Sarbanes-Oxley Compliance for Nonaccelerated Filers
Solving the Internal Control Puzzle
By Sid M. Edelstein
No business legislation in recent history has elicited a broader range of reaction among financial professionals than the Sarbanes-Oxley Act of 2002 (SOA). While SOA clearly presents compliance challenges for public companies of all sizes, for many smaller, nonaccelerated filers these challenges can seem all but insurmountable. For some, this perception can lead to willful denial that compliance requirements extend to them. For others, it typically yields token efforts at compliance that often fall short. Neither is a good response. Unfortunately, many smaller companies lack the internal resources and specialized expertise necessary to successfully address all of the complexities associated with comprehensive SOA compliance.
Much of the standard professional auditing literature and available guidelines focuses almost exclusively on the objective analysis of accounting system control activities that support the financial reporting process. As a result, many auditors may find themselves ill equipped to address some of the more subjective and technically unfamiliar internal control aspects of SOA compliance audits: internal control framework development methodologies, the risk assessment activities on which they depend, and the information technology (IT) and business process automation systems that facilitate them.
Because business technology plays a major role in most companies’ internal control activities, IT-related aspects of SOA compliance are not commonly addressed in typical accounting literature. Such IT aspects include the COBIT IT internal control and governance framework, as well as IT general controls than can potentially impact the accuracy and timeliness of a company’s financial reporting processes. The historical development of COSO’s Internal Control-Integrated Framework and an overview of its key elements form the conceptual underpinnings of corporate internal control systems.
A Short History of Decay
Sarbanes-Oxley is not the first time that government has tried to protect the public from corporate malfeasance. A similar spate of high-profile corporate scandals in the 1980s prompted the establishment of the Treadway Commission, which laid the foundation for a variety of meaningful accounting and financial reporting reforms. Today’s SOA provisions are the direct descendants of these reforms. They are also only the first round in what is likely to become an ongoing legislative effort to improve corporate governance and accountability.
The Treadway Commission’s charter recognized the need to improve corporate internal control over financial recordkeeping and accounting practices. The task of addressing this issue fell to a group of private organizations known as the Committee of Sponsoring Organizations (COSO). COSO’s primary contribution to the Treadway Commission’s efforts was the development of an open, integrated framework for analyzing and improving the effectiveness of internal controls. Officially published in 1992, COSO’s Internal Control-Integrated Framework has become the de facto standard for internal control analysis and reporting. While leaving the door open to other potential internal control development frameworks, both the SEC and the PCAOB have specifically sanctioned the COSO framework as an appropriate guideline for SOA-compliant internal control analysis, development, and documentation.
Overview of the COSO Integrated Framework
The conceptual underpinnings of the COSO framework are quite simple and based upon the following observations:
- Every business has numerous operational objectives that it must accomplish in order to be successful.
- Every operational objective contains various inherent quantitative and qualitative risks to its achievement.
- The potential consequences of these risks should be reduced, wherever possible and practical, by instituting “integrated” internal controls.
COSO defines five key elements of an integrated, or comprehensive, framework of internal control as follows:
- Control environment.
Executive management and corporate governance bodies must ensure that appropriate corporate ethics and values are established and enforced at the executive level and effectively instilled throughout the entire organization. If this “tone at the top” is not successfully established, the entire system of internal control can be easily undermined and susceptible to fraud and inaccurate financial reporting.
- Risk assessment.
Efforts must be made to analyze, define, and document the qualitative and quantitative risks for all key business units and processes involved in achieving the organization’s business objectives. Accurate risk assessment is perhaps the most critical element in establishing an effective framework of internal control. It serves to highlight and isolate those specific business units and processes which present the greatest risk to the organization’s operational goals, and thereby helps focus and prioritize the creation of the organization’s overall internal control framework.
- Control activities.
Once all internal control objectives have been established and their risks have been accurately assessed, specific safeguards, processes, and procedures must be developed and implemented to reduce or mitigate the defined risks to all critical internal control objectives. Many internal control analysis, testing, and reporting functions tend to focus almost exclusively upon control activities, because they lend themselves to objective analytical criteria. The danger, however, is that effective control activities in and of themselves do not ensure that the organization has implemented an effective system of internal controls. All five COSO components must be present to ensure that these control activities function correctly and consistently over time.
- Information and communication.
Information and communication channels that support internal control objectives must be available and understood by all members of the organization as well as all necessary external entities (e.g., boards of directors, audit committees). Open internal and external communications are vital to internal control because they support the checks and balances that ensure the integrity of the control environment as well as the effectiveness and consistent application of control activities.
The organization must ensure that all internal control objectives are continuously monitored, regularly tested, and revised as necessary to support changing business conditions. An effective internal control system must be dynamic and adaptable. As business technology continues to evolve, the pace of business grows exponentially faster and becomes more difficult to control. If the organization does not have a methodology in place for accurately measuring and benchmarking the effectiveness of its internal control procedures over time, these controls can quickly become outdated and ineffectual.
COSO affirms that an integrated internal control framework must take all of these elements into account and include control objectives that effectively address each of them. In other words, the effectiveness of a company’s overall system of internal controls could be severely compromised if any one of these five key components is lacking in its design or execution.
COSO also requires that the development of control objectives incorporate a scope that encompasses the following three functional considerations:
- Operations: Improved operational efficiencies.
- Financial Reporting: Accuracy and timeliness of the financial reporting process.
- Compliance: Adherence to all corporate legal and regulatory responsibilities.
Finally, COSO requires that control objectives based upon the guidelines detailed above be developed for all business units as well as all key business processes conducted within these units. This ensures that the control framework is designed to encompass both company-wide and process-specific operational control objectives. (Exhibit 1 and Exhibit 2 present a graphical representation of the COSO framework and an example of typical COSO internal control documentation.)