ERM guidance is for Risk Managers and Internal Control guidance is for Auditors. Both these guidance documents historically evolved at different times and hence having these separate may be acceptable in the past. However, if these guidance documents are being updated now – doesn’t it make sense to integrate ERM and Internal Control guidance into a single framework? It will be informing to hear views of other members on this.

  4. ARNOLD SCHANFIELD
    February 13, 2012 at 8:17 AM | #4

    Arnold Schanfield, CIA, CPA • I would like to build on Norman Marks’ comments on the recent COSO draft on internal controls. I am quite supportive of his remarks and believe he has assessed the situation correctly- sad as it is- but optimistic that things could be still turned around- and they will –one way or another. These are my remarks, paraphrasing off of the excellent remarks Norman has already made. We should also appreciate that he has taken the time to read this 168 page document which is a tedious but an important read. My commentaries will not only be lodged on this site—— but as well across several different LinkedIn sites that cater to governance, risk management, internal audit and internal control. In addition, I will communicate such remarks directly to COSO as they have established a mechanism to do so.

    First- whereas it is an accurate statement made that COSO has updated the 1992 internal controls guidance, it was an excellent document for its time in 1992. Over the past several years, many risk practitioners have lobbied unsuccessfully to get it changed and there is established thinking to support our position further articulated below. So while we should be thankful that an initiative has been undertaken, it has not in our opinion been done “willingly”. It has been moved along through external pressure. However, more importantly, the execution, as Norman articulates through the document, has not been well done. It has been poorly executed.

    Second- it has been known since 1995, that Canada has issued an internal control document that is principles based and is 30 some pages in length. Not only is it considered world class outside of the United States, but the document itself even has gone so far as to align the principles to those of COSO. My opinion is that had this document been introduced to the United States by not only the Big 4, but the professional service organizations, the debacle known as the Sarbanes Oxley Act, would have been so much less the disaster than it was. That is because this brief document represents a top down approach to risk focused on principles. In my opinion, this document was intentionally never introduced because it did not bear the seal of the professional services organizations pushing the COSO brand. Finally, it is interesting to note that the principles promulgated by COSO in its current draft, look eerily similar to many of the principles in the CoCo document. I see no footnotes in the COSO draft giving recognition to this.

    Third, to Norman’s point that “it will indeed add fuel to the fire to the perception that this is a control framework for accountants and financial auditors, and will lead to a checklist approach to assessing the adequacy of internal control”, I say that this is precisely correct.

    Fourth, yes it is true that the “opportunity to collaborate with risk practitioners to converge guidance for risk management has been allowed to pass”. However, there are now 850 million Facebook users with 400 million online every day and growing. There are 125 million members on LinkedIn with two new members joining every second. Surely the group that published this document was quite naïve to believe that existing practitioners who are experts in this field and have been excluded from this document, would let this pass. The multi-million dollar marketing budgets of the Big 4 and specifically of COSO/PwC will not carry much weight against world opinion on this document which will be forthcoming almost immediately from Norman’s blog columns and other criticisms that will be lodged promptly on various sites. Furthermore, there were many opportunities for collaboration over the past several years and the risk practitioners out in the marketplace, have been shunned repeatedly. This is not by coincidence but by design.

    Continued below

  5. ARNOLD SCHANFIELD
    February 13, 2012 at 8:18 AM | #5

    Arnold Schanfield, CIA, CPA • Continued from above
    We start in 1999/2001 whereas risk guru Felix Kloman communicated in articulate fashion to the IIA changes that needed to be made to the programs in risk management. Such communications were put into the wastebasket. We continue in 2002-2004 time frame where the roll out of COSO for Sarbanes Oxley ignored requests to consider other documents. We continue to 2004 where the rollout of COSO ERM specifically ignored three versions of AS/NZS 4360 that were already in the marketplace. For those of you not in the know, AS/NZS 4360:2004 is the DNA of ISO 31000 which Norman has referred to in his commentary. We move forward to 2010 whereas a risk summit was held in Florida by the IIA at which risk practitioners were invited to attend including partners from the Big 4 and other large service providers. The summit which focused on COSO ERM versus ISO 31000 concluded with many viable recommendations made by the risk practitioners. Not one of our recommendations has been viably embraced aggressively, yet we continue to witness nonsensical documents being issued along the COSO lines. More recently, as well, we have witnessed such a document from COSO- “Understanding and Communicating Risk Appetite” (2012) also falling in line with the same criticisms as Norman lodges in this communication.

    Fifth- whereas Norman does not have a problem with the choice of PwC to conduct this project, I do. That is because this needs to be viewed as a world project to enhance internal controls around the globe for the betterment of all and not a project of a Big 4 accounting firm to continue to promote their stature. Most of the members of the writing team, have never worked in industry sufficiently to appreciate all of the nuances of risk management that would be critical to this. So to Norman’s point that “while a few of the project team and council have experience beyond accounting and financial auditing, the voice of the larger risk management and compliance practitioner communities – let alone the governance community – does not appear to have been solicited or incorporated.”, he is absolutely correct. And might I suggest that there is only one reason for this: commercial greed and arrogance.

    Sixth- as Norman stated “ a large number of risk management practitioners do not favor the COSO ERM Framework, which is built on, expands, and extends the internal control framework. “ This is an accurate statement. It is well known that Grant Purdy from Australia has published “The ten deadly sins of COSO ERM.” I have added an additional four “sins” to that batch. I myself have 4,000 hours of solid experience in working with COSO ERM. I have challenged repeatedly various authors, implementers of this document and no one has been able to build a convincing case for its usefulness. This document, which was issued in 2004, made the identical blunders that the authors of the current COSO internal control framework have made. They made two cardinal sins: (a) they neglected to include practitioners that are experts in this field beyond the narrow confines of the public accounting profession; and (b) they neglected to reach out and incorporate other risk management frameworks from around the globe. So not only does the current COSO document miss important contributions to the field since 2004, it as well neglects the important contributions prior to that time.

    final below

  6. ARNOLD SCHANFIELD
    February 13, 2012 at 8:19 AM | #6

    Seventh – to Norman’s point that leaders will not endorse the framework – this is correct, and not only will they not endorse it but we will make sure that all business leaders understand the document for what it really represents: a wonderful piece of minutiae that will not even satisfy the needs of the external auditors. There is a new game in town and that game is called “providing assurance to a wide variety of stakeholders”. This document falls far short of that standard. The game is much more than about internal controls over compliance, operations and financial areas.

    Eighth- I am not surprised to see the webcasts on this document. They remind me in football analogy of trying to “do an end run” or a “Hail Mary”. It is a desperate attempt to try and stay in control of a losing franchise.

    I will not get into the detail of the commentaries but can easily do so. Norman has done a great job with that and I second his final recommendations in the document. As I stated earlier, change to the document will come either voluntarily or involuntarily. The latter will occur if the former does not, because the power of the social media will make sure of that.

  7. Norman Marks
    February 14, 2012 at 6:33 AM | #7

    This was posted on LinkedIn:

    Norman, this is a very penetrating and insightful analysis. As audit professionals, we are frequently reminding management that they are the owners of internal control. Yet, if the generally accepted framework for controls (COSO) is oriented mainly towards accountants and auditors, then this undermines our assertion that management is the primary owner of controls, since the authoritative guidance is not “user friendly” to those in management. I agree with your basic premise that the revision to the COSO framework is too important to rush the process. I hope your comments are taken to heart by those overseeing the update.

  8. Norman Marks
    April 5, 2012 at 6:33 AM | #8

    The IIA has submitted comments, which are well worth reading: http://www.ic.coso.org/Lists/UploadedFiles/Attachments/101/f198c63d-c55c-4466-abb9-c9fb8251f314_Institute%20of%20Internal%20Auditors%20Headquarters%20COSO%20Response.pdf

    The FEI response is another good one: http://www.ic.coso.org/Lists/UploadedFiles/Attachments/117/FEI%20%20comment%20letter%20to%20COSO%204.2.12.pdf

    For a totally different view, from one of the risk management gurus (Grant Purdy), see http://www.ic.coso.org/Lists/UploadedFiles/Attachments/71/e31b30cb-be18-404a-9860-c0fc14015eaa.pdf

    Tim Leech, who has been a vocal critic of the ’92 draft – especially as a basis for SOX assessments – commented at http://www.ic.coso.org/Lists/UploadedFiles/Attachments/43/f9bfa636-bffa-4abd-b014-ed27b64c75cc_Risk%20Oversight%20Response%20-%20COSO%2020%20year%20Update.pdf

    Personally, I was disappointed by the responses from the AICPA (http://www.ic.coso.org/Lists/UploadedFiles/Attachments/63/4ea352da-1b8b-4776-950f-4574e526452a_AICPA%20COSO%20IC-IF%20ED%20comment%20letter%20-%20FINAL%20-%20March%2029%202012.pdf) and CAQ (http://www.ic.coso.org/Lists/UploadedFiles/Attachments/85/119080c6-61c3-4ce3-b73b-1fd84e32fb45_CAQ%20Comment%20Letter%20-%20COSO%20IC%20-%20Integrated%20Framework%203.30.12.pdf). Perhaps their focus on additional guidance rather than emphasizing judgment is understandable, given their role as financial statement auditors.
