The talk around the updated
Internal Control–Integrated Framework has been around how it will impact management teams. For example, have a look at a blurb on the AICPA’s Insights page:
3 Ways the New COSO Framework May Affect Your Business. It asserts that “The new modernized COSO framework will affect businesses in three big ways by:
“Articulating the role of a company when outsourcing. While today's businesses can outsource many activities, they can never outsource responsibility.
“Putting fraud right out in the forefront. A business's control structure must now address issues of fraud directly.
“Highlighting the critical nature of IT. Information technology is a needed component that cannot be avoided in today's business environment. Let's face it, we simply don't use manual ledgers anymore!”
With all due respect to the people behind this post, this is nothing new! The
real impact of the updated framework should be renewed attention to corporate culture, staff competency, and the other root causes of risk management and control failures.
Let’s turn our attention to whether the updated framework will affect the work of the
Look at a recent study by Mark Beasley, Joe Carcello, Terry Neal, and Dana Hermanson that was commissioned by the Center for Audit Quality (CAQ).
A summary in CFO.com described the results of their study of 87 cases where investigations of fraudulent financial reporting by the SEC led to sanctions against the external auditors. Their conclusion was that “the failure to gather ‘sufficient competent audit evidence’ was the top audit deficiency.”
Now these are eminent professors, but does their conclusion make sense?
When there is fraudulent financial reporting, the root cause almost always lies in the integrity of the organization’s leaders, their ability to override internal controls, and so on. As Lord Smith of Kelvin (chair of the
Smith Report (PDF) on audit committees) said in a keynote speech at The IIA’s International Conference in Kuala Lumpur, “the fish rots from the head down.” Just reflect on what happened in the major public cases that have hit the papers. Without exception, there have been questions (if not prosecutions) around the integrity of the organizations’ leaders.
Did the external auditors of these companies do sufficient work and obtain (as suggested by the CAQ-commissioned study) sufficient evidence related to corporate culture and the integrity of leadership?
How do you ever get positive evidence that the culture is appropriate and that the leaders have integrity? It is easy to see red flags when they are waved in your face (such as whistleblower complaints), but that is rarely the case. True, there were whistleblowers at some of these companies, but the complaints were few and generally well after the frauds started.
Should the external auditors be required to obtain positive evidence that culture and integrity are appropriate? The absence of red flags is hardly conclusive.
The updated COSO framework should provide fresh impetus to this question. The framework asserts that its 17 principles need to be present and functioning before the system of internal control can be assessed as effective — and the external auditors are required, for all U.S.-listed larger companies, to assess the system of internal control over financial reporting.
These are the very first of those principles:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
How will the external auditors assess whether these principles are present and functioning? Is it possible for them to obtain sufficient, credible, and persuasive evidence?
They are outsiders and don’t really know how management operates or whether the board meetings include frank discussions and oversight.
How often has any external auditor included comments on either of these issues and discussed them as serious matters with the audit committee? How many external auditor reports have included material weaknesses related to either point?
Somehow, if the external auditors are going to base their assessment on the 2013 framework, as no doubt they will be required to do, they will need to figure out an approach that is both practical and credible.
The same observation hold true for the 4th principle: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” When has the external auditor ever commented about the competency of the CFO or corporate controller?
These will be major problems, in my opinion. But they are problems for the external auditor more than they are for management. Management can simply (and I believe will) assert that they have integrity and competence.
The board will have a problem, as they too have a very limited view of how management operates. They may rely on internal audit, but is that department up to the challenge? It is not easy to go to the audit committee and tell them that any of these principles are lacking.
I welcome your comments.