The Trouble with COSO

Critics say the Treadway Commission's controls framework is oudated, onerous, and overly complicated. But is there an alternative?
Helen ShawMarch 15, 2006

Well, it seemed like a good idea at the time.

Last year, the nonprofit Institute of Management Accountants (IMA) announced plans to host a conference in December. Apparently, the IMA wanted to preview a fledgling internal-controls framework — one aimed at helping publicly traded companies cope with tough new monitoring requirements mandated by the Sarbanes-Oxley Act. The IMA’s offering, devised in conjunction with Paisley Consulting, was intended to be an alternative to the well-established COSO controls framework. That framework, used by the majority of Sarboxers, was first promulgated in 1992 by the Treadway Commission’s Committee of Sponsoring Organizations (hence, COSO).

But when word got out that the IMA, one of the five sponsoring organizations, was offering a rival framework, things turned ugly. Attendees quickly began pulling out of the event. One source close to the situation claims government regulators — many of whom have publicly backed COSO — refused to attend, because they didn’t want to give the appearance of endorsing a rival system. Ultimately, the IMA had little choice but to cancel the event. Larry Rittenberg, COSO’s chairman, says he advised IMA executives to delay the unveiling until he had a chance to talk to them. “We think everyone ought to look for ways to better implement the COSO model,” he explains. “But we should work within the COSO structure.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Seemingly chastened by the incident, in late January IMA officials agreed to work on developing a management-focused system within the COSO framework. Jeffrey Thomson, vice president for research and applications development at the group, says the template (called Collaborative Assurance & Risk Design: Management Edition, or, unfortunately, CARD: ME) will allow managers, rather than external auditors, to take the lead in setting internal controls. But the IMA’s near-defection speaks volumes about the troubles with COSO. Critics claim that the framework is a broad, principles-based document not particularly suited to internal-controls monitoring. Parveen Gupta, an accounting professor at Lehigh University (who is helping the IMA form a CARD: ME advisory panel), likens COSO to a lifestyle guide for a healthy heart. It’s helpful, he says, but specific cholesterol counts would be even more useful in determining the exact health of a patient.

COSO is also complicated — some say too complicated for midlevel managers. It’s no snap, that’s for sure. The framework has three key objectives (operations, finance, and compliance) mapped across five components, in a manual that runs 353 pages.

Malcolm Schwartz, a member of the IMA, says some managers have assumed the 203-page “Evaluation Tools” section at the end of the book is part of the framework. It isn’t.

The somewhat confusing nature of the COSO framework may explain, in part, why many public issuers have struggled so mightily with Section 404. Then again, it’s not entirely clear if any current controls template adequately addresses the laborious task of documenting and monitoring thousands of internal controls. Finance managers do appear to be searching for alternatives, though. In a poll conducted by CFO in January (see “Standard Deviation” at the end of this article), three-quarters of the respondents said they relied upon various frameworks in addition to, or other than, COSO when mapping internal controls. About a third of the surveyed executives cited the use of COBIT (Control Objectives for Information and Related Technology), a technology-governance model now published by the IT Governance Institute.

In addition, 28 percent of the surveyed executives indicated that they have based their Section 404 programs, at least in part, on Auditing Standard No. 2 — a guideline for external auditors put out by the Public Company Accounting Oversight Board (PCAOB). By scoping out the auditor-aimed AS2, public issuers are attempting to anticipate what their auditors will look for, thus limiting the work they must perform. In a sense, they are gaming the Sarbox system. Acknowledges one finance executive: “The biggest factor is pleasing your external auditors.”

Pleasing external auditors may not have been what legislators had in mind when they passed Sarbox. The guessing game, while understandable, worries some. “The absence of guidance is a call to regulators, stakeholders, and external audit committees,” insists Joe Atkinson, operations leader of the governance risk and compliance practice at PricewaterhouseCoopers. “They need to help managers understand what effective internal controls look like.”

Everything in Triplicate

COSO was intended to provide that sort of help. First released in the wake of the savings-and-loan scandals of the late 1980s, the Coopers & Lybrand–developed framework was largely ignored by the corporate world until Congress passed Sarbox a decade later. Suddenly facing a looming deadline to report on the effectiveness of their controls over financial-reporting systems, executives at publicly traded companies began scrambling for guidance.

Many glommed on to COSO. For some, it was an obvious choice — particularly since the Securities and Exchange Commission and the PCAOB soon recommended (but did not require) the use of the framework. Recalls Dominique Vincenti, chief advocacy officer at The Institute of Internal Auditors: “If you were already using COSO, the only new piece [as a result of Section 404] was the disclosure.”

Few companies were in that position, however. Instead, IMA board member Malcolm Schwartz says many finance managers applied the “audit” approach during the first year of Sarbox compliance — that is, they tried to record every single control. That has proven costly. The SEC’s initial projections indicated that each public company would spend less than $100,000 to meet internal-controls reporting requirements. Later surveys showed the actual costs were, on average, 20 times that amount.

Eric Balzer, CFO of Colorado Springs, Colorado-based Ramtron International, says that when he joined the semiconductor-device company just over a year ago, it did not have its internal-controls procedures set up for Sarbox. Since then, Ramtron has mapped many of its controls to the COSO template in flow charts, with headers that list the activity’s control objectives and risks. This practice puts Ramtron in the process-focused risk-assessment camp. As opposed to the more backward-looking coverage approach (examining financial account numbers and then attempting to document controls related to them), the process-focused approach targets work activities that might generate accounting errors. That, in theory, enables problems to be fixed before they land in the financial statements.

In Ramtron’s case, the objectives and risks of an activity are linked to related compliance requirements. When purchasing services and supplies, for instance, the Sarbox-based objective of paying appropriate prices is listed with the risk of outdated or incomplete price information. By monitoring the performance of controls through a process approach, employees become responsible for controls. Thus, the monitoring component of COSO gets linked to the control environment. “If you do that,” argues IMA’s Schwartz, “you can substantially reduce the amount of separate evaluations by the internal-audit department.”

Reducing separate evaluations would be a good thing. Finance chiefs have complained bitterly about the huge duplication of work among finance departments, internal audit, and external auditors in the pursuit of 404 compliance. Those complaints were not lost on members of the PCAOB: in May, they issued a statement encouraging auditors to exercise more judgment and to rely on the work of others. So far, that doesn’t seem to be happening. Defenders of the COSO model, however, insist such duplication is inevitable, particularly in the early stages of Section 404 compliance. “Implementing [Sarbox] and the PCAOB’s Auditing Standard No. 2 was like any other new venture,” says Nick Cyprus, senior vice president, controller, and chief accounting officer at Interpublic Group. “Start-up costs and the learning curve were high. Everyone was learning.”

The White-Elephant Reference

The difficulties may have stemmed in part from a lack of advice from external auditors. Spooked by the demise of rival Arthur Andersen — and the subsequent rise of the PCAOB — the remaining Big Four firms have reportedly adhered strictly to the letter of the law in maintaining their independence during audits.

Even with some auditor input, mapping COSO to Sarbox can be nettlesome. One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, those objectives are applied to five key components (monitoring, information and communication, control activities, risk assessment, and control environment).

Given the number of possible matrices, it’s not surprising that the number of audits can get out of hand. Celanese Corp., an industrial-chemicals company, is creating a risk-and-controls matrix that revolves around the Treadway Commission’s model. But eager to reduce the amount of documentation and testing, the company is focusing only on implementing the COSO components that relate directly to Section 404.

Selecting the key areas related to financial reporting was no easy task, recalls Paul Peters, Celanese’s Sarbanes-Oxley project director. “As a framework, COSO has value,” he says. “But CFOs must be careful of this white elephant. It is more than what is required in Sarbanes-Oxley.”

Tim Leech, chief methodology officer at Paisley, argues that while the COSO standard was groundbreaking at the time, it was not meant to be a marking guide for controls. Leech, who has been working on the CARD: ME system since 1986, believes that COSO is akin to a book on grammar principles — it doesn’t help you evaluate a fourth-grader’s writing and determine whether the student should pass or fail. Consequently, the model does not permit reasonably consistent and repeatable measurements of a company’s control over financial reporting.

Small companies have had a particularly hard time applying COSO. In the past, finance managers at many of these businesses relied upon external auditors to provide advice on financial systems. Section 404 changed all that. With few options, executives at some of these businesses have besieged officials at COSO, seeking help. The committee responded, releasing an exposure draft of a guidance initiative for small businesses in October. At press time, the group was readying the final version of the guidance for public release.

Mapping, Digging

In the meantime, the debate over COSO rages on. George Honig, audit manager and Sarbox-compliance head at Sears Holdings, believes there is a need for a management-centric framework, not just guidance for management. That sort of framework might develop organically over time. As companies go through the 404 drill several times, they will likely refine their approach to certifying controls. “Management-centric guidance is already coming about by virtue of what is happening in the marketplace,” notes Eric Hespenheide, managing partner of global internal-audit service at Deloitte & Touche LLP. Hespenheide also believes regulators such as the SEC and the PCAOB are clarifying what is expected of public issuers. “I think we will continue to see further speeches by SEC commissioners and [the release of] frequently asked questions,” he predicts. “And they will be data points for what is acceptable.”

For the moment, however, expect to see more mapping to COBIT and more digging through the details of AS2 — anything to help managers divine what their independent auditors will come looking for. Says Atkinson: “It’s a difficult way to go about building an internal-controls environment.”

Helen Shaw is a staff writer at

Standard Deviation
In a CFO magazine poll, respondents were asked to name the framework — or frameworks — they use for internal controls. Here’s what they said:
COSO (Committee of Sponsoring Organizations, Treadway Commission) 82%
AS2 (Auditing Standard No. 2, PCAOB) 28%
COBIT (Control Objectives for Information and Related Technology) 33%
SAS 55/78 (AICPA) 13%
Other 2%
Comply with Me
A breakdown of the rather lengthy COSO manual
Section Length
Executive Summary 7 pages
Reporting to External Parties 25 pages
Framework 118 pages
Evaluation Tools 203 pages
Total 353 pages