If the Committee of Sponsoring Organizations of the Treadway Commission has succeeded in doing what it set out to do, small public companies may soon have an easier time of documenting their internal controls.Back in 1992, COSO issued a set of recommendations, "Internal Control - Integrated Framework." Ten years later, the Sarbanes-Oxley Act of 2002 required companies to certify the adequacy of their internal controls, and the COSO framework became a de facto standard.
SOX Section 404, on internal controls, went into effect for large companies effective November 2004. Overwhelmed with the task of compliance, they objected, but generally managed to meet the requirements. Smaller companies - those with market caps under $75 million - balked at the prospect. Meeting SOX would be unbearably complicated and expensive in both money and manpower. The SEC extended the deadline for compliance until 2007, but they would still have to comply.
COSO soon got to work, and the result has just been issued as an exposure draft of proposed guidelines.
The guidelines present 26 principles associated with the five key components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
The objective of the document, "Guidance for Smaller Companies Reporting on Internal Control over Financial Reporting," was not to rewrite or simplify the original framework, but to offer guidelines that facilitate implementation in the context of a small company.
The COSO Web site reported that over 4,000 copies of the document were downloaded within a week of its issuance. Financial officers have just begun to look at the report, but accountants and consultants who contributed to the document are praising what they see in the final proposal.
Christine Bellino, director of technology risk management at Jefferson Wells International, in Denver, and a member of the COSO task force that produced the document, advises companies on SOX compliance, and helps them identify, customize and implement internal controls. "Two years ago, if I'd had this document, it would have made life a lot easier," she said. "It sticks to the 1992 framework. It's principles are the same, but it also gives approaches, examples and templates of how you can comply. It's not the full cookbook, but it goes a long way toward that for those who aren't as savvy about internal controls on both the informational technology and the business process sides. It really gives them something they can put in their hands and say, 'I can do this.' That alone will save companies a lot of time, money and effort, because they're kind of guessing how to meet the intent of the principles."
Larry E. Rittenberg, Ph.D, CIA, CPA, COSO chair and Ernst & Young Professor of Accounting at the University of Wisconsin, emphasized that the guidelines do not affect the fundamental principles of COSO's original integrated framework. "The mission we had was to better articulate the principles in the 1992 framework, and I think we have," he said. "The major reason was to provide guidance that identifies ways smaller businesses can meet the objectives in the internal control framework, and do so in a way that does not add significantly to the cost incurred in achieving internal control."
Rittenberg compared the document to a roadmap that can help smaller companies grapple with challenges that are especially difficult in a smaller company, such as segregation of duties and the threat of management override.
COSO is requesting comments on the proposed guidance. The big question, Rittenberg said, is whether the guidance is specific enough to help with the original conceptual framework.
"We haven't prescribed a single particular answer for every company," he said. "We've said, 'This is the principle you need to accomplish. You figure out the most economic way to accomplish it and demonstrate that you've accomplished it.' We give some approaches, but we ask companies to figure out what's best for them. So our big concern is whether the guidance is specific enough."
Reducing the cost
The proposed guidelines identify several ways in which smaller companies can reduce the costs of internal control. It recommends broadening the pool of audit committee members, building controls into the organization's culture, a tighter focus on areas that represent greater risk, the use of software templates for design and evaluation, more effective use of information technology, leveraging management to more efficiently monitor the financial reporting process, and outsourcing appropriate control responsibilities.
Though many privately held companies do not necessarily need to meet the requirements of Sarbanes-Oxley or provide documented certification of the effectiveness of their internal controls, many companies recognize that following the principles of the framework yields several benefits. It can lead to more efficient and effective financial reporting, better data for decision-making, increased stakeholder confidence, and eventual access to public capital markets.
James K. Smith, a member of the COSO task force and vice president and chief financial officer of Phonon Corp., in Simsbury, Conn., has seen his company pass from public hands to private hands after it was sold off by a parent company. He said that Phonon still has a "public company mentality," even though it is now a private company. He has had discussions with his board of directors regarding the continuation of internal controls and the purpose of doing so.
The process of contributing to the guidelines, he said, has taught him a lot. "The original COSO framework has language about smaller companies handling internal control in a much less formal manner, and that very much describes my company," Smith said. "We are in the process of formalizing a lot of the procedures that we follow and the practices that we utilize to maintain our internal control. So working on the guidelines has been very valuable to me."
Big Four firm PricewaterhouseCoopers was engaged to conduct the project, which was coordinated with the Securities and Exchange Commission's Advisory Committee on Smaller Public Companies. COSO members include the American Institute of CPAs, the American Accounting Association, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors.
The document can be seen at www.coso.org. Comments are requested through the Web site by Dec. 31, 2005. Final guidance is expected in the first quarter of 2006.
