Comments to COSO on Public Exposure Draft Internal Control – Integrated Framework March 2012
Internal Control - Integrated Framework Public Exposure Draft December 2011
Feedback & comments to COSO 29 March 2012
Paradigm Risk | London
1
Contents

Executive summary 3
Recommendations 5
Summary of problems with the COSO approach 7
Introduction 9
Historic context 10
The impact of the Sarbanes-Oxley Act 2002 13
Implementation of SOXA §404 14
Generalising on the performance of COSO 15
Problems with the exposure draft
    The international dimension 21
    Issues with the Exposure Draft 22
    Integrating risk & internal control 26
Attachments
    About Paradigm Risk 28
    About the author 29
Due to the differences in English & American spellings and US-sourced spell checkers, some variation in spellings may be observed in this document. We have attempted to be consistent with spellings involving proper nouns.
© 2012 Paradigm Risk Limited. All rights reserved.
Executive summary

The initial COSO document Internal Control – Integrated Framework issued in 1992 represented a landmark contribution to the debate on internal control. However, it was not definitive and contained some conceptual limitations and flaws. But, relative to the knowledge at the time, it was a diligent and valid contribution to the state of knowledge internationally on internal control.

As a result of its adoption as the de jure standard for assessment of internal control over financial reporting by SEC registrants under guidelines issued by PCAOB under §404 of the Sarbanes-Oxley Act 2002, COSO is now the dominant, if not the only, operating internal control framework for major companies internationally. As is so often the case with regulatory initiatives, the PCAOB endorsement of COSO has had an unintended consequence: since 2002, there has been little or no serious development of other frameworks for internal control or alternative conceptualizations of internal control; the SEC and PCAOB have unintentionally killed innovation in internal control.

Whether COSO (the organization) likes it or not, COSO (the framework) is now captured wholly by its association with SOXA §404. It cannot have it both ways: COSO must either (a) be the framework for assessment of internal control over financial reporting for SEC registrants and leave other areas of internal control to other, less ‘captured’ parties, or (b) encourage the PCAOB and SEC to take over the narrower role of definition of internal control in relation to financial reporting under SOXA §404 and focus on developing the concept of internal control more broadly, open to full competition from other potential innovators. The current redraft shows that the two roles are ineluctably incompatible. Put simply, the current redraft of COSO is not a step forward.

It has failed to assimilate key areas of knowledge in risk and control that have emerged over the period since the initial publication of COSO. Worse, there has been no considered effort to assess robustly the utility of COSO to effect internal control or to support firms using the framework to manage risk. What empirical evidence is available suggests that it makes little or no positive contribution to either task. Furthermore, almost every institution and entity that has drawn on public funds during the bailouts following the global financial crisis has had its internal control assessed under COSO since 2004. COSO has made no effort to explain the impact of its framework on the failure of these firms or to demonstrate that its framework was neither contributory to the over-confident assumptions of management about control prior to the crisis nor ineffectual in the face of the conditions that led to the crisis. Such an outcome seems unlikely.

As a broadly applicable framework for internal control, COSO does not merely require updating; it requires wholesale reconceptualisation. The attempts to ‘update’ COSO on the arbitrary basis of the passage of 20 years since it was originally published appear to be a vanity exercise by COSO (the organization) and a cynical marketing exercise by PwC; no fewer than 37 PwC partners and staff are referred to in the document by name. Given the regulatory fiat from PCAOB and the SEC, this represents an abuse of regulatory monopoly that should attract the ire of the regulators (who, sadly, appear to have been complicit in the exercise).

As redrafted (and indeed as originally drafted and encapsulated in regulation), COSO represents an unsubstantiated, wholly theoretical exercise in defining a rationalist approach to corporate management and internal control. Its contribution to corporate performance has not been tested robustly and, where evidence exists, that evidence suggests it is partially or materially ineffective as an approach to organisational control. Internal control cannot be achieved only through rules.
That corporate executives whose views were sought in the review exercise expressed broadly a desire to avoid wholesale change suggests only that they are averse to the effort and cost of repeating the exercise of introducing SOXA §404 reviews – if they are averse to change without clear benefit, who can blame them?

COSO ERM was a poorly conceived foray into a complex and evolving field. As intellectual, academic and practical disciplines, internal control (outside accounting controls over financial reporting) and risk management are both immature. To attempt a definitive statement of enterprise risk management, based on the imprimatur of the regulatory fiat afforded to COSO, was unwise, unsuccessful and deleterious to the reputation of COSO (the organization). That it has received limited endorsement or application in practice merely reflects its quality and utility and is unsurprising.
Recommendations

In the light of these conclusions, we recommend:

1. That COSO not refine further at present the re-draft of Internal Control – Integrated Framework, i.e. the current Exposure Draft, and that its final release be postponed, potentially indefinitely.
2. That COSO (the organization) dedicate itself to its original purpose: to define the routines required to support assessment of internal control over financial reporting, consistent with the mandate afforded it by the PCAOB.
3. That COSO commission, as a matter of urgency, an independent, objective, methodologically robust evaluation (or, preferably, multiple evaluations) of the efficacy of the COSO framework for internal control (a) over financial reporting and (b) more broadly over other aspects of organizational control.
4. That PCAOB grant funding to COSO to commission this work so that it can be completed independently of private firms that will benefit from a particular outcome of the review or reviews.
5. That, following receipt, assessment and publication of the review(s) commissioned, COSO assess the utility of the current exposure draft and determine its preferred course of action in relation to further amendment and/or publication in relation to internal control over financial reporting.
6. That PCAOB prepare or procure a re-assessment of the essential elements of a framework for internal control over financial reporting (AS2 superseded by AS5) to supplement its existing guidance and publish details of its application of that assessment to any and all frameworks that are and have been submitted to it for evaluation.
7. That, separately from the review exercise of COSO, PCAOB – as the oversight body of the public accounting firms – procure an independent, multi-disciplinary review (or multiple reviews) of the efficacy and utility of major public accounting firms’ risk advisory activities to publicly listed companies.
8. That, based on the findings of the review, PCAOB issue guidance to accounting firms on what, if any, limitations they should place on their advisory activities in corporate risk management.
9. That COSO publicly withdraw its ERM framework or procure and issue an independent, multidisciplinary assessment of its efficacy and utility.
10. That COSO publicly withdraw from further attempts to develop frameworks outside its original purpose of internal control over financial reporting.
11. That COSO expand its governance structure to include representation of all entities affected by its framework through PCAOB and SEC under §404 of the Sarbanes-Oxley Act, including those outside the US.
12. That the current member organizations of COSO establish or consider establishing a separately constituted body, renamed, to assume the role of developing frameworks for corporate internal control more broadly.
13. That the renamed body proceed with appropriate professional and disciplinary caution in the area of enterprise-level control assessment and assurance, governance and the management of risk.
14. That the renamed body determine the suitability and appropriateness of the Exposure Draft for publication in light of its newly established mandate, separated from the quasi-regulatory function of COSO.
15. That the SEC prepare and promulgate requirements that filers state their history of restatement of their financial statements over the preceding 10 year period, including restatements from acquired businesses, where applicable, showing the value of restatement, account (at major account level) and underlying cause(s).
Summary of problems with COSO

We believe COSO suffers from some material conceptual and practical limitations. In summary, these are:

Problem identified: Description

Partial statement of objectives: Higher-level objectives are not described; advisors have frequently misunderstood the implicit relationship between higher-level objectives and control objectives.

Management by objectives: COSO presumes a comprehensive and effective effort to cascade objectives throughout the firm. This is unrealistic, impractical and fosters bureaucracy.

No linkage to causes of corporate failure or under-performance: There has been no robust attempt to link control to the known causes of corporate failure or losses of shareholder value; the principal causes of losses are strategic and strategy-related, which are not considered in the COSO framework.

Over-reach of COSO (as an organization): With COSO’s initiative on ERM, COSO reached beyond both its key area of focus and its competencies. The result is unimpressive and technically flawed, and has resulted in confusion of terms and concepts between the frameworks.

No robust attempt to determine utility: COSO has made no robust or systematic attempt to understand the value contribution of its framework outside the area of financial reporting. There is no evidence available that COSO adds to corporate value.

Inattentive to empirical evidence of failure: The limited evidence available suggests that COSO may not add value outside financial reporting. This evidence has not been assembled, evaluated or addressed in the Exposure Draft.

Not geared to on-going learning or inculcation of lessons of failure: The framework is not dynamic in the sense of having a built-in learning function or the ability to include lessons of failure as they are identified and understood.

Inattentive to impact on perception of users: Misuse of COSO has been observed to result in an illusion of control, arising from management perceptions that the internal control framework can represent that the organisation is ‘in control’.

Linear control representation: The relationship between objectives, risks and controls portrayed by COSO is simplistic and misleading. In reality, objectives, risks and controls, as well as human behaviours, combine in unpredictable ways, resulting in outcomes that could not have been foreseen.

‘Culture’ and assumptions about knowledge: COSO uses the concept of ‘culture’ inconsistently and fails to describe culture properly. As a result, users apply the term indistinctly, resulting in erroneous assumptions about behaviour and control efficacy.

Independence and objectivity: COSO has not been sufficiently diligent in ensuring that the authors are independent from the outcomes of application of the framework or that assessment of the efficacy of its ERM framework is independent and objective.
These problems are discussed in greater depth at pages 15 – 20 of this comment paper.
Introduction

In seeking to understand the strengths and weaknesses of COSO (as amended), it is instructive to consider again COSO’s background and its implications for assessment of the document’s utility and the utility of its underlying assumptions. In the twenty years since the publication of the original Internal Control – Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (hereafter ‘original COSO’) has achieved an astonishing degree of acceptance among its target entities, most notably US listed companies and other SEC registrants. This is due, in large part, to its endorsement by the Public Company Accounting Oversight Board (PCAOB) (itself created by the Sarbanes-Oxley Act) for completion of assertions by management under §404 of that Act, Public Law 107–204 (hereafter Sarbanes-Oxley Act or SOXA), which passed the US Congress in 2002, ten years after the original COSO was published.

The utility of the current COSO initiative – to review and update the 1992 text – can only be assessed against a background of the events that have transpired since then and knowledge that has been developed or emerged in the interim. The context of the review must be the application and performance of the COSO framework and tools over that time. Although this material will be familiar to COSO participants, there are many now using the COSO framework and tools who are far less aware of the history of COSO. Also, even those familiar with the history of COSO view history through a lens (as do we all); this comment essay may provide a different lens for their memories of history and experience. As Santayana observed, “those who cannot remember the past are condemned to repeat it.”
Historic context

Set up in 1986 in the wake of the Savings & Loan crisis and concerns at the time over bribery and corruption, the National Commission on Fraudulent Financial Reporting was a private-sector initiative intended to head off growing congressional activism, notably from the House Committee on Energy and Commerce’s Subcommittee on Oversight and Investigations, which had been conducting an on-going “inquiry into the adequacy of auditing, accounting, and financial reporting practices under the federal securities laws.” Chaired by former SEC Commissioner James Treadway, the Commission was ‘sponsored’ and funded by a group of accounting- and audit-related organizations, all of whom were represented (among others) on its Advisory Board. The report of the Treadway Commission defined fraudulent financial reporting as:

    intentional or reckless conduct, whether act or omission, that results in materially misleading financial statements.

Its recommendations for public companies included the following:

    To set the right tone, top management must identify and assess the factors that could lead to fraudulent financial reporting; all public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection – this is a broader concept than internal accounting controls – and all public companies should develop and enforce effective, written codes of corporate conduct. As a part of its ongoing assessment of the effectiveness of internal controls, a company’s audit committee should annually review the program that management establishes to monitor compliance with the code. The Commission also recommends that its sponsoring organizations cooperate in developing additional, integrated guidance on internal controls.

This provided the impetus to convene the Committee of Sponsoring Organizations to develop “integrated guidance on internal controls.” The initial report of COSO in 1992 gained, deservedly, enormous attention internationally. It coincided with similar initiatives in other jurisdictions but, with its considerable depth and the thoroughness of its Evaluation Tools, quickly established itself as a serious contribution to the debate on internal control over financial reporting. Although its ambit was broader, careful reading of the original COSO shows that it does not purport to cover internal control comprehensively; its coverage is limited to effectiveness and efficiency of operations, financial reporting and compliance with applicable laws and regulations.

Contemporaneously, in the UK, the Financial Reporting Council, the London Stock Exchange, and the accountancy profession established the Committee on the Financial Aspects of Corporate Governance, chaired by Sir Adrian Cadbury. Reporting in May 1992, just before the original COSO was published, the Cadbury Committee reached a broadly similar set of conclusions in relation to the role of internal control. These were subsequently amplified in 1999 by a committee set up by the FRC and London Stock Exchange, chaired by the finance director of gaming operator Rank Group, Nigel Turnbull. The Turnbull Guidance, as it became known, leaned heavily on the structure for internal control devised by COSO. In Canada, the CICA published in 1995 a report called Criteria of Control (CoCo) which, again, relied on a broad logic similar to COSO, although CoCo’s emphasis on entity-level control and human factors in control – reflected in its emphasis on commitment and capability – represented an interesting and potentially productive departure from the process-based stricture of COSO.

In 1996, the US-based Information Systems Assurance & Control Association (ISACA) published Control Objectives for Information Technology (CObIT) for use in evaluation of control over information systems development and operation. A more detailed approach than COSO, CObIT has a much narrower focus but, like COSO, represented control as a cascade of activities from objectives (which it defined for information systems and information technology control), through risks to those objectives, to control activities to mitigate the risks identified.
In 1995, Standards Australia and Standards New Zealand collaborated to publish a standard purporting to cover risk management: AS/NZS 4360. Although not focused on internal control, the terminology of COSO – ‘risks’ to the achievement of objectives – lent itself, at least in the minds of its authors and supporters and a host of consultants in that region and further afield, to being conflated into the debate on internal control. Presenting risk management as a sequential process (though noting narratively that it often does not operate thus), AS/NZS 4360 has generated a host of imitators, each aiming to enhance the stricture of the framework or to broaden its appeal.

Hence, in the years immediately following publication of the original COSO, the ‘internal control as process’ approach of COSO gained considerable support and momentum. Although originally intended to focus on minimization of erroneous or fraudulent financial reporting, its focus broadened considerably to encompass compliance and effectiveness and efficiency of operations. Also, geographically, its reach circled the globe. However, it would be a profound mistake to think that COSO and the ‘internal control as process’ approach it represents have been the only developments in internal control over that period. Although by no means intended to be a comprehensive review, there were at least three other potentially major streams of thought over that time:

Stream 1: Internal control as a substitute for ineffective markets for corporate control

In 1993, Michael Jensen gave a presidential address to the American Finance Association1 in which he talked about:

    the role of the market for corporate control in affecting efficient exit, and how the shutdown of the capital markets has, to a great extent, transferred this challenge to corporate internal control mechanisms . . . [E]vidence indicates (sic), however, . . . that internal control systems have largely failed in bringing about timely exit and downsizing, leaving only the product market or legal/political/regulatory system to resolve excess capacity.

In that paper, citing a wide range of other academic studies, Jensen states:

    Substantial data support the proposition that the internal control systems of publicly held corporations have generally failed to cause managers to maximize efficiency and value. More persuasive than the formal statistical evidence is the fact that few firms ever restructure themselves or engage in a major strategic redirection without a crisis either in the capital markets, the legal-political-regulatory system, or the product and factor markets.

He continued, in relation to corporate control:

    Throughout corporate America, the problems that motivated much of the control activity of the 1980s are now reflected in lackluster performance, financial distress, and pressures for restructuring . . . We therefore must understand why these internal control systems have failed and learn how to make them work. By nature, organizations abhor control systems, and ineffective governance is a major part of the problem with internal control mechanisms. They seldom respond in the absence of a crisis. It appears that internal control systems have two faults. They react too late and they take too long to effect major change. [In contrast], changes motivated by the capital market are generally accomplished quickly – within one and a half to three years.

This valid and desirable conflation of corporate control (relating to the achievement of owners’ control objectives) and internal control has not been pursued by COSO, nor has it formed part of the disciplinarily narrow debate within accounting circles on internal control.

1 Michael C. Jensen, 1993. ‘The Modern Industrial Revolution, Exit, And The Failure Of Internal Control Systems,’ Journal of Finance, 48 (3), July, pp. 831–80.
Stream 2: Obsolescence of traditional internal control approaches

In 1995, another Harvard professor, Robert Simons, published the landmark book Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal.2 In that book, Simons defined four levers of control:

• diagnostic control systems – the traditional systems used to monitor and adjust operating performance, e.g. business plans, budgets, financial and cost-accounting systems
• interactive control systems that provide strategic feedback to update and redirect strategy, e.g. competitive analyses and market feedback reports
• belief systems that communicate core values, such as mission statements, credos and vision statements
• boundary systems that define the limits of freedom, such as codes of conduct and ethics statements

Underpinning all these is what Simons described as “Internal Controls” which “safeguard (sic) information and assets.” Simons’ conception of control as strategic and behavioural represents a substantial broadening of the concept of control and of the use of corporate routines and information to direct and re-direct attention, intention and action. It deliberately brings strategy and strategic direction within the ambit of control, a clear point of departure from the COSO approach.

Stream 3: Integrating control knowledge from other disciplines

Since British psychiatrist Ross Ashby published Introduction to Cybernetics in 1956,3 integrating mechanical knowledge with behavioural understanding has held the promise of enhancing our understanding of control. Cybernetics, Ashby noted, deals with “co-ordination, regulation and control . . . for these are of the greatest biological and practical interest.” As he went on to explain:

    Cybernetics deals with all forms of behaviour in so far as they are regular, or determinate, or reproducible. The materiality is irrelevant, and so is the holding or not of the ordinary laws of physics.

Attempts to integrate understanding of the disparate disciplines of mechanical control and human behaviour have, so far, not translated to corporate internal control. However, in the mid-‘90s, a research initiative at Utah State University was intended to do just that. Combining accounting, behaviour and engineering disciplines, the initiative would have sought to apply these coherently to internal control. Although mooted, to my knowledge, the initiative did not proceed.

Summary, so far

Taken together, these disparate streams indicate that there are multiple perspectives on internal control and that multiple disciplines are potentially involved in securing a robust solution to the challenges of controlling a complex, modern organization. At the turn of the century, conceptually at least, COSO was not the only kid on the block. Internal control was broadly conceived; application to financial reporting was merely one of several strands of thinking under development.

2 Robert Simons, 1995. Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal, Boston: HBS Press.
3 Ross Ashby, 1957. Introduction to Cybernetics, London: Chapman & Hall.
The impact of the Sarbanes-Oxley Act 2002

In the wake of another flurry of accounting scandals in the early part of this century, Congress passed the Sarbanes-Oxley Act in 2002. Rules subsequently promulgated by SEC and PCAOB, the body created by Title 1 of the Act, have changed materially the significance of COSO. It is worth pausing to consider the long title of PL 107–204:

    An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.

This title was very similar to the original areas of investigation of the House of Representatives’ Oversight Committee chaired by Rep. John Dingell (D-MI) and to the focus of the subsequent Treadway Commission. §404 of SOXA requires that the external auditor provide an internal control report that must:

    contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

As written, this is an expansive requirement covering any and all aspects of internal control. However, in its interpretation,4 the PCAOB substantially narrowed the focus of the requirement to internal control over financial reporting:

    the PCAOB is requiring that auditors perform an audit of internal control over financial reporting and to perform that audit in conjunction with the audit of a company’s financial statements.

And:

    Companies use internal controls as checks on a variety of processes, including financial reporting, operating efficiency and effectiveness, and compliance with applicable laws and regulations. The Sarbanes-Oxley Act focuses on companies’ internal control over financial reporting.

This far narrower focus on internal control only over financial reporting drove the rules concerning §404 promulgated by PCAOB. However, (i) the terminology of §404, (ii) the acceptance of COSO explicitly as the de jure standard for the basis of the narrower assessment of internal control, (iii) the broader language and focus of COSO and (iv) the search for professional meaning among internal auditors have all conflated to create an ‘illusion of control’ among executives and board members that is unjustified and unsubstantiated by the procedures laid out for §404 assessment. This was, from the outset, entirely foreseeable to those involved closely in the debate on internal control with the professions represented on COSO.

4 PCAOB Release 2004-001, March 9, 2004
Implementation of SOXA §404

Published GAO data show that, between July 1, 2002, and September 30, 2005, there were 1,390 restatement announcements because of financial reporting fraud and/or accounting errors. By the end of this period, 6.8 percent of filers had restated, or 1 in every 15 firms. Over the period, on average, almost 1 in every 6 firms restated their financial statements. In the period October 1, 2005, to June 30, 2006, there were 396 restatement announcements. Yet here the publicly-available data from GAO cease. Although analyses are available privately, they are expensive to obtain. Remarkably, filers are not required to publish their histories of restatement. The vast number of restatements of financial statements observed since 2002 raises two fundamental questions:

• Has SOXA §404 achieved its principal objective of improving control over financial reporting? and
• What does that tell us about improvements in firms’ internal control efficacy?

Assuming that the period to June 30, 2006 represents the peak of the pressure on firms and audit committees to restate, as the capabilities and diligence of reporters and their auditors have steadily improved since 2002, this would suggest prima facie that SOXA §404 has been effective at improving control over financial reporting, at least in the absence of counterfactuals – evidence to the contrary. Unfortunately, beginning in August 2007, and accelerating through the second half of 2008, the US, and then the world, suffered a banking crisis leading to a global financial crisis. A significant proportion of the 928 firms participating in the US Treasury’s Troubled Asset Relief Program (TARP) under the Emergency Economic Stabilization Act of 2008, which disbursed over $600 billion in temporary capital, were or are SEC registrants and were thus covered by SOXA §404 and COSO. This represents a counterfactual of staggering proportions.

At some point prior to the onset of the financial crisis, executives and board members of each of the SEC-registered firms that subsequently required bailing out must have received assurances that the stated values of the accounts over which they were required to attest were reliable. And yet they were not. Therefore, we can conclude that, even if §404 encouraged greater precision in the accounts of filers, in the case of the TARP participants at least, those accounts were precisely wrong. It is, of course, unfair to lay the blame for this at the door of COSO. Clearly, the accounting assumptions used in the valuation of financial instruments were dependent on a raft of assumptions from the economics of mark-to-market and ‘mark-to-model’ accounting that proved erroneous. However, thinking about efficacy of internal control in this light does expose the fundamental reliance of any assessment of internal control, and any assurance thereover, on the current state of knowledge at the time. Because that knowledge changes, assumptions underpinning internal control will change and the basis of assessment of control must change with them.

Summary

The very success of COSO at capturing attention regulatorily and geographically seems to have inhibited – possibly, to have crowded out – other initiatives to develop coherent approaches to internal control. This matters. If COSO were demonstrably effective in all applicable settings, its dominance could be hailed as a progressive development that contributes positively to the creation of wealth in the US and globally. However, even if COSO were effective at that level, there have been almost no rigorous attempts to assess its effectiveness.
Generalising on the performance of COSO

But more prosaic problems exist with COSO. Here, for the sake of brevity, we attempt to summarise these.

Problem 1: Partial statement of objectives

Ultimately, companies need have only two objectives: (i) to minimize to an economically-efficient level the physical harm they inflict upon natural persons, and (ii) to maximize, over some horizon, their value to shareholders. Enlightened firms may also consider some objective relating to minimizing their exploitation of the commons and production of unpriced negative externalities. All other objectives are subordinate to these. The objectives discussed by COSO feed into these superordinate objectives. However, the link between the objectives established by COSO – effectiveness and efficiency of operations, reliability of reporting and compliance – and these superordinate objectives is unstated. Clearly, there will be a set of strategies with related objectives by which the firm pursues its superordinate financial return objective. Again, the relationship between these and the COSO objective set is unstated. That the linkage is unstated is not a weakness of COSO as written. However, by failing to consider how the framework as written would be applied in practice, the COSO authors made in 1992, and continue to make, a series of idealistic assumptions about the depth of insight practitioners seek and obtain before imposing the COSO framework on an unsuspecting firm. While a problem among firms' control-related employees, this has posed a major and persistent problem among advisors, who have wrought untold damage to firms' understanding of the relationship between corporate performance, subordinate objectives, risk and control. There is a wealth of anecdotal evidence that this has blighted both genuine efforts at strategic and behavioural control and corporate performance. The current COSO redraft does not identify, and makes no attempt to address, this problem.
Problem 2: Management by objectives

The logic of COSO is predicated on a comprehensive and effective corporate effort to define subordinate objectives. This is also idealistic and has been shown, by an extensive academic and empirical literature, to be fraught with human and methodological problems. Management by objectives (hereafter MBO) has long since been abandoned as a serious effort in strategy and corporate planning, yet it persists without either explicit recognition or explanation in COSO. Without doubt, all corporations, divisions, business groups and many teams set objectives, frequently across at least the classes offered by COSO. Often, these will be related to a superordinate group's objectives. Yet the naïvety of predicating a control framework that is expected to be robust to actual operating conditions on a cascading ordering of control across a corporate entity is staggering. The gross over-simplification this implicit assumption represents illustrates the danger of theoretically-derived approaches which lack strong empirical roots or reference to corporate practice. Of course, the pervasiveness of COSO now makes such original empirical reference impossible. This creates a tremendously dangerous logical pit into which the COSO authors appear to have fallen: the COSO MBO framework is how many firms approach internal control (by regulatory fiat), therefore it is the practical and, in some sense, 'correct' approach to internal control. This logic is as circular as it is self-referential. COSO has made no attempt itself to test or challenge either the original assumption or the logic or efficacy of the prevailing practice.
Problem 3: No linkage to causes of corporate failure or under-performance

To our knowledge, there have been no attempts, either in the original COSO or in consideration of the focus and content of the re-draft initiative, to understand the causes of corporate failure or to link these to the exercise of corporate internal control. If, as some research suggests,[5] the preponderance of corporate failures or losses of shareholder value have strategic causes,[6] any meaningful internal control framework must be capable of addressing the control routines required to address corporate objectives at this level. COSO makes no such effort. Without attention to objectives at this level, COSO must make explicit the limitations in its focus, coverage and applicability. Its failure to do so is, at best, potentially misleading and, at worst, disingenuous.

[5] Booz Allen Hamilton, 2004. 'Too Much SOX Can Kill You: Resolving the Compliance Paradox', BAH White Paper, available online.
[6] Defined as "customer demand, competitive pressure, management ineffectiveness"; BAH (2004).

Problem 4: Over-reach of COSO (as an organization)

The framework of internal control cannot be separated meaningfully from the work of COSO the organization. COSO's sloppy and ill-judged foray into enterprise risk management (ERM), based on a framework lifted from the internal control framework, has irreparably muddied the waters of what COSO is and does and what its work can be used for. Most importantly, the term 'risk' is common to both documents; the differences between its respective meanings are inadequately explained. In the light of such confusion by COSO (the organization), users cannot help but be confused about the limits of applicability of both frameworks – the applicability of the COSO internal control framework is made considerably more ambiguous by the COSO ERM framework. There is little COSO (the organization) can now do about this problem; the proverbial 'cat' is out of the 'bag'. To address it will require retraction of the COSO ERM document (which would not represent a loss to the business world) and a clear explanation of the limits of the internal control framework in addressing 'risk', which would need to be defined very clearly and restrictively.

Problem 5: No robust attempt to determine utility

By far the greatest failing of COSO (the organization) in its review of the internal control framework has been that it has made no robust attempt to understand the utility of the framework to corporate users. On the contrary, its popularity and extensive application are seen as evidence of its utility. And perhaps they are. But an equally plausible explanation is that it has been effective at its principal and original task: improving the reliability of financial reporting. Outside that limited focus, its utility and efficacy are unproven; worse, they are substantially untested. At the very least, COSO should have prepared (and should now prepare) a properly independent, robust and rigorous review of the efficacy and utility of COSO. To have any pretense of intellectual honesty, this must address those areas in which COSO has not worked as originally envisaged or as commonly presumed. The findings of such a review, and the range of interpretations thereof, should drive the scope of amendment of COSO, rather than the presumed range of knowledge and the group of people who benefit materially from its existence and current form. This issue is so serious a failing that COSO should withhold publication of its revisions until such a review has been scoped, prepared, delivered, published and, itself, made subject to a period of public comment. The approach taken to review of COSO has been neither independent nor objective, nor has it been intellectually honest or methodologically robust. Given the role of COSO established by §404 of SOXA, this represents an abrogation of responsibility by COSO (the organization). This must be addressed as a matter of both urgency and importance.
Problem 6: Inattentive to empirical evidence of failure

What limited evidence is available suggests that, in practice, COSO does not perform well in supporting corporate efforts at internal control outside the limited focus of the requirements of its use mandated by PCAOB and SOXA §404.[7] There is no evidence that COSO has reviewed the studies which highlight its potential problems in application or that it has addressed substantively the concerns raised.

Problem 7: Not geared to on-going learning or inculcation of lessons of failure

As with the original framework, the COSO re-draft does not provide a mechanism for review of failures of internal control within the firm or other parties, or offer robust approaches for such lessons to be inculcated into the framework or the work resulting from its application. While a careful reading of the principles allows the interpretation that the COSO framework should be used in such a way that it supports this sort of dynamic adaptation or learning, this expectation is not 'front and centre'. And yet any amount of research on risk demonstrates that this facility is among the most important, if not the most important, of all elements of effective management of risk. Again, this omission represents a failure to consider properly how the COSO framework will be used in practice, including the potential for misinterpretation, distortion and the emergence of unintended consequences. The entire framework requires significant review from this perspective as part of the broader review of its efficacy and utility in operation.

Problem 8: Inattentive to impact on perception of users

A key subset of the problems of application of COSO in practice is the illusion of control referred to above. The phrase has its origins in personal psychology.[8] In relation to corporate control, one prominent author[9] uses the phrase to refer to the presentation by the corporate system that it is 'in control' when its corporate assurance routines have no means properly of supporting the assertion. In another context, US essayist William Langewiesche[10] has written about:

the creation of an entire pretend reality that includes unworkable chains of command, unlearnable training programs, unreadable manuals, and the fiction of regulations, checks, and controls. Such pretend realities extend even into the most self-consciously progressive large organizations . . . The systems work in principle, and usually in practice as well, but the two may have little to do with each other.
In both cases – Power and Langewiesche – the underlying problem is the failure of those responsible for the design of the routine or process to consider how the control (or control process) will be used 'in anger', in the mess of busy and resource-constrained practice. In the case of COSO, it is clear that, if any thought were given to this issue at all, it would have been applied by the principal beneficiaries of the expanded practice that would result from its implementation. The outcome of the 'internal control as process' approach was always going to be a greatly expanded role for practice firms whose expertise in control of financial reporting is considerable but limited in other areas of control and, in the vastly more complex area of risk, typically disciplinarily narrow and paltry. Indeed, perhaps the greatest weakness of the COSO framework technically is its representation of risk and how to deal with it. COSO implies that control of risk is the only feasible objective and the principal option in responding to risk. This implication is inappropriate (read: 'wrong') at multiple levels and, again, dangerous in terms of creating an illusion of control where control is not realistically possible or observable. As noted above, the inappropriate and technically dubious foray into ERM by COSO has further muddied the waters.

[7] See, for example, Leen Paape & Roland Spekle, 2012. 'The Adoption and Design of Enterprise Risk Management Practices: An Empirical Study', European Accounting Review, forthcoming (available online).
[8] Ellen Langer, 1975. 'The illusion of control', Journal of Personality and Social Psychology, 32 (2): 311–328.
[9] Michael Power, 2007. Organized uncertainty: designing a world of risk management. Oxford: Oxford University Press.
[10] William Langewiesche, 1998. 'The Lessons of ValuJet 592', Atlantic Monthly, March.

Problem 9: Linear control representation

The underlying logic of COSO is linear: controls manage risks to the achievement of objectives. For each objective, there are multiple risks; for each risk there are one or many controls. Controls can act across different risks, but these relationships are understood; risks may affect the achievement of multiple objectives, but these relationships are understood. Lines can be drawn (metaphorically) between each objective and its attendant risks, and between each risk and its attendant controls; hence, 'linear'. Such depictions (literally) are commonplace in COSO-related implementations and testing. Within statements of account, this is a reasonable representation of reality. Each transaction matches to at least two accounts (a debit and a credit). Ever-present uncertainty is handled using linear (sometimes curvi-linear) rules about value change (such as depreciation) or by reference to external real phenomena (marking to market). In only a few instances does complexity creep in, most notably around valuation of illiquid derivative instruments using 'mark-to-model' approaches. It is important to note that statements of account do not seek to represent reality; they represent a stylized, rule-based interpretation of historic activity, which is a very different thing. For this application – control over financial reporting – COSO is well suited; that is, after all, where it came from. However, effectiveness and efficiency of operations and compliance systems are very different beasts. Consider the following statement from COSO (para. 20):

People do not always understand, communicate, or perform consistently. Each individual brings to the workplace a unique background and technical ability, and each has different needs and priorities. These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity's objective, they can be counterproductive. Yet, people must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between peoples' duties and the way in which these duties are carried out and aligned with the entity's objectives. (emphasis added)
This assertion rests on a simplified and idealized view[11] of control of people individually and in groups. Effectiveness and efficiency of operations and compliance systems are fundamentally human systems – "internal control is a process, effected by an entity's board of directors, management and other personnel"; however, in the case of operations and compliance, there exist complex and changing (dynamic) human interpretation systems, signals and feedback at individual and group levels. The interactions between the rules or directives and the personnel required to implement them can and do create complex patterns of externally- and self-governed behaviour within and between group members or 'actors'. These actors, and the contexts, conditions and events to which they are required to react (replete with mixed signals and messages), interact in unexpected and unpredictable ways; unexpected behaviours and outcomes emerge – hence, 'emergent behaviour'. These are standard descriptions of complex (sometimes 'adaptive') systems. In such systems, linear control routines are unreliable. What is most interesting is when and under what conditions they are unreliable, and why that may have consequences that can be either deleterious or beneficial. Behavioural systems operate in two zones: (i) the stable zone, in which outcomes appear predictable and where, if the system is disturbed, it returns to its previous, stable state, and (ii) the unstable zone, where a small stimulus (an external triggering event or a change in underlying conditions or actor preferences) leads to behaviour that results in an outcome away from the starting point, which in turn can generate further 'divergence'.[12] Technically, in physics, the movement between these states is known as a 'phase transition', sometimes referred to as 'the edge of chaos'.[13] The important message is that the system can easily become dominated by dependencies and relationships we do not understand – by 'unknowns'. It is also important to note, as partially acknowledged in the COSO extract cited, that such 'chaos' is essential to organisational adaptation and innovation:

For an organisation to seek stable equilibrium relationships with an environment which is inherently unpredictable is bound to lead to failure. The organisation will build on its strengths, fine-tune its adjustments – and succumb to more innovative rivals. Successful strategies, especially in the longer term, do not result from fixing an organisational intention and mobilising around it; they emerge from complex and continuing interactions between people . . . [Hence] the importance of openness to accident, coincidence, serendipity. Strategy is the emerging resultant.[14]

[11] Tamas Vicsek, 2002. 'Concepts: Complexity – the bigger picture', Nature, 418, 11 July.
The danger with the linear approach to control of effectiveness and efficiency of operations and of compliance is that neither accommodates 'accident, coincidence or serendipity'; such notions are considered antithetical to control. Worse, COSO's linear approach to control of risk, when applied organizationally – as occurs through PCAOB diktat – stultifies thinking about approaches to risk, reducing it to a control exercise. This is unrealistic and potentially disastrous. Again, this is not applying COSO as written, but is an inevitable and predictable result of (a) giving COSO a broad mandate through PCAOB diktat, (b) the dominance of linear, rule-based thinking in the accounting profession, (c) affording the accounting profession the 'box-seat' in determining the approach to implementation of COSO, and (d) conflating the audit of firms with an opinion on internal control. While the opinion on internal control is limited to one of COSO's three control objectives – control over financial reporting – the COSO framework itself claims a broader relevance (expanded even further by the COSO ERM foray); COSO has done very little to delimit its applicability. An unbiased observer might conclude either that the COSO authors (or amenders) do not recognize the limits of their knowledge and its practical utility, or that they have a vested interest in ignoring those limits. Thus, the PCAOB endorsement of COSO and its resulting dominance is a double-edged sword. COSO must either encourage PCAOB to a more catholic vision of admissible control frameworks, in which it will compete equally as one of many, or delimit its proclaimed utility to internal control over financial reporting – its originally-intended purpose. Failure to do so will result in on-going expansion of the gap between necessary management understanding of organisational control and the frameworks commonly propagated to effect internal control; innovation will remain moribund.
There is much debate in both the internal control and risk fraternities about the relative merits of COSO versus ISO or equivalent approaches. In reality, as applied in practice (or by advisory practitioners, anyway), process-based models of risk commit the same sins of over-simplification; the language is different but the result the same.

Problem 10: 'Culture' and assumptions about knowledge

The revised COSO draft uses the word 'culture' 12 times. The document refers variously to culture, to control culture and to internal control culture. At no time are these defined, explained or differentiated; it is left to the reader to imprint his or her perceptions, associations, biases and misapprehensions on to the meaning of the text in each case. There is no glossary entry for culture, or for any of the other usages.

[12] Jonathan Rosenhead, 1998. 'Complexity Theory and Management Practice', London School of Economics Operations Research Working Paper 98.25, LSE.
[13] Rosenhead (1998).
[14] Rosenhead (1998).
The term first appears at para. 118 as internal control culture, which is presented as synonymous with control environment, the first of the five major elements of COSO. It must, therefore, be both a structurally and a semantically important construct. The same paragraph talks about "establishing a strong culture", used gerundively as the subject of the verb 'to consider' relating to "how clearly and consistently ethical and behavioural standards are communicated and reinforced in practice". As the authors of COSO are no doubt aware, the term 'culture' and its attendant phrases are used extensively by practitioners of internal control and of risk, frequently in relation to control environment or tone at the top, both of which phrases originated with the Treadway Commission. No other concept displays as clearly that the authors of the revised COSO document are either happy to exceed their knowledge, or unaware of the limits of their knowledge, or both. Culture is a useful descriptive phenomenon but has definite limits, as Gareth Morgan suggests:

There is an important distinction to be drawn between attempts to create networks of shared meaning that link key members of an organisation around vision, values, and codes of practice so essential to self-organisation . . . and the use of culture as a manipulative tool. To the extent that the insights of culture are used to create an Orwellian world of "corporate newspeak", where culture controls rather than expresses human character, the metaphor may prove quite manipulative and totalitarian in its influence. The message: observer beware. There is often more to culture than meets the eye and our understanding is usually much more fragmented and superficial than the reality itself. [However,] many management theorists view culture as a phenomenon with clearly defined attributes. Like organisational structure, culture is often reduced to a set of discrete variables such as values, beliefs, stories, norms, and rituals that can be documented and manipulated in an instrumental way.[15]
None of the caution Morgan urges is evident in the way the term 'culture' is used within COSO. The result may not be an "Orwellian world of corporate newspeak" but is neither elucidatory nor even meaningful. The difficulty the COSO authors face is that they cannot explain the term without exposing the limits of their understanding of the term and its practical utility. Yet no term in the internal control lexicon causes more misapprehension or introduces more erroneous assumptions. This is the Catch-22 at the heart of the COSO initiative. Without defining culture and using it consistently, correctly and with humility, COSO causes confusion; defining it introduces diffidence and ambiguity. Both these attributes – diffidence and ambiguity – belong in the mix of a human behavioural system; neither is admissible into the strictures of internal control over financial reporting. Yossarian was right: "That's some catch, that Catch-22".[16]

[15] Gareth Morgan, 1997. Images of Organization, Sage Publications.
[16] Joseph Heller, 1961. Catch-22, Simon & Schuster.

Problem 11: Independence and objectivity

COSO (the organization) has shown scant regard either for its position as a de facto producer of regulatory standards (a role bestowed on it by the PCAOB) or for the independence and objectivity its standards require of others. Not only has the review of COSO (the framework) fallen to successors to its original authors, but also – in one very major sense – to the principal financial beneficiaries of PCAOB's mandate that COSO be used for §404 attestations of internal control. Simply put, PwC is not objective about the utility of COSO and has no incentive to be so. Furthermore, COSO (the organization) has shown scant regard for independence in other matters, supporting one of its board members' (AICPA's) representatives and a leading author of COSO ERM (Prof. Mark Beasley) to review enterprise risk oversight globally. Undoubtedly, Prof. Beasley's experience, knowledge and position give him a clear perspective on risk oversight; however, it is one of many perspectives and is certainly not an unbiased one. In other ways, the various COSO initiatives have shown either scant regard for – or possibly a limited understanding of – independence and objectivity. In common with most such 'research' world-wide in the management fields of governance, risk and internal control, COSO frequently references the opinions of participants – actors – in the corporate governance, risk and internal control efforts of firms as evidence of utility. It is not. Such actors are not unbiased; on the contrary, they have a strong, vested interest in the broader perception of the utility of current practice – the status quo – and are unlikely to report it as either ineffective or invalid. In a parallel point to 'Problem 5' above, only normalized (where possible), objective assessments of effectiveness will go any way to demonstrating the utility of COSO or any other control or risk approach; opinion and perceptions are useful indicators of where to look, but not of what you find when you look there.
The international dimension

With the range of SEC registrant firms offshore who access US securities markets through listings of equity, debt or American depository receipts, the application of COSO is increasingly global. Certainly, its influence is global. And yet its governance remains resolutely American and its locus of benefit presumed to be purely US-centric. PCAOB and SEC, naturally enough, refer to American rather than international accounting standards. While, as a US regulator, that remains SEC's prerogative, its purview and that of COSO is broader; in increasingly globalised capital markets, an ever-growing number of non-US firms fall under COSO's hegemony. The absence of representation and the failure to broaden governance to the governed seems rather like a refusal to amend governance for the:

accommodation of large districts of people, unless those people would relinquish the right of Representation . . . a right inestimable to them and formidable to tyrants only.

While the parallel with the Declaration of Independence is, of course, ad absurdum, the point is valid that the international applicability of COSO suggests its governance should expand to accommodate those its output impacts. There are many routes to achieving this representation. All that is required is the imagination to expand governance to international organizations; IFAC would seem a logical addition.
Issues with the Exposure Draft

The Exposure Draft is, of itself, a worthy enough addition to the debate on internal control. But that is not what the Exposure Draft will be. Upon adoption by COSO, it would presumably be evaluated by PCAOB, which could either accept it as a replacement framework, accept it as an alternative formulation (less likely) or reject it for use in SOXA §404 assessments. Through SEC rule-making, it would have force of law. This is the double-edged sword referred to above. Therefore, the utility of the redraft must be assessed in terms both of its stand-alone utility and of its utility as guidance for SOXA §404 assessments; of the two, the latter will dominate, as its impact will have regulatory force and mandatory applicability to the 8,000 or so SEC filers globally.

The principal changes from the 1992 COSO appear to be:

(i) the 17 principles and explanatory text;
(ii) examples provided in various parts of the text.

The utility of the principles is highly questionable. First, collectively they suffer the problems outlined above. Perhaps most significantly, they are likely to be applied clumsily in practice – to be used as yet another driver of checklists to which registrant firms will be subjected by junior auditors without the knowledge, experience or judgement to apply them interpretively. This will add to registrants' costs without providing any greater knowledge, insight or assurance over control. They are not wrong per se; the approach is simply wrong-headed. It is important to ask the question: what are the principles? The exposure draft states (para. 31):

Principles are meant to enable effective operation of the component and the overall system of internal control, with appropriate use of management judgment.

Presumably, the intention of the authors is that the principles will clarify the focus and content of the firm's internal control approach or framework. However, if management judgement is to be applied, as suggested, why will the judgement of subsequent reviewers be superior? In order to identify failings in the firm's internal control framework, a reviewer would need to assert superior judgement to that of management. Inherently, the principles, as drafted, imply comparative subjective assessment, which will be problematic for auditors, independent or otherwise. In reality, these 'principles' are nothing of the sort. There is no over-arching logic to their derivation or definition. They are more akin to standards of practice. The attributes defining each of the 'principles' also lack a clear logic or framework and appear to have been assembled heuristically. The collection of observations that form the bulk of the revised text appear to be based on limited, highly rationalistic and mechanistic assumptions about how firms operate. Let us take two examples to review the application in practice of the framework as redrafted: competence and risk management (other than fraud-related risks). The immediately relevant 'principles' are:

Principle 4: The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Competence At para. 163, the COSO redraft defines competence as the qualification to carry out assigned responsibilities and requires relevant skills and expertise, which are gained largely from professional experience, training and certifications. It is expressed in individuals’ attitude and behaviour carrying out their responsibilities.
This is a very narrow, mechanistic view of competence and ignores the extremely important elements of professional reflection and the context of application of professional judgement. While there is a nod to the phenomenology of competence in the final sentence, the statement ignores the context of individuals’ experiences and the setting in which the competence will be applied. At no point in the discussion of competence is there a recognition of the essential nature of professionalism, insight and risk-taking as essential elements in innovation, which is the life-blood of any competitive firm. While the discussion of attributes lends itself well to a check-list, it does little to support profit-making to achieve the firm’s super-ordinate financial objective.

Risk assessment: specification of objectives

We have discussed risk identification under Problem 2 (Management by Objectives) above. However, one area bears further comment. The idea of an auditor assessing whether or not management has specified sufficiently robustly across a firm the range of objectives to support comprehensive identification of risks in that firm is either (a) laughable, or (b) an attempt by the authors to fashion a new industry in objectives review to supplement their declining SOXA-related audit revenues. Furthermore, there is a direct contradiction in the text between ‘principle’ 6 and the statement at para. 222, that:

[a]lthough an entity might not explicitly state all objectives, this does not mean that an implied objective is without either internal or external risk. Regardless of whether an objective is stated or implied, an entity’s risk assessment process should consider risks that may occur.
While stepping back from the requirement for comprehensive definition of objectives is realistic, it is inconsistent both with the ‘principle’ as stated and with the over-arching logic of COSO (which is, itself, unrealistic). Either firms specify their objectives comprehensively or they do not. If they do not, the objectives – risks – controls chain is broken.

Identifying and analyzing risk

At para. 224, the Exposure Draft states: Risk identification must be comprehensive.
With this simple and definitive statement, COSO shows clearly that its authors have not grasped the nature of risk as it exists beyond financial reporting and highlights the limitations of the authors’ technical understanding of risk. It is not epistemologically possible for risk assessment to be comprehensive. This is not a minor error or an arcane technical point – it represents a fundamental misunderstanding of what risk is and is not and the limits of management practice to address risk. The glossary defines risk as: The possibility that an event will occur and adversely affect the achievement of objectives.
While seductively simple, this definition is both misleading and limited. First, events or conditions will always occur that will adversely affect the achievement of objectives. Secondly, not all risks are event-related; for example, customers’ preferences may alter – not an ‘event’, but a shift in operating conditions. Thirdly, risk relates fundamentally to the presence of uncertainty about the future; there is an infinite range of possible future states, many or most of which will, relative to current assumptions about the future, “adversely affect the achievement of objectives”. Fourthly, risk can also take the form of complexity or ambiguity or volatility. None of these represents an ‘event’.

The notion of risk is at the heart of the objectives – risks – controls chain. With the definition and usage of risk offered, the COSO authors demonstrate their lack of technical understanding of a term that is at the centre of their framework. If this derives simply from technical bias – from accountants using the term in a way that fits with the intended accounting application of the framework – so be it. However, the consequence is to narrow the utility of the framework to the original Treadway Commission focus of reliability of financial reporting. If risk assessment cannot be comprehensive across uncertainty qua risk, perhaps there is another vector across which it can be conducted comprehensively? If this is what is in the minds of the authors, it must be made clear.

Competence, change and risk

A material weakness of the Exposure Draft document is that it fails to address the combination of ‘principles’ or attributes, all of which operate simultaneously and often interactively and frequently unpredictably. An understanding of the essential role of competence in a firm’s risk management is important, but not competence as defined by COSO – it cannot appear on a job description, policy or objectives statement.
The capacity of professionals to interpret feedback in a system [17], to reflect-in-action and reflect-on-action [18] and to make sense retrospectively [19] of the conditions in which they operate is vital to dealing both with change and with sudden change or crisis. This interaction of factors, and the resulting emergent properties of the firm’s management system, makes the highly routinized approach of COSO problematic in practice.
[17] Chris Argyris and Donald Schön, 1974. Theory in Practice: Increasing professional effectiveness. San Francisco: Jossey-Bass.
[18] Donald Schön, 1983. The Reflective Practitioner: How professionals think in action. London: Temple Smith.
[19] Karl Weick, 1995. Sensemaking in Organizations. Sage.
Integrating risk and internal control

Much like statutory interpretation, an essential principle of drafting guidance documents is either to define terminologies directly or to use words in their everyday meaning. In this sense (particularly when the name of the document includes ‘integrated framework’), a firm that substantively meets the conditions laid out in the document for internal control should be able to be deemed ‘in control’. Of course, there are provisos to this general assessment, which are made clear within COSO.

The difficulty arises in relation to the hierarchy of control issue. In the COSO framework, controls are associated with risks to the achievement of objectives; if the objectives have a reasonable probability of being achieved (or, conversely, an acceptably limited probability of not being achieved), the organization is deemed to be ‘in control’. Control, therefore, appears as both a higher-order objective and a routine for the achievement of lower-order objectives. Within both the 1992 and currently-revised COSO framework, this contradiction is clearly confusing and unreconciled.

One possible alternative construction is the idea of a hierarchy of control – control operating at multiple levels of the organization as routines linked to the focal point of the level in the hierarchy. In this construction, control appears as a requirement at multiple levels of the hierarchy where the objective depends on the focus or field of control – external risk sources / counterparties / exposure paths, internal sources and organisational or internal subsystems (e.g. human/cultural or analytical):
FIGURE 1 Partial depiction of the control hierarchy from Paradigm Risk’s PREFace framework
[Figure: hierarchy levels shown, from the top: value creation; strategy; objective-setting and monitoring; . . . (intermediate elements not shown); information; data; transaction]
By addressing all levels of organisational exposure class, this approach clarifies the difference between an organisation being ‘in control’ and achieving control within a class of activity. Part of a larger, multi-dimensional framework [20], this construction provides greatly improved clarity and diagnostic focus for assessment of control performance.

COSO’s current, linear representation of objective – risk – control invites the superficially seductive appeal to integrate the firm’s control framework (i.e. COSO) with an organisational risk framework. However, this is problematic at two levels:

(i) the ‘risk’ referred to in COSO represents only a narrow class of ‘risks’ – known risks to objectives, specified as sub-objectives of the firm’s superordinate objectives (i.e. the MBO cascade of objectives called for in COSO’s new principle 6), and

[20] The larger framework is known as PREFace – Paradigm Risk Enterprise Framework & Active Control Environment
(ii) both risk and control disciplines (or disciplinary sets – each is an inter-disciplinary construction) are relatively immature; the current state of our knowledge does not permit integration of separate and incomplete concepts with any likelihood of achieving a framework that is mutually exclusive, comprehensive or exhaustive. Indeed, given the complexity of the underlying behavioural system in the firm, such integration may never be possible with any expectation of efficacy of the resulting control system.

While superficially tempting, the exhortation to attempt integration of risk and control frameworks is driven by confusion emerging from the language of COSO – from the narrow use of the term ‘risk’ and the ambiguity of the term ‘control’. Considerably improved knowledge about both constructs is necessary before integration is either feasible or desirable. The current COSO redraft does not move that point closer.
A summary including recommended actions is shown at the front of this paper.
ATTACHMENT 1
About Paradigm Risk

Paradigm Risk is a specialist, multi-disciplinary strategic risk and governance consultancy bringing together expert consultants and practitioners in the fields of governance, risk and assurance. Paradigm Risk offers experience-based and thought-led advisory services in governance, risk and assurance to financial institutions as well as to the broader corporate community and government agencies.

In a modern financial institution, managing the governance processes for risk and for prudential and other regulatory compliance is a constant challenge, as are providing assurance over compliance with applicable regulations and managing the supervisory interface. Managing the association between the firm’s risk preferences and profile and its business objectives and regulatory requirements in risk is, similarly, an on-going challenge. Paradigm Risk brings both practical and theoretical insights to bear on these twin problems of performance and of regulatory change and compliance, especially in areas of risk and firm-level governance requirements.

In the corporate sector, we work with boards and senior executives to understand how they can take ‘more risk’ more safely; that is, how they can understand and anticipate risk better and become more responsive and more resilient to risk and uncertainty. Paradigm Risk aims to move the discourse on risk in the firm from assurance routines to a strategic debate that can help the firm to identify and exploit strategic opportunities through better execution and better-focused assurance to discharge governance responsibilities.

In the public sector, Paradigm Risk advises on dealing with uncertainty in policy formulation as well as the impact of risk on organisation and delivery – minimising unintended consequences and improving policy effectiveness and efficiency. We recognise that leading change in firms requires a leadership position in thinking and representation to regulators; we aim to shape the debate.
Where we lead, others follow. www.paradigmrisk.com
ATTACHMENT 2
About the author

Peter Bonisch
Managing Director
Paradigm Risk, London
Peter is one of the UK’s leading advisors on risk governance in the financial services and corporate sectors. He works with boards of directors and senior executives on improving their governance processes around risk and assurance, and on enhancing and protecting corporate reputation.

Peter is a former National Director of Assurance Services for Ernst & Young in New Zealand. At Ernst & Young, he was a leading member of Ernst & Young’s global risk methods development group. From 1996 to 1998, he was also President of the Institute of Internal Auditors. He has worked internationally with leading clients on risk management and lectures in the UK on corporate governance. From 2008 to 2009, he was a partner in one of the UK’s leading corporate governance advisory firms, and was managing director of a London-based risk and assurance consultancy from 2002 to 2005. In 2005, Peter was made a Fellow of the Securities & Investment Institute and has sat on their Advanced Operational Risk Advisory Panel. He is a regular contributor to debates on governance, risk and control in the UK and Europe. He has a post-graduate degree in International Relations.

Peter has a growing reputation as one of the pre-eminent thinkers and writers on governance and risk management in the UK. Recently, he co-authored a government-funded research report on systemic risk. He can be contacted at peter.bonisch@paradigmrisk.com