Internal Controls: Not just for the big guys anymore

New COSO guidance emphasizes benefits for smaller companies

When accelerated filers adopted the Committee of Sponsoring Organizations framework for their internal controls and compliance under the Sarbanes-Oxley Act, smaller companies began to follow suit. But many of them thought, "This is for the big guys."

As a result, in 2006 COSO came out with a framework of broad-based internal controls tailored to the needs of smaller public companies and, more recently, introduced its Guidance on Monitoring Internal Control Systems.

MEANT FOR EVERYONE

Between SOX initially applying only to larger companies and the complaints about excessive compliance costs, there was an impression that a formal internal controls framework is only for large businesses. COSO's current guidance re-emphasizes that internal controls are not about compliance, but are an operational necessity for every business.

When smaller public companies were scheduled to become SOX-compliant, the huge costs deterred many from taking advantage of an adequate internal controls framework. For these companies, the requirement for an auditor's attestation report on the effectiveness of the internal controls under Section 404(b) has been delayed. However, the requirement for management to report its assessment of internal controls under Section 404(a) was implemented last year.

This ushered in an internal controls consciousness among many smaller companies, while others viewed reporting under Section 404(a) more as a regulatory requirement. The present guidance bridges the gap between these two different views.

THE PUBLIC BENEFITS

The guidance is very timely. When there is a low expectation for business activity, management can spend time introspecting and evaluating the internal controls framework that exists within the organization. The guidance not only stresses the need for an internal controls framework, but also provides a mechanism to achieve these goals. It comprehensively describes the various ways of instituting a self-sustaining monitoring process and further lays out a framework for using internal controls to maintain and improve business processes across all functions and to impact the bottom line. It describes the various methods that a board of directors and senior management can employ to maintain effective oversight as the organization grows.

Many small companies have spent a substantial amount of funds establishing and evaluating their internal controls for management reporting under Section 404. The new guidance gives a step-by-step methodology to convert this knowledge base into a monitoring process that can yield efficiencies such as increased speed of business processes, increased senior management comfort and increased investor reliance.

COSO is not alone in realizing the challenges that small companies face while implementing and benefiting from internal controls compliance.

In January, the Public Company Accounting Oversight Board published Staff Views - An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies.

The guide, primarily aimed at the auditors of such companies, provides ways to scale the audit procedures to the size of the individual company. For example, a common issue among small companies is their lesser degree of segregation of duties when compared to large companies.

The guide suggested that the auditor might evaluate other existing controls that overcome such a risk. With a company implementing the monitoring process outlined in the COSO guide and its auditors adopting the procedures per the PCAOB's guidance, smoother and more efficient audits can be expected.

THE PRIVATE BENEFITS

While the focus has been on smaller public companies, there is nothing preventing a similarly sized private company or a not-for-profit organization from taking advantage of this helpful guidance. The degree and type of risks vary for different entities. The guidance demystifies the concepts of internal controls compliance for smaller organizations and assists them in developing a monitoring process to achieve their objectives.

Anupam Goradia is a CPA with the New Jersey firm of WithumSmith+Brown.

(c) 2009 Accounting Today and SourceMedia, Inc. All Rights Reserved.

http://www.webcpa.com/ http://www.sourcemedia.com/
