
 

(taken from the Sept/Oct 2006 issue of On Balance magazine)

COSO provides small business guidance

By Larry E. Rittenberg, CPA, Ph.D.

On July 11, 2006, COSO introduced its new publication, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. This article provides an overview of the guidance and its relevance to Wisconsin CPAs. The guidance is published in three volumes and is available on the Web site at www.coso.org.

KEY DECISIONS IN DEVELOPING GUIDANCE

COSO has studied internal control and risk management for more than 20 years. The resulting research points to two firm conclusions: (a) good internal control is an integral part of successful organizations and (b) all organizations can achieve effective internal control. A commitment to good internal control is a matter of company priority, not a matter of resources. In developing the guidance, COSO maintained a principles-based approach that recognizes the importance of management judgment and unique characteristics of each organization.

EFFECTIVE INTERNAL CONTROL IS A CONTINUOUS PROCESS

Effective internal control is not a static process. Rather, it is a process that is achieved on a constant basis as companies continually refine their reporting objectives, increase their understanding of risks to the achievement of those objectives, and implement controls to reduce those risks to an acceptable level.

An overview of the continuous nature of internal control is shown below in Figure 1.

The guidance lays out the logical relationship of the COSO Framework and supplements the traditional "COSO Cube" that portrays the integrated nature of internal control. An organization:

• Specifies its financial reporting objectives.

• Identifies and assesses the risks affecting the achievement of the objectives.

• Designs and implements a control environment.

• Designs and implements specific control activities.

• Develops an effective information and communication process.

• Monitors the effectiveness of its control implementation.

PRINCIPLES AND ATTRIBUTES OF EFFECTIVE INTERNAL CONTROL

The task force developed 20 fundamental principles of internal control derived directly from the COSO Framework. For each of the fundamental principles, COSO identified specific attributes that would normally be present in achieving the principle. These principles are shown in Figure 2.

Figure 2

Control Environment

  1. Integrity and Ethical Values – Sound integrity and ethical values, particularly of top management, are developed and understood. They set the standard of conduct for financial reporting.

  2. Board of Directors – The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.

  3. Management’s Philosophy and Operating Style – Management’s philosophy and operating style support achieving effective internal control over financial reporting.

  4. Organizational Structure – The company’s organizational structure supports effective internal control over financial reporting.

  5. Financial Reporting Competencies – The company retains individuals competent in financial reporting and related oversight roles.

  6. Authority and Responsibility – Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

  7. Human Resources – Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

  1. Financial Reporting Objectives – Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

  2. Financial Reporting Risks – The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

  3. Fraud Risk – The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

  1. Integration with Risk Assessment – Actions are taken to address risks to the achievement of financial reporting objectives.

  2. Selection and Development of Control Activities – Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

  3. Policies and Procedures – Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

  4. Information Technology – Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication

  1. Financial Reporting Information – Pertinent information is identified, captured, used at all levels of the company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.

  2. Internal Control Information – Information used to execute other control components is identified, captured and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

  3. Internal Communication – Communications enable and support understanding and execution of internal control objectives, processes and individual responsibilities at all levels of the organization.

  4. External Communication – Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

  1. Ongoing and Separate Evaluations – Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.

  2. Reporting Deficiencies – Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.

Each principle should be achieved if the organization is going to accomplish its control objectives. The principles lead to specific attributes, which further guide management in designing and implementing effective internal control. For example, the first principle, regarding Integrity and Ethical Values, is shown below.

Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

Attributes of the principle:

• Articulates values

• Monitors adherence

• Addresses deviations

The control principles and the attributes are designed to be scalable to the size and nature of the organization.

CONCERNS OF SMALLER BUSINESSES

The guidance addresses specific challenges faced by smaller businesses, including the risk of management override, segregation of duties, information technology for smaller businesses, attracting effective board and audit committee members, and the extent of documentation needed. Finally, COSO believes that the guidance provided in the report will be very useful to other organizations.

LOOKING FORWARD

COSO is committed to strengthening governance, risk and control processes in organizations. It will continue to support research related to mitigating the extent of fraudulent financial reporting. We encourage all readers to examine the guidance and determine its applicability to their organizations.
