COSO's New Guidance for Smaller Organizations: A Trojan Horse?

November 2006

In June 2006, the Committee of Sponsoring Organizations (COSO) produced its eagerly anticipated guidance on internal controls for smaller organizations. The guidance was eagerly anticipated because of the high cost of compliance with Section 404 of the Sarbanes-Oxley Act of 2002, which is widely thought to be higher in percentage terms for smaller companies.

by Matthew Leitch

The Securities and Exchange Commission (SEC) had asked COSO to write new guidance to take some heat out of the smaller companies' cost issue. Despite attempts to present this guidance in a positive way, the reaction from smaller companies was not a happy one. It did not directly address their complaints about external audit fees, and some saw it as so vague that it could lead to more work rather than less.

On August 9, 2006, the SEC issued rules pushing back the Section 404 compliance date for smaller companies yet again. The accompanying press release said:

  • "The actions taken in these releases continue the Commission's efforts to be sensitive and responsive to the particular needs of smaller public companies and foreign private issuers, and to minimize the burdens that Section 404 may impose on them," said SEC Chairman Christopher Cox.

  • "By offering further relief for smaller companies and most foreign issuers, today's actions will allow time for the Commission and the PCAOB to redesign Section 404 implementation in a way that is efficient and cost effective for investors."

So, what is wrong with COSO's new guidance?

Tone and Substance

Many readers of the new guidance will have reacted to its overall tone and stance. It carefully avoids any statement that might seem like a relaxation or concession. Although it accurately lists the characteristics of smaller companies that make internal controls a different challenge, it also points out that smaller companies have certain advantages and that there are things they can do. The message is "management needs to be smarter." At times the guidance even says that one reason for the high cost of compliance is management having a bad attitude toward controls.

People do not like to be told, even in a veiled way, that they are stupid and silly. So, on that basis alone, this guidance was not going to be popular with smaller companies.

However, when we look at the substance of the document it becomes clear that, like the original COSO internal controls framework, it is too vague to define a standard of control and, worse still, it contains material that may well be taken up by auditors and used to pad out their checklists even further.

Vague as to Extent

Suppose you gave someone the job of defining when a piece of string is "long," and after a while they came back with this definition: "When a piece of string is measured from end to end and its length is found to be sufficient, then it is a long piece of string." Has "long" been defined? No, of course not. A crucial piece of information is missing. Nothing has been said about the qualifying length. How long is "long"?

Both COSO's 1992 internal controls framework and the new guidance for smaller companies fail to be specific as to extent. Despite thousands of words which are widely believed to define an effective control system, these documents provide no definition of effectiveness at all.

Take this overall statement on effectiveness from the new guidance: "When the five components are present and functioning, to the extent that management has reasonable assurance that financial statements are being prepared reliably, internal control can be deemed effective." This definition is just like the pseudo definition of long string given above.

All the detailed principles stated in the new guidance are vague as to extent, though in different ways. For example:

  • 13. Policies and procedures—Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

This is vague on extent in several ways:

  • At least how many policies, covering how much of financial reporting, and in how much detail?

  • Communicated to how many people, in which roles? Surely not everyone needs to know, so who does?

  • Surely no procedure can guarantee that all directives relating to reliable financial reporting are carried out every time, so presumably 100 percent compliance is not expected. What level of compliance is expected?

You can do the same with all the other principles. Consequently, even if COSO had wanted to relax the requirements on smaller companies in some way, it could not have done so. You can't lower the bar if it hasn't been set.

Examples of Controls in Smaller Companies

The COSO guidance tries to help by providing examples of controls used successfully by smaller companies. Unfortunately, it also avoids defining "smaller" in such a way that a company can decide if it is smaller or not, or indeed just how small it is. For the examples to work, the size of the companies needs to be related to the control techniques used.

A Trojan Horse

If the new COSO guidance simply failed to change the requirements on smaller companies and failed to provide guidance that was calibrated with size, then that would be disappointing but not a step backwards. Unfortunately, the guidance does three things that could make things much worse for smaller companies, and for larger ones too.

First, it provides a list of principles on top of statements made previously in COSO documents. Second, it creates a conceptual bridge between the internal controls framework and COSO's enterprise risk management (ERM) framework. And third, it steers people toward a more abstract view of control systems. All of these push more work toward professional auditors and especially toward external auditors.

The Principles

Additional guidance almost never results in reduced audit costs. New guidance just adds to the existing guidance, usually piling on more detail. This detail gets added to checklists and "points of focus" used by auditors, and the usual result is to increase the complexity of the audit and raise the standard of control expected. This is the danger of the principles listed in COSO's new guidance for smaller companies.

Doug Prawitt, Professor of Accounting at Brigham Young University, and a member of the core guidance group that produced the guidance, said last week at a conference that when he stated in public that he thought the new material would be useful to large companies too, SEC representatives were unhappy. Perhaps they recognized the dangers in the principles list.

Link to COSO ERM

The conceptual bridge between the internal controls framework and ERM framework comes in the shape of a diagram in which the five elements are transformed from the old triangle shape into a cycle based on a typical risk management process.

COSO's ERM framework has not been taken up with enthusiasm since its release and one reason is probably fear that it will become the basis of a new and more complicated Section 404 evaluation model. In "Why the COSO Frameworks Need Improvement," I listed a number of other problems with the ERM framework.

A More Abstract Approach

The third danger within the new guidance is its steer toward organizing the evaluation of effectiveness according to the five elements. The problem is that not many people feel confident that they understand what all the five elements mean. We might be comfortable with "control activities" and perhaps even "monitoring," but what exactly are the boundaries of "Information and Communication" for example?

Lacking confidence, people will defer to others they assume must know what it all means—auditors. Ultimately, if you don't know what to do, the safest strategy for compliance is to combine overkill with doing whatever your external auditors seem to want.

Summary

COSO's guidance for smaller companies is not a step forward and may prove to be a big step backward. It is vague as to extent on every principle, and shifts power toward external auditors instead of away from them. Let us hope that the extra time allowed by the SEC leads to a better answer.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.