Knowledge Library


Leech & Co founders and principals, Tim Leech and Parveen Gupta, are considered by many to be two of the world’s top GRC authorities. Both have been recognized and have received numerous awards and accolades for their research and for the practical, leading-edge training they have designed and successfully delivered around the world. Clients that have purchased GRC-related training over the past 20 years from Tim and Parveen include major companies, professional associations, big 4 accounting firms, and public sector departments in the U.S., Canada, the EU, Scandinavia, Australia, New Zealand, Africa, the Middle East, South America and Asia.


Hot Topic: Clarifying COSO’s Raison d'être –  It’s Time To Set Clear Objectives and Report On Progress

Over the past 30 years I have found that one of the most critical elements of good governance is a clear mission statement and set of supporting and aligned end-result objectives. In an ideal world these are accompanied by a set of metrics that establish how progress will be measured. A key role of a company’s Board of Directors is to ensure clear and appropriate objectives exist and to oversee how the organization is doing achieving them, usually by requesting and receiving regular progress reports from management that detail progress. When these fundamental elements of good governance and control are absent, or done poorly, the control deficiency should be seen as, and reported to key stakeholders as, a huge residual risk. The question I raise in today’s blog is this – What are COSO’s objectives and is COSO measuring and reporting progress against those objectives?

My conclusion, for those that don’t like reading long articles, is that the current state of affairs at COSO constitutes, in SOX parlance, a material control weakness, and that this deficiency constitutes a risk of global proportions to investors and regulators around the world.

In the late 1980s, in response to a huge swell in the frequency of fraudulent reporting, a committee called the National Commission on Fraudulent Financial Reporting, better known as the Treadway Commission, was formed, largely as a pre-emptive move to avoid government intervention and regulation. The stated mission of the Treadway Commission in 1987 was a clear one – “Our mission was to identify causal factors that can lead to fraudulent financial reporting and steps to reduce its incidence” (page 1) - a clear and to-the-point mission statement that focuses on the broad goal of reducing the incidence of fraudulent financial reporting.

The sponsoring Committee members in 1987 were as follows:
American Institute of Certified Public Accountants (AICPA)
American Accounting Association (AAA)
Financial Executives Institute (FEI)
Institute of Internal Auditors (IIA)
National Association of Accountants (NAA) (NOTE: The NAA later became the IMA)

Over time this committee became widely known as COSO – Committee of Sponsoring Organizations. COSO still exists today as a well-intending, unfunded, and unincorporated committee. Its membership is unchanged. Progress over the past 25 years on reducing the incidence of fraudulent financial reporting, based on the need for Congressional intervention via SOX in 2002, has not been impressive.
 
COSO’s publicly stated mission today per their website (http://www.coso.org/) is as follows:
 
 

COSO’s mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
 
 

If we focus on the “what is to be achieved” versus the “how to” component of this mission statement we are left with the fact that COSO’s laudable, ambitious, and stated reason for continued existence is to improve organizational performance and governance and reduce the extent of fraud in organizations.
 
It appears that COSO has broadened its mandate significantly since the 80s to one that encompasses improving organizational performance and governance, as well as reducing the incidence of fraud, presumably of all types, including financial reporting fraud.

Since reporting on progress against stated objectives is broadly recognized as a key element of good governance, I decided to complete a review of the COSO website to see if I could locate any progress reports over the past 25 years. I was particularly interested in reports describing how COSO has performed against its original mandate of reducing the incidence of fraudulent reporting, as well as its more recent and much broader mission of improving organizational performance and governance of all organizations.
 
It is worth noting that I don’t consider guidance documents or research reports on specific topics to be progress reports. When I review an organization I want to know a) what is the entity trying to achieve, b) how much progress has been made and how does the organization view its progress against those targets, and, perhaps most importantly, c) what is planned in cases where current performance is below desired levels.
 
Fortunately for me as an unpaid writer, but unfortunately for members of the organizations that form COSO, the COSO website is minuscule by today’s standards. It took very little time (less than 2 minutes) to review the six core pages that form the backbone of the website. I was unable to locate a single progress report, financial report, business plan or other formal report to stakeholders since the organization’s inception in 1987. If anyone is aware of a report from COSO on progress against its stated mission(s) over the past 25 years I would be very interested. Please send copies to me at timleech@leechgrc.com or point me to where I can access them.

In the late 1980s, when COSO was largely a well-meaning pre-emptive effort to avoid intrusive government regulation and make a positive difference of any magnitude, this form of organizational governance may have been OK. Unfortunately, in 2003, the US Securities and Exchange Commission, via SOX regulation and AS 5, elevated COSO to the de facto global control and risk standards-setting organization - an entity that has the ability to make a major difference and global impact on par with the FASB and IASB. Governments, including the US and Canadian governments, and not-for-profits around the world are adopting “SOX-like” regimes that require organizations to report on internal control against the criteria set out in the dated and desperately in need of updating 1992 COSO Internal Control Integrated Framework. COSO’s impact and influence is spreading globally.
 
Tens of thousands, soon to be hundreds of thousands, of CEOs, CFOs and their organizations’ external auditors each year diligently, and sometimes not so diligently, attempt to form opinions on the effectiveness of internal controls over financial reporting, including controls to prevent material frauds, using the dated 1992 COSO internal control framework. Each year tens of thousands of public companies and their external auditors around the world are stating that the company maintained, in all material respects, effective internal control over financial reporting based on criteria established in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission. The cost of this assessment work is in the tens of billions of dollars, on its way to hundreds of billions. Unfortunately for investors and other stakeholders, thousands of these opinions from senior management and external auditors are being subsequently proven wrong by restatements to correct material errors and irregularities in those disclosures. No research is underway that I am aware of by COSO or any other organization to study why.
 
I think it is time members of the COSO sponsoring organizations called on their COSO representative to lobby for major improvements in the control and governance processes in place at COSO. Ask that COSO start by defining some clear and practical objectives and produce publicly available progress reports against those objectives. The current COSO mission statement is akin to wanting to stamp out world hunger and poverty. How about COSO focus all of its energy and resources on the simple and critically important objective of reducing the frequency of materially wrong financial disclosures?
 
As a card-carrying member of both the IIA and IMA I am doing just that here today in this paper. I encourage all of you to do the same. Write Richard Chambers, the IIA COSO representative, and let him know what you think. If you are a member of any of the other COSO members, including the AICPA, the FEI, IMA or AAA, write or e-mail your COSO representative. COSO member representatives are listed on the COSO website. Care enough to try and make a difference to improve the reliability of financial reporting on a global level. Ask for better governance and control processes at COSO, the world’s de facto control standards-setting organization – as ironic as that may seem.