Internal Control Over Financial Reporting
COSO’s Guidance Not Just for Public Companies
Jeffrey E. Michelman and Bobby E. Waldrup
APRIL 2008 -
When the Committee of Sponsoring Organizations (COSO) released its
Internal Control—Integrated Framework (ICFR) in 1992,
the event went largely unnoticed. The importance of this framework
changed dramatically with the passage of the Sarbanes-Oxley Act
of 2002 (SOX). Because SOX required all covered entities to base
their assessment of internal control on a recognized framework,
COSO was readily embraced. Unfortunately, smaller public and nonpublic
companies have found the 1992 framework complicated to apply and
the application of COSO by SEC registrants that were accelerated
filers in 2004, smaller publicly traded organizations have continued
to argue that complying with SOX section 404 was an unfair burden.
As a means for improving both the understandability and the applicability
of the ICFR, COSO released Internal Control over Financial
Reporting—Guidance for Smaller Public Companies (ICFR-SPC).
Although the true value and utility of the ICFR-SPC for compliance
with SOX section 404 will become clearer over the next several
years, the authors believe that the value of the ICFR-SPC goes
far beyond publicly traded companies. In particular, ICFR-SPC
offers great utility to small businesses, but only if it is properly
understood and applied.
offers a significant opportunity for small CPA firms to offer
value-added services to existing and potential clients. This importance
is illustrated in a 2005 survey by the AICPA’s Private Companies
Practice Section (PCPS), which found that the number-three challenge
for small CPA firms was “marketing/practice growth.”
Small businesses often lack internal controls because the costs
are perceived to outweigh the benefits. Yet these same organizations
are often burdened by excessive regulatory costs-per-employee
and higher-than-average fraud costs and occurrence of fraud. These
pressures on small business are listed in Exhibit
1. Many will no doubt interpret this as more evidence of the
regulatory burdens placed on small businesses, and will say that
small businesses should continue to advocate for continued exemption
from compliance with laws like SOX. The authors, however, believe
that CPAs have failed to recognize the opportunity to provide
added-value internal control services, because small businesses
either do not understand the value of internal controls or are
unwilling to pay for the evaluation and, ultimately, the application
of internal controls. As a result, small businesses are often
the organizations most susceptible to fraud.
of CPAs to sell these services to small businesses has often been
due to a lack of usable tools to evaluate, apply, and communicate
both the importance of internal control and suggestions for its
application. (The Sidebar
presents a case study of an opportunity missed and the related
fraud that ensued.) Unfortunately, small CPA firms often see the
need for their services as solely stemming from compliance with
a direct demand by an external party (i.e., the IRS or a lender).
In contrast, the authors believe that the ICFR-SPC offers a powerful
tool for practitioners to provide value-added services that go
beyond complying with external demands and pass a cost-benefit
test. Moreover, CPAs not involved in the assurance function can
seize the opportunity to act as business advisor.
five components of internal control in the 1992 ICFR (control
environment, risk assessment, control activities, information
and communication, and monitoring) offered more insight into how
large organizations operate than how small businesses do. In contrast,
ICFR-SPC is a framework that offers a clear explanation of the
five components of internal control as well as how they apply
to small businesses, both for-profit and nonprofit. Because the
focus of the ICFR is on financial risk, the secondary benefits
to nonassurance clients is not always readily apparent.
of internal control to many small businesses is characterized
by 10 factors that the authors believe are particularly important
for businesses to enhance their system of internal control (see
2). While these 10 characteristics are not necessarily formal
internal control threats, they can act as red flags to a CPA.
to the original ICFR, the ICFR-SPC links the components in a feedback
loop, stressing the importance of internal control as a dynamic
process. Although the paramount importance of internal control
for public companies is to ensure the integrity of the financial
reporting process, the authors think that the three secondary
factors of internal control are what make them most valuable to
and timely information supporting management’s decision-making
on matters such as product pricing, capital investment, and
mechanisms for processing transactions across an organization,
enhancing the speed at which transactions are initiated and
settled, the reliability of related recordkeeping, and the ongoing
integrity of data; and
and confidence to accurately communicate business performance
with business partners and customers.
of these secondary characteristics of internal control can offer
untapped value to small businesses. COSO believes that the 20
principles of ICFR-SPC apply to all organizations, with size or
complexity affecting only the scope of implementation. In particular,
of the 20 basic principles of internal control, the authors believe
that CPAs should focus on the importance of 11 of these with businesses
of all sizes (highlighted in Exhibit
3). The following discussion focuses on professional service
organizations in particular.
Of the seven
principles that relate to the control environment, four are pervasive
across organizations of all types and sizes. Because small nonpublic
companies will often have no board of directors or in-house financial
reporting unit, this discussion will not address them. Furthermore,
the critical aspects of management philosophy and operating style
are sufficiently important for small business to be necessary
parts of the first principle, integrity and ethical values. Integrity
and ethical values are the basis by which the control model is
built. Although CPAs cannot instantiate these traits into a client,
they can help a business communicate these values to employees
on a regular basis, and also remind them of these tenets if a
client has “lost their way.” It is particularly important
for a CPA in these situations to link their code of professional
ethics with ethical business practices.
structure is often difficult for small business owners to understand,
particularly if their professional training is technical. In such
cases, CPAs can help a business define the administrative relationships
in the organization. A logical adjunct to this process is helping
a company define the authority and responsibilities of employees,
especially the segregation of duties necessary under the circumstances.
human resources is one area in which many companies falter significantly.
Because many professionals (e.g., attorneys and physicians) do
not take courses in management, they have inadequate knowledge
of hiring, training, supervision, performance evaluation, and
compensation. In this regard, CPAs need to know when to provide
advice and when to seek the help of human resources professionals.
legal professionals often understand and advise their clients
on risk assessment, yet they often fail to adequately transfer
these concepts to their own businesses. Although the risk of noncompliance
with GAAP is an important concept, many small businesses use cash-basis
accounting, and therefore should focus on fraud risk rather than
on financial reporting objectives and risks. In this respect,
a CPA has a twofold role: to understand how the fraud triangle—opportunity,
pressure, and rationalization—affects both the business
and how the business must pay attention to the dynamic nature
of these factors in its employees. Moreover, a CPA should ensure
that a client understands whatever fraud risks are unique to the
industry, the location, or the broader economy.
in this context are not providing attest services, they should
be particularly involved in helping clients identify control activities
that facilitate integration with risk assessment. For example,
CPAs can advise a small business on the choice of a service bureau
to provide payroll services when the fraud-related risk of processing
payroll in-house is significant. A CPA can reviewer the service
provider’s Statement on Auditing Standards (SAS) 70, Service
Organizations, report, and advise the client appropriately.
In small businesses, selection and development of control activities
should focus on mitigating any risks of fraud that have been identified.
In particular, small businesses are often unwilling or unable
to implement certain types of segregation of duties. CPAs should
initiate a discussion about additional outsourcing activities
or increased owner involvement.
small businesses do not rely on information technology (IT) controls,
CPAs should advise clients of the need to integrate control activities
and document them as part of its policies and procedures. Perhaps
one of the greatest opportunities for CPAs is to help clients
develop and maintain policies and procedures that are appropriate
for the organization and are reevaluated as the organization changes.
For example, as organizations move from paper to digital format
for both financial and nonfinancial data, policies that deal with
record maintenance are crucial. Although IT is important, the
internal control application will generally be less complex, and
the available off-the-shelf software is generally satisfactory.
In the authors’ opinion, IT is not a significant issue for
most small businesses.
In a vibrant,
growing organization, the owners often become increasingly removed
from day-to-day administration. This sense of disconnection requires
the regular communication of internal control information in the
form of easily understood metrics that have been developed jointly
by the client and the CPA. For example, has the mix between cash
and credit sales increased the organization’s risk of theft?
internal communication structure is often overlooked, although
it is critical to the success of the internal control model. Organizations
should encourage employees to communicate with management or owners
when they believe that issues of efficiency and effectiveness—or,
more important, fraud—have arisen. In this context, the
effectiveness of the internal control model is limited by the
engagement of the employees involved. Because non–publicly
held organizations often do not prepare external reports, they
often ignore the importance of information and communication altogether.
A critical built-in control of small organizations is involvement
of the owner, but as professionals focus on providing a service
they become increasingly removed from the administrative and control
professionals often overlook monitoring because internal control
deficiencies do not generally have to be reported to a third party.
Nevertheless, ongoing and separate evaluations are quite important
for small businesses. The authors believe that a CPA should meet
with clients at least once a year to discuss changes in both the
internal and external environments. Although professionals understand
their service delivery process, they often lose touch with administrative
processes that are critical for their business’s financial
health and viability. Unfortunately, too many organizations develop
internal controls but never re-examine them as the organization
changes. The area of monitoring is a particularly robust opportunity
for CPAs to provide value-added services to clients.
for Adding Value
public company clients may tend to dismiss the ICFR-SPC as irrelevant.
The authors encourage them to reconsider this attitude and work
diligently with new or existing clients to communicate the value
of these services. CPAs in small practices who do not see the
benefits of this framework miss an opportunity to expand their
practices. Internal control is not just about complying with SOX
section 404. Rather, internal controls, when applied appropriately,
help businesses of all sizes thrive and enhance competitiveness.
E. Michelman, PhD, CPA, CMA, is an associate professor
of accounting, and Bobby E. Waldrup, PhD, CPA, is an associate dean
and associate professor of accounting, both in the department of
accounting and finance of the Coggin College of Business of the
University of North Florida, Jacksonville, Fla.
The authors would like to thank the following MBA students for their
help in completing this project: Vernon Bird, Susanna Ho, Patrick
Lynch, Carolyn Thurman, and Marie Wolford.