A U D I T I N G
Improving Intemal Control Over Hnancial Reporting
COSO's Guidance Not Just for Public Companies Anymore
By Jeffrey E. Michelman and Bobby E. Waldrup
Since the application of COSO by SEC registrants that were heti the Committee of Sponsoring Organizations (COSO) released its Internal Control—Integrated acceleratedfilers In 2004, smaller publicly traded organizations have continued to argue that complying with SOX section 404 was an unfair burden. As a means for improving both the understandability and the applicability of the ICFR, COSO released Internal Control over Financial Reporting—Guidance for Smaller Public Companies (ICFR-SPC). Although the true value and utility of the ICFR-SPC for compliancewith SOX section 404 will become clearer over the next several years, the authors believe that the value of the ICFR-SPC goes far beyond publicly traded
Framework (ICFR) in 1992, the event went largely unnoticed. The importance of this framework changed dramatically with the passage of the Sarbanes-Oxley Act of 2002 (SOX). Because SOX required all covered entities to base their assessment ofintemal controt on a recognized framework, COSO was readily embraced. Unfortunately, smaller public and nonpublic companies have found the 1992 framework complicated to apply and to understand.
APRIL 2008 / THE CPA JOURNAL
companies. In particular, ICFR-SPC offers great utility to small businesses, but only if it is properly understood and applied. ICfT^-SPC offers a significant opportunity forsmall CPA firms to offer valueadded services to existing and potential clients. This importance is illustrated in a 2005 survey by the AICPA's Private Companies Practice Section (PCPS). which found that the number-three challenge for small CPA firms was "marketing/practice growth." Small businesses often lack interTial controls because the costs are perceived to outweigh the benefits. Yet thesesame organizations are often burdened by excessive regulatory costs-per-employee and higher-than-average fraud costs and occurrence of fraud, TTiese pressures on small business are listed in Exhibit I. Many will no doubt interpret this as more evidence of the regulatory burdens placed on small businesses, and will say that small businesses should continue to advocate for continued exemption fromcompliance with laws like SOX. The authors, however, believe that CPAs have failed to recognize the opportunity to provide added-value internal control services, because small businesses either do not understand the value of inlemal controls or are unwilling to pay for the evaluation and. ultimately, the application of internal controls. As a result, small businesses are often the organizations mostsusceptible to fraud. The inability of CPAs to sell these services to small businesses has often been due to a lack of usable tools to evaluate, apply, and communicate both the importance of intemal control and suggestions for its application. (The Sidebar presents a case study of an opportunity missed and the related fraud that ensued J Unfortunately, small CPA firms often see the need for theirservices as solely stemming from compliance with a direct demand by an extemal party (i.e., the IRS or a lender). In contrast, the authors believe that the ICFR-SPC offers a powerful tool f H practitioners to provide value-added serc" vices that go beyond complying with external demands and pass a cost-benefit test Moreover, CPAs not involved in the assurance function can seize the opportunity toact as business advisor. The original five components of intemal control in the 1992 ICFR (control environ-
ment, risk assessment, control activities, information and communication, and monitoring) offered more insight into how large organizations operate than how small businesses do. In contrast, ICFR-SPC is a framework that ofFers a clear explanation of the five components of intemal...