Guidance for Smaller Public Companies Reporting on Internal Controls
An Overview and Assessment of the COSO Exposure Draft
By David R. Campbell and Mary V. Campbell
SEPTEMBER 2006
Since the passage of the Sarbanes-Oxley Act of 2002
(SOX), there has been an increased focus on the control environment
over financial reporting. SOX section 404 requires management
to evaluate internal controls over financial reporting and
report on their effectiveness. Large public companies have
been using the Committee of Sponsoring Organizations (COSO)
framework, issued in 1992, to assess the effectiveness of
their controls; however, due to concerns over the cost and
complexity of compliance for smaller public companies (SPC),
the deadline for these companies (nonaccelerated filers) has
been extended to fiscal years ending after July 2007. Additional
uncertainty regarding the timing and applicability of section
404 to SPCs surfaced recently when an SEC advisory panel recommended
exempting a significant proportion of these companies from
section 404 compliance based upon market capitalization. While
some SPCs will wait to see what legislation requires before
looking at internal controls, other SPCs, not-for-profits,
and educational institutions are moving forward even without
legislative requirements and can use additional guidance.
As a result of the implementation concerns for SPCs, and of questions
about the appropriateness of its framework for them, COSO issued an exposure
draft (ED) in October 2005 intended to provide important
guidance to SPCs when assessing the effectiveness of their
internal controls over financial reporting. Analyzing responses
to the ED reveals a concern that one of the most significant
issues facing section 404 compliance by SPCs, cost-effective
implementation, had not been addressed and that the ED lacked
specific applicability to the smallest of SPCs. This article
provides an overview of the ED and highlights the major
concerns raised by 176 respondents, covering a broad spectrum
of interested parties, including the AICPA, PCAOB, state
CPA societies, CPA firms, the Financial Executives International
(FEI), the Institute of Management Accountants (IMA), and
various trade associations.
Exposure Draft Overview
An issue that concerned many respondents was that COSO did
not define a small business in discrete quantitative terms.
Instead, the ED’s definition was broad, because the
guidance was intended for private companies and not-for-profits
that may wish to strengthen their controls over financial
reporting, as well as for SPCs. To meet this broader objective,
the definition of small was based on qualitative characteristics
such as:
- Simple product lines and processing requirements;
- A small group of owners who manage the business;
- A wider span of management control;
- A variable cost basis for the acquisition of services;
- Operating size; and
- Defined geographic boundaries.
The ED noted the following special challenges that small businesses
face regarding internal controls:
- Adequate segregation of duties;
- Increased opportunity for management override of controls;
- Attracting an adequate pool of independent outside parties to serve on the board;
- Obtaining adequate internal accounting resources; and
- Controls over information technology.
The ED addressed other implementation differences between large
and small companies, including how small businesses may
need to focus more attention on monitoring actions as opposed
to stipulating specific control activities, which would
require more formal documentation. The ED also stressed
the importance of a “risk lens” through which
to view the company’s control environment. This last
point is especially important, because accelerated filers,
most of whom only recently adopted a risk-based approach,
have found this to be an effective way of reducing costs
and ensuring value delivered for each dollar spent.
While most respondents agreed that the ED addressed key issues
and added value in many areas of SOX implementation, various
stakeholders raised significant issues. The vast majority
of respondents seriously questioned the ability of SPCs
to achieve substantial cost reduction through the guidance
provided. They stated that the delicate balance between
formal and informal controls existing in SPCs was not adequately
recognized and that many of the examples provided were not
realistic for most small and medium-sized SPCs. Suggested
solutions to improve the overall guidance from a small business
perspective included the following:
- Defining SPCs in an internal-control context or based on a factor such as market capitalization;
- Providing guidance on measuring the effectiveness of the “tone at the top” of SPCs;
- Focusing on the development of a top-down approach to internal controls that would provide an illustrated project plan for the evaluation and documentation of internal controls for SPCs;
- Focusing on risks unique to small companies and how professional judgment must be applied to individual company circumstances when designing internal controls (e.g., specific challenges related to segregation of duties, financial reporting expertise, independence of board members, risk of management override); and
- Expanding the emphasis on the unique IT risks facing SPCs.
This last item, the unique IT issues faced by SPCs, was raised
by many respondents. Concerns included the inability to
separate IT controls within many SPC environments; the use
of standardized software packages by many SPCs, with a lack
of documentation for modifications; the need for IT involvement
in the SOX process in the planning stages for testing controls
over financial reporting; and the overall lack of IT expertise
within many SPCs. Among respondents’ suggested solutions
were the inclusion of increased guidance on the development
of appropriate criteria for assessing IT in an SPC environment,
and the inclusion on SPC boards of individuals with IT expertise
who understand IT and related controls.
Building on the Original Framework
The 1992 COSO framework included the following components:
Control environment. The core of any business is its
people—their individual attributes, including integrity,
ethical values, and competence—and the environment
in which they operate. They are the engine that drives the
entity, and the foundation on which everything rests.
Risk assessment. The entity must be aware of and
deal with the risks it faces. It must set objectives, integrated
with sales, production, marketing, financial, and other
activities, so that the organization is operating in concert.
It also must establish mechanisms to identify, analyze,
and manage the related risks.
Control activities. The entity must establish and
implement control policies and procedures to ensure that
the actions identified by management as necessary to address
risks to achieving the entity’s objectives are effectively
carried out.
Information and communication. Surrounding the control
activities are the information and communication systems.
These enable an entity to capture and exchange the information
needed to conduct, manage, and control its operations.
Monitoring. The entire process must be monitored, and
modifications made as necessary. In this way, the system
can react dynamically, changing as conditions warrant.
The ED emphasized that the original framework components continued
to be the foundation for assessing controls by all entities;
however, a new area of “Roles and Responsibilities,”
highlighting the importance of management, the board, and
the entire staff in establishing a high-quality internal
control framework for the enterprise, was unique for SPCs
and deserved special emphasis. Many respondents believed
that this additional guidance only complemented components
of the original framework and that these additions could
have been easily integrated within the “Information
and Communication” or “Monitoring” components
of the 1992 framework. Thus, although COSO stated that the original
framework had not been modified, the addition of a separate
“Roles and Responsibilities” component led readers to sense
that the framework had been reworked; respondents therefore suggested
that this material be integrated into the components of the existing
1992 framework.
New Underlying Principles
The major new guidance featured in the ED was the inclusion
of 26 principles that represented the “fundamental
concepts associated with each internal control component”
within the original framework that were intended to guide
a company in assessing whether it has established effective
controls over financial reporting. Many respondents viewed
these new principles as effectively defining the components
of a good system of internal controls—something that
companies and their auditors may use as a checklist during
the documenting and testing of control effectiveness, rather
than guidelines that would require individualized SPC interpretation.
In addition, many respondents thought that applying these
26 principles would be time-consuming and would not simplify
the framework’s implementation for SPCs.
Respondents to the ED suggested the following solutions:
- Emphasizing that, although the principles may be helpful, they do not replace the original framework, they may not be present in all cases, they are not equally important, and they should not be viewed as a roadmap to effective internal controls.
- Consolidating the principles where they are redundant (e.g., consolidating principles 1, 3, and 17; and combining 6, 24, 25, and 26).
The Exhibit lists all 26 principles, along with the framework component
to which each one relates. Notice the addition of the “Roles
and Responsibilities” component to the original framework.
Attributes, Approaches, and Examples
Each principle was followed by additional guidance in the form
of 105 attributes, with accompanying approaches and examples
intended to illustrate aspects of the 26 principles. For those
unfamiliar with the internal control framework and the principles,
these attributes would provide too much detail to handle;
the important consideration is adherence to the basic principle,
not to a checklist of attributes. Nevertheless, respondents
noted that the 105 attributes may become expected for all
SPCs, and auditors would gravitate to these as benchmarks
rather than as guidance. In fact, many respondents thought
that these attributes would not be realistic for SPCs, and
that it should be made clear that specific attributes, approaches,
and examples are neither all-inclusive nor mandatory.
The proposed approaches and examples were intended to provide
specific illustrations of how small private and public companies
have actually applied principles and attributes to create
an effective system of internal controls. As noted previously,
however, many respondents felt that the approaches and examples
provided would not be applicable to the broad spectrum of
SPCs.
Risk Matrices and Templates
The ED also provided several detailed risk matrices that complemented
the templates at the end of the ED. The ED included
a risk identification and analysis matrix for significant
accounts, as well as additional matrices to map account
risk analysis to business processes and to map critical
business processes to critical application and support infrastructure.
These matrices may be particularly valuable at the beginning
of the internal-control assessment process, because the
assessment of risk is a major consideration in achieving
a cost-effective approach for SPCs. Many respondents, however,
thought that the illustrations, matrices, and templates
were too high-end and that many SPCs would not find them
transferable to their environments.
COSO Should Respond
The tone and intensity of the responses to the ED suggest that
many respondents believed COSO’s guidance would not help address
the compliance issues facing SPCs. In the minds of many, it would
tend to bring less clarity to the process.
In the authors’ judgment, the issues raised about the
ED were so pervasive that COSO will need to readdress the
broad spectrum of issues raised by the responses before
reissuing guidance specifically intended for SPCs. In the
interim, the ED provided additional insight into the SOX
compliance process—insight that firms and their auditors,
large and small, should consider in the course of their
ongoing SOX compliance efforts.
David R. Campbell, PhD, CPA, is a professor of accountancy
and head of the department of accounting and taxation at Drexel
University, Philadelphia, Penn. He can be contacted at davidcampbell@drexel.edu.
Mary Campbell is an independent consultant who assists
companies with the implementation of strategic initiatives.
She can be contacted at mcampbell869@yahoo.com.