Reaching consensus: the GAO's acceptance of the COSO report.
The COSO report is being used by virtually all of the largest banks reporting under the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) as the criteria for determining internal control effectiveness. Internationally, the report serves as the basis for internal control standards currently under development in Canada and has been used by a number of foreign-based companies and translated into several languages.
The report's only major critic was the General Accounting Office. In speeches, letters and articles, GAO officials asserted the COSO report was a retreat from the public interest. (See "The COSO Report: Challenge and Counterchallenge," JofA, Feb.93, page 10, for details.)
THE REAL ISSUES
The GAO criticized COSO for not dealing adequately with requirements for management reporting on internal control, comprehensive evaluations of controls, auditor involvement, guidance for audit committees and reporting of control deficiencies, among other things. But what the GAO wanted most were (1) required management reports on internal control, at least for public companies, and (2) for such reports to cover not only what the COSO report calls financial reporting controls but also what is sometimes referred to as controls related to safeguarding assets.
The GAO's first request is straightforward; it is the second request, rooted in Congress's intent when it passed FDICIA, that is more involved. FDICIA requires large banks for the first time to report publicly on "controls over financial reporting." (Congress borrowed the term from the nearly complete COSO report.) But the COSO definition of those controls did not necessarily include what the GAO called safeguarding controls. Why "not necessarily"? Because it would depend on a company's circumstances.
Controls over financial reporting are intended to make sure losses are reported properly in financial statements. If controls to prevent a loss from fraud or theft, for example, are needed to ensure reliable financial statements, they fall under financial reporting controls. But if those controls were needed only to prevent losses, with other controls in place to make sure losses are reported properly, the loss-prevention controls would fall in the operations controls category. The GAO insisted management reports on internal control should not be restricted to making sure losses were reported properly but also should address prevention or early detection of the loss in the first place.
In response to the GAO's first main issue--mandatory management reporting--COSO pointed to the Treadway commission report, which clearly had called for management reporting on internal control by all public companies and had suggested a project to establish reporting criteria; the COSO report was the result of that recommendation. There was no reason to repeat the recommendation for reporting, which had already been made by Treadway. On the definitional issue, COSO said that the English language should not be subverted. Controls over financial reporting are just that--they help ensure reliable financial reports. Reliable financial statements provide--to management and the board of directors, if not to shareholders--information on activities resulting in loss so they can act to prevent such losses from recurring or escalating.
THE WORKING GROUP
In an effort to deal with these issues, a working group was formed to negotiate a settlement satisfactory to all parties. Thomas P. Kelley, AICPA group vice-president-professional, represented COSO; the GAO was represented by Robert W. Gramling and his staff; and I represented Coopers & Lybrand, the firm that wrote the COSO report. Joseph F. Moraglio, AICPA vice-president-federal, coordinated the sessions and participated in the negotiations.
After several months of negotiations aimed at finding common ground, there was a breakthrough. It was decided all parties could accomplish their objectives by writing a brief addendum to the COSO report. This would not be a change to the existing report, and certainly would not tinker with the all-important "framework" volume. Rather, a new definition would be developed and put into the Reporting to External Parties volume, with an encouragement that management report not only on financial reporting controls but on the newly defined controls as well.
WHAT THE ADDENDUM SAYS
The addendum (see "The COSO Report: A New Addendum Results in GAO Endorsement," JofA, July94, page 18) defines a new internal control category, "internal control over safeguarding of assets against unauthorized acquisition, use or disposition."
The new category is a subset of safeguarding of assets controls as defined in the COSO report. The already defined safeguarding of assets category includes any controls that help an entity ensure it operates efficiently, including controls geared to attaining performance and profitability goals. This broad category encompasses much of an entity's operations controls and may include financial reporting controls as well as compliance controls.
The new category is much narrower and will normally overlap operations and financial reporting controls. In the cube diagram below, the new controls are depicted by a vertical slab incorporating a small part of operations controls and financial reporting controls. The new category includes certain controls that will, for some companies, fall under financial reporting and for others will not.
Focusing on authorization, the new category includes controls to prevent or timely detect losses related to acquiring, using or disposing of assets in amounts material to the financial statements. The controls relate, for example, to preventing an entity from incurring unauthorized investments, making unauthorized expenditures, incurring unauthorized liabilities, having inventory stolen or detecting such events in a timely manner. The new category encompasses each of the five components defined in the COSO report and thus includes assessing the risk of unauthorized asset activities, comparing existing assets with recorded amounts and making available to management information it needs to carry out its responsibilities for preventing or detecting such unauthorized activities.
The new category does not cover all the other financial reporting and operations controls. It excludes controls designed to protect against asset loss arising from inefficiency or from management's operating decisions, including
* Selling a product that proves unprofitable.
* Incurring expenditures for equipment that later proves unnecessary or unsatisfactory.
* Authorizing what proves to be unproductive research or ineffective advertising.
* Accepting a level of merchandise pilferage by customers as part of operating a retail business.
When the addendum was being drafted, there was some concern readers might think it necessary to determine whether an entity's specific authorization levels were appropriate. The parties agreed that it was necessary only to focus on the process encompassed by the COSO components and to determine whether
* The entity had made an appropriate assessment of the risk of such asset loss and had determined the actions needed to manage the risk.
* Control activities to help ensure management's directives to address the risk were being carried out--including determining whether the authorization policies were being complied with.
* Management had the information it needed to carry out its responsibilities related to preventing or timely detecting such unauthorized activities.
* Mechanisms had been established to enable management to monitor the continued effective operation of the controls.
The issue of whether specific authorization levels were correct was purposefully excluded; one company's levels might not be best for another, even in the same industry. The decision not to address this issue was based on the principle a standard should not be so exact as to stifle innovation that might lead to better practices.
In other words, if an entity sets authorization standards different from its industry peers, this would not indicate the entity did not have effective controls to safeguard assets against unauthorized acquisition, use or disposition as long as the process the company follows includes the controls in the five COSO report components. That is, management must have an appropriate process that provides reasonable assurance that the entity's assets are safeguarded from the specified unauthorized activities. This approach is consistent with the COSO framework, which purposefully provides broad guidelines that allow companies to establish control systems responsive to their needs and that allow for continued innovation and improvement.
After the COSO and GAO representatives gained approval from their organizations, the result was a classic win-win situation.
COSO. COSO achieved its objective of retaining the integrity of the report, keeping the framework intact. None of the original definitions or concepts changed. The new definition is consistent with the report's original intent that additional special purpose definitions be added over time to accommodate special needs.
GAO. The GAO achieved its objective of having a definition related to safeguarding of asset controls incorporated in the COSO report so such controls could be reported on. In the future, we are likely to see companies that currently report on financial reporting controls begin to report on these safeguarding controls as well. The addendum also facilitates the GAO's joining with virtually all other interested parties in support of what has become the generally accepted standard on internal control.
Businesses, financial statement users, academia and the public. Everyone will realize the benefits of a common framework enabling effective communication on internal control. Misunderstandings resulting from the use of different terms for the same concept--and one term to mean different things--are less likely. Effective communication also may result in less litigation due to misunderstandings about the meaning of internal control terms in public reports. Businesses will benefit from having benchmarks with which to compare and strengthen their controls.
WHERE DO WE GO FROM HERE?
With the COSO report's acceptance, what happens next?
Professional and regulatory bodies are incorporating the report's definitions, terms and concepts in their standards, rules and literature. The AICPA is revising Statement on Auditing Standards no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, and the other sponsoring organizations are looking at how best to bring COSO into their literature. The GAO will consider including the report's definitions, terms and concepts in Government Auditing Standards (the yellow book) and also working with the FDIC to revise the FDICIA regulations related to management reporting on internal control. Textbooks and other academic works also are likely to refer to the COSO report when addressing internal control.
Use of the COSO report as effectiveness criteria in management reports on internal control already is evident, particularly by banks reporting under FDICIA. We can expect to see companies in other industries using the COSO report in producing management reports, not only to improve communication but also to limit liability by avoiding misunderstandings on what is being asserted with respect to the state of internal control. Many businesses already are using the COSO report as a benchmark in making self-assessments of their internal control systems and more are expected to do so.
COSO already has begun to consider what mechanism it should establish to keep its report current and relevant. While the basic structure should withstand the test of time, some new special purpose definitions or other refinements are likely to be needed to reflect emerging changes in the business environment and control methods.
The COSO report describes the relationship between objectives--what an entity strives to achieve--and the components, which represent what is needed to achieve the objectives. The relationship is depicted by this three-dimensional matrix. The vertical columns represent the three objective categories. The rows represent the five components. The third dimension of the matrix depicts the units or activities of an entity to which internal control relates. The new definition of internal control over safeguarding of assets against unauthorized acquisition, use or disposition is depicted by a narrow vertical slab incorporating a small portion of each of the operations and financial reporting categories.
Title annotation: General Accounting Office, Committee of Sponsoring Organizations of the Treadway Commission
Author: Steinberg, Richard M.
Publication: Journal of Accountancy
Date: Sep 1, 1994