FORTUNE -- On September 15, 2006, the Institute of Management Accountants sent a comment letter to the SEC. In its correspondence, the IMA asked the SEC to take another look at some financial reporting controls the commission had endorsed for Sarbanes-Oxley implementation.
That framework of controls, called COSO 92, was already 14 years old at the time, and had been ten years old when Sarbox became law. It was in fact a revision of an older standard that had been repurposed for the rule. The IMA wanted the SEC to consider an alternative, "practical, risk based approach" that was less "auditor centric" and took "full account of the many advances over the past 30 years in the fields of risk management, quality and internal control".
Despite four months of letters to the SEC and Congress by the IMA, a meeting with the SEC and Public Company Accounting Oversight Board, and testimony to Congress, the SEC and Congress did not move forward on the IMA's suggestion.
Tim Leech, the primary author of the paper for the IMA, says the failure to properly address the issues raised by the IMA led to inadequate implementations of Sarbanes-Oxley. Rules about "integrity, ethics and competence" were specifically excluded from COSO 92, according to a recent article by Leech in Cost Management. Leech believes those and other fatal flaws resulted in companies failing to adequately address risk and the measurement of pay.
If these concerns sound familiar, they should. Pay and failures of measurement and oversight of risk have been cited as being major drivers that contributed to the financial crisis and "Great Recession." Integrity, ethics and competence have also figured prominently in the mix.
The revolving door of regulation strikes again?
Leech believes that one of the reasons the SEC never addressed the IMA's concerns is the revolving door between the audit community and the federal regulator, the SEC. As the IMA suggested in its letters, a big hurdle to improving Sarbox's implementation was the fact that COSO 92 is now 18 years old and the big audit firms, and the companies they audit, were fully invested in that standard, flaws and all.
Enter Douglas K. Besch, a senior manager from KPMG who came to the SEC's Office of the Chief Accountant as a two-year-term Accounting Fellow and has recently returned to his firm. Leech, in conversation and email exchanges with Mr. Besch, argued that the risk-controls frameworks endorsed by the SEC needed to be reviewed. (Risk-controls frameworks are just what they sound like -- a way for companies to measure and control the risk they are taking with their assets and decisions.)
The SEC had actually left the door open by saying that other suitable frameworks could be used, something Besch himself confirms and that is part of the SEC's rule on the topic.
Besch said that he told Leech that registrants could use other frameworks as long as they could demonstrate they worked. But Leech wasn't just asking for an alternative, he was asking the SEC to rethink its recommendation -- the only way practices would ever really change. Despite the failures of the financial crisis making the need for change clear, without an SEC formal review and support from the big audit community, Leech has made little progress in his crusade.
Registrants who have to file reports based on COSO 92 were, according to Besch, free to "pre-clear" other risk-controls approaches, but there was no project under way at the SEC to review these issues, which is why the SEC would not review suggestions that came only from Leech. But what corporation would willingly stick out like a sore thumb by holding itself to non-recommended risk-controls frameworks, and also take on the burden of proving to the SEC that those frameworks actually work?
Only corporations and auditors can tell the SEC when a rule doesn't work
Leech believes that if he had been with one of the largest audit firms or a major corporation, his views might have been listened to. In fact, the SEC does have a mechanism that can be used. But as outlined on the web, the process is available only to registrants and their auditors, not to members of the general public, even when they happen to work at the Institute of Management Accountants.
Leech laments that these issues have dragged on over the years as other countries look to the U.S. for guidance. And as we now know, there have been many cases where individuals tried to bring attention to issues that later became well known. Two painful lessons for the SEC were the Bernard Madoff and Allen Stanford cases, where the warnings raised by Harry Markopolos and Leyla Basagoitia, respectively, went unheeded because they didn't fit into the SEC's processes.
It is hard to know how much the use of COSO 92 contributed to the financial crisis and whether the IMA's proposal could have helped prevent it. But clearly the issues Leech raises are worthy of consideration, given the lack of financial and risk transparency at the heart of the crisis. Discounting the possibility that there is something to learn here seems unwise. Questions must be raised in looking at the accounting problems at Lehman Brothers and Bank of America (BAC, Fortune 500): how exactly did auditors sign off on the firms' risk-controls processes and miss the off-balance-sheet maneuvers that caused so much financial pain?
Given all that we do know, the SEC clearly needs to create a process for allowing input from outside the company and auditor communities. No one group can claim to have a lock on the best ideas. To prevent another crisis of this magnitude, taking seriously the weaknesses in an 18-year-old control framework embedded in a law that has cost companies billions to implement would be a good start.
--Eleanor Bloxham is CEO of The Value Alliance and Corporate Governance Alliance, a board advisory firm.