There are two stories of structure in the new COSO draft. The first is the relationship between objectives and control. The second is newly-proposed principles of the COSO redraft. Both are problematic but for very different reasons. Together, these problems demonstrate that the COSO (re-)authors are out of their depth when it comes to understanding and dealing with risk and uncertainty.
Objectives are at the heart of COSO. For the last 20 years, we have lived with the COSO view of control objectives relating to effectiveness and efficiency of operations, compliance and financial control.
Ultimately, companies need have only two objectives: (i) to minimize to an economically-efficient level the physical harm they inflict upon natural persons (hazard-related), and (ii) to maximize, over some horizon, their value to shareholders (value-related). Enlightened firms may also consider some objective relating to minimizing their exploitation of the commons and production of unpriced negative externalities. All other objectives are subordinate to these.
The objectives discussed by COSO feed in to these superordinate objectives. However, the link between the objectives established by COSO – effectiveness and efficiency of operations, reliability of reporting and compliance – is unstated. Clearly, there will be a set of strategies with related objectives by which the firm pursues its superordinate financial return or value objective. Again, the relationship between these and the COSO objective set is unstated.
The logic of COSO is predicated on a comprehensive and effective corporate effort to define sub-ordinate objectives. This is also idealistic and has been shown, by an extensive academic and empirical literature, to be fraught with human and methodological problems. Management by objectives has, long since, been abandoned as a serious effort in strategy and corporate planning, yet it persists without either explicit recognition or explanation in COSO. That does not make it wrong, just divorced from management practice – another layer of activity that must be meshed on to the corporate effort; each layer adds complexity; each layer reduces clarity; each layer adds cost.
That the linkages between objectives are unstated is not a weakness of COSO as written. However, by failing to consider how the framework as written will be applied in practice, the COSO authors made in 1992 and continue to make a series of idealistic assumptions about the depth of insight practitioners seek and obtain before imposing the COSO framework on an unsuspecting firm. While a problem among firm’s control-related employees, this has posed a major and persistent problem among advisors who have wrought untold damage to firms’ understanding of the relationship between corporate performance, subordinate objectives, risk and control. There is a wealth of anecdotal evidence that this has blighted both genuine efforts at strategic and behavioural control and corporate performance.
Worse, the idea of an auditor assessing whether or not management has specified sufficiently robustly across a firm the range of objectives to support comprehensive identification of risks in that firm is either (a) laughable, or (b) an attempt by the authors to fashion a new industry in objectives review to supplement their declining SOX-related audit revenues.
The principal changes from the 1992 COSO appear to be the 17 principles and explanatory text.
The utility of the principles is highly questionable. They are likely to be applied clumsily in practice – to be used as yet another driver of checklists to which registrant firms will be subjected by junior auditors without the knowledge, experience or judgment to apply them interpretively. This will add to registrants’ costs without providing any greater knowledge, insight or assurance over control. They are not wrong per se; the approach is simply wrong-headed.
It is important to ask the question: what are the principles? The exposure draft states (para. 31):
Principles are meant to enable effective operation of the component and the overall system of internal control, with appropriate use of management judgment.
Presumably, the intention of the authors is that the principles will clarify the focus and content of the firm’s internal control approach or framework. However, if management judgment is to be applied, as suggested, why will the judgment of subsequent reviewers be superior? In order to identify failings in the firm’s internal control framework, a reviewer would need to assert superior judgment to that of management. Inherently, the principles, as drafted, imply comparative subjective assessment which will be problematic for auditors, independent or otherwise.
In reality, these ‘principles’ are nothing of the sort. There is no over-arching logic to their derivation or definition. They are more akin to guidelines for practice. The attributes defining each of the ‘principles’ also lack a clear logic or framework and appear to have been assembled heuristically. The collection of observations that form the bulk of the revised text appear to be based on limited, highly rationalistic and mechanistic assumptions about how firms operate.
Most incriminatingly, however, the COSO authors show a very limited understanding of risk, a concept at the heart of their framework and its objectives >> risks >> controls chain. Most revealing is the barely noticeable statement under principle 7 (Identifies & Analyzes Risk):
Risk identification must be comprehensive.
With this simple and definitive statement, COSO shows clearly that its authors have not grasped the nature of risk as it exists beyond financial reporting and highlights the limitations of the authors’ technical understanding of risk. It is not epistemologically possible for risk assessment to be comprehensive. This is not a minor error or an arcane technical point – it represents a fundamental misunderstanding of what risk is and is not and the limits of management practice to address risk.
The glossary defines risk as:
The possibility that an event will occur and adversely affect the achievement of objectives.
While seductively simple, this definition is both misleading and limited. First, events or conditions will always occur that will adversely affect the achievement of objectives. Secondly, not all risks are event-related; for example, customers’ preferences may alter – not an ‘event’, but a shift in operating conditions. Thirdly, risk relates fundamentally to the presence of uncertainty about the future; there is an infinite range of possible future states many or most of which will, relative to current assumptions about the future, “adversely affect the achievement of objectives”. Fourthly, risk can also take the form of complexity or ambiguity or volatility. None of these represents an ‘event’.
The (re-)authors of COSO are simply reaching beyond their knowledge, prescribing an approach to risk and to internal control (broadly-defined) that is neither realistic nor operable. The current COSO framework has done enough damage; COSO (the organization) must reassess its objectives and performance of the framework in practice before it adds another layer of cost and complexity.
The redraft of COSO can be viewed at here.
Our submission on the COSO framework is available at our website.
The list of submissions to COSO can be viewed here.
Feel free to subscribe to the blog to get our messages direct to your Inbox!