Internal Control Guidance For Small Companies
By: Ira R. Halperin
On July 30, 2002, President Bush signed into law the Sarbanes Oxley Act of 2002 (“SOX”). Rule 404 of SOX requires public companies to annually provide investors with an assessment of the quality of their internal control over financial reporting. Accelerated filers, typically large public companies, were required to comply with the requirements of Rule 404 for their first fiscal year ending on or after November 15, 2004. Smaller public companies, as non-accelerated filers, are required to comply with the requirements in their first fiscal year ending on or after July 15, 2007.
Much has been written about the tremendous cost, both in out-of-pocket expenses and in the diversion of management’s time and energies, that large companies have incurred in complying with these requirements. This has created much concern about the ability of smaller companies, which typically have significantly fewer financial and management resources, to comply, and about the resulting impact on their businesses. In this regard, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) has recently taken a step to aid these filers in meeting their obligations under Rule 404.
In 1992, COSO published Internal Control – Integrated Framework (the “Framework”), a multi-volume report establishing a common definition of internal control. The Framework provides a means for organizations to assess and improve their control systems. The Framework has been widely accepted as the internal control standard for public companies and auditors trying to comply with SOX. However, after a flood of complaints that the Framework was not well suited for smaller companies, in January 2005 COSO initiated a project designed to provide guidance for implementation by these organizations.(1)
In late October 2005, COSO released its exposure draft. In it COSO indicated that while there are some differences in approach, many of the techniques and concepts of good control are the same whether dealing with a large company or a small company. The exposure draft is intended to explain how smaller companies can achieve effective internal controls in a more efficient manner.
The exposure draft is not a checklist and does not suggest that the same set of controls must be implemented in every company or even would work for every company. However, the draft proposes twenty-six fundamental principles, derived from the five sections of the Framework (control environment, risk assessment, control activities, information and communication, and monitoring) that smaller companies should address in enacting an effective internal control system over financial reporting. The guidance includes examples of approaches that other companies have taken to incorporate the principles. COSO suggests that company management review the various approaches and consider the cost effectiveness of each to their organization.
COSO emphasizes that each individual company should determine the most appropriate and feasible methods for accomplishing each of the twenty-six fundamental principles. When a certain principle is not being met it should be discussed with top management and the company’s board of directors to decide if the internal control implemented is effective. Achievement of these principles demonstrates that controls are in place throughout the company.
While the COSO report will not alleviate the Rule 404 compliance burden on small companies, it will at least provide guidance and a better understanding of the various approaches that these companies may consider. COSO is seeking comments on the exposure draft through the end of the year and hopes to issue final guidance during the first quarter of 2006.
The basic principles are:
Section 1 – CONTROL ENVIRONMENT
- Integrity and Ethical Values;
- Importance of Board of Directors;
- Management’s Philosophy and Operating Style;
- Organizational Structure;
- Commitment to Financial Reporting Competencies;
- Authority and Responsibility;
- Human Resources;
Section 2 – RISK ASSESSMENT
- Importance of Financial Reporting Objectives;
- Identification and Analysis of Financial Reporting Risks;
- Assessment of Fraud Risk;
Section 3 – CONTROL ACTIVITIES
- Elements of Control Activity;
- Control Activities Linked to Risk Assessment;
- Selection and Development of Control Activities;
- Information Technology;
Section 4 – INFORMATION AND COMMUNICATION
- Information Needs;
- Information Control;
- Management Communication;
- Upstream Communication;
- Board Communication;
- Communication with Outside Parties;
Section 5 – MONITORING
- Ongoing Monitoring;
- Separate Evaluations;
- Reporting Deficiencies;
Three additional principles have been identified by COSO relating to the roles that different parties play in internal control. The roles and responsibilities are taken directly from the 1992 guidance.
Section 6 – ROLES AND RESPONSIBILITIES
- Management Roles;
- Board and Audit Committee Roles;
- Other Personnel.