The Auditor's Report

American Accounting Association — Auditing Section
Auditing Standards Committee

October 1, 2003

Committee of Sponsoring Organizations of the Treadway Commission

PricewaterhouseCoopers LLP

RE: Invitation to Comment on the Enterprise Risk Management Framework

Dear COSO and PwC:

The Auditing Standards Committee (ASC) of the Auditing Section of the American Accounting Association welcomes the opportunity to comment on the proposed COSO Enterprise Risk Management (ERM) Framework. We commend COSO and PwC for pursuing this ambitious project, and we believe that the final document will have a significant positive impact on a wide range of entities.

The comments below are organized as follows: Substantive Comments on the Framework Itself, Significant Editorial Comments, and Other Comments. Note that many of the comments have “carry-through effects” due to wording that appears in both the Executive Summary and the larger Framework document. Generally, we refer only to the page numbers within the Executive Summary for such items.

Substantive Comments on the Framework Itself

  1. Type of reasonable assurance / Apparent inconsistency with Internal Control – Integrated Framework – The definition of ERM on page 3 of the Executive Summary mentions providing “reasonable assurance regarding the achievement of entity objectives.” Given this definition, we were surprised to see on page 6 that for the strategic and operational objectives, this means only reasonable assurance of understanding “the extent to which the objectives are being achieved” (not reasonable assurance of actually achieving the strategic and operational objectives). We appreciate the discussion in the document about strategic and operational outcomes being less controllable, but we question whether this reduced controllability is so significant that it is necessary to back completely away from providing reasonable assurance of achieving strategic and operational goals. Even in reporting and compliance, there are many uncontrollable factors, including rogue employees, employee error, changes in regulators’ enforcement strategies, changing interpretations of laws and regulations, etc. If there is a compelling reason to be very cautious with respect to defining reasonable assurance in the strategic and operational areas, then we question whether the definition of ERM on page 3 (“reasonable assurance regarding the achievement of entity objectives”) is consistent with relatively weaker language on page 6 regarding strategic and operational objectives. Should the ERM definition be clarified to address this issue?

    Even more importantly, we question whether the weakened level of assurance for operational objectives on page 6 is consistent with COSO’s Internal Control – Integrated Framework (1992). Specifically, COSO (1992) states that an effective system of internal control is “designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations …” Is the message that ERM provides less assurance than internal control for operational objectives? We are unclear as to the reason for the “disconnect” between the operational assurance level in the present ERM document and that in the 1992 internal control publication, and we believe that this represents a significant conceptual obstacle. In particular, we are unclear whether compliance with the ERM framework implies compliance with the internal control framework. Based on the above conflict, this does not appear to be the case, for internal control appears to go beyond ERM in terms of the assurance provided for operational objectives. However, ERM apparently “encompasses” internal control, which appears to us to be inconsistent. Further, the issue of differing types of reasonable assurance for operational objectives is not addressed in Appendix B, where an attempt is made to discuss the relationship between ERM and internal control.
  2. Risk appetite issues – The document appropriately notes “risk appetite” as a fundamental component of an entity’s internal environment. Given that an entity’s risk appetite presumably drives much of its strategy, and therefore the subsequent risks that will ultimately be encountered by the entity, we believe that more discussion should be provided regarding risk appetite, including:
    1. What is the most appropriate way to measure risk appetite? Are there any “best practices” that could be cited in the document to provide guidance to users in this regard?
    2. Possibly one of the pitfalls that entities encounter is that they believe that their decisions are consistent with “x” risk appetite, whereas their decisions are actually consistent with a “greater than x” risk appetite. In other words, it seems sensible that entities might unintentionally underestimate their risk appetite. We believe that the document should comment on ways to avoid measurement error in determining risk appetite.
    3. What is the possible impact of conflicting interests on the risk appetite? For example, should the risk appetite reflect the preferences of diversified shareholders, institutional investors, board members, top management, employees, or others? Research suggests that managers typically are more risk-averse than are diversified shareholders. In such cases, whose risk appetite should prevail, and what role should the board play in resolving conflicting preferences regarding the risk appetite?
  3. The ERM diagram – Exhibit 2 presents the ERM framework largely as a sequential process. However, we believe that the ERM framework is interconnected and consists of multiple feedback loops and interconnections. Although a framework presented as a linear process may be easier to understand initially, we believe that adopters might behave in a linear fashion. Such behavior detracts from viewing risk management from a holistic perspective. To illustrate, consider whether an internal environment is established prior to objective setting. One of the components of the internal environment, commitment to competence, normally is dependent upon strategic and operational objective setting. Should an organization decide to be a high-volume, moderate-quality producer that utilizes alliance partners to achieve many operational objectives, commitment to competence might receive a low priority for some aspects of the business model (while others certainly will receive a high priority). Risk management is a complex process, and we believe that the ERM framework might overly simplify it in an effort to enhance initial understandability.

    To address this issue, we recommend at a minimum that in the discussion related to Exhibit 2 COSO strongly caution the reader about viewing the ERM framework as being sequential in nature. Alternatively, providing a diagram that moves away from a linear, sequential process could be considered.
  4. Definition of ERM effectiveness – On page 18, ERM effectiveness is defined as “a subjective judgment resulting from an assessment of whether all eight components are present and functioning properly.” In other words, this is a process definition where one subjectively rates the components of the process. An alternative definition could focus on the outcomes—“ERM is effective when the entity has achieved reasonable assurance of meeting its objectives in the four areas.” By this we mean that the entity either has met the objectives, or management at least understands what “less controllable factors” caused the entity not to meet them. While the process approach and the outcome approach each have advantages and limitations, we encourage either:
    1. Consideration of an outcome component in the ERM effectiveness definition (or discussion of why this approach was not used), or
    2. Additional guidance on how one would determine that each of the eight components is functioning “properly.” Are there specific ways to measure “functioning properly” for each of the eight components?

Significant Editorial Comments

  1. Need for succinct synopsis – We believe that one key to the success and acceptance of the framework is its accessibility to the CEO and board of director audiences. Accordingly, we encourage COSO to pay particular attention to providing a very succinct and direct summary of the definition of ERM, the basic framework, the framework’s key components, and ERM’s potential advantages and limitations—perhaps in a 3–4 page top-level synopsis at the very front of the document, or in a re-crafting of the Executive Summary. Such a synopsis should include Exhibits 1 and 2 to better communicate the overall model from the start. As currently written, we are concerned that the Executive Summary may not maximize the chances of securing CEO and director interest. Among our concerns are:
    1. The Executive Summary does not present a diagram of the ERM process until pages 16 and 17. As a result, readers may have difficulty envisioning the framework as they read through the majority of the Executive Summary.
    2. The Executive Summary does not define ERM until page 3—after the relevance and benefits of ERM have been presented. We believe that the definition should be provided up front. Similarly, Chapters 1 and 2 of the Framework document probably should be reversed.
    3. The sections discussing each component of the framework (pages 7–15) are quite detailed and lengthy. We suggest significantly shortening these sections in the Executive Summary and elaborating on the components in the larger Framework document.
  2. Need for greater discussion of strategic and operational objectives – We are concerned that the framework does not provide sufficient depth and details related to objectives in two of the four categories delineated in the document—strategic and operational. The framework illustrates that all steps of the framework should apply to all four categories. However, many of the examples throughout the document, particularly in the control activities section, focus primarily on reporting and compliance issues. These two categories are more commonly understood by the document’s audience than the other two categories, strategic and operational. We suggest specifically walking through each step of the framework for each of the categories.
  3. Need to soften or clarify basis for claims – Pages 2–3 of the Executive Summary describe many benefits of ERM. These culminate with the claim that ERM “helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.” Earlier on page 2, it says that ERM “facilitates management’s ability to both create sustainable value and communicate the value created to stakeholders.” We appreciate the need to communicate the relevance of ERM to professional audiences, but we suggest softening the “selling” of ERM unless there is solid evidence (compelling case studies, large sample studies of companies, etc.) documenting the various advantages of ERM. If such evidence exists, we strongly suggest citing relevant research on the advantages of ERM.
  4. Additional tools/Comprehensive example – The entire document would benefit from further illustrative examples like those found in Exhibit 5.1. Perhaps what the authors could do is to include an appendix at the end of the document that lists resources for entities interested in following the framework (e.g., books, research articles, examples of companies that illustrate important parts of the framework). Also, has COSO considered a second stage of this project in which a comprehensive example of the ERM development process could be illustrated? Such an example could be based on a case study or simply a fictitious entity. In either case, we believe that providing a comprehensive, practical example would further enhance the message. Anything that could be added to the document that would bring it from its currently very qualitative, non-specific focus down to a more concrete, example-driven focus would be helpful in making the document more useful.
  5. Expansion of chapters on risk assessment, risk response, and control activities (Chapters 6–8) – Risk assessment and risk response are essential components of the framework, since they represent the heart or “how-to” portion of risk management. We believe that the framework would benefit by including more in-depth discussion of these components, linking the issues to prior research and theory, and providing specific examples to illustrate the key points. In particular, Chapter 6 appeared to us to be relatively light in its discussion of risk assessment tools and techniques. In addition, we believe that there is not enough guidance related to risk correlations, and any expanded discussion should distinguish among interactions, causal chains, and correlations.

    We believe that the control activities section, Chapter 8, is the least developed in the document. We recommend expanding this discussion to focus more directly on strategic and operational control activities. For example, Simons' (1995) Levers of Control discusses types of strategic controls that include elements of the control activities and internal environment components of the framework. As currently written, we believe that most adopters of the framework will view control activities much the same as was described in COSO (1992) and not focus nearly enough on control activities for strategic and operational risks.

    We also recommend expanding the control activities and risk response sections to discuss the specific costs associated with the choices made for risk reduction (and other responses). Although there currently is a discussion in the document relating to risk assessment being likelihood × impact, there is no discussion of impact costs for risk-response choices and specific costs associated with control activities. We do not believe that basic statements about the trade-off of costs and benefits provide enough guidance. Costs associated with risk management activities can be highly material, but are sometimes necessary. Only after consideration of specific costs associated with risk reduction and sharing can wise decisions about accepting or avoiding risks be made.

Other Comments

  1. Exhibits – Throughout the document, we suggest including a title with each exhibit to clearly identify the contents of the exhibit.
  2. Contents – We suggest expanding the Table of Contents to include various subheadings in each of the chapters.
  3. Paragraphs – We encourage consideration of numbering the document’s paragraphs to assist in referring to specific sections.
  4. Executive Summary (ES), Page 3 – Should “rationalize capital” be “ration capital”?
  5. ES, Page 5 – We encourage clarifying the paragraph “Applied in Strategy Setting.” The message of this paragraph was not clear to us. Is the paragraph saying that ERM involves assessing the riskiness of different strategies?
  6. ES, Page 6 – We believe that generating a desired return from a strategy does not always equal the achievement of strategic goals. We recommend adding goal achievement to illustrate the framework’s reach beyond accounting and financial measures.
  7. ES, Pages 9–10 – We suggest defining “events” (now at the top of page 10) before discussing event identification.
  8. ES, Page 11 – We believe that viewing risks from the perspective of long term and short term could be detrimental. Perhaps this section could be bolstered by adding the notion of precursors to a disease. Long-term risks should be studied for precursors so that monitoring mechanisms can be identified to effectively manage these risks by addressing them before they occur.
  9. Main Framework (MF), Pages 17–18 – We question whether the discussion on ERM and the Management Process adds value to the report, for it raises a number of questions. For example, we disagree that establishing mission and values is not part of ERM. These items serve as belief systems (e.g., Simons 1995, Levers of Control) that help in guiding behaviors of managers and operational employees to help in achieving strategic objectives. Also, we believe that setting performance measures is part of ERM—such measures serve as diagnostic strategic controls. Finally, the discussion indicates that selecting a specific risk response is not part of ERM. Doesn’t the selected response need to be appropriate for the entity’s selected risk appetite? Wouldn’t then the selection of a risk response be part of ERM? Overall, we question whether this discussion should be included at all. Do the benefits of this discussion outweigh the potential confusion that might be created?
  10. MF, Page 22 – The term “corporate culture” is introduced in this section. Is corporate culture a component of Internal Environment? We believe that some additional discussion on the concept of corporate culture is warranted.
  11. MF, Page 29 – The report indicates that the following words are being used interchangeably: mission, vision, purpose. In general, we are concerned whether the whole discussion on strategies, goals, objectives, mission, and vision ties nicely to the strategy literature. For example, does the sentence indicating that “strategic objectives are high-level goals, aligned with and supporting the entity’s mission/vision” have support in the strategy literature? Further, these strategy-related terms appear to be important to much of the discussion in the report, yet they are not defined in the Glossary.
  12. MF, Page 30 – We found Exhibit 4.1 somewhat confusing. We believe that each strategic objective should link to one or more strategies, and each strategy should link to operational objectives that have associated reporting and compliance objectives.
  13. MF, Pages 38–46 – We question why there are so many specific factors listed for event identification (also see Exhibit 5.2). We suggest that adopters be directed to the well-established management literature (e.g., PEST factor literature, Michael Porter’s (1985) Five Forces, industry guides such as Standard & Poor’s or Moody’s) for examples. We believe that the Framework document does not need to be all-inclusive. These exhaustive lists of examples potentially limit the extent of probing that adopters might pursue related to the uniqueness of their businesses. The method utilized in Exhibit 6.1 for impacts of risk assessment likely is a better approach than exhaustive lists.
  14. MF, Page 39 – The subheading is titled “Factors Influencing Strategy and Objectives.” What is the difference between factors and events? Do factors lead to events? Additional discussion may be warranted to clarify the term “factors.”
  15. MF, Page 61 – The term “business objectives” is used. How do business objectives relate to the objectives that are the focus of ERM (i.e., strategic, operational, reporting, and compliance objectives)?
  16. MF, Page 62 – Exhibit 8.1 does not demonstrate clearly that strategic and operational controls are much broader than accounting system controls described in COSO (1992). Again, describing each framework component for strategic, operational, reporting, and compliance objectives would be more effective for making this important distinction.
  17. MF, Page 67 – Concepts of preventive and detective controls are in Exhibit 8.4, but are not well articulated in the body of the framework. We believe that this section would be improved by emphasizing this categorization and its relationship to likelihood and impact in risk assessment (i.e., detective controls reduce impact, and preventive controls reduce likelihood).
  18. MF, Page 76 – We question why a discussion of Prospect Theory was included here, but discussions of broader and perhaps more relevant theories are not included throughout the framework. For example, the ERM framework discussed in this document and other risk management programs heavily emphasize organizational architecture, agency model, and systems theory literature. As an example of how this literature is embedded in a risk management framework, we recommend consulting the University of Illinois’ Project Discovery curriculum. Their accounting program is grounded in viewing accounting from a holistic risk management framework and heavily utilizes these theories.
  19. MF, Page 82 – We found the discussion under the subheading of “The Evaluation Process” to be a bit disconnected. First, there is a list of activities that might be performed to evaluate the process. We assume that these activities are tests, yet they are not referred to as such. However, the next paragraph goes on to talk about the results of tests performed. If the list of activities is meant to describe tests to be performed, then they should be labeled as such. The two tests listed could be described as inquiry and examination of documentation. Would it also be appropriate to include such common tests of controls as observation and re-performance?
  20. MF, Page 93 – We found the characteristics of effective board members (i.e., objective, capable, and inquisitive) to be somewhat inconsistent with the corporate governance literature. Authors typically refer to director independence, diligence, and expertise as the cornerstones of board effectiveness.
  21. MF, Page 96 – We wonder whether the Chief Information Officer should be included in this discussion. This individual has a great deal of responsibility related to the achievement of the objectives listed in the report (in particular, reporting and compliance objectives).
  22. MF, Page 99 – The discussion of the auditor’s responsibilities related to internal control effectiveness should be updated to reflect Section 404 of the Sarbanes-Oxley Act. We realize that the first paragraph on page 100 is likely meant to address this change, but we are not sure if it is sufficient.
  23. MF, Page 102 – Based on the discussion included in this paragraph, it is not clear to us what actions regulators should take as a result of this report. We suggest being more specific about the implications for regulators.
  24. MF, Shaded boxes with examples – Throughout the chapters, several examples are provided in shaded boxes. While we found these examples to be interesting, it was not always clear to us the specific point that is being made. However, in a couple places the report does a nice job of clearly stating the point that the shaded box is intended to convey (for example, see Exhibit 7.1 on pages 53–54; page 61; page 72). Further, the example in the shaded box at the bottom of page 76 may be too abstract. Could the example be modified to be more specific to a business setting?
  25. MF, End of each chapter – We support the intended goal of including end-of-chapter exhibits summarizing the key ideas in each chapter (see Chapters 3–10). However, we believe that some improvements to them could be made. For example, in Exhibit 3.1, we are not sure that the descriptive words for each of these components do a good job of summarizing the narrative. If a one- or two-sentence summary were provided for each item, this might be more valuable than a bullet list of terms. In other cases, the tie between the chapter narrative and the end-of-the-chapter exhibit is somewhat loose (e.g., Exhibit 6.2 uses subheadings that are similar, although not identical, to the subheadings contained in the narrative; Exhibit 7.2 deletes a subheading that was included in the text—Iterative Process).
  26. Appendix B – Is the internal environment comprised of the control environment, as well as additional items? If so, we suggest including an explicit reference to the term control environment.

We hope that our suggestions are helpful and will assist in your development of the ERM framework. Please feel free to contact our committee Chair for elaboration on or clarification of any comment.

Respectfully Submitted,

Auditing Standards Committee
Auditing Section, American Accounting Association

Committee Members:
Dana R. Hermanson, Kennesaw State University (Chair)
770.423.6077, Dana_Hermanson@coles2.kennesaw.edu
Audrey Gramling, Georgia State University (Vice Chair)
Brian Ballou, University of Illinois (Past Chair)
Karla Johnstone, University of Wisconsin–Madison
Roger Martin, University of Virginia
Stephen Asare, University of Florida
Stuart Turley, University of Manchester