Will the Updated COSO Internal Control Framework Create Problems for the External Auditors?

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The talk around the updated Internal Control–Integrated Framework has been around how it will impact management teams. For example, have a look at a blurb on the AICPA’s Insights page: 3 Ways the New COSO Framework May Affect Your Business. It asserts that “The new modernized COSO framework will affect businesses in three big ways by: 

    • “Articulating the role of a company when outsourcing. While today's businesses can outsource many activities, they can never outsource responsibility. 
    • “Putting fraud right out in the forefront. A business's control structure must now address issues of fraud directly.  
    • “Highlighting the critical nature of IT. Information technology is a needed component that cannot be avoided in today's business environment. Let's face it, we simply don't use manual ledgers anymore!”

With all due respect to the people behind this post, this is nothing new! The real impact of the updated framework should be renewed attention to corporate culture, staff competency, and the other root causes of risk management and control failures.

Let’s turn our attention to whether the updated framework will affect the work of the external auditor.

Look at a recent study by Mark Beasley, Joe Carcello, Terry Neal, and Dana Hermanson that was commissioned by the Center for Audit Quality (CAQ). A summary in CFO.com described the results of their study of 87 cases where investigations of fraudulent financial reporting by the SEC led to sanctions against the external auditors. Their conclusion was that “the failure to gather ‘sufficient competent audit evidence’ was the top audit deficiency.”

Now these are eminent professors, but does their conclusion make sense?

When there is fraudulent financial reporting, the root cause almost always lies in the integrity of the organization’s leaders, their ability to override internal controls, and so on. As Lord Smith of Kelvin (chair of the Smith Report (PDF) on audit committees) said in a keynote speech at The IIA’s International Conference in Kuala Lumpur, “the fish rots from the head down.” Just reflect on what happened in the major public cases that have hit the papers. Without exception, there have been questions (if not prosecutions) around the integrity of the organizations’ leaders.

Did the external auditors of these companies do sufficient work and obtain (as suggested by the CAQ-commissioned study) sufficient evidence related to corporate culture and the integrity of leadership?

How do you ever get positive evidence that the culture is appropriate and that the leaders have integrity? It is easy to see red flags when they are waved in your face (such as whistleblower complaints), but that is rarely the case. True, there were whistleblowers at some of these companies, but the complaints were few and generally well after the frauds started.

Should the external auditors be required to obtain positive evidence that culture and integrity are appropriate? The absence of red flags is hardly conclusive.

The updated COSO framework should provide fresh impetus to this question. The framework asserts that its 17 principles need to be present and functioning before the system of internal control can be assessed as effective — and the external auditors are required, for all U.S.-listed larger companies, to assess the system of internal control over financial reporting.

These are the very first of those principles:

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

How will the external auditors assess whether these principles are present and functioning? Is it possible for them to obtain sufficient, credible, and persuasive evidence?

They are outsiders and don’t really know how management operates or whether the board meetings include frank discussions and oversight.

How often has any external auditor included comments on either of these issues and discussed them as serious matters with the audit committee? How many external auditor reports have included material weaknesses related to either point?

Somehow, if the external auditors are going to base their assessment on the 2013 framework, as no doubt they will be required to do, they will need to figure out an approach that is both practical and credible.

The same observation holds true for the 4th principle: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” When has the external auditor ever commented on the competency of the CFO or corporate controller?

These will be major problems, in my opinion. But they are problems for the external auditor more than they are for management. Management can simply (and I believe will) assert that they have integrity and competence. 

The board will have a problem, as they too have a very limited view of how management operates. They may rely on internal audit, but is that department up to the challenge? It is not easy to go to the audit committee and tell them that any of these principles are lacking.

I welcome your comments.

Posted on Jun 18, 2013 by Norman Marks


  1. Thank you Norman for the post. I've worked with the COSO framework for over 10 years and I've read the Updated Framework. The Update seems to provide more structure for what external auditors will be required to document and understand in their client management, organization structures, and Boards. However, from an internal audit and risk management standpoint, I don't see real improvements in the Update that will help management improve internal controls or give stakeholders greater assurance.


    The Update provides more structure to hold external auditors accountable for litigation (great), but auditors can't effectively assess how well management meets some of these principles and the auditors become the scapegoats. 

    Yes, auditors need to be held accountable for what they can and should be doing, but management and boards need to be the real focus of accountability and I just don’t see the Update improving on this.

  1. Norman: I think the question of whether the new COSO framework will have any impact on external auditors is a good one but needs to be tempered with reality - external auditors have regularly arrived at wrong opinions on internal control over financial reporting using COSO 92 for SOX 404(b) and suffered very few negative consequences. The likelihood is they will continue to arrive at hundreds, even thousands, of wrong opinions opining against the 17 control attributes in COSO 2013 with few serious consequences beyond those that generally flow with materially wrong financial statements with clean audit opinions. In my response to the COSO 2013 re-exposure draft I describe why I believe a "control criteria centric" approach is not optimal. Those interested can read it at: http://www.coso.org/documents/IC_COSO_COMMENTS/2Tim%20Leech_RO%20Leech%20Response%20to%20September%202012%20Reexposure%20Draft.pdf As you correctly point out, it is currently very difficult for external auditors to report their real concerns as they are often very sensitive and put the engagement annuity at risk.
  1. I can't help but still believe, when stepping back, that COSO has become part of the problem not the solution. If we wanted a real solution it would be focused on creating standard expectations of management in executing oversight and operations development duties to accomplish objectives. That is the largest risk to shareholders. Instead, COSO bypassed the issue of poor management (I am not sure why) and continued to build from financial nuance forcing inefficient activities on management that do very, very little in the end. "We are lost in the monster of our own creation..."
  1. Tim, when the external auditors have issued "wrong opinions" the root cause (IMHO) is that they are outsiders and don't understand the business and its people as well as they need.

    Some years ago, a wise CFO told the audit committee that the (external) audit opinion was a commodity they purchased. But if they really wanted to know what was happening within the company, they should ask the internal auditor (me).

    My expectation is that the regulators will want to know, now that the requirement is explicit in COSO 2013, how the external auditors reached their assessment on these key principles.

    Yes, the external audit firms are sensitive to losing the engagement - and that can be put at risk if they question management's integrity. But they have been pushing management's buttons on audit adjustments (many of which detract from a true and fair view) for decades.

    The question now is whether the PCAOB will update AS/5. Frankly, I hope they do not. The top-down and risk-based approach continues to be the best way to assess internal control over financial reporting.

  1. Dan, thanks for the comment.

    My view is that the external auditors have not really been following COSO '92. They follow PCAOB standards and their own internal processes.

    Now that these principles are required for effective internal control by COSO (and written that way by PwC), the game may well have changed.

    The external auditors are likely to ask management for their assessment of these principles. But they cannot rely entirely on management's assessment. What additional work can and should they do?

  1. I think you are right on with this assessment. When the external auditors' documentation on company culture and management integrity consists of a standardized form filled out by a staff person with a few years of work experience, you can see the emphasis they have placed on it. If you asked that staff person how they considered COSO principles when filling out the form, what sort of answer do you think you would get? Short of documented fraud in management, I don't think you will find many negative responses in these forms. They may well need to update their approach.

  1. Norman, S&P & ISS already rate management and governance. Very few are strong. Would suggest many company internal control frameworks already have failed? At least a significant deficiency and for many a material weakness.

    While noble, these principles are not workable for the BOD, management, internal audit or external audit. It is all in the eye of the beholder (or who is paid). What is the scale?

    I continue to ask the question without one positive example, who has publically acknowledged that they have adopted the COSO framework other than to comply with SEC financial reporting and accounting requirements? 


  1. Norman: I think you are right on with the view that the COSO 17 key principles will at least focus management/the SOX 404(a) team and the external auditor (the SOX 404(b) team) to document evidence to support how they assessed each of them, including documenting any testing done to substantiate answers. I agree this is a step in the right direction and the PCAOB has signalled they will be increasing scrutiny on this element in their inspections of external audit firm files. RE AS 5, I don't share your view that it isn't in need of an update. I think it would benefit greatly from a full overhaul.
