Our Public Companies Group experts specialize in tax services and accounting services.

 View PDF

Michael P. Kelly Manager Internal Audit Services

Joseph Christ Manager Internal Audit Services

The much-anticipated guidance on how small Public companies should implement an effective internal control framework over financial reporting as required by Sarbanes-Oxley was released by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission on July 11. The final guidance is considerably shorter and more "user friendly" than the original version of COSO.

The new guidance includes just 20 of the 26 original principals from the Internal Control - An Integrated Framework issued by the Commission in 1992. It is a scaled-down version that was designed to assist smaller public companies in implementing the Framework in order to comply with the Sarbanes-Oxley Act of 2002 (SOX). The Framework is widely accepted as the industry standard among large public companies that have had to comply with SOX regulations since the 2004 reporting year. Smaller companies, defined as those with a public float of $75 million or less, are not required to comply until fiscal years beginning after December 16, 2006. These small companies found the original Framework too cumbersome for their smaller staffs and limited resources.

The COSO guidance, however, does not define businesses as small, medium or large as do the SEC and PCAOB above. For COSO, the term "smaller" rather than "small" business suggests that there is a wide range of companies to which the guidance is directed. The focus is on businesses that have many of the following characteristics:

• Fewer lines of business and fewer products within lines.
• FewerConcentration of marketing focus, by channel or geography.
• FewerLeadership by management, with wider spans of control.
• FewerLess complex transaction processing systems and protocols.
• FewerFewer personnel, many having a wider range of duties.
• FewerLimited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing.

The new guidance is broken down into three volumes as follows:

1. Executive Summary - provides a high-level review for boards and senior management.
2. Guidance - fundamental principals drawn from the original Framework along with related attributes and approaches, and examples of how smaller businesses can apply the principals in a cost-effective way.
3. Evaluation Tools - A compendium of tools to help management evaluate internal control.

The final version provides guidance to management with respect to achieving a more efficient assessment of internal control effectiveness, while still stressing the achievement of effective internal controls based on all five COSO components. This guidance is meant to ease the burden placed on smaller companies by their external auditors who may insist on strict adherence to the expectations laid out by the PCAOB Auditing Standard No. 2. It does, however, provide advice to companies of all sizes as they work to optimize their ongoing SOX compliance investment.

The guidance maintains that this is a principals-based approach and it is up to management's discretion on how to accomplish these principals. It stresses that once a company establishes effective controls, a robust monitoring process should contribute a great deal of the evidence needed for SOX Section 404 compliance. A new feature in the final guidance is a color-coding system that matches each of five fundamental elements of internal control (Risk Assessment, Control Environment, Control Activities, Information & Communication and Monitoring) to the principles and attributes that address each of these elements.

Below are 20 basic principles outlined in the guidance as the fundamental concepts necessary in achieving effective internal control over financial reporting:

Control Environment
1. Integrity and Ethical Values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

2. Board of Directors. The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.

3. Management's Philosophy and Operating Style. Management's philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational Structure. The company's organizational structure supports effective internal control over financial reporting.

5. Financial Reporting Competencies. The company retains individuals competent in financial reporting and related oversight roles.

6. Authority and Responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

7. Human Resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment
8. Financial Reporting Objectives. Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

9. Financial Reporting Risks. The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

10. Fraud Risk. The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities
11. Integration with Risk Assessment. Actions are taken to address risks to the achievement of financial reporting objectives.

12. Selection and Development of Control Activities. Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

13. Policies and Procedures. Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

14. Information Technology. Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information And Communication
15. Financial Reporting Information. Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.

16. Internal Control Information. Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

17. Internal Communication. Communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

18. External Communication. Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring
19. Ongoing and Separate Evaluations. Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.

20. Reporting Deficiencies. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.

The methodology that Amper has developed is adaptable to both large and small companies. It is a comprehensive integrated risk-based approach that is designed to effectively and efficiently support the internal control and financial statement assertions required by Sarbanes-Oxley. It reflects our interpretation of PCAOB Standards, our experience with numerous public companies to achieve compliance and our integration of best practices and prevailing standards.

We welcome the opportunity to answer any questions you may have regarding your companies unique situation. In addition, http://www.coso.org is a valuable reference resource.