Risk & Compliance

COSO Needs a Cookbook

The standards-setter comes out with guidance on how finance execs can monitor internal controls. What's lacking? Practical detail.
David Katz, September 18, 2007

At the end of May, the Securities and Exchange Commission finally weighed in with a guide to help corporations comply with Sarbanes-Oxley’s internal-controls proviso. When the SEC followed that up in July by okaying a revised dictum on how auditors should comply, those two documents seemed to be the guidances to end all guidances when it came to Section 404.

Not so. As it happened, COSO, the private-sector standards setter, had been toiling all along on improving its own pronouncements on how to make internal controls work better. On Monday, as part of that effort, the committee (The Committee of Sponsoring Organizations of the Treadway Commission, as it’s called) announced its release of a document called “Guidance on Monitoring Internal Control Systems.”

Much narrower than the SEC’s and the Public Company Accounting Oversight Board’s efforts, the COSO document homes in only on helping executives keep a sharp eye out for glitches in their companies’ internal control systems, both human and mechanized. In an extensively elaborated framework on internal controls begun in 1992, COSO sees “monitoring” as just one of five key elements of internal control, along with control environment, risk assessment, control activities, and information and communication.

Still, the SEC seemed to have covered that ground pretty well in its 77-page guidance on 404, discussing the concept of monitoring in depth — even, at times, citing earlier COSO encyclicals on the subject. So why the need for yet more guidance?

While the COSO draft doesn’t conflict with the SEC and PCAOB directives, it goes further, suggests COSO chairman Larry Rittenberg, an accounting professor at the University of Wisconsin at Madison’s business school. To be sure, the commission’s 404 guidance and AS5 “both refer to monitoring as a way of achieving greater efficiency,” he says, noting that COSO’s guidance isn’t only aimed at aiding companies in the regulatory arena, but also at helping them smooth their operations and cut costs.

The report’s 39 pages, however, contain some familiar truisms. It asserts, yet again, the need for “a tone at the top” for good monitoring to work and the need for competent and objective people throughout a company. In language similar to that of the guidance from the SEC and PCAOB, the writers of the COSO paper recommend that company officials “prioritize monitoring with an appropriate risk-based focus.” The paper also speaks in the broad generalities of systems theory, discussing the need to set a “control baseline,” a “change identification process,” and a “change management process” — because, well, things change.

When it comes to practical considerations, about the best the authors can do is offer an adage: “You get what you inspect, not what you expect.” To be sure, the authors say that the document “is not intended to be a ‘cookbook’ for how to monitor. Rather, it is designed to help organizations take a holistic view of monitoring, recognize elements critical to effectiveness, and identify specific points in their own monitoring where weaknesses might be mitigated or eliminated.”

The absence of recipes is, of course, in line with the current thinking in this principles-based era. To cut down on costs and excessive procedures, companies need to rely not on rules but on the judgment of executives and auditors, the reasoning goes. And, to be fair to COSO itself, the organization’s guidance on controls was helping managers find their way through the long period of uncertainty for years before the SEC saw fit to deliver its own pronouncement.

The question now, however, is this: How can a private-sector effort like COSO’s help with internal-controls compliance now that the regulators have weighed in? Perhaps the answer will come in the response to the paper, which the organization, after all, presents as only “a discussion document.” The organization is asking for feedback on it via its website before October 31, 2007. COSO will use the feedback to put together an exposure draft that includes tools, case studies, and implementation guidance. Final publication is slated for the first quarter of 2008.

Much-needed specifics may therefore be on the way. That would be a helpful thing because, as Rittenberg suggests, many corporations have a far piece to go in putting together top-flight internal-controls monitoring systems. “We have felt monitoring is underutilized by many of the companies,” he says, noting that the discussion paper could be a spur to such activity.

In particular, while most companies do a fair job on separate, periodic checks of their internal controls, many haven’t done so well on ongoing monitoring, the professor says. In the latter case, companies can get double duty out of internal-controls software, using it to operate the controls and monitor them at the same time. For instance, if a company’s software shows that duplicate payments are being made, that also shows that there’s a system in place to monitor duplication on an ongoing basis, according to Rittenberg.

The human factor can also be a key to ongoing monitoring. The CEO of a small computer company can, for instance, be steeped in customers’ contracts, he says. In that role, the executive has a good idea of what systems have been shipped at the end of the month. Because he’s likely to be involved in the accounting, he can check his knowledge of shipments against the books to see that both accounts match — and thus avoid mistakes in how much credit the company can take for the shipments and when to take it.

By supplying such practical details in its final revision, COSO could turn its dull discussion document into the cookbook that finance executives can bring into their controls kitchen. While it’s all very well to instruct managers to use their judgments, a solid — and interesting — roadmap through the terrain wouldn’t hurt.