Can you use an ERM standard or framework to assess internal controls over financial reporting?
The short answer is “no”, because SEC rules require that the evaluation of internal control over financial reporting be based on a “suitable evaluation framework”. They have only recognized a limited number of internal control guides, including the COSO Internal Controls Framework (not the COSO ERM Framework, although it had been published when the SEC published its rules), the Canadian Institute of Chartered Accountants’ Guidance on Assessing Control (also known as ‘COCO’), and the Institute of Chartered Accountants in England and Wales’ Internal Control: Guidance for Directors on the Combined Code (known as the Turnbull Report). They have not recognized any risk management standard or framework to my knowledge.
But should we be able to use the COSO ERM Framework, the ISO 31000:2009 risk management standard, or another risk management framework/standard? What if the restriction was lifted?
Certainly, the assessment is supposed to be based on a top-down, risk-based approach. It should assess whether the risk of a material misstatement is very low (perhaps 5%). In other words, management’s risk tolerance (or criteria) is less than 5% likelihood for an impact that is material to the financial statements.
The typical approach includes:
a) Understanding the business
b) Identifying the potential sources of risk: accounts and disclosures that might include a material misstatement
c) Identifying and assessing the combination of controls that ensure that the likelihood of a material misstatement is very low
d) Obtaining evidence that those controls were operating effectively as of the end of the year such that the likelihood of a material misstatement was very low
This approach is certainly consistent with the guidance in a risk management standard or framework.
But the better question is whether that risk management standard or framework provides sufficient guidance for management in assessing internal control over financial reporting.
The answer is “no” (again).
A risk management standard, such as ISO 31000:2009, talks about understanding the internal and external context. It certainly does at least as much as the COSO Internal Control Framework when it comes to identifying potential sources of risk. But it doesn’t provide the detailed and practical guidance necessary to understand how internal controls address those risks.
It is true that COSO has evaluation tools but lacks (IMHO) useful guidance on how to select an effective and efficient combination of controls to address each potential source of risk. But that’s not sufficient reason to discard it. It does explain the nature of internal controls and how they can be found within the organization – and that has value.
I have yet to see a risk management framework or standard that provides sufficient detail about how internal controls operate to be used as the sole basis for an evaluation of internal control over financial reporting. While some may assert that, because the COSO ERM Framework incorporates and extends the COSO Internal Control Framework, it can be used, I think too much has been lost in the translation into an ERM framework and that the SEC was right to recognize only the COSO Internal Control Framework.
I am fine sticking with the COSO Internal Controls Framework, supplemented by SEC guidance and other works (see below).
Do you agree?
If you are interested in optimizing your SOX program, please have a look at this new book from the IIA. It is the significantly expanded third edition of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners that has been downloaded about 200,000 times since the first edition was published in 2006.