Internal Control and COSO

Accountants are trained to think about and implement controls.  The classic examples are segregation of duties, reconciliations or budgets.  Generally, though, these controls are designed to manage risk at the transactional level, where an error or a small fraud might occur.  The big frauds, of course, happen in the C-suite and include such classics as off-balance-sheet liabilities, rogue traders or manipulation of inventories.

COSO to the (US) Rescue!

The accounting community in the United States reacted to a series of such misdeeds in the late 1970s by forming the Committee of Sponsoring Organizations (COSO) in the late 1980s and issuing the 1992 COSO Integrated Framework (with a major revision released in 2013).

COSO has many benefits, not the least of which are defining internal control, describing three lines of defense and providing a multi-dimensional model for thinking about the framework.

Internal Control Defined

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide “reasonable assurance” regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

Three Lines of Defense

Responsibility for meeting this definition is described in COSO as the Three Lines of Defense.  Operations form the first line of defense, the corporate accounting/management function the second, and the Internal Auditor the last line of defense.

COSO Lines of Defence (courtesy of the Institute of Internal Auditors, [2])

The responsibilities of each of the groups (or “lines”) are [2, p.2]:

  1. Own and manage risk and control (front line operating management).
  2. Monitor risk and control in support of management (risk, control, and compliance functions put in place by management).
  3. Provide independent assurance to the board and senior management concerning the effectiveness of management of risk and control (internal audit).

The COSO Cube

The work of the lines of defense is done within three dimensions, represented as a cube.  The top of the cube shows the COSO objectives, each slice approximately paralleling the lines of defense discussed above.  The face of the cube represents the five key components, or levels, of internal control, which are further defined into 17 distinct principles and then 87 Focus Points.  Finally, the side of the cube represents the application of the framework to an organization.

3 Dimensions of Internal Control – COSO Cube

Criticisms of the COSO Framework

And there you have it, the COSO framework… so what are you waiting for, go ahead and implement it… While conceptually brilliant and a very good start, the framework has received criticism for a number of reasons, including the following:

  1. Mechanistic View of Organizations. An underlying assumption of the COSO framework is a large corporate structure in which the board commands and the workers at the bottom execute.  There is nothing particularly wrong with this model, other than that organizations are increasingly moving away from it.  For example:
    • How do you manage internal control in a virtual organization?
    • How do you account for corporate structures that push accountability down as far as possible?
    • The framework suggests that culture and organizational tone are entirely a function of the board or senior management, rather than of a large set of interactions among staff, contractors and, of course, customers.
  2. Overly Complex.  The COSO framework suggests that a control is a function of 3 Objectives X [5 components composed of 17 principles and 87 focal points] X the complexity of the organization.  This is a LOT of data points and measurement factors to consider.
  3. Not Practical. A consequence of this complexity is the impracticality of the framework.  A CFO is hard pressed to implement controls and then show a sequential evidence chain from a particular control mapped up to the framework.
  4. No Review, Revision, Retirement or Continuous Improvement.  There is almost no focus whatsoever on sustaining, improving and retiring controls.  Thus once a control is put into place it is almost a statement of gospel, unchangeable, as opposed to being simply a tool for management to achieve its objectives.  Like any tool, internal controls periodically need to be sharpened, maintained and retired.
  5. Overtly Accountant and US Focused. COSO is too much a document of its circumstances, reacting to fraud and misdeeds, rather than helping the majority of organizations build better organizations.  Personally I think that COSO could benefit from some globalization (e.g. add a Canadian, UK or Singapore accounting organization to its ranks) and from a non-academic roster (perhaps also add a trade union as a sponsoring organization).
  6. Too Audit Focused.  A continuation of the above, but is the last line of defense really the auditor or the regulator?  To me the last line of defense is the shareholder or the citizen.  The auditor is simply a service function, or bridge, between these stakeholders and the management of the company.  COSO over-inflates the importance of the audit function.
  7. Re-Draw the 2nd and 3rd Line of Defense Blocks.  Okay, this one is a bit nit-picky, but if you go back up to the lines of defense above, I would draw the lines of defense more proportionally.  Of course the problem is that the first line should then be drawn at, say, 90% of the real estate, with the second coming in at 9.9% and internal audit the nominal remainder.  Nevertheless, how about a 50%, 40% and 10% ratio at least?
  8. No Usable List of Controls. For all of its focus on control activities, exactly what are the control activities that can be used, and what are the cost/benefit of control, control effectiveness and maintenance considerations?  Such a publicly available list would be a great service to the larger accounting community (and an excellent topic for the next blog!).
  9. The Principles are an Excellent Start but Seem Incomplete.  In the 2013 COSO update, 17 principles were added, each having points of focus.  The principles are generally very good, but the problem with a list is that it is never complete.  Somehow 17 seems too few and too incomplete; nevertheless, an excellent start.

So is COSO Useful to Organizations?

An emphatic YES.  While flawed, US-centric and audit-focused, it also represents a step forward in understanding internal controls.  Through a series of blogs and thinking I am hoping to identify ways in which COSO can be made practical within a larger concept that considers not only organizational control but also organizational enablement, a subject first explored in the March 2018 blog: Organizational Efficiency and Control Model.

[1] Criticisms of COSO (not an exhaustive list, but enough to get you started):

  1. Risk Management and Insurance Research.
  2. Why the COSO frameworks need improvement.
  3. The Trouble with COSO.

[2] Leveraging COSO Across the Three Lines of Defense, The Institute of Internal Auditors (2015)
