Internal control and risk management enthusiasts, listen up: we have a new podcast with incoming COSO chairman Paul Sobel, who talked about his desire for COSO to publish more guidance to help companies understand how to put its internal control and risk management frameworks to good, practical use.
As always, you can listen to the full conversation above. Meanwhile, here are Sobel’s points that stood out most to me.
No big projects; more practical guidance. Sobel says he wants to invoke “a bit of a moratorium on big frameworks” since COSO has already undertaken two this decade: first, an overhaul of its framework for effective internal control, published in 2013; and then an overhaul of its framework for enterprise risk management, published last year.
Both of those overhauls were much needed at their respective times. Most companies use COSO’s internal controls framework to manage their Sarbanes-Oxley compliance, and they had been laboring under the original framework from 1992 until Version 2.0 came along five years ago. Then COSO launched into its ERM overhaul — again, much needed, since the financial crisis demonstrated how painfully inadequate most risk management and corporate governance efforts were.
So it’s good that we have these updated frameworks, more reflective of how modern organizations actually work. But many organizations still struggle to take the broad principles of either framework and apply those concepts to the specific risks they face. Hence, Sobel says, “This will be the opportunity to focus on guidance and thought leadership papers.”
The first bit of help is likely to come later this spring: a compendium of practical examples of how to put the ERM framework to good use. COSO published similar “example guidance” with its 2013 internal control framework.
Sobel also hinted that we might see more guidance for the internal control framework as well, although nothing definite is planned yet.
Demonstrating effective internal control over financial reporting, he said, “continues to be somewhat burdensome for our organizations.” That could lead to more guidance on applying the internal control framework’s principles and points of focus to specific risks.
Two thoughts come to my mind when I hear that. First, I’ve heard of audit firms insisting that all of a company’s internal controls and documentation be matched to the internal control framework’s points of focus. That’s painstaking work, which pushes up audit fees. So guidance along these lines might be ammunition internal control executives could use to push back against overly demanding auditors.
Second, I wonder how more internal control guidance might fit into the larger context of reducing SOX compliance obligations — an idea that’s all the rage with Republicans running Congress and the Securities and Exchange Commission these days. They would love to repeal Section 404(b) of SOX, which requires an annual audit of internal control.
As I’ve said before, I don’t believe 404(b) repeal will solve the problem SEC leadership wants to address, and I’m dubious that Congress will ever amend SOX so dramatically. But more guidance to help companies navigate internal control over financial reporting in a cost-effective way is always a good thing. Let’s hope COSO does it.
We need to show the board and C-suite why frameworks matter. Disclosure: I’m a big fan of the COSO frameworks, because when you take the time to read and consider them in detail, you see how they really can apply to a wide range of specific challenges: vendor risk management in the cloud computing world; “runaway executive risk” that might lead to sexual misconduct allegations; and so forth.
The challenge is in getting leadership to embrace the frameworks (especially the ERM framework) as tools for that more disciplined approach to risk management. Boards everywhere feel overwhelmed with risk, and wish they could get their arms around all the risk issues in a disciplined way — but they can’t quite see how the COSO frameworks might help.
Sobel sees this too: the frameworks need to be applied at a strategic level. “I feel like the foundation is already there for effective governance,” he said. “We just need to be sure that organizations are looking at, understanding, and embracing those components.”
He didn’t promise specific guidance on how parts of the ERM and internal control frameworks can be applied to governance, but the raw material is there: the Control Environment component of the internal control framework; and the Governance & Culture component of the ERM framework. Let’s hope we see more on that sometime in the future.
Up next: sustainability. COSO is already working with the World Business Council for Sustainable Development to develop guidance applying the ERM framework to sustainability issues. (Draft guidance out! Public comment until June 30!) Sobel was quick to say COSO will never get into the business of issuing standards directly, but it does want to develop more material to help companies apply risk management principles to specific risks that might be defined by standard-setting bodies.
“I think [the sustainability project] is a really good example of how organizations can benefit from joint guidance, applying the ERM framework to specific risk areas,” Sobel told me.
I agree. Now, if we could only convince COSO and NIST to work together on more guidance for cybersecurity risks…