Where do I begin? (application of the internal control assessment guidelines set by the Committee of Sponsoring Organizations) (Interview) by Kelley, Thomas P.
Kelley: It's certainly true that managements, legislators and regulators have an interest in internal control, but compliance with the COSO recommendations has not been mandated by any governmental or private sector body. Is it realistic to expect managements to implement COSO's recommendations in the absence of any requirement to do so?
May: Yes, and they would be well advised to start now. The SEC has had a proposal under consideration for some time that would require a management report on the effectiveness of the company's internal controls. The Public Oversight Board of the AICPA's SEC Practice section has recently urged the Commission to act on that proposal, and companies should be prepared for that possibility.
And there's more. A spokesman for the U.S. General Accounting Office said the GAO believes "appraising the quality controls has at least equal importance with giving opinions on financial statements." An earlier version of Congressman Wyden's legislation related to financial fraud prevention and detection called for reports by management and by independent auditors on internal controls, and that provision may surface. The Federal Deposit Insurance Corporation Improvements Act of 1991 requires management's assessment of the effectiveness of the institution's internal control structure and its compliance with designated laws and regulations and, further, requires attestation by the institution's outside auditors on management's assertions. Finally, U.S. Federal Sentencing Guidelines provide for reduced sentences for organizations that have an "effective program to prevent and detect violations of law."
Given all these developments and given the significance of internal controls to an entity's operations, financial reporting, and compliance with laws and regulations, it clearly behooves managements to act now. And the COSO report is the only act in town in terms of defining what constitutes internal control and how to go about assessing its effectiveness.
Kelley: COSO has no independent existence or authority. Are the sponsoring organizations standing behind the report?
Larson: Absolutely. At a meeting in mid-March, the COSO representatives reaffirmed their support of the COSO report and endorsed the following statements: 1. A broad consensus has been reached on the COSO definition of internal control and on a framework that provides a standard against which entities can measure the effectiveness of their internal controls. 2. The implementing guidance in the COSO report helps management identify basic weaknesses in operating, financial reporting, and legal/regulatory compliance controls and take action to strengthen them. COSO intends to monitor the adequacy and effectiveness of that guidance on an ongoing basis and to take or oversee any actions that may be needed. 3. Chief executives of American business should, as the report indicates, initiate a self-assessment of their internal control systems against the COSO standard, strengthen those systems, and move their enterprises towards appropriate established goals. 4. About one public company in four includes in its annual report to shareholders a management report discussing some aspects of internal control. For Fortune 500 companies, the number is about 60%. After a decade that has seen far too many financial frauds, it is time for all public companies to consider implementation of the COSO report's recommendations, including the guidance provided on reporting to external parties. We strongly recommend that a management report that complies with that guidance be included in 1993 and subsequent annual reports to shareholders.
May: Let me add that in 1987, the Treadway Commission said that management reports to shareholders should "provide management's assessment of the effectiveness of the company's internal controls." With the issuance of Internal Control-Integrated Framework, companies have guidance that has achieved general acceptance. It is time to move forward and to implement that guidance.
Kelley: As Gaylen said, 60% of Fortune 500 companies are reporting on internal control now, and auditors are assessing internal control systems and discussing "reportable conditions" with audit committees. I suspect a lot of people feel that the COSO report may be much ado about nothing because many entities and just about all auditors have been able to assess internal control systems without it.
May: People who feel that way--and I hope not too many do--are seriously mistaken. If the COSO report was not a major development, it would not have taken three years to reach agreement on its conclusions and recommendations and the final report would not have received the attention it has.
It's true that many public companies comment on internal controls in their annual reports, but most restrict the discussion to an acknowledgement of responsibility for an effective system. Very few express a conclusion about their controls for the simple reason that there has been no consensus among companies, auditors, legislators, regulators, or anyone else on what the definition of internal control should be and what criteria should be used to gauge its effectiveness.
Of course, external auditors do not have to make an assessment of the effectiveness of the internal control structure to perform an audit of financial statements. In fact, they can limit their work, depending on the other procedures they apply, to obtaining an understanding of the system for purposes of planning the engagement.
Kelley: The GAO has expressed concern about the fact that the COSO report puts "safeguarding of assets" in the category of effectiveness and efficiency of operations. To what extent, if any, is that notion comprehended in the category of reliability of financial reporting?
Larson: In the context of the reliability of financial reporting, management would be concerned about controls designed to provide reasonable assurance that, among other things, goods represented to be in inventory are actually there, and appropriate provision was made for obsolete goods. But controls designed to provide reasonable assurance that the goods ordered were "the best for the money" would fall into the category of effectiveness and efficiency of operations. That's the COSO position and, incidentally, it is consistent with SAS 30.
As a financial and accounting officer, I find that an important distinction. Protection of assets in the full sense of the word is primarily a management task, not an accounting or financial function. The accounting process should not comprehend primary responsibility for determining how an entity makes and spends its money. The accounting process should monitor and report the results and make suggestions, of course, but that is a far different responsibility.
Kelley: Going back to the Treadway Commission recommendation for a management report on the effectiveness of internal control, what should companies be doing to be in a position to express a conclusion about their internal controls?
May: Before we get to that, it's important to clarify the control categories which we're talking about. The COSO report provides guidance on reporting to external parties only with respect to internal control over the preparation of an entity's published financial statements. The COSO report points out that this "puts an appropriate fence around internal control reporting, recognizing limitations and the state of the art." Moreover, the report notes that a public report on compliance controls would require the development of an appropriate threshold for measuring the severity of control deficiencies.
However, just because managements that elect to report publicly on their entity's internal controls would restrict their report to controls over financial reporting does not mean that the evaluation of internal controls would or should be restricted to financial reporting controls. First, in most control systems, controls often serve to accomplish more than one objective. Second, if I were a CEO, I'd want to know that my company's financial reports were reliable. But you can bet your bottom dollar that my first concern would run to the business decisions, transactions and events that eventually find their way into the financial statements. I would want to know, first, that there was a process within the entity designed to provide reasonable assurance that the business decisions being made were the right ones, that transactions reflected those business decisions, and that every reasonable effort was being made to anticipate and deal with events that could significantly affect the entity. And I'd want to know, second, that all these things were happening within the parameters of applicable laws and regulations.
Kelley: Point taken. But as the song goes, "Where do I begin?"
May: The first thing is to make sure you understand the components of internal controls and cover them all adequately. For example, before the issuance of the COSO report, many managements and auditors focused on control activities perhaps with some modest attention to the control environment. According to COSO, the control environment is much broader than, say, an active audit committee and corporate code of conduct, which too many may have limited their attention to in the past. Of course, it involves a clear and ongoing commitment to integrity and ethical values. But evaluating the control environment also contemplates studying how the entity obtains and retains competent people, how the board and audit committee actually operate, how management's philosophy and operating style impact personnel behavior, and more.
Larson: I'd like to emphasize the component called risk assessment. In talking about this area, the COSO report focuses on mechanisms to identify and analyze risks, including the special risks associated with changing conditions, that are related to the entity's objectives. By the same token, I believe it is entirely appropriate for managements that are trying to implement the recommendations in the COSO report on a cost-effective basis to consider the risks that their existing systems are seriously deficient. In doing that, management should consider matters such as views concerning units, components, or activities that may pose a higher degree of risk to the entity, existing understanding of the system, the results of internal and external audits and the actions taken on reported deficiencies or recommendations, the perceived effectiveness of ongoing monitoring activities, and experience with the effectiveness of their systems in, for example, minimizing "surprises."
On the basis of that assessment, management should decide whether to authorize a full and separate evaluation of its internal controls, to rely on ongoing monitoring activities, or to authorize separate evaluations of portions of their internal control systems so that key areas are covered over, say, a three to five year period. (This is discussed in some depth in the "monitoring" section of the Framework volume of the report.) I'd also like to emphasize my personal opinion that this kind of initial assessment needs to be made by a spectrum of people representing operations, accounting, and internal audit. And it should, of course, be documented.
However management decides to address a self-assessment, it is important, in my opinion, for everything related to internal controls to ultimately be considered in the light of the COSO report. That means that corporate-wide policies should be studied to make sure they reflect COSO definitions and criteria. Internal audit programs should be modified to be consistent with the COSO approach. Public and internal reports on internal controls should track COSO concepts and language. And above all, internal communications should continually be enhanced to focus all personnel on the entity's objectives and values and the importance of the controls in place to achieve those objectives and maintain those values.
Kelley: What kinds of tools are available to help companies evaluate their internal controls?
Larson: The COSO report includes blank "component tools" which provide "points of focus" within each component and examples of matters that might be considered in addressing the points of focus. It includes a blank risk assessment and control activities worksheet for use at the activities level and that documents objectives for each significant activity and helps the preparer analyze risks and identify control activities relevant to each risk. It includes an overall system evaluation form by component. And, yes, it includes some filled-out forms for illustrative purposes.
May: Let's not forget the software the Financial Executives Institute has developed. As I understand it, that software is an automated self-assessment tool that allows organizations to identify and report potential internal control weaknesses quickly and efficiently and runs on industry-standard IBM or IBM-compatible personal computers. It comes, incidentally, with the four-volume COSO report.
Kelley: Gentlemen, as the new and immediate past chairmen of COSO, how about a closing remark?
May: I encourage all organizations large and small, and their accountants, to use and apply the document in a serious way. Additional discussion about using the guidance in less sophisticated environments such as are often found in smaller entities is presented in each component chapter in the Framework volume under the title "Application to Small and Mid-size Entities." Try it, you'll like it.
Larson: Building the right controls into the management process supports quality products and services and, contrary to some schools of thought, actually empowers initiative. Businesses that are well controlled and provide quality products and services should be able to compete effectively in the global marketplace. I believe the COSO report will help companies meet that challenge.
Gaylen N. Larson, CPA, chairman of the Committee of Sponsoring Organizations, is group vice president of Household International, a major financial services business. Prior to joining Household, Mr. Larson practiced public accounting with a big-six firm. Mr. Larson is a member of the AICPA and has served on the Auditing Standards Advisory Council, AcSEC task forces, and Finance Companies Audit Guide Committee.
Robert L. May, CPA, is a former president of the AICPA. Mr. May has served as chairman of the Committee of Sponsoring Organizations, vice chairman of the AICPA, chairman of the National Review Board, and a member of the Auditing Standards Board executive committee. Mr. May is also a former president of the International Federation of Accountants (IFAC) and the first chairman of IFAC's International Auditing Practices Committee.
Thomas P. Kelley, CPA, is vice president-professional at the AICPA. Mr. Kelley has been with the AICPA since 1974, holding his current position since 1984. Mr. Kelley has contributed to several accounting publications. Before joining the AICPA, Mr. Kelley worked with Arthur Andersen & Co. in Boston and Rochester, NY.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.