COSO: the rise of the phoenix? For guidance on standards and systems of internal control, you may need to dig into a decade-old report.

• Author: Ferrara, Ralph C.
• Position: Legal Brief

ON JUNE 5, 2003, the SEC adopted yet another rule in a series that implements the Sarbanes-Oxley Act of 2002. The new rule corresponds to Section 404 of the Act, which directed the Commission to promulgate rules requiring public companies to include an internal control report in their annual reports. This internal control report must (i) state management's responsibility for establishing and maintaining an adequate control structure and procedures for financial reporting, and (ii) contain an assessment of the effectiveness of the company's internal control structure and procedures for financial reporting.

As it has with other post-Act rules, the Commission has exceeded the scope of its Congressional mandate.

Beyond a mere assessment of the internal controls, the new rule requires management to evaluate the effectiveness of the company's internal controls using a "suitable, recognized control framework." In the ensuing months, officers, directors, and auditors will be grappling with the question of which framework satisfies this description.

The SEC's guidance as to the meaning of "suitable, recognized control framework" is thin. The rule indicates that the framework must be: (i) free from bias, (ii) sufficiently complete, (iii) relevant to an evaluation of internal control over financial reporting, and (iv) able to allow consistent qualitative and quantitative measurements of a company's internal control. The rule also requires that the chosen framework must have been made available "for public comment."

The Commission's accompanying commentary indicates that the rule does not mandate the "use of a particular framework" because various "evaluation standards exist outside the United States," and frameworks may be developed in the future that "satisfy the intent of the statute without diminishing the benefits to investors."

However, according to the SEC, the "COSO Framework"--first presented in a 1992 report by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)--"satisfies [the] criteria and may be used as an evaluation framework for purposes of management's internal control evaluation" (emphasis ours).

In light of this endorsement, it is difficult to imagine that any publicly held company in the United States will choose another evaluation framework to support its first internal controls report, which must appear in its next 10-K.

COSO was formed in 1985 by five professional associations, including the American...