Sox Article

In October, 2005, the long awaited draft entitled Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting was released for public comment.  The authors of the draft, the Committee of Sponsored Organizations of the Treadway Commission (COSO) tried to address internal controls for the small cap companies in their 189 page manifesto.

The original COSO internal control framework, released in 1992 gained notoriety with the passage of the Sarbanes-Oxley Act of 2002.  However, the framework did not address the environment of the smaller public companies prompting the G-men to extend the compliance date of the smaller companies to just this side of Armegedan.  This extension provided COSO the time to address smaller companies, and adapt the framework that can work in the small company environment.

The Small Business guidance (SB) uses twenty-six fundamental principles that constitute effective internal controls over financial reporting.  Even though these controls are applicable to companies of all sizes, they focused on smaller companies which implement internal controls in a different manner and may not need such formal controls and not decrease their quality.

The original framework consisted of five components that intersected the three perspectives of financial reporting, operations, and compliance.  Similarly, SB identified several themes, some which mirror the original framework.  The themes that are similar to the framework are: control environment, risks, control activities, information technology(communication), and monitoring.  SB added the focus of personal responsibility for controls that are indigent to smaller businesses.

The emphasis of this article is not to analyze the framework in less than 1,600 words; that would be inadequate, if not comical.  Instead, this article addresses the question of whether COSO achieved their goals in addressing small business controls from two different perspectives: 1) The CPA Sarbanes-Oxley consultant; and 2) The Chief Internal Control Officer of a small structured company.

CPA Sarbanes-Oxley Consultant

“Really there was nothing earth-shattering the way auditor’s look at it.” Started Kevin Holmes of Good, Schwartz, Brown, and Berns when asked for his initial opinion about the new COSO-SB.  Kevin has spearheaded the SOX consulting practice of GSBB since the inception of the Act in 2002.  Like all reputable SOX consultants, he chartered the unknown territory of compliance after Enron balancing the needs of the Act with the prejudices of the outside auditors.

One aspect that the new framework had that improved the original COSO framework is that it did not give the impression that all five internal control components should be addressed equally.  The initial framework gave the user the impression that all components should be given equal consideration.  This impression gave the outside auditors the ammunition to focus on their comfort zone, “control activities.”

Auditors, by nature, have a good foundation in auditing control activities, therefore, they treaded in their familiar waters…to a fault of overkill.  In fact, the PCOAB alluded to this fact in their May 16th guidelines directing auditors to use a more risk-based approach when certifying internal controls.

The new framework continued this emphasis of   risk-based approach because smaller companies do not have the infrastructure, or need for extensive control activities.  Many of their controls are embodied in the few high management persons who have an hands-on in control activities.  Larger companies rely more on “process-level” controls because they are too big for upper management to authorize every transaction, vendor, and decision.  This was best shown on page 19 of the framework where a graphical illustration depicts control activities a lot smaller than the previous framework that gave the impression that it was equally important as all other components. (See Exhibit 1 comparison).

In addition, Kevin points out, page 125 of COSO-SB depicts the strength of “entity –level” controls over process-level controls.  Instead it is the “Tone at the Top” that small companies must present to its auditors in a concise format for assessment; and that just boils down to management involvement.  And then secondly, management involvement is only as good as how much you rely on it.  To have it without using it is like ….

Corporate Internal Control Specialist

Now that Sarbanes has affected corporate America for the foreseeable future, it remains to be seen how smaller corporate structures shall adapt. Larry Russell, the chief Internal control officer of Bidz. Com, Inc. has been on both sides of table.  Prior to joining Bidz. Com com, Larry consulted to public companies of all sizes regarding the Sarbanes requirements. His knowledge from both an interior and exterior point of view offers a unique perspective.

 

Call Us (310) 216-7632 or

Send Message

Send Message