FEE commented to COSO on internal control

13 March 2012

FEE published its comment letter on the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Public Exposure on Internal Control - Integrated Framework.

Sound corporate governance, including sustainable internal control systems, is crucial for companies around the world, as it is a key factor in ensuring and restoring confidence in capital markets through the provision of financial and non-financial information of the highest quality.

To serve the purpose of sound and sustainable internal control systems, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Framework has been widely recognised and has proved its worth as a solid base for the set-up and functioning of these systems in companies worldwide. This is beyond the reference in the COSO Framework to the US Sarbanes-Oxley Act, Section 404, on effectiveness of internal control.

The societal developments and the financial and economic challenges companies have faced since the inception of the COSO Framework on internal control, and in particular over the last couple of years, have proven the need for a review of internal control frameworks in general. This review should be carried out to ensure that the corporate governance systems as a whole, including the internal control frameworks, are fit for purpose for the future.

Therefore, the review of the COSO Framework for internal control is timely in the context of the large variety of areas that are in focus of policy-makers and standard-setters around the world. Policy-makers and other stakeholders have especially identified the need for strong corporate governance, and internal control and risk management are areas where stakeholders are showing increased interest.

In the context of strong corporate governance, external audit forms an important part of the system as a whole. Any improvements to internal control systems of companies should therefore include due consideration as to how the internal control systems of the entity interact with the other elements of the governance of the entity, including risk management, internal audit, external audit and disclosures about corporate governance, and in particular, the fundamental relationships and obligations between employees, management, board committees, boards, auditors and shareholders at large.

Auditors can add value to companies’ corporate governance. Their expertise can be (and is already) provided in a variety of ways, all subject to the relevant ethical and independence provisions. As auditors base their general risk assessment of the company on the internal control system and subsequently design their audit procedures accordingly, the internal control framework applied by the company is of significant interest to external auditors, in addition to its relevance to internal auditors, risk management departments and to management. This internal control framework goes further than what is referred to under Section 404 of the Sarbanes-Oxley Act, where the assessment and certification only cover the effectiveness of internal control over financial reporting. The ISAs also refer to internal control assessments in relation to financial reporting. Therefore, external auditors will be considering the appropriate application of the principles of the COSO Framework for that purpose.

FEE's general comments on the Consultation Paper that are relevant from the viewpoint of the audit profession with a European or international perspective are summarised below:

  1. The COSO Framework should be developed with a global view in mind, as it is widely used globally and could be considered as a world-leading framework for internal control. It has a large variety of stakeholders across the world which underpins the need for flexibility in the framework in order to make it applicable for as many users as possible. COSO should note that the IFAC is currently working on the same topic and international cooperation is therefore encouraged.
  2. The role of the board and of the audit committee could be further addressed, as boards and audit committees play a pivotal role for the monitoring of internal control in companies in addition to the monitoring activities carried out by management and internal audit. Especially the relationship between the audit committee and the auditor and guidelines to enhance the quality of the cooperation between the two parties are of key importance.
  3. With regard to the COSO Cube, the objectives should be amended to include strategic processes, and the original 1992 order of the components should be restored to highlight visually that Control Environment is the foundation on which the other components stand.
  4. The COSO Framework appears to have been developed with (very) large companies in mind. A proportional approach to internal control has been addressed in the Consultation Paper, but could be further developed to ensure that the framework is applicable to companies of all sizes and with different levels of complexity. Furthermore, it should be ensured that the COSO Framework is sufficiently adapted to allow for new business models, such as internet companies where a different setup of internal control is needed. It should also be taken into consideration that information technologies are much more widespread today for all companies than they were at the inception of the original COSO Framework.
  5. Governance of COSO could be improved. This would include a more representative organisation, as well as installing due process measures that entail conducting public consultations of all volumes of the framework, and summarising the comments received in feedback statements.



© FEE