Internal controls haven’t made executives at many small companies happy lately as they struggle to comply with Sarbanes-Oxley regulations.
But you wouldn’t know that from Tuesday’s quirky introduction to new guidance intended to help those smaller companies assess their controls. “People in control are happy people,” declared Dave Richards, president of the Institute of Internal Auditors, brandishing a large drawing of a smiley face.
Richards’ unusual visual aid kicked off a Tuesday webcast about new guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) aimed at smaller companies.
The guidance emphasizes a cost-effective approach to assessing internal controls over financial reporting by offering examples of different ways to comply with the existing COSO model.
The new guidance was requested by the Securities and Exchange Commission, which has heard a significant outcry from small companies and the accounting industry since the internal controls provision of Section 404 of the Sarbanes-Oxley Act became effective. For most companies, COSO’s 1992 Internal Control-Integrated Framework model has been the de facto reference guide for how best to conduct an assessment of internal controls since the law passed.
Yet smaller companies found the original COSO model a strain on their resources because it required such controls as clearly segregated job duties, controls over computer systems, and certain levels of in-house expertise for various financial processes. COSO member said they expect the guidance will help companies of all sizes, but particularly smaller companies.
It remains to be seen whether scaled guidance will help companies reduce their financial and human resource burdens in identifying, documenting, auditing, and assessing their internal controls.
“It’s guidance, it’s not a cookbook,” explained COSO chair Larry Rittenberg during the webcast. “Management must [still] make decisions on the most effective way to implement controls,” he said.
The new guidance does not change the long-standing COSO requirements, but provides examples of ways that companies can meet them with fewer resources. The approximately 180-page document, which contains three volumes, will be available online on July 12 and a print version will become available around July 23, according to Rittenberg. (See below the article, under “Related Websites” for links) The first volume, an executive summary, focuses on risk as a basis for developing internal controls and is intended for an audience of board and audit committee members and senior management. The second volume, which targets senior management, includes guidance that describes how companies can achieve cost-effective controls. The third volume, evaluation tools, provides examples of alternate ways that smaller companies can achieve compliance given their particular restraints.
At the conclusion of the webcast, Richards held up another drawing, this one of a sleepy face catching some Z’s. “If you really want to sleep at night, pay attention to internal control.”