Larry E. Rittenberg, PHD, CIA, CPA: there is no shortcut to good controls; COSO's new chairman says every corporation needs muscular internal controls and audit executives with the authority to enforce them

Internal Auditor, August, 2005 by Russell A. Jackson

AT FIRST BLUSH, IT MIGHT SEEM THAT LARRY Rittenberg, Ernst & Young professor of accounting and information systems at the University of Wisconsin, Madison, took the reins of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) last year at a time of particularly propitious circumstances. The U.S. Sarbanes-Oxley Act of 2002 laid out a road map for internal controls, and the organization's own Enterprise Risk Management (ERM)--Integrated Framework, issued in 2004, seemed to provide clear guidance for how companies should embrace risk management. COSO, an outsider might thus assume, could more or less coast along, tweaking one piece of guidance here and explaining the details of a specific part of its frameworks there.

But that's not the case. As Rittenberg hits the six-month mark in his three-year tenure as chairman of COSO, Sarbanes-Oxley is under assault by business lobbyists, and worldwide opinion regarding the ERM framework is growing more diverse and pointed day by day. Indeed, Rittenberg says, "COSO has made tremendous strides over the years, but we have a lot of work yet to do."

Rittenberg may be uniquely qualified to handle that work. He is a former IIA vice president of research and president of The IIA Research Foundation and currently serves on the board of directors, governance committee, and audit committee of Woodward Governor Co., a publicly traded energy control systems manufacturer based in Rockford, Ill. His work in auditing, risk, control, and governance includes more than 45 articles and monographs, and he was a member of the drafting subcommittee of the Report of the NACD Blue Ribbon Commission on Audit Committees. He also participated on a task force that investigated the effect of outsourcing on auditor independence for the Independence Standards Board, a joint venture between The American Institute of Certified Public Accountants and the U.S. Securities and Exchange Commission (SEC).

[ILLUSTRATION OMITTED]

That impressive resume will serve Rittenberg's organization well as the fine points of Sarbanes-Oxley undergo endless scrutiny and potential modification and as world opinion on the role of ERM continues to evolve. Navigating those changes will require COSO to establish and maintain a strong voice and a clear message. That message is likely to come down to this: No matter what twists and turns companies face along the way, they have no choice but to develop, implement, and enforce detailed policies and procedures to ensure that audit-related information gets where it needs to be within the organization and that risk is characterized, correctly assigned, and thoroughly managed. Rittenberg had these issues on his mind when Internal Auditor spoke with him recently.

There seems to be growing dissent from companies about the cost and effort required to comply with Sarbanes-Oxley. U.S. Public Company Accounting Oversight Board (PCAOB) Chairman William McDonough recently declared that "the first round of internal control audits cost too much." What is COSO's position on such efforts?

The costs associated with Sarbanes-Oxley Section 404 compliance have been high, but the benefits have been significantly underestimated. They include restored confidence in our capital markets system and significant control improvements. Further, we all understand that the costs associated with Section 404 work will decrease in the future. My opinion is the cost-benefit issue will come into better balance in the second or third year of operations. There will be less spent on documenting controls because that will have been done in the first year. Companies will develop better information systems and monitoring processes to assure themselves that controls are working. The emphasis on management testing may be shifted to ensuring that the monitoring processes signal impending control deficiencies and that corrective action is taken in a timely fashion. Internal auditors can certainly be leaders in their organizations to improve the efficiency of overall control processes and to help implement improved monitoring processes. Companies need to develop better monitoring procedures that will help them identify when a process has suffered a decrease in control. Control needs to be viewed as a process model, not just a series of checklists to be completed.

Would COSO support legislation fine-tuning Sarbanes-Oxley or additional legislation mandating the organization's suggested methods for improving internal controls?

The SEC has indicated that COSO's Internal Control--Integrated Framework, which was published in 1992, is one framework by which a company might judge the quality of its internal control processes, so we've received a lot of attention. And I think it's proven itself to be a viable framework. My personal opinion is we don't need any additional legislation. From COSO's perspective, we hope organizations will implement better controls regardless of whether there's legislation mandating that it be done. We don't take a stance on the political issue of whether internal control improvements should be mandated. That's up to the legislators to determine. The motivation to implement better controls should come from a desire to improve operations, risk management processes, and governance.