Sox Article With Holmes Comments

In October 2005, the long-awaited draft entitled Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting was released for public comment.  The authors of the draft, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), tried to address internal controls for the small-cap companies in their 189-page manifesto.

The original COSO internal control framework, released in 1992, gained notoriety with the passage of the Sarbanes-Oxley Act of 2002.  However, the framework did not address the environment of the smaller public companies, prompting the G-men to extend the compliance date of the smaller companies to just this side of Armageddon.  This extension gave COSO additional time to address smaller companies and adapt the framework to work in the small-company environment.

But just when you thought we were all paddling in the same direction, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 which took the oars out of our hands and exposed us to the murky waters of quasi-internal controls.  The recommendations of this committee included:

  1. Exempt micro-cap companies (the bottom 1% of market capitalization, currently less than $128 million) from SOX sec 404 under certain conditions.
  2. Exempt smaller companies (the next bottom 5% of market capitalization, currently less than $787 million) from external audit requirements under SOX sec 404 under certain conditions, or at least require a more cost-effective approach to these requirements.

Due to these developments from these different agencies, “smaller company” internal control technology is left in a bog.  Where should internal control-assisting technology go from here?  Does it stay the course but lighten the load?  Does it change radically, throwing out the first two years of Sarbanes compliance?

To answer these questions, we must look at the basic fundamentals of the two reports.  To give a more balanced analysis to this comparison, I have included discussions from a CPA Sarbanes-Oxley consultant and a corporate internal-control specialist.

COSO Small-business guidance Background (COSO-SB)

The Small Business guidance (SB) uses twenty-six fundamental principles that constitute effective internal controls over financial reporting.  Even though these controls are applicable to companies of all sizes, the guidance focuses on smaller companies, which implement internal controls in a different manner and may not need such formal controls, without any decrease in their quality.

The original framework consisted of five components that intersected the three perspectives of financial reporting, operations, and compliance.  Similarly, SB identified several themes, some of which mirror the original framework.  The themes that are similar to the framework are: control environment, risks, control activities, information technology (communication), and monitoring.  SB added the focus of personal responsibility for controls that are indigenous to smaller businesses.

CPA Sarbanes-Oxley Consultant

“Really there was nothing earth-shattering about the new guidance.  Since we have been assisting companies with SOX compliance we have been using the approach suggested in the guidance when it made sense considering the structure of our client’s internal control environment, which was with substantially all of our smaller company clients.  The real challenge and big question is how will the auditors look at it, and whether or not they modify their audit approach,” started Kevin Holmes of Good, Swartz, Brown, and Berns when asked for his initial opinion about the new COSO-SB.  Kevin has spearheaded the SOX consulting practice of GSBB since the inception of the Act in 2002.  Like all reputable SOX consultants, he charted the unknown territory of compliance after Enron, balancing the needs of the Act with the preferences of the outside auditors.

Kevin explained that one aspect of the SB framework that improved the original COSO framework intent is that it demonstrated that all five internal control components should not be addressed equally.  The initial framework gave the user the impression that all components should be given equal consideration.  This impression gave the outside auditors the ammunition to focus on their comfort zone, “control activities.” (See Exhibit 1)

Auditors, by nature, have a good foundation in auditing control activities. When SOX emerged, they treaded in their familiar waters of control activities… maybe to a fault of overkill.  Thus, auditors emphasized process controls in the control activities component over all other components. (See Exhibit 2).  In fact, the PCAOB alluded to this fact in their May 16th guidelines directing auditors to use a more risk-based approach when certifying internal controls.

The new framework continued the PCAOB emphasis on a risk-based approach because smaller companies do not have the infrastructure, or need, for extensive control activities.  Many of their controls are embodied in the few high management persons who have a hands-on function in control activities.  Larger companies rely more on “process-level” controls because they are too big for upper management to authorize every transaction, vendor, and decision.  This was best shown on page 19 of the COSO-SB framework, where a graphical illustration depicted the control activities component as smaller than in the previous framework.  (See Exhibit 3)

In addition, Kevin alludes to page 125 of COSO-SB, which suggested the strength of “entity-level” controls over process-level controls.  Instead it is the “Tone at the Top” that small companies must present to their auditors in a concise format for assessment; and that just boils down to management involvement.  Secondly, management involvement is only as good as how much you can rely on it.  This top-down approach to controls will reduce the number of controls on the process level, since management’s involvement replaces the need for such controls.

Although the COSO-SB guidance is a step in the right direction, alone it may not be sufficient to facilitate the reductions smaller companies are looking for in their compliance costs, Kevin indicated.  For example, a smaller company may emphasize its management “Tone at the Top” controls over process-level controls as it assesses its ability to manage financial reporting and fraud risk, but the guidance does not suggest how the auditors can factor this into their existing audit methodologies, which tend to focus significantly on process-level controls.  Kevin believes that if smaller companies continue to be subject to the reporting requirements of Section 404, the PCAOB will have to develop a new audit standard that auditors can follow when auditing internal controls for smaller companies.  If such a new standard were developed and it clearly indicated how the auditors could evaluate and test entity-level controls in lieu of process-level controls, then some real progress could be made to reduce company compliance costs, a significant portion of which relates to fees charged by the audit firms.

Corporate Internal Control Specialist

Now that Sarbanes has affected corporate America for the foreseeable future, it remains to be seen how smaller corporate structures shall adapt. Larry Russell, the chief internal control officer of Bidz.com, Inc., has been on both sides of the table.  Prior to joining Bidz.com, Larry consulted to public companies of all sizes regarding the Sarbanes requirements. His knowledge from both an interior and exterior point of view offers a unique perspective.

Larry was encouraged by the example on page 97 that illustrates responsibilities. “I’m happy that this framework moves away from the checklist approach, and addresses internal controls from a risk-based point of view,” Larry commented. “This, of course, is the thrust of the May pronouncement.”

Larry stated that the biggest challenge for the internal controls of small structures is thus to prove that management has entity-level controls. The solution would be to independently document extemporaneous controls.

Larry cautioned that these controls are not just for “small-cap” companies, but for all companies with small internal control structures. In other words, a company like Bidz.com can be a large-cap company (greater than 75 million in market value) but have a smaller internal control environment. This smaller environment has separation-of-duties issues, but will manage its controls through greater management involvement.

Technology

The COSO-SB, the SEC Advisory, and the May PCAOB Pronouncement dictate a radical change in the technological approach to internal controls.  Currently, software companies emphasize process-level testing and controls which accommodate the preferences of the auditors.  Many of these companies succumbed to the temptation of focusing their software on a “checklist approach” now being mitigated by the PCAOB.

However, the current movement emphasizes an “entity-level” risk assessment approach that in turn dictates the proper focus on process-level controls. Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies.  Once a company’s balance sheet is analyzed from this top-down approach, a risk-based analysis at the process level can be properly performed. (See Exhibit 4).  This direction of analysis allows the internal control specialist, and ultimately the auditor, to properly judge the scope of the engagement.  To do a bottom-up analysis, as most software has adopted, only increases the likelihood that the scope of internal control testing would be too great, and ultimately the likelihood of excessive auditing costs.

After a tool has met the top-down process, then it can be mapped to internal control processes, and business cycles.  These process maps, in an attempt to provide continuing assurance, should alert the management with stop lights and alerts when these processes are materially affected.

As seen in the relative graphs, the technology for smaller-structured companies should emphasize the increased role of the Control Environment and Monitoring.  Checks and balances are performed by only a few individuals (which is their Control Environment).  The tool should also empower them with enough monitoring tools to react quickly to changes in the overall company atmosphere and to internal control inconsistencies.

Under this approach, smaller companies can afford to possess proper internal controls if technology changes its focus, direction, and control precedents while satisfying the auditor’s internal control requirements.

Some may think that this is “lightening the load” of internal controls for small businesses.  An argument can be made that the movement is really just tailoring internal controls to a different environment.  To use the original COSO framework for smaller companies would be like putting a full vest life jacket on a toddler while it was taking a bath.

But, does that mean the experience learned in the prior two years was irrelevant to the technology companies?  Absolutely not.  SOX technology metamorphosis is like looking for a light switch in the dark. Some may just feel around the wall, while others purchase expensive night-vision glasses to find the switch.  The end result is that the light is turned on, but, at what cost?  As the auditor requirements change, as outlined above, technology will meet the challenge for the small business with a less-expensive solution.

 
