COSO ERM is Dying and on Life Support and the Big Four Know It

James Bone
Aug 20, 2020

In 2015, I wrote an article, “How COSO destroyed Risk Management”, critiquing what I saw as scope creep in the mandate of the Big Four accounting firms into enterprise risk management. Here is one excerpt from the article:

“COSO has lost sight of its original mandate from a narrow focus on developing an internal controls framework, emanating from an integrated [internal control] framework designed to understand the causal factors that can lead to fraudulent financial reporting to a broader and rather vague Enterprise Risk framework with little substance.”

Five years later this observation seems prescient in its criticism and is now being confirmed by COSO itself. COSO’s internal controls framework is not a standard in and of itself, but it has made a number of positive contributions by defining the importance of internal controls and compliance and by developing a set of principles for assurance of the integrity of financial reporting. The weakness in COSO ERM is the “ERM” part. ERM was included as an afterthought following a string of financial scandals that exposed COSO’s narrow focus on internal controls and compliance rather than on the broader risk inherent in all organizations — decision risk.

Accurate and fair financial reporting is critical to the establishment of trust in the financial markets and integrity in senior management’s statements about the operations of their controls. Stakeholders depend on the Big Four accounting firms to be stewards of good auditing and to fairly represent the accuracy of financial statements in the U.S. and abroad. Most public accountants perform these duties with the level of professionalism expected and take these duties seriously.

However, any organization can lose its way when leadership and corporate culture begin to justify actions that are questionable but still legal, given the gray areas in financial assumptions. This article is less an examination of the ethics of financial reporting than a look at how far COSO and the members of its board have veered from their original mandate and core business driver, auditing financial statements, toward consulting on risk management.

Make no mistake, issues of ethics do exist and have driven the UK to separate Big Four auditing from consulting engagements. Other countries are beginning to raise similar concerns about the dominant role of the Big Four as they squeeze out competition and have the boards’ ear on sensitive matters. Audit independence is challenged when reliance on fee revenue growth depends on adding more services unrelated to assurance.

So why do I believe COSO ERM is dying and on life support? It appears that COSO is killing it themselves. If you are paying attention, and few are, the Big Four accounting firms have quickly shifted their business models from audit to consulting services. Follow the money. In 2019, 42% of PwC’s workforce worked in assurance, but the fastest growing group now works in advisory services. Advisory services and consulting are becoming a larger share of revenue for each of the Big Four firms.

Ethical questions in advisory services aside, the Big Four’s adoption of a technology-solutions approach is misguided without a full understanding of the context of the problem. A technology-solutions approach is the adoption of a “hammer”. It shouldn’t be a surprise that the Big Four views data as the “nail” to solve each organization’s problem. Insights into data, like internal controls, are a one-dimensional solution to a three-dimensional problem.

The strategic question for organizations is less about a technology solution and more about how to build a resilient organization that is scalable and sustainable in a digital business environment. Should external auditors provide those solutions, or should the firm? Ideally, organizations should design automation to facilitate and streamline audit work for assurance while simultaneously automating internal controls monitoring and decision support based on the strategic challenges the firm faces. Exponential audit and advisory fee growth by audit firms is a symptom of systemic risk! This metric alone demonstrates that management is checking the box of assurance and should be a warning to external stakeholders.

Very few organizations have the ability to quantify measurable reductions in risk; therefore the lack of a strategic plan in audit and risk management drives fee revenue up for public accounting firms every year. Warren Buffett articulated this disconnect very simply: “You never know who’s swimming naked until the tide goes out.” A key risk indicator is growth in audit fees and advisory services.

In my opinion, COSO evolved out of a need to address audit risk. Fraud, financial engineering and questionable audit opinions are the direct result of failings in COSO’s framework. Sarbanes-Oxley (SOX) was established to hold management and public accounting firms accountable for questionable business practice. However, SOX has done very little to reduce the number of “zombie firms” that are being exposed following the emerging COVID pandemic.

The methods used by the Big Four, and by extension COSO, in their advisory/consulting practices raise other concerns that should be addressed. In 2015, I predicted that the next Chief Risk Officer would be a “Robot.” The article was meant as a warning to risk, audit, compliance, and IT professionals to take the lead. I failed to anticipate that the Big Four firms would adopt these practices as a means of increasing advisory services; however, that is exactly what is happening.

In fairness, public accountants have the right to pursue innovation and to innovate themselves to remain competitive. The question for the Big Four and corporate executives is whether industry should outsource research and development, with their data and vendor solutions, or make an investment to build sustainable domain knowledge that can be leveraged enterprise-wide. Looked at through a cognitive risk lens, the return on investment is not the cost of technology versus some metric. A better measure is: how does this technology contribute to organizational knowledge about known and unknown risks? How does technology enable staff to innovate? How does technology empower executives to make better choices among risky options?

Why would forward-looking organizations outsource that capability to a third-party accounting firm? Making the right choice in a digital environment fraught with disruption heightens the strategic importance of build versus buy.

Sustainability is built on a foundation of investment in people, surrounded by the right level of technology. Sustainable risk management is not created out of a box. Sustainable risk management is intelligence, experimentation, a clear picture of the problem to be solved and tools that truly empower people.

A cognitive risk framework was an early adopter of a human-centered approach that is now finally becoming mainstream, if the 2020 PwC Global Risk Study is an early indicator. Lastly, to put a fine point on it, cognitive risks are pervasive and represent decisions made under uncertainty. That is not an audit problem. Cognitive risks are strategic challenges for management to solve.

My predictions were timely, but they were intended to preserve the role of risk management in what was an obvious transition from manual processes to automation. That transition has been, and will continue to be, driven by change in how organizations manage their operations, their customer interactions and, yes, risk management as well.

Let’s again look at what the Big Four firms are doing. Recently, PwC published its 2020 Global Risk Study. Surprisingly, the survey focused entirely on the Internal Audit function and did not mention risk management, compliance or IT security staff. Intentional or not, it is an oblique omission. What was more striking is the total absence of any mention of the COSO ERM framework as a model to remedy the findings in the study. Instead, the key changes targeted “Proactive Risk Focus”, what PwC calls “Risk Sensing”, “Audit Spectrum” and “Behavioral Science”. Wait, what?!?

R.I.P. COSO ERM — Welcome to a Cognitive Risk Framework!

I do not take credit for this transformation, because technology and behavioral science are accessible to anyone willing to make the connection, but the similarities are striking. Coincidence?

I anticipate that COSO will continue with their efforts, but should it? The answer is clearly yes, but accounting firms should not dictate the direction of automation in control design. The Big Four play a quasi-regulatory role that pure market participants do not. If this were baseball, it would be equivalent to “team owners” creating their own rules and deciding how to follow them. AICPA and PCAOB should be the referees, not passive observers of COSO’s march into AI-enabled internal controls.

The Big Four should evolve; however, they should do so with appropriate guardrails in place. PCAOB and AICPA have a responsibility to open public discussion on advanced technology, data and machine learning, and to provide professional standards of care. How else will audit independence be sustained in a digital environment where lines are easily crossed?

If I am right, COSO will continue advising on automation engagements to manage risks. Does that mean that my 2015 article, “Meet R.I.S.K. Why Your Next Chief Risk Officer Will Be a ‘Smart’ Robot”, will become a reality?

The answer to that question depends on whether risk professionals remain complacent or begin to develop a cognitive risk framework before the Big Four do.

#cognitivehack #cognitiveriskframework #humanelement

James Bone is a founder of Global Compliance Associates and TheGRCBlueBook, and author of Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind. James has created the first and only Cognitive Risk Framework for Cybersecurity and Enterprise Risk Management.
