The short answer is “no”, because SEC rules require that the evaluation of internal control over financial reporting be based on a “suitable evaluation framework”. They have only recognized a limited number of internal control guides, including the COSO Internal Controls Framework (not the COSO ERM Framework, although it had been published when the SEC published its rules), the Canadian Institute of Chartered Accountants’ Guidance on Assessing Control (also known as ‘COCO’), and the Institute of Chartered Accountants in England and Wales’ Internal Control: Guidance for Directors on the Combined Code (known as the Turnbull Report). They have not recognized any risk management standard or framework to my knowledge.

But should we be able to use the COSO ERM Framework, the ISO 31000:2009 risk management standard, or another risk management framework/standard? What if the restriction was lifted?

Certainly, the assessment is supposed to be based on a top-down, risk-based approach. It should assess whether the risk of a material misstatement is very low (perhaps 5%). In other words, management’s risk tolerance (or criteria) is less than 5% likelihood for an impact that is material to the financial statements.

The typical approach includes:

a) Understanding the business

b) Identifying the potential sources of risk: accounts and disclosures that might include a material misstatement

c) Identifying and assessing the combination of controls that ensure that the likelihood of a material misstatement is very low

d) Obtaining evidence that those controls were operating effectively as of the end of the year such that the likelihood of a material misstatement was very low

This approach is certainly consistent with the guidance in a risk management standard or framework.

But the better question is whether that risk management standard or framework provides sufficient guidance for management in assessing internal control over financial reporting.

The answer is “no” (again).

A risk management standard, such as ISO 31000:2009, talks about understanding the internal and external context. It certainly does at least as much as the COSO Internal Control Framework when it comes to identifying potential sources of risk. But it doesn’t provide the detailed and practical guidance necessary to understand how internal controls address those risks.

It is true that COSO has evaluation tools but lacks (IMHO) useful guidance on how to select an effective and efficient combination of controls to address each potential source of risk. But that’s not sufficient reason to discard it. It does explain the nature of internal controls and how they can be found within the organization – and that has value.

I have yet to see a risk management framework or standard that provides sufficient detail about how internal controls operate to be used as the sole basis for an evaluation of internal control over financial reporting. Some may assert that because the COSO ERM Framework incorporates and extends the COSO Internal Control Framework, it can be used. But I think too much has been lost in the translation into an ERM framework and that the SEC was right to recognize only the COSO Internal Control Framework.

I am fine sticking with the COSO Internal Control Framework, supplemented by SEC guidance and other works (see below).

Do you agree?

If you are interested in optimizing your SOX program, please have a look at this new book from the IIA. It is the significantly expanded third edition of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners that has been downloaded about 200,000 times since the first edition was published in 2006.

  1. Frans
    May 24, 2012 at 9:54 PM

    A framework is a kind of abstract model. Should it contain details to the level you are pointing at, it will no longer be a framework, but a checklist. Such checklists always need customisation because financial systems are different (e.g. SAP versus Oracle) and may be differently implemented in different companies (see SAP industry solutions).
    Second, by using ‘fair value’ over historic data (costs, expenses) the financial statements have become very susceptible to estimates and manipulations. No higher level framework can deal with that.

  2. Oliver
    May 29, 2012 at 2:03 AM

    Norman’s answer is correct, but is it the right question? – Is it the aim of an enterprise risk management standard to deeply address internal controls? The answer is “no”😉

    The intention of ISO 31000 is different from COSO. While COSO is mainly focusing on ensuring correct financial reporting, the ISO standard addresses the management cycle of handling risk: “While all organizations manage risk to some degree, this international standard establishes a number of principles that need to be satisfied to make risk management effective. This international standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture”. – Taken from the ISO 31000, page V.

    It is the nature of any international standard that its postulates leave room for adoption. ISO 31000 calls itself a “generic standard” and there is explicitly no certification program available. Concerns of CPAs or regarding the fulfillment of requirements for internal controls were not the drivers for ISO 31000, but a general management approach, not limited to financial reporting (in the “real world” many non-financial risks exist ;))

    Basis for ISO 31000 is the Austrian standard ONR49000. Large parts of the ISO standard are adopted from the Austrian ONR 4900x series.

    ONR49000 offers a certification program for Risk Management Systems, as does the popular Australian / New Zealand standard AS/NZS4360.

    Conclusion: ISO31000 was not made to define internal control structures.

    From my understanding, COSO ERM enhances COSO IC with a risk management framework. While IC focuses solely on financial reporting, ERM addresses also non-financial and not only internal, but also external reporting demands. COSO ERM has a broader scope, but as far as I can assess and as it is common sense in literature, ERM is the further development of IC, with a different scope, but incorporating the contents of IC.

    So, if an organization is searching for an internal controls standard over financial reporting, COSO IC is one of the things to look after. If they need to apply a RM process, COSO IC is not sufficient.

    • Norman Marks
      May 29, 2012 at 2:25 AM

      Well said!

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist
      Better Run Business

  3. Andy
    June 6, 2012 at 6:23 AM

    Norm: I would suggest that a slight revision to your question adds additional insight to the analysis. My recommendation would be: “Can ERM standards or frameworks enhance the assessment of Internal Control under the COSO IC framework when evaluating financial reporting controls?”

    Since internal control assessment is based on the underlying risk, it would seem that consideration of both factors should result in an increasingly robust result. To support this assertion, I point to certain situations where the evaluation of the adequacy of the internal control structure in numerous actual experiences have reverted to an ERM structure for further analysis:

    First and foremost, the evaluation of the adequacy of the Control Environment under a pure internal control model has often resulted in inadequate or even misleading results. Evaluation of the full spectrum of risks to the organization often discloses threats to the internal control structure with financial reporting implications which do not become clear when exclusively financial reporting risks are evaluated.

    Secondly, areas of extensive management judgment are difficult to assess from the point of view of pure financial reporting risks. Two specific examples of this manifestation have proven particularly problematic: areas of extensive management judgment in selection of financial statement estimates and where management has chosen risk transference as its primary mitigation technique. Both of these situations create environments where systematic application of an ERM framework generates a much more persuasive argument as to the adequacy of the internal control structure. Let’s evaluate an example of each to enhance this point. When evaluating the adequacy of and allowance for uncollectible receivables, application of an ERM framework using established risk appetites and statistical techniques to evaluate the valuation selected, enhances the evaluation by adding evidence of the application of broader economic and business assumptions, and generates a statistically based indication of the percentage of the time the valuation will ultimately prove adequate, subject to the appropriateness of the assumptions and modeling approach. In a like manner, when looking at transferred risks, such as insurance purchasing, determination of adequacy of insurance coverage when loss has occurred becomes not just a legal issue, but also an exercise in exposure estimation. A consistent exposure estimation technique applied through most ERM frameworks provides a much more robust evaluation of the adequacy of the financial reporting than simple application of accounting techniques.

    Finally, management of organizations with strong ERM programs increasingly rely on them to document both the design and operation of all risks the organization faces (including those of financial statement errors). This provides both management and the auditor a comprehensive picture of how management sees their risks. The application of an ERM framework or standard therefore provides context and parameters to the internal control assessment. At the same time, recent history has shown the existence of this type of analysis should not be mistaken for accuracy of it. The impact of erroneous assumptions and poor modeling techniques can significantly increase the risk to the organization and under too many circumstances result in financial reporting impacts being masked or magnified.

    In summary, I agree with your premise that ERM standards and frameworks cannot on a standalone basis serve as the exclusive assessment tool for internal controls over financial reporting. I believe, however, that assessing these controls within the context of both an ERM framework or standard and an internal control framework provides a greatly enhanced assessment.

    • Norman Marks
      June 6, 2012 at 7:50 AM

      Andy, I admit to being in disagreement with some of what I think you are saying. For example, why do you suggest focusing on other than financial reporting risks? You can certainly do that, but it is more than what the regulators require. For example, if you assess compliance risks you might identify the fact that penalties are likely that are not reflected in the financials. The SEC has specifically excluded that as a controls issue for SOX.

      In the example of AR reserves, the issue is whether the controls are sufficient to avoid a material error. I think you are making the assessment more complex when you start bringing models into the discussion.

      However, I agree with your basic point: that you need internal controls frameworks, and risk management techniques can be a useful supplement in a number of situations, such as assessing deficiencies.

      Thanks for the comments

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist
      Better Run Business
      SAP

  4. Andy
    June 6, 2012 at 9:22 AM

    Norm: While I understand your concern and the consequences of applying my observations without an appropriate eye to materiality, I believe the simplistic approach has been at the root of a series of internal and external audit failures with respect to appropriately analyzing these risks. It also strikes me that this group itself an effort to appreciate and appropriately deal with the complexity of these issues. Not doing things which make good business sense, simply because the regulators don’t require it, has never seemed logical reasoning to me.

    As we have identified through a couple of our previous dialogs, my perspectives, coming from the insurance industry, tend to be driven by the nature of our business, but for the last 20 years most insurance industry developments in ERM have been precursors to those of other industries.

