Does the COSO report pass muster?

• Author: Johnston, Warren
• Position: Committee of Sponsoring Organizations' Internal Control-Integrated Framework - Viewpoint

Editor's note: By now, you've probably heard plenty about Internal Control-Integrated Framework, the report released late last year by the Committee of Sponsoring Organizations. (COSO was established by the National Commission on Fraudulent Reporting, known as the Treadway Commission.) Many companies are embracing its recommendations that they self-assess and monitor their internal-control systems, but some are criticizing the report's approach. (See "From FEI," Financial Executive, January/February 1993.)

If you're like most busy financial executives, you may have read only parts of the report. Warren Johnston, vice president of internal audit at TRW, read the entire document, and here he shares a few of his observations with Financial Executive readers.

In 1987 TRW, like many companies, decided to formally document its internal accounting controls. Worldwide, that effort took almost three years and substantial resources. It didn't encompass the marketing, management, human resources and manufacturing areas, which are included in COSO's Internal Control-Integrated Framework. If we interpret this report as suggesting similar documentation may be needed for all internal controls, following its recommendations could be a very time-consuming and expensive proposition. And while the report is valuable as a tangible reference point and does a good job of pulling together different ideas as a set of guidelines, it doesn't add much new information, except possibly a single definition of internal controls.

COSO's report was intended to be informal, but it could become formal if an organization like the Securities and Exchange Commission endorses all or part of it. If this happens, I'm concerned that internal audit may be deemed responsible for monitoring all internal controls. However, the guidelines must recognize that management has the right to restrict the charter to internal accounting controls.

Also, while the report discusses the CFO's and accounting officer's responsibilities, it establishes the CEO's ultimate responsibility for internal controls. Furthermore, it clearly states that division or plant CEOs have the ultimate responsibility in their organizations and therefore may be held to a higher level of responsibility for internal controls than ever before. The report suggests that evaluation and monitoring activities may have to be in place at those levels as well. Therefore, as a financial executive, you'll have to decide how you and...