The Committee of Sponsoring Organizations of the Treadway Commission has finally published for comment its long-awaited draft of guidance for smaller public companies on using its framework to address the internal control provisions Sarbanes-Oxley.
For months, companies and regulators have been anxiously awaiting the 207-page guidance, which was finally issued last week. Its expected arrival was part of the reason the Securities and Exchange Commission cited in its September decision to delay the effective date of Section 404 of the Act by another year for smaller public companies (see related coverage in box at right).
The SEC, which approved COSO's original Internal Control—Integrated Framework for use in fulfilling the requirements of SOX Section 404, asked COSO to develop guidance on using the framework to address the needs of smaller businesses in response to concerns by companies that the existing frameworks weren’t appropriately tailored to a small business control environment.
Those involved in developing it said the guidance, originally expected in August, was delayed because of the time involved in the effort to generate real-life examples.
Richards
“We wanted to have live examples to demonstrate how the principles are being put in practice because we felt it would add more credibility to the information,” said Dave A. Richards, a member of the COSO board and president of The Institute of Internal Auditors. “It takes them from theory into practice. We wanted to give companies practical information they can modify and tailor to their own organizations.”
But those who were hoping the guidance would offer shortcuts to complying with the internals control provisions of Sarbanes-Oxley Section 404 may be disappointed. The much-anticipated exposure draft maintains all 26 fundamental principles found in the original 1992 internal control framework.
Rittenberg
“There isn’t a shortcut to good internal controls,” COSO chairman Larry Rittenberg told Compliance Week. “There is not a 'COSO Lite'.” Rittenberg said the guidance doesn’t replace the 1992 document. Rather, the new document offers clearer guidance on the original framework by defining each principle, describing its attributes, listing various approaches companies can use to incorporate the principles, and giving real-world examples of how smaller companies have effectively applied the principles. It also includes an appendix of tools that companies have used to help monitor their controls.
Rittenberg said the guidance discusses specific issues that are challenges for small businesses, such as management override, segregation of duties, and how companies can use accounting software to attain consistency if they turn on the right controls.
“The conclusion of the group was that those 26 principles are still valid for organizations today, and they are as valid for small businesses as they are for large businesses,” the IIA’s Richards said. “There isn’t a difference in how you define what makes up good internal controls regardless of the size of the business. But how those principles are addressed in a small business is different than how they’re address in large business.”
COST EFFECTIVE
The excerpt below is from the draft executive summary of “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting,” published by the Committee of Sponsoring Organizations of the Treadway Commission, Oct. 2005. Please keep in mind that this is just the draft; COSO is accepting public comments through Dec. 31, 2005. Reprinted with permission.
Controls Need to Be Cost Effective for Smaller Businesses
Although it is often difficult to measure the risks associated with inaccurate financial reporting, market reactions to corporate misstatements clearly signal that the market does not readily tolerate inaccurate reporting, regardless of a company’s size. Accordingly, an effective internal control system can add value to a company. However, a company, and particularly a smaller company, may incur additional costs to design effective controls over financial reporting and demonstrate they are in place. A company can lessen the amount of those incremental costs and still maintain appropriate levels of internal control by implementing the principles contained in this report. Internal control should be established and maintained in a way that meets the objectives of reliable financial reporting in a cost-effective manner.
There are many options available for smaller businesses to reduce the costs of internal control. We have identified several that are summarized below and discussed further throughout this document.
Broaden the Pool of Audit Committee Members – Audit committees can provide valuable insight and oversight, helping companies apply internal control in a cost effective manner. The population from which potential board and audit committee members are selected, can be expanded by considering highly qualified individuals with financial expertise. Some options include:Chief financial officers
Management accounting experts
Accounting professors with detailed knowledge of business, accounting, and auditing
Chief audit executives (internal audit directors) who have experience in internal control and business strategy from their own businesses
Retired partners from public accounting firms.
Build Controls into the Culture – Building control responsibility and control knowledge into the culture is often the most effective way to reduce costs.
Sharpen the Risk Focus – The internal control process should be focused on areas that represent significant risks to the achievement of reliable financial reporting.
Use Software Templates for Design and Evaluation – Templates or readily available software tools can facilitate the design and evaluation of controls.
Use Information Technology to Standardize Controls – Information technology (accounting software) can be used to (a) implement consistent controls, and (b) enhance segregation of duties.
Leverage Management Monitoring – With its knowledge of the company, management can provide effective monitoring of the financial reporting process.
Outsource Some Activities – It may be possible to outsource some activities, including parts of monitoring or internal audit.
Organize Evaluation Around Principles – Exhibit 1.1, along with the chapter overviews, can be used as a checklist of principles to consider in developing effective internal control over financial reporting.
Further, the guidance includes in each chapter a discussion of alternative approaches and provides detailed examples taken from smaller companies. For instance, the guidance illustrates how a less formal, but still effective, ethics program might include posting of a statement of values in all work places, how reliance on information technology controls can be improved when using packaged software applications, and how approaches to ongoing monitoring lessens the need for separate evaluations.
Source
Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting (COSO, Oct. 2005)
Rittenberg says the key is for executives to read the principles and attributes, and to think about how they can be applied most effectively within the organization. “It’s not a check the box mentality,” he said. “Companies have to have a more laser focus as to how to apply the principles before they start doing it.” By doing so, Rittenberg says companies can avoid the cost of doing unnecessary testing, or implementing costly controls that may not be needed.
Reducing Costs
The biggest complaint about Section 404 by those who’ve already been required to comply has been the cost of documenting and testing all of their controls during the first year. Smaller companies that haven’t had to comply yet have voiced their concerns that those costs will be disproportionately burdensome on them.
“One issue that we’ve heard is that this is really not solving the problem of cost,” said Richards. “[The examples in the guidance] prove that many organizations that are small businesses are already doing these things. It’s not as catastrophic as some companies want you to believe.”
“I hope companies will take the time up front to identify the really important controls and how to test them,” said Rittenberg. “There’s a cost to those controls, but we’re trying to emphasize that the incremental cost can be controlled; smaller companies can find less formal, less costly ways to achieve the control objectives.”
For example, he said, “The documentation [for smaller companies] has to provide evidence that the control works, but it might not need to be formal with tons of sign offs.”
In addition, Rittenberg stressed the importance of effective monitoring. “After the first year, companies can achieve costs savings if they use effective monitoring,” he said. “The process should be managed with the same kind of care that companies use in managing their production line. Once you’ve established that that line is working properly, monitoring is an effective and efficient approach to managing cost as you go forward.”
Rittenberg, who teaches an advanced auditing course at the University of Wisconsin, said he tested out the new guidance in his classroom. “When I forced my students to take the principles and really drill down into the details, they found that they might end up testing fewer controls than before, and might find more efficient ways to test the controls,” said Rittenberg. “Both of those things will reduce costs. Companies have to focus on becoming more precise as to what controls they test.”
“There are two relevant costs here,” he added. In addition to the cost to companies to implement good internal controls, Rittenberg said, “Let’s not forget the cost that society bears when there’s no confidence in the capital markets. This does a lot in cutting the broader costs to the capital market.”
No Free Ride
While the authors of the guidance had in mind companies with $200 million in revenue or less, Dan Swanson, a member of the COSO task force and director of professional practices for the IIA, said, “The examples of approaches, techniques and different controls will assist all businesses in reviewing their controls and what they should focus on from a documentation standpoint.”
“It’s attempting to make the 404 process as efficient as possible,” said Swanson. “I think it will also be beneficial to large and private companies. Everyone has internal controls responsibilities.”
While it remains to be seen whether some smaller issuers will eventually be exempted from reporting under Section 404, Richards and others note that that doesn’t give them a free pass on having good internal controls. “Regardless of the [SOX] reporting requirements, the concept of good internal controls still applies,” noted Richards. “Companies don’t get a free ride even if they don’t have to report under 404.”
Richards said COSO plans to meet in January to assess public comments and “determine what issues need to be addressed and to try to provide assessment of the comments.” No hearings on the guidance are planned, although Richards added that if “there was a groundswell of problems or objections, we might look at doing that.”
Nicolaisen
Officials at the SEC and other members of the business community welcomed the guidance. Outgoing SEC chief accountant Donald Nicolaisen called the guidance, "an important step forward in helping smaller businesses understand and apply COSO's internal control framework in connection with implementing Section 404 of the Sarbanes-Oxley Act.”
An advisory committee established by the SEC to examine, among other things, the effect of the internal control provisions on smaller public companies, had recommended the 404 delay, in part to allow time for companies to implement the new COSO guidance. That committee is expected to issue its final report in April.
“I look forward to the exposure period, as I believe the comments received by COSO will provide new ideas and useful examples that potentially will further improve the document,” Nicolaisen said. “Section 404 is too important not to get right, but getting it right requires both effective and efficient implementation.” Nicolaisen said the SEC staff will continue to monitor and assess the effects of the internal control reporting rules on smaller public companies.
Beller
“The approach they have taken, when finalized, may help not only smaller businesses, but organizations of all sizes, better understand and apply COSO's 1992 Framework," noted Alan Beller, Director of the SEC’s Division of Corporation Finance.
Cunningham
“Hopefully it will be helpful to smaller companies,” said Colleen Cunningham, president and chief executive of Financial Executives International. Referring to the 26 principles and 105 attributes contained in the guidance, Cunningham added, “It’s a lot of information. A concern we have is that auditors will require all of these in the internal control framework—that they might try to use it as a checklist, versus guidance that might be helpful to management.”
Cunningham, who said the group will “probably comment” on the draft, said she hopes that FEI members “will comment directly to COSO. We need to get their feedback.”
Comments on the draft are due by Dec. 31, 2005. Final guidance is expected in the first quarter of 2006. The COSO Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting and other resources can be found in the box above, right.
No comments yet