Why was The Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed?
HIRTH COSO was formed in 1985 in response to several instances of fraudulent financial reporting by U.S. stock exchange-listed companies. COSO went on to form the Treadway Commission, led by Jim Treadway, a former U.S. Securities and Exchange Commission commissioner, to determine the cause of this fraudulent reporting and what to do about it. In addition to his findings, Treadway recommended that COSO develop integrated guidance on internal controls. In response, COSO hired Coopers & Lybrand to develop guidance, which resulted in the 1992 Internal Control–Integrated Framework.
CHAMBERS The formation of COSO is an extraordinary example of the business community recognizing the need for improvement and devising an internal control framework that has proven to be an invaluable tool to thousands of organizations over the past 30 years. COSO’s internal control framework is a testament to what can be accomplished when the business community and industry organizations pool their collective knowledge and resources. The joint efforts of The IIA, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, and the Institute of Management Accountants not only produced the groundbreaking, globally recognized 1992 and 2013 internal control frameworks, but also the 2004 Enterprise Risk Management–Integrated Framework.
What has COSO meant to internal auditing?
CHAMBERS COSO’s two frameworks provide internal auditors worldwide a common structure and approach when providing assurance to key stakeholders on internal control and risk management. COSO also provides significant thought leadership on internal control, enterprise risk management (ERM), and fraud deterrence, consistent with its mission to provide guidance to the global marketplace, inclusive of all internal audit practitioners.
HIRTH COSO’s definitive guidance and overall evaluation framework design for effective internal control and ERM has provided significant structure, terminology, and guidance to assist internal auditors around the globe. The COSO frameworks have helped to create a common vocabulary and understanding of these two topics so that internal auditors can be more effective in applying them at their organizations. A key word here, of course, is “effective.” This means not just existence but effective operation so that the objectives of ERM and internal control are met and organizational value is protected or enhanced.
Where has COSO had the biggest impact?
HIRTH Today, every U.S. listed company except one — British Petroleum, which uses the Turnbull framework — uses the 1992 or 2013 COSO internal control framework to comply with Section 404 of the U.S. Sarbanes-Oxley Act of 2002. In addition, the U.S. Office of the Inspector General recently reissued its Green Book Guidance on internal control and adopted the COSO 2013 framework as part of this update. COSO clearly has had a big impact on internal control over financial reporting. The framework has been translated into seven major languages, and China, Japan, South Korea, and India have all mentioned or used aspects of the COSO framework in their respective financial reporting related regulations.
With respect to ERM, studies have shown that the COSO ERM framework is one of the two most commonly used ERM frameworks in the world — the other being ISO 31000 — with about 50 percent of global market share.
CHAMBERS I can’t imagine a major business issue that hasn’t been affected by COSO in some way — primarily because of the widespread acceptance of the internal control and ERM frameworks. The internal control framework, for example, has become almost synonymous with regulated assessment and assertions on controls over financial reporting in the U.S. as a response to Sarbanes-Oxley.
Why did COSO decide to update the ERM framework?
CHAMBERS The nature of business risk is evolving in complexity and speed. Consistent with its mission, COSO must provide an ERM framework that reflects and responds to that evolution. Consequently, an update to COSO’s Enterprise Risk Management–Integrated Framework was announced in 2014 and currently is in process. The update is designed to address the key challenges presented by an increasingly complex business environment and to help organizations worldwide attain better value from their ERM programs.
HIRTH In October, we announced our intention to determine through a broad stakeholder survey whether the ERM framework should be revised, and what should stay the same. We received a fantastic level of response from people around the world, giving us some great comments on potential areas for change and improvement, as well as strong feelings about what should not change. Since then, we have formed our advisory committee and appointed official observers. Our principal author, PricewaterhouseCoopers, has completed several rounds of research, and we have held two advisory council meetings in New York and Chicago. Our project plan contemplates issuing our public exposure draft later in 2015.
What has been the impact of the 2013 Internal Control–Integrated Framework?
HIRTH So far the COSO board is very pleased with the results of the 2013 revised framework. Feedback from around the world has been overwhelmingly positive. People and organizations seem to like the principles-based structure and the Points of Focus, as well as the updated wording and context. Approximately 75 percent of all companies subject to Sarbanes-Oxley with fiscal years ending Dec. 31 have transitioned to the 2013 framework, and a large majority of the comments from those companies have been that the transition to the 2013 framework was not significant in terms of effort but that it did identify some impactful areas for improvement in internal control over financial reporting. Many organizations are now looking at how they can expand the use of the 2013 framework in areas such as nonfinancial reporting, operations, and compliance. We also expect several countries that have mentioned COSO in their respective financial reporting regulations to consider changes as a result of issuance of the revised framework.
CHAMBERS That question may be a bit premature. COSO ended its support of the 1992 internal control framework at the end of 2014, which was just a little more than six months ago. But the COSO board has received positive feedback from many organizations that have made the transition. It is our hope that all our 1992 framework users make the transition and apply the new framework, not just to financial reporting, but to other aspects of their organizations as well, including all internal and external reporting, compliance, and operations.
What are the next steps for COSO?
CHAMBERS We are eager to move forward with our ERM integrated framework update and subsequently roll out the updated framework globally. Also, we are constantly looking for opportunities to offer new thought leadership such as our white paper on the interrelationship between the COSO internal control framework and the Three Lines of Defense model. COSO will continue to monitor financial reporting and other aspects of organizational operations. With the growing changes in business complexity and dynamics, COSO may see the need to create additional frameworks.
HIRTH There’s always “next steps” for COSO. After the ERM framework revision is released, some issues we will tackle include: making sure the ERM framework is translated into other major languages and that it is widely explained, promoted, and marketed through presentations globally; developing additional thought papers to support both the internal control and ERM frameworks; and considering developing additional frameworks. We will continue to challenge ourselves to ensure we are meeting our mission around thought leadership for internal control, ERM, and fraud deterrence.