We need your comments to upgrade the draft COSO internal control framework

December 21, 2011

COSO has released a draft for public comment of an updated Internal Controls Framework. You can see some of the highlights and links in this Journal of Accountancy article.

While I am pleased that COSO has been working to update and upgrade the framework, I am frankly disappointed with this draft.

I encourage you strongly to review the draft and submit your comments. A loud voice may be needed to persuade COSO to make changes.

I especially encourage compliance, risk, and governance experts and practitioners to comment. COSO membership is primarily composed of accounting and audit bodies, and a team from PwC is responsible for developing this draft.

My primary concerns at this point (I haven’t completed my review and will share my comments on this blog when they are finalized) include:

  1. The relationship between risk management and internal control is not explained well. The definition of risk only includes the adverse effect and is not consistent with the COSO ERM definition of risk management let alone the more current ISO 31000:2009 standard. Controls are needed to ensure that opportunities are identified and realized.
  2. I don’t believe the authors have represented accurately the relationship between residual risk and internal controls. The existence of internal controls is considered in the assessment of residual risk, but the draft says you only need controls if the residual risk is above tolerances.
  3. The draft suggests that you have an effective system of internal control if 17 principles are met across the 5 components of internal control. I disagree. You have an effective system of internal control if the risk of non-achievement of objectives is within organizational tolerances. You may fail to achieve one of the 17 principles in one of the 5 components without the risk of non-achievement being above acceptable tolerances.
  4. The draft states that strategy-setting is not included within the system of internal control, but does not address the fact that you need controls within the strategy-setting process: to ensure that the right people are making the decisions around strategy using reliable information.
  5. I simply don’t understand how board oversight of risk management is not a critical element of the Control Environment.
  6. Consistently through the draft, the need for controls to manage risks within tolerances is omitted. In fact, the draft says you can have a (minor) control deficiency even if there is no risk to objectives! The correct explanation is that deficiencies exist when the risk of non-achievement of objectives is higher than acceptable.
  7. Organizations have to, in many cases, work with governance codes/frameworks and risk management frameworks/standards as well as internal control frameworks. The draft should explain the inter-relationships and how organizations can manage compliance with multiple frameworks.
  8. There is insufficient emphasis on the need for an effective combination of controls to manage risks.
  9. The definition of a material weakness in internal control over financial reporting is inconsistent with guidance from the SEC and PCAOB!
  10. The draft says that there should be a minimum of 1 (yes, one) outside director for the board to have an independent voice. This is absurd.
  11. Guidance on technology-related controls and on the existence of controls at every level in the entity (including intermediate levels) is thin. The SEC and IIA both have better, more detailed guidance than is included in the draft.
  12. The discussion of Compliance is limited to mandated rules and regulations. However, companies need controls to ensure that business is conducted to their own standards, which may be more restrictive.

Please provide your comments here, which I will consider in my response to the public exposure. But, again, I strongly encourage you to be heard and submit your own comments.

Happy Holidays and thank you for your support in 2011.

Norman Marks

  1. Leo Alonso
    December 22, 2011 at 8:25 AM

    Norm, I have not read the exposure draft as yet, but I completely concur with your comments.

  2. December 22, 2011 at 11:54 AM

    Thanks Norman for your thoughtful (yet admittedly incomplete) assessment of the proposed COSO framework. One thing that we can both agree on is the need for a vigorous public discourse on the proposal. I too encourage auditing, accounting, risk, control, and governance professionals to completely review the document and provide their comments through the mechanism that COSO has established for such feedback. As The IIA’s Board member on COSO, I voted for its release with the full expectation that professionals from around the world would weigh in with constructive feedback on the document. I fully expect that such feedback will help us strengthen the framework prior to its final release.

  3. December 22, 2011 at 11:55 AM

    I am very pleased with your comments. I agree that this draft (at a first look) is not really more than a refreshing of the 1992 Framework with some conceptual elements of the COSO ERM and the 2006 Guidance. My argument is that we can hardly expect that control frameworks – with their non-business-driven structures and literature – will attract the necessary board-level attention without linking their elements to the business-driven (enterprise-specific) setting of risk tolerance and risk appetite. So I suggest considering two areas of improvement potential:

    1. Extending the Framework with a board-level view of governance objectives and risks. In addition to those objectives which are targeted by the internal control system (e.g. Risk Awareness, Accountability, Competency, Accuracy, Process Integrity, Data Protection, Commitment and Control Efficiency), the sustainable business-related objectives (e.g. Competitiveness, Exploitability and Satisfaction) should also be considered during board-level risk assessment. These objectives are more applicable for setting the enterprise- and business-environment-specific risk tolerances than simply mapping the COSO principles covered by the 5 components to the COSO objective categories. You can hardly sell COSO-framework-based setting of risk tolerance at any real board meeting (regardless of how many competent or independent members are involved).

    2. Using understandable measures for risk appetite. Setting (or approval) of the enterprise- (and business-environment-) specific risk appetite will also be difficult if appropriate (understandable and meaningful) measurement is not applied. One potential solution is using the framework(s!)-driven approaches as best practices, and the board can select (or approve) a relevant set of these practices as minimum control requirements for implementation by the management in order to keep the formerly set risk tolerances.

    Joyful Holidays!

    János Ivanyos

  4. Bonnie Trowbridge
    December 29, 2011 at 7:04 AM

    Thanks for your thoughts Norman. I printed it out last week but haven’t had time to read it. I’ll take your comments as a guide during my read. Hope you had a wonderful holiday.

  5. Matti Mattila
    January 6, 2012 at 8:00 AM

    To Norman:

    1. Controls alone cannot ensure that opportunities are identified. Controls can help in that there is information [gathered and analyzed] for identifying opportunities.
    2. Residual risk is the end result of applying controls and other elements of internal control. A framework is a framework, and its application is another matter. Make a distinction between the framework and its application to keep things understandable.
    3. I prefer making a distinction between risk management and internal control. The risk of non-achievement of an organization’s objectives is not solely dependent on internal control, but on the factors that commonly bring success to organizations: good ideas, devoted employees, enough capital etc. Internal control’s possibilities are limited to ensuring that the basic processes of an organization work well enough.
    4. Internal control has only limited possibilities to save the board and top management from making mistakes in making wrong selections between alternatives for heading into the future. It is true that there should be elements of internal control to ensure that the strategy-setting process passes all the tests.
    5. It is a board’s job to examine risk management, and it could be counted as a control if controls are seen very widely. Seen more narrowly, oversight by the board is nothing other than one of the board’s normal jobs. Not everything that happens in an organization is internal control or risk management; there is meaningful work, too! The way a board examines risk management is a matter of control.
    6. A good example of how internal control and risk management can be mixed. Controls are mixed with risk treatment measures. Other elements of internal control are not discussed at all. As far as internal control is concerned, there is no risk appetite, and no tolerance for deviations from that.
    7. Why? One framework is for one area, another for another area. Why should any framework explain the application of other frameworks?
    8. A combination of controls to manage risks; isn’t that evident? Controls have limitations; other controls are needed to compensate for deficiencies of the selected primary control.
    9. Material weakness belongs to the terminology of financial audit. Material weakness in an internal control framework can have a different meaning than it has in the audit of financial statements. Having the same informational content is an aspiration to a language that does not exist. There are no exact words for the phenomena of business and life.
    10. Organizations vary in many respects, and their boards as well. I myself cannot see that composition of the board is a core matter in any internal control framework.
    11. Likely true, but does everything need to be gathered in one framework – referring to what was said in 7 above.
    12. This is a matter of perspective: do you put emphasis on deeds with legal consequences that have an effect on the “rights and obligations” management assertion as a consideration of the true and fair view of financial statements, or on all deeds that could be blamed?

    However, I agree that the drafted new COSO IC is a disappointment; the ECAR internal control framework looks much more understandable to me.

    Axel Couza

  6. Buddy Rojek, CPA
    January 8, 2012 at 4:12 PM

    If organisations employed intelligent staff, who understood the business and were employed for a sufficient period to pick up errors based on experience and instinct, then we would not have the problems we have.

    Instead they use cheap grad labour, outsource, or sack experienced managers to cut costs. As a result errors will always occur.

    I have concluded that the head honchos expect problems, because it costs less than having 100% compliance. Auditors just bash their heads reporting what Management already know.

  7. Norman Marks
    February 11, 2012 at 8:22 AM