The board of directors’ oversight responsibility for “internal controls over financial reporting” can be met more efficiently and effectively if directors have more operations risk-based internal controls expertise. The board relies heavily on management’s assurances that internal controls are adequate and risks mitigated. Unfortunately, most assurances are based on risk assessments that are primarily financial because the personnel conducting the assessment and the directors reviewing the assessment reports are financial professionals.
Too little focus is placed on operational risks. Yet most publicly traded firms have at least two internal control systems. The framework of the Committee of Sponsoring Organizations (COSO), which covers financial reporting, operations and compliance, differs from the standards of the International Organization for Standardization (ISO), which focus on operational controls related to quality, the environment and safety. Miscues with operational controls become financial risks that can easily be overlooked. COSO and ISO controls must be coordinated, and reports to the board must contain results from both systems.
Moreover, board members must recognize the value of ISO audit results and demand that management include them.
Advantages of Coordinated Audits
There are numerous advantages to including ISO audits in the board’s oversight of risk assessment. In addition to the obvious advantages of more cost-effective audits, elimination of unnecessary audits and more comprehensive risk assessments, boards may be most interested in the regulatory compliance aspects. The new 2010 proxy rules require disclosure of the board’s role, administration and leadership structure as it relates to the oversight of risks. This additional scrutiny of the internal controls process will require boards to increase their knowledge of and involvement in the process. Moreover, it will more than likely require boards to enhance the process. Integrating ISO audits into the process can be an effective component of meeting the new disclosure requirements.
In addition, compliance would be improved by meeting the expectations of the Public Company Accounting Oversight Board (PCAOB). The September 2009 PCAOB report titled “Report on the First-Year Implementation of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements,” indicated that registered PCAOB auditors could improve their audits of publicly traded companies in six areas, including “using the work of others” and “entity-level controls.” Audits could be more efficient if reduced testing of controls at the process or entity levels were done by relying more on the work of others (e.g., the ISO audits), the report concluded. It is highly likely that the PCAOB would agree that the inclusion of ISO audits could improve the efficacy and effectiveness of the board’s oversight responsibility.
Where ISO and COSO Overlap
Many publicly traded companies incur the cost of conducting several independent internal controls audits. Granted, the audits are conducted for different reasons and their impetus is from different sources. Companies voluntarily pay independent ISO audit firms (i.e., registrars) to audit their management systems in order to remain viable as competitors in the marketplace. These same companies pay independent PCAOB-registered audit firms to ensure their management systems comply with the Sarbanes-Oxley Act of 2002. Yet, there are many similarities in the two different audits.
The international management system standards (e.g., ISO 9001, ISO 14001 and ISO 18001) were developed under the coordination of the ISO, a worldwide standards-setting body based in Geneva, Switzerland. The standards have become a widely used marketing tool and operational enhancement vehicle. For many industries, certification to these standards has become a requirement to conduct business. These ISO certifications require that a company design and implement internal controls over its operations, then train some of its employees to conduct annual internal audits to ensure compliance. Under the guidelines of these standards, most companies with such internal control systems also engage an outside independent auditor called a registrar to audit and certify their system annually.
The predominant standard for auditing internal controls over financial reporting was developed by COSO, which comprises the major financial and accounting organizations. This standard is typically used as the basis for the CEO and CFO certifications that the internal controls are effective when the quarterly financial reports are filed with the Securities and Exchange Commission. COSO defines internal control as “a process designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.”
Many boards seem to be aware that the COSO framework is designed to cover some operational areas and that ISO internal controls cover some financial areas. The COSO framework is primarily a tool of the board and its senior executives, while the ISO internal controls are tools of the operational units. Yet, the two systems essentially perform the same functions, just at different levels in the organization. Companies incur significant expense to manage both internal control systems and are likely to increase their expenditures to perform this function as financial regulatory scrutiny increases.
When the tenets of the two internal control systems are studied, it becomes clear that there are significant overlaps between the ISO and COSO internal controls. Boards need to be aware of opportunities to maximize cost-effectiveness by merging or coordinating the two systems. Many boards do not understand the intricacies of either internal control system, let alone the value the two could provide if properly coordinated. Still, oversight of internal controls and risks is one of the primary responsibilities of a board of directors.
Both internal control systems cover all three core elements (see related chart below), but there are some distinct differences. ISO covers all operational controls and some financial reporting and regulatory compliance controls. COSO covers all financial reporting controls and some operational and regulatory compliance controls. Another difference is that ISO-managed risks are typically quantitatively expressed (e.g., statistical process control) whereas COSO-managed risks are typically rated in general terms such as high, medium and low.
However, there are more similarities than differences: both internal control systems require certification by independent third parties; both require, at a minimum, annual internal management audits; both are standards developed by recognized standards bodies; both seek to minimize company risks and enhance performance; both apply to all levels of the company; and both are geared toward the achievement of established objectives. These similarities, if adequately coordinated, could yield significant advantages for an enterprise-wide risk management system.
Larry Taylor, PhD, is the CEO of The Creighton Group, a board advisory services firm based in Los Angeles. He serves on the boards of OBN Holdings and The CM Diamonds Foundation.