Larry E. Rittenberg, PhD, CIA, CPA: there is no shortcut to good controls; COSO's new chairman says every corporation needs muscular internal controls and audit executives with the authority to enforce them

Internal Auditor, August, 2005 by Russell A. Jackson

Might COSO go a step further and become a standards-setting body?

COSO has developed strong conceptual models for risk and control, and the SEC has made the COSO model a standard by referring to it. We see our short-term objective as assisting organizations in applying the framework in a cost-effective manner. Thus, we are developing guidance for smaller businesses. I hope that we will develop similar guidance for monitoring in the next year. We do not see ourselves expanding beyond that model of operation.

Are you planning any revisions to COSO's framework?

Remember, it's a framework. It has stood the test of time as an important framework in which to understand and improve internal controls over all aspects of the organization, not just financial reporting. Thus far, the problems have not been with the framework, but have focused more on the audit and reporting requirements. Thus, we do not have any plans to revise the original document. However, we are working to provide more practical guidance to those involved in implementing the framework. The environment has changed, and we may need to add new examples that illustrate the implementation of the framework in the current environment. We also need to remember that the internal control framework is broader than accounting. It encompasses the effectiveness of operations, compliance with policies and regulations, and safeguarding of assets.

Let's look at how the COSO framework becomes operational in a specific area of a company. How would COSO become the framework of choice for information technology (IT) auditing?

COSO is a broad framework that applies to all aspects of an organization's operations, including IT. If you think about an area like IT and apply the COSO framework, it says to first identify the quality of management over the IT processes, determine if management has the right information to identify problems and take corrective action, determine if IT management has the competence to identify risk and develop controls that are applicable to those risks, and determine if human resource policies emphasize strong character and a commitment to both excellence and the organization's code of conduct. Then audit executives would identify the risks associated with IT operations, such as security, completeness of processing, and access. Unauthorized access to data or applications, for example, creates significant risks for a company, which can result in incorrect information processing, theft of assets, and inappropriate use of data. The next step would be to identify control procedures that would mitigate those risks to an acceptable level and, once the controls are implemented and tested, to develop an information and communication system that signals when the controls are not working or the processes are out of control. The organization would also develop a monitoring system that provides feedback on the process to address new risks and develop additional controls to address those risks. Remember, it is a continuous and comprehensive process, although some auditors and managers would like more detailed guidance for each of the processes.

Content provided in partnership with Thomson Gale