The COSO report: challenge and counterchallenge.

When the Committee of Sponsoring Organizations (COSO) of the Treadway Commission released its landmark report, Internal Control--Integrated Framework, in September 1992, it thought its work was done and the baton could be passed to others who would implement its recommendations. After all, the report was the product of thousands of hours of analysis, discussion, formal dialogue and due process involving many members of the sponsoring organizations and others, including chief executives, board members, legislators, regulators, lawyers and consultants. COSO knew a broad consensus of opinion had been reached on a definition of internal control and on a framework that would provide a standard against which entities could measure the effectiveness of their internal controls.

However, COSO soon learned it had to step up to defend its work. On October 30, Donald H. Chapin, assistant comptroller general in the General Accounting Office (GAO), sent Robert L. May, COSO's chairman, a blistering letter that concluded "the COSO report in effect calls for a retreat from the public interest." That letter became a part of the public record when, on the same day, Mr. Chapin sent it to the Federal Deposit Insurance Corp. as part of the GAO's response to the request for comment on proposed regulations implementing the FDIC Improvement Act of 1991. On November 12, Mr. May responded on behalf of COSO. The American Institute of CPAs made his letter an addendum to its letter of comment, and thus it is a part of the public record.

COSO believes the GAO is motivated by a long-held and often-stated belief that there is a pressing need for public reporting on internal controls, including internal controls that go beyond financial reporting matters and encompass certain operations and compliance controls. COSO argues the GAO "should not try to achieve that objective by rejecting valid conclusions in a responsible report...." Rather, it should attempt to do so "through clear communications with legislators, regulators, and other interested parties, and through legislative or regulatory initiatives carried out under appropriate due process procedures."

Both letters are included here for your review. COSO is confident you will conclude its report "is an important contribution to the literature on corporate governance...that helps management identify basic weaknesses in operating, financial reporting and legal/regulatory compliance controls and take action to strengthen them."

The GAO letter acknowledges the COSO report "has sponsorship and general acceptance by most important private sector interests." So let's get on with the task of implementing its recommendations! Copies of the four-volume COSO report, Internal Control--Integrated Framework (product no. 990002JA), can be ordered by calling (800) TOAICPA. The basic price before quantity discounts and shipping and handling is $50. An executive summary (product no. 990001JA) is also available for $3.

Letter of November 12, 1992, from Robert L. May, chairman, Committee of Sponsoring Organizations of the Treadway Commission, to Donald H. Chapin, assistant comptroller general, General Accounting Office

Your October 30 letter on the final report of the Committee of Sponsoring Organizations of the Treadway Commission, Internal Control--Integrated Framework, asserts that the COSO report "does not underscore the importance of internal controls, falls short of meeting the expectations of the Treadway Commission for management's reporting on the effectiveness of internal controls, and misses opportunities to enhance internal controls oversight and evaluation." The letter makes six major arguments in support of those general points and concludes that "the COSO report in effect calls for a retreat from the public interest."

We could not disagree more.

The COSO report is a direct response to the Treadway commission's recommendations. The report is the product of thousands of hours of analysis, discussion, formal dialogue and due process involving members of the sponsoring organizations and many others, including chief executives, board members, legislators, regulators, lawyers and consultants. COSO itself, its Project Advisory Council, and the report's author, all listened to and weighed the input that was received from hundreds of sources. The comments of the General Accounting Office were considered in that process. The consensus...was and is that the final COSO report does exactly what the Treadway commission called for. The report

* Establishes a common definition that serves the needs of all interested parties--management, internal auditors, independent accountants, academics, legislators and regulators.

* Provides a standard against which business and other entities--large or small, in the public or private sector, for profit or not--can assess their control systems and determine how to improve them.

The COSO report provides a foundation for mutual understanding that enables all parties to speak a common language and communicate effectively on internal control issues. With that common language and a better understanding of the benefits and limitations of internal controls, legislators and regulators are in a better position to assess their objectives and the costs and benefits of what is necessary to achieve them.

Your letter makes it clear that achieving public reporting by management and independent auditors on a wide range of internal controls is high on the GAO's list of priorities and harshly criticizes the COSO report for, in essence, not espousing the same position. But that is not why COSO undertook this project and it is entirely inappropriate to impugn the COSO report because it does not echo the priorities of one organization.

The COSO report enables regulators to set the scope of reporting on internal control in a precise way because it provides, for the first time, clear-cut terminology and definitions having, as your letter states, sponsorship and general acceptance by most important private sector interests.

The COSO report is an important contribution to the literature on corporate governance. Its recommendations are in the public interest and the report merits the support of all interested parties, including the GAO. It would be extremely unfortunate if the adoption and use of the report by the business community were in any way impaired because of unwarranted criticism. Accordingly, we must answer the criticisms in your October 30 letter firmly and unequivocally; we do so in the following memorandum.

Memorandum from the Committee of Sponsoring Organizations of the Treadway Commission accompanying Robert L. May's letter of November 12, 1992, to Donald H. Chapin

Mr. Chapin's October 30, 1992, letter makes six specific criticisms of the COSO report and from that reaches the conclusion that "the COSO report in effect calls for a retreat from the public interest." Those who have been involved with this project from its inception, who have participated in many discussions over the issues, who have worked toward and succeeded in finding consensus, object strongly to that conclusion. The reality is that the COSO report is an important contribution to the literature on corporate governance and its implementation is clearly in the public interest, as demonstrated by the following responses to the six major criticisms.

It is asserted that the report "does not advocate public reporting on internal controls for financial reporting and fails to encourage evaluation of other controls such as those for laws and regulations."

There is no merit to this criticism. COSO's charge was to provide a definition and a framework in recognition of the fact that the Treadway commission itself had already urged public reporting. To say the report fails to encourage evaluation of other controls is a clear misstatement. The thrust of the whole COSO report belies this assertion.

The Treadway commission's report recommended that "all public companies should be required by SEC rule to include in their annual reports to stockholders management reports [that]... acknowledge management's responsibilities for the financial statements and internal control, discuss how these responsibilities were fulfilled and provide management's assessment of the effectiveness of the company's internal controls." The report went on to say that "the Auditing Standards Board should revise the auditor's standard report to describe the extent to which the independent public accountant has reviewed and evaluated the system of internal accounting control."

To enable more specific consideration and implementation of those recommendations, COSO's role was to provide a common definition of internal control, a conceptual framework and evaluation tools that would be useful to regulators, managements, independent accountants and auditing standard-setters. COSO has done this. There was no need for COSO to repeat Treadway commission recommendations (recommendations that also had been made by the Cohen commission and by the Financial Executives Institute) that themselves necessitated the COSO internal control project, and it is not appropriate and, indeed, misleading to criticize the COSO report for this lack of redundancy.

The simple fact is there will be reports on internal control as individual entities deem it appropriate or when relevant regulatory agencies, following due process procedures and exercising their legislated powers, determine that such reports are important to the public.

The letter expresses disagreement with the COSO position that "public reporting is not a component of, or criterion for, effective internal control" because public reporting, in the view of the GAO, "encourages management to be proactive and pay attention to the effectiveness of internal controls." The reality is that entities can have and do have effective internal control systems without making public statements to that effect, just as people can be and are honest without saying so publicly.

The statement that the COSO report "fails to encourage evaluation of other controls such as those for laws and regulations" is a clear misstatement. The thrust of the whole COSO report is to encourage evaluation of all controls, including controls over compliance with laws and regulations. Indeed, our cover letter made the point unequivocally: "We urge chief executives to... consider the state of their companies' internal controls. Using the framework, management can assess the internal control system against an established standard to help identify basic weaknesses in operating, financial reporting and legal/regulatory compliance controls and take action to strengthen them."

It is asserted that the report "excludes safeguarding of assets from financial reporting controls."

This criticism is misleading. The COSO report deals with controls over the safeguarding of assets, but it defines such controls, and properly so, as operations controls.

The letter cites two reasons for its assertion:

* The COSO definition of internal control is not consistent with the definition in the Foreign Corrupt Practices Act (FCPA). (The act distinguishes between "administrative control" and "accounting control" and states that the latter is concerned with the "safeguarding of assets and the reliability of financial records.")

* Generally accepted auditing standards (GAAS) focus audit work on internal controls for financial reporting that parallel those of the FCPA.

The fact is that the definition of internal control in the FCPA was taken from the GAAS in effect at that time, and the Treadway commission could have urged its acceptance--but it did not do that. It was precisely because there was a definition of internal control in the FCPA and a slightly different one in GAAS and another one in pronouncements of the Institute of Internal Auditors, and because the matter had been studied by the AICPA's special advisory committee on internal accounting control and the Financial Executives Research Foundation, that the Treadway commission recommended that its "sponsoring organizations should cooperate in developing additional, integrated guidance on internal control." The commission rightly pointed out that the different definitions and studies "have resulted in varying interpretations and philosophies" and occasionally caused disagreements "about the adequacy of a given internal control system."

The Treadway commission's recommendation should not be rejected because a definition of internal control exists in FCPA. The 1979 report of the special advisory committee on internal accounting control noted that the definition was originally "developed by independent auditors for their own purposes and that ... it must also be recognized that the Foreign Corrupt Practices Act gives explicit recognition to internal accounting controls to the exclusion of all others, and the objectives in the act were taken almost verbatim from professional auditing literature." Moreover, the COSO report goes far beyond the narrow objectives of internal accounting control to cover three broad objectives:

* Operations objectives. These pertain to the effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss.

* Financial reporting objectives. These pertain to the preparation of reliable financial statements, including prevention of fraudulent financial reporting.

* Compliance objectives. These pertain to adherence to laws and regulations to which the entity is subject.

The term "controls over financial reporting" means, and should mean, what it says. Reasonable businesspersons reading the English language in a responsible way readily conclude that controls over financial reporting deal with just that--reliable financial reporting. That means preparing financial reports that fairly present an entity's financial position, results of operations and cash flows in accordance with generally accepted accounting principles. Financial reporting controls generally do not include controls to improve profitability or prevent loss of assets, whether through inefficiency, bad decisions, excessive risk taking or otherwise. Controls to achieve those objectives are operations controls. Those who believe there should be public reporting on controls over the lending process or any other operations activity should not try to achieve that objective by rejecting valid conclusions in a responsive report and by distorting the clear meaning of the English language. Rather, they should attempt to achieve their objectives through clear communications with legislators, regulators and other interested parties, and through legislative or regulatory initiatives, carried out under appropriate due process procedures.

The letter asserts that GAAS defines internal control over financial reporting to include "safeguarding" controls, but that is not correct. The current standard, Statement on Auditing Standards no. 55, defines internal control subject to auditor consideration as dealing strictly with the reliability of financial reporting. That statement indicates, as does the COSO report, that certain authorization and other asset protection controls can, in specified circumstances, be relevant to financial reporting, in which case they would fall under the definition of internal control over financial reporting. But we must keep our eye on the objective--reliable financial reporting--and not sweep controls into that category simply to achieve other objectives.

It should also be noted that the term "safeguarding of assets" can be and often is interpreted broadly and could include virtually all operations controls. These could include controls addressing decisions on utilization of resources, including human resources, marketing decisions, asset allocations and myriad decisions made in running a business. In this connection, as explained in the COSO report, no internal control system can provide even reasonable assurance that all operations objectives are achieved. It can provide reasonable assurance only that management is aware of the extent to which those objectives are achieved. This fact needs to be recognized by those who advocate public reporting on controls other than financial reporting control, and any "safeguarding" controls to be the subject of reporting would need to be carefully defined.

It is asserted that the report "does not recognize the important role that an entity's external auditor can play in evaluating internal controls."

This is a misstatement of fact--the COSO report explicitly recognizes and extensively discusses the importance of the role and responsibilities of external auditors. This criticism appears to stem from the view that "public reporting especially with auditor attestation will lead to stronger internal controls." As stated above, that criticism ignores the fact that COSO was charged only with providing a definition and a framework because the Treadway commission itself had already urged public reporting.

The COSO report states: "Perhaps no other external party plays as important a role in contributing to achievement of the entity's financial reporting objectives as the independent certified public accountants." The section goes on to describe an external auditor's existing responsibilities for internal controls, noting that auditors in most cases provide useful internal control information to management. Specifically, the section concludes, "This information frequently will relate not only to financial reporting but to operations and compliance as well, and can make important contributions to an entity's achievement of its objectives in each of these areas. The information is reported to management and, depending on its significance, to the board of directors or audit committee."

The letter accurately notes that "COSO stated that external auditors' involvement with public management reporting on internal controls is being considered by various public and private sector bodies, but it is an issue beyond the scope of its report." That continues to be our position, and is consistent with our charge.

It is asserted that the report "misses the importance of comprehensive evaluations of internal controls."

There is no merit to this criticism. The letter expresses this view because of a belief that separate, comprehensive evaluations are necessary for public reporting. COSO, on the basis of its extensive work, including field-testing, holds a different view.

The letter asserts that the COSO report "downgrades the importance of discrete annual evaluation of controls as compared with ongoing monitoring of controls by management," because the report says "the greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations."

The COSO report does not "downgrade" anything. It does provide useful guidance for managements on how and when to monitor their internal control systems. The letter disagrees with this guidance solely because of an unwarranted concern that "implementing the COSO report may result in management being unable to make a comprehensive statement about the effectiveness of controls at a point in time." We do not understand that concern because the report makes it clear that the frequency and extent of separate evaluations is a matter of management's judgment. If management knows it must or will make a statement on its internal controls, management will take that into account in evaluating the adequacy of its monitoring procedures.

It is asserted that the report "does not provide specific guidance for an effective audit committee role."

There is no merit to this criticism. In addition to the guidance referred to and praised in the letter, the COSO report says that "it makes eminent sense for even small companies, to the extent practicable, to have audit committees composed of independent directors," and it directs boards and audit committees to the guidelines provided in the Treadway commission report. The report discusses the need for a strong and active board, and discusses the composition, responsibilities and activities of boards and audit committees.

The letter states that the "FDIC Improvement Act [FDICIA] requires that bank and thrift audit committees be independent from management and that committees of large institutions have members with certain expertise." This implies that very specific rules can be applied across the vast spectrum of American business. That just isn't so. Moreover, the scope of the discussion on boards and audit committees is substantive and entirely consistent with a framework document, and the report refers the reader to the Treadway commission's report for guidelines for audit committees.

It is asserted that the report "encourages limited reporting of internal controls deficiencies."

This criticism is unwarranted. What is at issue are choices among established and responsible alternatives. COSO made its choices based on its research, analysis and discussions.

The letter takes the position that management should publicly report "reportable conditions," not "material weaknesses," and that the reports should cover a period of time, not be made as of a point in time.

The notion of material weaknesses focuses on the significance of the risk that errors or irregularities in amounts that would be material to the financial statements may occur and not be detected within a timely period. The notion of a reportable condition does not specifically address the materiality of an error or irregularity. COSO believes that outside users of a management report on internal controls should expect to learn whether there is an internal control weakness that could have a material impact on the financial statements. Those users should, however, expect people within the entity, up to and including the audit committee, to obtain and act on information about reportable conditions and other matters as they carry out their responsibilities. We believe this conclusion is well supported.

The letter states that "COSO also advocated point-in-time reporting." The volume on Reporting to External Parties discussed both "period-of-time" and "point-in-time" reporting and concluded that either "should meet the needs of security holders and other report users." It went on to say that "point-in-time reporting is, however, likely to be considered the preferred alternative" and explained why. That conclusion is also well supported.

In addition, it is asserted that "the COSO model for internal control evaluation does not measure up to the FDIC Improvement Act model."

We disagree emphatically. The COSO report provides a common reference point in that it defines internal control, provides a conceptual framework for evaluating the effectiveness of a system of internal control and supplies tools useful in making such an evaluation, and the report, as the letter acknowledges, "has sponsorship and general acceptance by most important private sector interests."

FDICIA does not set up a model for corporate governance. It simply requires institutions to report publicly on their controls over financial reporting. The COSO report defines that term and related terms in a logical, understandable and accepted way. The FDIC may decide that public reporting on internal controls should go beyond financial controls, and that is its prerogative. If the FDIC makes that decision, it should do so on the merits, using the accepted COSO terminology. The COSO report represents the common language on the concepts of internal control that enables all interested parties to communicate clearly on the issues.

The COSO report is an important contribution to the literature on corporate governance. Its recommendations are in the public interest. It would be extremely unfortunate if the adoption and use of the report by the business community were in any way impaired because of unwarranted criticism.

We continue to believe the COSO report merits the support of all interested parties, including the GAO. For the first time, there exists an established, accepted standard that helps management identify basic weaknesses in operating, financial reporting and legal/regulatory compliance controls and take action to strengthen them. Legislators and regulators can build upon that standard when in their judgment the public interest calls for added procedures or reports. But when they consider doing that, they will do so with the benefit of a common language and framework that allows them to better assess the costs and benefits of proposed initiatives.

Letter of October 30, 1992, from Donald H. Chapin, assistant comptroller general, General Accounting Office, to Robert L. May, chairman, Committee of Sponsoring Organizations of the Treadway Commission

We appreciate your September 11, 1992, briefing on the final report, Internal Control--Integrated Framework, by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. We are disappointed that the final report is not responsive to our major concerns provided to you on March 16, 1992, in our comments on the draft report. We believe that the final report does not underscore the importance of internal controls, falls short of meeting the expectations of the Treadway commission for management's reporting on the effectiveness of internal controls and misses opportunities to enhance internal controls oversight and evaluation.

In general, the report's message does not advance the status of corporate governance and may actually encourage management to lessen its attention to internal controls. In particular, the report

* Does not advocate public reporting on internal controls for financial reporting and fails to encourage evaluation of other controls such as those for laws and regulations.

* Excludes safeguarding of assets from financial reporting controls, which is actually a step backwards from those controls long associated with financial reporting.

* Does not recognize the important role that an entity's external auditor can play in evaluating internal controls.

* Misses the importance of comprehensive evaluations of internal controls.

* Does not provide specific guidance for an effective audit committee role.

* Encourages limited reporting of internal controls deficiencies.

The COSO report provides a framework and criteria for evaluating controls, but given its shortcomings is less likely to be effective than the more comprehensive treatment of controls provided by the FDIC Improvement Act. Further, if COSO's weak approach to controls affects the behavior of the regulators, the benefits of the act's internal control and corporate governance reforms will not be fully realized.

PUBLIC REPORTING ON THE EFFECTIVENESS OF CONTROLS

The Cohen commission, the Financial Executives Institute (one of the five sponsoring organizations of COSO) and the Treadway commission have at one time or another since the late 1970s recommended reporting on internal controls. On two separate occasions the Securities and Exchange Commission has proposed rules for reporting on internal controls by securities registrants. The FDIC Improvement Act requires such reporting for federally insured banks and thrifts with assets of $150 million or more for fiscal years beginning after December 31, 1992. Moreover, according to COSO, one of every four public companies, and 60% of the Fortune 500 companies, already voluntarily report on internal controls in some fashion.

COSO represents organizations with both responsibility for and an interest in internal controls. COSO is in a position to provide an important service to the investing public and others by strongly supporting public reporting on internal controls as a means to better ensure that they are in place and working effectively.

COSO did not follow our recommendation that it strongly support public reporting in its final report. COSO stated that it was not expressing a position on public reporting on internal controls for financial reporting. COSO stated that "public reporting on internal control is not a component of, or criterion for, effective internal control." We disagree. As effective internal controls are clearly management's responsibility, public reporting enhances management's stewardship and accountability to shareholders and other interested parties. Public reporting encourages management to be proactive and pay attention to the effectiveness of internal controls rather than reacting when weaknesses lead to serious corporate problems.

We also recommended that COSO encourage more comprehensive reporting on internal controls, including controls over compliance with laws and regulations. Our work as well as others' has underscored the serious nature of noncompliance with laws and regulations by insured depository institutions and other organizations. The FDIC Improvement Act requires reporting on noncompliance with safety and soundness laws and regulations designated by the regulators. These requirements resulted from the frequent finding of violations at institutions that failed. Also, federal agencies are required to consider controls over compliance with laws and regulations when evaluating and reporting on internal controls under the Chief Financial Officers Act of 1990 and the Federal Managers' Financial Integrity Act of 1982.

COSO's final report stated that management reporting on internal controls over compliance is an evolving area and that the criteria provided in its report could be used for reporting on compliance controls. COSO pointed out that a threshold for measuring the severity of controls deficiencies, perhaps similar to the material weakness concept for financial reporting, would need to be identified. COSO also believed that focusing on the controls systems would better address the underlying objective of preventing noncompliance than reporting instances of noncompliance. We believe that both are important. The effectiveness of controls, both from their design and in actual operation, needs to be determined. As with management reporting on the effectiveness of controls for financial reporting, public reporting on compliance enhances management's stewardship and accountability for compliance.

EVALUATION OF INTERNAL CONTROLS FOR FINANCIAL REPORTING

In commenting on COSO's draft report, we pointed out that COSO referred to safeguarding of assets as primarily an operations objective. We expressed concern that if management excluded safeguarding of assets from the financial reporting controls objectives, then the reporting suggested by COSO would be more limited than the scope of the system of controls addressed by the Foreign Corrupt Practices Act (FCPA) and sends the wrong signal about what constitutes effective internal controls. For example, the FCPA requires SEC-registered companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (1) transactions are executed in accordance with management's authorization, (2) transactions are recorded to maintain asset accountability, (3) access to assets is permitted only with management's authorization and (4) recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate actions taken with respect to differences. COSO's limited definition of financial reporting controls would encompass only the second and fourth internal controls objectives as defined by the FCPA.

Also, generally accepted auditing standards (GAAS)[1] focus audit work on internal controls for financial reporting that parallel those of the FCPA. For example, GAAS defines the broad objectives of internal accounting controls to provide management with reasonable assurance that assets are safeguarded from unauthorized use or disposition and that financial records are reliable to permit the preparation of financial statements. GAAS lists the specific objectives, as stated in the FCPA, as necessary to achieve the broad objectives.[2]

The significance of COSO's narrow definition of financial reporting controls objectives is illustrated by an example from its final report regarding commercial bank lending activity. The report's example assumes that controls exist to ensure credit files contain current customer credit histories and performance data. However, the bank's lending officers do not use that information in making credit decisions. Instead, approvals of draw downs against existing credit lines, and even increases in limits, are made intuitively. Financial management periodically conducts thorough reviews to determine appropriate levels of loan loss reserves. COSO states that under this scenario, controls over operations have significant weaknesses, whereas controls over financial reporting do not. The effect of such distinctions for management reporting on internal controls is that management's evaluation of the effectiveness of financial reporting controls would include only controls intended to ensure that any loan losses are accurately reported. The cause of those losses would not be included in management's evaluation as the breakdown in internal controls would be considered a breakdown in operation controls. COSO has distinguished between financial and operation controls in a way that would make any reporting on financial controls much less meaningful.

We believe that COSO's narrow definition of financial reporting controls is a serious step backward to evaluating and reporting on the effectiveness of these controls. This step could encourage management to lessen its attention to internal controls and may discourage more expansive public reporting on controls now being made by some companies that deal with controls for the safeguarding of assets from loss or misappropriation. Also, shareholders and other interested parties are likely to be misled by such reports. Under COSO's definition of financial reporting controls, management would be reporting on the reliability of controls to tally the losses accurately and not on the deficient controls that lead to the losses.

The COSO report also downgrades the importance of discrete annual evaluation of controls as compared with ongoing monitoring of controls by management. COSO states the greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations. Further, the frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of the internal controls system is a matter of management's judgment. We agree with COSO that the design and operation of internal controls need to be monitored on a timely basis as an entity's operations change over time and can reduce the effectiveness of internal controls. What is important is that internal controls are comprehensively reviewed at least annually and that the results of both monitoring and separate evaluations of the effectiveness of controls accomplish that result. Implementing the COSO report may result in management being unable to make a comprehensive statement about the effectiveness of controls at a point in time.

ROLE OF THE EXTERNAL AUDITOR

COSO did not revise its final report to address the essential role that external auditors play with respect to internal controls as we recommended. GAAS requires external auditors to gain an understanding of an organization's internal control structure and to assess its control risk. GAAS also provides guidance and procedures for reporting on internal controls. The FDIC Improvement Act requires management of banks and thrifts to report on the effectiveness of financial reporting controls annually and for external auditors to report separately on management's assertions. As evidenced by the internal control weaknesses that contributed significantly to bank and thrift failures, an independent review of management's internal controls assertions is needed to ensure such weaknesses are identified and corrected before significant losses have been incurred.

COSO stated that external auditors' involvement with public management reporting on internal controls is being considered by various public and private sector bodies, but it is an issue beyond the scope of its report. However, as previously stated, COSO took the position that public reporting is not a component of effective internal controls. We believe that such a position may discourage public reporting, and it could very well lead to inadequate management attention to the effectiveness of internal controls. Public reporting, especially with auditor attestation, will lead to stronger internal controls.

ROLE OF THE BOARD OF DIRECTORS AND AUDIT COMMITTEES

COSO in its draft report stated that the chief executive officer is ultimately responsible for the overall internal control structure but recognized that management can override controls, enabling a dishonest management to intentionally misrepresent results to cover its track. We recommended that the final report should also make clear that the board of directors and its audit committee have oversight responsibility for ensuring that internal controls are functioning properly and that management properly supervises the controls and does not override them. We also urged COSO to comprehensively delineate the duties and responsibilities of boards of directors and audit committees for internal controls and to set forth the independence and competence requirements for audit committee members.

Statutes and other authoritative sources do not comprehensively delineate all the specific internal controls responsibilities of boards of directors and audit committees, nor are the qualifications necessary to successfully discharge those responsibilities fully addressed. Our report, Audit Committees: Legislation Needed to Strengthen Bank Oversight (GAO/AFND92-19, October 21, 1991), reported the results of our survey of chairmen of large banks' audit committees (assets of $30 billion or more) in which many respondents stated bank audit committees lack the independence, expertise and information on internal controls and compliance with laws and regulations necessary to properly oversee bank operations.

COSO's final report added a discussion emphasizing the important role of board of directors and audit committees for effective internal controls. In that respect, the report states they must possess an appropriate degree of management, technical and other expertise, coupled with the necessary stature and mind set so that they can adequately perform the necessary governance, guidance and oversight responsibilities that are critical to effective internal control. The COSO report also states that because a board must be prepared to question and scrutinize management's activities, present alternative views and have the courage to act in the face of obvious wrongdoing, it is necessary that the board contain outside directors.

We believe that COSO's final report is responsive to our concerns that the important role of the board of directors and its audit committee be explained. However, COSO did not define the necessary expertise and independence necessary to successfully fulfill the board's or audit committee's responsibilities for effective internal controls. The FDIC Improvement Act requires that bank and thrift audit committees be independent from management and that committees of large institutions have members with certain expertise. We believe the act sets forth a good example. It should be noted that COSO's report implies that "outside directors" bring the necessary independence to scrutinize management's activities. Obviously, personal and economic factors that could affect a director's independence also must be considered.

PUBLIC REPORTING OF INTERNAL CONTROLS DEFICIENCIES

We advised COSO that its draft report was unclear how uncorrected internal controls weaknesses should be reported--notwithstanding that COSO did not advocate public reporting on the effectiveness of internal controls. We recommended that uncorrected weaknesses should be reported, even when management is making a good faith effort to correct them. We believe that such matters are important to an appraisal by the shareholders and other interested readers of management's report on the quality of financial reporting controls maintained by the business.

COSO's final report limited public reporting of uncorrected internal controls deficiencies related to financial reporting to those judged by management to be material weaknesses. COSO used the GAAS definition defined as a condition in which "the design or operation of the specific internal control structure elements do not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions."

GAAS also provides a broader threshold for deficiencies called "reportable conditions," which are "significant deficiencies in the design or operation of the internal controls structure, which could adversely affect the organization's ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements."[3]

By limiting public reporting of controls deficiencies to material weaknesses, the COSO report will discourage reporting of significant impediments to a business's ability to record, process, summarize and report relevant financial data. The result may well be "empty" management reports on internal controls when deficiencies such as reportable conditions exist. Such reporting will not provide a fair picture of the status of financial reporting controls. The future of a business may well be jeopardized by financial controls deficiencies, but these conditions will not be revealed by the kind of controls report proposed by COSO. We believe shareholders and other interested parties would be better served by reporting of uncorrected reportable conditions with those weaknesses judged to be material identified as such.

COSO also advocated point-in-time reporting (as of one day during the year) rather than period-of-time reporting (for an entire year). COSO concluded that point-in-time reporting was preferable because it meets the needs of security holders and is less costly and provides an environment conducive to identification and correction of controls deficiencies. An obvious concern of such reporting is that it reports on the effectiveness of internal controls on a given day (generally yearend) and does not address the effectiveness of internal controls for the other 364 days of the year. COSO's solution to this was to suggest that management's report include a statement about the existence of mechanisms for system monitoring and responding to identified controls deficiencies.

A reference in management's report to self-monitoring mechanisms may well provide misleading assurances if such mechanisms are not effective, and certainly they are not an equal substitute for period-of-time reporting. As a minimum, we believe point-in-time reporting is a further supporting argument for reporting uncorrected reportable conditions and a strong argument for reporting all "reportable conditions" identified during the year to give the report user some idea of how monitoring mechanisms are working.

EFFECT ON ACHIEVING BENEFITS OF THE FDIC IMPROVEMENT ACT

The FDIC Improvement Act provides a structure to strengthen corporate governance of banks and thrifts and to facilitate early warning of safety and soundness problems. These reforms address deficiencies that significantly contributed to the failure of banks and thrifts and the depletion of the insurance funds. The reforms include corporate governance, accounting and regulatory reforms.

Regarding internal controls, the act requires banks and thrifts with assets of $150 million or more to report annually to the federal regulators on their financial condition and management for fiscal years beginning after December 31, 1992. The report is to include a statement of management's responsibilities for preparing financial statements, establishing and maintaining an adequate internal controls structure for financial reporting and complying with laws and regulations relating to safety and soundness that are designated by the FDIC or the appropriate federal banking agency. The report also must include management's assessment of (1) the effectiveness of the institution's internal controls structure and procedures and (2) the institution's compliance with the designated laws and regulations. The act requires the institution's external auditor to report separately on management's assertions.

The act also requires the institution to have an independent audit committee entirely made up of outside directors who are independent of institution management. For large institutions, the act provides that audit committees shall include members with banking or related financial management expertise, have access to the committee's own outside counsel and not include any large customers of the institution.

We believe the COSO model for internal controls evaluation does not measure up to the FDIC Improvement Act model. The regulations to implement the act are not finalized and many critical terms need to be defined that will play a key role in determining the success of the reforms. If the COSO guidance is adopted by the regulators and becomes the criteria for internal controls evaluation and reporting for the act, the benefits of the act's internal control and corporate governance reforms will not be fully realized.

In conclusion, we believe that the COSO report does not meet the Treadway commission promise of reform. After a number of years of discussion and attempts to advance the state of internal controls and corporate governance, the COSO report in effect calls for a retreat from the public interest. This is especially disheartening as the COSO report has sponsorship and general acceptance by most important private sector interests. We believe that COSO has failed to respond effectively to the recognized need for strengthened corporate governance.

Congress responded with the FDIC Improvement Act to address the breakdowns in internal controls and other areas of corporate governance in the banking industry. We plan to continue to advocate the model set forth in the act to Congress and others who may affect how internal controls issues are finally resolved. We believe that applying that model will strengthen internal controls and provide a more comprehensive approach to strengthen corporate governance and public accountability. Clearly, action beyond the COSO report such as legislation is needed to further protect investors and our nation's government.

1 Statement on Auditing Standards no. 30, Reporting on Internal Accounting Control.

2 The American Institute of CPAs auditing standards board's April 29, 1992, proposed statement of standards for attestation engagements, Reporting on an Entity's Internal Control Structure Over Financial Reporting, would supersede SAS no. 30. In commenting on the proposed standard, we recommended on August 14, 1992, that the board include the basic concepts that are implicit in the internal control structure.

3 Management's assertions that underlie an entity's financial statements concern the existence or occurrence of assets, liabilities and ownership interests; completeness of recognizing transactions; rights (assets) and obligations (liabilities) of the entity at a given date; appropriate valuation or allocation of assets, liabilities, revenue and expense components; and presentation and disclosure.

COPYRIGHT 1993 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Committee of Sponsoring Organizations of the Treadway Commission
Author:May, Robert L.
Publication:Journal of Accountancy
Date:Feb 1, 1993