In response to widespread criticism of the cost and burden of implementing Section 404 of the Sarbanes-Oxley Act of 2002, on internal controls, the Committee of Sponsoring Organizations of the Treadway Commission has issued comprehensive guidance and principles that should help smaller companies comply.In a July Webcast that introduced the new guidance, COSO chairman Larry Rittenberg emphasized that it does not specify prescriptive solutions to internal control problems.
"This guidance is principles-based," Rittenberg said. "In other words, management must make decisions on the most effective way to implement controls to achieve the internal control objectives. There are alternative ways to get to the right set of controls to achieve a particular objective ... . So this guidance is just that: guidance, not a cookbook. Management still needs to make decisions."
The guidance, "Internal Control over Financial Reporting - Guidance for Smaller Companies," was derived from COSO's 1992 document, "Internal Control: Integrated Framework," which has become a de facto standard for determining the adequacy of internal controls. The new document neither replaces nor modifies the original framework. Rather, it provides guidance on how to apply it to smaller companies.
Scott Taub, then-acting chief accountant of the Securities and Exchange Commission, praised the document. "This guidance will help smaller companies more efficiently and effectively implement the Section 404 internal control requirements," Taub said. "It will also help companies of all sizes understand and apply the fundamental concepts of COSO's internal control framework."
Typical of the principles approach of the guidance, it uses the term "smaller" for these companies and loosely defines them with a number of characteristics, such as fewer lines of business and levels of management, limited personnel, and less complex transactions.
The document lists 20 principles, down from the 26 that were in the exposure draft, which received 175 comment letters. Rittenberg said that certain principles were combined with others to reduce redundancy and increase simplicity.
The comment letters called for a shorter document, so COSO broke it into three volumes: an extensive summary, an overview of internal control in smaller companies, and a series of illustrative examples that serve as "tools" in a customizable format.
One writer of a comment letter, Kyle J. Pexton, vice president of finance and business operations at Authorize.net Corp., expressed satisfaction with the final document.
"COSO has done a very good job of outlining what challenges are facing small and mid-market enterprises," Pexton said. "Does it resolve all of the widespread complaints? Not completely, but it's certainly a step in the right direction." He called the document "an evolutionary process" that should be under continuous improvement.
Take it step by step
The guidance is structured around five components of internal control - risk assessment, control environment, control activities, information and communication, and monitoring - each supported by a set of principles for evaluating its effectiveness. Each principle is explained through a subset of attributes.
Rittenberg explained that the process begins with management "sitting down and deciding the objectives of financial management" for its business, then assessing the risks in achieving those objectives.
The guidance reiterates that internal control is most cost-effective when it is an integrated part of the business process. The document explores several means of improving cost-effectiveness, such as compensating for limited segregation of duties, using "tone at the top" to help management foster better controls, improving oversight by the board of directors, focusing on probable risks, and making better use of information technology.
Serena Davila, Financial Executives International director of technical activities and a member of the COSO task force, said that the core issues behind complaints of cost and burden on small companies are beyond the scope of the guidance, but that it is nonetheless a valuable resource.
"The COSO document recognizes the special challenges facing small companies in establishing and reporting on internal control ... that impact the company's ability to establish segregation of duties, hire staff with requisite expertise, and provide sufficient remuneration for board members to be willing to take on the potential liability of board service," Davila said. "Importantly, the guidance also offers ideas for how small companies faced with such challenges can still design and operate internal control effectively, how certain features of oversight or compensating controls can assist them in achieving effective internal control."
"Internal Control over Financial Reporting - Guidance for Smaller Companies" can be downloaded at www.coso.org.
