As new leadership takes the helm at COSO, the board is considering whether it can help sort out ongoing tension over public company internal control reporting.
Paul Sobel, currently vice president and chief audit executive at Georgia-Pacific, is beginning a three-year term to succeed Robert Hirth. Sobel plans to retain his position at Georgia-Pacific while also taking the reins at COSO, more officially known as the Committee of Sponsoring Organizations of the Treadway Commission. COSO is a collaborative think-tank that authored the Internal Control — Integrated Framework, the most widely utilized tool for achieving compliance with Sarbanes-Oxley internal control reporting requirements.
At Georgia-Pacific, Sobel is responsible for managing the internal audit function and providing oversight and counsel on risk management and compliance programs throughout the company. He has served in similar capacities at three other large public companies, and he has held numerous volunteer leadership positions at the Institute of Internal Auditors, including serving as global chairman in 2013 and 2014.
Sobel’s near-term priority as the incoming chair of COSO is to promote adoption of the board’s recently updated enterprise risk management framework. “It’s still relatively new,” he said. “I’m not sure how many have had the time to dive into the framework. It has a lot of rich information, and we need to make sure organizations have a better understanding of the key concepts.”
COSO also is developing some additional guidance to support the newly updated ERM framework, focused primarily on examples that might help organizations understand how the framework applies to real situations. Publishing the examples with the framework might have made the document too unwieldy, Sobel says. “This will give some examples from different industries that people can relate to, so it gives ideas of how to operationalize the framework,” he says.
Hirth, who has retained his position as senior managing director at Protiviti while also serving as COSO chairman, is also a member of the Sustainability Accounting Standards Board. During Hirth’s tenure as COSO chair, the board issued an update to its internal control framework and updated the ERM framework. Sobel served on the advisory council for the ERM update.
Sobel says he will focus in the coming months on a recently formed partnership with the World Business Council on Sustainable Development to produce guidance on how COSO’s ERM framework can be utilized to address risks in environmental, social, and governance issues.
The new chairman also expects to work with the COSO board to identify any gaps in current thought leadership with respect to COSO’s key mission areas, such as risk management, internal control, fraud prevention, and governance. That could include some kind of role in helping sort out continued tension among public companies, auditors, and regulators over internal control over financial reporting, Sobel says.
The Public Company Accounting Oversight Board continues to deliver harsh inspection findings on the major audit firms, and problems persist in the audit of internal control, especially in the area of management review controls and controls over data and significant assumptions. “There have been some early discussions,” says Sobel. The first step is to determine what role COSO would assume.
“To the extent we’re talking about practical guidance as it relates to the internal control framework, that could be a role for COSO to play,” he says. “The board is discussing what might make sense. Whether that’s some kind of thought leadership or guidance, it’s too early to tell what COSO will decide.”