
Internal control guidance: not just a small matter.


EXECUTIVE SUMMARY

* In its most recent guidance for compliance with Sarbanes-Oxley section 404 requirements for smaller entities, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided principles and examples of effective internal control. Titled Internal Control Over Financial Reporting--Guidance for Smaller Public Companies, the guidance emphasizes the business function and cost-effectiveness of internal control. Although the guidance is specifically tailored to smaller public companies, it can be applied to all organizations.

* Five components of COSO's control framework may be viewed as both fundamental principles and an aid to planning, evaluating and updating controls. They are risk assessment, control environment, control activities, information and communication, and monitoring.

* Management can monitor controls most efficiently by integrating monitoring activity into financial reporting processes. Principles of effective internal control should not be considered a checklist but should be implemented in accordance with managers' judgment, with a formality of structure appropriate to the size of the organization.

**********

COSO's latest guidance on controls for smaller businesses fits all organizations.

Managers of smaller businesses need to design and implement an effective system of internal control over financial reporting in a cost-beneficial way. To help achieve this, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided guidance to smaller businesses in its publication Internal Control Over Financial Reporting--Guidance for Smaller Public Companies (www.coso.org). The guidance encourages CPAs to work with organizations to implement controls that are fundamental building blocks to success. Effective internal control over financial reporting, including management's understanding, design, implementation and monitoring, should be viewed as an important business function.

Often lost in the debate over the costs associated with Sarbanes-Oxley section 404 is the significant number of smaller businesses that fail, often because they do not have good business plans or do not identify and control risks. Research shows that a strong commitment to internal control is a matter of company priority, not a matter of resources. This guidance will help CPAs in industry and in public practice. CPAs in management will find it useful in implementing and evaluating internal control. CPAs in public practice will find it useful in assessing internal control over financial reporting and identifying the types of controls typically found in smaller businesses.

The guidance is drawn from the 1992 COSO Internal Control--Integrated Framework (IC Framework), which it clarifies but does not extend or replace. Focusing on the challenges faced by smaller businesses, the guidance explicitly addresses issues related to:

* Segregating accounting duties.

* Developing effective boards and audit committees.

* Managing with wider spans of control.

* Implementing sound information technology controls.

* Documenting the design and operation of controls.

The guidance comprises three volumes, each with a distinct purpose. Volume 1 features a high-level executive summary intended for top management and boards. Volume 2 presents practical guidance with real-life examples drawn from smaller businesses. Volume 3 provides evaluation tools to help management implement and evaluate internal control over financial reporting.

A CONTINUOUS, INTEGRATED PROCESS

Maintaining effective internal control is not static. Organizations have to expect that controls will change over time as risks and processes change. The guidance recognizes that an organization should have processes to update its identification and assessment of risks as well as to monitor the continuing effectiveness of its internal control system (see "Section 404 for Small Caps," JofA, Mar.06, page 67). The guidance is oriented toward objectives and principles. The fundamental principles are derived from the five COSO components--risk assessment, control environment, control activities, information and communication, and monitoring. Each of the principles is further described with key attributes that guide organizations in selecting the optimal control approach.

In this guidance, the traditional depiction of the internal control framework, usually shown and referred to as the "COSO Cube," is supplemented with a diagram that illustrates the logical relationship of the control framework, starting with management's objectives.

The logical interrelationship of the COSO components should help all companies plan their approaches to evaluating and updating controls. In understanding this relationship of controls and internal control components, COSO recognizes a systematic process whereby an organization:

* Specifies its financial reporting objectives (possibly influenced by regulatory requirements).

* Identifies and assesses the risks that may prevent it from achieving the desired objectives. Examples of the risks include management override, inadequate transaction processing and inappropriate accruals.

* Designs and implements a control environment that sets the tone for the organization and its commitment to financial competencies to mitigate risk.

* Designs and implements control activities--including authorizations, completeness tests and reconciliations--to further mitigate risks.

* Develops an effective information and communication process that enables relevant parties to understand their control responsibilities and ensures management receives timely and relevant reports that facilitate effective investigation and decision making.

* Monitors the effectiveness of its internal control system.

The objective of internal control over financial reporting is to achieve reliable financial reporting. Management's annual assessment of internal control effectiveness should be based in large part on the monitoring of control effectiveness. That monitoring should also incorporate a systematic process to identify emerging risks of misstatement, so that the design of the internal control system is continuously improved to mitigate new risks.

MANAGEMENT ASSESSMENT OF INTERNAL CONTROL

Many businesses have viewed the assessment of internal control over financial reporting as a separate task from managing their day-to-day activities. By allowing these two areas to converge, management will attain greater efficiencies. This may occur through greater reliance on monitoring activities within a company or through the re-engineering of current processes. Management can obtain significant efficiencies if it integrates monitoring activities across its financial reporting processes rather than thinking of its section 404 assessment as a separate process on top of the IC Framework. This may provide management with sufficient assessment evidence of whether its system of internal control is effective over time.

The COSO board and supporting task force reviewed numerous smaller companies, both public and nonpublic, for examples of good internal control. That review underscored a fundamental COSO viewpoint that management judgment is important. Management should be empowered to choose the best set of controls because it is in the best position to decide and because control needs will change over time. The guidance identifies three factors to consider when choosing a control. It should:

* Reduce risk to an acceptable level.

* Be cost-effective.

* Contribute to the effectiveness of one or more of the five components of effective internal control in the COSO Internal Control Integrated Framework.

Volume 3 of the guidance includes templates for approaching the control decision. Many are presented in a questionnaire form and are based on the fundamental principles of control discussed in Volume 2. The templates are available, with the purchase of the guidance, as a download in Microsoft Word, so they can be tailored to each organization.

PRINCIPLES OF EFFECTIVE CONTROL

The guidance includes 20 fundamental principles of internal control directly from the Framework and related to each of the five COSO internal control components (see accompanying list). The guidance includes attributes associated with each principle. Although it draws examples for smaller businesses, the principles apply to all organizations--large or small, public or not public, government and not-for-profit.

These 20 principles should not be viewed as a checklist for designing and achieving effective internal control. Effective internal control still depends on having the five internal control components in place and operating effectively, such that a company has reasonable--not absolute--assurance that it will prevent or detect material misstatements in a timely manner.

Rather, COSO views each principle as essential to effective implementation of the related internal control component. These attributes further guide control selection by making the expected characteristics of control more specific. For example, the guidance presents three attributes associated with the principle related to integrity and ethical values. To achieve a high level of ethical behavior, the organization should:

* Articulate values in a clear statement of ethical values understood by personnel at all levels of the organization.

* Monitor adherence to principles of sound integrity and ethical values.

* Address deviation from sound integrity and ethical values promptly and appropriately.

These attributes, as well as all other principles and attributes included in the guidance, require judgments as to the most effective way to implement the controls. Thus, the control principles and attributes are designed to be scalable--less formal for smaller organizations and more formal for larger organizations, where communication is more indirect.

THE IMPORTANCE OF DOCUMENTATION

Many company officials would prefer to let controls operate without having to document them. Unfortunately, inadequate documentation is one reason many companies are surprised to find out their system of internal controls is not effectively designed or implemented.

Documentation provides guidance for implementing controls, can serve as a basis for training new personnel in implementing them and provides evidence they have operated effectively. All controls and their operation need some documentation. When management and auditors must attest to internal control effectiveness, documentation must be more formal. It is not possible simply to rely on a statement that management performed the control. When parties have to attest to the control, there must be some evidence it was working effectively.

IMPLICATIONS FOR CPAs AS EXTERNAL AUDITORS

This guidance will be useful for external auditors in assessing the effectiveness of internal control over financial reporting. The guidance should assist both management and its auditors to move away from a "check-the-box" approach to one that focuses on accomplishing the organization's objectives through effectively addressing the 20 principles underlying the COSO IC Framework.

It also offers additional perspective on approaches suitable for public companies and should encourage a healthy dialogue between management and its auditors. The dialogue between management and its auditors will lead to more creative and effective implementation of internal control in many organizations. Similarly, the principles and attributes contained in the guidance provide leadership opportunities for CPAs in management positions to focus on internal control objectives, process reengineering and, most importantly, building effective monitoring into their control practices. As this article's title indicates, the fundamental principles of internal control are not just for small companies.

Achieving effective internal control over financial reporting is just one step to corporate success and longevity. Businesses should integrate internal control processes with a more comprehensive process of enterprise risk management to achieve broader strategic, operational, reporting and compliance objectives. Another COSO document, Enterprise Risk Management: An Integrated Approach, may also be of help.

Reported internal control deficiencies went down in the second year of compliance with Sarbanes-Oxley section 404 by accelerated filers. In 2005, 15.4% of reporting companies had material weaknesses of internal control. In the first quarter of 2006, that dropped to 5.6%.

Source: Audit Analytics

COSO Project

COSO has undertaken a project to identify practical, cost-effective approaches organizations may use to monitor their controls. More detail can be obtained at www.coso.org. COSO expects to issue a white paper in early 2007 that better articulates the monitoring component of internal control over financial reporting.

The project will also identify best practices that companies are using or can use to develop better monitoring of their internal control effectiveness. In addition, the project will relate the monitoring component of the IC Framework to management's annual assessment and reports on internal control.

Practical Tips

* Stress to your clients or management team the importance of having financially literate, independent directors. The audit committee should establish its agenda thoroughly and well in advance to help management plan for its expectations.

* Advise managers to address a range of preventive and detective controls across the organization, such as segregating cash payments and access to inventory, purchases and fixed assets.

* See Volume 2 of Internal Control Over Financial Reporting--Guidance for Smaller Public Companies for more illustrations of best practices for all 20 COSO principles.

* To obtain Internal Control Over Financial Reporting--Guidance For Smaller Public Companies, go to www.coso.org/publications.htm or www.cpa2biz.com/stores/coso3. The executive summary is available as a free download. All three volumes are available from www.cpa2biz.com as a PDF file download or paperback set.

Principles of Effective Control Over Financial Reporting

Control Environment

1. Integrity and ethical values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

2. Board of directors. The board of directors understands and exercises oversight responsibility for financial reporting and related internal control.

3. Management's philosophy and operating style. Management's philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational structure. The company's organizational structure supports effective internal control over financial reporting.

5. Financial reporting competencies. The company retains individuals competent in financial reporting and related oversight roles.

6. Authority and responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

7. Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

8. Financial reporting objectives. Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

9. Financial reporting risks. The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

10. Fraud risk. The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

11. Integration with risk assessment. Actions are taken to address risks to the achievement of financial reporting objectives.

12. Selection and development of control activities. Control activities are selected and developed considering their cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

13. Policies and procedures. Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in the implementation of management directives.

14. Information technology. Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication

15. Financial reporting information. Pertinent information is identified, captured and used at all levels of the company and distributed in a form and time frame that supports the achievement of financial reporting objectives.

16. Internal control information. Information used to execute other control components is identified, captured and distributed in a form and time frame that enables personnel to carry out internal control responsibilities.

17. Internal communication. Communications enable and support understanding and execution of internal control objectives, processes and individual responsibilities at all levels of the organization.

18. External communication. Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

19. Ongoing and separate evaluations. Ongoing or separate evaluations enable management to determine whether internal control over financial reporting is functioning.

20. Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to parties responsible for taking corrective action, and to management and the board as appropriate.

AICPA RESOURCES

Publication

* Internal Control Over Financial Reporting--Guidance for Smaller Public Companies. The guidance can be obtained at www.cpa2biz.com. (PDF file download, #990017PDF, members $50, nonmembers $75; paperback three-volume set, #990017, members $65, nonmembers $90; combined download and paperback, #990016HI, members $90, nonmembers $125).

For more information or to order, go to www.cpa2biz.com or call 888-777-7077.

Web site

* Smaller businesses are often challenged to find effective board members and audit committees with accounting and control expertise. The COSO guidance recognizes the important role nonpracticing CPAs can play in meeting those needs. The AICPA has developed its Audit Committee Matching System (www.aicpa.org/info/committees/index.asp) to help organizations find a source of independent talent. CPAs should market the database in their area.

JofA articles

* "Section 404 for Small Caps," Mar.2006, page 67.

* "The Value Proposition," Sep.2005, page 77.

Larry E. Rittenberg, CPA, Ph.D., CIA, is chairman of COSO and Ernst & Young professor of accounting at the University of Wisconsin at Madison. Frank Martens, CA, is director of advisory services at PricewaterhouseCoopers LLP in Vancouver, British Columbia, and project team manager for Internal Control Over Financial Reporting--Guidance for Smaller Public Companies. Charles E. Landes, CPA, is vice president, AICPA professional standards and services, and represents the AICPA on COSO's board. Their e-mail addresses, respectively, are Irittenberg@bus.wisc.edu, frank.j.martens@ca.pwc.com and clandes@aicpa.org.
COPYRIGHT 2007 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Landes, Charles E.
Publication:Journal of Accountancy
Date:Mar 1, 2007
Words:2708