COSO Enterprise Risk Management - Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) created its internal control integrated framework to help enhance organizations' enterprise risk management systems while still ensuring compliance with existing systems of ethics. At the time it was constructed, a series of business scandals had raised "heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk" (Flaherty & Mackey v). COSO was first instituted in the wake of the savings and loan debacle of the 1980s, and there were calls for greater and more transparent record-keeping on the part of organizations to protect both investors and shareholders (Shaw 1). Of course, since its implementation, the wave of accounting-related scandals has failed to abate. COSO has been updated and reformed in the 21st century after the passage of the Sarbanes-Oxley Act (SOX), but whether it has the necessary specificity to offer meaningful guidelines to organizations to reduce risk, enhance growth, and ensure compliance with existing standards remains debatable.
COSO defines enterprise risk management as responding to several core, basic needs. The first is "aligning risk appetite and strategy," given that risk will vary from entity to entity (Flaherty & Mackey 1). It also means being more responsive to risk, making decisions so that the best response is selected. As well as reducing losses, risk management according to COSO also entails proactively identifying surprises and being better able to identify risks across enterprises. It also means seizing opportunities to capitalize upon and more effectively deploying organizational capital (Flaherty & Mackey 1). Ideally, implementing COSO creates a more proactive and responsive organization that is agile enough to respond to changes in the environment. Its lack of specificity as to what constitutes risk is seen as a way to ensure that the framework will remain applicable as the economy changes and that it can be equally appropriate to a wide variety of organizations.
COSO views risk management as holistic in nature and encompassing a unified strategy throughout the system. "The framework emphasizes the importance of identifying and managing risks across the enterprise from a portfolio perspective. Many organizations perform risk management within each subdivision, but part of the overall vision of ERM is that the risks that occur in the subunits and sublevels of the entity are aggregated and viewed from the top as an overall portfolio of risk" (Chapman 3). It is a process-based theory and does not view internal controls as an end in and of themselves. Education of all employees is prioritized as a method of control, as all organizational players must work to improve operations, reporting, and compliance. There is a strong stress upon creating a culture that takes an appropriate view of risk and views ethics in a positive fashion, rather than as a threat to productivity. "Many frauds occur in companies that have excellent internal control systems because the corporate culture allows managers and employees to 'look the other way' and simply ignore that controls are being overridden" (Baggett 10). COSO's open-ended framework is guided by the concept that "attitudes are as important as systems" and that management must construct a belief system founded upon ethics (Baggett 10).
However, there have been a number of vocal critics of this somewhat diffuse concept behind the COSO framework. COSO has been criticized as excessively vague: it is fundamentally a principles-based system, without definitive, concrete standards. While in some quarters there has been increasing appreciation of a principles-based approach to accounting, others view this as giving too much discretion to management to misrepresent results. "Relying exclusively on rules permits accountants to declare a financial statement has met the letter of the law, or regulation, even when the spirit of the law is being grossly defiled. Under a principles regime, accountants would be required to use their judgment to determine if various financial reporting tactics are kosher or not" (Berkowitz & Rampell 1). But as noted in the trade publication CFO: "Critics claim that the framework is a broad, principles-based document not particularly suited to internal-controls monitoring. Parveen Gupta, an accounting professor at Lehigh University (who is helping the IMA form a CARD: ME advisory panel), likens COSO to a lifestyle guide for a healthy heart. It's helpful, he says, but specific cholesterol counts would be even more useful in determining the exact health of a patient" (Shaw 1). Advocates of principles-based standards view the training needed to give people the necessary moral compass to engage in proactive decision-making as the best way to found an organization more compliant with the principles of mitigating risk. The principles-based system encourages employees to obey existing regulations rather than merely adhering to the letter of the law; opponents view this approach as dangerously open-ended. Rules offer accountants the advantage of appealing to clear guidelines if clients protest a particular action, but organizations have shown themselves to be extremely creative when seeking a profit and find ways to avoid the rules.
"A principle-based system of standards looks to a 'timeless' body of accounting concepts for guidance" (Berkowitz & Rampell 2002).
COSO has also been criticized as too complicated for managers without extensive accounting experience to implement and as unnecessarily unwieldy. "The somewhat confusing nature of the COSO framework may explain, in part, why many public issuers have struggled so mightily with Section 404" (Shaw 2006). Section 404 of the Sarbanes-Oxley Act requires that issuers "publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting" (A guide to Sarbanes Oxley, Section 404). What constitutes adequate scope and adequacy is itself hotly debated, and COSO provides few specific guidelines in this critical area, once again relying upon principles versus rules.