Conversation with COSO Chairman Larry Rittenberg
Donald E. Tidrick
- Rittenberg has an extensive record of service to a variety
of academic and professional organizations, including the
Institute of Internal Auditors, where he was president of
the IIA’s Research Foundation. He is also a former member
of the executive committee of the American Accounting Association.
January 1, 2005, Rittenberg became the chairman of the Committee
of Sponsoring Organizations of the Treadway Commission,
more commonly known as COSO. In making the announcement,
Dave Richards, president of the Institute of Internal Auditors
and a COSO member, said, “The commission is thrilled
to have Dr. Rittenberg assume the role as COSO Chairman.
He has spent his career dedicated to promoting the business
ethics and practices [that] COSO stands for and he will
provide a strong voice for the organization.”
interview took place in connection with Rittenberg’s
visit to Northern Illinois University on April 20, 2005,
to speak at NIU’s Beta Alpha Psi (Gamma Pi Chapter)
spring initiation banquet.
E. Tidrick for The CPA Journal: Would you share a historical
summary of COSO?
Rittenberg: COSO began in the mid-1980s when
five private-sector organizations that were concerned about
the apparent increasing frequency of fraudulent financial
reporting came together to sponsor the “National Commission
on Fraudulent Financial Reporting”—more commonly
called the Treadway Commission after its chairman, James
C. Treadway, Jr., a former SEC commissioner. The sponsoring
organizations were: 1) the American Accounting Association
(AAA); 2) the American Institute of Certified Public Accountants
(AICPA); 3) the Financial Executives Institute (now Financial
Executives International, FEI); 4) the Institute of Internal
Auditors (IIA); and 5) the National Association of Accountants
(now known as the Institute of Management Accountants, IMA).
Treadway Commission conducted a comprehensive study of financial
fraud in the United States and the factors that contributed
to such fraud. It issued a detailed report in October 1987,
consisting of 49 recommendations designed to enhance the
prevention and detection of fraudulent financial reporting.
These recommendations were directed at several relevant
constituencies: public companies (20 recommendations); independent
public accountants (9); the SEC and other regulators (12);
and educators (8). These recommendations included a call
for effective corporate internal control, objective internal
audit functions, and informed oversight of financial reporting
by effective audit committees. Interestingly, many of the
original recommendations of the Treadway Commission now
sound a lot like the Sarbanes-Oxley Act of 2002.
How are COSO’s activities financed?
many ways, COSO has been a “virtual” organization.
Its initial activities were financed by contributions from
the five sponsoring organizations. Later, some significant
activities were financed largely by Coopers & Lybrand
and, more recently, by PricewaterhouseCoopers. Those firms
contributed the research teams to develop the Internal
Control–Integrated Framework and subsequently
the Enterprise Risk Management–Integrated Framework.
Other activities have been financed, at least in part, by
our sales of COSO publications, such as our various frameworks.
addition, it is important to recognize that COSO members,
including myself as chair, are volunteers, donating their
time to COSO. Although I am currently spending about half
of my time on COSO matters, I am not directly compensated
for that work. We have had a variety of task forces in the
past (and right now we have a very large task force addressing
our small business project), and those activities are strictly
voluntary. The individuals’ travel and out-of-pocket
expenses are paid by their employers or sponsoring organizations
rather than by COSO.
Who are the current members of COSO, and do they bring unique
organizational perspectives to COSO?
Rittenberg: Each of the members is selected
by the leadership of the sponsoring organization. In some
cases, the member may, in fact, be the leader of the sponsoring
organization. For example, before his untimely passing in
March 2004, Bill Bishop was the president of the IIA and
he represented the IIA on the COSO board. Bill was a very
strong intellectual force in developing the Internal
Control–Integrated Framework. The current IIA
president, Dave Richards, is also the IIA’s COSO representative.
The AAA representative to COSO is chosen by the association’s
leadership. I was the AAA representative to COSO for three
years prior to my selection to chair COSO. The current AAA
representative is Mark Beasley of North Carolina State University.
The AICPA is represented by Chuck Landes, its vice president,
professional standards and services. Nick Cyprus of the
Interpublic Group of Companies in New York (formerly vice
president and controller of AT&T) is the FEI representative.
The IMA representative is Dennis Neider from PricewaterhouseCoopers.
highly successful individuals often view issues similarly.
For example, long before Enron imploded, there was a consensus
that COSO needed to develop guidelines regarding enterprise
risk management. We tend to reach a consensus on most issues,
although it is common for a wide range of different views
to be expressed during our discussions.
How did you come to be appointed COSO chairman, and what
are your responsibilities and priorities in that role?
Rittenberg: My selection to chair COSO reflects
an accumulation of work and professional relationships developed
over many years. I had the opportunity to represent the
AAA on COSO when it began exploring the need for a comprehensive
framework on enterprise risk management, subsequently developed
into the Enterprise Risk Management–Integrated
Framework published last year. As the AAA’s representative,
I worked with a team of two other AAA members to contribute
to the project. My predecessor as COSO chairman, John Flaherty
(a past chairman of the IIA and former vice president and
general auditor of PepsiCo), became COSO chairman in 1996
and graciously agreed to continue in that role until the
enterprise risk management (ERM) project was completed.
I was gratified that the other COSO members and respective
organizations had confidence in my abilities to lead the
chairman’s primary role is to articulate a vision
for COSO and build a consensus among its members. Moreover,
the chairman represents COSO in a wide variety of interactions
with other organizations. In recent months, I have had the
privilege of dealing with the SEC, the Public Company Accounting
Oversight Board (PCAOB), and the Government Accountability
Office (GAO) with regard to COSO-related activities. These
are interesting times! It is also challenging to keep our
projects moving forward, especially when COSO is dependent
forward, we need to think strategically about the role of
COSO—not only about future projects that COSO should
address, but also about the possibility of expanding the
set of organizations that comprise COSO. It is encouraging
to see a growing number of organizations that want to work
together to strengthen corporate governance and to improve
the reliability of financial reporting and internal controls.
How often does COSO meet?
Rittenberg: The frequency of our meetings
depends on the nature of our current activities. For example,
prior to the ERM project, COSO met once or twice a year
and had conference calls as necessary. During the ERM project,
the COSO board and the task force met quarterly. Right now,
we are working on the control guidance project for small
businesses and are meeting every three weeks. Not all of
the COSO members can attend every task force meeting, although,
as chairman, I do. The COSO board’s fall meeting will
be about how to think strategically about the composition
and nature of COSO as we go forward. There is going to be
a continuing demand for greater guidance in the control
and risk area.
What would you identify as COSO’s major accomplishments
Rittenberg: Certainly the original Treadway
Report in 1987 was a significant contribution. One of its
most consequential recommendations was for the development
of a conceptual framework for implementing and evaluating
internal controls. Prior to the 1992 issuance of COSO’s
Internal Control–Integrated Framework, internal
control guidance consisted primarily of ad hoc checklists.
Two Bills deserve particular mention for their intellectual
contributions to the development of the internal control
framework: Bill Ihlanfeldt, a former IMA chairman and former
assistant controller at Shell Oil, played a key role in
getting COSO to focus on internal control issues. And Bill
Bishop, a former IIA president, made sure the framework
was broad enough to encompass controls comprehensively from
an organizational perspective, not just a financial reporting
point of view.
the privilege of attending a recent SEC roundtable on Sarbanes-Oxley
section 404 where I talked with Mike Cook, the former chairman
of Deloitte & Touche and the first COSO chairman. Mike
expressed particular pride in having established a COSO
infrastructure that led to the development of the Internal
Control–Integrated Framework. In retrospect,
it is noteworthy that this framework (developed primarily
by accountants) embraced all aspects of the organization:
financial reporting, operational activities, and compliance
issues. As a result, it has been widely accepted over time.
In terms of overall impact on businesses, the 1992 internal
control project is COSO’s most significant contribution
1996, COSO published “Internal Control Issues in Derivatives
Usage,” which extended the internal control guidance
to address a specific challenge at the time in need of guidance
and clarification. In 1999, COSO published a study by Mark
Beasley, Joe Carcello, and Dana Hermanson on fraudulent
financial reporting. The study examined SEC enforcement
actions for fraudulent financial reporting by public companies
in the decade following the original Treadway Report. They
identified a number of control and reporting abuses that
took place in relatively small businesses, and noted the
need for such companies to invest in infrastructure for
2004 Enterprise Risk Management–Integrated Framework
is another of COSO’s significant contributions. We
know that many companies have failed because they did not
approach risk management in a comprehensive, logical manner—and
the ERM Framework provides an integrated way to address
What significant contributions does COSO’s 2004 Enterprise
Risk Management–Integrated Framework make beyond the
1992 Internal Control–Integrated Framework?
Rittenberg: The primary difference is that
“enterprise risk management” is a broader term
than “internal control.” Fundamentally, controls
exist only to mitigate risk. So every internal control framework
has to start with a systematic approach to identifying risk.
It is also important to recognize that organizations are
in the business of taking risks. Management and boards have
to determine their risk “appetites” and their
risk tolerances. Discussion of risk appetites and tolerances
is required at the highest levels of an organization, but
we have seen too many companies where those discussions
have not occurred. The ERM framework takes a commonsense,
conceptual approach to comprehensively address risk management
issues in an organization.
are designed to manage the risks within the organization’s
tolerances. There are a variety of ways to manage risks:
one way is to control the risk, perhaps through diversification;
another way is to insure against the risk. Organizations
globally must be attentive to risks. The ERM framework is
an enhanced, proactive approach to managing organizational
risks. These are not “accounting” concepts per
se, even though the COSO frameworks have been developed
by a committee comprised of representatives from primarily
Would you comment on a current COSO project, “Implementing
the COSO Control Framework in Smaller Businesses,”
and the motivation behind it?
Rittenberg: The primary reason for the “small
business” project is the renewed attention that the
Sarbanes-Oxley Act has brought to the Internal Control–Integrated
Framework. The COSO framework is fundamentally a principles-based
approach to internal control, and that is not always understood.
For example, when I attended the SEC’s April roundtable,
I heard some people say, “COSO is for large corporations.
After all, it was developed by PricewaterhouseCoopers.”
simply is not accurate! When viewed conceptually, the COSO
framework is applicable to every organization. The implementation
approaches may vary across organizations, however. I suppose
that a number of the examples included in the framework
may be primarily applicable to larger organizations. That’s
always a difficulty with giving examples—people may
read the examples as if they are the framework itself. Examples
may also become outdated, particularly given computer processing
developments over the past decade. So we are trying to clarify
the conceptual application of the internal control framework
and the use of relevant examples.
initiative for this project started with a conversation
between Rick Steinberg, a great conceptual thinker and one
of the developers of the internal control framework, and
Don Nicolaisen, the SEC Chief Accountant. Don requested
a meeting with COSO to discuss some Sarbanes-Oxley implementation
issues. I attended that meeting last fall, along with Rick
and Miles Everson, our current project team leader. At that
meeting, Don indicated that companies, especially relatively
small ones, had been asking for additional guidance to implement
the internal control framework in light of section 404 requirements.
He asked us to take on that project. I was very interested
in it, although we had some timing issues because we were
still finishing up the ERM project. After extensive discussion,
the COSO members endorsed the project.
has a history of developing “frameworks,” not
“standards” or detailed guidance. Essentially,
the SEC Chief Accountant was saying, “You’ve
got a great framework, but not everyone understands it and
companies need more guidance to implement it.” The
intent of this project is to find ways to help smaller companies
to effectively and efficiently meet the requirements of
section 404. We put together a task force that began just
this past January, and we plan to have a report with preliminary
guidance available on our website (www.coso.org)
with a comment period continuing through November or perhaps
mid-December. We want to make this guidance practical and
beneficial for management, personnel within organizations,
and their external auditors to understand and implement
COSO’s internal control model. I hope readers of this
interview who are interested in controls for small businesses
will give us their feedback.
Do you envision any future projects for COSO?
Rittenberg: Once we get the small business
guidance completed, I hope we will pursue a project on monitoring
controls. If we are going to reduce the cost of Sarbanes-Oxley
section 404 requirements, we need to find ways to make the
process more efficient. The COSO framework lends itself
to greater efficiencies, but we have not thought about it
in enough depth. In the initial implementation of Sarbanes-Oxley,
people have gone back to the fundamental processes of an
organization to identify key controls, to document those
controls, and to test those controls to verify that they
are operating effectively. The COSO model focuses on assessing
whether those controls address significant risks and reduce
the risks to acceptable levels. If they are effective, organizations
then develop effective information systems that provide
systematic feedback to help monitor the effectiveness of
the controls and processes. The design and monitoring process
is similar to what an engineer does in setting up stamping
machines in a factory. The controls are designed, tolerances
are specified, and monitoring mechanisms are installed to
signal process failures. We should be thinking about accounting
processes in the same vein.
my view, we need more research to identify effective and
reliable monitoring controls. We need to find out if we
can identify the significant monitoring controls in accounting
processes and determine whether they are operating effectively.
If we can do that, then we can spend more time testing the
effectiveness of the monitoring controls and then randomly
test other controls, thereby reducing the overall section
404 compliance tests dramatically.
currently working to develop a survey about the extent to
which organizations are using monitoring controls over their
financial processes. One of my friends, a partner in Deloitte,
is helping me survey the firm’s enterprise risk management
group, and the IIA is also providing assistance. I would
love to get some talented academic researchers working on
this, too. And, if there are any readers of this interview
with good examples of such monitoring controls, I would
be delighted to hear from them at email@example.com.
addition, we need to think strategically about the best
infrastructure for COSO going forward. For example, should
COSO sponsor specific research? I tend to think we should,
but others might prefer to limit our activities to developing
broad frameworks. So, we will discuss such matters. And
I think we will have significant discussions about whether
the number of sponsoring organizations should be expanded.
What impact, if any, has COSO had outside the United States?
Does COSO coordinate with international professional organizations?
Rittenberg: COSO has certainly had a significant
impact outside of the United States, especially through
multinational corporations. Our ERM and internal control
frameworks have been translated into most of the major languages
around the globe, including French, Spanish, Chinese, Russian,
Portuguese, Italian, Finnish, and Swedish. Corporate governance
and internal control issues are very important in many countries.
The Australians, the British, the Canadians, the French,
the Germans, the Malaysians, and the Taiwanese, among others,
have all developed conceptual models of governance, control,
and risk management.
and risk management frameworks, however, vary in terms of
the detail involved. Some frameworks are based on detailed
processing objectives over processes. COSO is one of the
few frameworks with a significant review of the control
environment. Look at some of the major recent corporate
failures. Where did the problems fundamentally arise? They
occurred primarily because of breakdowns of the control
environment and management override of processes. So, in
short, all of these frameworks make a contribution. At the
moment, there is no organized collaboration on these issues
like there is for international accounting standards.
In closing, Is there anything else you wish to say to readers
of The CPA Journal?
Rittenberg: It is important to understand
that the COSO internal control and ERM frameworks are based
on principles that place the responsibility on management
to identify risks and implement controls that reduce those
risks to acceptable levels. Management should have discussions
with the board, their internal auditors, and their external
auditors, as applicable, about the appropriate levels of
are an open organization and we will have an exposure draft
of our small business project. That is not unusual—we
have had exposure drafts of each of our framework projects.
In this case, we understand that the SEC and PCAOB have
referenced us, so we want any guidance offered by COSO to
have been subjected to the discipline of that exposure process.
readers to visit our website (www.coso.org),
provide us with constructive feedback, and share any examples
of monitoring controls they may have. We will take those
comments seriously as we move forward to assist organizations
in implementing more effective controls.
Rittenberg, PhD, CIA, CPA, is the Ernst & Young
professor of accounting at the University of Wisconsin–Madison,
where he teaches auditing and assurance courses, with emphasis
management and corporate governance.
E. Tidrick, PhD, CPA, CMA, CIA, is an associate professor
of accountancy at Northern Illinois University, DeKalb, Ill.