The Trouble with COSO

Critics say the Treadway Commission's controls framework is outdated, onerous, and overly complicated. But is there an alternative?

Well, it seemed like a good idea at the time.

Last year, the nonprofit Institute of Management Accountants (IMA) announced plans to host a conference in December. Apparently, the IMA wanted to preview a fledgling internal-controls framework — one aimed at helping publicly traded companies cope with tough new monitoring requirements mandated by the Sarbanes-Oxley Act. The IMA’s offering, devised in conjunction with Paisley Consulting, was intended to be an alternative to the well-established COSO controls framework. That framework, used by the majority of Sarboxers, was first promulgated in 1992 by the Treadway Commission’s Committee of Sponsoring Organizations (hence, COSO).

But when word got out that the IMA, one of the five sponsoring organizations, was offering a rival framework, things turned ugly. Attendees quickly began pulling out of the event. One source close to the situation claims government regulators — many of whom have publicly backed COSO — refused to attend, because they didn’t want to give the appearance of endorsing a rival system. Ultimately, the IMA had little choice but to cancel the event. Larry Rittenberg, COSO’s chairman, says he advised IMA executives to delay the unveiling until he had a chance to talk to them. “We think everyone ought to look for ways to better implement the COSO model,” he explains. “But we should work within the COSO structure.”

Seemingly chastened by the incident, in late January IMA officials agreed to work on developing a management-focused system within the COSO framework. Jeffrey Thomson, vice president for research and applications development at the group, says the template (called Collaborative Assurance & Risk Design: Management Edition, or, unfortunately, CARD: ME) will allow managers, rather than external auditors, to take the lead in setting internal controls. But the IMA’s near-defection speaks volumes about the troubles with COSO. Critics claim that the framework is a broad, principles-based document not particularly suited to internal-controls monitoring. Parveen Gupta, an accounting professor at Lehigh University (who is helping the IMA form a CARD: ME advisory panel), likens COSO to a lifestyle guide for a healthy heart. It’s helpful, he says, but specific cholesterol counts would be even more useful in determining the exact health of a patient.

COSO is also complicated — some say too complicated for midlevel managers. It’s no snap, that’s for sure. The framework has three key objectives (operations, finance, and compliance) mapped across five components, in a manual that runs 353 pages.

Malcolm Schwartz, a member of the IMA, says some managers have assumed the 203-page “Evaluation Tools” section at the end of the book is part of the framework. It isn’t.

The somewhat confusing nature of the COSO framework may explain, in part, why many public issuers have struggled so mightily with Section 404. Then again, it’s not entirely clear if any current controls template adequately addresses the laborious task of documenting and monitoring thousands of internal controls. Finance managers do appear to be searching for alternatives, though. In a poll conducted by CFO in January (see “Standard Deviation” at the end of this article), three-quarters of the respondents said they relied upon various frameworks in addition to, or other than, COSO when mapping internal controls. About a third of the surveyed executives cited the use of COBIT (Control Objectives for Information and Related Technology), a technology-governance model now published by the IT Governance Institute.

