Disclaimer
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.
CPA Now

COSO Internal Control Framework Use: Where Are You Manufacturers?

By Steven Ulmer, CPA (inactive), CISA, CIRM


In an admittedly unscientific sample, I have not found one person in manufacturing operations who knows about the COSO Internal Control Framework. I contacted several prominent people, and not one knew what I was talking about. All of them had to google COSO before we could continue our discussion.

Since one of the three components of the COSO internal control over financial reporting (ICFR) is effectiveness and efficiency of operations – which includes financial performance measures and safeguarding of assets – one would think what I found in my sample should not be the case.

Since the three COSO objectives overlap, a siloed approach creates concerns. One significant concern would be whether there is enough information and communication to carry out internal control responsibilities for meeting business objectives. There may be inconsistencies in design and implementation of controls without overall coordination. In doing research, I came across mention of significant control issues requiring coordination, including difficulties in getting data within department, across enterprise, from customers and suppliers, and a lack of IT/OT (information technology/operating technology) interaction. All this results in digital transformation failures.

One of my finance contacts offered his opinion that operations would be more effective and efficient using COSO ICFR. His feedback was a restatement of the various components, such as clear objectives, assessing risks to objectives, controls in place to facilitate achievement of objectives, right information/key performance indicators in place, and monitoring to determine that as things change the objectives, risks, controls, and information requirements change accordingly. I do not think operations would argue with the need for any of the above. Instead, their response would be that they believe this is what they are already doing. Such a view may indicate a lack of understanding on the part of finance of the operational part of the business.

I am not expressing an opinion as to whether I agree or disagree with the reasons cited by my finance and manufacturing operations contacts for the lack of knowledge or support from operations. With that caveat, here are the more prominent reasons they mentioned:

  • There has been no real effort by COSO to reach out to people in operations. There was no participation in the development or update of the COSO ICFR by organizations such as the American Production and Inventory Control Society (APICS) or the Lean Enterprise Institute. It was strictly an exercise by finance organizations; therefore, the framework is “still only the playground of finance.” The use of COSO ICFR for operations is more aspirational.
  • Does COSO ICFR provide anything useful for operations? COSO ICFR is too abstract (read “not real-world”), bureaucratic, and/or cumbersome. There is the perception that control is viewed as the goal and not a means to achieve organizational objectives.
  • Finance people are "blockers" who get in the way of delivering value to the customers. Lean practitioners would rather eliminate or reduce the cause of variation than control, measure, or report it. One of my contacts noted, “I would rather have highly reliable standard work that I could see in effect during a walking tour than any internal audit or backward-looking monthly report.” Most do not need an internal control framework to do that.
  • Since Finance uses the COSO ICFR primarily for financial reporting, people view its use through the Sarbanes-Oxley Act (SOX) lens, including the infrastructure (read bureaucracy) required in performing an evaluation of SOX compliance.
  • There is a perception and ownership issue. If someone is put in charge (finance, enterprise risk management, etc.), the perception of other parts of the business is that group oversees those controls, and the rest of the organization no longer needs to worry about it.

The purpose of this blog is to start a conversation. I realize some people may not perceive a problem with the status quo while others may believe the COSO ICFR is not appropriate for manufacturing operations, but there needs to be better coordination. In my judgment, there is value in conversations between finance and operations. I encourage COSO to reach out to organizations such as those cited earlier in the article to determine if there is an opportunity to work together on an issues paper. If nothing else, there is benefit in getting different viewpoints because it may lead to outcomes that are different than the way things have been done in the past (diversity of thought). It may be worthwhile to explore the value of concepts such as design thinking, lean, and agile on the way internal controls are designed, implemented, and coordinated.

Key questions to address are as follows:

  • What problems are we trying to solve? Is there an issue with COSO ICFR remaining primarily a document for financial reporting purposes?
  • Can management systems model their real-world environments but still report against a common internal control framework?
  • How do we best coordinate the system of internal controls? As changes occur, how can an organization ensure control systems for addressing risks to business objectives adapt to add additional features and remove features that are outdated?
  • What guidance can be provided for addressing the control ownership issue mentioned above?

I would be interested in your comments and constructive feedback.


Steven Ulmer, CPA (inactive), CISA, CIRM, is a part-time adjunct associate professor of accounting. He can be reached at sulmer13@gmail.com.

