Comments on the COSO draft update of the internal controls framework
I uploaded my comments on the draft yesterday. Unfortunately, it does not seem possible to view the comments yet, so I am copying them below.
I welcome your feedback and encourage you to submit your own comments to COSO (www.coso.org).
Comments on the draft COSO update of the Internal Controls Framework
Norman Marks, CPA, CRMA
February 10, 2012
My compliments go to COSO and its leaders for undertaking an update of the excellent 1992 internal controls guidance. It made a significant and necessary contribution by bringing people together around a shared definition of internal control.
Overall, the update has shown some imagination but I am not persuaded that it has been successful. I fear that it may have added fuel to the existing perception that this is a control framework for accountants and financial auditors, and will lead to a checklist approach to assessing the adequacy of internal control. I also regret that the opportunity to collaborate with risk practitioners to converge guidance for risk management has been allowed to pass.
I will share my comments in four sections: on the process for the project; high level issues; more detailed concerns; and, some concluding remarks and recommendations. These are my personal comments, which may not be consistent with those of my employer or of the professional associations of which I am a member.
While I have heard complaints about the choice of PwC (my former firm), I don’t have a problem with their selection and respect the project leaders, some of whom I know personally. The role of the Advisory Council is key to ensuring a quality product, and it also includes a number of individuals I know and respect.
However, the internal control framework is not a product only for accountants and auditors. Internal controls are a major element in the management of risk, optimization of performance, and achievement of compliance. The users of and stakeholders in a quality internal control framework are a diverse and broad group. Unfortunately, while a few of the project team and council have experience beyond accounting and financial auditing, the voice of the larger risk management and compliance practitioner communities – let alone the governance community – does not appear to have been solicited or incorporated.
As is well known by COSO, a large number of risk management practitioners do not favor the COSO ERM Framework, which is built on, expands, and extends the internal control framework. There is also a perception, right or wrong, that the internal controls framework is by and for accountants and financial auditors.
This update of the internal control framework was an opportunity to remedy the situation and move towards a convergence with other interested groups. Significant contributions to thought leadership in risk management, in particular, have been made since COSO released the ERM framework. However, this project does not appear to have considered, learned from, and incorporated that thinking.
That is unfortunate and I have reservations that unless changes are made to the draft and in the process, many of the leaders in risk management and compliance will not endorse and use it. The framework will end up satisfying the needs of external auditors, accountants, and (to some limited extent) internal auditors, but not the needs of the larger community.
On a second point, I do not feel that it is appropriate to assess the readiness of the updated internal controls framework now and provide guidance related to the assessment of internal control over financial reporting later. Only when we see the latter can we assess the former, because a major use of the internal controls framework is as the foundation of management’s assessment of internal control over financial reporting.
Finally as regards process, I am personally disturbed to see webcasts and other presentations on the draft as if it were final or close to being so. I believe the product is flawed – in ways that can be addressed – and it is too early and disrespectful to the process to advocate it as if it were other than a first draft for discussion.
High Level Issues
I have a few significant issues that strike to the heart, in my opinion, of the value and use of the draft.
- A checklist approach to assessing the system of internal control
The new version suggests that an effective system of internal control is achieved if the principles and related attributes for each of the components of the model are present and functioning.
Not only is this concept highly questionable, but it encourages a checklist approach to assessing internal control rather than the use of judgment and risk management principles.
My view: the system of internal control is effective if it provides reasonable assurance that the more significant objectives will be achieved. Reasonable assurance is achieved if the risk of non-achievement is acceptable (based on the organization’s defined risk criteria, which include its risk appetite). Judgment is necessary to reach that conclusion, not the completion of a checklist as presented in the draft.
Reasonable assurance requires, in most cases, a combination of controls across a range of COSO components. It does not always need controls in every component, satisfying every attribute listed in the draft. For example, the effect of a defect in one attribute may be mitigated by a compensating control elsewhere, such that the risk of non-achievement of objectives is within acceptable levels.
I commented on the process for evaluating the system of internal control on my blog. I was pleased to see a level of agreement with my position, but dismayed at the number of people who preferred a checklist to being asked to exercise judgment. This should be a caution against providing people with what appears to be, if not in fact is, a checklist.
- Limitations to the system of internal control
The draft excludes from the system of internal control activities – which are clearly controls – within governance processes that ensure that the board and top management define appropriate objectives and provide oversight of risk management, performance, and more. While I would not advocate changing the definition of internal controls (the 1992 definition has stood the test of time and this issue can be addressed with explanatory text), if the organization is heading in the wrong direction it will fail. Controls are required to ensure that the right individuals are responsible for governing the organization, hiring and overseeing management, and approving objectives and strategies. They should do so based upon reliable, complete and current information, and the objectives and strategies should be communicated once approved across the organization and integrated into individual department and manager objectives.
Similarly, there is no assurance that controls are suitable for the organization if the risks they are designed to modify are not part of an effective risk management program/process, and acceptable risk limits are not set and approved by the board – and then communicated across the organization.
The relationship between risk management and internal control is not explained well in the draft, and some of the text is actually conflicting. In particular, risk management is not only (as described in the draft) about addressing the potential negative effects of uncertainty. It is also about addressing the opportunities for positive effects on performance and the achievement of objectives.
Controls help ensure actions are taken to optimize performance; they don’t just mitigate the potential negative effects of uncertainty.
- The language of risk management
As noted earlier, risk management is about more than the potential negative effects of uncertainty. But the draft reflects other ‘errors’ in discussions of risk management. For example, there is discussion of a risk response being needed, but additional actions (such as additional controls) should only be taken if the level of risk after consideration of the effect of existing controls (i.e., the residual risk) is above acceptable levels. Another example is the idea that there is a control deficiency even if the level of risk is acceptable.
In another example, when considering the achievement of objectives it is not sufficient to set a ‘risk tolerance’ of 90% achievement. The likelihood of non-achievement of the objective should be paramount; for example, is management willing to accept a 20% likelihood that the objective will not be attained? Is management willing to accept a 10% likelihood that the objective will be achieved at the 90% level?
My recommendation is that risk practitioners, especially individuals active in the ISO 31000:2009 community of practice, and professional risk management associations (such as RIMS, GARP, and IRM) be added to the project. The language of risk can then be upgraded to the latest thinking and the value of the internal control framework to the larger community enhanced.
- The efficiency of the system of internal controls
The draft focuses exclusively on what will constitute an effective system of internal control. There is inadequate guidance on designing and operating an efficient system of internal controls.
While the 1992 version appropriately comments that a combination of controls is required, and that controls can operate at different levels within the organization (such as at the entity level as well as the activity level), there is little if anything to help the control designer in the new draft. For example, the framework should discuss, inter alia:
- Preventative vs. detective controls, based on the (generally higher) level of risk when reliance is placed on detective controls.
- Entity-level vs. activity-level controls.
- Automated vs. manual controls.
- The risk that certain controls may not operate reliably.
- The combination of controls that will provide, at acceptable cost, reasonable assurance that risks are managed at acceptable levels.
Detailed concerns and comments
The balance of this document is a list of comments, in addition to those above, in order of their appearance in the draft. They are necessarily brief, and I would be happy to review them in a call as necessary.
- It is not enough to have a commitment to hire good people if the processes are lacking. Either the discussion in the Control Environment component is lacking or it needs to be linked to related controls in other components.
- IT general control activities don’t need to be separated from control activities. They are control activities and should be assessed in combination with all controls relied upon for the achievement of objectives (see the IIA’s GAIT Methodology for Business Risk).
- There is too much emphasis on formal policies and procedures, as if controls are necessarily lacking if not documented.
- In #34, why say ‘understands’ and not something more positive?
- ‘Selects and develops’ (in principles) does not include ‘operates’.
- #70-72 should relate to the risk of non-achievement of objectives being acceptable.
- The definition of material weakness in #85 is not consistent with that in AS5. The existence or non-existence of a material misstatement is not conclusive of there being a material weakness. Internal control only provides reasonable assurance and isolated errors can occur.
- Consider technology on mobile devices. While it is challenging for a framework to stay current as technology changes, it is clear that enterprise applications (not just data) are increasingly on smart phones and tablets.
- In the Costs section, consider the level of controls required to manage risk within acceptable limits.
- While Control environment is “sometimes seen as synonymous with internal control culture” it is not – it is more. #118 should be so modified.
- The guidance of “at least one outside director” in #142 is worse than saying nothing. To be effective, the board needs to be able to act in the interests of the owners and stakeholders when those are different from the interests of management. The COSO ERM Framework states that for risk management to be effective (see #497), “the board must have at least a majority of independent outside directors.” Oversight of the actions of management, which is a key control, cannot be effective otherwise.
- #144 on board compensation is a challenge. This comes too close to disqualifying many directors who have equity holdings.
- The example objectives in #205-206 are not specific, measurable, or time-bound.
- The Internal Reporting discussion should be extended to include the analytics used in decision-making and more. The draft focuses only on the products (e.g., the dashboards) rather than the processes behind them.
- External financial reporting objectives should explicitly include the preparation and publication of all information filed with the regulators and provided to other third parties, including information not subject to audit.
- There are not always standards for external non-financial reporting. A better example (than ISO) would be corporate sustainability reporting.
- Compliance deals only with mandated compliance. However, organizations desire assurance that their desired standards of business conduct are met – which may be a different level or be in anticipation of regulation.
- #247 discussion of segregation of duties makes no sense; it should be clarified or removed.
- The discussion of fraud risk is not complete. It focuses on fraudulent reports and safeguarding of assets. However, fraud can also involve falsification of information (such as records of safety incidents, customer complaints, etc.), changes to pay records, collusion with vendors, and more.
- The section on corruption should be expanded to include an explanation of what is included, presumably bribes and facilitation payments. This is not clear as written.
- The discussion and chart on page 71 are not helpful. They are confusing and unclear as to their meaning.
- The discussion of technology-related controls is thin. Consider using some of the content of the SEC guidance for SOX and the IIA’s GAIT family of methodologies. For example, sometimes the accuracy and completeness of a key report may be ensured by the normal operation of a manual control; in this case, there is no reliance on technology-related controls.
- The reliance on restricted access to ensure only the defined individuals perform control activities is overlooked.
- When considering segregation of duties, it is important to assess the risk to objectives if individuals have combinations of functions. I don’t believe this is discussed.
- The discussion of technology controls should include ensuring the value from technology is obtained. Work with ISACA on this issue.
- The quality of information in #346 should include the useful presentation of the information: so it can be used effectively in performing internal control activities.
- In #349-350, include communication of risk tolerance, standards, policies, and procedures.
- In the Monitoring section, distinguish between monitoring that provides assurance that controls are in place and operational, and monitoring of transactions that identifies exceptions that may indicate defects in the system of internal control.
- Discuss the role of internal audit and the extent to which management can rely on internal audit for monitoring. Many believe that management is responsible for monitoring controls, and internal audit can assess management’s monitoring activities.
- Monitoring should ensure the controls are sufficient to manage risks within organizational tolerances. The description of monitoring whether controls are present is inadequate.
- Discuss the relationship between monitoring controls and detective controls.
- Discuss supervision and reviews (such as reviews of account reconciliations) as forms of ongoing monitoring.
- Disagree that deficiencies should always be reported to a level of management above those responsible for performing the controls and/or taking corrective action. When deficiencies are identified by one manager, it is generally sufficient to communicate directly to the individual responsible for taking action.
- If management identifies a temporary breakdown in controls that is corrected immediately, there is generally not a need to share that with the board. The discussion in #401 should focus on material or significant deficiencies that are either (a) in internal control over financial reporting and exist at the end of a reporting period, impacting certifications, (b) not resolved promptly such that there is no significant impact on objectives, (c) unresolved, especially of long standing, (d) the cause of material errors in information provided to third parties or the board, or of compliance failures that are of significance, (e) involve the actions or behavior of senior executives or the board, (f) the cause of failures in employee or community safety, (g) indicative of a generalized failure of internal control in a significant part of the organization, or similar.
- Discuss the need to report control failures of significance to the internal and external auditors.
- Be very specific and state that you can have errors due to internal control issues and still have an effective system of internal control. Considerations in making that assessment will include the frequency and number of errors, the significance of the errors, whether controls mitigated the effect of the errors within tolerances, the period of time during which errors occurred, and whether the risk of non-achievement of objectives remained acceptable.
- #416 and #418. Internal control is also effected by individuals external to the organization, such as in service providers or third parties performing periodic monitoring of controls. They do more than provide information: they perform controls.
- The section at #420 does not state that the board is responsible for oversight of the system of internal controls. Aspects, such as controls relating to compliance, may be delegated to committees focused on that area.
- The CEO is responsible for ensuring the organization is structured and resourced to achieve objectives and perform internal controls.
- Risk officers are responsible for reporting to management and the board whether the more significant risks to the business are being managed within organizational tolerances, and this requires that the internal controls are sufficient.
- Compliance personnel are responsible for ensuring that compliance requirements (the laws and regulations) are understood and communicated to those responsible for the controls that ensure compliance.
- All personnel are responsible for understanding risk tolerances relating to their duties. They are also responsible for sharing information needed by others.
- There should be a discussion on efficiencies through the elimination of duplicate or redundant controls.
- Managers are responsible for ensuring that individuals performing controls are adequately resourced, trained, and have sufficient expertise to perform their duties.
- Why are the areas for internal audit in #444 different from the three categories of internal control? If they are to be different, they should be stated as governance, risk management, and related controls.
- Combine #454 and #455.
- Application controls also ensure validity.
- When I read the summary of changes, they seem to indicate more has been achieved (such as discussions of governance and the relationship between risk and performance) than is present in the actual draft. Another example is that the summary of changes talks about a risk-based approach to internal control, while the detailed text does not reflect that.
Thank you for the opportunity to provide comments, and I am available for additional discussions as needed.
My recommendation is that:
- The current draft is considered preliminary and COSO accepts the need for significant revision and an extended timeline.
- The guidance on the use of the framework to evaluate the system of internal control over financial reporting is completed and issued as a draft for review together with the next draft of the controls framework.
- The project team and advisory council is augmented with representatives from the worlds of (at least) risk management, compliance, and governance.
- COSO starts the process of convergence of its risk management language and approach with that of the ISO 31000:2009 community.
- An open discussion is held on the future of the ERM framework and its relationship to the internal control framework.
- A second draft is prepared and issued for additional comment, with the expectation that a third draft may be necessary.
- Given that stakeholders in its products extend beyond the accounting, finance, and audit professions, COSO expands its membership to include professional organizations in other disciplines.