At long last, guidance from COSO—that is, The Committee of Sponsoring Organizations of The Treadway Commission—on how small companies can assess and improve their internal control over financial reporting is available. Now comes the hard part: putting that guidance to work so that compliance with Sarbanes-Oxley doesn’t overwhelm non-accelerated filers next year.

So far, regulators and others have praised the three-volume, 175-page tome as a valuable blueprint for small and large companies alike. Scott Taub, acting chief accountant of the Securities and Exchange Commission, says the document “will help companies of all sizes understand and apply the fundamental concepts of COSO’s internal control framework.” At the SEC’s Division of Corporation Finance, Director John White called it “an important part of improving the implementation of Section 404 so that it will work efficiently and effectively.” He also expected the guidance to help the SEC as it crafts its own Section 404 guidance for executives (see related story at right).

While the 207-page exposure draft—originally released last October—was criticized as being too long and prescriptive, COSO officials describe the final framework as considerably more “user-friendly,” with fewer principles (20 versus 26 in the draft) and attributes (75 down from 113). The framework also includes a color-coding system that matches specific compliance elements to the relevant principles and attributes. COSO and the SEC hope those features will make this framework more palatable than COSO’s predecessor 1992 framework, which is widely used by large companies that already must comply with Sarbanes-Oxley.

Still, several executives contacted by Compliance Week last week declined to comment on the framework’s practicality because they had not yet fully studied and digested its recommendations. As one person quipped, “It’s a lot to tackle.”

Robert Dow, a partner at law firm Arnall Golden Gregory who is also a CPA, says the examples and tools in the final framework will help small issuers grappling with Section 404. But, he adds, COSO, the SEC and the Public Company Accounting Oversight Board “have not backed away very much from the full implementation of SOX 404 for small issuers … It still represents a pretty robust roll out of an internal controls implementation.”

“Some very small companies tend to have very few formally documented controls, and those companies will have a lot of work to do to get to the starting block,” Dow says.

Rick Brounstein, chairman of the Smaller Public Company Task Force of Financial Executives International, and a member of the SEC Advisory Committee on Smaller Public Companies, was optimistic about the guidance.

“From reading the executive summary, I’m hopeful,” Brounstein told Compliance Week after combing through the introduction but prior to the July 12 release of Volumes II and III. Brounstein particularly welcomed the number of principles and attributes. “They’ve clearly gotten the message that people wanted something simpler,” he said.

Brounstein said he’s also curious how much guidance will be given to management on how to conduct a Section 404 review, both with and without a formal audit of internal controls. He said the question of whether all companies will need to conduct an audit is “still in flux,” adding, “What you have to do to get comfortable with internal controls from management’s point of view and what you have to do to prove it to an auditor are two different things.”

Guidance, Examples And More

The Institute of Management Accountants, a founding sponsor of COSO, affirmed its support for the small business framework, praising its many examples as “a starting point for small businesses to design and implement their own assessment processes” in alignment with the 1992 framework. Still, the IMA reiterated the need for “more optimal management assessment guidance that allows organizations of all sizes to realize the value in their compliance programs while driving improved business performance.” The group is developing its own risk-based assessment methodology for comment later this year, called CARD ME (Collaborative Assurance and Risk Design—Management Edition). IMA officials say it will allow organizations of all sizes to “cost effectively comply with regulation and focus on value-creating initiatives in accordance with the principles underlying the COSO 1992 internal control framework.”

DEFINE SMALL

The excerpt below is from "Internal Control Over Financial Reporting—Guidance For Smaller Public Companies," Volume 1: Executive Summary, published June 2006 by The Committee of Sponsoring Organizations of the Treadway Commission. The excerpt is from a section titled, "Characteristics Of 'Smaller' Companies":

What Are "Smaller" Companies?

Although there is a tendency to want a "bright line" to define businesses as small, medium-size or large, this guidance does not provide such definitions. It uses the term "smaller" rather than "small" business, suggesting there is a wide range of companies to which the guidance is directed. The focus is on businesses that have many of the following characteristics:

Fewer lines of business and fewer product lines

Concentration of marketing focus, by channel or geography

Leadership by management with significant ownership interest or rights

Fewer levels of management, with wider spans of control

Less complex transaction processing systems and protocols

Fewer personnel, many having wider range of duties

Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing.

None of these characteristics by themselves is definitive. Certainly, size by whatever measure—revenue, personnel, assets, or other—affects and is affected by these characteristics, and shapes our thinking about what constitutes "smaller."

Source

"Internal Control Over Financial Reporting—Guidance For Smaller Public Companies," Volume 1: Executive Summary (Committee of Sponsoring Organizations of the Treadway Commission; June 2006)

The COSO document comes as the SEC is developing its own guidance for companies on how to assess their internal controls; the agency released a concept release on that guidance just last week (see box above, right, for details). The SEC is also working with the PCAOB to revise Auditing Standard No.2—the PCAOB’s guidance for external auditors assessing clients’ internal controls—in response to cries for relief from companies struggling to contain SOX compliance costs.

Experts note that the new framework doesn’t change the existing COSO requirements, but provides examples of ways that smaller companies can meet them with fewer resources. During a July 11 webcast to unveil the framework, COSO Chairman Larry Rittenberg stressed its principles-based nature. “Management must make decisions on the most effective way to implement controls,” he said. “There are alternative ways to get to the right set of controls to achieve a particular objective. The guidance is just that: guidance. It’s not a cookbook.”

In response to the ever-popular question of whether the framework will help companies reduce the cost of compliance, Christine Bellino, a director at Jefferson Wells, said, “I believe it will enable management and the board to make smarter decisions regarding the types of controls and the level of control necessary to achieve the organization’s financial reporting objectives.”

As for whether smaller companies can escape documenting their controls—a costly step for most companies—Rittenberg answered: “Documentation for small businesses can be significantly less formal, but there needs to be some evidence that the controls are working,” particularly for assertions to third parties such as external auditors.

Electronic copies of the framework are available for purchase on the COSO Web site and the Web sites of COSO’s five sponsoring organizations. The print version will be available July 23. The cost is $65 for members of any of the sponsoring groups—FEI, the IMA, the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the American Accounting Association—or $90 for non-members.

Rittenberg noted that COSO plans to “make a place available” on its Web site for users to provide feedback on the guidance.

Rittenberg added that COSO has two projects on its agenda in the near term. One is to provide more research and examples of how companies are monitoring internal controls. In addition, he said, “There’s a need to complement this guidance to deal with continuing assessment of internal controls … assessing how the components come together. There’s a need for another project in that arena. Both of those are on our horizon.”