COSO—the Committee of Sponsoring Organizations of the Treadway Commission—recently released its long-awaited internal control guidance for small business. The new document is designed to help non-accelerated filers and other companies reduce the burdensome costs that have been or would be incurred in dealing with Section 404 of Sarbanes-Oxley.

Before we get into how the guidance can help, let’s dispel some mistaken notions:

The Un-Framework—There have been reports—even in the pages of this highly esteemed publication—calling COSO’s new issuance a “framework.” It’s not a framework, and never was intended to be one. The internal control framework used by companies in connection with 404—COSO’s Internal Control—Integrated Framework, published in 1992—is the framework. This new document contains guidance on how smaller businesses can use the '92 framework cost-effectively. I can speak with firsthand knowledge of the fact that this is guidance, and not a framework: The SEC’s then-chief accountant, when he and I spoke at a conference in Boston a couple of years ago, asked me whether COSO might be interested in taking on this project, and in subsequent meetings with the chief accountant and his senior staff the idea of guidance, not a new framework, was solidified.

Still Nothing On Management's Assessment—This guidance does not provide methodology for management’s assessment of internal control over financial reporting. That document still does not exist. The COSO framework sets the standard for what internal control is, and outlines criteria for determining whether internal control is “effective.” Auditing Standard No. 2, from the Public Company Accounting Oversight Board, tells auditors what they need to do to issue a clean opinion on the internal control system, as well as on management’s assessment. And, in the absence of a standard on what management needs to do to conduct a proper assessment, AS2 has been used to fill the void. The SEC, fully aware that this new COSO guidance does not address that issue, announced that it will be developing a document on management’s assessment, which frankly is good news and long overdue.

From Small To Large—While this guidance was developed with small business in mind, much of it applies equally to big business, and can be useful to large companies looking to make their 404 efforts more efficient.

With that in mind, let’s look at the substance of the guidance—first that which applies primarily to small companies, and then to guidance that applies to large businesses as well. In the interest of full disclosure, I’ll note that I had a hand in developing portions of the guidance material. So, while I believe I can be reasonably objective in describing and assessing the COSO guidance, readers might take what I say here with a grain of salt.

Help for Smaller Businesses

Guidance is provided in a number of areas:

Segregation Of Duties. The guidance reflects the reality in many small companies that achieving segregation of duties typically found in larger ones often is just not economically achievable. The guidance makes an important point: that segregation of duties is not an end in itself, but rather a means of mitigating risks inherent in processing information. As such, other controls are often in place that satisfactorily mitigate the risks. These may include actions already being taken by managers in the normal course of carrying out their managerial responsibilities, such as reviewing reports of transactions, looking at supporting documents, looking at inventory or other assets and relating their observations to accounting reports, and checking or performing reconciliations. The point is, segregation of duties is a control, and there is more than one way to deal with the related risks.

Qualified Accounting Personnel. With tight budgets, and limits on relying on external auditors for accounting expertise, small companies face the challenge of maintaining personnel with sufficient accounting expertise to pass muster of effective internal control. The guidance offers some suggestions. For example, a company can bite the bullet and upgrade its accounting staff’s expertise, through training or otherwise. Or it can avoid unnecessary complexity in corporate structure or business model—not to avoid opportunities for profitable growth, but to avoid complexity where simplicity accomplishes the same result. And with regulators speaking out, greater clarity now exists that specified types of communications with auditors are normal and appropriate business practices, and do not drive a conclusion that the company’s personnel lack ability to prepare reliable financial statements.

Information Technology. Another reality is that many small companies don’t have extensive resources to develop and maintain software in the typically controlled manner. While initially this circumstance might be viewed as a control weakness, the guidance explains that existing controls might be adequate. Where a company uses packaged software developed and maintained by commercial software services, many of the risks associated with in-house developed software are reduced. Controls over program changes are less necessary, as the changes are made exclusively by the developer company; and in many instances, small business people simply don’t have the technical expertise to make unauthorized changes.

Also Benefits For Big Business

As noted, much of the COSO issuance can help not only small companies streamline their 404 efforts, but also even the largest ones. Large companies of course have the benefit of larger and more sophisticated staffs, and may have already considered or implemented some of these ideas. There may, however, be opportunities to gain further efficiencies.

Automated Controls. An increasing variety of software is available that can improve consistency of operation and processing results, automate reconciliations, facilitate exception reporting, and support proper segregation of duties. Commercially developed packages provide embedded facility for controlling which employees in the company can access or modify specified data, performing checks on data processing completeness and accuracy, and maintaining related documentation. While many larger businesses are already taking advantage of these capabilities, many small businesses and some larger ones are not. On another level, the guidance describes how significant amounts of testing of computer application controls can be sharply reduced, by recognizing how effective IT general controls—such as over program development and changes to programs—can obviate the need for much of the yearly, direct testing of controls within computer application programs.

Management’s Monitoring Activities. Many things managers do on a day-to-day basis to run and grow the business contribute significantly to internal control over financial reporting. The guidance highlights how companies can “take credit” for these activities, compensating for perceived shortcomings or otherwise shoring up support for internal control effectiveness. And, from another perspective, management’s monitoring provides insight into where significant changes have occurred, enabling a targeted approach to where attention needs to be given in the 404 effort—and where effort can be cut back.

Management Override. While, as noted, actions taken by management in running the business can contribute to effective internal control, there is the other side of the coin: the risk that management can override established procedures for reliable financial reporting. Questions have been raised as to what constitutes sufficient control to deal with this risk. Well, the guidance provides answers—this risk can be mitigated by what is already in place in many, if not most, companies today. These are a culture of integrity and ethical values, an effective whistleblower program, an effective internal audit function, and a qualified board of directors and audit committee that take their responsibilities seriously.

The guidance goes on to describe how companies can gain additional efficiencies by focusing on only those financial reporting objectives directly applicable to the company’s activities and circumstances and taking a risk-based approach. It also discusses “right-sizing documentation,” making the point that documentation often does not need to be formal or extensive. And it discusses the relevance of considering the totality of internal control, where a control in one component can serve the purpose of controls that might normally be present in another.

What You’ll Want to Read

The COSO guidance consists of three volumes—which no doubt is viewed by skeptics as much too long for smaller businesses, who might say that a report of more than 200 pages by definition is too long. However, the report’s organization is such that readers can target their attention.

If you’re a board member, or especially an audit committee member, you’ll want to read the first volume, a 12-page executive summary.

As a member of senior management, you’ll want to focus on the second volume, but only the 17-page “Overview” chapter.

Staff involved with 404 responsibilities are likely to use the entirety of the report, not to read cover-to-cover but rather as a reference source when seeking efficiencies in particular areas of internal control.

It is expected that auditors also will use the report’s content, and reflect it in the conduct of their work.

For those who had been looking for a reduced, “COSO-lite” framework, or for opportunities to make massive reductions in control systems, this guidance will be a disappointment. But if you’re looking to make your 404 efforts more efficient—perhaps significantly so—then this guidance will certainly be of value.
