Some thoughts on COSO in 2010
A number of colleagues are taking pot shots at the COSO organization and its publications. Are they justified? Are the COSO internal control and enterprise risk management frameworks valuable and relevant? What is the role of COSO in 2010?
My view is not based on any insider insight into how COSO operates or what it plans for itself, but I have the following thoughts:
- The internal control framework was last updated in 1994. Should it not be reviewed every few years to determine whether events indicate it should be revised?
- The risk management framework was never my favorite. I did not like it nearly as much as the AS/NZS 4360 standard. Now we have ISO 31000. Isn't it time for COSO to consider retiring its ERM framework and embracing ISO 31000?
- COSO is a committee with five member associations – all accountants and auditors. That was fine in the past, but shouldn’t guidance on controls and risk management include a broader set of contributors, including risk practitioners, governance experts, investors, and board members?
- Do we still need internal control and risk management frameworks? Isn’t it time to have a governance framework, incorporating risk and internal control?
I think it is time for COSO and its members to sit back and reflect on these and (I am sure) other issues of the day. What should the role of COSO be in 2010? Is it time to end it, or to broaden the membership and its contribution to effective governance?