Comparison of COSO and Basel
COSO and Basel are both sets of standards that help organizations manage risk, but they address different audiences. COSO is a framework for internal control, including control over financial reporting, that can be applied within any organization; it helps companies meet the internal-control reporting obligations imposed by the Sarbanes-Oxley Act of 2002 (SOX). In contrast, Basel II, the latest Basel Accord at the time of writing, is an international framework for bank regulation. Basel II proposes ways for banks to more accurately calculate the capital they should hold against credit, market and operational risk (Basel II Compliance, 2009). Basel II compliance is mandatory only for certain large banking organizations active in international markets.
COSO stands for the “Committee of Sponsoring Organizations of the Treadway Commission,” a group that established a common definition of internal control and created an outline for evaluating the effectiveness of internal controls. COSO was formed in 1985 to sponsor the work of the National Commission on Fraudulent Financial Reporting (known as the “Treadway Commission”), chaired by James C. Treadway, Jr. (About Us, 2009).
The Treadway Commission's mission was to study the causes of fraudulent financial reporting and to develop recommendations for public companies, independent auditors, the US Securities and Exchange Commission (SEC), other regulators, and educational institutions. It was formed against the backdrop of the financial scandals of the 1980s, including the failures of savings and loan associations. The Commission concluded that the best way to prevent major financial frauds was to improve internal controls (Singleton, 2009). COSO developed a model of internal control, circulated it among members of the various stakeholder organizations and, in 1992, published the COSO Model of Internal Control (the Internal Control – Integrated Framework), which became an important part of the technical literature for financial auditors.
In 2002, Congress passed SOX. As a result, publicly traded companies had to comply with section 404, which requires management to evaluate internal control over financial reporting every year and publish its assessment with the company's SEC filings. The Public Company Accounting Oversight Board (PCAOB), created by SOX, was given responsibility for setting standards for the audits of public companies, and it began to issue auditing standards. The first one, Auditing Standard (AS) No. 1, carried forward the previous auditing standards set by the AICPA. The second one, AS No. 2, was published in June 2004 and addressed the audit of internal control required by SOX section 404. It recognized the COSO model as a suitable framework for evaluating and reporting on internal controls. AS No. 2 thus established the COSO model as a tool that auditors, internal and external, needed to understand, especially when applying it to section 404 evaluations of internal controls (Singleton, 2009).
The AICPA issued SAS No. 109, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement," in 2006, again showing the importance placed on COSO and its usefulness in evaluating internal controls. SAS No. 109 requires financial auditors to evaluate internal controls, especially those related to IT, those that are a central part of the entity's information systems, and those related to the "entity and its environment." Appendix B of SAS No. 109 gives more information on how to apply the standard, and uses the COSO model to develop audit procedures, questions and other material useful for complying with this standard (Singleton, 2009). A financial audit therefore needs to include someone capable of performing this evaluation, such as an IT auditor or a Certified Information Systems Auditor (CISA), and the IT auditor in turn needs to understand the COSO model.
COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) compliance with applicable laws and regulations" (Enterprise Risk Management, 2004). The COSO Model of Internal Control consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring.
COSO is widely quoted and paraphrased in control and governance documents across sectors, and it has become the de facto standard for controls over financial reporting because of the Securities and Exchange Commission's interpretation of SOX, which accepts the COSO framework as a suitable basis for management's section 404 assessment.
Basel II is an updated version of the original international bank capital accord (Basel I), which has been in effect since 1988. The Basel Committee on Banking Supervision, on which the United States serves as a participating member, developed Basel II and published it in June 2004. The Basel II framework rests on three complementary pillars: (1) minimum capital requirements, (2) supervisory review, and (3) market discipline. The revised accord aims to improve the consistency of capital regulation internationally, make regulatory capital more sensitive to risk, and promote stronger risk-management practices among large, internationally active banking organizations.
Which Model Seems Most Logical and Useful?
A company should choose a framework based on its size and type. COSO can be applied by virtually any type of enterprise, whereas Basel II is costly and complicated to implement fully and is required only of certain large financial institutions.
How the components of the COSO framework are applied to an organization depends on the nature and size of that organization. Although SOX is directed at public companies, many private companies and nonprofit organizations are choosing to evaluate their systems of internal control using COSO's framework (What is COSO?, 2009).
A 2006 survey by the Financial Stability Institute suggests that about 100 countries plan to apply Basel II over the next few years, although implementation is not expected to be uniform across regions (Will Basel II, 2008). Most of Europe has already implemented the new standard. In the U.S., Basel II regulation is moving forward, and it will change the way regulators calculate capital ratios. An "Advanced" version is already in place for the largest dozen or so banks, and a "Standardized" version will be available for the other roughly 7,500 U.S. banks sometime in 2009 (Geoffrey & William, 2009). Recently there have been proposals to make the Basel rules even tougher.
Problems with COSO and Basel II
COSO and Basel II have both been criticized for their inadequacies. Critics claim that COSO is too general and vague to guide the monitoring of internal controls in businesses of all types and sizes, and that the 353-page COSO manual is too complicated for midlevel managers. Some ask why COSO did not prevent the global financial crisis. Others point out that COSO does little to prevent fraud: most major financial frauds are committed or directed at the executive and board levels, where management can override the very controls it is responsible for (Steinberg, 2006). Another drawback is that reporting under COSO gives investors little meaningful disclosure of risk. Lehman Brothers is an example of a corporation that failed with no warning to investors or regulators despite an unqualified internal-control assessment.
The Basel II standards have also been picked apart, and they have come under even closer scrutiny as the framework gains worldwide support. One criticism is that the more sophisticated risk measures unfairly advantage the larger banks that are able to implement them. Developing countries generally do not have such large banks, so Basel II may disadvantage the economically marginalized by restricting their access to credit or by making it more expensive (Mainuddin, 2009). Another criticism is that the operation of Basel II will amplify the business cycle. The credit models used for Pillar 1 compliance use a one-year time horizon, so during a downturn, as the models forecast increased losses and capital requirements rise, banks would need to reduce lending, deepening the downturn.
In conclusion, a business should adopt a risk management framework that satisfies the laws and regulations it must follow. However, it should incorporate elements from several sources into its risk management program rather than rely solely on one framework. Regulators, for their part, should be aware of the weaknesses and inconsistencies in these frameworks and account for them when assessing the models that institutions use.
About Us. (n.d.). Retrieved July 4, 2009, from http://www.coso.org/aboutus.htm
Basel II Compliance. (n.d.). Retrieved July 4, 2009, from http://www.cipheroptics.com/compliance/basel-ii-details.html
Enterprise Risk Management – Integrated Framework. (2004, September 1). Retrieved July 4, 2009, from http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Geoffrey, R., & William, N. (2009, March 1). Basel II Regulation. Retrieved July 4, 2009, from http://findarticles.com/p/articles/mi_qa5353/is_200903/ai_n31514289/?tag=content;co
Mainuddin, S. S. (n.d.). Basel 2 and Its Implications. Retrieved July 4, 2009, from http://www.thefinancialexpress-bd.com/2008/02/06/24535.htm
Shaw, H. (2006, March 15). The Trouble with COSO. Retrieved July 4, 2009, from http://www.cfo.com/article.cfm/5598405/c_2984409?f=singlepage
Singleton, T. (n.d.). The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls. Retrieved July 4, 2009, from https://www.isaca.org/Template.cfm?Section=IT_Audit_Basics&Template=/ContentManagement/ContentDisplay.cfm&ContentID=46042
Steinberg, R. (2006, February 16). Will 404 Really Prevent Financial Reporting Fraud?. Retrieved July 4, 2009, from http://www.complianceweek.com/article/2296/will-404-really-prevent-financial-reporting-fraud-
What Is COSO? (n.d.). Retrieved July 4, 2009, from http://www.mcgladrey.com/Resource_Center/Audit/Articles/WhatIsCOSO.html
Will Basel II Help Prevent Crises or Worsen Them? (2008, June 1). Retrieved July 4, 2009, from http://www.imf.org/external/pubs/ft/fandd/2008/06/saurina.htm