Is Internal Audit Meeting the Challenge? Perhaps Not!

EY has just released an important study on Internal Audit’s Evolving Role. I strongly recommend a careful read, then separate discussions with your top executives and audit committee members.

Before getting into the substance, it is critical to understand who was surveyed. This was not a typical survey of CAEs or audit committee members. The survey (by Forbes Insight) obtained feedback from:

· CEOs (40%)
· CFOs (27%)
· Audit Committee chairs (17%)
· Audit Committee members (16%)

Executives and audit committee members typically have different expectations of internal audit. As the function reports to the latter, I suggest that the report be read carefully and validated with your primary stakeholders before confirming that the conclusions are appropriate and applicable to your organization.

Here are the key findings:

1. 96% believe that internal audit has an important part to play in the management of risk
2. BUT, 74% believe there is a need for short-term improvement, AND
3. Only 37% involve internal audit in business decisions and strategy

Frankly, the last one does not worry me much. Internal audit should be independent of management, so I am surprised that as many as 37% involve internal audit in making decisions or setting strategy.

Yet, the premise of the EY paper is that internal audit should have a role as “strategic advisor”!

Do you agree? Or do you join me in saying that we should:

1. Provide assurance on the effectiveness of governance processes, risk management, and the related controls
2. Contribute through our audit recommendations and consulting services to the improvement of the above
3. Be a leader and advocate for change and improvement in each of these areas?

Posted on Nov 2, 2010 by Norman Marks


  1. I agree with all of the above. I think involving the internal audit department when introducing new products or processes, especially early on can be valuable and prevents us from coming along behind the decision-makers and finding deficiencies with the newly implemented policies. I hope the 37% is acting in a consultative role and not actively involved in making decisions or designing strategies.

  1. Norman:

    I believe that Internal Auditors should have a role as a "strategic advisor" but not in the sense that you imply.

    The original COSO exposure draft issued in March of 1991 included OBJECTIVES as a full standalone control category (1 of 9 categories versus the 5 categories in the final release). The definition of the control category was as follows:

    "Objectives must be set at an entity-wide level and be linked to objectives set at the functional or unit level.  These established objectives provide the organization's targets, and strategies provide the directions for getting there. Objectives and strategies must be clearly communicated and reasonably attainable, or control breakdowns can occur."

    The final COSO framework issued in 92 and still in use today concluded and formally stated that objectives and objective setting are not part of a control framework.

    If internal auditors aren't doing much in this area the blame must surely lie with the COSO members, including the IIA, who endorsed the COSO 92 decision that objectives and objective setting are not part of a control framework. It is not surprising, given that a whole generation of auditors and managers are trained to audit using COSO 92, with more auditors being trained using this old framework every day, that strategy and objectives get little attention.

    The IIA needs to take a lead role addressing this "fatal flaw" in COSO 92 to prevent the profession becoming increasingly irrelevant in the minds of key customers. The IIA should take the findings in this EY survey very seriously.

    The question I have for Tim is: where does the loop start and where does it end? I'm more comfortable with the idea that business or organisational objectives are the purpose of what we do. The system of internal controls (which includes everything you do to make sure you meet your objectives - risk mgt, governance, compliance, etc before anyone asks) is there to ensure the organisation achieves its objectives. Therefore, I don't think it should be part of the control framework. However, I do agree that internal auditors need to understand the organisation's objectives, which form the context for their work. RM and controls and everything else are effective ONLY if they help the organisation achieve its objectives.

    Comment to Norman: I would really like to see the results of the Forbes Insight survey. E&Y's brochure doesn't present many results, mostly an explanation of their market positioning of internal audit, which is interesting, but not as interesting as what our stakeholders actually think.  It would be great to compare the questions and answers of this survey with those that IIA - UKI had (working with Deloitte) in 2001 in the Value Agenda.

    To your question, I think that the way IA contributes to the organisation is by providing assurance (that's our USP) and by working to help the organisation improve. But we should do it strategically, ie being aware of the mission, vision and strategy of the organisation.

  1. Jackie:

    Thanks for your input but I can't agree with your conclusion that objective setting is not, and shouldn't be considered, a key element of an "integrated" control framework. It is interesting to note that COSO itself included objective setting as a key element of the COSO 2004 ERM - Integrated Framework but didn't explain why it was excluded in the 1992 integrated control framework.

    COSO ERM Integrated Framework states: "Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite."

    I recognize that for whatever reason the IIA, AICPA, FEI and AAA don't seem to want to reopen the old COSO 92 framework for review and improvement. It would seem that the COSO sponsors do not support a continuous improvement philosophy. This should be of great concern to all countries in the world since COSO 92 has been granted special status by the SEC. The largest companies in the world are forced to use it and whole generations of auditors and management are required to study it.

    It may be that, ironically, the leading control framework is one of the biggest risks to good governance.

  1. All the COSO frameworks treat objectives the same way - that having clear objectives is an essential component of internal control (and hence a part of all COSO frameworks). Establishing those objectives, that is, determining exactly what those objectives are, is a management function and not part of internal control.

    It's like Info and Communications - the control frameworks say to have good controls an organization must be able to move information. That's the control - the mechanisms to move information. What information needs to be moved is not part of internal control, or the frameworks.

    I agree with Norman, and do not think that internal audit should have a role as “strategic advisor” -  we have our hands full with an assurance role.


  1. I agree with your position Norman. Internal audit works best when it focuses on the elements you describe.

    I have seen some instances where the audit function has dominated advice to boards and decision makers with some detrimental effects. 

    Some observations:
    · Internal Audit (while important) is but one means of assurance. IA needs to keep the role of different assurance options in perspective.
    · When Auditors enter into the area of providing advice, they are biting off way too much; they are attempting to be all things to all people, and they certainly leave themselves open to scrutiny and lose their independence.
    · Finally, over-reliance on IA for advice, strategy and decision making can disempower employees, and other service providers, which in fact can create an unhealthy risk aversion in an organisation.
    Food for thought.
    Good issue. Thank you.

  1. Thank you, all, for the comments.

    The point on Objectives is interesting. My view:

    1. You need controls within the process of setting strategies and objectives, to ensure they are based on an understanding on stakeholder needs and value; reliable and current information; reliable understanding of risks; etc. You also need controls over the cascading of strategies and objectives throughout the organization, to ensure activities at all levels are in sync with the direction set from the top.

    2. You also need controls to ensure the strategies and objectives are met.

    Rather than speculate about the intent of the COSO authors, I will see if I can get one of them to comment.

  1. Dear Mr. Marks

    I read through the issue. It is good. But my simple observations on the issues discussed are as follows.

    Tone at the Top for a transparent reporting system to the Audit Committee and the independent drive to have those established requirements for a Company are the basic pre-requisites for these aspects to work diligently. I think most of the companies worldwide do not encourage this, even when enforced by law and compliance.

    Having said that, governance has to be evolved right through the bottom of the organogram rather than it being imposed. The best example would be a case study on whether remuneration payable to the Top management (Working Directors) is to be regulated or not.

    So I strongly believe the control gaps in the Top most organogram should be identified and drilled down to the transactions that are being processed in an organisation. This will establish, refine and question the purpose statement of the very existence of the Organisation from the bottom.

    Good article.


  1. So, I checked with somebody from the COSO ICF team. He said that the determination of objectives is absolutely part of the internal control framework. You will find it in the Risk Assessment layer.

  1. 10 years after the introduction of the term "Consulting" to the Standards, we are still struggling to define what it really means and where we draw the line. This question of providing "strategic advice" falls into the same category. SOX and COSO ERM didn't help our cause in that sense either because everyone has been looking at us for help in implementing them (and if we don't, we are allegedly not aligning our priorities with those of management!). I fully agree that we need a seat at the table and that we are an important leg of corporate governance, but it would be about time for the profession to come up with a practice guide or position paper outlining the do's and don'ts of consulting/advice, as well as an explanation of the management versus internal audit roles when it comes to the COSO attributes.

  1. Internal Auditor to act as strategic advisor in the business decision and strategy. Internal Auditor being acting as management representative, is a trust in decision making of the management. It is proven or trusted taking internal auditor a part in business decision, what the internal auditor should prove his understanding towards the management role , while he is entrusted all the checkings for on behalf of the management. A professional with all business understanding he must to possess with him just not subjectively but also objectively, an internal auditor should be asked to be a strategic advisor too, to evaluate how much his understanding is practical to business decision and strategy.

  1. Norman, you might want to have whoever you checked with from the COSO ICF team explain the statements on page 110 of the September 92 Framework volume, which states:

    "The “objectives” component has been eliminated as a separate component. The view expressed by some respondents that the establishment of objectives is part of the management process but is not part of internal control, was adopted. The final report recognizes this distinction, and discusses objective setting as a precondition to internal control." (page 110)

    Page 29 in the Risk Assessment category of the Framework volume states:

    "Objective setting is a precondition to risk assessment. There must first be objectives before management can identify risks to their achievement and take necessary actions to manage the risks. Objective setting, then, is a key part of the management process. While not an internal control component, it is a prerequisite to and enabler of internal control."

    Given the confusion between the COSO 92 text I am quoting and what your COSO ICF person has stated as their personal view of what was meant, perhaps COSO should clarify whether the process used to set and refine objectives over time is, or is not, part of an “integrated control framework” per COSO 92 and rewrite the framework.

    Every management control textbook I have read discusses planning and budgeting as key elements of control. Does COSO want to assert that strategic planning processes and budgeting processes are not part of an "integrated control framework"?

  1. Norman - I agree with your comments that internal audit should be independent of management. Interesting remarks that 37% involve internal audit in making business decisions or setting strategy. We do not know exactly what is inferred by this statement. Perhaps it is just the control aspect and not the making of decisions. I am always wary of these surveys that seem to have a self-interest motivation perhaps behind their publication. But it is what it is.

    Jennifer - I agree with your remarks as noted above.

    Tim - I agree with a good part of what you are saying and frankly your last comment that "the leading control framework is one of the biggest risks to good governance" is the most important statement in this blog and one which I concur with 100%. It is a waste of time to revisit COSO because it will require too much work to redo. There are much better risk frameworks out there that should have been in place in the US but for a variety of reasons were kept off of the market. I don't believe that books should be burned but buried is another matter. COSO should have been buried a long time ago and has served our various constituents poorly especially over the past five years. Does it have good things about it? Sure it does. Can our various members take it and work with it practically? Not at all from what I have seen.

    We are still waiting after so many years to see one comprehensive COSO ERM case because there is none and nobody except for a few folks would be capable of creating one. Put your energies into ISO 31000, ISO 31010, AS/NZS 4360:2004, HB 436, HB 158, HB 158 for ISO 31000, CoCo, King 3, Combined Code



  1. Tim, I checked again and his reply was that he was not on the core team but on the project review and oversight team. So, I think you are right and he is wrong: objective-setting is not an activity within COSO ICF. Instead it is a pre-requisite. You can't identify risks to the business unless you know its objectives.

    I prefer to think that objective-setting is a governance activity, and there are controls within the related governance processes to ensure appropriate objectives are set based on correct and reliable information, established by the appropriate people, approved by the board, etc.

    In other words, just as sales is an essential business activity and there are controls over it, so is objective-setting.

  1. By the way, I do not believe there is a "fatal flaw" (as Tim puts it) in COSO ICF. Auditors should, if they adhere to the Standards and the Definition of Internal Audit, audit the governance processes and its related controls. That would embrace auditing the controls over governance-setting.

    Those controls may exist at several layers of the COSO ICF model, including the entity level (board activities), control activity level (within business processes such as the financial close), risk assessment, and information/communications.

    Internal audit can be a strategic advisor with consulting advice on risk and controls, advocating improvements in management's processes for governance, risk management, and the related internal controls.

    They should not be expected to be a strategic advisor in the way the EY study seems to advocate: that would involve them becoming involved as a part of management and losing their independence.

    I wonder if the author of the study understands the essential role of internal audit, or sees us (incorrectly) as part of management.

  1. Also by the way, we should not confuse COSO Internal Controls Framework (which is pretty solid) with the COSO Enterprise Risk Framework. Just because people may have issues with the ERM Framework does not mean there are similar issues with ICF.

    I like COSO ICF; it fills a critical need for defining and explaining internal control. But I prefer the ISO risk framework to the COSO ERM framework.

  1. Norman:

    You seem to be of the view that COSO ICF should primarily be a tool for internal and external auditors. While I agree that that is primarily how it has been used in real life, the goal of a framework claiming to be an "integrated internal control framework" should be to have senior management and work units use it to help them do a better job managing a business. If the goal of being a useful framework for boards, senior management, and work units was accepted by COSO, I have difficulty believing they wouldn't conclude objective setting should be part of an "integrated control framework".

    If as you imply COSO 92 was mainly created for auditors, I still assert that evaluating the effectiveness of objective setting is a key step. Claiming objective setting is a governance activity but not part of an integrated control framework relegates IC to the back of the bus.

  1. Norman:

    Given that you apparently fully support the position taken in COSO 92 that setting objectives is not part of an integrated control framework, is it fair to say that you also believe that strategic planning, where setting objectives is a key element, is also not part of an integrated control framework?

    In the same vein, do you also support that the budget process, which includes setting of thousands of objectives, is also not part of an integrated control framework?

  1. I agree with Norman's remarks further above on the distinction between the COSO ICF and COSO ERM and preferences. I just agreed with Paul Sobel to write an article for Feb IIA magazine which may be one or two parts on risk assessment. I am going to try and address in this article objectives and strategic planning and the myriad of those items up front that are not so touchy feely in the overall process but which are critical. Hopefully this can be helpful material.

    I say leave these frameworks alone for better or worse. Use the material from them especially COSO 1, some decent research from COSO 2 on ERM but not great for implementation, use some aspects of COSO 3 primarily the principles and use the executive summary of COSO 4 on monitoring but not the rest and then let's just move on to try and make things better.



  1. Tim,

    I don't include procurement, sales, inventory management, financial reporting, compliance, or governance in the "internal controls framework". But I do have internal controls within those processes.

    In other words, internal control is about ensuring the business is run the way it should be, not actually running the business.

    I agree with this, which you will recognize:

    Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    § effectiveness and efficiency of operations
    § reliability of financial reporting
    § compliance with applicable laws and regulations


  1. Norman:

    I am familiar with the quote but suggest it implies that the process used to establish objectives isn't part of an integrated control framework, which is exactly the position COSO 92 took in the final release after rejecting the exposure draft framework produced by the original C&L authors that included objectives.

    I can't accept that view and I still haven't heard your answer on whether strategic planning processes and budget processes are also excluded from your view of what an integrated control framework is, since they involve establishing and refining objectives.

    Senior officers at some companies consciously established objectives to deceive regulators and investors through their financial disclosures. Would you suggest auditors should accept these objectives and assist in determining if controls are "effective" to achieve those aims? What about companies that consciously prioritize profits over safety and/or profits over environmental stewardship?

    Would you not need to "audit" the objective setting process to determine if it was appropriately designed to ensure the board of directors concurs with the objectives set by senior management?

  1. Tim, I see strategic planning and budgeting as business processes over which there are controls.

  1. Norman:

    I see producing and selling goods, and acquiring goods and services to produce goods, as business processes. I can't disagree that semantically budgeting is a "business process" but suggest to you that companies like SAP don't exist to do strategic planning and budgeting but do exist to design, build and sell software, generate profits and increase shareholder value. Strategic planning and budgeting are "ways to achieve objectives" as opposed to end result business objectives, just as IT control manuals, reconciliations, training, board oversight are all "ways to achieve" not end result business objectives.

    Extending your argument, is Internal Auditing a business process in your mind over which there are controls that is not part of an integrated control framework, or is IA an element of an integrated control framework? It is the term "integrated control framework" that is key to the position I am taking.

  1. Tim, COSO ICF includes internal audit as a monitoring control. I agree with that, if the board and management use it that way.

    By the way, sales is a way to achieve the business objective of making money for the shareholders.

    How about thinking of controls as disciplines over the processes involved in setting and achieving objectives?

  1. Norman:

    When I was trained at C&L in 1979 (almost 30 years ago) the framework used terminology that included "basic controls" and "disciplines over basic controls". The C&L control framework was a breakthrough at the time that was helpful, but it isn't terminology that resonates with management and boards and I don't think it is consistent with the claim to being an "integrated control framework".

    Unfortunately for investors, tens of thousands of SOX 404 assessments are done each year without asking the fundamental question of whether clear financial reporting objectives have been established, clearly communicated, and cascaded down. An important issue is whether a company's objective is to be in compliance with GAAP or to "fairly present". Is reliable disclosure of related parties an objective and who owns it? Is it just assumed the objective exists as a precondition to good control but formally articulating it isn't part of an integrated control framework? Why auditors don't address the existence and communication of financial reporting objectives is because it isn't part of COSO 92, the framework the SEC forces them to use. The SOX 404 opinion error rate using COSO 92 shows it needs improvement.

  1. Tim,

    As you know, I am also an alumnus of C&L and very much aware of the difference between basic controls and disciplines over basic controls. It's an interesting distinction that I continue to use from time to time.

    You will recall that when COSO introduced the first drafts of the ICF, the definition of internal control they used was not new to people like you and me. However, it succeeded in extending a common understanding of internal control among external auditors (who had limited it to controls over financial activities), internal auditors, management, and boards. That was its primary purpose, and it did it well.

    Tim, you talk about defining the objectives of financial reporting and offer an interesting choice: "according to GAAP" and "fairly presents". This was and is not a choice! Companies are forced to report according to GAAP. The "fairly presents" concept, which requires non-GAAP information, has effectively been suppressed by the SEC. Most companies report non-GAAP results, because they are more representative of actual performance than GAAP, but then have to reconcile the two. Furthermore, the non-GAAP results cannot be too prominent.

    You talk about "SOX 404 opinion error-rate" as if it is at a high level. As far as I can see, you and perhaps a handful of others, are the only ones who believe that. You blame restatement levels (which are low now and generally nothing to do with SOX) on failures by management and auditors to adequately assess controls over financial reporting. I think that is a gross over-simplification. When you look at the root causes, many come from changes in interpretation of tax regulations and prior period errors that were detected by improved internal controls in the current period.

    - Continued below

  1. If there is a failure in how companies and auditors have assessed internal control for SOX, it has been in the level of attention paid to the Control Environment. This layer of the ICF was described well by COSO and ethical behavior has been the root cause of almost every fraudulent financial reporting case. It also addresses the competence of managers and staff involved in financial reporting - a major root cause of errors. Yet, scant attention has been placed on it.

    If the COSO framework had been employed better, with appropriate attention to the Control Environment, then that error-rate you love to talk about would be very much reduced.

  1. Norman:

    You are right that I like to simplify and distill. With respect to your view on the definition of internal control, I believe the definition proposed by C&L in the 1991 COSO draft to be a much better definition, one that had a much better chance of resonating with senior management and boards. It was rejected by the old guard on the COSO committee. Few senior managers or boards use COSO 92 to help them achieve important business objectives, beyond financial reporting. A survey done by the IMA and Professor Parveen Gupta confirmed this. The final definition of control and the COSO IC framework represent 1970s thinking, thinking that is unfortunately endorsed by the AICPA, IIA, FEI, AAA and the SEC.

    My question to you is simple - Do you believe that COSO 92 is so perfect in its current form it couldn't and shouldn't be improved?

  1. Tim:

    A large number of managers around the world use the definition of internal control and find it useful. I am not sure how you would use a definition or document like COSO ICF to "achieve important business objectives". The framework doesn't do that; instead, it helps you understand how internal controls work to do that.

    On your simple question:

    1. I believe in continuous improvement and agree with you that COSO should re-examine both ICF and ERM.

    2. COSO should re-assess the purpose and value of both frameworks in the current environment.

    3. Once it has completed the re-assessment and, perhaps, re-definition, it should objectively assess whether or not those objectives are being achieved.

    4. Necessary improvements should be drafted and, together with the purpose and value statements, opened for comment.

  1. BTW, Tim, the number of unclean SOX opinions is at its lowest level ever. Perhaps this is an indication that SOX error rate is mythical? See:

  1. Norman:

    Thanks for clarifying your position on the need for COSO 92 reform. Have you conveyed your view on the need for a framework improvement process to the COSO Committee?

    My point re SOX error rate is that, although restatements and SOX 404 management/auditor errors have dropped significantly, they are still in the hundreds per year in the US and in the thousands globally. It would seem to me that COSO and the SEC should be interested in understanding why the application of COSO 92 produced inaccurate effectiveness opinions from both management and the companies' external auditors. Was it how it was applied or the framework itself?

    Would you buy a car from a car company that was disinterested when their cars failed, sometimes resulting in major safety risks, even deaths? e.g. Toyota recall. Some of the SOX 404 opinion errors have related to financial statements that had to have massive adjustments to correct and resulted in share devaluation in the billions.

  1. Tim,

    You have drawn (IMHO) an unjustified conclusion that because there were errors the system of internal control at those companies did not provide reasonable assurance.

    As it says in COSO ICF, and you and I know very well from experience, internal control systems do not provide perfect assurance that errors - even those of material proportion - will be prevented or detected.

    That is why it is essential to look at the reasons for the restatements.

    1. As the PCAOB stated, the external audit firms went too far in requiring restatements for errors that were not material to the investor. Many restatements were made due to technical accounting errors that were immaterial but, according to regulations, required a restatement.

    2. Perhaps the second leading cause for restatements was errors in technical accounting or tax treatments in prior years. I suggest to you, as I have to the firms and the SEC/PCAOB, that when a reasonable determination is made (even if wrong in hindsight) and the external auditor agrees (note that situation), a reasonable level of assurance is being provided by the system of internal control.

    When you take these factors into account, the number of situations indicating that the system of internal control did not provide reasonable assurance and that fact was not discovered during either management's or the external auditor's assessment, is low.

  1. Tim,

    Consider something else we learned at C&L: there is a difference between a control breakdown and isolated exceptions. A single journal entry error, even if material, among thousands in a quarter is not a control breakdown. A single control failure regarding an accounting treatment is not generally indicative of a control breakdown.

    We have had a battle getting external auditors to accept that a single error of material size does not mean that the system of internal control does not provide reasonable assurance. Your coming around in support would be helpful.

  1. Norman:

    I don't disagree with the points you make re legitimate causes of restatements that shouldn't be attributed to "ineffective" IC. Unfortunately the SEC/PCAOB haven't accepted your view which confuses users.

    The point I have made repeatedly is that COSO and/or the SEC and/or the IIA should study instances where there has been a restatement or another form of material control failure and COSO was used as the criteria to gauge effectiveness.  Ruling out defined situations that are not considered to be "ineffective" IC can then be done and instances where model failure or application of model failure defined. My point is don't ignore control breakdowns as a major opportunity to improve going forward.

    If, as you say, there are many instances where management and their auditors misapplied COSO 92 for SOX 404, it would seem to me that COSO should attempt to identify patterns in the misapplication and provide application guidance.  My sense is that in many of the instances where wrong opinions were arrived at, it wasn't that COSO 92 didn't include the area that was the root cause; it underemphasized it, and that resulted in evaluators underemphasizing the attribute or ignoring it altogether.

  1. Tim, the SEC and PCAOB have stated that judgment should be applied to determine whether there has been a material weakness, and the fact of a material error should not mandate the existence of a material weakness. I have spoken to the SEC and PCAOB and know that they understand and (unofficially) agree with the position I laid out.

    I have not said and will not say that anybody misapplied COSO. Why? Because I don't believe that is the case. The determination of whether there is a material weakness has to follow SEC standards, not anything in COSO ICF.

    I believe the SEC should study the root causes of material misstatements and ensure the guidance for management and the standards for auditors address them - and that will mean increased attention to the Control Environment.

  1. Norman:

    I agree that COSO 92 was not intended to be, and is not a framework capable of forming reliable effectiveness opinions using SEC defined materiality for what constitutes "effective".  A statistically significant error rate should be expected.  Has COSO communicated formally to the SEC that COSO 92 was never intended to provide, and is not capable of providing assurance at the SEC defined level, i.e.  capable of detecting even one material accounting error, however created? 

    Accepting what you have laid out above, it would seem to me that investors should simply be told to expect randomly distributed control effectiveness opinions where management and external auditors indicate effective ICFR in accordance with COSO 92 but restatements are later required to correct material accounting errors.  The opinions given by management and external auditors today are that control is effective in accordance with SEC materiality using COSO 92 as the assessment framework.  Do you believe that COSO 92 is not capable of assuring the level of effectiveness the SEC has defined????  If this is true, and it almost certainly is, clear disclosure of this fact would appear to be something that would be useful to investors.

  1. Tim, I don't sit on the COSO board and can't tell you what they have discussed with the SEC.

    What I can say is that the definition of internal control in COSO ICF is that internal control is a process that provides reasonable assurance. The SEC defines what reasonable assurance is.

    I believe you are unfairly castigating COSO ICF for failing to deliver something it was not designed to do. You want it to be a vehicle for designing internal control. It is a vehicle for understanding what internal control is. There is an appendix that can be used to facilitate control assessments, but it is not very good and needs to be tailored for every organization.

    You are blaming a hammer for its inability to screw in a nail. Is it up to the manufacturer of the hammer to tell the user not to use it to screw in a nail?

    If you want to blame anybody for failures in the scope and extent of SOX assessments, blame the SEC and PCAOB. They have essentially defined the work to be done in AS5 and the SEC guidance for management.

    Tim, the COSO ICF Executive Summary lists a few misconceptions about internal control. Here is one:
    “Internal control can ensure the reliability of financial reporting and compliance with laws and regulations.
    “This belief is also unwarranted. An internal control system, no matter how well conceived and operated, can provide only reasonable—not absolute—assurance to management and the board regarding achievement of an entity's objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of simple error or mistake. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the system. Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.”

  1. Good discussion. If you go back to the three bullets at the bottom of your blog, you state that IA should provide assurance on governance, risks and controls, should contribute through recommendations and consulting activities, as well as be a leader for change. Different recent studies have shown that the biggest risks companies run are strategic and operational failures, not financial reporting errors. Should IA then skip the biggest risks, the strategic ones? Could IA not be independent and at the same time comment on the strategic decisions as well as on the strategy process? Given their independent positioning, they should in my opinion identify such processes as tunnel vision. That is when IA can really start to make a difference. That does not say that they should determine the company's strategy. That still is a Board's game.

  1. Carl, I agree to a degree. IA should build the periodic plan to address the more significant risks to the organization - which are very often strategic and operational. My disagreement is probably semantic: I would ask IA to assess management's processes and controls for identifying, assessing, managing and responding to these risks. I would not expect IA to comment on the decisions themselves.

  1. Norman:  You state: "You are blaming a hammer for its inability to screw in a nail. Is it up to the manufacturer of the hammer to tell the user not to use it to screw in a nail?" 

    The SEC has said a "suitable" framework for SOX must be capable of producing reasonably consistent quantitative and qualitative conclusions on control effectiveness and set three other key suitability criteria.  I don't blame COSO for producing a framework in 1992 that isn't capable of producing reasonably consistent quantitative or qualitative conclusions or not having built it specifically for ICFR. 

    I do blame the COSO committee for not candidly and publicly advising the SEC of that fact. Their silence is interpreted by the SEC as agreement with all four IC framework "suitability" criteria.  I do believe it is up to the manufacturer in an instance as globally critical and costly as SOX 404 to tell the SEC what COSO 92 is, and isn't, capable of.  You make many good points above on what COSO 92 isn't capable of and shouldn't be used for.

  1. Norman and Tim, while I love a good heated debate, I want to focus on Carl and Norman. We recently studied Internal Audit's Strategic Role and, semantics aside (there has been some debate on the semantics), executives would generally like Internal Audit more involved in assessing management's processes and controls for identifying, assessing, managing, and responding to strategic risk (Norman's words). The only problem is the majority of executives in the study didn't think Internal Audit had the capability (skills, process, experience) to add value.  So which comes first, Internal Audit completing the strategic assessment or executive management's confidence in the assessment? I think the answer may circle back to Norman's most recent blog on the Strategic Plan for Internal Audit.

  1. Steve, I think the problem is that too few internal audit functions have tackled the processes and controls around strategic risk. If they did, they would demonstrate their value to management.

    Internal auditors are bright, intelligent, curious people who - when permitted by their CAE to think and use their imagination - can deliver valuable insights and suggest improvements. Their ability has yet to be tapped by many audit functions.

    I have hired many auditors over the years who were not permitted to think. They were provided audit programs and told to follow them.

    I removed their chains and required them to unshackle their minds.

    We can do so much, including assessing controls over strategic risk, if we use our native intelligence.

    Perhaps the most important task for an audit executive is to challenge the staff to think, exercise, and grow their imagination.

  1. Norman, I think you have missed the mark on commenting on strategic decisions. Where we auditors find a transaction materially in error we report it right away (along with the gaps in controls that led to it, if any) thus when we find a strategic decision materially in error we should do the same thing. Sometimes there won't be totally objective and clear errors (though sometimes there will be - e.g. failure to consider the responses of a competitor) but where we see what we believe is a material error we have a duty to report that. If the board and management over-rule us after listening to and assessing our concerns that is fine but what is not fine is keeping to ourselves when we see something that we believe could hurt the organization.
