The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) has released an important new exposure draft of "Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting." This draft guidance was generated to give smaller businesses an alternative to COSO’s full-blown “Framework” for internal controls. We believe this is an important opportunity for smaller businesses to help craft reasonable standards for internal controls.
COSO’s initially issued “Internal Control – Integrated Framework” (the “COSO Framework”) in 1992, which laid out the famous “COCO Cube.” Section 404 of the Sarbanes-Oxley Act of 2002 required the Securities and Exchange Commission to prescribe rules by which every public company would prepare an “internal control report” stating the effectiveness of the company’s internal controls.
The SEC’s final regulations did not mandate the COSO Framework as the exclusive means of determining the effectiveness of internal controls, but in the absence of any other standard, the COSO Framework has become the procrustean standard for all companies – large and small. As a result, the costs associated with the Sarbanes-Oxley Act have been growing at an alarming rate. A recent survey found that the average cost of compliance with Section 404 was over $2.5 million. These costs are greater on smaller businesses, a recent industry study found that companies with revenues under $100 million spent an average of 2.55% on compliance in 2004, versus only 0.06% spent by companies with revenues in excess of $5 billion.
But as the new COSO Report acknowledges, there have been many changes since 1992, including the widespread use of the internet and the development of more effective audit committees. The new COSO report focuses on the analysis and approach that small to medium companies need to take to implement the requirements under Section 404. It lists 26 fundamental principles associated with key components of internal control. The report also contains useful examples of how internal controls affect businesses -- for example, how internal controls apply in certain HR settings, or how a mining operation keeps track of gold. This report will be a valuable addition to the literature for companies large and small.
Comments and suggestions on these controls are due by December 1. Just as the SEC accepted the original COSO Framework as a standard for compliance with Section 404, we expect the new COSO Report to be readily accepted as a framework for smaller businesses. If you, your business or industry have an interest in commenting on any aspect of the new COSO report, please contact one of the attorneys listed below. Please feel free to contact any of your corporate counsel contacts at Powell Goldstein LLP with any questions about the report or the procedures for commenting on the suggestions in the report.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.