SOME THOUGHTS ON COSO AND THE WAY FORWARD

REMARKS BY GAYLEN N. LARSON BEFORE THE AUDITING SECTION OF THE AMERICAN ACCOUNTING ASSOCIATION

August 15, 1996

My remarks today are based on over 35 years of audit, preparer, user and consulting experience. I have been fortunate during this period to also have participated in developing accounting and auditing guidance. Observations I will make are my own, not those of any organization I have served.

My activities have included serving as chairman of COSO, the Committee of Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting, and chairman of the task forces which developed COSO's publications, Internal Control - Integrated Framework (the "Framework") and Internal Control Issues in Derivative Usage (the "Derivatives Tool"). Since I am no longer chair of COSO, I hope speaking out on related issues will be viewed constructively by all concerned parties.

The Framework and Derivatives Tool were developed during a period when the corporate community was experiencing a continuing stream of publicly embarrassing breakdowns, some of which clearly have involved fraud. While litigation has been a frequent result, businesses have continued pressing forward to restructure and re-engineer. These organizational changes often involve removal of control-related activities and experienced managers that have performed such activities. The resulting elimination of excess costs and improved productivity clearly has benefited shareholders, including employees fortunate enough to also be investors. With extreme cost pressures, there is an understandable reluctance to accept more regulation and standards.

COSO's objective was to help organizations improve controls, not to increase standards and resulting corporate cost pressures and to find more work for auditors or anyone else. COSO's Framework was developed during a period when the United States General Accounting Office (GAO) was pushing for more involvement by the public accounting profession in client internal control processes.

Let's refer to the COSO Framework before we discuss it further. Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effective and efficient operations, reliability of financial reporting, and compliance with applicable laws and regulations. Five interrelated components are identified: control environment, risk assessment, control activities, information and communication, and monitoring.

With the collapse of the savings and loan industry and the huge cost to taxpayers, Congress responded by imposing internal control reporting on large financial institutions. In anticipation of such a requirement, COSO disaggregated internal control into three categories: operations, financial reporting, and compliance. The idea was to limit the cost of public reporting, if it were mandated, by narrowing the scope of reporting to effectiveness of financial reporting controls. Some persons also expressed concern that independent auditors would be unable to attest to the effectiveness of operating control systems due to (1) a lack of standards for such controls and (2) a lack of expertise at the external audit staff level.

Compliance with laws and regulations also was identified as a separate category of control in the Framework, primarily to respond to Congressional and GAO concerns. The important point is, however, that COSO believes that both (2) reporting and (3) compliance are integral parts of an effective operating control process. The Framework's focus is on achievement of efficient and effective operations. The Framework is not intended, therefore, to be the exclusive turf of internal auditors, external auditors, or of corporate financial personnel. Operating personnel must play a vital role in establishing and maintaining an effective internal control process.

COSO's Framework has been in place for about four years and is experiencing increased acceptance both domestically and internationally. This is occurring because it is proving to be a viable, value-adding tool. Clearly, use of the Framework is growing slower than it would if Congress mandated that all companies report on and obtain an independent auditor's opinion on the effectiveness of their internal control systems. It is questionable, however, whether or not such mandatory reporting would contribute to major improvements in internal control processes. The adverse reporting risk results from the probability that many organizations would respond by seeking the most inexpensive possible way to comply with a mandated reporting requirement, and that such efforts would be viewed as a responsibility of financial or support staff. If operating personnel fail to take the lead, or if they view the task as compliance rather than a way to improve the business of effectiveness, the resulting improvements in control processes often will be minimal.

There is no way to assure all organizations will improve their control processes. Even if public reporting is mandated, substantive progress will only come if organizations believe that good controls are good business and that the COSO Framework is useful in training personnel and helping them design and monitor effectiveness of control processes. Internal audits often can help this occur, and that profession's Control Self-Assessment initiative holds great promise for constructive change.

The GAO is continuing to push for public reporting on the effectiveness of internal controls. Given the concerns which I have mentioned, voluntary changes in corporate governance processes, not reporting, may be a better answer. If the board and senior executives voluntarily and enthusiastically endorse strengthening control processes, much more will be achieved.

It is also important to focus on the risk management aspects of an effective control process. With the Framework's focus on risk of not achieving business objectives, personnel at all levels can utilize the Framework to strengthen processes that reduce the likelihood of material failures of all kinds, not just those associated with financial reporting.

The Derivatives Tool

Development of this 1996 publication was an interesting process. While there is no question that the stream and magnitude of derivatives surprises has been incredible, the business community actively resisted the project. Why? Not only did we hear that the COSO project might damage markets for these products and reduce the ability of organizations to utilize them for legitimate risk management purposes, but a loud cry of resistance to more standards was heard. One of the most surprising comments suggested that, if internal control standards were to be set, it should be done by the Financial Accounting Standards Board! Clearly, that would not only be a diversion from that organization's mission, but it also would elevate resulting guidance to the "standards" level.

As I indicated previously, COSO's objective is and has been to help organizations improve controls. To that end, COSO's most recent report received a complex title, INTERNAL CONTROL ISSUES IN DERIVATIVES USAGE: An Information Tool for Considering the COSO Internal Control - Integrated Framework in Derivatives Applications. The Foreword section of the document even went on to state that "because this document is not an authoritative auditing pronouncement, it was not subjected to due-process procedures. Accordingly, the document cannot be cited by end users of derivative products as an internal control standard on which to judge the adequacy or effectiveness of internal controls. Rather, its purpose is to serve as a reference document, illustrating how the Framework can be employed by end users to evaluate the effectiveness of internal controls surrounding use of derivatives products." While the message seems clear enough, it illustrates the phobia that COSO has faced.

The good news is that the Derivatives Tool publication has been out for several months now without damaging the derivatives market or increasing internal control reporting and attestation costs! The team preparing this report worked very hard over a very short period of time to develop this constructive guidance. COSO's objective was and is publication of information that will prove to be a helpful source of optional guidance that can help organizations reduce the stream of embarrassing control breakdowns. That is good for investors and everyone else involved in the process, with the sole possible exception of the litigation community.

By the way, the unsung heroes in these projects were Coopers & Lybrand, Deloitte & Touche, and members of the two steering committees that contributed countless hours and other resources to development of these publications. All too often we are cynical regarding private sector efforts, rather than expressing appreciation for participants' efforts. I would add that COSO's publications are not being sold with the intent of generating a profit for the sponsoring organizations - they are priced to recover printing and distribution costs. This is consistent with my idea of a private sector initiative designed to be constructive and add value! It is unfortunate that the fear of internal control reporting and mandated processes interferes with the value adding intent of COSO's sponsoring organizations and the individuals and public firms that have contributed to its output.

What Should COSO Be Doing Now?

I am often asked if COSO should go out of business or be tackling other projects. Often I first point out that COSO operates without funding or staff. Out-of-pocket costs are covered by participants and the firms that have agreed to support COSO's initiatives. I then go on to suggest that COSO's sponsoring organizations should continue to focus on adding value by helping their members address internal control issues. It is a big subject and more can be done.

For instance, I have observed a number of failures resulting from re-engineered environments where downsizing eliminated middle layers of management and the new, streamlined organizational structures have failed. A common ingredient seems to be lack of training and tools to facilitate effective risk management and control processes. COSO and/or member organizations could share ideas on how to manage risks better in downsized environments.

Another area that should be addressed is a rehash of the recommendations of the Treadway Commission on Fraudulent Financial Reporting. Have the recommendations been implemented? Are there additional steps that should be taken to address the fraudulent financial reporting problem? The continuing stream of fraud and other corporate surprises suggests that more remains to be done.

With global investments and competition being an increasing reality, COSO also should expend some effort to share ideas with organizations in other countries dealing with similar issues. Not only should we be concerned that the best ideas are available to the sponsoring organizations' membership, but we should be concerned that risks to American investors are not disproportionately higher when they are in global markets.

Another area deserving attention is the increasingly fast pace of communications and decision-making processes. COSO and its member organizations should be thinking about unique, changing aspects of control challenges and helping their members address this new environment.

Another tough but important challenge might be to develop another report similar to the Derivatives Tool, but focusing on processes to achieve compliance with laws and regulations. I believe the Framework could be very useful to enterprises as they think about the processes they utilize to identify laws and regulations and communicate internally on how to comply. To perform such a project, one would need to establish an advisory council composed of representatives from the corporate general counsel community as well as those involved in the public practice of law. Also included should be one or more operating executives (perhaps some who have recently retired who may have time and interest in the subject). I believe this could be a very valuable project, and am confident that some high caliber, well-respected persons could be recruited to provide support for such a project.

The focus of a compliance project would be on the business process utilized to identify and manage risks associated with compliance, not on whether or not specific laws and regulations have been or are being complied with. It is important here to emphasize that I strongly resist the idea of external reporting on compliance. The COSO Framework seems like a natural way for experienced legal operational executives to reexamine and revise internal processes. If reports are generated as a result, they should be privileged and should be directed to senior operating executives and members of the board of directors. They should not be utilized for public consumption or available for use by attacking litigators.

Conclusion

I believe the private sector initiative, commonly referred to as COSO, has added value and can continue to do so in a constructive manner. To make it happen, we have to continue pushing forward and do it in a manner that is warmly welcomed, not feared, by business enterprises and other participants in the process.

