How COSO changes will affect small businesses

Owners and managers can take several steps to prepare for and respond to the updated framework.

May 19, 2014
By Jeremy Dillard, CPA

Last year, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated Internal Control—Integrated Framework to reflect that internal control has become more complex in recent years, particularly in the areas of outsourced service providers and technology. The intent of the updated framework is to provide better guidance to management and those charged with governance in fulfilling their internal control responsibilities and to help entities address future changes.

The framework defines internal control as “a process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” relating to operations, financial reporting, and compliance.

Within this definition of internal control are two fundamental premises:

  1. Internal control is ultimately performed by people and cannot prevent bad decisions or the chance that actions may prevent an entity from achieving its objectives.
  2. A system of internal control is expected to provide reasonable assurance, not absolute assurance, that objectives will be achieved. Absolute assurance is not possible because there are inherent limitations within any system of internal control as well as uncertainties and risks that may exist.

Components of internal control

Supporting the entity in its efforts to achieve objectives, the framework sets out five components of internal control, which are listed below with considerations for small businesses. One significant change is that the framework now includes 17 principles (the fundamental concepts that help users understand requirements for effective internal control and assist in designing and implementing systems of internal control) and 81 points of focus (the important characteristics of a principle).


Considerations for Small Businesses

Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control and extend beyond the idea of “culture” to comprise:

  • The organization’s integrity and ethical values;
  • The board of directors’ oversight responsibilities;
  • The assignment of authority and responsibility;
  • The process for attracting, developing, and retaining employees; and
  • The measures, incentives, and rewards to drive accountability for performance.

Considerations for small businesses:

  • Small businesses with active management involvement in the financial reporting process might not have extensive descriptions of accounting procedures or detailed written policies, but the control environment may still be effective.
  • Small businesses might find it costly or difficult to attract competent and independent directors, but the board should have members to adequately facilitate constructive criticisms, discussions, and decision-making related to internal control.
  • The owner-manager may personally identify deviations from the standards of conduct and address them directly, leading to an effective yet less formal system for addressing deviations.

Risk Assessment
The process for identifying, assessing, evaluating, and managing risks (including the risks of fraud related to the misappropriation of assets as well as financial reporting).

  • The owner-manager typically performs an ad-hoc risk assessment process on a situational basis when deemed necessary. The process is rarely formalized or documented, but the fundamental concepts remain relevant. However, the informality of the process or lack of documentation should not lead the owner-manager to conclude that the entity does not have a risk assessment process.
  • The management of small businesses often relies on outside professionals to provide information for the change assessment process that is still effective and appropriate for the small business’s size. For example, the owner-manager may learn about new laws and regulations, consult with legal counsel or the entity’s tax adviser about those changes and their potential impacts on the entity, evaluate the impacts, and develop a plan of action.

Control Activities
The tools used by an organization to mitigate risks. Activities consist of policies and procedures established by management.

  • The active involvement of an owner-manager in a small business may mitigate certain risks arising from lack of segregation of duties; however, other risks, such as the override of controls, may be increased.
  • Segregation of duties may not be practical, cost effective, or feasible for smaller businesses because they lack sufficient resources to achieve ideal segregation. In these situations, management should institute compensating controls, which usually involve an employee independent of the process performing a supervisory control.

Information and Communication
Information is necessary for the organization to carry out internal control responsibilities.

Communication enables personnel to understand internal control responsibilities and their importance to achieving objectives.

  • Employees in small businesses may understand their job duties but not understand how those duties relate to internal controls. To improve the employees’ understanding, management may provide them with a clear narrative document that summarizes the objectives as well as periodically provide relevant financial information and/or metrics.
  • Small businesses should have controls over using outsourced service providers, including review of the service contract, sharing the entity’s expectations for ethics and performance with the service provider, and adding the service provider to the entity’s payables system.

Monitoring Activities
The organization uses ongoing evaluations, separate evaluations, or some combination of the two to ascertain whether the components of internal control are present and functioning.

  • Because small businesses typically lack an internal audit function, management may use other internal or external objective reviewers, such as compliance officers, operations specialists, IT security specialists, or consultants to perform monitoring activities. Management may also use personnel from different functional areas to evaluate components of internal control.

Note: The framework assumes that all principles are relevant. However, there may be rare situations where management has determined that a principle is irrelevant to the associated component. In those situations, management must support that determination, including the rationale of how, in the absence of that principle, the associated component could be present and functioning. Otherwise, a major deficiency exists in the system of internal control.

The framework states that some level of documentation is necessary for management to conclude that the components of internal control are properly designed, implemented, and operating effectively.

However, small businesses often find less need for formal documentation of control activities because there are typically fewer employees and levels of management, closer working relationships, and frequent interaction between employees. These factors often promote communication of what is expected and what is being done. Consequently, management of smaller businesses can often determine that certain controls are in place through direct observation.

Effective date
The updated (2013) framework will supersede the original (1992) framework effective Dec. 15, 2014, and early adoption of the updated framework is permitted. Accordingly, CPAs working with organizations that have a Dec. 31 year end should start planning now to attend training to understand the impact on assurance engagements as well as to proactively address the impact of these changes on their clients.

Jeremy Dillard, CPA, is a partner with Rivera, Jamjian & Dillard LLP in Los Angeles. He is the 2013 winner of the AICPA’s Maximo Mukelabai Award, which honors a young CPA for community service and his or her commitment and contributions to the accounting profession. For more information or to nominate a young CPA for the 2014 award, go to the Maximo Mukelabai Award webpage.