COSO queries concepts in monitoring internal controls

Concerned that companies are investing much in internal controls but then risking it all by not monitoring those controls, COSO, the Committee of Sponsoring Organizations of the Treadway Commission, has issued a discussion document that may eventually become a full set of guidelines on monitoring.

COSO chairman Larry Rittenberg said he has been pondering this project ever since the Sarbanes-Oxley Act of 2002's Section 404 went into effect.

"After spending so much money on building an internal control system and evaluating it every year, companies ought to look at internal control as a process and then monitor the controls to determine whether they continue to be effective," Rittenberg said. "Companies already have a lot of information that could indicate whether controls are continuing to operate effectively, or signal that they are not."

The innovative use of indirect information - operations information, for example, as an indicator of the integrity of the financial system - is one of the concepts that led the committee to issue a discussion document before proceeding to an actual proposal for comment.

Rittenberg said that management should be making more use of monitoring and ought to "take credit" for using it to cost-effectively confirm Section 404 compliance. He emphasized that the COSO document does not present new requirements for SOX compliance.

"We really felt that monitoring has been under-utilized by many companies," Rittenberg said. "We want all companies to have good internal control. We know they have to do it efficiently, and we felt that a little more clarification, followed by examples, which we'll have later, will help companies become more efficient in achieving good internal control."

COSO is still working on the examples and case studies that would help companies apply the concepts and principles that are presented in the discussion document. This additional guidance will be included in an exposure draft of a final document. Several pilot companies will serve as sources of this practical information.

Though earlier COSO documents - the "Framework" that was issued in 1992, and the guidance on internal controls for smaller companies issued in 2006 - stress the importance of monitoring control systems, they do not go into much detail on implementing the principles of monitoring those systems. The discussion document gives those principles more substance and applicability.

Grant Thornton partner Trent Gazzaway, one of the authors of the document, said that the guidelines don't change the requirements of Sarbanes-Oxley, nor should they increase the burden of financial reporting. To the contrary, they should relieve some of the burden by making the process more efficient and effective.

"Part of the problem with SOX compliance was that people didn't understand the value of the monitoring component of the COSO framework, and how it contributes to management's understanding of and belief in the effectiveness of controls," Gazzaway said.

Gazzaway said that effective monitoring can eliminate the need for the "layer of internal control evaluation" that is typically performed at the end of a fiscal year. By assessing the effectiveness of a monitoring system, he said, auditors can indirectly assess the effectiveness of the monitored controls. He sees the lack of guidance as a big cause of companies opting for expensive and inefficient year-end evaluations, rather than ongoing monitoring.

Calling monitoring "the third leg of the stool," Gazzaway said that it links and supports the Securities and Exchange Commission's internal control compliance requirements and the audit requirements found in Public Company Accounting Oversight Board Auditing Standard No. 5.

"Companies can take the COSO guidance and get a rough idea of what the SEC expects them to have in place and what documents they need to support their assertions, and then look to the guidance to develop the actual programs that operate year round," Gazzaway said. "Auditors can start with AS5 to see what the PCAOB expects from them, then look at the monitoring guidance to identify where management had effective monitoring procedures in place, then focus on those procedures more than on some of the detailed controls."

The document presents several questions.

The clarity of the concepts is the big one, Rittenberg said, along with the question of whether the guidelines provide enough information for companies to apply the principles presented. COSO also asks whether the concepts in monitoring suffice to identify and correct weaknesses before problems occur.

The questions can be answered at a "feedback portal" on COSO's Web site. The portal and the document are online at: www.coso.org/publications.htm.

Comments are requested by Oct. 31, 2007.
