How ERM's role has evolved with corporate-governance regulation

March 28, 2005

David Wood
David A. Wood & Associates
Lincoln, UK

Scott Randall
Det Norske Veritas Consulting

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a private-sector consortium formed in 1985 to fight financial-statement fraud via education and guidelines. It developed the COSO I-Internal Controls Framework (1992).

A requirement for internal controls is part of the US Foreign Corrupt Practices Act (FCPA), which requires companies, among other things, to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

Another significant development was a publication in 1999 in the UK entitled “Internal Control Guidance for Directors on the Combined Code” (the so-called Turnbull Report). This document advanced the philosophy of board-level responsibility for corporate governance, the performance of risk management, and the stipulation of internal controls and risk-mitigation measures.

The Enron implosion of 2001, followed shortly by other corporate scandals, prompted the US Congress to reinforce corporate-governance obligations on companies by passing the Sarbanes-Oxley Act of 2002 (SOX).

In 2003 the US Securities and Exchange Commission (SEC) accepted COSO I as a “best practice” guideline for companies and auditors for SOX Section 404, the requirement for an internal-control report in annual financial statements. In addition, several parts of the Code of Federal Regulations (CFR) applied by SEC now place financial and operational disclosure obligations on publicly quoted corporations.

The relevant sections of the CFR deal with how specific types of commercial entities and their accountants are to record, report, and keep records of financial transactions and the value of assets for purposes of public disclosure. They require the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets; reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles; and that receipts and expenditures are made in accordance with authorizations of management and directors (see table).

Although the CFR sections are important to the discussion of how internal controls over financial statements are to be audited, they have little relevance to overall operational risk management other than the avoidance of financial-reporting and compliance risks. But they show how the COSO internal controls framework provides a link between SOX 404 compliance and enterprise risk management (ERM). The last step in this transition occurred in September 2004 through the publication of the COSO II ERM framework, which truly deals with operational and strategic risk management rather than simply financial reporting and compliance.

Published accounting and audit standards also affect internal controls and reporting. Statement of Financial Accounting Standards No. 69 addresses disclosure and reporting requirements for oil and gas production activities and reserves valuation. As yet, the reserves-disclosure scandal of 2004 and SOX have not been formally linked, although some commentators have suggested that they should be.

Financial Statement Auditing Standard No. 78, published by the Auditing Standards Board, is the standard used by financial accounting auditors to execute SOX Section 404 internal controls audits. It involves a series of “tests” to determine which of five levels of internal controls a company has and to make a judgment as to whether those internal controls pass a CFR requirement for “reasonable assurance.”

In 2003, COSO I was expanded beyond internal controls to address ERM more broadly. The move added three elements (internal environment, objective-setting, and event identification) to the original five and renamed one of the internal-control elements from “control activities” to “risk response.” Thus the original accounting-oriented internal-controls framework was expanded and transformed into a comprehensive, strategic-level guideline for sound business management.

In July 2003, this COSO II draft, “Framework for Enterprise Risk Management (ERM),” was issued for public comment. The final ERM standard was published in September 2004.

‘Safeguarding of assets’

These instruments interact to provide current “best practice” for ERM with respect to “safeguarding of assets” in the context of corporate responsibility for financial reporting. Systematic integration with operational risk assessment and management is required to successfully implement ERM within a corporation.

The financial disclosure aspect of “safeguarding of assets” under SEC regulations obliges a corporation to “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of its assets that could have a material effect on its financial statements.”

However, in the context of ERM, “safeguarding” could have meanings different from the one used strictly in the financial-disclosure context.