We need your comments to upgrade the draft COSO internal control framework
COSO has released a draft for public comment of an updated Internal Control Framework. You can see some of the highlights and links in this Journal of Accountancy article.
While I am pleased that COSO has been working to update and upgrade the framework, I am frankly disappointed with this draft.
I encourage you strongly to review the draft and submit your comments. A loud voice may be needed to persuade COSO to make changes.
I especially encourage compliance, risk, and governance experts and practitioners to comment. COSO membership is primarily composed of accounting and audit bodies, and a team from PwC is responsible for developing this draft.
My primary concerns at this point (I haven’t completed my review and will share my comments on this blog when they are finalized) include:
- The relationship between risk management and internal control is not explained well. The definition of risk covers only adverse effects, which is not consistent with the COSO ERM definition of risk management, let alone with the more current ISO 31000:2009 standard. Controls are needed to ensure that opportunities are identified and realized.
- I don’t believe the authors have accurately represented the relationship between residual risk and internal controls. The existence of internal controls is considered in the assessment of residual risk, yet the draft says you only need controls if the residual risk is above tolerances.
- The draft suggests that you have an effective system of internal control if 17 principles are met across the 5 components of internal control. I disagree. You have an effective system of internal control if the risk of non-achievement of objectives is within organizational tolerances. You may fail to achieve one of the 17 principles in one of the 5 components without the risk of non-achievement being above acceptable tolerances.
- The draft states that strategy-setting is not included within the system of internal control, but does not address the fact that you need controls within the strategy-setting process: to ensure that the right people are making the decisions around strategy using reliable information.
- I simply don’t understand how board oversight of risk management is not a critical element of the Control Environment.
- Consistently throughout the draft, the need for controls to manage risks within tolerances is omitted. In fact, the draft says you can have a (minor) control deficiency even if there is no risk to objectives! The correct explanation is that deficiencies exist when the risk of non-achievement of objectives is higher than acceptable.
- Organizations have to, in many cases, work with governance codes/frameworks and risk management frameworks/standards as well as internal control frameworks. The draft should explain the inter-relationships and how organizations can manage compliance with multiple frameworks.
- There is insufficient emphasis on the need for an effective combination of controls to manage risks.
- The definition of a material weakness in internal control over financial reporting is inconsistent with guidance from the SEC and PCAOB!
- The draft says that there should be a minimum of 1 (yes, one) outside director for the board to have an independent voice. This is absurd.
- Guidance on technology-related controls and on the existence of controls at every level in the entity (including intermediate levels) is thin. The SEC and IIA both have better, more detailed guidance than is included in the draft.
- The discussion of Compliance is limited to mandated rules and regulations. However, companies need controls to ensure that business is conducted to their own standards, which may be more restrictive.
Please provide your comments here, which I will consider in my response to the public exposure draft. But, again, I strongly encourage you to be heard and submit your own comments.
Happy Holidays and thank you for your support in 2011.