
Some thoughts on COSO in 2010

February 14, 2010

A number of colleagues are taking pot shots at the COSO organization and its publications. Are they justified? Are the COSO internal control and enterprise risk management frameworks valuable and relevant? What is the role of COSO in 2010?

My view is not based on any insider insights into how COSO operates, and what it plans for itself. But I have the following thoughts:

  • The internal control framework was last updated in 1994. Should it not be reviewed every few years to determine whether events indicate it should be revised?
  • The risk management framework was never my favorite. I did not like it nearly as much as the ANZ: 4360 standard. Now we have ISO 31000. Isn’t it time for COSO to consider removing its ERM framework and embracing ISO 31000?
  • COSO is a committee with five member associations – all accountants and auditors. That was fine in the past, but shouldn’t guidance on controls and risk management include a broader set of contributors, including risk practitioners, governance experts, investors, and board members?
  • Do we still need internal control and risk management frameworks? Isn’t it time to have a governance framework, incorporating risk and internal control?

I think it is time for COSO and its members to sit back and reflect on these and (I am sure) other issues of the day. What should the role of COSO be in 2010? Is it time to end it, or to broaden the membership and its contribution to effective governance?

  1. February 14, 2010 at 11:13 PM

    Couldn’t agree more.

    I always did like CoCo better as it took the next step and spoke in the language of management rather than accounting and external audit. And in a concise way too, whereas COSO can be hard going.

    Worth noting that COSO is made up of US organisations, but is attempted to be applied internationally.

    Lastly, controls tend to operate in a static environment. These days given the rate and size of change, concepts of dynamic systems might be more pertinent. Would love to see / be part of some thinking on that.

  2. Bahia TITRI
    February 15, 2010 at 5:17 AM

    Could you tell me please what is the best framework to be adopted to set up processes and to establish procedures for a Telecom operator in its launch phase? COSO? COCO? etc?

    • Norman Marks
      February 15, 2010 at 6:52 AM

      When you ask “what is the best framework”, what are you referring to? Are you talking about setting up governance processes, risk management processes, your SOX program?

  3. February 15, 2010 at 8:28 AM

    I agree it is time to re-visit and perhaps update the framework.

    COSO was originally developed for a specific purpose, in response to continued financial reporting related failures. One impetus for developing the framework was to put forth something to head off congressional desire for “excessive” regulation in the early 1990s.

    Given all that has happened in the markets since that time, a fresh look at the framework and potentially redefining its purpose is in order.

  4. February 15, 2010 at 3:10 PM

    Are the COSO internal control and enterprise risk management frameworks valuable and relevant? What is the role of COSO in 2010?


    I had a big argument with a CFO in 2004 when he insisted that SOX had to be first COSO compliant. I told him that this was only an outdated old reference out of courtesy by the profession but SOX was going to be something bigger and I questioned the role of COSO then in 2004.

  5. Putri
    February 15, 2010 at 9:44 PM

    Agree with you.

    COSO has become a basic guideline for understanding business processes in a company.
    I think COSO has to be rebuilt and adjusted to today’s conditions (and maybe synchronized with SOX).

  6. nmarks
    February 16, 2010 at 2:20 PM

    Comment made by Dan Clayton:
    The more I think through it, the more I believe COSO frameworks have become outdated. Not in principle, but because of weaknesses that promote incorrect implementation choices. I do see the future of risk management and control based on an integrated framework that draws from good Business Management Models and from Internal Audit and Consulting Analysts’ ability to quantify, measure and report against desirable criteria. COSO pays verbal tribute to the need to define what management already does, but then creates self-defining tools that, when implemented, become inefficient additions to management processes already in place. Or, in lucky instances, they are stopped by good managers and integrated into good business processes that already exist.

  7. nmarks
    February 16, 2010 at 2:21 PM

    More from Dan Clayton:
    You can have the best of intentions and great principles, but if the tool is complicated and the terms unfamiliar, minor tweaking may not save it. I am afraid that COSO developed tools exciting to the engineers, but challenging to the users (Governance and Management), leading to wide variation in implementation and diluted value.

    We need a user-provisioned framework in common language…

  8. nmarks
    February 16, 2010 at 2:24 PM

    And from Dan again:
    In short we need a framework not only focused on good governance, but good management as well. It needs to illustrate the fluid accountability connection from governance to management to operational results. The end result [and goals] of such an addition (which I would believe would require alteration to COSO’s frameworks) would be as follows:
    • Standardized expectations of governance and management in a common language (the other side of the ERM coin)
    • A context from which to define, value and prioritize risk
    • Organizational vulnerability reporting which adds another dimension to the conversation of risk and control.
    • A risk management, vulnerability and control language common to the Board, Managers and Assurance Providers

    Next Steps (Big not small)
    • Identify Governance and Management professional organizations to bring to the table, begin the conversation
    • Create a treatise on the ideal framework, goals, and expected results, share it with ISO, OECD, COSO and others with an ability to provide sponsorship
    • Define an organizational sponsor
    • Create a commission and open applications for participation

  9. nmarks
    February 16, 2010 at 2:25 PM

    Finally, from Dan Clayton:
    As has been quoted here in the DG before: Albert Einstein noted, “Any fool can make things bigger, more complex, and more violent. It takes a touch of genius – and a lot of courage – to move in the opposite direction.” That alone is enough reason for a new framework. A framework is the skeleton of an objective’s potential success. The problem IS the very existence of too many frameworks from too many perspectives to enable successful oversight. I see the following two objectives/needs for a new Governance Framework as a much needed beginning.

    • Movement towards an international view of risk, risk management, and financial reporting portends the need for an international governance framework
    • Unification of Good Governance and Management methodologies (COSO left them out) and Effective Assurance Frameworks to provide clear insight to organizational objective vulnerability (which would inform in a standard way, Governance’s ability to manage risk decisions at a strategic level)

  10. nmarks
    February 16, 2010 at 2:45 PM

    Comment by Ron Kral:
    I still continue to be a big fan of COSO Frameworks and related guidance. However, implementation has widely been horrible. The main culprit is a tendency to take many, if not all, aspects literally and attempt to force them into written policies and procedures, which the culture rarely embraces. COSO has gone to great lengths to remind users that these are simply frameworks to be used as a starting point, but are intended to be significantly tailored to fit the company’s landscape. Easier said than done, as many implementers and auditors alike would rather default to explicit (i.e., rules-based) directions rather than injecting creativity into the process (i.e., principles-based). My belief is that no matter which framework is used, you will always run into implementation issues since no two companies are exactly alike.

  11. nmarks
    February 16, 2010 at 2:45 PM

    Also from Ron:
    A comprehensive governance, risk & control framework should be simple, international in scope, and built by a wide variety of professional disciplines. However, let’s be honest – who is capable of leading this effort to help ensure that it would be accepted as credible and independent of self-serving interests? I can’t think of any such organization or plausible alliances.

  12. nmarks
    February 16, 2010 at 2:46 PM

    More wisdom from Ron:
    I have spoken very favorably about COSO through my years of speaking across the US. I continue to believe it is the best framework with regards to SEC regulatory requirements. This is reinforced by the fact that the 92 framework is cited as the recognizable framework followed, per Item 308 of SEC Regulation S-K, in every 10-K I have ever read over the last several years. Is anyone aware of a US public company citing something other than the COSO framework?

    Still, it would be hard to argue that either a new one, or a revised one, would not be beneficial based on the stream of comments on this topic. But I am back to my original question: who could reasonably take the reins to author such a comprehensive framework covering governance, risk and controls? An international organization would theoretically be a good choice, but even the IASB is struggling on multiple fronts in authoring accounting standards (e.g., questionable organizational clout, politics, funding, etc.). While XBRL and IFRS are pushing us towards a standardized global response, we are a long way off. Just look at all the different versions of IFRS in existence today. If one country does not like certain aspects of IFRS (e.g., related parties disclosure), the governmental organization responsible for accounting standards simply carves it out. We are back to governments and politics, and there simply is no easy answer when you mix political egos into the equation. The only solution I see is creating something outside of government and political influences that is so compelling companies would be foolish to ignore it on the basis of value creation, not regulatory compliance.

  13. nmarks
    February 16, 2010 at 3:47 PM

    From Thomas Heller:
    I would hope that Richard Chambers (President of The IIA) takes the lead in assembling an international team of contributors that includes the leading authors of major international & regional initiatives Charles LeGrande, Sir David Walker, Lindie Engelbrecht, etc., as well as the senior officers responsible for listing standards from the globe’s major financial exchanges.

    I favor the emergence of an office of Co-Chairs that would result from Richard’s leadership in catalyzing an initial effort to synthesize a global Framework from the elements in common to existing Standards. The resulting apparent “gaps” or “incongruities” could then also be published by the Co-Chairs for public comment so that closures might commence in a fashion that is loosely analogous to how the FASB & IASB are working things out (with regulatory and market pressures bearing on them). It will not be an easy “road to travel”, but it would be a formative & constructive step forward.

    As a separate matter, I would think that the leading practitioners & standards setters for governmental accounting & auditing would want to contribute to an IIA initiative pertaining to Framework entity-wide GRC due to the emergence of rising concerns about sovereign debt defaults.

  14. February 17, 2010 at 9:05 AM

    I wonder if it is really time to revise the standard. This field is already suffering from a ‘Problem of Plenty’, given the many standards and publications competing for mindspace.

    Personally, and without reference to COSO in particular, I would vote for the final bullet point in your post. I think the time is ripe for an Integrated Governance Framework that also incorporates risk and internal control.

  15. Vigne
    February 18, 2010 at 4:58 AM

    Correct me if I am wrong but I thought COSO 2 ERM was only introduced in 2004?
    For sure there is time for a GRC framework which could be applied worldwide. Could be a task for the G20?

  16. Lalit
    February 18, 2010 at 5:07 AM

    I have a question to ask all the gurus in this field. Why can’t all the organizations associated with internal audit/compliance come up with one single framework/standards? As a professional who has just started learning the art of compliance, I feel that there are too many frameworks which confuses me immensely. Why can’t we have a standard setting body like the IASB/FASB for internal audits and compliance too or am I missing something here?

    • nmarks
      February 18, 2010 at 6:55 AM

      Lalit, the Institute of Internal Auditors has its International Professional Practices Framework, which includes standards for the professional practice of internal auditing. ISACA has a few standards that apply only to IT audits. ISACA and the IT Governance Institute have COBIT, VAL/IT and Risk IT.

      I wish ISACA and the IIA would collaborate on a single set of standards – but there are issues at the top in terms of relationships.

      On the broader view of governance and risk frameworks, these are for management rather than for internal audit. The IIA is one of the members of COSO, and has also been involved through its country affiliates with King and other frameworks.

  17. nmarks
    February 18, 2010 at 3:27 PM

    Posting on behalf of Mal Schwartz, who was on the team that developed the original COSO internal controls framework:

    I do not believe the original COSO framework to be outdated. It has worked – as a framework, but not as a tool – for me and my clients for some twenty years. As Norman Marks said, I do not find much value in the ERM report, as it seems basically to repeat the original framework, and to search for some differentiation in order to make the report worth issuing; so I ignore that ERM framework report. Below are my related views (I underline this, so that I do not have to repeat continually that these are my views, and are not necessarily facts as such).

    • The ICF is not overly oriented to accountants. The evaluation tools are; but they are noted by COSO in the attachment to the ICF as “purely illustrative;” I have never used them. I was selected to be one of the leaders of the C&L team because I am not an accountant or an auditor (although I have supervised both), and have held senior general executive positions, and have consulted to senior general executives and boards; furthermore, we (The ICF team) did a number of interviews of general executives, and incorporated their thinking; and we also had a commentary period, from which the responses were made public and COSO’s responses in turn were made public. The framework brings a general management – and an integrated business – perspective to the issues of control, risk and governance. I did have to develop tools that supported that perspective, and have applied – and refined – those tools since shortly after ICF was issued. I also have integrated those tools and ICF with other frameworks and tools as they were issued and revised – ISACA, ISO, and various country issuances. Many people – and some of you respondents – are confusing the illustrative tools – and the misuse made of them and of ICF by many practitioners responding to SOX issues and opportunities – with the framework itself. Considered properly, ICF has no “self-defining tools”. COSO is a reasonable organization, and produced, in the context of its intent, a reasonable framework; it has regularly sought the views of practitioners and business people, and I can attest to that regarding my involvement in both ICF and the small business report. And ICF incorporates a governance evaluation element – when the framework is elaborated with the proper tools – so there is no gap. Similarly, ICF incorporates management processes as well – and the other matters that you recommend. Expanding COSO internationally is quite easy, as I did that in my tools to serve my global clients.

    • A framework, according to Webster’s New College Dictionary, is “a skeletal support”…. “a basic arrangement….” Many of you are confusing a framework with tools. Some of you might need better tools (I am quite comfortable with mine, as have been clients and regulators), but you would be hard-pressed to develop a better framework.

    • COSO got “drafted” by the SEC, and for a much more limited application than was originally defined by ICF. SOX required a framework, the SEC had to find one, and ICF was handy; but the SEC only considered the control-related (one of three) objectives of the framework, and that has led to a lot of the skewed thinking about ICF.

    • Coordinating professional organizations is a pipe dream. Each has an agenda, and each has a point of view. That is why ICF works so well, as it does include perspectives on strategy (the use of the Porter framework), operations (its reliance on a business process perspective), risk (one of the five components of control), governance (discussed in four of the five components of the control framework), compensation and rewards, and on and on. Of course COSO as an organization is financially (not auditing and not accounting) focused, as that is the reason it came to be, and that is the composition of its five member organizations. So what? We cannot make any international organization comprising members with different agendas work, so why bother to speculate (as many of you are now doing) on how to organize such an effort? Stay with a workable framework – ICF – and apply it to the differentiated situations – location, function, industry, and so on (all of which is reflected by the idea of the cube).

    • If the goal is to have “standards and frameworks that we can use” then do not replace a workable framework, but develop the standards, tools and whatever else you want that elaborate that framework. That is what I did with my tools, as elaborations of ICF, and that is why they work so well. Again, replace the tools (I did), but be very careful about replacing the framework – and the two are different work-guiding components.

    • We need better training, and more professional capability, and not new frameworks. I have attended enough conferences and heard enough speeches incorrectly stating what ICF is, and trying to sell services and not solutions, that I really would like to see a halt on framework design and a start on training, on better professional standards and their application, on meaningful continuing professional education (I just sat through a terribly designed session, which was little more than an attempt to sell services), and more people development and less framework development. The framework is fine – its application needs improvement. None of my clients has found the COSO cube to be a “vague abstraction”.

  18. nmarks
    February 18, 2010 at 3:31 PM

    Mal also answered my specific questions:

    • The internal control framework was last updated in 1994. Should it not be reviewed every few years to determine whether events indicate it should be revised?
    ANSWER: In effect, COSO has treated its reviews for further issuances as those periodic updates, and those have occurred every few years, with ERM, small business, and monitoring.

    • The risk management framework was never my favorite. I did not like it nearly as much as the ANZ: 4360 standard. Now we have ISO 31000. Isn’t it time for COSO to consider removing its ERM framework and embracing ISO 31000?
    ANSWER: I suggest that this is a tools issue and not a framework issue. ICF is the framework in question, not ERM.

    • COSO is a committee with five member associations – all accountants and auditors. That was fine in the past, but shouldn’t guidance on controls and risk management include a broader set of contributors, including risk practitioners, governance experts, investors, and board members?
    ANSWER: Actually, not exactly correct, inasmuch as FEI members are financial executives, many of whom never were auditors, and some of whom (including me) never were accountants; and IMA also has many members who were not auditors and many of whom were not accountants. As I noted, contributors to ICF and other COSO documents included risk practitioners, governance experts, investors and board members, some of whom are members of COSO member organizations, and some of whom were contributors as such.

    • Do we still need internal control and risk management frameworks? Isn’t it time to have a governance framework, incorporating risk and internal control?
    ANSWER: I contend that ICF does this.

    OVERALL COMMENT: What is missing is any question dealing with practitioner competency, motivation and professionalism.

  19. February 18, 2010 at 10:30 PM

    Thanks for this Norman. Useful debate and great to be able to get a perspective from one of the founding fathers.

  20. Thomas Heller
    February 19, 2010 at 2:04 PM

    Great or (in Peters & Waterman’s language) ‘Excellent’ Chairmen/women & Chief Executive Officers who have led admired global concerns know how to get things done; and, they’ve got all of the necessary and sufficient wherewithal and the personal relationships, credibility and power to lead the timely & efficient creation and the effective deployment of an international GRC Framework.
    Those Chrm/CEOs have actual hands-on experience supporting the effective discussion and reporting inter-relationships between and among the Board of Directors, its subcommittees, and the CAEs, CFOs, COOs, etc. And, they know the policies, practices and procedures that ‘do/did things right’.
    Further, the mindset of those select few is, frankly, above the fray that would ensue among any professionals with vested interests in the GRC Framework that would be created & deployed. They are uniquely well-qualified to forge consensus among an esteemed group of executive GRC (so to speak) “peers” with variant experiences & perspectives.
    So, I would encourage Richard Chambers, President of The IIA, to persuade highly esteemed and retired Chrm/CEOs to “take the lead” here. Consider, for example, Jack Welch (GE) or Lou Gerstner (IBM).

  21. February 20, 2010 at 10:39 AM

    Interesting comments re COSO and IC frameworks
    I was on COSO for a little over a year, as FEI rep – and before that followed COSO for ISACA and as FEI president; so many things that have been said piqued my interest based on this close-up view.

    I believe the original COSO framework was very good and that there will always be a wide interpretation in implementation. IC is very different at every organization I have seen; add to that a wide variation in management’s IC knowledge and dedication to good controls, and you will have different IC systems, even based on the same framework. I think professional judgment is a good thing, especially in the case of IC.

    At COSO I was pushing for an international focus, letting other organizations join in, better accountability (COSO does have funds from sales and licensing, but Governance needs improvement), more independent studies of IC (VS accounting firms, as has been noted), better focus on IT, and an update and or codification of original and 2006 guidance.

    For simplicity I will not comment on COSO ERM now, except to say COSO is composed of 5 groups of accountants, PhDs etc. but no one that has actually run a company that I can recall, so we have an accountants and consultants view of risk management.

    In 2007/8 we (COSO) had a roundtable in DC with NACD, SEC, FDIC, PCAOB and other thought leaders invited. Much to my surprise, there was not much interest in changing anything organizationally. There was some interest in updating the framework. Missing was any international focus, i.e., US folks (accountants) were talking to US folks.

    One point I kept making was that in 10Ks we have an opinion based on GAAP (FASB & IASB) subject to oversight, to some degree by SEC and others. FASB & IASB have public meetings, publish financials and otherwise have excellent governance. However, we have another opinion in most 10Ks now based on IC Frameworks and while I believe the Office of the Chief Accountant, is responsible for IC frameworks – they appear to be satisfied with COSO framework, organization, due process and governance, as is. Or they are too busy to open up the issue!

    I could go on… but I think your idea of an international commission would be great and the timing with the slow but steady move to IFRS is good. If you look at IPO activity, which is recently mostly outside the US, all of US governance (as well as accounting standards) must converge over time. While President of FEI I asked any non-US body (i.e., ICAEW, CIMA, IASB, FEI Canada, FEI Mexico) I met with what they thought of COSO, and most had little to say and looked first to their local IC frameworks, unless working for a US multinational.


    Michael P Cangemi CPA
    President & CEO
    Cangemi Company LLC
    732 662 4868

  22. February 16, 2011 at 3:54 PM

    I know this debate is a bit dated, but I’ll be speaking on frameworks and particularly 31000 next month and am doing some research. To your rhetorical question: do we indeed need a GRC Framework now or should 31000 be embraced?

    Do you see 31000 as superior to all other frameworks as of now?

    Any good white papers on this subject that you know of?

  23. Norman Marks
    February 16, 2011 at 9:49 PM

    GRC is much broader than ERM, and there is no GRC framework that I am familiar with. GRC instead talks about the need for the different parts of GRC, which include risk management, to work together; of the need to address fragmentation; and the necessity to eliminate silos of information.

    If the topic is risk management, then my favorite framework is ISO 31000:2009, although COSO ERM and BIS 31100 merit mention. I would also mention ISACA’s Risk IT.

    When it comes to governance frameworks, there is a lot of choice. I like South Africa’s King III Code.

    I hope that helps.
