COSO has yet to demonstrate that its internal control framework is effective. It costs SEC filers hundreds of millions of dollars each year to comply with the current framework, without any evidence that it enhances internal control or improves corporate performance.
COSO has recently issued for public submission an exposure draft revising its 1992 document Internal Control – Integrated Framework. The period allowed for public submissions has now closed. The redraft does not represent a substantive change from the 1992 document.
Neither COSO nor the authors of the redraft on behalf of COSO have undertaken or cited any systemic attempt to review the efficacy of COSO’s approach to internal control. Before proceeding to issue the re-draft, COSO must demonstrate clearly and systematically that the present framework is broadly effective at BOTH (i) its original purpose – improving internal control of financial reporting – and (ii) its broader purpose of promoting internal control in other areas of organizations’ activities. Asking executives their opinion is, in itself, a valuable exercise but does not demonstrate efficacy empirically. We believe it is responsible to question the COSO framework’s performance against these sets of objectives in light of the financial crisis and its impact of the value of SEC filers from the financial sector and the impact of the subsequent economic crisis on filers in other sectors, across jurisdictions.
Therefore, we, the undersigned, call on
(1) SEC, PCAOB (who endorse the COSO framework in regulation) and COSO to recognize that the proposed redraft of COSO has been undertaken with little or no empirical understanding of the efficacy of COSO in achieving organizational internal control.
We call further on
(2) COSO to withhold publication of the redrafted COSO internal control framework until it has completed a properly-independent, methodologically robust and comprehensive review of COSO’s effectiveness at promoting internal control over financial reporting, over compliance and operations, as well as achieving higher-level organizational control. The latter objective set includes ensuring the user organization is ‘in control’ and achieving higher-order objectives including return on shareholders’ investment presently and in the foreseeable future.
(3) COSO (the organization) to publish the results of the study or studies it commissions to review COSO’s (the framework’s) efficacy and to conduct a systematic consultation on the future direction of both (a) quasi-regulation on internal control over financial reporting and (b) broader aspects of internal control.
(4) COSO to determine the utility of the current re-draft of COSO (the framework) based on the findings of its review(s) and consultation exercise and to determine whether or not to publish it, and with what amendments, based on the reviews we have called for above.
