A Conversation with COSO Chairman Larry Rittenberg
By Donald E. Tidrick
November 2005, Special Issue
Rittenberg has an extensive record of service to a variety of academic and professional organizations, including the Institute of Internal Auditors, where he was president of the IIA’s Research Foundation. He is also a former member of the executive committee of the American Accounting Association.
On January 1, 2005, Rittenberg became the chairman of the Committee of Sponsoring Organizations of the Treadway Commission, more commonly known as COSO. In making the announcement, Dave Richards, president of the Institute of Internal Auditors and a COSO member, said, “The commission is thrilled to have Dr. Rittenberg assume the role as COSO Chairman. He has spent his career dedicated to promoting the business ethics and practices [that] COSO stands for and he will provide a strong voice for the organization.”
This interview took place in connection with Rittenberg’s visit to Northern Illinois University on April 20, 2005, to speak at NIU’s Beta Alpha Psi (Gamma Pi Chapter) spring initiation banquet.
About COSO
Donald E. Tidrick for The CPA Journal: Would you share a historical summary of COSO?
Larry Rittenberg: COSO began in the mid-1980s when five private-sector organizations that were concerned about the apparent increasing frequency of fraudulent financial reporting came together to sponsor the “National Commission on Fraudulent Financial Reporting”—more commonly called the Treadway Commission after its chairman, James C. Treadway, Jr., a former SEC commissioner. The sponsoring organizations were: 1) the American Accounting Association (AAA); 2) the American Institute of Certified Public Accountants (AICPA); 3) the Financial Executives Institute (now Financial Executives International, FEI); 4) the Institute of Internal Auditors (IIA); and 5) the National Association of Accountants (now known as the Institute of Management Accountants, IMA).
The Treadway Commission conducted a comprehensive study of financial fraud in the United States and the factors that contributed to such fraud. It issued a detailed report in October 1987, consisting of 49 recommendations designed to enhance the prevention and detection of fraudulent financial reporting. These recommendations were directed at several relevant constituencies: public companies (20 recommendations); independent public accountants (9); the SEC and other regulators (12); and educators (8). These recommendations included a call for effective corporate internal control, objective internal audit functions, and informed oversight of financial reporting by effective audit committees. Interestingly, many of the original recommendations of the Treadway Commission now sound a lot like the Sarbanes-Oxley Act of 2002.
CPAJ: How are COSO’s activities financed?
Rittenberg: In many ways, COSO has been a “virtual” organization. Its initial activities were financed by contributions from the five sponsoring organizations. Later, some significant activities were financed largely by Coopers & Lybrand and, more recently, by PricewaterhouseCoopers. Those firms contributed the research teams to develop the Internal Control–Integrated Framework and subsequently the Enterprise Risk Management–Integrated Framework. Other activities have been financed, at least in part, by our sales of COSO publications, such as our various frameworks.
In addition, it is important to recognize that COSO members, including myself as chair, are volunteers, donating their time to COSO. Although I am currently spending about half of my time on COSO matters, I am not directly compensated for that work. We have had a variety of task forces in the past (and right now we have a very large task force addressing our small business project), and those activities are strictly voluntary. The individuals’ travel and out-of-pocket expenses are paid by their employers or sponsoring organizations rather than by COSO.
CPAJ: Who are the current members of COSO, and do they bring unique organizational perspectives to COSO?
Rittenberg: Each of the members is selected by the leadership of the sponsoring organization. In some cases, the member may, in fact, be the leader of the sponsoring organization. For example, before his untimely passing in March 2004, Bill Bishop was the president of the IIA and he represented the IIA on the COSO board. Bill was a very strong intellectual force in developing the Internal Control–Integrated Framework. The current IIA president, Dave Richards, is also the IIA’s COSO representative. The AAA representative to COSO is chosen by the association’s leadership. I was the AAA representative to COSO for three years prior to my selection to chair COSO. The current AAA representative is Mark Beasley of North Carolina State University. The AICPA is represented by Chuck Landes, its vice president, professional standards and services. Nick Cyprus of the Interpublic Group of Companies in New York (formerly vice president and controller of AT&T) is the FEI representative. The IMA representative is Dennis Neider from PricewaterhouseCoopers.
These highly successful individuals often view issues similarly. For example, long before Enron imploded, there was a consensus that COSO needed to develop guidelines regarding enterprise risk management. We tend to reach a consensus on most issues, although it is common for a wide range of different views to be expressed during our discussions.
CPAJ: How did you come to be appointed COSO chairman, and what are your responsibilities and priorities in that role?
Rittenberg: My selection to chair COSO reflects an accumulation of work and professional relationships developed over many years. I had the opportunity to represent the AAA on COSO when it began exploring the need for a comprehensive framework on enterprise risk management, subsequently developed into the Enterprise Risk Management–Integrated Framework published last year. As the AAA’s representative, I worked with a team of two other AAA members to contribute to the project. My predecessor as COSO chairman, John Flaherty (a past chairman of the IIA and former vice president and general auditor of PepsiCo), became COSO chairman in 1996 and graciously agreed to continue in that role until the enterprise risk management (ERM) project was completed. I was gratified that the other COSO members and respective organizations had confidence in my abilities to lead the organization.
The chairman’s primary role is to articulate a vision for COSO and build a consensus among its members. Moreover, the chairman represents COSO in a wide variety of interactions with other organizations. In recent months, I have had the privilege of dealing with the SEC, the Public Company Accounting Oversight Board (PCAOB), and the Government Accountability Office (GAO) with regard to COSO-related activities. These are interesting times! It is also challenging to keep our projects moving forward, especially when COSO is dependent upon volunteers.
Going forward, we need to think strategically about the role of COSO—not only about future projects that COSO should address, but also about the possibility of expanding the set of organizations that comprise COSO. It is encouraging to see a growing number of organizations that want to work together to strengthen corporate governance and to improve the reliability of financial reporting and internal controls.
CPAJ: How often does COSO meet?
Rittenberg: The frequency of our meetings depends on the nature of our current activities. For example, prior to the ERM project, COSO met once or twice a year and had conference calls as necessary. During the ERM project, the COSO board and the task force met quarterly. Right now, we are working on the control guidance project for small businesses and are meeting every three weeks. Not all of the COSO members can attend every task force meeting, although, as chairman, I do. The COSO board’s fall meeting will be about how to think strategically about the composition and nature of COSO as we go forward. There is going to be a continuing demand for greater guidance in the control and risk area.
COSO’s Accomplishments
CPAJ: What would you identify as COSO’s major accomplishments to date?
Rittenberg: Certainly the original Treadway Report in 1987 was a significant contribution. One of its most consequential recommendations was for the development of a conceptual framework for implementing and evaluating internal controls. Prior to the 1992 issuance of COSO’s Internal Control–Integrated Framework, internal control guidance consisted primarily of ad hoc checklists. Two Bills deserve particular mention for their intellectual contributions to the development of the internal control framework: Bill Ihlanfeldt, a former IMA chairman and former assistant controller at Shell Oil, played a key role in getting COSO to focus on internal control issues. And Bill Bishop, a former IIA president, made sure the framework was broad enough to encompass controls comprehensively from an organizational perspective, not just a financial reporting point of view.
I had the privilege of attending a recent SEC roundtable on Sarbanes-Oxley section 404 where I talked with Mike Cook, the former chairman of Deloitte & Touche and the first COSO chairman. Mike expressed particular pride in having established a COSO infrastructure that led to the development of the Internal Control–Integrated Framework. In retrospect, it is noteworthy that this framework (developed primarily by accountants) embraced all aspects of the organization: financial reporting, operational activities, and compliance issues. As a result, it has been widely accepted over time. In terms of overall impact on businesses, the 1992 internal control project is COSO’s most significant contribution to date.
In 1996, COSO published “Internal Control Issues in Derivatives Usage,” which extended the internal control guidance to address a specific challenge at the time in need of guidance and clarification. In 1999, COSO published a study by Mark Beasley, Joe Carcello, and Dana Hermanson on fraudulent financial reporting. The study examined SEC enforcement actions for fraudulent financial reporting by public companies in the decade following the original Treadway Report. They identified a number of control and reporting abuses that took place in relatively small businesses, and noted the need for such companies to invest in infrastructure for improved controls.
The 2004 Enterprise Risk Management–Integrated Framework is another of COSO’s significant contributions. We know that many companies have failed because they did not approach risk management in a comprehensive, logical manner—and the ERM Framework provides an integrated way to address organizational risks.
CPAJ: What significant contributions does COSO’s 2004 Enterprise Risk Management–Integrated Framework make beyond the 1992 Internal Control–Integrated Framework?
Rittenberg: The primary difference is that “enterprise risk management” is a broader term than “internal control.” Fundamentally, controls exist only to mitigate risk. So every internal control framework has to start with a systematic approach to identifying risk. It is also important to recognize that organizations are in the business of taking risks. Management and boards have to determine their risk “appetites” and their risk tolerances. Discussion of risk appetites and tolerances is required at the highest levels of an organization, but we have seen too many companies where those discussions have not occurred. The ERM framework takes a commonsense, conceptual approach to comprehensively address risk management issues in an organization.
Controls are designed to manage the risks within the organization’s tolerances. There are a variety of ways to manage risks: one way is to control the risk, perhaps through diversification; another way is to insure against the risk. Organizations globally must be attentive to risks. The ERM framework is an enhanced, proactive approach to managing organizational risks. These are not “accounting” concepts per se, even though the COSO frameworks have been developed by a committee comprised of representatives from primarily accounting associations.
CPAJ: Would you comment on a current COSO project, “Implementing the COSO Control Framework in Smaller Businesses,” and the motivation behind it?
Rittenberg: The primary reason for the “small business” project is the renewed attention that the Sarbanes-Oxley Act has brought to the Internal Control–Integrated Framework. The COSO framework is fundamentally a principles-based approach to internal control, and that is not always understood. For example, when I attended the SEC’s April roundtable, I heard some people say, “COSO is for large corporations. After all, it was developed by PricewaterhouseCoopers.”
That simply is not accurate! When viewed conceptually, the COSO framework is applicable to every organization. The implementation approaches may vary across organizations, however. I suppose that a number of the examples included in the framework may be primarily applicable to larger organizations. That’s always a difficulty with giving examples—people may read the examples as if they are the framework itself. Examples may also become outdated, particularly given computer processing developments over the past decade. So we are trying to clarify the conceptual application of the internal control framework and the use of relevant examples.
The initiative for this project started with a conversation between Rick Steinberg, a great conceptual thinker and one of the developers of the internal control framework, and Don Nicolaisen, the SEC Chief Accountant. Don requested a meeting with COSO to discuss some Sarbanes-Oxley implementation issues. I attended that meeting last fall, along with Rick and Miles Everson, our current project team leader. At that meeting, Don indicated that companies, especially relatively small ones, had been asking for additional guidance to implement the internal control framework in light of section 404 requirements. He asked us to take on that project. I was very interested in it, although we had some timing issues because we were still finishing up the ERM project. After extensive discussion, the COSO members endorsed the project.
COSO has a history of developing “frameworks,” not “standards” or detailed guidance. Essentially, the SEC Chief Accountant was saying, “You’ve got a great framework, but not everyone understands it and companies need more guidance to implement it.” The intent of this project is to find ways to help smaller companies to effectively and efficiently meet the requirements of section 404. We put together a task force that began just this past January, and we plan to have a report with preliminary guidance available on our website (www.coso.org) with a comment period continuing through November or perhaps mid-December. We want to make this guidance practical and beneficial for management, personnel within organizations, and their external auditors to understand and implement COSO’s internal control model. I hope readers of this interview who are interested in controls for small businesses will give us their feedback.
Upcoming Projects
CPAJ: Do you envision any future projects for COSO?
Rittenberg: Once we get the small business guidance completed, I hope we will pursue a project on monitoring controls. If we are going to reduce the cost of Sarbanes-Oxley section 404 requirements, we need to find ways to make the process more efficient. The COSO framework lends itself to greater efficiencies, but we have not thought about it in enough depth. In the initial implementation of Sarbanes-Oxley, people have gone back to the fundamental processes of an organization to identify key controls, to document those controls, and to test those controls to verify that they are operating effectively. The COSO model focuses on assessing whether those controls address significant risks and reduce the risks to acceptable levels. If they are effective, organizations then develop effective information systems that provide systematic feedback to help monitor the effectiveness of the controls and processes. The design and monitoring process is similar to what an engineer does in setting up stamping machines in a factory. The controls are designed, tolerances are specified, and monitoring mechanisms are installed to signal process failures. We should be thinking about accounting processes in the same vein.
In my view, we need more research to identify effective and reliable monitoring controls. We need to find out if we can identify the significant monitoring controls in accounting processes and determine whether they are operating effectively. If we can do that, then we can spend more time testing the effectiveness of the monitoring controls and then randomly test other controls, thereby reducing the overall section 404 compliance tests dramatically.
I am currently working to develop a survey about the extent to which organizations are using monitoring controls over their financial processes. One of my friends, a partner in Deloitte, is helping me survey the firm’s enterprise risk management group, and the IIA is also providing assistance. I would love to get some talented academic researchers working on this, too. And, if there are any readers of this interview with good examples of such monitoring controls, I would be delighted to hear from them at coso@bus.wisc.edu.
In addition, we need to think strategically about the best infrastructure for COSO going forward. For example, should COSO sponsor specific research? I tend to think we should, but others might prefer to limit our activities to developing broad frameworks. So, we will discuss such matters. And I think we will have significant discussions about whether the number of sponsoring organizations should be expanded.
CPAJ: What impact, if any, has COSO had outside the United States? Does COSO coordinate with international professional organizations?
Rittenberg: COSO has certainly had a significant impact outside of the United States, especially through multinational corporations. Our ERM and internal control frameworks have been translated into most of the major languages around the globe, including French, Spanish, Chinese, Russian, Portuguese, Italian, Finnish, and Swedish. Corporate governance and internal control issues are very important in many countries. The Australians, the British, the Canadians, the French, the Germans, the Malaysians, and the Taiwanese, among others, have all developed conceptual models of governance, control, and risk management.
Control and risk management frameworks, however, vary in terms of the detail involved. Some frameworks are based on detailed processing objectives over processes. COSO is one of the few frameworks with a significant review of the control environment. Look at some of the major recent corporate failures. Where did the problems fundamentally arise? They occurred primarily because of breakdowns of the control environment and management override of processes. So, in short, all of these frameworks make a contribution. At the moment, there is no organized collaboration on these issues like there is for international accounting standards.
CPAJ: In closing, is there anything else you wish to say to readers of The CPA Journal?
Rittenberg: It is important to understand that the COSO internal control and ERM frameworks are based on principles that place the responsibility on management to identify risks and implement controls that reduce those risks to acceptable levels. Management should have discussions with the board, their internal auditors, and their external auditors, as applicable, about the appropriate levels of risks.
We are an open organization and we will have an exposure draft of our small business project. That is not unusual—we have had exposure drafts of each of our framework projects. In this case, we understand that the SEC and PCAOB have referenced us, so we want any guidance offered by COSO to have been subjected to the discipline of that exposure process.
I urge readers to visit our website (www.coso.org), provide us with constructive feedback, and share any examples of monitoring controls they may have. We will take those comments seriously as we move forward to assist organizations in implementing more effective controls.
Larry Rittenberg, PhD, CIA, CPA, is the Ernst & Young professor of accounting at the University of Wisconsin–Madison, where he teaches auditing and assurance courses, with emphasis on risk management and corporate governance.
Donald E. Tidrick, PhD, CPA, CMA, CIA, is an associate professor of accountancy at Northern Illinois University, DeKalb, Ill.