Printer Friendly

The name of the GAO's game is more legislation.

The General Accounting Office (GAO) made a power move this past fall in the field of corporate governance. The target: the report of the Committee of Sponsoring Organizations (COSO). The purpose: to broaden the scope of internal controls.

The move was played out in an exchange of letters between Donald H. Chapin, GAO assistant comptroller general, and Robert L. May, chairman of COSO. The original GAO letter, while addressed to May, was part of a filing made to the Federal Deposit Insurance Corporation (FDIC) regarding the regulations for the new FDIC Improvement Act. The GAO was displeased at not being able to use the COSO report in its efforts to push internal controls beyond financial reporting and into operations.

"We are disappointed that the final |COSO~ report is not responsive to our major concerns," Chapin wrote. "|It~ does not underscore the importance of internal controls, falls short on meeting the expectations of the Treadway Commission |National Commission on Fraudulent Financial Reporting~ for management's reporting on the effectiveness of internal controls, and misses opportunities to enhance internal controls oversight and evaluation."

Faced with this criticism in the public arena, COSO quickly responded. "We could not disagree more," wrote May. "The final COSO report does exactly what the Treadway Commission asked for." By establishing a common definition and a standard of measure, it "provides a foundation for mutual understanding that enables all parties to speak a common language and communicate effectively on internal control issues."

What the GAO did not like was the FDIC using the COSO report as an example of acceptable internal control standards in proposed regulations for the FDIC Improvement Act. "The report's message," Chapin wrote, " does not advance the status of corporate governance and may actually encourage management to lessen its attention to internal controls."

May responded: "Your letter makes it clear that achieving public reporting by management and independent auditors on a wide range of internal controls is high on the GAO's list of priorities. ... But that is not why COSO undertook this project and it is entirely inappropriate to impugn the COSO report because it does not echo the priorities of one organization."

The result of all this, according to Gaylen N. Larson, chairman of, and one of FEI's representatives on, the Project Advisory Council to COSO --and group vice president and chief accounting officer of Household International--was an exchange that focused on the details of the COSO standards rather than on the overall objectives of the GAO. "The GAO's agenda is to expand the role of the external auditor into the examination of internal controls," he says. "The COSO report places the GAO at some risk in accomplishing this."

As chairman of the Project Advisory Council, Larson had frequent discussions with the GAO. "I was told," Larson says, "that the GAO had no problem with the components as we described them. |But it decided~ to discredit the report, not by focusing on the operating issue but by alleging that COSO failed to tell the audit committees how to operate, COSO tried to narrow the role of the external auditor to financial reporting, COSO ignored protection of assets, etc."

The Chapin letter makes six charges.

1. "The report does not advocate public reporting on internal controls for financial reporting and fails to encourage evaluation of other controls such as those for laws and regulations."

May responded that the Treadway Commission had already done this. "COSO's role was to provide a common definition of internal control, a conceptual framework, and evaluation tools that would be useful to regulators, managements, independent accountants, and auditing standard-setters. ... There was no need for COSO to repeat Treadway Commission recommendations ... and it is misleading to criticize the COSO report for this lack of redundancy."

May added: "The thrust of the whole COSO report is to encourage evaluation of all controls, including controls over compliance with laws and regulations."

"The GAO's agenda," interprets Larson, "goes far beyond reviewing controls over the preparation of financial statements. They have told me, for example, that they believe external auditors should review the lending process to determine whether or not the lending decisions make sense. In fact, they've gone so far as to say that the role of the auditor should include reporting on risktaking decisions of management."

2. "The report excludes safeguarding of assets from financial reporting controls, which is actually a step backward from those controls long associated with financial reporting. ... If management |excludes safeguarding~, then the reporting suggested by COSO would be more limited than the scope of the system of controls addressed by the Foreign Corrupt Practices Act (FCPA)."

May's response: "This criticism is misleading. The report |does~ deal with controls over the safeguarding of assets, but it defines such internal controls, and properly so, as operations controls."

In addition, he stated that definitions of internal control by the FCPA and the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) were based on a definition in the AICPA's generally accepted auditing standards. And these, in turn, differed from definitions found in internal auditing literature and various management textbooks. Because of this, he said, the Treadway Commission report called for developing integrated guidance, since the different definitions and studies "have resulted in varying interpretations and philosophies and occasionally caused disagreements about the adequacy of a given internal control system."

May continued: "The COSO report goes far beyond the narrow objectives of internal accounting control to cover three broad objectives." These are operation objectives, financial reporting objectives, and compliance objectives. "Financial reporting controls," he said, "generally do not include controls to improve profitability or prevent loss of assets. ... Controls to achieve those objectives are operations controls."

May added: "Those who believe there should be public reporting on controls over the lending process, or any other operations activity, should not try to achieve that objective by rejecting valid conclusions in a responsible report and by distorting the clear meaning of the English language. Rather, they should attempt to achieve their objectives through clear communications with legislators, regulators, and other interested parties. ... We must keep our eye on the objective--reliable financial reporting--and not sweep controls into that category simply to achieve other objectives."

"The reason the COSO report: causes the GAO problems," says Gaylen Larson, "is that it focused on three subcategories of internal controls: operations, financial reporting, and compliance with laws and regulations. Financial reporting focuses on those controls required to achieve accurate financial reporting. It doesn't, and in any opinion shouldn't, focus on how you run a business. The GAO wants to force external auditors, and their reports, into how a business is operated."

While the FDICIA allowed regulators to write in such provisions when implementing regulations, Larson believes the GAO is fearful that they will not do so and therefore wants to use the "protection of assets" clause in the AICPA definition to force regulators to deal with this aspect of internal controls. If CC)SO's definition is used, Larson says, then legal authority to require such an extension of auditor responsibility is subject to challenge.

3. "The report does not recognize the important role that an entity's external auditor can play in evaluating internal controls."

May's response: "This is a misstatement of fact--the COSO report explicitly recognizes and extensively discusses the importance of the role and responsibilities of external auditors. This criticism appears to stem from the view that 'public reporting especially with auditor attestation will lead to stronger internal controls.' That criticism ignores the fact that COSO was charged only with providing a definition and a framework, because the Treadway Commission itself had already urged public reporting."

May also quotes the COSO report: "Perhaps no other external party plays as important a role in contributing to achievement of the entity's financial reporting objectives as the independent certified public accountants." The report then goes on, he says "to describe an external auditor's existing responsibilities for internal controls."

4. "The report misses the importance of comprehensive evaluations of internal controls. ... It downgrades the importance of discrete annual evaluation of controls as compared to ongoing monitoring of controls by management."

May's response: "The COSO report does not 'downgrade' anything. It does provide useful guidance for management on how to monitor their internal control systems. The letter disagrees with this guidance solely because of an unwarranted concern that 'implementing the COSO report may result in management being unable to make a comprehensive statement about the effectiveness of controls at a point in time.' We do not understand that concern because the report makes it clear that the frequency and extent of separate evaluations is a matter of management's judgment."

5. "The report does not provide specific guidance for an effective audit committee's role."

May's response: "There is no merit to this criticism." He quotes the report: "It makes eminent sense for even small companies, to the extent practicable, to have audit committees composed of independent directors." May goes on: "The report directs boards and audit committees to the guidelines provided in the Treadway Commission report." Moreover, he says, "the scope of the discussion on boards and audit committees is substantive and entirely consistent with a framework document."

6. "The report encourages limited reporting of internal control deficiencies." It also "advocates point-in-time reporting rather than period-of-time reporting."

May's response: "This criticism is unwarranted. What is at issue are choices among established and responsible alternatives. ... COSO believes that outside users of a management report on internal controls should expect to learn whether there is an internal control weakness that could have a material impact on the financial statements ... |and should~ expect people within the entity, up to and including the audit committee, to obtain and act on information about reportable conditions."

To the charge that COSO advocates point-in-time reporting, May stated: "The volume on 'Reporting to External Parties' discussed both 'period-of-time' and 'point-in-time' reporting and concluded that either 'should meet the needs of security holders and other report users.' It went on to say, that 'point-in-time reporting is, however, likely to be considered the preferred alternative.'"

The GAO letter made one additional point: "The COSO model for internal control evaluation does not measure up to the FDIC Improvement Act model."

May's response: "FDICIA does not set up a model for corporate governance. It simply requires institutions to report publicly on their controls over financial reporting. ... The FDIC may decide that public reporting on internal controls should go beyond financial controls, and that is its prerogative. That does not mean the COSO report should not stand as the common language on the concepts of internal control."

Chapin's letter concluded: "We believe that the COSO report does not meet the Treadway Commission promise of reform. ... |It~ in effect calls for a retreat from the public interest. ...

"We plan to continue to advocate the model set forth in the |FDICIA~ to Congress and others who may affect how internal control issues are finally resolved. We believe that applying the model will strengthen internal controls. ... Clearly, action beyond the COSO report, such as legislation, is needed to further protect investors and our nation's government."

Larson interprets this to mean that the GAO's next objective is to extend the FDICIA internal control provisions to insurance companies. "The GAO is attacking the points of least resistance," he says, "but their objective is to extend these provisions to all publicly held and regulated companies." It is therefore a mistake, he added, to view this narrowly as a banking industry problem.

May's own conclusion: "We continue to believe that the COSO report merits the support of all interested parties, including the GAO. For the first time, there exists an established, accepted standard that helps management identify basic weaknesses in operating, financial reporting, and legal/regulatory compliance controls and take action to strengthen them. Legislators and regulators can build upon that standard when in their judgment the public interest calls for added procedures or reports. But when they consider doing that, they will do so with the benefit of a common language and framework that allows them to better assess the costs and benefits of proposed initiatives."

If there is no apparent winner to this exchange of letters, it is because it really was not a debate. Instead, the letters represent contrasting appeals to legislative and public opinion.

"The problem the COSO report poses for the GAO," sums up Larson, "is that its definition makes it clear that controls over financial reporting often are severable and distinct from controls over operating a business. The GAO's problem therefore is a political one. It does not want to go back to Congress to change the FCPA and FDICIA definitions into which it has already expended a lot of political capital. In Don Chapin's words, 'You get only one chance on the Hill.'"

Larson concludes: "I asked Chapin why he did not make the GAO's ultimate goals and its practical problems clearer to COSO during the comments period. His only response was that the GAO had a lot of other things on its plate, and probably didn't give the COSO project the attention it deserved.

"It is important to be candid on this issue," Larson says, "for until the public understands what is really happening, it is not possible to understand this exchange of letters. That is unfortunate because, while our perspectives may be different, we are all committed to the objective of improving controls and reducing fraudulent financial reporting."
COPYRIGHT 1993 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:From FEI; General Accounting Office
Publication:Financial Executive
Date:Jan 1, 1993
Previous Article:At long last, meet EDGAR!
Next Article:Readers support North American Free Trade Agreement.

Related Articles
GAO report finds improved single audit quality.
FEI positions: how are they developed?
Catching the important issues.
GAO report gives accounting profession good marks.
Financial Executives Gain Clout with Government.
GAO report: Terrrorism insurance needed.
FEI reorganizes staff to better serve members (people).
Are there good reasons for auditor rotation? Auditor rotation remains a concern of regulators and governance activists, and Financial Executives...
Fei national: about FEI's technical committees.
Withholding tax riles government contractors.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters