A Perfect Time to Scrap Everything?

Dan Clayton, CPA
Director of Knowledge Management
CHAN Healthcare Auditors

The recent Committee of Sponsoring Organizations of the Treadway Commission (COSO) revision of its Internal Control–Integrated Framework has me thinking it is a perfect time to scrap everything. About 10 years ago a friend was pretty excited about his home renovation project. However, during a visit near completion he confessed he had spent nearly double what it would have cost to scrap the home and start new. He also noted a number of sacrifices they had to make given the frame of the house. If his objective had been historical restoration it could have justified the cost. Is that our COSO revision objective — historical preservation? As I consider the needs of governance and management, I see significant opportunity for our profession that does not currently fit under the COSO roof. Why are we developing standards for the future based on a historical foundation rather than a current need? We can tear down a few walls, modernize a few amenities, but why are we choosing to inherently limit the professional foundation?

Helping to create accountable and transparent organizations should be our future. It is the unstated desire of every organizational stakeholder, even if no one wants it applied to them. Continued corporate failure, difficult economic times, an increasingly anti-corporate public, and increasing regulatory scrutiny will combine to give accountable, transparent organizations a competitive advantage. We are coming out of an era where legal mitigation, financial accuracy, and threat management were the way to protect a corporate reputation while management went about its own way to create value. However, more is being asked today. What management does and does not do to create and protect value is prime public conversation. Why then are we aligning our value contribution to our old concepts of operational efficiency, reporting accuracy and compliance? Management’s need is greater!

Should we not choose a new foundation that first meets — or tries to address — the need for clear accountability and transparency, and then decide how to apply our traditional concepts? If we see management’s need, can we not simply align our internal audit efforts to run parallel with it? Management has one objective, which is to add value to customers. Can we not align our framework with this value pipeline internal to the organization?

Simple value pipeline:

  1. Strategic Development — What value does the organization want to create?
  2. Objective Development — What operations need to be created to get there?
  3. Objective Dissemination — Who is responsible for each part?
  4. Objective Oversight — What is put in place for each objective to monitor progress?
  5. Operations Alignment — What people, process and technology are used and are they aligned efficiently for the current expectations?

The better an organization does these things — with good management — the better its chance of reaching its value. Do we have an opportunity to help identify leading practices along this value creation/protection chain? Can we then measure (by maturity) to identify where value (opportunity or risk) is lost and “controls” or greater formality/transparency are needed? Could not standards along this value chain lead to greater internal reporting on internal vulnerabilities and threats? Sharing the maturity of internal efforts could be a great way to gain public reputation for transparency, anticipating a more corporate critical public over the next decade.

If internal audit truly seeks a strategic vision, is it time to scrap our vision of the value we deliver for a bigger one? Should internal audit build its own framework and exit COSO?

I say yes!

Posted on Jan 11, 2012 by Tim

  1. Dan:

    I, like you, was disappointed when COSO announced before commencing the exercise that the core definition of internal control and the five core categories that comprise the framework were not on the table for discussion or update. That decision condemned the exercise to incrementalism in its worst form. In 2004 I believe COSO made a mistake building COSO ERM on the same flawed five categories of control. Making the same decision 20 years after COSO 92 was launched is even more problematic.

    It is amazing to me that COSO would actually take a big step forward if it was to adopt the original definition of control and the nine control categories proposed in the 1991 exposure draft. I have drafted a white paper that will form part of my response to the COSO 2012 exposure draft. (http://bit.ly/w1Qqp2) I encourage all IIA members to take the time and review the COSO 1991 exposure draft, the 1995 Canadian CoCo framework and the OCEG GRC Maturity Framework and form a knowledgeable view if COSO 2012 represents any forward progress. My view is that it does. I encourage all of you to take the time to really understand the options available and have a view.

    For those of you that read my white paper, you will see that my view is that the IIA is conflicted by its membership in COSO and should lobby the other four COSO members and propose fundamental changes to COSO governance. When was the last time COSO underwent an internal audit that was reported to all members of its member organizations? The answer is never.

  1. There was a typo in my first post. Deficient "RISK TREATMENTS" on my post. The second last sentence in the second paragraph should read:

    " I encourage all IIA members to take the time and review the COSO 1991 exposure draft, the 1995 Canadian CoCo framework and the OCEG GRC Maturity Framework and form a knowledgeable view if COSO 2012 represents any forward progress. My view is that it does NOT. I encourage all of you to take the time to really understand the options available and have a view."

  1. Dan, I like the simplicity and logical sequence of your approach, as it actually reflects how a BOD and C Suite think about and run a business. Trying to force an internal control framework upon us (the only accepted regulatory framework) that is rooted in post World War II thinking is dangerous. The focus has to be on value creation and preservation through good governance, prudent value and risk management, and on how to execute and perform. ISO 31000 did their enterprise risk framework in 25+ pages. So this level of complexity is perplexing. The simpler, the better, the wider the acceptance.

  1. Hi Bruce,

    This is a very interesting and challenging topic. I have worked with a few CAEs back in my consulting days and as I look back I realise this is an area where most of them struggled. Fortunately, or unfortunately, I am now in a position where I am tasked with this responsibility (in a bank by the way). I have drafted my rating system based on the below factors:

    1. The economic value or exposure.
    2. Risk assessment
    3. The control environment

    Each of the factors has related criteria depending on the areas being covered, for example assets under management, economic profit, expenditure, etc. Can you please critique the approach and suggest ways of improving it?

    Cheers
