REVIEW: "Beyond COSO", Steven J. Root
- BKBECOSO.RVW 20070218
"Beyond COSO", Steven J. Root, 1998, 0-471-39112-3, U$65.00/C$84.99
%A Steven J. Root
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$65.00/C$84.99 416-236-4433 fax: 416-236-4448
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 340 p.
%T "Beyond COSO: Internal Control to Enhance Corporate Governance"

In the preface, the author notes that it is impossible to have
complete control of any situation: problems and fraud will happen
despite all of our efforts. Root recommends that companies should
implement internal controls as suggested by COSO (the Committee of
Sponsoring Organizations of the Treadway Commission), but must also go
beyond them, in a manner similar to the layered defence or defence in

Chapter one contains an analysis of the limitations of the COSO
directives (and ends with a rather odd overview of the book itself).
The concepts of, and problems with, internal control are covered in
chapter two. Chapter three presents a history of twentieth-century
corporate frauds and the attempts to restrict them. Business ethics
and values are discussed in chapter four.

Chapter five outlines the COSO framework, noting that internal
controls provide assurance of the efficiency of operations and
reliability of financial reporting--as long as there is compliance
with the laws and regulations. (As this material is based on the 1992
version of COSO, it is interesting to note that the components of risk
management are pretty much the same, but that the dimensions of
objectives categories and unit-levels had not yet been added to the
model.) Further concerns and limitations of COSO are expressed and
analyzed. Additional frameworks are reviewed in chapter six. Using a
hybrid of devices from these other frameworks, chapter seven suggests
the extension of internal controls with additional management aspects.

Chapter eight recommends that an oversight process be established for
internal controls, noting particularly legal obligations and related
factors such as standards of care, generic corporate organization and
business roles and tasks. The oversight issues are extended in
chapter nine, looking in more detail at job roles, and also insights
that arise from chaos theory. Chapter ten finishes off the book with
a review of the reporting of internal controls: much of this is
concerned with the wording used in such statements, and the
ineffectiveness of such reports to control incidents and fraud.

Despite its age, this book is one of the more useful guides in the
area of governance and controls in corporations. Root was willing to
go beyond the usual promotional jobs that masquerade as management
advice. While he does not solve the problem, he at least makes the
issues clearer, and raises interesting points in regard to solutions.

copyright Robert M. Slade, 2007 BKBECOSO.RVW 20070218