The Trouble with COSO

Critics say the Treadway Commission's controls framework is outdated, onerous, and overly complicated. But is there an alternative?

March 15, 2006

Well, it seemed like a good idea at the time.

Last year, the nonprofit Institute of Management Accountants (IMA) announced plans to host a conference in December. Apparently, the IMA wanted to preview a fledgling internal-controls framework — one aimed at helping publicly traded companies cope with tough new monitoring requirements mandated by the Sarbanes-Oxley Act. The IMA's offering, devised in conjunction with Paisley Consulting, was intended to be an alternative to the well-established COSO controls framework. That framework, used by the majority of Sarboxers, was first promulgated in 1992 by the Treadway Commission's Committee of Sponsoring Organizations (hence, COSO).

But when word got out that the IMA, one of the five sponsoring organizations, was offering a rival framework, things turned ugly. Attendees quickly began pulling out of the event. One source close to the situation claims government regulators — many of whom have publicly backed COSO — refused to attend, because they didn't want to give the appearance of endorsing a rival system. Ultimately, the IMA had little choice but to cancel the event. Larry Rittenberg, COSO's chairman, says he advised IMA executives to delay the unveiling until he had a chance to talk to them. "We think everyone ought to look for ways to better implement the COSO model," he explains. "But we should work within the COSO structure."

Seemingly chastened by the incident, in late January IMA officials agreed to work on developing a management-focused system within the COSO framework. Jeffrey Thomson, vice president for research and applications development at the group, says the template (called Collaborative Assurance & Risk Design: Management Edition, or, unfortunately, CARD: ME) will allow managers, rather than external auditors, to take the lead in setting internal controls. But the IMA's near-defection speaks volumes about the troubles with COSO. Critics claim that the framework is a broad, principles-based document not particularly suited to internal-controls monitoring. Parveen Gupta, an accounting professor at Lehigh University (who is helping the IMA form a CARD: ME advisory panel), likens COSO to a lifestyle guide for a healthy heart. It's helpful, he says, but specific cholesterol counts would be even more useful in determining the exact health of a patient.

COSO is also complicated — some say too complicated for midlevel managers. It's no snap, that's for sure. The framework has three key objectives (operations, finance, and compliance) mapped across five components, in a manual that runs 353 pages.

Malcolm Schwartz, a member of the IMA, says some managers have assumed the 203-page "Evaluation Tools" section at the end of the book is part of the framework. It isn't.

The somewhat confusing nature of the COSO framework may explain, in part, why many public issuers have struggled so mightily with Section 404. Then again, it's not entirely clear if any current controls template adequately addresses the laborious task of documenting and monitoring thousands of internal controls. Finance managers do appear to be searching for alternatives, though. In a poll conducted by CFO in January (see "Standard Deviation" at the end of this article), three-quarters of the respondents said they relied upon various frameworks in addition to, or other than, COSO when mapping internal controls. About a third of the surveyed executives cited the use of COBIT (Control Objectives for Information and Related Technology), a technology-governance model now published by the IT Governance Institute.

In addition, 28 percent of the surveyed executives indicated that they have based their Section 404 programs, at least in part, on Auditing Standard No. 2 — a guideline for external auditors put out by the Public Company Accounting Oversight Board (PCAOB). By scoping out the auditor-aimed AS2, public issuers are attempting to anticipate what their auditors will look for, thus limiting the work they must perform. In a sense, they are gaming the Sarbox system. Acknowledges one finance executive: "The biggest factor is pleasing your external auditors."

Pleasing external auditors may not have been what legislators had in mind when they passed Sarbox. The guessing game, while understandable, worries some. "The absence of guidance is a call to regulators, stakeholders, and external audit committees," insists Joe Atkinson, operations leader of the governance risk and compliance practice at PricewaterhouseCoopers. "They need to help managers understand what effective internal controls look like."

Everything in Triplicate

COSO was intended to provide that sort of help. First released in the wake of the savings-and-loan scandals of the late 1980s, the Coopers & Lybrand–developed framework was largely ignored by the corporate world until Congress passed Sarbox a decade later. Suddenly facing a looming deadline to report on the effectiveness of their controls over financial-reporting systems, executives at publicly traded companies began scrambling for guidance.

Many glommed on to COSO. For some, it was an obvious choice — particularly since the Securities and Exchange Commission and the PCAOB soon recommended (but did not require) the use of the framework. Recalls Dominique Vincenti, chief advocacy officer at The Institute of Internal Auditors: "If you were already using COSO, the only new piece [as a result of Section 404] was the disclosure."


Reader Comments (displaying 2 of 2)

  • W. Kelly Rice

    Oct 3, 2006 12:06 PM ET

    COSO-COBIT

    While conceptually I understand the point, in practice, particularly for smaller companies, COBIT is very much an …

  • YIGAL RECHTMAN

    Mar 24, 2006 9:50 AM ET

    COSO and COBIT and AUDIT, oh my!

    The applicability and effectiveness of COSO to financial audits is hard to overstate. COSO is a well defined, well …
