Talking about COSO (7/7): Petition to COSO, PCAOB & SEC

Before COSO amends with its internal control framework– adding cost and extra effort to filers without any guarantee of control improvement – the authors need to understand its efficacy: what works and what does not any why.  COSO has made no robust attempt to understand the efficacy of its current framework or its effect on filers’ broader internal control performance.  In a petition to COSO, PCAOB and SEC, we call on COSO to make its regulatory activity more evidence-based: to withhold publication of the redrafted COSO internal control framework until it has completed a properly-independent, methodologically robust and comprehensive review of COSO’s effectiveness at promoting internal control more broadly than merely over financial reporting.  


. . .

Identifying problems is one thing; suggesting solutions is another.

Over the last few weeks, I have outlined a series of problems with COSO under five broad headings: what I have termed problems of (i) role, (ii) evidence, (iii) structure, (iv) linearity and (v) behaviour.  Together, these problems demonstrate that the current exercise to redraft COSO is premature and misfocused.

Research published by the SEC in April 2011 suggests that the total cost of compliance with SOX §404 may be in the order of $9.5 billion per annum with audit fees attributable to SOX §404(b) of in excess of $2.1 billion (figures imputed from SEC research data).  The report notes that per annum costs are declining, a trend which is likely to have continued since the research was undertaken in 2009-10.

The SEC research is far more detailed and empirically grounded than the research COSO appears to have conducted prior to the re-draft of COSO by PwC.  Chartered accounting firms have a colorful recent history of describing opinion surveys as research.  They are, but only of opinion.  And there are many reasons opinions may differ systematically from reality.

As re-drafted, the revised COSO will add another layer of cost and present an additional opportunity for chartered accounting firms to impose reductionist approaches on to their client base for which they will recover fees (or through which they will reduce their costs of attestation).   The additional requirements will impose additional costs on to SEC registrants.  The costs are real; the benefits, supposed at best.

Many of the changes in the re-drafted COSO are focused on internal control defined more broadly, outside the ambit of internal control of financial reporting.  And yet, COSO (the organization) has presented no evidence of the efficacy of COSO (the framework) at enhancing organizational control outside the area of financial reporting.  If the framework is not significantly contributory outside internal control over financial reporting, its use in SOX §404 attestations will mean that costs associated with changes to broader elements of internal control will be materially amplified throughout the SEC filer community without signficant benefit.  At present, there is no evidence of such a benefit.

A more responsible approach to regulation would be to begin the process of regulation with evidence of the performance of the current framework and of the problem the changes are intended to solve.  In an e-petition to COSO, PCAOB and the SEC, we call on COSO to gather and consider the relevant evidence of efficacy of the COSO internal control framework.  Our hope is that COSO and the regulatory bodies will undertake a responsible level of evidence-gathering and consideration before imposing additional and unsubstantiated costs on SEC filers.

The preamble to the e-petition reads:

COSO has yet to demonstrate that its internal control framework is effective.  It costs SEC filers hundreds of millions of dollars [make that billions] each year to comply with the current framework, without any evidence that it enhances internal control or improves corporate performance. 

COSO has recently issued for public submission an exposure draft revising its 1992 document Internal Control – Integrated Framework.  The period allowed for public submissions has now closed.  The redraft does not represent a substantive change from the 1992 document.

Neither COSO nor the authors of the redraft on behalf of COSO have undertaken or cited any systemic attempt to review the efficacy of COSO’s approach to internal control.  Before proceeding to issue the re-draft, COSO must demonstrate clearly and systematically that the present framework is broadly effective at BOTH (i) its original purpose – improving internal control of financial reporting – and (ii) its broader purpose of promoting internal control in other areas of organizations’ activities.  Asking executives their opinion is, in itself, a valuable exercise but does not demonstrate efficacy empirically.  We believe it is responsible to question the COSO framework’s performance against these sets of objectives in light of the financial crisis and its impact of the value of SEC filers from the financial sector and the impact of the subsequent economic crisis on filers in other sectors, across jurisdictions.

Please read and sign the e-petition at

We will submit the e-petition to COSO, PCAOB and SEC in June 2012.


2 thoughts on “Talking about COSO (7/7): Petition to COSO, PCAOB & SEC

  1. Pingback: We need to talk about . . . COSO « The risk debate

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s