At long last, the much-anticipated guidance on how small companies should implement an effective internal control framework over financial reporting and other risks is ready for public consumption.

The Committee of Sponsoring Organizations plans to release the guidance today, complete with a Webcast to review the document’s main points. Companies have been waiting since last year for COSO to unveil its final guidance, considered a key tool to help small businesses confront the compliance challenges of Sarbanes-Oxley.

A 207-page exposure draft of the guidance was released back in October. The final guidance is considerably shorter and more “user-friendly,” according to those who have worked on or reviewed the document (see box at right for a summary and FAQ).


The final version contains fewer principles and attributes than the exposure draft, and includes a color-coding system that matches specific compliance elements to the relevant principles and attributes, COSO Chairman Larry Rittenberg told Compliance Week in an interview.

The new guidance was drafted at the behest of the Securities and Exchange Commission, which in early 2005 asked COSO to scale down its original 1992 document, Internal Control—Integrated Framework, to make it more applicable to small businesses. The 1992 framework is widely accepted as the industry standard among large public companies, which have had to comply with Sarbanes-Oxley for two years now, for establishing internal control over financial reporting. Smaller companies, however—which don’t need to comply with SOX until 2007—found the original COSO framework too unwieldy for their smaller staffs and resources.

The final guidance includes just 20 of the 26 original principles included in the draft, while the number of attributes was cut from 113 to 75. It has been split into three volumes to make it easier to digest:

Summary—An executive summary, providing a high-level review for boards of directors and senior management;

Principles & Examples—An overview of internal control over financial reporting in smaller businesses, fundamental principles drawn from the original framework along with related attributes and approaches, and examples of how smaller businesses can apply the principles in a cost-effective way.

Tools—A compendium of tools to help management evaluate internal control.

The October 2005 draft guidance kept all 26 principles from the 1992 document and included real-life examples of how companies could apply them in a smaller setting, but was criticized by some as too long and prescriptive. For example, critics pointed out that the document described several cases where an internal audit function would be crucial in achieving certain principles, while many smaller companies have no internal audit staff at all.

COSO PRINCIPLES

Below are the 20 basic principles outlined by COSO as the fundamental concepts necessary in achieving effective internal control over financial reporting:

Control Environment

Integrity and Ethical Values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

Board of Directors. The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.

Management’s Philosophy and Operating Style. Management’s philosophy and operating style support achieving effective internal control over financial reporting.

Organizational Structure. The company’s organizational structure supports effective internal control over financial reporting.

Financial Reporting Competencies. The company retains individuals competent in financial reporting and related oversight roles.

Authority and Responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

Human Resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

Financial Reporting Objectives. Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

Financial Reporting Risks. The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

Fraud Risk. The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

Integration with Risk Assessment. Actions are taken to address risks to the achievement of financial reporting objectives.

Selection and Development of Control Activities. Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

Policies and Procedures. Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

Information Technology. Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information And Communication

Financial Reporting Information. Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.

Internal Control Information. Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

Internal Communication. Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

External Communication. Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

Ongoing and Separate Evaluations. Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.

Reporting Deficiencies. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.

Source: Internal Control Over Financial Reporting—Guidance For Smaller Public Companies (COSO; Executive Summary; July 11, 2006)


“We received a lot of feedback that the guidance needed to be more user-friendly to smaller businesses, particularly in the area of examples,” says Joseph Carcello, a member of the task force that drafted the new guidance and director of research for the University of Tennessee’s Corporate Governance Center. “A lot of effort was put in to make that happen.”

Carcello says the executive summary is “a summary of the meat of the major recommendations,” while the other two volumes “dig into the details” and provide examples and tools, as well as additional explanations of the fundamental concepts.

Rittenberg says the final guidance is clearer than last fall’s exposure draft. “We took the comments to heart and looked very critically at the number of principles and attributes,” he says. “We tested every principle we had for redundancy and clarity and reduced it fairly extensively.”

According to the executive summary, while the guidance is designed “primarily to help management with establishing and maintaining effective internal control over financial reporting, it also may be useful to management in more efficiently assessing internal control effectiveness, in the context of assessment guidance provided by regulators.”

Indeed, executives at companies of all sizes crave just such advice as they struggle to control ongoing SOX compliance costs. For two years, large filers have complained that their external auditors ran roughshod over assessments of internal controls, insisting that companies meet the expectations laid out by Auditing Standard No. 2, the standard given to external auditors by the Public Company Accounting Oversight Board.

In May, the SEC and the PCAOB finally conceded as much; the PCAOB began a new campaign of hectoring auditing firms to lighten up on clients, while the SEC promised more guidance specifically for corporate executives on how they should assess their internal controls. The SEC’s own guidance has not yet appeared, but many in financial reporting circles—especially the non-accelerated filers—hope that COSO’s new framework can serve just as well.

Rittenberg says the final COSO guidance stresses that the achievement of effective internal controls is based on “all five COSO components coming together to achieve the object of reliable financial reporting … The components are not an end to themselves, they’re a means to achieving the objectives. I think that point got lost in the exposure draft.”

The guidance also stresses that once a company establishes effective controls, a robust monitoring process “should contribute a great deal of the evidence needed for [Section] 404 compliance,” Rittenberg says.

New in the final guidance is a color coding system that matches each of five fundamental elements of internal control to various principles and attributes that help address it. The five elements are identified as risk assessment, the control environment, control activities, information and communication, and monitoring.

Responding to the criticism that the draft was too prescriptive, Rittenberg notes, “We state clearly that COSO is a principles-based approach. Management has choices to make as to the best way to accomplish those principles.”

“We don’t say one approach is better than another, as long as management demonstrates they can accomplish a particular principle,” he says.

The executive summary and a related list of 27 “frequently asked questions” can be found in the box above, right; other resources and coverage are available as well.