COSO_vol01_screen

Internal Control over Financial Reporting – Guidance for Smaller Public Companies Volume I : Executive Summary Committee of Sponsoring Organizations of the Treadway Commission Board Members Larry E. Rittenberg COSO Chair Mark Beasley American Accounting Association Nick Cyprus Financial Executives International Charles E. Landes American Institute of Certified Public Accountants David A. Richards The Institute of Internal Auditors Jeffrey Thomson Institute of Management Accountants PricewaterhouseCoopers LLP – Author Principal Contributors Miles Everson (Project Leader) Partner New York City Frank Martens Director Vancouver, Canada Frank Frabizzio Partner Philadelphia Tom Hyland Partner New York City Paul Tarwater Partner Dallas Mark Cohen Senior Manager Boston Erinn Hansen Senior Manager Philadelphia Mario Patone Manager Philadelphia Chris Paul Senior Associate Boston Shurjo Sen Manager New York City Project Task Force to COSO Guidance Deborah Lambert (Chair) Partner Johnson, Lambert & Co. Rudolph J. J. McCue WHPH, Inc. Christine Bellino Jefferson Wells International, Inc. Douglas F. Prawitt Professor of Accounting Brigham Young University Joseph V. Carcello Professor of Accounting University of Tennessee Malcolm Schwartz CRS Associates LLC Members at Large Carolyn V. Aver CFO Agile Software Corporation Brian O’Malley Chief Audit Executive Nasdaq Dan Swanson President and CEO Dan Swanson & Associates Kristine M. Brands Director of Financial Systems Inamed, A Division of Allergan Andrew Pinnero JLC/Veris Consulting LLC Dominique Vincenti Director of Professional Practice The Institute of Internal Auditors Serena Dávila Director for Private Companies & Small Business Financial Executives International Pamela S. Prior Director of Internal Control & Analysis Tasty Baking Company Kenneth W. Witt American Institute of Certified Public Accountants Gus Hernandez Partner Deloitte & Touche, LLP James K. Smith, III Vice President & CFO Phonon Corp. Observer Jennifer Burns Professional Accounting Fellow Securities and Exchange Commission Copyright © 2006 by the Committee of Sponsoring Organizations of the Treadway Commission. 1 2 3 4 5 6 7 8 9 0 MC&D 0 9 8 7 6 All rights reserved. For information about reprint permission and licensing, please visit www.aicpa.org/cpyright.htm, or telephone AICPA at 1-888-777-7077 �Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal control systems. Since that time the Framework has been recognized by executives, board members, regulators, standard setters, professional organizations and others as an appropriate comprehensive Framework for internal control. Also, changes have taken place in the financial reporting and related legal and regulatory environments. Significantly, the Sarbanes-Oxley Act was enacted into United States law in 2002. Among its provisions, Section 404 requires management of public companies to annually assess and report on the effectiveness of internal control over financial reporting. With these developments and the passage of time, the Framework nonetheless remains relevant today and is used by management of public companies large and small in complying with Section 404. Many companies, however, have experienced unanticipated costs, with smaller companies facing unique challenges in implementing Section 404. This document neither replaces nor modifies the Framework, but rather provides guidance on how to apply it. It is directed at smaller public companies – although also usable by large ones – in using the Framework in designing and implementing cost-effective internal control over financial reporting. Although this guidance is designed primarily to help management with establishing and maintaining effective internal control over financial reporting, it also may be useful to management in more efficiently assessing internal control effectiveness, in the context of assessment guidance provided by regulators. This report is in three volumes. The first consists of this Executive Summary, providing a high level summary for companies’ boards of directors and senior management. The second provides an overview of internal control over financial reporting in smaller businesses, including descriptions of company characteristics and how they affect internal control, challenges smaller businesses face, and how management can use the Framework. Presented are twenty fundamental principles drawn from the Framework, together with related attributes, approaches and examples of how smaller businesses can apply the principles in a cost-effective manner. Internal Control over Financial Reporting – Guidance for Smaller Public Companies Volume I : Executive Summary June 2006 � Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary The third contains illustrative tools to assist management in evaluating internal control. Managers may use the illustrative tools in determining whether the company has effectively applied the principles. It is expected that senior management will find the Executive Summary and Overview chapter of Volume II of particular interest and might refer to certain of the following chapters as needed, and that other managers will use Volumes II and III as a reference source for guidance in those areas of particular need. Characteristics of “Smaller” Companies Although there is a tendency to want a “bright line” to define businesses as small, medium-size or large, this guidance does not provide such definitions. It uses the term “smaller” rather than “small” business, suggesting there is a wide range of companies to which the guidance is directed. The focus is on businesses that have many of the following characteristics: Fewer lines of business and fewer products within lines Concentration of marketing focus, by channel or geography Leadership by management with significant ownership interest or rights Fewer levels of management, with wider spans of control Less complex transaction processing systems and protocols Fewer personnel, many having a wider range of duties Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting and internal auditing. None of these characteristics by themselves is definitive. Certainly, size by whatever measure – revenue, personnel, assets, or other – affects and is affected by these characteristics, and shapes our thinking about what constitutes “smaller.” Costs and Benefits Management and other stakeholders of public companies, particularly smaller ones, have focused great attention on the cost of complying with Section 404, with less attention given to the associated benefits. Although it may be difficult to measure impacts associated with inaccurate financial reporting, market reactions to corporate misstatements clearly signal that the investment community does not readily tolerate inaccurate reporting, regardless of company size. In that respect and with other benefits described below, effective internal control adds significant value. Among the most significant benefits is the strengthened ability of companies to access the capital markets, providing capital which drives innovation and economic growth. Other benefits include reliable and timely information supporting management’s decision-making, consistent • • • • • • • While incremental cost to assess and report on internal control has become a focal point for many corporate stakeholders, it is useful to balance costs with the related benefits. �Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary mechanisms for processing transactions across an organization enhancing speed and reliability, and ability to accurately communicate business performance with partners and customers. Meeting Challenges in Attaining Cost-Effective Internal Control The characteristics of smaller companies provide significant challenges for cost-effective internal control. This particularly is the case where managers view control as an administrative burden to be added onto existing business systems, rather than recognizing the business need and benefit for effective internal control that is integrated with core processes. Among the challenges are: Obtaining sufficient resources to achieve adequate segregation of duties Management’s ability to dominate activities, with significant opportunities for management override of control Recruiting individuals with requisite financial reporting and other expertise to serve effectively on the board of directors and audit committee Recruiting and retaining personnel with sufficient experience and skill in accounting and financial reporting Taking management attention from running the business in order to provide sufficient focus on accounting and financial reporting Maintaining appropriate control over computer information systems with limited technical resources. While all companies incur incremental costs to design and report on internal control over financial reporting, costs can be proportionally higher for smaller companies. Yet despite resource constraints, smaller businesses usually can meet this challenge and succeed in attaining effective internal control in a reasonably cost-effective manner. This is accomplished in a variety of ways, outlined in this guidance, many of which already exist today in smaller companies and for which management can “take credit” in considering internal control effectiveness. Wide and Direct Control from the Top Many smaller businesses are dominated by the company’s founder or other leader who exercises a great deal of discretion and provides personal direction to other personnel. While key to enabling the company to meet its growth and other objectives, this positioning also can contribute significantly to effective internal control over financial reporting. In-depth knowledge of different facets of the business – its operations, processes, array of contractual commitments and business risks – enables its leader to know what to expect in reports generated by the financial reporting system and to follow up as needed when unanticipated variances surface. A related downside in terms of ability to override established control procedures can be addressed with specified protocols. • • • • • • With use of this guidance, management of smaller companies can meet the challenges of their unique environments, lessening incremental costs and achieving the benefits of effective internal control. � Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary Effective Boards of Directors Smaller companies typically have relatively straightforward business operations with less complex business structures, enabling directors to gain more in-depth knowledge of business activities. Directors may have been closely involved with the company during its evolution and have a strong historical perspective. Coupled with what often is exposure to and frequent communication with a wide range of managers, this assists the board and its audit committee in performing oversight responsibilities for financial reporting in a highly effective manner. Compensating for Limited Segregation of Duties Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties. There are, however, actions management can take in order to compensate for potential inadequacy. These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control. Information Technology The reality of limited internal information technology resources often can be dealt with through use of software developed and maintained by others. These packages still require controlled implementation and operation, but many of the risks associated with in-house developed systems are avoided. Typically there is a limited need for program change controls, inasmuch as changes are done exclusively by the developer company, and generally a smaller company’s personnel lack technical expertise to make unauthorized modifications. Such commercially available packages also bring advantages in the form of embedded facilities for controlling which employees can access or modify specified data, performing checks on data processing completeness and accuracy, and maintaining related documentation. Further advantage can be gained by utilizing software that comes with a variety of built-in application controls that can improve consistency of operation, automate reconciliations, facilitate reporting of exceptions for management review, and support proper segregation of duties. Smaller companies can take advantage of these capabilities, ensuring “flags” or “switches” are properly set to take advantage of the software’s capabilities. Monitoring Activities The monitoring component is an important part of the Framework, where a wide range of activities routinely performed by managers in running a business can provide feedback on the functioning of other components of the internal control system. Management of many smaller �Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary Management of many smaller businesses routinely perform monitoring activities in running the business, and they should take sufficient “credit” for their important contribution to internal control effectiveness. businesses regularly perform such procedures, but have not always taken sufficient “credit” for their contribution to internal control effectiveness. These activities, usually performed manually and sometimes supported by computer software, should be fully considered in designing and assessing internal control. From a different perspective, there is another way monitoring activities can promote efficiency. After the first year of assessing and reporting on internal control, many companies repeated the assessment process in year two with little if any cost savings. A different approach, however, can be taken to promote efficiency. By focusing on monitoring activities already in place or that might be added with little additional effort, management can identify significant changes to the financial reporting system since the prior year, thereby gaining insight into where to target more detailed testing. While for effective internal control all five components must be in place and operating effectively and some testing of each component is necessary, highly effective monitoring activities can both offset certain shortcomings in other components and sharpen targeting of assessment work with resulting overall efficiency. Achieving Further Efficiencies In addition to considering the above, companies can gain additional efficiencies in designing and implementing or assessing internal control by focusing on only those financial reporting objectives directly applicable to the company’s activities and circumstances, taking a risk based approach to internal control, right sizing documentation, viewing internal control as an integrated process, and considering the totality of internal control. The COSO Framework recognizes that an entity must first have in place an appropriate set of financial reporting objectives. At a high level, the objective of financial reporting is to prepare reliable financial statements, which involves attaining reasonable assurance that the financial statements are free from material misstatement. Flowing from this high level objective, management establishes supporting objectives related to the company’s business activities and circumstances and their proper reflection in the company’s financial statement accounts and related disclosures. These objectives may be influenced by regulatory requirements or by other factors that management may choose to incorporate when setting its objectives. Efficiencies are gained by focusing on only those objectives directly applicable to the business and related to its activities and circumstances that are material to the financial statements. Experience shows that this can be most efficiently accomplished by beginning with a company’s financial statements and identifying supporting objectives for those business activities, processes and events that can materially affect the financial statements. In this way, a basis is formed for giving attention only to what is truly relevant to the reliability of financial reporting for that company. � Internal Control over Financial Reporting – Guidance for Smaller Public Companies • Volume I : Executive Summary Focusing on Risk While management considers risks in several respects, its overarching consideration is the risks to key objectives, including the risks to reliable financial reporting. Risk-based means focusing on quantitative and qualitative factors that potentially affect the reliability of financial reporting, and identifying where in transaction processing or other activities related to financial statement preparation something could go wrong. By focusing on key objectives management can tailor the scope and depth of risk assessments needed. Often risk is considered in the context of initially designing and implementing internal control, where risks to objectives are identified and analyzed to form a basis for determining how the risks should be managed. Another is in the context of assessing whether internal control is effective in mitigating risks to objectives. In the context of assessing internal control effectiveness, there sometimes is a tendency to consider internal control using generic lists of controls appropriate to a “typical” organization. While these tools in questionnaire or other form may be useful, an unintended result is that management sometimes focuses on “standard” or “typical” controls that simply are not relevant to the company’s financial reporting objectives or risks associated with those objectives. A related problem encountered is starting assessments with the details of accounting systems and documenting them in extreme depth without recognizing whether the entirety of processes are truly relevant to achieving reliable financial reporting. This is not to say that such approaches cannot be useful, as they can be. However, whatever approach is followed, efficiencies are gained when attention is directed to the objectives management has established specific to the company’s business activities and circumstances. Right-Sizing Documentation Documentation of business processes and procedures and other elements of internal control systems is developed and maintained by companies for a number of reasons. One is to promote consistency in adhering to desired practices in running the business. Effective documentation assists in communicating what is to be done, and how, and creates expect