
Internal Control Guidance
Not Just a Small Matter
COSO's latest guidance on controls for smaller businesses fits all organizations.
by Larry E. Rittenberg, Frank Martens and Charles E. Landes
EXECUTIVE SUMMARY

In its most recent guidance for compliance with Sarbanes-Oxley section 404 requirements for smaller entities, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided principles and examples of effective internal control. Titled Internal Control Over Financial Reporting – Guidance for Smaller Public Companies, the guidance emphasizes the business function and cost-effectiveness of internal control. Although the guidance is specifically tailored to smaller public companies, it can be applied to all organizations.

Five components of COSO's control framework may be viewed as both fundamental principles and an aid to planning, evaluating and updating controls. They are risk assessment, control environment, control activities, information and communication, and monitoring.

Management can monitor controls most efficiently by integrating monitoring activity into financial reporting processes.

Principles of effective internal control should not be considered a checklist but should be implemented in accordance with managers' judgment, with a formality of structure appropriate to the size of the organization.

Larry E. Rittenberg, CPA, Ph.D., CIA, is chairman of COSO and Ernst & Young professor of accounting at the University of Wisconsin at Madison. Frank Martens, CA, is director of advisory services at PricewaterhouseCoopers LLP in Vancouver, British Columbia, and project team manager for Internal Control Over Financial Reporting – Guidance for Smaller Public Companies. Charles E. Landes, CPA, is vice president, AICPA professional standards and services, and represents the AICPA on COSO's board. Their e-mail addresses, respectively, are lrittenberg@bus.wisc.edu, frank.j.martens@ca.pwc.com and clandes@aicpa.org.
Managers of smaller businesses need to design and implement an effective system of internal control over financial reporting in a cost-beneficial way. To help achieve this, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided guidance to smaller businesses in its publication Internal Control Over Financial Reporting – Guidance for Smaller Public Companies (www.coso.org). The guidance encourages CPAs to work with organizations to implement controls that are fundamental building blocks to success. Effective internal control over financial reporting, including management's understanding, design, implementation and monitoring, should be viewed as an important business function.

Often lost in the debate over the costs associated with Sarbanes-Oxley section 404 is the significant number of smaller businesses that fail, often because they do not have good business plans or do not identify and control risks. Research shows that a strong commitment to internal control is a matter of company priority, not a matter of resources. This guidance will help CPAs in industry and in public practice. CPAs in management will find it useful in implementing and evaluating internal control. CPAs in public practice will find it useful in assessing internal control over financial reporting and identifying the types of controls typically found in smaller businesses.
Reported internal control deficiencies went down in the second year of compliance with Sarbanes-Oxley section 404 by accelerated filers. In 2005, 15.4% of reporting companies had material weaknesses of internal control. In the first quarter of 2006, that dropped to 5.6%. Source: Audit Analytics
QUALIFICATION REQUIREMENTS

The guidance is drawn from the 1992 COSO Internal Control – Integrated Framework (IC Framework), which it clarifies but does not extend or replace. Focusing on the challenges faced by smaller businesses, the guidance explicitly addresses issues related to:

  Segregating accounting duties.
  Developing effective boards and audit committees.
  Managing with wider spans of control.
  Implementing sound information technology controls.
  Documenting the design and operation of controls.

The guidance comprises three volumes, each with a distinct purpose. Volume 1 features a high-level executive summary intended for top management and boards. Volume 2 presents practical guidance with real-life examples drawn from smaller businesses. Volume 3 provides evaluation tools to help management implement and evaluate internal control over financial reporting.

A CONTINUOUS, INTEGRATED PROCESS

Maintaining effective internal control is not static. Organizations have to expect that controls will change over time as risks and processes change. The guidance recognizes that an organization should have processes to update its identification and assessment of risks as well as to monitor the continuing effectiveness of its internal control system (see "Section 404 for Small Caps," JofA, Mar. 06, page 67). The guidance is oriented toward objectives and principles. The fundamental principles are derived from the five COSO components: risk assessment, control environment, control activities, information and communication, and monitoring. Each of the principles is further described with key attributes that guide organizations in selecting the optimal control approach.
In this guidance, the traditional depiction of the internal control framework, usually shown and referred to as the "COSO Cube," is supplemented with a diagram that illustrates the logical relationship of the control framework, starting with management's objectives.

The logical interrelationship of the COSO components should help all companies plan their approaches to evaluating and updating controls. In understanding this relationship of controls and internal control components, COSO recognizes a systematic process whereby an organization:

  Specifies its financial reporting objectives (possibly influenced by regulatory requirements).
  Identifies and assesses the risks that may prevent it from achieving the desired objectives. Examples of the risks include management override, inadequate transaction processing and inappropriate accruals.
  Designs and implements a control environment that sets the tone for the organization and its commitment to financial competencies to mitigate risk.
  Designs and implements control activities (including authorizations, completeness tests and reconciliations) to further mitigate risks.
  Develops an effective information and communication process that enables relevant parties to understand their control responsibilities and ensures management receives timely and relevant reports that facilitate effective investigation and decision making.
  Monitors the effectiveness of its internal control system.

The objective of internal control over financial reporting is to achieve reliable financial reporting. Management's annual assessment of internal control effectiveness should be based in large part on the monitoring of control effectiveness. That monitoring should also incorporate a systematic process to identify emerging risks of misstatement, so that the design of the internal control system is continuously improved to mitigate new risks.
MANAGEMENT ASSESSMENT OF INTERNAL CONTROL

Many businesses have viewed the assessment of internal control over financial reporting as a separate task from managing their day-to-day activities. By allowing these two areas to converge, management will attain greater efficiencies. This may occur through greater reliance on monitoring activities within a company or through the re-engineering of current processes. Management can obtain significant efficiencies if it integrates monitoring activities across its financial reporting processes rather than thinking of its section 404 assessment as a separate process on top of the IC Framework. This may provide management with sufficient assessment evidence of whether its system of internal control is effective over time.

The COSO board and supporting task force reviewed numerous smaller companies, both public and nonpublic, for examples of good internal control. That review underscored a fundamental COSO viewpoint that management judgment is important. Management should be empowered to choose the best set of controls because it is in the best position to decide and because control needs will change over time. The guidance identifies three factors to consider when choosing a control. It should:

  Reduce risk to an acceptable level.
  Be cost-effective.
  Contribute to the effectiveness of one or more of the five components of effective internal control in the COSO Internal Control – Integrated Framework.

Volume 3 of the guidance includes templates for approaching the control decision. Many are presented in a questionnaire form and are based on the fundamental principles of control discussed in Volume 2. The templates are available, with the purchase of the guidance, as a download in Microsoft Word, so they can be tailored to each organization.
PRINCIPLES OF EFFECTIVE CONTROL

The guidance includes 20 fundamental principles of internal control directly from the Framework and related to each of the five COSO internal control components (see accompanying list). The guidance includes attributes associated with each principle. Although it draws examples from smaller businesses, the principles apply to all organizations: large or small, public or not public, government and not-for-profit.

These 20 principles should not be viewed as a checklist for designing and achieving effective internal control. Effective internal control still depends on having the five internal control components in place and operating effectively, such that a company has reasonable, not absolute, assurance that it will prevent or detect material misstatements in a timely manner.

Rather, COSO views each principle as essential to effective implementation of the related internal control component. The attributes further guide control selection by making the expected characteristics of control more specific. For example, the guidance presents three attributes associated with the principle related to integrity and ethical values. To achieve a high level of ethical behavior, the organization should:

  Articulate values in a clear statement of ethical values understood by personnel at all levels of the organization.
  Monitor adherence to principles of sound integrity and ethical values.
  Address deviation from sound integrity and ethical values promptly and appropriately.

These attributes, as well as all other principles and attributes included in the guidance, require judgments as to the most effective way to implement the controls. Thus, the control principles and attributes are designed to be scalable: less formal for smaller organizations and more formal for larger organizations, where communication is more indirect.
COSO Project

COSO has undertaken a project to identify practical, cost-effective approaches organizations may use to monitor their controls. More detail can be obtained at www.coso.org. COSO expects to issue a white paper in early 2007 that better articulates the monitoring component of internal control over financial reporting. The project will also identify best practices that companies are using or can use to develop better monitoring of their internal control effectiveness. In addition, the project will relate the monitoring component of the IC Framework to management's annual assessment and reports on internal control.

THE IMPORTANCE OF DOCUMENTATION

Many company officials would prefer to let controls operate without having to document them. Unfortunately, inadequate documentation is one reason many companies are surprised to find out their system of internal controls is not effectively designed or implemented. Documentation provides guidance for implementing controls, can serve as a basis for training new personnel in implementing them and provides evidence they have operated effectively. All controls and their operation need some documentation. When management and auditors must attest to internal control effectiveness, documentation must be more formal. It is not possible simply to rely on a statement that management performed the control. When parties have to attest to the control, there must be some evidence it was working effectively.
Stress to your clients or management team the importance of having financially literate, independent directors. The audit committee should establish its agenda thoroughly and well in advance to help management plan for its expectations. Advise managers to address a range of preventive and detective controls across the organization, such as segregating cash payments and access to inventory, purchases and fixed assets.

See Volume 2 of Internal Control Over Financial Reporting – Guidance for Smaller Public Companies for more illustrations of best practices for all 20 COSO principles.

To obtain Internal Control Over Financial Reporting – Guidance for Smaller Public Companies, go to www.coso.org/publications.htm or www.cpa2biz.com/stores/coso3. The executive summary is available as a free download. All three volumes are available from www.cpa2biz.com as a PDF file download or paperback set.
Principles of Effective Control Over Financial Reporting

Control Environment
1. Integrity and ethical values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
2. Board of directors. The board of directors understands and exercises oversight responsibility for financial reporting and related internal control.
3. Management's philosophy and operating style. Management's philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational structure. The company's organizational structure supports effective internal control over financial reporting.
5. Financial reporting competencies. The company retains individuals competent in financial reporting and related oversight roles.
6. Authority and responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
7. Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment
8. Financial reporting objectives. Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
9. Financial reporting risks. The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
10. Fraud risk. The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities
11. Integration with risk assessment. Actions are taken to address risks to the achievement of financial reporting objectives.
12. Selection and development of control activities. Control activities are selected and developed considering their cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
13. Policies and procedures. Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in the implementation of management directives.
14. Information technology. Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication
15. Financial reporting information. Pertinent information is identified, captured and used at all levels of the company and distributed in a form and time frame that supports the achievement of financial reporting objectives.
16. Internal control information. Information used to execute other control components is identified, captured and distributed in a form and time frame that enables personnel to carry out internal control responsibilities.
17. Internal communication. Communications enable and support understanding and execution of internal control objectives, processes and individual responsibilities at all levels of the organization.
18. External communication. Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring
19. Ongoing and separate evaluations. Ongoing or separate evaluations enable management to determine whether internal control over financial reporting is functioning.
20. Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to parties responsible for taking corrective action, and to management and the board as appropriate.

IMPLICATIONS FOR CPAS AS EXTERNAL AUDITORS

This guidance will be useful for external auditors in assessing the effectiveness of internal control over financial reporting. The guidance should assist both management and its auditors to move away from a "check-the-box" approach to one that focuses on accomplishing the organization's objectives through effectively addressing the 20 principles underlying the COSO IC Framework. It also offers additional perspective on approaches suitable for public companies and should encourage a healthy dialogue between management and its auditors. The dialogue between management and its auditors will lead to more creative and effective implementation of internal control in many organizations. Similarly, the principles and attributes contained in the guidance provide leadership opportunities for CPAs in management positions to focus on internal control objectives, process re-engineering and, most importantly, building effective monitoring into their control practices. As this article's title indicates, the fundamental principles of internal control are not just for small companies.

Achieving effective internal control over financial reporting is just one step to corporate success and longevity. Businesses should integrate internal control processes with a more comprehensive process of enterprise risk management to achieve broader strategic, operational, reporting and compliance objectives. Another COSO document, Enterprise Risk Management: An Integrated Approach, may also be of help.