At the end of last month, the period of public consultation of the redraft of COSO’s internal control framework closed. COSO received around 90 comments, or around 1 comment for every 90 SEC filers who have to live with the current framework as the basis for their internal control assessments under §404 of the Sarbanes-Oxley Act and related SEC regulations.
COSO impacts the perspective on internal control of many of the world’s largest firms – those who participate in US equity markets or issue US debt securities. Also, because of its pervasiveness in that arena, it has become the de facto standard for internal control for all firms across sectors globally. That represents a considerable authority and power. As the second President Roosevelt would have observed if he had lived a few days longer, ‘great power involves great responsibility’.
It is open to debate whether or not COSO has discharged its ‘great responsibilities’ robustly and diligently. In our extensive submission to COSO, we identified a series of problems which existed prior to the recent redraft and a range of issues with the redraft itself. Given the enormous impact of COSO, we believe these problems must be addressed by COSO, PCAOB and SEC as a matter of priority.
Simply put, the recent financial crisis and corporate failures have shown that our understanding of internal control is partial and frequently overstated. COSO is at the heart of this dilemma. These problems must be understood, addressed and (preferably) resolved before further requirements and the costs associated with them are foisted on the business community.
Over a series of 7 brief posts, including this one, we will examine:
- COSO’s problems of role (2/7, now posted here)
- COSO’s problems of evidence (3/7, now posted here)
- COSO’s problems of structure (4/7, now posted here)
- COSO’s problems of linearity (5/7 now posted here)
- COSO’s problems of behaviour (6/7 now posted here)
as well as what regulators and firms can and should do about them (7/7, now posted here).
Our aim is to provoke and promote debate among interested and affected groups on the effectiveness of approaches to internal control and management of risk. This topic is too important to leave to what would, some years ago, have been called ‘smoke-filled rooms’. Please join the debate.
The redraft of COSO can be viewed at here
Our submission on the COSO framework is available at our website.
The list of submissions to COSO can be viewed here.