New COSO Guidance for Smaller Companies

News Brief
July 11, 2006

By:  Cydney Posner

In the course of implementing its SOX 404 rules, the SEC asked COSO to develop an internal control framework for smaller public companies. COSO responded to that request by announcing that there was no such thing as "COSO-lite" and, in October 2005, by providing as a discussion draft 207 pages of additional guidance on how smaller companies could implement the existing COSO framework. To put it mildly, the effort was not warmly welcomed, and COSO was effectively sent back to the drawing board.

Today, COSO released its additional guidance on its control framework directed at smaller companies, although usable by larger ones. COSO's new guidance outlines and describes the attributes of 20 principles fundamental to the five components of the COSO framework, lists a variety of approaches that smaller companies can use to apply the principles and includes examples of how smaller companies can apply the principles.

While the guidance does not define "smaller," it does identify characteristics common to smaller companies, none of which is definitive:

  • Fewer lines of business and fewer products within lines;
  • Concentration of marketing focus, by channel or geography;
  • Leadership by management with significant ownership interest or rights;
  • Fewer levels of management, with wider spans of control;
  • Less complex transaction processing systems and protocols;
  • Fewer personnel, many having a wider range of duties; and
  • Limited ability to maintain deep resources in line as well as support staff positions, such as legal, human resources, accounting and internal auditing.

These characteristics result in associated challenges with regard to internal control, including:

  • Insufficient resources to segregate duties;
  • Management's ability to dominate and override controls;
  • Recruiting board members with adequate expertise and personnel with adequate financial and accounting expertise;
  • Management's need to focus on operating the business, leaving less time for accounting matters; and
  • Limited technical resources for IT controls.

Nevertheless, COSO finds some compensating factors. For example, a dominating leader with wide and direct control may also have in-depth knowledge that allows him to "know what to expect in reports generated by the financial reporting system and to follow up as needed when unanticipated variances surface." The ability to override can, COSO suggests, be addressed with specific protocols. Similarly, directors may have more in-depth knowledge that may assist in oversight. To compensate for limited segregation of duties, a common problem at smaller companies, managers can review system reports, select transactions for review of supporting documentation, oversee periodic inventory or asset counts and compare them with records, and review reconciliations. COSO suggests that these activities all contribute to effective internal control. Limited technology resources may be remedied through the purchase of external software maintained by others; moreover, external software often builds in controls that can improve consistency. Credit can also be given for management's regular monitoring of business operations, which can provide information about internal control systems. Management may be able to focus on monitoring activities already in place to target significant changes requiring more detailed testing.

Companies may also be able to gain efficiencies by focusing only on those financial reporting objectives directly applicable to the company's activities and circumstances (i.e., beginning with the financial statements and identifying supporting objectives related to the business that are material to the financial statements), using a risk-based approach (i.e., focusing on the quantitative and qualitative factors that potentially affect the reliability of financial reporting and identifying where in transaction processing something may go awry), right-sizing documentation, viewing internal control as an integrated process and considering the totality of internal control. The level of documentation necessary will depend on the circumstances, but some level of paperwork will always be necessary, e.g., for billings and reconciliations. In smaller companies, management may be more directly involved in performing the controls and may need less documentation as a result; however, there must be information to show that the accounting systems and procedures are well designed and implemented. The company's regulatory requirements may also have an impact. Management will need to support its public assertions on effectiveness, which support will typically involve at least the major accounting processes, and will also need to provide the auditors with evidence that the controls are effective. However, there may still be instances of informal and undocumented policies and procedures, where management is able to obtain evidence through the normal conduct of the business that indicates regular performance of the controls, although control processes cannot be "performed entirely in the mind of the CEO or CFO." Embedding the creation and retention of the evidence within the processes would be beneficial. The guidance contains a variety of illustrations of documentation.

The summary reminds us that the five components of internal control--risk assessment, control environment, control activities, information and communication, and monitoring--work together as part of an integrated process: once the financial reporting objective has been specified, management identifies and assesses relevant risks, determines which risks could lead to a material misstatement, determines how the risks should be managed through control activities, and implements approaches to capture, process and communicate the necessary information, all in the context of the control environment, which must be constantly refined. These components are all then monitored to ensure effectiveness. Determining whether internal control is effective involves a judgment; COSO states that, if all five components are present and functioning to the extent that management has reasonable assurance that its financial statements are being prepared reliably, then internal control can be deemed effective. (Hmm, sounds a bit tautological to me….) However, it is not necessary that each component function at the highest level, and a deficiency in one component may be mitigated by another, stronger component.

Set forth below are the 20 basic principles as outlined by COSO in the executive summary as the fundamental concepts necessary to achieve effective internal control over financial reporting:

Control Environment

  1. Integrity and Ethical Values.  Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
  2. Board of Directors.  The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
  3. Management's Philosophy and Operating Style.  Management's philosophy and operating style support achieving effective internal control over financial reporting.
  4. Organizational Structure.  The company's organizational structure supports effective internal control over financial reporting.
  5. Financial Reporting Competencies.  The company retains individuals competent in financial reporting and related oversight roles.
  6. Authority and Responsibility.  Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
  7. Human Resources.  Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

  8. Financial Reporting Objectives.  Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
  9. Financial Reporting Risks.  The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
  10. Fraud Risk.  The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

  11. Integration with Risk Assessment.  Actions are taken to address risks to the achievement of financial reporting objectives.
  12. Selection and Development of Control Activities.  Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
  13. Policies and Procedures.  Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.
  14. Information Technology.  Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication

  15. Financial Reporting Information.  Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
  16. Internal Control Information.  Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
  17. Internal Communication.  Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.
  18. External Communication.  Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

  19. Ongoing and Separate Evaluations.  Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.
  20. Reporting Deficiencies.  Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.
