The author completed a COSO certification course, appreciating its quality despite previous frustrations with online learning. However, the course fell short in addressing the practical deployment of COSO, leaving gaps in internal-control specifics. Nonetheless, COSO promotes adaptability for organizations, suggesting they can customize the framework to better suit their needs.

I just finished certification in COSO via an online course offered by the 5 US accounting organizations. While I have a somewhat jaded view of online courses (having trudged through a few dozen hours of badly designed learning management systems), I have to say this certification was pretty good. Generally snappy with content and perspectives on COSO that I had not thought of or did not realize.  I hope to cover a few of these  in future blogs but first, a bit of a disappointment.  I was hoping the course would answer the question: ‘How the Heck Do you Deploy COSO?‘.

The COSO on Top, Controls on the Bottom and the Missing Middle Bit

If you are not familiar with COSO, read my prior COSO blogs or visit COSO.org.  Overall the framework does a good job describing the top of Internal Control.  Things such as ethics, board accountability, good information systems, etc.  However when the framework gets closer to defining exactly what is an ‘internal-control’, how many controls should you have and what processes they should be controlling – it goes silent.  Instead it simply points to Management and says: “take care of all those icky bits”.

On the one hand, that is reasonable given the diversity of organizations and situations.  After all, COSO is a framework and is not meant to be prescriptive.  The little help COSO provides (e.g. ‘illustrative tools‘) shows the organization’s audit DNA.  The assessment tool look more like an auditor’s working paper rather than a dynamic – real-time tool to be used by management.

Examples of middle bits are well-known.  The ISO 9000 standard on quality management or recommended Business Process Management organizations.  Heck, even best practices in planning at the strategic, tactical and operational levels.

All is Not Lost

Despite the Gap between the top down view of COSO to the management chasm at the bottom, all is not lost.  Firstly COSO encourages organizations to add ‘Points of Focus’ to better align the framework to the organization.  If necessary, an organization can even add an additional principle to the original 17 in the framework.  These additions or adaptations is the most important A-HA of this course.  COSO is a framework and not a standard.  It is a starting point that organizations can adapt to fit their specific circumstances.

As a final thought, it would be interesting if CPA-Canada modify the course or even better, an international version that transcends the American context found in COSO.  In other words, just like the flexibility of the underlying framework, stretch the course to fit a wider variety of circumstances.