How useful is the COSO framework?

[Jens Kristiansen]

In continuance of my thread from yesterday

How useful is the COSO framework? (internal control – integrated framework) actually? And can we use ISO standards to support the COSO framework?

We are two research students (Msc. BPM) from the Aarhus School of Business (Denmark) who are focusing a large research project on the topic of integrating QMS such as ISO 9001, EFQM and MBNQA with SOX, specifically section 404, with the general aim of expediting compliance.

We are corresponding with a large European company stock listed on the NYSE, which has provided us with information pertaining to the implementation of SOX. Due to the support of the COSO framework by the SEC, this European company deemed it pertinent to apply, and mention the use of the COSO framework in their annual reporting requirements.

In their efforts to comply with section 404 they claim to have focused upwards of 90% of their time, effort and money on one specific section of the COSO framework, namely control activities with respect to financial reporting. According to Sanford Leibesman, the ISO 9001:2000 clauses that support or overlap with this part of the COSO framework are; Clauses 5.6.1, 5.6.2, 5.6.3, 8.5.2 and 8.5.3.

We by no means wish to insult Mr. Liebesman’s research and knowledge of this area, but when taking our “insider information” into consideration, it would seems somewhat utopian to rely on five ISO clauses to cover the information needs which apparently constitute over 90% of the costs involved in compliance with section 404.

We are supporters of Mr. Liebesman’s ideas, and the European company in question could be an isolated case. We would therefore appreciate any feedback or comments on the above mentioned.

[RCBeyette]

For what it's worth, many of us question the "usefullness" of ISO 9001, as well. As with any standard/guideline/framework, an organization will benefit from it only if they wish to address the spirit of the document versus addressing the black ink on white paper.

If I recall, the structure of COSO can be broken down into 5 main areas:

• Control information
• Information and communication
• Risk assessment
• Monitoring
• Control activitives

These can be rearranged to align with the Plan-Do-Check-Act methodology which also aligns with ISO 9001.

For a company wishing to integrate separate systems (i.e., quality, environment, health & safety, financial, etc.) into one Business Management System, seeing this alignment will assist them in streamline their process controls and any associated documentation.

At a glance, I see the overlaps as such (and this is my first go-thru, so please keep that in mind):

1. Control Environment - ISO 9001 4.1 / 5.1 / 5.4
2. Information and Communication - ISO 9001 4.2.3 / 4.2.4 / 5.5.3 / 7.2.3 / 7.3.1 / 7.3.2 / 7.3.3
3. Risk Assessment - ISO 9001 7.3.4 / 7.3.5 / 7.3.6 / 7.3.7 / 8.3 / 8.4 / 8.5.2 / 8.5.3
4. Monitoring - ISO 9001 8.1 / 8.2
5. Control Activities - 5.5.1 / 5.5.2 / 5.6 / 8.5.1

You'll notice that I have placed corrective and preventive action in Risk Assessment. In my opinion, the financial abnormality has occurred (or potentially might occur) and the organization will need to evaluate the level of risk to it in order to take appropriate actions.

I am curious as to why you believe that expending 90% of the costs in control activities is "utopian". Keep in mind that to keep a system under control, means that you are ensuring its stability. This will cost money. Ask the company what it would cost them if the system was not stable and financial errors and abnormalities are occurring.

[Jens Kristiansen]

Quote:

I am curious as to why you believe that expending 90% of the costs in control activities is "utopian". Keep in mind that to keep a system under control, means that you are ensuring its stability. This will cost money. Ask the company what it would cost them if the system was not stable and financial errors and abnormalities are occurring

Let me try to clarify:

As we stated it is not utopian to believe that 90% of the costs involved in compliance with section 404 can be attributed to COSO element 5 (control activities), but rather that 90% can be credited to control activities with respect to financial reporting, and that the demand for information related thereto can be satisfied by five ISO clauses.

Liebesmans “holistic approach” with equal focus on all elements of the COSO framework is very interesting but hard to justify if 90% of the costs can be credited to only one of the relationships between COSO three objectives (operations, financial reporting and compliance) and five Components/Elements.

Our problem is that, we as students of business performance management face the challenge of explaining and convincing financial auditors that quality tools can be used to satisfy their financial audit needs. In our experience financial auditors don’t necessary understand the level of detail involved in ISO certification, nor do they understand that ISO is more then just production and product specifications.


That being said, we do, to some degree, understand the financial auditors concern. Once ISO has assisted in clarifying what a processes is and the how to conduct internal controls its usefulness tapers of somewhat. Financial auditors have a need for financial details that cannot necessarily be found in ISO 9001:2000. Or can they!?

You mention that you have placed 8.5.2 and 8.5.3 in risk assessment, but by placing 8.5.1 under control activities they are represented there as well. (8.5.1 includes both corrective and preventive actions.) Moreover 8.5.1 includes clause 5.6

The advantage of ISO 9001:2000 is its anal approach to documentation, which at the same time is one of its must fundamental links to section 404. What we are search for are ISO clauses that are detailed enough to satisfy the financial reporting demands.

We believed we have found some clauses but are interested in hearing what others think with regards to this subject. On a different subject…… any thoughts on linking ISO to SOX by using Jurans Cost of Quality approach (another of Liebesmans suggestions if we remember correctly).

Thank you for your input.

[Bulksupplier]

If you are building a system to meet both SOx and ISO 9001 then the COSO Framework is useful - it is recognised by SOx auditors from the 'Big 4', whereas ISO 9001 doesn't cut much ice with them.

We have integrated SOx requirements into our quality system by adding the SOx Narratives alongside the Quality Manual, and adding specific SOx evidence (records) to the procedures. This has proven useful in support of 'alternate controls' used to avoid recruiting an army of people for 'segregation of duties' and process-numbing bureaucracy for 'management controls'.

We recently got our SOx 'sign-off', so our approach looks to have been successful.

[RCBeyette]

The traditional approach to Cost of Quality has two main categories for costs, each with their own two sub-categories:

• Costs of Control
  • Prevention Costs
  • Appraisal Costs
• Costs of Failure of Control
  • Internal Failure Costs
  • External Failure Costs

Typically, your Prevention and Appraisal Costs equate to quality planning, setting of objectives, data analysis and reporting, improvement programs, inspections, testing and audits. All functions which could, if I understand Mr. Liebesman's approach, would fall under COSO's Control Activities.

Total quality costs will obviously vary from company to company and industry to industry.[list][*]Internal Failures = 25% - 40%[*]External Failures = 20% - 40%[*]Appraisal = 10% - 50%[*]Prevention = 0.5% - 5%

However, in theory, as the Costs of Control go up, the Costs of Failure of Control should go down.

Why do you believe that the financial auditors do not understand the alignment of the ISO 9001 requirements to COSO? I recommend removing the use of the word ISO from your explanation. I further recommend that wherever the "quality" appears, replace it with financial and replace "customer" with "stakeholder" or "shareholder". Often times, you must speak the 'language' of the audience.

Financial auditors are number-crunchers (and balancers). The concept of (product) quality often eludes them. Speak in terms of $$$ and they may warm up to your explanations.

You will not find financial details in ISO 9001. The scope of that document is on product quality and meeting customer requirements. The problem is defining your product and who your customer is. A product can be a service, including accounting and financial services. The customer could be the shareholders, suppliers, community, employee or the actual recipient/user of the product.

Because people read ISO 9001 so darn literally, they often fail to recognize that ISO 9001 can be applied to processes off of the shop-floor. My organization has removed the word "quality" and replaced it with "business". We have a business management system which addreses the needs of all our Stakeholders in the areas of safety, environment, quality, financial, cost, delivery and morale. Our controls also address these areas. Back in 1998, we used ISO 9001 as the foundation for this approach. Now we use Plan-Do-Check-Act as that is the common thread between all of the requirements in documents like ISO 9001, ISO 14001, OHSAS 18001, ISRS, SOX, etc.

I can appreciate your statment that 8.5.2 and 8.5.3 are captured under 8.5.1...and to some degree, I agree with you. However, we look at 8.5.2 and 8.5.3 as more "here and now" situations...issues which must be resolved as immediately as possible. Continual improvement tends to focus on the overall processes and we associate forecasted cost savings/reductions with these projects.

The ISO 9001 clauses, as far as I am concerned, meet the needs of SOX, if only people open their minds to the wording. Taken to literally, no, it will not meet the needs. If you consider finance/accounting as a process, you have a wonderful document which will greatly assist an organization in meeting the needs of Sarbanes-Oxley.