COSO's New Guidance for Smaller Organizations: A Trojan Horse?
by Matthew Leitch
November 2006
In June 2006, the Committee of Sponsoring Organizations (COSO) produced its eagerly anticipated guidance on internal controls for smaller organizations. The guidance was eagerly anticipated because of the high cost of compliance with Section 404 of the Sarbanes-Oxley Act of 2002, which is widely thought to be higher in percentage terms for smaller companies.
The Securities and Exchange Commission (SEC) had asked COSO to write new
guidance to take some heat out of the smaller companies' cost issue. Despite
attempts to present this guidance in a positive way, the reaction from smaller
companies was not a happy one. It did not directly address their complaints
about external audit fees, and some saw it as so vague that it could lead to
more work rather than less.
On August 9, 2006, the SEC issued rules pushing back the Section 404 compliance
date for smaller companies yet again. The accompanying press release said:
"The actions taken in these releases continue the Commission's efforts
to be sensitive and responsive to the particular needs of smaller public
companies and foreign private issuers, and to minimize the burdens that
Section 404 may impose on them," said SEC Chairman Christopher Cox.
"By offering further relief for smaller companies and most foreign issuers,
today's actions will allow time for the Commission and the PCAOB to redesign
Section 404 implementation in a way that is efficient and cost effective
for investors."
So, what is wrong with COSO's new guidance?
Tone and Substance
Many readers of the new guidance will have reacted to its overall tone and
stance. It carefully avoids any statements that might seem like a relaxation
or concession. Although it accurately lists the characteristics of smaller companies
that make internal controls a different challenge, it also points out that smaller
companies have certain advantages and that there are things they can do. The message
is "management needs to be smarter." At times the guidance even says that one
reason for high costs of compliance is management having a bad attitude to controls.
People do not like to be told, even in a veiled way, that they are stupid
and silly. So, on that basis alone, this guidance was not going to be popular
with smaller companies.
However, when we look at the substance of the document it becomes clear that,
like the original COSO internal controls framework, it is too vague to define
a standard of control and, worse still, it contains material that may well be
taken up by auditors and used to pad out their checklists even further.
Vague as to Extent
Suppose you gave someone the job of defining when a piece of string is "long,"
and after a while they came back with this definition: "When a piece of string
is measured from end to end and its length is found to be sufficient, then it
is a long piece of string." Has "long" been defined? No, of course not. A crucial
piece of information is missing. Nothing has been said about the qualifying length. How long is "long?"
Both COSO's 1992 internal controls framework and the new guidance for smaller
companies fail to be specific as to extent. Despite thousands of words which
are widely believed to define an effective control system, these documents provide
no definition of effectiveness at all.
Take this overall statement on effectiveness from the new guidance: "When
the five components are present and functioning, to the extent that management
has reasonable assurance that financial statements are being prepared reliably,
internal control can be deemed effective." This definition is just like the
pseudo definition of long string given above.
All the detailed principles stated in the new guidance are vague as to extent,
though in different ways. For example:
- 13. Policies and procedures—Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.
This is vague on extent in several ways:
- At least how many policies, covering how much of financial reporting, and in how much detail?
- Communicated to how many people, in which roles? Surely not everyone needs to know, so who does?
- Surely no procedure can guarantee that all directives relating to reliable financial reporting are carried out every time, so presumably 100 percent compliance is not expected. What level of compliance is expected?
You can do the same with all the other principles. Consequently, even if
COSO had wanted to relax the requirements on smaller companies in some way, it
could not have done so. You can't lower the bar if it hasn't been set.
Examples of Controls in Smaller Companies
The COSO guidance tries to help by providing examples of controls used successfully
by smaller companies. Unfortunately, it also avoids defining "smaller" in such
a way that a company can decide if it is smaller or not, or indeed just how
small it is. For the examples to work, the size of the companies needs to be
related to the control techniques used.
A Trojan Horse
If the new COSO guidance simply failed to change the requirements on smaller
companies and failed to provide guidance that was calibrated with size, then
that would be disappointing but not a step backwards. Unfortunately, the guidance
does three things that could make things much worse for smaller companies, and
for larger ones too.
First, it provides a list of principles on top of statements made previously
in COSO documents. Second, it creates a conceptual bridge between the internal
controls framework and COSO's enterprise risk management (ERM) framework. And
third, it steers people toward a more abstract view of control systems. All
of these push more work toward professional auditors and especially toward external
auditors.
The Principles
Additional guidance almost never results in reduced audit costs. New guidance
just adds to the existing guidance, usually piling on more detail. This detail
gets added to checklists and "points of focus" used by auditors, and the usual
result is to increase the complexity of the audit and raise the standard of
control expected. This is the danger of the principles listed in COSO's new
guidance for smaller companies.
Doug Prawitt, Professor of Accounting at Brigham Young University, and a
member of the core guidance group that produced the guidance, said last week
at a conference that when he stated in public that he thought the new material
would be useful to large companies too, SEC representatives were unhappy. Perhaps
they recognized the dangers in the principles list.
Link to COSO ERM
The conceptual bridge between the internal controls framework and ERM framework
comes in the shape of a diagram in which the five elements are transformed from
the old triangle shape into a cycle based on a typical risk management process.
COSO's ERM framework has not been taken up with enthusiasm since its release,
and one reason is probably fear that it will become the basis of a new and more
complicated Section 404 evaluation model. In "Why the COSO Frameworks Need
Improvement," I listed a number of other problems with the ERM framework.
A More Abstract Approach
The third danger within the new guidance is its steer toward organizing the
evaluation of effectiveness according to the five elements. The problem is that
not many people feel confident that they understand what all the five elements
mean. We might be comfortable with "control activities" and perhaps even "monitoring,"
but what exactly are the boundaries of "Information and Communication" for example?
Lacking confidence, people will defer to others they assume must know what
it all means—auditors. Ultimately, if you don't know what to do, the safest
strategy for compliance is to combine overkill with doing whatever your external
auditors seem to want.
Summary
COSO's guidance for smaller companies is not a step forward and may prove
to be a big step backward. It is vague as to extent on every principle, and
shifts power toward external auditors instead of away from them. Let us hope
that the extra time allowed by the SEC leads to a better answer.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.