Is COSO the real problem with Sarbanes-Oxley?


When it comes to financial controls, COSO is an article of faith among accountants. For years, it has been the de facto standard for creating these critical controls, and few audit firms would even consider an alternative approach. It's just too risky, and when it comes to client work, why take a risk? 

But that doesn't mean that COSO is perfect. In fact, some think it contains a number of "fatal flaws" that render it a less than optimal framework for the Sarbanes-Oxley era and beyond. One chief critic is Tim Leech, who penned a long critique for the SEC (SEC news) and has put his views into a detailed article in Cost Management. He's now a consultant in the field of ERM and GRC. 

In an editorial in Compliance Week, he writes: "We need a new organization--call it the 'International Accounting Control Standards Board' for starters--that should be formally established, adequately funded, and charged with producing new guidance for management and auditors on how to report on the effectiveness of the controls in place to manage risks to the reliability of financial statements. This new body should be required to revisit the guidance it produces at intervals of no less than every four years, to analyze results, and improve the overall reliability and usefulness of the guidance they issue." 

In his mind, the 20-year-old Internal Control Integrated Framework, the brainchild of the old Committee of Sponsoring Organizations of the Treadway Commission--most call it COSO--is "dated and dangerously obsolete." The real crime, he argues, is that the SEC essentially makes it hard to use another framework. The result has been thousands of materially wrong control conclusions since the issuance of the most recent version, way back in 1992.  

Whether the SEC forces companies to use COSO is not really an issue. For whatever reason, it has indeed become the standard. The use of alternatives like the Canadian CoCo and UK Turnbull framework seems rare. The real issue is whether COSO can adequately address modern accounting and reporting needs. Leech cites data from Audit Analytics that show since Sarbanes-Oxley 404 was implemented, "thousands of public companies and their external auditors that initially reached conclusions that companies had 'effective' internal controls, as defined by the SEC materiality criteria and using COSO 92, were subsequently proven wrong by the need to correct material errors." The culprit in most cases was a faulty control. 

His list of 'fatal flaws' includes: 

  1. An inadequate focus on "commitment" controls, which aim to align employee action and organizational objectives.
  2. An inadequate focus on "defining and communicating objectives."
  3. An inadequate focus on "measurement" or "continuous learning" controls.
  4. An inadequate focus on the obligation of senior management and the board to oversee risk.  

So what's his solution? He recommends zeroing in on critical areas--like fraud and IT security controls--and relying on other frameworks. So he would in essence supplement COSO with guidance from the RedBook, ISO 31000 and other sources. This would make for a financial reporting process that draws on risk and other experts, not just accountants. Part of this process would entail more quantitative risk measures. In a way, the entire exercise seems geared to moving companies away from a narrow focus on compliance toward a posture in which risk management and governance cannot be ignored. In his view, GRC ought to be the overall guiding principle, with financial reporting wrapped in as one prong. 

He would certainly like to see more nuanced thinking from the SEC. But the historic auditor-centric process may make that more difficult. - Jim
