The IRS And The COSO Cube

Have you been following the emerging news story regarding political bias at the Internal Revenue Service (IRS)? Apparently, the agency that regulates America’s federal system of income taxation is now under investigation for purportedly mistreating conservative “tea party” groups during its reviews of tax exemption applications.

If you’re a tax accountant, you can’t help but feel a little embarrassed about the apparent dearth of internal controls at the Service. After all, many accountants are specialists in the field of risk management; they charge significant fees to their clients for advice regarding the development of systems of internal control.

Just two weeks ago, for instance, the world’s leading committee of professional accounting trade organizations issued a new cube-shaped framework that defines internal control development activities. Isn’t it unfortunate, and ironic as well, that the accounting professionals at the IRS failed to implement their own profession’s frameworks?

COSO: A Brief History

The tale of these frameworks began thirty years ago, when the five major accounting trade organizations in the United States invited Wall Street veteran James Treadway to chair a Commission to assess the causes of fraudulent financial reporting practices. The resulting report of the Treadway Commission led to the development of the first control framework in 1992, which was then slightly modified two years later.

Developed in response to concerns that were raised during the Crash of 1987 and the financial scandals of the Gordon Gekko era, the paradigm was represented by the shape of a three-dimensional cube. The top of the cube displayed the three perspectives (i.e. operations, reporting, and compliance) that affect internal controls, whereas the front of the cube presented the five components (i.e. the control environment, risk assessment, control activities, information and communication, and monitoring activities) that define such controls.

In 2004, in response to concerns that were raised during the financial and corporate scandals of the Enron and WorldCom era, the Council of Sponsoring Organizations (COSO) expanded its cube into a framework of enterprise risk management. They did so by adding a fourth perspective (i.e. strategic considerations) to the top of the cube, and three components (i.e. objective setting, event identification, and risk response) to its front. And then, just two weeks ago, they defined seventeen explicit principles to support a further refined framework.

Control and Risk

So there is certainly no lack of guidance regarding the implementation and maintenance of internal control and risk management systems. But what do these frameworks mean? And how can they help us assess what recently transpired at the IRS?

First and foremost, it is important to keep in mind that internal control and risk management are not synonymous phrases. In fact, internal control is a concept that is embedded within the practice of risk management.

A competent risk manager understands that many internal controls are implemented to prevent the occurrence of troublesome events. And if prevention is impossible, additional controls are employed to detect the existence of such events. Yet there are times when prevention and early detection controls simply fail to provide effective risk management strategies.

In other words, there are occasions when competent risk managers have no choice but to respond to occurrences of troublesome events without the control benefits of prevention or early detection. Such risk response activities are not components of systems of internal controls per se, but they do play significant roles within systems of enterprise risk management.

Prevention controls, detection controls, and response activities are the three proverbial “building blocks” of enterprise risk management. So how can we relate them to the unfolding tale of political intrigue at the IRS?

Likelihood and Impact

The COSO prescriptive framework is a fairly simple one. If a potentially troublesome event is relatively likely to occur, then the organization should develop new prevention (or detection) controls to reduce this likelihood of occurrence to tolerable levels. And if the event is expected to inflict a costly impact, then the organization should also implement new response capabilities to limit its damage.

Now let’s apply this principle to the current IRS controversy. What was the likelihood that an understaffed IRS office, struggling to manage a flood of tax exemption applications, would resort to questionable assessment tactics? This was arguably a relatively likely event, and thus more might have been done to prevent (or detect) its occurrence. For instance, the IRS might have invested in enhanced training and oversight activities.

But how much damage has the controversy actually inflicted on the conservative groups that were inappropriately investigated by the IRS? Even though they appear to have been unfairly targeted for scrutiny, there is no indication that any have lost or been denied their tax-exempt status as a result of the investigations.

So an application of the accounting profession’s COSO framework might not necessarily fault the IRS for its questionable response to the controversy. Nevertheless, it might lead one to question whether the Service did enough to prevent (or detect) the occurrence of the problem.