COSO tackles risk framework; AICPA project on back burner

by Glenn Cheney

The Web site of the American Institute of CPAs offers a page where members can learn more about the non-audit assurance services that CPAs can provide. The institute has developed comprehensive programs for each, which include ElderCare, Performance View, SysTrust and WebTrust.

The risk advisory services page, however, is still "under construction" despite an indication that it would be rolled out in late 2001.

The delay results from neither forgetfulness nor negligence. Rather, in the shadow of terrorist attacks and corporate accounting scandals, risk management has become of such paramount importance that the institute is waiting until the Committee of Sponsoring Organizations (COSO) completes a comprehensive enterprise risk management framework on which a new non-audit assurance service can be based.

The COSO project progresses during an increasing call for more effective risk management at American corporations.

"You hear less about internal control these days and a lot more about risk management," said John J. Flaherty, COSO chair. "Just as it used to be with internal control, there are no commonly agreed-on definitions of what risk management is and who’s responsible for it, nor are there comprehensive guidance and templates on how good risk management should work."

Working in conjunction with the Canadian Institute of Chartered Accountants, the AICPA introduced its risk advisory service with a preliminary document on risk management. Meanwhile, other COSO members - the Institute of Management Accountants, Financial Executives International, the American Accounting Association and the Institute of Internal Auditors - have developed risk management guidelines for their respective sectors.

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. The group developed recommendations for public companies and their independent auditors for the Securities and Exchange Commission and other regulators, and for educational institutions. In 1991, it published an influential report, "Internal Control - Integrated Framework," that now serves as the template for corporate reporting on internal control as required by the Sarbanes-Oxley Act of 2002.

Perceiving a widening hodgepodge of sector-specific guidelines, COSO decided to take on a massive project to develop an integrated framework that would serve as a universal platform from which all other accounting and financial sectors could develop compatible guidelines. That framework will be based on and an extension of COSO’s internal control document. The committee engaged PricewaterhouseCoopers to conduct a study of risk management, a project of an estimated 10,000 hours.

"This document will build off the internal control study," Flaherty said. "That was one of the things we challenged PwC to do - not to abandon or make obsolete the internal control framework, but to wrap the new study around it."

Until COSO produces a definitive document, the AICPA has put its risk advisory services project on hold.

The existing AICPA document, "Managing Risk in the New Economy," gives American auditors and Canadian Chartered Accountants a vocabulary and tools for helping clients with risk assessment and management. The eventual program, which will be back on the drawing board as soon as the COSO document is completed, will offer more tools, best practices and other practice aids that CPAs can use to expand their practices with risk management services.

Tony Maki, a partner with Moss Adams, was on the task force that wrote that document. He is now chairing the COSO advisory council that is working with PricewaterhouseCoopers.

COSO decided that it would be critical for not just CPAs but United States markets and businesses to have a document that everyone could rely on for enterprise risk management. Maki said, "It goes beyond what the AICPA was doing for its members. It goes a step further to give whole industries what they need to develop more definite risk management."

COSO is putting the finishing touches on the document and expects to issue an exposure draft in January, 2003.

Both Flaherty and Maki hasten to point out that the COSO project is not in response to corporate and terrorist tragedies of the past year. The project was undertaken in January 2001, well before the events of 9-11 and the accounting improprieties found at several large corporations.

"[These events] only heighten our awareness of the importance of having this document be done," Maki said. "We felt that it was important - and it has become even more important - because what’s surfacing is the way that certain practices in an organization can risk that organization outside of traditional internal control and the work of auditors. There are business risks that auditors don’t normally look at. They are auditing financial numbers, but there are other pieces that have just as big an impact."

For reprint and licensing requests for this article, click here.
MORE FROM ACCOUNTING TODAY