In Praise of the COSO 1992 Internal Controls Framework
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
I have been a fan of the COSO Internal Control–Integrated Framework since it first appeared in draft. It's not perfect, but there is a great deal for which we should commend the authors (a team from PricewaterhouseCoopers).
- At that time, there was no common understanding of what internal control was. The public accounting firms used the term exclusively for financial processes and reporting, although internal auditors used it far more broadly. While it is not perfect, the definition of internal control provided a basis for a common language, which found its way into accounting and auditing rules and regulations.
- There was also a common misconception that internal auditors "owned" internal controls. The COSO framework set this straight, making it abundantly clear that management and the board owned internal control.
- The definition of internal control relates to the achievement of objectives. This takes the discussion from the detail of accounts payable to how you run the organization.
- It also talked about "reasonable assurance." This is an incredibly important concept: even when you have effective internal control systems, errors can occur. (This is still something many auditors fail to understand.)
- The framework has five components. The Control Environment is the foundation for effective internal control, shown as such in the COSO cube. Risk Assessment has to occur before you know what you need Control Activities for, and without Information and Communication, controls that rely on judgment and knowledge will founder. Monitoring, which is a more difficult concept, helps management and the board know that all the other components are working as desired.
- While few people have paid attention to the Control Environment other than the tone at the top aspect, I think the most important discussion in that component focuses on the people who perform the controls. You cannot expect to have effective controls, risk management, or operational performance without the right, skilled, and experienced people.
When the SEC recognized this framework for companies to use for SOX compliance, I was a little concerned. While the framework does a nice job of explaining what internal control is, it is less effective in helping assess internal control effectiveness. It was also not limited to, or focused exclusively on, external financial reporting. However, if companies follow the COSO 1992 steps of identifying risks to financial reporting and then identifying controls to address them, then the framework can be considered useful.
Unfortunately, many ignored that Risk Assessment component and ended up with a set of controls (pre-AS5) that was not based on risks to the financial statements that exceeded acceptable levels, i.e., materiality.
So now COSO is updating the framework. As I wrote in another post, I encourage everybody to review it and provide comments.
I think we should consider these questions:
- Will the framework, if published as drafted, guide management to design effective and efficient internal controls that provide reasonable assurance that the risk to objectives (operational, strategic, financial, and compliance) is at acceptable levels?
- Will it enable an assessment to be made of whether the system of internal control is effective: providing reasonable assurance that the risk to objectives (operational, strategic, financial, and compliance) is at acceptable levels?
- Will it enable an assessment to be made of whether the system of internal control is efficient?
Overall, the new draft adds value to the 1992 framework. However, I have reservations about how it says you should evaluate internal control effectiveness, and about the absence of meaningful discussion of efficiency. I would also like to see more about the interrelationship of the components, as I explained above.
What do you think? What do we need in the 2013 framework?
Posted on Nov 6, 2012 by Norman Marks