Larry E. Rittenberg, PHD, CIA, CPA: there is no shortcut to good controls; COSO's new chairman says every corporation needs muscular internal controls and audit executives with the authority to enforce them

Internal Auditor, August, 2005 by Russell A. Jackson

Of course, there are other approaches that assist organizations in developing assurance that they have addressed all the risks. The Control Objectives for Information and Related Technology, from the Information Systems Audit and Control Association, for example, is a very detailed approach that starts with objectives. Those objectives are another way of ensuring that the organization is addressing risks--and implementing controls that assist in accomplishing the objectives results in addressing the risks associated with IT. Our objective should not be to determine which framework is the framework of choice. It should be to ensure that the framework and the approaches taken to implement it are comprehensive. The existing frameworks that have been used by IT auditors are internally consistent and complementary.

COSO recently was part of several roundtables--held by the SEC and by your organization itself--on the subject of small-business compliance with Sarbanes-Oxley. What operational advice did those meetings yield?

We're really trying to get some feedback on whether there are problems understanding and implementing the COSO model and where companies could use more control guidance. The advice that struck me the most was when participants said to us, "Just make sure you get it right." They told us we are to internal control reporting what the U.S. Financial Accounting Standards Board is to financial reporting. They view us in a positive light--but that is a lot of pressure. Two of the principal issues of concern to the participants were the risk of management override and the need to be risk-based in approaching the implementation and evaluation of controls. Clearly, there was discussion of some things that small businesses are not going to like. One is the sense that controls have to be more formalized. That doesn't mean bureaucratic or inefficient. It means controls have to be visible, understood, and communicated throughout the organization. Less formal controls are not acceptable. Also of concern is the fact that public organizations have to invest in a control infrastructure. There is no shortcut to good controls. To make things easier for small companies, we are working on developing guidance for them. We expect to release an exposure draft in August. That's optimistic and aggressive, but we know there's a need for such guidance.

Can you give internal auditors a preview of the guidance?

The small business guidance is going to say that there are certain responsibilities that companies assume when they go public. In today's environment, one of those is designing, implementing, and reporting on the effectiveness of internal controls over financial reporting. It is also going to say--and this is the good news--that the COSO framework is conceptual and principles-based. The guidance will explain the principles of good control and will provide examples of how each company can achieve the control objectives at a reasonable cost. However, it is the responsibility of each company to determine which set of controls provides optimum results.

Content provided in partnership with Thompson Gale