COSO Does Not Provide Quality Guidance for SOX

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


As part of a new set of draft guidance, including an update to the Internal Controls Framework that I will review later, COSO has published (also in draft, for comment) Internal Control over External Financial Reporting: A Compendium of Approaches and Examples.

I was hoping that this document would show how the COSO Internal Controls Framework can be applied in an organization’s Sarbanes-Oxley program to identify financial reporting risks and the combination of controls to rely on to prevent or detect material misstatements.

The problem is that while it provides some useful language and examples of controls that might be identified as providing assurance on the integrity of financial statements, it fails the test of helping management identify the right controls to rely upon.

It’s one thing to identify a laundry list of controls that fit the profile of COSO’s Principles and Points of Focus.

It’s an entirely different challenge to identify an efficient set of controls that can be relied upon to provide reasonable assurance that the filed financial statements are free of material error.

While the COSO guide talks about risk assessment and the need to identify sources of material error, it fails to flow that down into the identification of key controls in each component. In the process, it makes mistakes that experienced SOX practitioners will recognize:

  • The examples include the use of ‘risk ratings’ where even low risks require some level of work. However, the first test must be whether there is a reasonable likelihood of a material error; if that test is met, the account is in scope. If it is not met, it is not in scope and no work needs to be done for SOX purposes. As simple as that! Only for in-scope accounts is it useful to assess the relative likelihood of a material error or of a controls failure to (a) assist in control identification and (b) influence the testing that will be performed.
  • The discussion of fraud risk is broad and management should, as part of running the business, have an appropriate set of controls to prevent or detect fraud. However, for SOX purposes, the only consideration should be fraud that might result in a material misstatement of the financials! The new COSO guidance fails to point this out.
  • The COSO document ranges far and wide, including many matters hardly likely to be relevant to the material integrity of the financial statements (such as potential changes in senior executives, or the audit committee reviewing the internal audit plan).

The SEC has shared SOX guidance for management (PDF) that can be used as a safe harbor. Any COSO guidance has to be consistent with the SEC’s product, which demonstrates a true top-down and risk-based approach.

The ingredients are present. If COSO (via PwC, the author of the guidance) can reorder the flow to start with Risk Assessment and demonstrate how the SEC guidance can be followed with the assistance of the updated COSO Internal Controls Framework, they will have made a positive contribution.

As it is, if management follows the COSO guidance in defining internal controls over financial reporting for SOX instead of a top-down approach, they will add controls and cost without necessarily improving the quality of controls.

Why? Because this COSO guidance doesn’t help identify the right controls to include in scope. In fact, it suggests controls that are important for the business but irrelevant to preventing or detecting material misstatements.

I welcome your views and comments (I have shared this post with COSO leaders).

Posted on Oct 15, 2012 by Norman Marks


  1. Norman:

    Thanks for raising the issue. My fear is that not enough people will care enough to bother responding to the COSO re-exposure draft and the SEC will again endorse the use of a seriously flawed framework that public companies around the world will be forced to use.

    When one analyzes the responses to the original COSO 2010 exposure draft it is clear that a large percentage of respondents believe that there is an urgent need to integrate the COSO ERM and COSO board oversight guidance with what COSO terms an "integrated" control framework. Your comments above are in line with this theme. COSO has rejected this feedback and has also rejected feedback that called for COSO to include objective definition and communication as a core category.

    The COSO chair indicated early on that he felt COSO 92 was "timeless" and the die was cast for a 3 year expose/re-expose process that looks like it will accomplish little and, in the eyes of many, be a significant backward step in corporate governance history.

    In my opinion the COSO re-exposure is so flawed the IIA should withdraw as a member of COSO rather than being associated with what I can only term one of the worst corporate governance initiatives I have seen in my 30 plus years in the risk and assurance fields. The IIA owes it to members not to be seen endorsing seriously flawed guidance. Adopting King III from South Africa or the Canadian 1994 CoCo framework would both be a major improvement over the re-exposure draft.

  1.  Thank you for the comment, Tim. My post is not about the redraft but the SOX guidance. What do you think of that document? I think the redraft of the ICF is greatly improved but still has flaws that I will discuss later.

  1. Everyone is entitled to their opinion and beauty is usually in the eye of the beholder.

    I do not believe COSO's intention was to identify "the one right way" to approach internal control over external financial reporting. The "right" controls can vary by organization and what is "efficient" in one organization might not be the case in another. It seems that potential changes in senior executives (who set the tone at the top) and audit committees not reviewing/approving the internal audit plan could impact the financial statements if audits are not conducted on controls related to financial reporting. A compendium is simply a collection of ideas or data and not necessarily the definitive recommended approach to something.

    Tim - Have The IIA withdraw from COSO? Really? Do you believe that will help? Seems like The IIA has a better chance of influencing positive change by being part of COSO. Not that I'm saying it is as bad as you seem to think, but, can you imagine what it would look like if The IIA did not participate in COSO? A lot of experienced people representing a broad range of organizations spent a lot of time and effort trying to improve things. Like most documents written by committee there is some compromise.

    Like I said at the beginning, everyone is entitled to their opinion, but it might be more helpful to offer suggestions for improvements instead of bashing the document published for comment.

  1. Steve;
    I spent considerable time drafting comments to the COSO exposure draft including many detailed recommendations. I believe my technical concerns re the re-exposure and ICFR guidance are well researched and well founded.

    My biggest concern after reading a large number of the comments submitted to COSO related to the December 2010 exposure draft is there is little real willingness on the part of COSO to listen. To the best of my knowledge COSO has invested no time or resources studying why thousands of public companies have reached materially wrong conclusions on control effectiveness using the framework over the past 7 years for SOX 404.

    I believe in being respectful of other people's/groups' ideas. I also believe that this is a two way street that requires COSO to seriously listen to feedback, not just from me, but from scores of very knowledgeable people and organizations that responded to the exposure draft and see serious concerns in the approach COSO is taking. I also think COSO should show more recognition and respect for excellent work being done around the world related to the key elements of good governance.

    Re IIA's participation in COSO I agree that there is merit in trying to influence the Committee's direction but was very concerned when I saw very few significant changes in the re-exposure. The IIA as a full COSO member will have shared responsibility for this work product and the impact on the profession.

    I recognize these are strong views and also recognize that my efforts have very little chance of success.  At least I can say I tried.

  1. Tim, while this post is about the SOX portion, I am interested in your views on the redrafted ICF. Have you read it? What are your updated views?

  1. Norman:
    I have read the redrafted ICFR and have been requesting all the participants in the presentations and workshops I have been running for the IIA to read it as well given it will almost certainly become the framework companies must use by SEC mandate for SOX 404 representations.

    It is important to note that the comment period for the reexposure is very short. It closes Nov 16th.

    I have written and blogged extensively and globally on what I see as the shortcomings of the original 92 framework. I see this update as similar to a renovation of an old house that is done on a rotten foundation, a recipe for major problems going forward. I continue to believe the decision that setting and communicating objectives is not part of an integrated control framework but is a "prerequisite" for control is wrong. This view is shared by many around the world. Both Canada and the UK rejected the view in the mid 90s. I also believe it underemphasizes the importance of measurement controls, commitment controls, including the need to align reward systems, and the role of the board of directors.

    I also believe that not integrating the ICFR with COSO ERM makes no sense and creates confusion. The purpose of "risk treatments" is to increase certainty that objectives are achieved. The ICFR is COSO's view on what constitutes the right combination of risk treatments at a macro level for it to be deemed "effective". Per the re-exposure, if an auditor thinks one of the 17 criteria isn't met the organization is deemed to have ineffective control. This makes no sense to me.
