Reducing separate evaluations would be a good thing. Finance chiefs have complained bitterly about the huge duplication of work among finance departments, internal audit, and external auditors in the pursuit of 404 compliance. Those complaints were not lost on members of the PCAOB: in May, they issued a statement encouraging auditors to exercise more judgment and to rely on the work of others. So far, that doesn’t seem to be happening. Defenders of the COSO model, however, insist such duplication is inevitable, particularly in the early stages of Section 404 compliance. “Implementing [Sarbox] and the PCAOB’s Auditing Standard No. 2 was like any other new venture,” says Nick Cyprus, senior vice president, controller, and chief accounting officer at Interpublic Group. “Start-up costs and the learning curve were high. Everyone was learning.”
The White-Elephant Reference
The difficulties may have stemmed in part from a lack of advice from external auditors. Spooked by the demise of rival Arthur Andersen — and the subsequent rise of the PCAOB — the remaining Big Four firms have reportedly adhered strictly to the letter of the law in maintaining their independence during audits.
Even with some auditor input, mapping COSO to Sarbox can be nettlesome. One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, those objectives are applied to five key components (monitoring, information and communication, control activities, risk assessment, and control environment).
Given the number of possible matrices, it’s not surprising that the number of audits can get out of hand. Celanese Corp., an industrial-chemicals company, is creating a risk-and-controls matrix that revolves around the Treadway Commission’s model. But eager to reduce the amount of documentation and testing, the company is focusing only on implementing the COSO components that relate directly to Section 404.
Selecting the key areas related to financial reporting was no easy task, recalls Paul Peters, Celanese’s Sarbanes-Oxley project director. “As a framework, COSO has value,” he says. “But CFOs must be careful of this white elephant. It is more than what is required in Sarbanes-Oxley.”
Tim Leech, chief methodology officer at Paisley, argues that while the COSO standard was groundbreaking at the time, it was not meant to be a marking guide for controls. Leech, who has been working on the CARD: ME system since 1986, believes that COSO is akin to a book on grammar principles — it doesn’t help you evaluate a fourth-grader’s writing and determine whether the student should pass or fail. Consequently, the model does not permit reasonably consistent and repeatable measurements of a company’s control over financial reporting.
Small companies have had a particularly hard time applying COSO. In the past, finance managers at many of these businesses relied upon external auditors to provide advice on financial systems. Section 404 changed all that. With few options, executives at some of these businesses have besieged officials at COSO, seeking help. The committee responded, releasing an exposure draft of a guidance initiative for small businesses in October. At press time, the group was readying the final version of the guidance for public release.