In June 2006, the Committee of Sponsoring Organizations (COSO) produced its eagerly anticipated guidance on internal controls for smaller organizations. The guidance was eagerly anticipated because of the high cost of compliance with Section 404 of the Sarbanes-Oxley Act of 2002, which is widely thought to be higher in percentage terms for smaller companies.
The Securities and Exchange Commission (SEC) had asked COSO to write new guidance to take some heat out of the smaller companies' cost issue. Despite attempts to present this guidance in a positive way, the reaction from smaller companies was not a happy one. It did not directly address their complaints about external audit fees, and some saw it as so vague that it could lead to more work rather than less.
On August 9, 2006, the SEC issued rules pushing back the Section 404 compliance date for smaller companies yet again. The accompanying press release said:
So, what is wrong with COSO's new guidance?
Many readers of the new guidance will have reacted to its overall tone and stance. It carefully avoids any statements that might seem like a relaxation or concession. Although it accurately lists the characteristics of smaller companies that make internal controls a different challenge, it also points out that smaller companies have certain advantages and there are things they can do. The message is "management needs to be smarter." At times the guidance even says that one reason for high costs of compliance is management having a bad attitude toward controls.
People do not like to be told, even in a veiled way, that they are stupid and silly. So, on that basis alone, this guidance was not going to be popular with smaller companies.
However, when we look at the substance of the document it becomes clear that, like the original COSO internal controls framework, it is too vague to define a standard of control and, worse still, it contains material that may well be taken up by auditors and used to pad out their checklists even further.
Suppose you gave someone the job of defining when a piece of string is "long," and after a while they came back with this definition: "When a piece of string is measured from end to end and its length is found to be sufficient, then it is a long piece of string." Has "long" been defined? No, of course not. A crucial piece of information is missing. Nothing has been said about the qualifying length. How long is "long?"
Both COSO's 1992 internal controls framework and the new guidance for smaller companies fail to be specific as to extent. Despite thousands of words that are widely believed to define an effective control system, these documents provide no definition of effectiveness at all.
Take this overall statement on effectiveness from the new guidance: "When the five components are present and functioning, to the extent that management has reasonable assurance that financial statements are being prepared reliably, internal control can be deemed effective." This definition is just like the pseudo definition of long string given above.
All the detailed principles stated in the new guidance are vague as to extent, though in different ways. For example:
13. Policies and procedures—Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.
This is vague on extent in several ways:
You can do the same with all the other principles. Consequently, even if COSO had wanted to relax the requirements on smaller companies in some way they could not have done. You can't lower the bar if it hasn't been set.
The COSO guidance tries to help by providing examples of controls used successfully by smaller companies. Unfortunately, it also avoids defining "smaller" in such a way that a company can decide if it is smaller or not, or indeed just how small it is. For the examples to work, the size of the companies needs to be related to the control techniques used.
If the new COSO guidance simply failed to change the requirements on smaller companies and failed to provide guidance that was calibrated with size, then that would be disappointing but not a step backwards. Unfortunately, the guidance does three things that could make things much worse for smaller companies, and for larger ones too.
First, it provides a list of principles on top of statements made previously in COSO documents. Second, it creates a conceptual bridge between the internal controls framework and COSO's enterprise risk management (ERM) framework. And third, it steers people toward a more abstract view of control systems. All of these push more work toward professional auditors and especially toward external auditors.
Additional guidance almost never results in reduced audit costs. New guidance just adds to the existing guidance, usually piling on more detail. This detail gets added to checklists and "points of focus" used by auditors, and the usual result is to increase the complexity of the audit and raise the standard of control expected. This is the danger of the principles listed in COSO's new guidance for smaller companies.
Doug Prawitt, Professor of Accounting at Brigham Young University, and a member of the core guidance group that produced the guidance, said last week at a conference that when he stated in public that he thought the new material would be useful to large companies too, SEC representatives were unhappy. Perhaps they recognized the dangers in the principles list.
The conceptual bridge between the internal controls framework and ERM framework comes in the shape of a diagram in which the five elements are transformed from the old triangle shape into a cycle based on a typical risk management process.
COSO's ERM framework has not been taken up with enthusiasm since its release and one reason is probably fear that it will become the basis of a new and more complicated Section 404 evaluation model. In "Why the COSO Frameworks Need Improvement," I listed a number of other problems with the ERM framework.
The third danger within the new guidance is its steer toward organizing the evaluation of effectiveness according to the five elements. The problem is that not many people feel confident that they understand what all the five elements mean. We might be comfortable with "control activities" and perhaps even "monitoring," but what exactly are the boundaries of "Information and Communication" for example?
Lacking confidence, people will defer to others they assume must know what it all means—auditors. Ultimately, if you don't know what to do, the safest strategy for compliance is to combine overkill with doing whatever your external auditors seem to want.
COSO's guidance for smaller companies is not a step forward and may prove to be a big step backward. It is vague as to extent on every principle, and shifts power toward external auditors instead of away from them. Let us hope that the extra time allowed by the SEC leads to a better answer.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.