Addicted to Controls. Sedated by Assurance.

Reliance on Control Activities is enabling bad risk decisions and corporate misconduct. Is there a way forward?

The fundamental paradigms of risk and control professionals are being tested. Extreme, reactionary advocates of Control Activities to mitigate risk have influenced standards and practices that do not work.

In a recent blog I suggested that we have become addicted to “controls”, or more specifically “Control Activities” as defined by COSO, and that this addiction is blinding us to risk. I believe reliance on Control Activities as a primary response is evidence of, and a good predictor of, bad risk decisions. Failures in the COSO Control Environment and Risk Assessment components are primarily responsible for bad risk decisions and bad corporate behavior.

Those failures should be considered Material Weaknesses and clean audit opinions denied.

Clean audit opinions on internal control effectiveness even where COSO Control Environment or Risk Assessment practices have utterly failed and led to catastrophic losses don’t make sense.

It's Time to Take a Closer Look

Let us start with three hypothetical scenarios:

  1. An airplane manufacturer makes and sells airplanes that cannot fly.
  2. A pharmaceutical manufacturer sells a drug that kills people.
  3. A major data broker loses millions of confidential customer records to hackers.

Would these hypothetical corporations receive a clean audit opinion on internal control over financial reporting using the COSO model below? The answer is Yes.

Did these events have financial impacts? The answer is Yes.

Have these issues been addressed?

Without a strong Control Environment and responsible Risk Assessment, poor and even fatal risk decisions are certain, and internal control over anything should be questioned. Internal control over financial reporting is not quarantined from bad management. COSO did not seem to contemplate exempting internal control over financial reporting from bad management. In fact, as I recall (and I co-authored a response to the initial COSO exposure draft), COSO was intended to lead to better risk decisions and fewer corporate failures. What happened?

Bad risk decisions enabled by faulty elements in the Control Environment (e.g. egregious conduct, fraud, incompetence, destructive compensation systems, etc.) or by faulty Risk Assessment lead to catastrophic risk decisions, corporate misconduct, or both.

In each of the three hypothetical examples above, failures in Control Environment and Risk Assessment were to blame. Can companies with such massive failures, by definition, have effective internal control over anything? If so, COSO is meaningless and we have made it so.

The Way Forward

Several changes are clearly needed now.

1. Call out the real causes of failure

Enforce the PCAOB definition of Material Weakness:

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.

None of these hypothetical companies should receive a clean audit opinion. These types of failures are evidence of total and catastrophic failures in control, specifically in Control Environment and Risk Assessment. All of them should have been denied a clean audit opinion and, with it, unrestricted access to capital markets and a pass on debt covenants and other obligations. Isn't that what SOX was supposed to prevent?

I understand that we are dealing with just internal control over financial reporting in audit opinions. But is it reasonable to suggest that, with massive failures in the application of COSO, the company is still COSO compliant? Wouldn't it be more prudent to assume that massive failures in the Control Environment or Risk Assessment can reasonably be expected to result in material losses, both financial and nonfinancial, now and well into the future?

Assessing Control Environment and Risk Assessment can be subjective. But we should call out and name failures in those elements when we see them. Shouldn't we put this type of failure right up there with a lack of Segregation of Duties in the financial close process, an oft-reported Material Weakness? Why do we limit Material Weaknesses to failed Control Activities?

2. Drive COSO compliance out of financial reporting and into the business

Replace Risk Factor Reporting with Objective Status Reporting

Replace every reported Risk Factor with a complementary objective. The objectives should reflect, and be limited to, the core business model of the business. For example, if shifting consumer preferences is a Risk Factor, define an objective that targets revenue or market share. Disclose that objective, the planned performance levels for that objective, and the confidence management has that the planned performance level will be achieved. Assess the risks to achieving the objective and the measures needed to manage the risk.

I know this is a radical change, but can we trust companies who do not know this information? In relying on Control Activities, we are blocking insights.

Companies that are not sure what their top risks or objectives should be, or are concerned that disclosing objectives and planned performance will be advantageous to competitors, can be exempted by simply stating “we just can't figure this out” or “we know our top risks and critical objectives but we aren't going to tell you” and naming those conditions as their only risks. Caveat emptor.

Once the objectives are listed, the company should make “a positive declaration intended to give investors confidence” and provide evidence to support their assertion. The assertions must be risk based and objective centric. Risk Oversight Solutions, a business owned by Tim Leech, a long-time colleague, offers advice and methodology. It's an enhancement of a methodology I worked with for years with Tim. I have firsthand knowledge of its rigorous tools.

  1. If product safety is a risk, they could state “We are xx% certain (It could be 99.9 or 10%, just tell us.) that our planes will fly safely xx% of the time,” or, in the case of the pharmaceutical company,
  2. “We have procedures in place that give us xx% confidence the pharmaceutical products we sell are manufactured and distributed in a way that reduces the incidence of misuse and accidental death to x%,” or, for the hypothetical data broker,
  3. “We have measures in place to reduce the probability of data loss from hackers to less than xx%, but we cannot be completely confident they will work more than xx% of the time.”

Just tell us please. Let stakeholders decide the risks they want to accept and the confidence they have in management. Companies can be compared to each other within an industry. The results would be transparent.

3. Provide assurance that is meaningful

Require independent audit opinions that provide real assurance against objectives.

Here is what we get today.

Hint: Assurance is defined as a positive declaration intended to give confidence.

This is from the 2019 annual report of a company with catastrophic, headline-grabbing failures.

“Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.”

4. Recognize the tools and talent available to us today.

The tools and talent to begin this journey are here now. I believe the risk management profession has the frameworks to support assertions on objective centric risk-based performance. I believe that auditors I have met in my work around the world could develop standards to audit the reliability of these assertions and provide (or withhold) assurance.

  • Move to Data Driven Assurance

Transparency is essential. Data is essential.

I am certain that the risk and control professions would make huge advances in technical knowledge and decision making, and begin to adopt and exploit the powerful technologies available today. The data needed to monitor risks and performance against objectives is digitized somewhere. The analytics needed to provide insight are here now.

Today's standards and practices are flawed. They do not add value, and bad practices have stunted the development of the profession and the adoption of technology.

Reliable risk and control management practices and supporting standards must be driven by data and insight, not belief in flawed criteria and subjective judgement.

“Better to do the right thing wronger than the wrong thing righter” (Russell Ackoff). That's how we learn.

Let us shift from a “broken control activity” model of control effectiveness to a positive, data-driven, comprehensive, objective-centric, risk-based approach. The definition of success and effectiveness should be sustained performance. Let us deal with the causes of failure, not the symptoms. Let's add value.

I welcome and read all comments.

Published by Bruce McCuaig

I'm interested in all aspects of risk and compliance management. I want to make it work for business executives, the practitioner community and the business.

