In Brief

Bob Hirth is the immediate past chair of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), having served from June 2013 to January 2018. He joined the Sustainability Accounting Standards Board (SASB) in May 2017, having previously served on the SASB Foundation’s board of directors. Hirth also served on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB) from 2012 to 2016. He continues to serve as a senior managing director of Protiviti, a global internal audit and business risk consulting firm. He began his career with Arthur Andersen and is a graduate of Southern Methodist University in Dallas, Texas.

Recently, Hirth discussed his time with those organizations and their current projects with Donald Tidrick, a professor at Northern Illinois University. Hirth’s comments represent his own views and not those of COSO or SASB. The interview is presented below in edited form.

* * *

Donald Tidrick for The CPA Journal: Would you share a historical summary of COSO?

Bob Hirth: There were a number of financial reporting failures and challenges that led to the formation in 1985 of the National Commission on Fraudulent Financial Reporting, better known as the Treadway Commission for its chair James C. Treadway Jr., a former SEC commissioner. This commission was a private sector initiative to address serious issues of mutual concern to multiple professional organizations. The five sponsoring organizations that comprise COSO, as they are known today, are the American Accounting Association (AAA), the American Institute of CPAs (AICPA), the Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).

The Treadway Report was issued in 1987 and consisted of 49 recommendations. Some of these were directed at educators, while others were directed at regulators, corporate management, internal auditors, and independent auditors; all of them were intended to strengthen the credibility of the financial reporting function and reduce the occurrence (or increase the detection) of fraud.

One of those recommendations called for a comprehensive study of internal control, which motivated the five sponsoring organizations to continue their collaboration. The result was the 1992 Internal Control—Integrated Framework that was led by Coopers & Lybrand and coordinated by C&L’s Rick Steinberg. That framework was revisited about 20 years later and updated guidance issued in 2013. Of course, when the Sarbanes-Oxley Act of 2002 [SOX] was enacted, the framework was identified as suitable for purposes of internal control reporting, and that elevated the visibility and reputation of COSO.

I think it noteworthy that, more than 30 years after the initial project, these five sponsoring organizations have continued to work on significant projects of mutual interest. We are an “infrastructure-less” organization driven by volunteers without employees or incorporation; representatives of each sponsoring organization pitch in to do what needs to be done in a highly collegial manner.

It is very important to recognize that COSO is not a standards-setting body. Its mission is to engage in thought leadership intended to improve organizations by focusing on three primary subject matters: internal control and governance, risk management, and fraud deterrence.

CPAJ: How did you come to be appointed to chair COSO in 2013? What motivated your decision to leave in 2018?

Hirth: I had reached a stage in my career at Protiviti where I was starting to consider taking on some new professional challenges. About that time, I saw an interesting discussion regarding the revision of the framework, so I called Dave Landsittel, then COSO chair, to inquire about the work that he was doing in that role. He let me know that he was in the process of wrapping up his service to COSO, and he encouraged me to apply for the position. I went through the interviews and was fortunate to be selected.

The initial term is three years, with the possibility of serving a second three-year term. As I approached the end of my original term, the revision of the Enterprise Risk Management (ERM) framework was not quite complete, so the board and I agreed to extend my term through the completion of that project. Following the release of that revised ERM framework, I transitioned out of COSO after about 4½ years, which seemed like a good jumping-off point.

CPAJ: Other than the revision of the ERM framework, what would you identify as the primary accomplishments of COSO during your time as chair?

Hirth: During that time, COSO moved from essentially having a book to sell to promoting multiple frameworks in a variety of formats. It no longer just sells printed materials; it also licenses the use of those materials. A number of software vendors have incorporated COSO materials into their applications, and other entities offer related training using these materials. These materials are available online, in addition to print form. Also, I believe that I contributed to increasing the visibility of COSO by making more than 200 presentations around the world in more than 20 countries.

Enterprise Risk Management

CPAJ: What motivated the ERM project, and how would you characterize the most important improvements in the revised framework, which was rolled out in 2017?

Hirth: The feedback about the 2013 revision to the internal control framework was highly favorable, and it led to the question: What about the ERM framework, which was a decade old at that point? About that time, PricewaterhouseCoopers expressed a willingness to discuss leading a project to update the ERM framework, since they had a right of first refusal from the original engagement letter. Those discussions focused on whether enough time had passed and whether enough changes in the business environment had happened since the 2004 framework was released to warrant an update. There was a consensus that the revision would be worthwhile.

We discovered that companies were already doing a lot of great things in pursuit of ERM, so one of our goals was to incorporate the value-added work of those companies into the revised framework. As the title, Enterprise Risk Management—Integrating with Strategy and Performance, suggests, the revision more closely links ERM to an entity’s strategic and performance issues by integrating ERM concepts throughout the entity’s operations. That ERM discussion about uncertainty, tradeoffs, choices, and risks should be built into the strategy-setting process itself, which leads to a better-reasoned, risk-adjusted strategy.

The revision establishes a more explicit relationship between ERM and decision making, generally, while emphasizing the relationship between risk and value. It retains a focus on five ERM-related components while explicitly identifying 20 principles that are relevant to those components. Having a “components and principles” structure for the internal control and ERM frameworks reflects a similar architecture for both frameworks, which I think facilitates users’ understanding.

CPAJ: In 2016, COSO announced a new self-study program to earn the “COSO Internal Control Certificate.” Has that certificate program gotten much traction?

Hirth: Originally, I envisioned that business schools might actually be certified in COSO, and I wanted the audit firms to encourage the schools to get that certification. As COSO-certified business schools, they would be recognized for their competence in teaching those concepts; the firms could then have confidence that graduates from those schools were proficient in these topics. I have not completely given up on that idea.

We currently have a “certificate” program that utilizes materials developed by the AICPA and paid for by COSO; COSO then licenses these materials to the five sponsoring organizations to deliver the certificate program. In 2015, the COSO Internal Control Certificate Program was launched for live instruction, and we followed up with an online version in 2016. The live version requires 4½ hours of advance study and 2½ onsite days, resulting in a total of 25½ hours of CPE. The online version consists of nine self-paced lessons and qualifies for 17 hours of CPE. Both versions lead to a certificate and a digital badge.

It has gotten a lot of traction and has been extremely successful for the AICPA and IIA, which have actively promoted the program. Similarly, an ERM Certificate Program will be released soon, and we expect global demand to be significant for that.

CPAJ: Shortly after you were named chair, COSO announced a thought leadership paper co-written with Ernst & Young that linked sustainability reporting with the ERM framework. Then, in 2018, COSO and the World Business Council for Sustainable Development (WBCSD) released new draft guidance applying ERM concepts to “Environmental, Social and Governance (ESG)–related risks.” How did these collaborative projects come about?

Hirth: Dave Landsittel initiated the 2013 collaboration with EY and WBCSD, so he deserves all the credit for that. When I joined COSO, the thought paper was substantially done. It is quite good, and offers a solid foundation in this subject matter.

This second project with WBCSD has been interesting. I was connected with Brendan Leblanc, who is the EY partner in charge of the firm’s climate change practice. There had been some discussion about developing a sustainability risk framework, but Brendan suggested that, since COSO was close to releasing the ERM revision, we should consider issuing a supplement to it specifically to address sustainability considerations, rather than develop a separate framework from scratch. That became the focus of the project with WBCSD. After a period for public comment and revision, COSO will issue an executive summary and supplemental framework in final form. There will probably be a couple of additional papers related to this initiative that will be developed.

Sustainability Accounting

CPAJ: You are one of nine members of the SASB. Please give a thumbnail sketch of SASB’s history and its role as a private-sector standards-setting body. How did you become a member of the board?

Hirth: SASB was founded in 2011 by Jean Rogers, with the support of Michael Bloomberg. She served as CEO until May 2017, when SASB was reconfigured to establish a two-tiered governance structure consisting of the SASB Foundation, which is responsible for funding activities among other things, and the Sustainability Accounting Standards Board, which is responsible for standards-setting activities. Until recently, Jean served as chair of the Standards Board, consisting of nine members including the chair. The SASB Foundation board of directors comprises 18 highly distinguished individuals, including two former chairs of the SEC (Mary Schapiro and Elisse Walter) and a former chair of FASB (Bob Herz).

Both boards have recently transitioned to new leadership. At the SASB Foundation, Bob Steel, former deputy mayor of New York and CEO at Perella Weinberg, has become chair. He takes over from Michael Bloomberg, who served from 2014 to 2018 and continues to be very supportive as chair emeritus. Jean Rogers recently passed the torch as chair to Jeff Hales, an accounting professor at Georgia Tech who had served as vice chair of SASB; he also served for five years as chair of the SASB Standards Council, which preceded the board. He has extensive technical expertise and practical understanding.

I had been on the SASB Foundation board when we decided to separate the standards-setting board from fundraising activities in 2017. I expressed a desire to be a member of the standards-setting board, which I thought would be especially interesting and impactful, and I was privileged to be selected as one of the nine members.

We have identified 79 industries to be classified into 11 sectors and are forming a sector advisory group (SAG) for each sector, which we anticipate will comprise 15–20 people. For example, I lead the technology SAG, consisting of hardware, software, IT services, Internet, semiconductors, and telecommunications. Forming all of those SAGs is one of our major initiatives for 2018. Each SAG will be composed of relevant stakeholders, including investors, preparers, and other experts who are knowledgeable about issues relevant to the particular sector. The SASB website provides information about the application process for persons interested in applying for consideration.

CPAJ: There are other sustainability-related reporting standards, including the Global Sustainability Standards Board’s Global Reporting Initiative (GRI) Standards. Are there different roles for a domestic standards-setting body and a global one?

Hirth: Sustainability reporting is really a global issue. There are a number of alternative frameworks, including those associated with the GRI and the International Integrated Reporting Council (IIRC). Perhaps there may be some degree of consolidation over time. In my view, it is healthy to allow for some experimentation with a variety of reporting standards.

SASB has chosen to build our own model, which leverages the U.S. capital markets. The New York Stock Exchange is the most successful vehicle in the world for creating value, and listed companies tend to be global in scope. SASB has adopted an investor-oriented approach that is grounded in the concept of materiality and organized around industry lines, which is unique.

We have adopted the definition of materiality determined by the U.S. Supreme Court, which establishes the duty to disclose by public companies under the federal securities laws. SASB standards are voluntary, and should not be viewed as a new set of rules. Increasingly, these standards will be aligned with the 2017 recommendations of the G20’s Task Force on Climate-Related Financial Disclosures. SASB standards have been recognized by the European Commission as a suitable framework for disclosing information to investors in accordance with EU Directives. In short, we believe that SASB standards will facilitate providing useful information to investors while helping registrants meet their disclosure requirements in their SEC filings, including their management discussion and analysis (MD&A) presentations.

CPAJ: U.S. companies may have lagged somewhat behind European companies in focusing on sustainability reporting, but such reporting has certainly gained tremendous momentum in the United States. Do you envision that sustainability reports may someday become required of U.S. public companies?

Hirth: The European community tends to have a more regulatory-driven approach, whereas we tend to favor a more investor-driven demand for information. SASB is not requiring that any new items of information be disclosed; over time, these ESG-related risks may increase in importance and therefore be seen as material to investors, which would then have reporting implications.

Attestation and Credentialing

CPAJ: Do you envision that third-party assurance of U.S. corporate sustainability reports will someday be expected by stakeholders, if not required by regulatory authorities?

Hirth: SASB is a standards-setting body relevant to reporting of sustainability issues, so someone else should determine whether there is a need for third-party verification of those sustainability reports. This is similar to FASB, which issues financial statement–related reporting requirements, but then the PCAOB or the AICPA issues the relevant auditing standards, depending upon the nature of the entity involved. In July 2017, the AICPA issued guidance, Attestation Engagements on Sustainability Information Guide (Including Greenhouse Gas Emissions Information), directed at practitioners providing assurance on such sustainability reports under the AICPA’s Clarified Attestation Standards. There is potentially an enormous market for assurance services, but I still think that should be investor driven. The major accounting firms are very supportive of SASB, and they are naturally interested in exploring opportunities to strengthen their role in the growth of sustainability reporting.

CPAJ: SASB sponsors the “Fundamentals in Sustainability Accounting (FSA) Credential.” Would you comment on that initiative?

Hirth: There are two levels to the FSA Credential, reflecting the two examinations involved. Level I deals with principles and emerging practices; Level II addresses application and analysis. There are three testing blocks: January and February, May and June, September and October. An FSA Level II Candidate digital badge is given to candidates who pass the Level I exam, and that is replaced by the FSA digital badge after passing the Level II exam. In time, this may evolve from an assessment-based certificate into a certification program.

Currently, there are more than 500 individuals who have already completed one or both parts of the exam. Probably two-thirds of those have completed FSA I, and about one-third has completed FSA II. There are approximately another 650 that have just started the process. SASB’s website provides extensive information about the FSA Credential and the testing process.

CPAJ: Is there anything else that you might wish to say to readers of The CPA Journal?

Hirth: COSO and SASB both have a robust process for creating their materials. For important topics related to internal control, ERM, and sustainability reporting, these materials are intended to be useful to everybody everywhere. Both COSO and SASB strive to contribute to the improvement of organizations in a very broad and positive way. COSO represents a remarkable collaborative effort, for more than 30 years involving the AAA, AICPA, FEI, IIA, and IMA. SASB is a much more recent initiative, having been founded in 2011, but its mission is profoundly important, in my view. I invite readers to learn more at and

Donald E. Tidrick, PhD, CPA, CMA, CIA is the Deloitte Professor of Accountancy at Northern Illinois University, DeKalb, Ill.