COSO for CSOs: An interview with the internal control and ERM frameworks' co-author
Richard M. Steinberg talks about risk management, adoption rates, and forthcoming updates to COSO's work.
Interview by Bradley Schaufenbuel
January 23, 2013 — CSO
As the business world focuses more on risk management, more people are turning to the frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management (ERM), internal control and fraud deterrence.
Richard Steinberg is the lead project partner of the PricewaterhouseCoopers team that in 1992 conceptualized and developed the COSO Internal Control Integrated Framework. The framework—which is in the process of being updated, with a final draft expected this April—is widely used today for designing, implementing and evaluating the effectiveness of internal controls.
Steinberg also led development of the COSO Enterprise Risk Management Integrated Framework, developed in 2004. This is a broader framework that incorporates concepts of the Internal Control framework. It describes the critical principles and components of an effective ERM process, namely, how important risks should be identified, assessed, responded to and controlled.
Bradley Schaufenbuel, director of information security at Midland States Bank, recently interviewed Steinberg for CSO.
Bradley Schaufenbuel: Has the COSO framework for internal control met your expectations for adoption?
Rick Steinberg: It's the standard used by the vast majority of public companies for enhancement and reporting as required by Sarbanes-Oxley. It has resulted in a common language of internal control that was absent before its issuance, as well as more commonly understood concepts and terminologies of internal control. I've also seen enhanced communication among executives across companies. Its principles and key concepts have stood the test of time, so yes, it has met my expectations.
You have said you believe the updated internal control framework to be a substantial improvement over the old one. Why?
The key enhancement is that certain concepts inherent in the 1992 version—elements of control, attributes related to each principle—have been made more explicit. Also, the surrounding discussions have been brought up to date by focusing on new business models, evolving technology, third-party involvement and fraud detection.
The principles inherent in the framework have been highlighted, and if that's what security managers have been focusing on, it will be received well. If the hope is for a great deal more detail on information security, then it's probably not going to satisfy those hopes.
Does the greater recognition of third parties highlight the need for organizations to increase their focus on improving vendor management and oversight programs?
The draft updated internal control framework certainly focuses better on the risks involved and the relationships with third parties and how to better manage those risks.
We're not only talking about relationships with vendors but also other types of third parties—service providers, representatives, agents operating in foreign locations, business partners. They've all received more focus in this update.
There has been criticism that the COSO risk management framework is too complex. What can be done to simplify it or change this perception?
Risk management is simple in concept but can be challenging to deal with in the real world. I may be a bit biased, but I don't think it's extraordinarily complex.
The cube in the framework brings concepts together in a meaningful way. But people who don't focus on risk on a regular basis or as a process might need to work a bit to get their arms around it.
There are other ways to do that than focusing solely on the framework; they can pursue educational and training programs to gain that understanding.
The framework's Application Techniques volume is a tool that security managers might want to look into, because there's a wealth of knowledge for specific ways to apply risk management effectively.