319 62 147KB
English Pages 4 Year 2004
COSO Update
Financial Executives Research Foundation
COSO Update Comment Deadline Nears on Exposure Draft Enterprise Risk Management October 2003 The deadline for commenting on COSO’s newest project-Exposure Draft Enterprise Risk Management Framework- is October 14. To assist your review, FERF has prepared this topical alert to explain COSO and the ERM Framework and to provide an FEI member’s view of the ERM Framework. COSO/ERM Basics In August, the Committee of Sponsoring Organizations (COSO), sponsors of Internal ControlIntegrated Framework, issued an exposure draft of Enterprise Risk Management Framework. COSO is seeking comments from the public by October 14, 2003. What is COSO? COSO (http://www.coso.org) is the Committee of Sponsoring Organizations. Formed in 1985 as an alliance of five professional organizations, this coalition was established to create a single voice in the financial business community on issues related to the problem of fraudulent financial reporting. The body of work sponsored by COSO thus far has given birth to many standard internal control terms, such as “tone at the top.” The committee describes its mission in this manner: COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. There are five sponsoring organizations, including Financial Executives International (FEI), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA) (formerly the National Association of Accountants). For more information, read a report prepared by FERF "What is COSO? Defining the Alliance That Defined Internal Control." Go to http://www.fei.org/rfbookstore/PubDetail.cfm?Pub=146. What is the ERM Framework? Enterprise Risk Management (ERM) is the process of identifying and analyzing risk from an integrated, company wide perspective. The Enterprise Risk Management Framework, which is a model for discussing and evaluating an organization's risk management efforts, encompasses Internal Control-Integrated Framework in its entirety. In an interview with the IIA, John J. Flaherty, COSO Chairman, discussed the genesis and objectives of the ERM Framework. "Although a lot of people are talking about risk, there is no commonly accepted definition of risk management and no comprehensive framework outlining how the process should work, making risk communication among board members and management difficult and frustrating. The COSO board felt that this situation was similar to that which existed prior to the publication of Internal Control- Integrated Framework. Just as that study helped get everybody singing off the same song sheet when it came to internal control issues, our goal is that the ERM Framework will offer boards and management a commonly accepted model for discussing and evaluating an organization's risk management efforts."
Financial Executives Research Foundation |1
COSO Update Comment Deadline Nears on Exposure Draft Enterprise Risk Management October 2003 How was the ERM Framework developed? COSO hired PricewaterhouseCoopers to author the report under the direction of the COSO advisory council. The draft framework, issued in August, is available for comments, which are due by October 14. In addition to the Framework that is currently available for comment, COSO, with the assistance of PricewaterhouseCoopers, is developing Application Guidelines, to provide users with specific steps for implementing and evaluating an ERM program. The date for issuance of the Application Guidelines is not known at this time. How does issuance of the ERM Framework impact my using the Internal Control-Integrated Framework for evaluating my internal controls over financial reporting under Sarbanes-Oxley Section 404? The issuance of the ERM Framework does not currently impact how companies use the Integrated Framework for evaluating internal controls over financial reporting under Section 404. However, since the ERM Framework encompasses the Integrated Framework in its entirety, use of the ERM Framework, once finalized, is expected to be acceptable for Section 404 purposes. The concern currently expressed by FEI’s Committee on Corporate Reporting is that it is difficult to support the ERM Framework without seeing and commenting on the Application Guidelines. Those who have concerns may consider commenting to COSO by the October 14 deadline. A Member’s View of the ERM Framework FERF interviewed R Malcolm Schwartz, a member of the New Jersey chapter of FEI since 1980, to learn his view of COSO’s new Exposure Draft Enterprise Risk Management Framework. As a former management consulting partner at PricewaterhouseCoopers, he was one of the principal contributors to COSO's Internal Control-Integrated Framework. He is currently a senior vice president of Technology Solutions Company and the COO of CRS Associates LLC. FERF: How is the ERM Framework different from the Integrated Framework? Schwartz: The ERM Framework builds upon the Integrated Framework. The Integrated Framework defined five interrelated components of internal control: 1. Control environment 2. Risk Assessment 3. Control Activities 4. Information and Communication, and 5. Monitoring The new Framework expands item number 2, Risk Assessment, to provide more specific detail regarding risk. It breaks risk assessment into thee pieces: event identification, risk assessment and risk response. FERF: What do you like about the ERM Framework? Schwartz: It gives more detail to assist in analyzing risk. As examples, Exhibit 5.1 provides examples of techniques for identifying risk-related events, Exhibit 6.1 provides descriptions of qualitative and quantitative methods for assessing risk, and Exhibit 5.2 provides event categories for internal and external factors. Financial Executives Research Foundation |2
COSO Update Comment Deadline Nears on Exposure Draft Enterprise Risk Management October 2003 FERF: What would you change about the ERM Framework? Schwartz: In the Integrated Framework, the three objective categories were operations, reporting and compliance. The ERM Framework adds strategic objectives. I would have left the three categories because strategic and operational objectives are intimately connected. And, I would have left reporting objectives as distinctive for external reporting, because internal reporting pervades all aspects of internal control and risk management. FERF: Some financial executives have expressed concern about how the ERM Framework figures into the Sarbanes-Oxley Section 404 work they have been doing. How are you addressing this issue as SVP at Technology Solutions and COO at CRS Associates? Schwartz: My approach has been to continue working with the Integrated Framework. The ERM Framework is still a draft and no one knows how different the final report will look from the draft. I, too, have noticed some confusion at the companies with whom I work. I think that the issuance of the ERM Framework may have caused less confusion in the business community if it had been issued as a supplement to the Integrated Framework, rather than as an entirely new framework, which does encompass the Integrated Framework. FERF: In the next few months, COSO will be issuing application guidelines to assist managers in using the ERM Framework. What do you expect to see in the ERM Application Guidelines? Schwartz: I expect that ERM Application Guidelines will be similar to the Integrated Framework’s Evaluation Tools. I hope that they will include further definition and assessment of risk evaluation techniques. A comparison of different techniques, especially qualitative versus qualitative techniques, would be useful to managers who are trying to determine how to assess their business risks.
This Topical Alert was authored by Tiffany McCann. Copyright © 2003 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher. Financial Executives Research Foundation, Inc. (FERF) publishes material in the field of business management, with particular emphasis on the practice of financial management and its evolving role in the management of business. FERF is a 501(c)(3) independent nonprofit educational organization that relies on voluntary, tax-deductible contributions. FERF receives no portion of FEI membership dues. Order this and other FERF publications by logging on to http://www.fei.org/rfbookstore/. Discounts available to FEI members and FERF donors. BECOME A CORPORATE SUBSCRIBER TODAY WITH A 100% TAX-DEDUCTIBLE PLEDGE OF $250 TO FERF AND RECEIVE ALL FUTURE PUBLICATIONS, AS WELL AS MONTHLY TOPICAL AND ISSUE ALERTS, FREE OF CHARGE FOR ONE FULL YEAR. To subscribe, access our secure Online Support Form at https://www.fei.org/rf/secure/supportform.cfm (please be sure to include e-mail address).
Financial Executives Research Foundation |3