In Praise of the COSO 1992 Internal Controls Framework

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
I have been a fan of the COSO Internal Control–Integrated Framework since it first appeared in draft. It's not perfect, but there is a great deal for which we should commend the authors (a team from PricewaterhouseCoopers).

  1. At that time, there was no common understanding of what internal control was. The public accounting firms used the term exclusively for financial processes and reporting, although internal auditors used it far more broadly. While it is not perfect, the definition of internal control provided a basis for a common language, which found its way into accounting and auditing rules and regulations.
  2. There was also a common misconception that internal auditors "owned" internal controls. The COSO framework set this straight, making it abundantly clear that management and the board owned internal control.
  3. The definition of internal control relates to the achievement of objectives. This takes the discussion from the detail of accounts payable to how you run the organization.
  4. It also talked about "reasonable assurance." This is an incredibly important concept: even when you have effective internal control systems, errors can still occur. (This is still something many auditors fail to understand.)
  5. The framework has five components. The Control Environment is the foundation for effective internal control, shown as such in the COSO cube. Risk Assessment has to occur before you know what you need Control Activities for, and without Information and Communication, controls that rely on judgment and knowledge will founder. Monitoring, which is a more difficult concept, helps management and the board know that all the other components are working as desired.
  6. While few people have paid attention to the Control Environment other than the tone at the top aspect, I think the most important discussion in that component focuses on the people who perform the controls. You cannot expect to have effective controls, risk management, or operational performance without the right, skilled, and experienced people.

When the SEC recognized this framework for companies to use for SOX compliance, I was a little concerned. While the framework does a nice job of explaining what internal control is, it is less effective in helping assess internal control effectiveness. It was also not limited to, or focused exclusively on, external financial reporting. However, if companies follow the COSO 1992 steps of identifying risks to financial reporting and then identifying controls to address them, then the framework can be considered useful.

Unfortunately, many ignored the Risk Assessment component and ended up with a set of controls (pre-AS5) that was not based on the risks to the financial statements that exceeded acceptable levels, i.e., materiality.

So now COSO is updating the framework. As I wrote in another post, I encourage everybody to review it and provide comments.

I think we should consider these questions:

  1. Will the framework, if published as drafted, guide management to design effective and efficient internal controls that provide reasonable assurance that the risk to objectives (operational, strategic, financial, and compliance) is at acceptable levels?
  2. Will it enable an assessment to be made of whether the system of internal control is effective, i.e., provides reasonable assurance that the risk to objectives (operational, strategic, financial, and compliance) is at acceptable levels?
  3. Will it enable an assessment to be made of whether the system of internal control is efficient?

I have separately commented on the SOX-specific guidance, and the way in which the framework assesses internal control effectiveness.

Overall, the new draft adds value to the 1992 framework. However, I have reservations about how it says you should evaluate internal control effectiveness, and the absence of meaningful discussion of efficiency. I would also like to see more about the interrelationship of the components, such as I explained above.

What do you think? What do we need in the 2013 framework?

Posted on Nov 6, 2012 by Norman Marks


  1. Norman;
    Glad to see you are working to drum up some interest to get people to provide feedback on the over 500 pages that represent COSO 2013.  It is almost certain the SEC will force U.S. listed company CEOs and CFOs to represent that they conform to the 17 principles articulated in the re-exposure, so it's definitely important.   As you know I am not as big a fan as you are of the 1992 COSO framework, but do think the 1991 exposure draft of the COSO framework was a major innovation at the time.  Unfortunately, the Sept 2012 re-exposure is better but still not as good as the 1995 Canadian CoCo, the OCEG GRC Maturity Framework or the King III principles out of South Africa.

    As a Coopers & Lybrand alumnus I think it's also important to clarify that COSO was authored by C&L long before PwC was born.

    The key question I will be raising in my response to the Sept COSO re-exposure is whether a "control criteria centric" model (which is what COSO 2013 will be) is really what boards of directors need to evaluate management's risk appetite and tolerance, a responsibility Commissions and directors' associations have all stated boards should be carrying out.  COSO has stated it is a control framework and people should look elsewhere for the broader goals of ERM.

    I believe the answer is that COSO 2013 isn't capable of providing that information to help boards.  That applies to risk oversight generally and financial statement reliability specifically.

    On the positive side I can see how COSO 2013 will generate millions of chargeable hours for auditors and consultants.  

  1. Tim, when you say "On the positive side I can see how COSO 2013 will generate millions of chargeable hours for auditors and consultants."

    I just hope you are only being cynical, as otherwise I get as sick of this as of high tax rates (as they destroy more value than they create).


  1. Jan:

    You are correct when you read my comment as cynical.  One of my concerns with COSO since the SEC cast the 1992 framework into the spotlight as a global standard for SOX 404 reporting is that no attempt has been made to study its actual effectiveness as a predictive framework.  Since SOX 404 came into effect, many thousands of companies and their auditors have certified that their financial controls are effective and capable of preventing even a single material error in accordance with COSO 92, and have been proven wrong by the need to restate.

    In addition to all the financial service companies at the heart of the 2008 global financial crisis, which all had effective control systems in accordance with COSO 92 per their CEOs, CFOs and external auditors, per recent news reports MF Global was certified as having effective ICFR by PwC.  This is now part of a major lawsuit launched by depositors that have suffered harm.

    We all need to make a living, but it would be a lot more fulfilling if we could use tools and processes that actually provide real value to stakeholders.  Somebody needs to study why thousands of companies using COSO 92 for ICFR opinions reached wrong conclusions. This should happen before COSO 2013 is put into force.

  1. I agree with the comments regarding auditors as stated above. However, my observations include appreciation for the removal of the word "financial" in the reporting objective. I think this removes any doubt that operational reporting is a critical part of the internal control equation, since operational processes and reports ultimately create the financial environment. I am sad to see a reduced discussion on the effectiveness and efficiency objective; in fact, I detect a diminished emphasis on the objectives of internal controls in this iteration.
  1. Take a look at J-SOX, people; it's really more pragmatic and cost-effective compared to its source (US SOX), as the scope covers 70% of company operations, excluding the HR dept. Of course, due to its much more flexible regulation, Japanese companies are not required to be comprehensively covered by SOX. I think it's definitely much more reasonable, as it reduces or eliminates the chargeable hours of auditors (not that I'm against them, but merely stating the facts).