Does the COSO report pass muster?
If you're like most busy financial executives, you may have read only parts of the report. Warren Johnston, vice president of internal audit at TRW, read the entire document, and here he shares a few of his observations with Financial Executive readers.
In 1987 TRW, like many companies, decided to formally document its internal accounting controls. Worldwide, that effort took almost three years and substantial resources. It didn't encompass the marketing, management, human resources and manufacturing areas, which are included in COSO's Internal Control-Integrated Framework. If we interpret this report as suggesting similar documentation may be needed for all internal controls, following its recommendations could be a very time-consuming and expensive proposition. And while the report is valuable as a tangible reference point and does a good job of pulling together different ideas as a set of guidelines, it doesn't add much new information, except possibly a single definition of internal controls.
COSO's report was intended to be informal, but it could become formal if an organization like the Securities and Exchange Commission endorses all or part of it. If this happens, I'm concerned that internal audit may be deemed responsible for monitoring all internal controls. However, the guidelines must recognize that management has the right to restrict the charter to internal accounting controls.
Also, while the report discusses the CFO's and accounting officer's responsibilities, it establishes the CEO's ultimate responsibility for internal controls. Furthermore, it clearly states that division or plant CEOs have the ultimate responsibility in their organizations and therefore may be held to a higher level of responsibility for internal controls than ever before. The report suggests that evaluation and monitoring activities may have to be in place at those levels as well. Therefore, as a financial executive, you'll have to decide how you and the internal-audit function will support general managers.
I'm also afraid the document may stagnate or become inflexible. It must be a living document, easy to modify, perhaps published in a three-ring binder. Internal controls will undergo constant change in the future, so an easily modified document could accommodate new interpretations or changes without the need for republishing. If having common guidelines is valuable, then making them user-friendly is extremely important.
Although the document covers management responsibilities extensively, it doesn't address the specific responsibilities of the board of directors and audit committees. Many financial executives believe it shouldn't. If, however, the document clearly established those roles (and I'm not suggesting the roles would be extensive), maybe we could stop looking for definitions from all the different bodies that publish reports on common practices, such as the American Institute of Certified Public Accountants, the Institute of Internal Auditors or public accounting firms.
The report is correct in its assessment that board and audit-committee responsibilities may vary by the type of business and other factors, making assembling a set of common standards difficult. Nevertheless, the document could contain some basic guidelines so we understand how to best support them. Or the framework should state that boards of directors and audit committees have no extraordinary or assigned responsibility for internal controls, which may be the real answer.
What about the impact on businesses in trouble, the ones that may need to be most sensitive to internal controls? They may not have the time or the resources to address internal controls. If they devote resources to documenting internal controls and go bankrupt, we would probably all agree they focused on the wrong thing.
Of course, following many of the time-tested internal-control procedures might help prevent bad decisions or out-of-control situations, which could improve a company's chances to stay out of bankruptcy. But in reality, when management teams are confronted with the pressures of survival, improving and documenting controls is not generally a high priority.
And what about small locations with limited personnel? We all do our best to provide maximum control in such environments, but small organizations could never live up to these standards.
The difficulty is that these types of situations will drive management's decisions, but later the guidelines may be used against the company to purport that it didn't comply with basic authoritative literature and consequently was negligent.
Still, for other companies the strength of their internal controls could prove useful as a corporate-defense tool, especially under the new federal sentencing guidelines. The ability to demonstrate an internal-control system that meets a widely accepted set of guidelines could go a long way in convincing courts that company management was prudent in fulfilling its responsibilities. Frequently, in cases of alleged fraud or mismanagement, prosecutors have one point of view on what constitutes adequate internal control, while management has a different perception. The Integrated Framework could provide a simple and conclusive set of guidelines that both parties accept.
However, many executives question whether this report carries or should carry such authority. It may become authoritative in much the same way that the Treadway Commission Report has -- through sheer frequency of use. If it's to be used as authoritative literature, then we'll be expected to abide by it.
Moreover, the report has prompted several offshoot documents, which could dilute the original purpose. The Defense Contract Audit Agency has drafted and is now testing its own internal-control review process, and I understand the Federal Deposit Insurance Corp. is also drafting a set of independent procedures. Will they support or deviate from the guidance set forth in the Integrated Framework? I believe they'll at least partially reflect the COSO recommendations. Nevertheless, instead of one clear-cut set of guidelines, we'll have to focus on several, which may affect how much acceptance the document enjoys.
Overall, the COSO report can provide a standard that promotes consistency and simplicity. It would be nice to have a single living document that we could share as the authoritative guide on internal controls. But can it gain the support necessary to reach that level of acceptance? If not, we should carefully weigh the cost of adopting and implementing the guidelines. It may make more sense simply to remain sensitive to the expectations of the groups and individuals with whom we deal regularly.
Mr. Johnston is vice president of internal audit at TRW in Cleveland.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Viewpoint; Committee of Sponsoring Organizations' Internal Control-Integrated Framework|
|Date:||Sep 1, 1993|
|Previous Article:||Quality in 3D: EVA, CVA, and employees.|
|Next Article:||College planning: shake hands with the taxman.|