September 18, 2006
Dear Ms. Morris,
Please accept my commentary on the recently issued Concept Release Concerning Management's Reports on Internal Control over Financial Reporting as follows. These represent my opinions and not those necessarily of our company. I am commenting on three topical areas in this document, namely:
Adequacy of the risk framework - why companies have selected use of COSO framework rather than one of the other frameworks available
Breadth of the risk assessment and
Depth of the risk assessment
As to use of the COSO framework, COSO has been/is used because there has/is and continues to be lack of awareness of other frameworks, insistence/pressure by the auditors and a sense that somehow if it's made in America, it must be better. COSO is a solid framework but is exceedingly difficult to implement as companies by now have realized. The COSO framework is represented by a cube with highly interactive objectives of internal control and the five components of a good system of internal controls. There are other risk/control frameworks around the globe including Turnbull, CoCo and AU/NZ4360:2004. I would suggest that the framework out of Australia/New Zealand is far superior to COSO and much easier to implement. The ease of use is facilitated because the flow through risk and control is logical and does not involve/necessitate integrated thinking to comprehend. There is no question in my mind that companies would benefit greatly from development of other frameworks and in particular the Australian framework although Turnbull and others would also be excellent.
On the issue of breadth of the risk assessment, I think that the risk assessment needs to include all the major risks that a company faces and not just those specifically targeted for integrity of the financial reporting. That's because there is an interrelationship among the different risks that could impact decision-making based on aggregate tolerance, compensating controls, etc. Compliance risk could become financial risk, operational and strategic risk as well could become financial risk. Performing a risk assessment just focused on the financial integrity/reporting for the key assertions is inadequate and will/has result(ed) in dysfunctional decisions over risk mitigation and moreover resulted in unnecessary testing. What is needed is a more holistic approach.
On the issue of depth of the risk assessment, I think that guidance should be issued using the Australian framework of what a top down approach means, how it would be specifically conducted, the deliverables, how risks would be linked backwards to the strategic objectives and forwards to the business processes, how risks should be quantified both in dollar terms and qualitatively, the differences between gross and residual risk etc. As per my comment above, it is critical that a top down approach be taken, and a roll up needs to be performed of the various risks as well. What may seem to be a material financial risk may in fact be mitigated in many different ways. I have many examples of how this roll up could occur and the specific steps needed to conduct such a review. All in all, everyone will be better off with a thoroughly laid out top down approach to this.
At this juncture, I have no other commentary on the questions raised in your Concept document. Thank you for consideration of my comments. If you have any specific questions, please let me know. I would be pleased to assist in further development of guidance in this area.
Arnold H. Schanfield, Chief Internal Auditor
Sojitz Corporation of America
1211 Avenue of the Americas
New York, New York 10036