SUMMARY
In November 2010, COSO announced a project to review and update the 1992 Internal Control—Integrated Framework (COSO 1992). COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment to help ensure that organizations worldwide can better design, implement, and assess internal control. The proposed Framework retains the core definition of internal control and the five components of internal control. One of the most significant enhancements is the expression of concepts described in the original framework into 17 principles, accompanied by related attributes. COSO provided for a 104-day exposure period (from December 19, 2011 to March 31, 2012) for interested parties to examine the exposure draft and provide comments. On March 29, 2012, the Auditing Standards Committee of the Auditing Section of the American Accounting Association provided the comments in the letter below to COSO on Public Exposure Draft: Internal Control—Integrated Framework (COSO Framework).
Data Availability: Information about and access to the release is available at: http://www.ic.coso.org/default.aspx
Board of Directors
Committee of Sponsoring Organizations of the Treadway Commission
Re: Public Exposure Draft: Internal Control—Integrated Framework (COSO Framework)
Dear Board Members:
The Auditing Standards Committee of the Auditing Section of the American Accounting Association is pleased to provide comments on the Public Exposure Draft: Internal Control—Integrated Framework (COSO Framework). We hope that our attached comments and suggestions are helpful and will assist the Board. If the Board has any questions about our input, please feel free to contact our committee chair for any follow-up.
Respectfully submitted,
Auditing Standards Committee
Auditing Section—American Accounting Association
Contributors:
Scott D. Vandervelde, University of South Carolina
Joseph F. Brazel, North Carolina State University
Keith L. Jones (Committee Chair), George Mason University
Paul L. Walker, University of Virginia
COMMENTS
Our comments on the COSO Internal Control—Integrated Framework are organized based on the questions put forth by COSO and PricewaterhouseCoopers.[1] We provide ratings using the five-point scale accompanying the questions (Strongly Agree; Somewhat Agree; Neither Agree nor Disagree; Somewhat Disagree; Strongly Disagree), add our thoughts regarding the reasoning behind our rating for each question, and then provide some overall comments (i.e., our response to question 18).
1. Are you a member of one or more of the COSO organizations?
The American Accounting Association is a COSO organization.
2. Are you responding on behalf of yourself or an organization or company?
The views expressed in this letter are those of the members of the Auditing Standards Committee and do not reflect an official position of the American Accounting Association. In addition, the comments reflect the overall consensus view of the Committee, not necessarily the views of every individual member.
3. Where do you reside?
Committee members reside in various states.
4. Where within your organization do you apply the COSO Framework?
Not applicable.
5. The updated Framework will help strengthen an entity's systems of internal control.
Somewhat Agree. The original COSO framework provides a good fundamental ideal for establishing and maintaining internal controls; however, the limited adoption of (or commitment to) the framework has likely stemmed in part from uncertainty about how to implement it. This type of implementation information has been touted as one of the strengths of the COBIT framework used for information technology controls.[2] A significant strength of the updated Framework is the level of detailed guidance provided for organizations to implement COSO. However, it still comes down to the implementation. In describing the purpose of the five components and related principles, the beginning of the Framework clearly states that the guidance is not to be viewed as a “checklist”:
This listing of principles is not meant to imply a binary checklist. Rather, principles are meant to enable effective operation of the components and the overall system of internal control, with appropriate use of management judgment (paragraph 55).
If organizations treat it as a checklist, then the strength of the ideals behind the Framework will be reduced. However, the principles and the discussion around them appear to lend themselves to having organizations treat the Framework like a checklist. It might be easy for an organization's leadership to feel that, if they can check off each of the 17 principles, then they must be COSO compliant. However, the Framework is more than just the principles. Its effectiveness is a function of the organization committing to the core values behind the Framework. It will be important for there to remain a consistent message from regulators and auditors regarding the Framework not being treated as a checklist. Additionally, the effectiveness of the entity's system of internal controls will be directly impacted by the systems and the people performing the controls.
6. The updated Framework is internally consistent and logical.
Somewhat Agree. The design of the Framework is logical, starting with the Control Environment and the tone at the top, and following through the various components of COSO. The more detailed principles within each of the COSO components will be helpful for implementation within organizations upon adoption. However, the extent of separation between the principles across the five COSO components is in some cases unclear; that is, some of the detailed principles could cross over into other components. For example, under the Information and Communication component, Principle 14 states, “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control” (paragraph 64). The PCAOB considers the lack of documentation of internal controls to be a possible material weakness when evaluating internal control effectiveness. Therefore, Principle 14 could be considered as part of Control Activities within the COSO Framework. As another example, under the Monitoring component, Principle 17 states, “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate” (paragraph 65). Communicating information to the appropriate level of management and those responsible for governance could be considered as part of Information and Communication within the COSO Framework. Upon implementation, other examples could be identified where it is unclear which component of COSO is affected; however, it likely will not matter under which component a principle falls, as long as the principles and underlying ideals of the Framework are followed.
Additionally, the interrelated nature of internal controls within an organization makes it less important to consider the COSO Framework components as independent functions.
7. The updated Framework is written in a manner that is understandable and provides ease of use.
Neither Agree nor Disagree. While the discussion within each COSO Framework component lends itself to possibly being applied like a checklist (a potential weakness of the Framework identified in other comment responses), it is generally easy to understand and should be very helpful in implementing the Framework. When first trying to implement the Framework within an organization, the level of detailed guidance will be more helpful than the original framework. The lack of adoption of the original 1992 framework in the 1990s is likely an artifact of organizations not knowing how to implement it and not understanding its value.
However, the sheer size of the document may affect its usefulness and ease of implementation if managers perceive it to introduce information overload. While the detailed guidance is generally useful, the updated Framework also includes some unnecessary detail that distracts from its overall mission. For example, Principle 7 appears to commingle Internal Control guidance with specific guidance on Enterprise Risk Management (ERM) strategies. Paragraphs 231 and 239 provide interesting examples, but appear better suited for an ERM framework than an internal control framework. These are just a few examples. A more succinct document may be more easily digested and implemented in practice.
8. The updated Framework is applicable to organizations of varying legal structures and sizes, and operating in various geographies and industries.
Strongly Agree. The Framework can be used by all organizations, regardless of size, structure, location, or purpose. The implementation of the Framework will vary based on the type and size of the organization, but the core values can still be followed. Segregation of duties is a common control activity that is important for organizations. If the size of an organization does not allow for the ideal level of segregation of duties, other controls can be implemented in order to compensate for this challenge, such as increased involvement of the owner (for privately held companies) or board of directors. The same will be true for other controls that will vary in their implementation, but the ideals of the Framework remain applicable.
9. The updated Framework will impose additional burdens on entities reporting on internal control—e.g., reporting on internal control over external financial reporting based on Sarbanes-Oxley Act of 2002 (SOX) requirements.
Somewhat Disagree. If entities are already following the original COSO Framework, then the updated Framework should not impose additional burdens. Additional burdens will be realized only by organizations that have not become COSO compliant. The updated Framework provides greater clarification and guidance, but does not change the fundamental core values of COSO.
9a. If you believe that there is an additional burden, is the change appropriate? If not, why not?
The burden for organizations that were not COSO compliant will not be any greater than would be realized if the original COSO Framework were adopted. The burden associated with adopting the updated Framework is appropriate in order to increase the credibility and reliability of information produced for both internal and external purposes.
10. Compared to the 1992 framework, the updated Framework creates a higher threshold for attaining effectiveness of internal control.
Somewhat Disagree. The updated Framework does not appear to change the threshold for internal control effectiveness. It appears to clarify and provide more guidance for what having effective internal controls entails. However, people might still perceive the threshold to be higher because of the listing of specific principles within the Framework. In an article titled “The Impact of SAS No. 82 on Perceptions of External Auditor Responsibility for Fraud Detection,” DeZoort and Lee (1998) show that, while the intent of SAS No. 82 was merely to clarify the auditor's responsibility for fraud detection, the perception was that it increased that responsibility. Similarly, both financial statement users and organization leaders could interpret the updated Framework as creating a higher standard for effective internal controls. If the threshold is perceived to be higher, then the burden for organizations to implement the updated Framework also will be higher (see Question 9).
11. The 17 principles set out in the updated Framework are a complete set of principles.
Neither Agree nor Disagree. It is not clear that it is possible to come up with a “complete” set of principles for internal controls. The principles that are included in the updated Framework provide guidance for implementation; however, these principles are not to be used as a checklist. If the principles are not a checklist, then that implies that there may be other items to consider.
12. The 17 principles with related attributes are helpful in describing important considerations of an effective system of internal control.
Strongly Agree. As previously stated in this comment letter, the principles and additional discussion in the updated Framework associated with the principles provide valuable guidance for organizations to implement the COSO Framework.
13. There are necessary changes to the principles.
Neither Agree nor Disagree. Until the updated Framework is adopted and implemented by organizations, it is difficult to determine whether changes to the principles are needed. Going forward, the involvement of academics could be valuable in helping to evaluate the usefulness of and/or necessary changes to the principles through all paradigms of research: analytical, archival, and experimental.
14. An entity can conclude that it has effective internal control if one or more of the 17 principles are not present and functioning.
Somewhat Agree. Effectiveness of internal controls should be viewed as being on a continuum with “highly ineffective internal controls” on one end and “highly effective internal controls” on the opposite end. At some point on the continuum, the evaluation of internal controls changes from ineffective to effective. The internal controls could be assessed as effective while still not being at the “highly effective internal controls” endpoint, meaning that there is still room for improvement.
15. The updated Framework appropriately expands the reporting objective category (i.e., internal and external reporting, financial and non-financial reporting).
Strongly Agree. In order for the COSO Framework to become part of the core values of an entity, it must permeate throughout the organization in all aspects of the processing of information. This includes the generation and production of internal and external reporting of both financial and non-financial information.
16. The expanded reporting objective, and the manner in which this objective category is presented in the Framework, does not diminish our ability to apply the Framework when reporting on internal control over external financial reporting.
Somewhat Agree. The core values of the Framework should be applicable to all financial reporting, whether it is internal or external, for privately or publicly held entities, for private external constituents, or interested government bodies. The Framework is designed to assist management in increasing the reliability and credibility of information.
17. The updated Framework provides an appropriate balance of reporting, operations, and compliance related approaches and examples.
Neither Agree nor Disagree. Until the application of the updated Framework is observed, it is difficult to evaluate the appropriate balance of these dimensions of the updated Framework. This is another area where academics can play a valuable role in helping to evaluate the effectiveness of the implementation of the updated Framework.
18. Are there any other general comments that you would like to provide?
General Comments
In an article titled “Auditor Independence: A Burdensome Constraint or a Core Value,” Kinney (1999) points out that there are two ways to view auditor independence. The Constraint View of auditor independence means only following the letter of the law in evaluating one's independence. The Core Value View of auditor independence means going beyond the letter of the law and thinking about both the spirit of the independence standard and the true meaning of independence. In order for the COSO Framework to be truly effective, organizations need to approach implementation as a Core Value, similar to how Kinney discusses it with respect to independence. The effectiveness of the Framework depends upon such an implementation by organizations. While the updated Framework is valuable in providing more specific guidance than the original 1992 framework, if organizations view the principles as a checklist, similar to the constraints discussed by Kinney (1999), then its effectiveness will be limited. Paragraphs 351 and 352 support treating internal controls as core values within the entity by pointing out the importance of personnel understanding the role that the internal controls play in the greater mission of the organization and how their individual role supports the entity achieving its objectives.
KPMG published a document titled “The Compliance Journey: Making Compliance Sustainable” (KPMG 2005). KPMG explains that internal control compliance progresses through four different states of an entity's internal controls: fragmented state, functional state, integrated state, and embedded state. These states are increasing in effectiveness as an organization moves from fragmented to embedded. An embedded state of internal control compliance would be representative of an entity displaying the true core values of the COSO Framework, with all people within the entity believing in and following proper internal control procedures throughout the year. In contrast, in the fragmented state, the entity would be treating internal control compliance as merely a requirement (or constraint) with significant efforts required of a designated group each year to ensure effective internal controls.
The updated COSO Framework provides very useful and helpful guidance that hopefully will increase the ability of organizations to implement strong internal controls and understand their true importance. The key to the effective implementation will come down to whether organizations look to the Framework for guidance, and not merely as a checklist.
From a practical standpoint, managers will be looking for greater detail on how the updated Framework impacts their work with respect to SOX 302/404, and how it affects their ability to sign off on the financial statements. It would be wise for the updated Framework to succinctly address these questions up front.
Specific Comments
In Paragraph 44, the committee should consider adding the following to the External Non-Financial Reporting box: Non-Financial Performance Metrics. Research has documented that Non-Financial Performance Metrics can be key determinants of the value placed on a firm (Amir and Lev 1996; Ittner and Larcker 1998; Hughes 2000). These metrics often are disclosed in companies' 10-K filings along with their annual financial statements (in the External Financial Reporting box). For example, popular press coverage of the recent IPO filing by Facebook was directed at both the company's financial performance (e.g., sales growth) and its related Non-Financial Performance Metrics (e.g., number of users, employees) (e.g., Raice 2012). While there is no direct reporting standard for Non-Financial Performance Metrics, a company should maintain effective controls to ensure that these metrics are reported accurately to external stakeholders.
With respect to Principle 8 (Assess Fraud Risk), the Framework appropriately notes that assessing the risk of fraud includes considering incentives/pressures, opportunities, and attitudes/rationalization. These factors can be viewed as ex ante fraud risks (i.e., items that may increase the likelihood of fraud occurring either concurrently or in the future). The authors may want to stress in the Framework that organizations should also consider empirically validated ex post measures of fraud risk, that is, measures that indicate fraud has already occurred (often called fraud red flags). Examples of fraud red flags include excessive management turnover (particularly related to accounting and finance), large positive differences between net income and cash flow from operations, large positive differences between sales growth and growth in related Non-Financial Performance Metrics (e.g., number of website users, employees, products, patents), and consistently meeting or just beating analyst earnings forecasts (e.g., Lee et al. 1999; Graham et al. 2006; Brazel et al. 2009). Thus, organizations can assess fraud risk by examining not only the sources of fraudulent behavior (i.e., the fraud triangle), but also the ex post effects of fraud that often are observed via the review of fraud red flags. The advantage of ex post fraud risk factors is that organizations can potentially identify where to ask pointed questions and collect relevant data to detect fraud (e.g., a specific division where both management turnover is high and a large positive difference exists between sales growth and growth in related Non-Financial Performance Metrics). The Supplemental Guide discussed in the Framework would be a good source for providing empirically validated red flags (as well as benchmarks) for organizations to consider in their assessment of fraud risk.
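As an added illustration of the ex post screening described above (example code, not part of the committee's letter or the Framework), the following Python computes the four red flags named in the paragraph over constructed division-level data and ranks divisions by the number of flags raised. The field names and the cut-off values are assumptions for the example, not benchmarks from the cited studies.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DivisionYear:
    """One division's figures for the year under review (all values constructed)."""
    division: str
    net_income: float
    cash_from_ops: float
    total_assets: float
    sales_growth: float                       # year-over-year, as a fraction
    nfm_growth: float                         # growth in a related non-financial metric (e.g. users)
    mgmt_turnover: int                        # senior accounting/finance departures this year
    eps_history: List[Tuple[float, float]]    # (actual EPS, consensus forecast) for recent years


# Illustrative cut-offs assumed for this example; they are not benchmarks from the letter
# or the studies it cites (supplying such benchmarks is what the Supplemental Guide would do).
THRESHOLDS = {
    "accrual_gap": 0.10,   # (net income - cash from operations) / total assets
    "nfm_gap": 0.20,       # sales growth minus non-financial metric growth
    "turnover": 2,         # departures per year
    "beat_margin": 0.02,   # "just beating": actual exceeds forecast by at most this much
}


def red_flags(d: DivisionYear, t: Dict[str, float] = THRESHOLDS) -> List[str]:
    """Return the ex post red flags raised by one division-year."""
    flags = []
    # Large positive difference between net income and cash flow from operations.
    if (d.net_income - d.cash_from_ops) / d.total_assets > t["accrual_gap"]:
        flags.append("net income well above cash from operations")
    # Large positive difference between sales growth and growth in a related NFM.
    if d.sales_growth - d.nfm_growth > t["nfm_gap"]:
        flags.append("sales growth outpaces non-financial metric growth")
    # Excessive management turnover in accounting and finance.
    if d.mgmt_turnover >= t["turnover"]:
        flags.append("excessive management turnover")
    # Consistently meeting or just beating the analyst forecast in every year on record.
    if len(d.eps_history) >= 2 and all(
        0 <= actual - forecast <= t["beat_margin"] for actual, forecast in d.eps_history
    ):
        flags.append("consistently meets or just beats forecast")
    return flags


def screen(rows: List[DivisionYear], min_flags: int = 2) -> Dict[str, List[str]]:
    """Divisions with at least min_flags red flags, most flags first: where to ask pointed questions."""
    hits = {r.division: red_flags(r) for r in rows}
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return {name: flags for name, flags in ranked if len(flags) >= min_flags}


# Constructed sample data for three hypothetical divisions.
SAMPLE = [
    DivisionYear("Alpha", 12.0, 2.0, 50.0, 0.40, 0.05, 3, [(1.01, 1.00), (1.51, 1.50), (2.00, 2.00)]),
    DivisionYear("Beta", 10.0, 11.0, 100.0, 0.10, 0.12, 0, [(1.30, 1.00), (1.10, 1.20)]),
    DivisionYear("Gamma", 8.0, 8.5, 40.0, 0.30, 0.05, 2, [(1.00, 1.00), (0.99, 1.00)]),
]

if __name__ == "__main__":
    for name, flags in screen(SAMPLE).items():
        print(f"{name}: {', '.join(flags)}")
```

A flagged division is a place to ask pointed questions and gather more data, not a finding of fraud; the accrual and growth gaps would normally be compared against industry benchmarks rather than fixed cut-offs.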
REFERENCES
[1] As stated on the COSO website, “COSO engaged PwC as the author of the update.”
[2] Further information about the COBIT framework is available at: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx