A reader asked me for a source of guidance on best governance practices, which she wanted for her U.S. company. Before I discuss how I answered, it is worth considering the plethora of frameworks and guidance.
COSO Internal Control–Integrated Framework and Enterprise Risk Management–Integrated Framework
The first thought when it comes to frameworks and guidance for U.S. companies is The Committee of Sponsoring Organizations of the Treadway Committee, commonly called COSO.
This group of five auditing and accounting associations (American Institute of Certified Public Accountants, American Accounting Association, Financial Executives International, The IIA, and the Institute of Management Accountants) has published two frameworks.
The internal control framework, released in 1992 and updated in 1994, provided a common definition and understanding of internal control. It is famous for its "COSO cube," which shows how activities related to internal control operate at different layers and relate not only to financial reporting, but also to operational effectiveness and legal/regulatory compliance. The framework was recognized by the U.S. Securities and Exchange Commission as suitable for adoption by a company in assessing its system of internal control over financial reporting.
Can the internal control framework be used as a guide for best governance practices? While it includes discussion of certain aspects of governance (e.g., the operation of the board and its committees), the focus is on internal controls. I wouldn't use it as a guide to establishing or perfecting governance processes.
The enterprise risk management framework was published in 2004. COSO asserts that it is an extension of the internal control framework, but focused one step above controls — on risk management. I say "one step above" because the purpose of controls is to manage risks.
Can this be used as a guide for governance practices? I don't think so. In fact, I find the internal control framework to be richer with respect to the activities of the board and its committees.
There are other issues with COSO, which I discuss separately.
OECD Governance Principles
The Organisation for Economic Co-operation and Development published its Principles of Corporate Governance in 1999, and they were revised in 2004. The OECD is a highly respected global organization, and these principles merit careful consideration. My opinion is that because the collective and different member countries had to agree, the resulting document is not as aggressive as it should be in defining best practices.
A better document is the 2009 publication, Corporate Governance Lessons From the Financial Crisis. I highly recommend this for any practitioner or student of corporate governance.
The Combined Code
In the United Kingdom, a series of committees (starting in 1992 with the report of the Cadbury Committee and continuing through the Hampel (1998) and Turnbull (1999) committees) has provided some excellent information and guidance on corporate governance. The result of their work is the Combined Code on Corporate Governance. It is principles-based, including guidelines for best practice.
The Combined Code is definitely a good source, but is not as updated as others.
Many nations have their own internal control frameworks (such as the Criteria for Control in Canada) and/or governance frameworks (for example, the Malaysia Code on Corporate Governance). I recommend these for individuals in those countries.
The National Association of Corporate Directors has a campaign to improve corporate governance, with Key Agreed Principles and White Paper Series. This is my second choice for those looking for best practices in governance.
The NYSE and NASDAQ include a number of governance requirements (e.g., the role of independent directors) in their listing standards. For me, the requirements are weak and don't seem to be enforced in practice (especially the ones concerning risk oversight), so I don't find them useful.
ISACA and the IT Governance Institute have developed guidance for governance in IT — but I don't favor defining how IT or finance should be governed without first establishing how governance should operate within the company. In any event, IT governance is arguably a management function and not really "governance" at all — but that's another debate.
King Code III
This is my clear favorite. The new King Code is up-to-date (published in 2009) and has some radical guidance, particularly as it relates to the critical need for board oversight of risk management and the role of internal auditing. There is a good review of it in the February issue of Internal Auditor magazine.
But where is the generally-accepted U.S. and international governance framework? It simply doesn't exist. We now have a global risk management standard (ISO 31000), although COSO has not declared its support or the obsolescence of its own risk management framework.
I think it is time for one to be developed. It is time for interested parties to come together and work on a framework of best governance practices — for the United States, if not for the global economy. The interested parties should include representatives of at least:
- Risk practitioners.
- Auditors (external and internal).
What is your opinion? What do you think of the various frameworks and guidance?