Improving Internal Control Over Financial Reporting
COSO’s Guidance Not Just for Public Companies Anymore

By Jeffrey E. Michelman and Bobby E. Waldrup

APRIL 2008 - When the Committee of Sponsoring Organizations (COSO) released its Internal Control—Integrated Framework (ICFR) in 1992, the event went largely unnoticed. The importance of this framework changed dramatically with the passage of the Sarbanes-Oxley Act of 2002 (SOX). Because SOX required all covered entities to base their assessment of internal control on a recognized framework, COSO was readily embraced. Unfortunately, smaller public and nonpublic companies have found the 1992 framework complicated to apply and to understand.

Since the application of COSO by SEC registrants that were accelerated filers in 2004, smaller publicly traded organizations have continued to argue that complying with SOX section 404 was an unfair burden. As a means for improving both the understandability and the applicability of the ICFR, COSO released Internal Control over Financial Reporting—Guidance for Smaller Public Companies (ICFR-SPC). Although the true value and utility of the ICFR-SPC for compliance with SOX section 404 will become clearer over the next several years, the authors believe that the value of the ICFR-SPC goes far beyond publicly traded companies. In particular, ICFR-SPC offers great utility to small businesses, but only if it is properly understood and applied.

ICFR-SPC offers a significant opportunity for small CPA firms to offer value-added services to existing and potential clients. This importance is illustrated in a 2005 survey by the AICPA’s Private Companies Practice Section (PCPS), which found that the number-three challenge for small CPA firms was “marketing/practice growth.” Small businesses often lack internal controls because the costs are perceived to outweigh the benefits. Yet these same organizations are often burdened by excessive regulatory costs-per-employee and higher-than-average fraud costs and occurrence of fraud. These pressures on small business are listed in Exhibit 1. Many will no doubt interpret this as more evidence of the regulatory burdens placed on small businesses, and will say that small businesses should continue to advocate for continued exemption from compliance with laws like SOX. The authors, however, believe that CPAs have failed to recognize the opportunity to provide added-value internal control services, because small businesses either do not understand the value of internal controls or are unwilling to pay for the evaluation and, ultimately, the application of internal controls. As a result, small businesses are often the organizations most susceptible to fraud.

The inability of CPAs to sell these services to small businesses has often been due to a lack of usable tools to evaluate, apply, and communicate both the importance of internal control and suggestions for its application. (The Sidebar presents a case study of an opportunity missed and the related fraud that ensued.) Unfortunately, small CPA firms often see the need for their services as solely stemming from compliance with a direct demand by an external party (i.e., the IRS or a lender). In contrast, the authors believe that the ICFR-SPC offers a powerful tool for practitioners to provide value-added services that go beyond complying with external demands and pass a cost-benefit test. Moreover, CPAs not involved in the assurance function can seize the opportunity to act as business advisor.

The original five components of internal control in the 1992 ICFR (control environment, risk assessment, control activities, information and communication, and monitoring) offered more insight into how large organizations operate than how small businesses do. In contrast, ICFR-SPC is a framework that offers a clear explanation of the five components of internal control as well as how they apply to small businesses, both for-profit and nonprofit. Because the focus of the ICFR is on financial risk, the secondary benefits to nonassurance clients are not always readily apparent.

The importance of internal control to many small businesses is characterized by 10 factors that the authors believe are particularly important for businesses to enhance their system of internal control (see Exhibit 2). While these 10 characteristics are not necessarily formal internal control threats, they can act as red flags to a CPA.

In contrast to the original ICFR, the ICFR-SPC links the components in a feedback loop, stressing the importance of internal control as a dynamic process. Although the paramount importance of internal control for public companies is to ensure the integrity of the financial reporting process, the authors think that the three secondary factors of internal control are what make them most valuable to small businesses:

  • Reliable and timely information supporting management’s decision-making on matters such as product pricing, capital investment, and resource deployment;
  • Consistent mechanisms for processing transactions across an organization, enhancing the speed at which transactions are initiated and settled, the reliability of related recordkeeping, and the ongoing integrity of data; and
  • Ability and confidence to accurately communicate business performance with business partners and customers.

The importance of these secondary characteristics of internal control can offer untapped value to small businesses. COSO believes that the 20 principles of ICFR-SPC apply to all organizations, with size or complexity affecting only the scope of implementation. In particular, of the 20 basic principles of internal control, the authors believe that CPAs should focus on the importance of 11 of these with businesses of all sizes (highlighted in Exhibit 3). The following discussion focuses on professional service organizations in particular.

Control Environment

Of the seven principles that relate to the control environment, four are pervasive across organizations of all types and sizes. Because small nonpublic companies will often have no board of directors or in-house financial reporting unit, this discussion will not address them. Furthermore, the critical aspects of management philosophy and operating style are sufficiently important for small business to be necessary parts of the first principle, integrity and ethical values. Integrity and ethical values are the basis on which the control model is built. Although CPAs cannot instantiate these traits into a client, they can help a business communicate these values to employees on a regular basis, and also remind them of these tenets if a client has “lost their way.” It is particularly important for a CPA in these situations to link their code of professional ethics with ethical business practices.

Organizational structure is often difficult for small business owners to understand, particularly if their professional training is technical. In such cases, CPAs can help a business define the administrative relationships in the organization. A logical adjunct to this process is helping a company define the authority and responsibilities of employees, especially the segregation of duties necessary under the circumstances.

In particular, human resources is one area in which many companies falter significantly. Because many professionals (e.g., attorneys and physicians) do not take courses in management, they have inadequate knowledge of hiring, training, supervision, performance evaluation, and compensation. In this regard, CPAs need to know when to provide advice and when to seek the help of human resources professionals.

Risk Assessment

Medical and legal professionals often understand and advise their clients on risk assessment, yet they often fail to adequately transfer these concepts to their own businesses. Although the risk of noncompliance with GAAP is an important concept, many small businesses use cash-basis accounting, and therefore should focus on fraud risk rather than on financial reporting objectives and risks. In this respect, a CPA has a twofold role: to understand both how the fraud triangle—opportunity, pressure, and rationalization—affects the business and how the business must pay attention to the dynamic nature of these factors in its employees. Moreover, a CPA should ensure that a client understands whatever fraud risks are unique to the industry, the location, or the broader economy.

Control Activities

Because CPAs in this context are not providing attest services, they should be particularly involved in helping clients identify control activities that facilitate integration with risk assessment. For example, CPAs can advise a small business on the choice of a service bureau to provide payroll services when the fraud-related risk of processing payroll in-house is significant. A CPA can review the service provider’s Statement on Auditing Standards (SAS) 70, Service Organizations, report, and advise the client appropriately. In small businesses, selection and development of control activities should focus on mitigating any risks of fraud that have been identified. In particular, small businesses are often unwilling or unable to implement certain types of segregation of duties. CPAs should initiate a discussion about additional outsourcing activities or increased owner involvement.

Because many small businesses do not rely on information technology (IT) controls, CPAs should advise clients of the need to integrate control activities and document them as part of their policies and procedures. Perhaps one of the greatest opportunities for CPAs is to help clients develop and maintain policies and procedures that are appropriate for the organization and are reevaluated as the organization changes. For example, as organizations move from paper to digital format for both financial and nonfinancial data, policies that deal with record maintenance are crucial. Although IT is important, the internal control application will generally be less complex, and the available off-the-shelf software is generally satisfactory. In the authors’ opinion, IT is not a significant issue for most small businesses.

Information and Communication

In a vibrant, growing organization, the owners often become increasingly removed from day-to-day administration. This sense of disconnection requires the regular communication of internal control information in the form of easily understood metrics that have been developed jointly by the client and the CPA. For example, has the mix between cash and credit sales increased the organization’s risk of theft?

An organization’s internal communication structure is often overlooked, although it is critical to the success of the internal control model. Organizations should encourage employees to communicate with management or owners when they believe that issues of efficiency and effectiveness—or, more important, fraud—have arisen. In this context, the effectiveness of the internal control model is limited by the engagement of the employees involved. Because non–publicly held organizations often do not prepare external reports, they often ignore the importance of information and communication altogether. A critical built-in control of small organizations is involvement of the owner, but as professionals focus on providing a service they become increasingly removed from the administrative and control processes.


Monitoring

Small-business professionals often overlook monitoring because internal control deficiencies do not generally have to be reported to a third party. Nevertheless, ongoing and separate evaluations are quite important for small businesses. The authors believe that a CPA should meet with clients at least once a year to discuss changes in both the internal and external environments. Although professionals understand their service delivery process, they often lose touch with administrative processes that are critical for their business’s financial health and viability. Unfortunately, too many organizations develop internal controls but never re-examine them as the organization changes. The area of monitoring is a particularly robust opportunity for CPAs to provide value-added services to clients.

Opportunity for Adding Value

CPAs without public company clients may tend to dismiss the ICFR-SPC as irrelevant. The authors encourage them to reconsider this attitude and work diligently with new or existing clients to communicate the value of these services. CPAs in small practices who do not see the benefits of this framework miss an opportunity to expand their practices. Internal control is not just about complying with SOX section 404. Rather, internal controls, when applied appropriately, help businesses of all sizes thrive and enhance competitiveness.

Jeffrey E. Michelman, PhD, CPA, CMA, is an associate professor of accounting, and Bobby E. Waldrup, PhD, CPA, is an associate dean and associate professor of accounting, both in the department of accounting and finance of the Coggin College of Business of the University of North Florida, Jacksonville, Fla.

Note: The authors would like to thank the following MBA students for their help in completing this project: Vernon Bird, Susanna Ho, Patrick Lynch, Carolyn Thurman, and Marie Wolford.





















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.