Internal Control Guidance: Not Just a Small Matter

COSO's latest guidance on controls for smaller businesses fits all organizations.

In its most recent guidance for compliance with Sarbanes-Oxley section 404 requirements for smaller entities, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided principles and examples of effective internal control. Titled Internal Control Over Financial Reporting—Guidance for Smaller Public Companies, the guidance emphasizes the business function and cost-effectiveness of internal control. Although the guidance is specifically tailored to smaller public companies, it can be applied to all organizations.

Five components of COSO’s control framework may be viewed as both fundamental principles and an aid to planning, evaluating and updating controls. They are risk assessment, control environment, control activities, information and communication, and monitoring.

Management can monitor controls most efficiently by integrating monitoring activity into financial reporting processes. Principles of effective internal control should not be considered a checklist but should be implemented in accordance with managers’ judgment, with a formality of structure appropriate to the size of the organization.

Larry E. Rittenberg, CPA, Ph.D., CIA, is chairman of COSO and Ernst & Young professor of accounting at the University of Wisconsin at Madison. Frank Martens, CA, is director of advisory services at PricewaterhouseCoopers LLP in Vancouver, British Columbia, and project team manager for Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. Charles E. Landes, CPA, is vice president, AICPA professional standards and services, and represents the AICPA on COSO’s board. Their e-mail addresses, respectively, are , and .

Managers of smaller businesses need to design and implement an effective system of internal control over financial reporting in a cost-beneficial way. To help achieve this, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided guidance to smaller businesses in its publication Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. The guidance encourages CPAs to work with organizations to implement controls that are fundamental building blocks to success. Effective internal control over financial reporting, including management’s understanding, design, implementation and monitoring, should be viewed as an important business function.

Often lost in the debate over the costs associated with Sarbanes-Oxley section 404 is the significant number of smaller businesses that fail, often because they do not have good business plans or do not identify and control risks. Research shows that a strong commitment to internal control is a matter of company priority, not a matter of resources. This guidance will help CPAs in industry and in public practice. CPAs in management will find it useful in implementing and evaluating internal control. CPAs in public practice will find it useful in assessing internal control over financial reporting and identifying the types of controls typically found in smaller businesses.

The guidance is drawn from the 1992 COSO Internal Control—Integrated Framework (IC Framework), which it clarifies but does not extend or replace. Focusing on the challenges faced by smaller businesses, the guidance explicitly addresses issues related to:

Segregating accounting duties.

Developing effective boards and audit committees.

Managing with wider spans of control.

Implementing sound information technology controls.

Documenting the design and operation of controls.

The guidance comprises three volumes, each with a distinct purpose. Volume 1 features a high-level executive summary intended for top management and boards. Volume 2 presents practical guidance with real-life examples drawn from smaller businesses. Volume 3 provides evaluation tools to help management implement and evaluate internal control over financial reporting.

Maintaining effective internal control is not static. Organizations have to expect that controls will change over time as risks and processes change. The guidance recognizes that an organization should have processes to update its identification and assessment of risks as well as to monitor the continuing effectiveness of its internal control system (see “Section 404 for Small Caps,” JofA, March 2006, page 67). The guidance is oriented toward objectives and principles. The fundamental principles are derived from the five COSO components: risk assessment, control environment, control activities, information and communication, and monitoring. Each of the principles is further described with key attributes that guide organizations in selecting the optimal control approach.

In this guidance, the traditional depiction of the internal control framework, usually shown and referred to as the “COSO Cube,” is supplemented with a diagram that illustrates the logical relationship of the control framework, starting with management’s objectives.

The logical interrelationship of the COSO components should help all companies plan their approaches to evaluating and updating controls. In understanding this relationship of controls and internal control components, COSO recognizes a systematic process whereby an organization:

Specifies its financial reporting objectives (possibly influenced by regulatory requirements).

Identifies and assesses the risks that may prevent it from achieving the desired objectives. Examples of the risks include management override, inadequate transaction processing and inappropriate accruals.

Designs and implements a control environment that sets the tone for the organization and its commitment to financial competencies to mitigate risk.

Designs and implements control activities—including authorizations, completeness tests and reconciliations—to further mitigate risks.

Develops an effective information and communication process that enables relevant parties to understand their control responsibilities and ensures management receives timely and relevant reports that facilitate effective investigation and decision making.

Monitors the effectiveness of its internal control system.

The objective of internal control over financial reporting is to achieve reliable financial reporting. Management’s annual assessment of internal control effectiveness should be based in large part on the monitoring of control effectiveness. That monitoring should also incorporate a systematic process to identify emerging risks of misstatement, so that the design of the internal control system is continuously improved to mitigate new risks.

Many businesses have viewed the assessment of internal control over financial reporting as a separate task from managing their day-to-day activities. By allowing these two areas to converge, management will attain greater efficiencies. This may occur through greater reliance on monitoring activities within a company or through the re-engineering of current processes. Management can obtain significant efficiencies if it integrates monitoring activities across its financial reporting processes rather than thinking of its section 404 assessment as a separate process on top of the IC Framework. This may provide management with sufficient assessment evidence of whether its system of internal control is effective over time.

The COSO board and supporting task force reviewed numerous smaller companies, both public and nonpublic, for examples of good internal control. That review underscored a fundamental COSO viewpoint that management judgment is important. Management should be empowered to choose the best set of controls because it is in the best position to decide and because control needs will change over time. The guidance identifies three factors to consider when choosing a control. It should:

Reduce risk to an acceptable level.

Be cost-effective.

Contribute to the effectiveness of one or more of the five components of effective internal control in the COSO Internal Control—Integrated Framework.

Volume 3 of the guidance includes templates for approaching the control decision. Many are presented in a questionnaire form and are based on the fundamental principles of control discussed in Volume 2. The templates are available, with the purchase of the guidance, as a download in Microsoft Word, so they can be tailored to each organization.

The guidance includes 20 fundamental principles of internal control drawn directly from the Framework and related to each of the five COSO internal control components (see accompanying list). The guidance includes attributes associated with each principle. Although it draws its examples from smaller businesses, the principles apply to all organizations—large or small, public or not public, government and not-for-profit.

These 20 principles should not be viewed as a checklist for designing and achieving effective internal control. Effective internal control still depends on having the five internal control components in place and operating effectively, such that a company has reasonable—not absolute—assurance that it will prevent or detect material misstatements in a timely manner.

Rather, COSO views each principle as essential to effective implementation of the related internal control component. These attributes further guide control selection by making the expected characteristics of control more specific. For example, the guidance presents three attributes associated with the principle related to integrity and ethical values. To achieve a high level of ethical behavior, the organization should:

Articulate values in a clear statement of ethical values understood by personnel at all levels of the organization.

Monitor adherence to principles of sound integrity and ethical values.

Address deviation from sound integrity and ethical values promptly and appropriately.

These attributes, as well as all other principles and attributes included in the guidance, require judgments as to the most effective way to implement the controls. Thus, the control principles and attributes are designed to be scalable—less formal for smaller organizations and more formal for larger organizations, where communication is more indirect.

  COSO Project
COSO has undertaken a project to identify practical, cost-effective approaches organizations may use to monitor their controls. More detail can be obtained at . COSO expects to issue a white paper in early 2007 that better articulates the monitoring component of internal control over financial reporting.

The project will also identify best practices that companies are using or can use to develop better monitoring of their internal control effectiveness. In addition, the project will relate the monitoring component of the IC Framework to management’s annual assessment and reports on internal control.


Many company officials would prefer to let controls operate without having to document them. Unfortunately, inadequate documentation is one reason many companies are surprised to find out their system of internal controls is not effectively designed or implemented. Documentation provides guidance for implementing controls, can serve as a basis for training new personnel in implementing them and provides evidence they have operated effectively. All controls and their operation need some documentation. When management and auditors must attest to internal control effectiveness, documentation must be more formal. It is not possible simply to rely on a statement that management performed the control. When parties have to attest to the control, there must be some evidence it was working effectively.

» Practical Tips
Stress to your clients or management team the importance of having financially literate, independent directors. The audit committee should establish its agenda thoroughly and well in advance to help management plan for its expectations.

Advise managers to address a range of preventive and detective controls across the organization, such as segregating duties over cash payments and over access to inventory, purchases and fixed assets.

See Volume 2 of Internal Control Over Financial Reporting—Guidance for Smaller Public Companies for more illustrations of best practices for all 20 COSO principles.

To obtain Internal Control Over Financial Reporting—Guidance for Smaller Public Companies, go to or . The executive summary is available as a free download. All three volumes are available from as a PDF file download or paperback set.


This guidance will be useful for external auditors in assessing the effectiveness of internal control over financial reporting. The guidance should assist both management and its auditors to move away from a “check-the-box” approach to one that focuses on accomplishing the organization’s objectives through effectively addressing the 20 principles underlying the COSO IC Framework.

Principles of Effective Control Over Financial Reporting

Control Environment
1. Integrity and ethical values. Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.

2. Board of directors. The board of directors understands and exercises oversight responsibility for financial reporting and related internal control.

3. Management’s philosophy and operating style. Management’s philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational structure. The company’s organizational structure supports effective internal control over financial reporting.

5. Financial reporting competencies. The company retains individuals competent in financial reporting and related oversight roles.

6. Authority and responsibility. Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

7. Human resources. Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment
8. Financial reporting objectives. Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

9. Financial reporting risks. The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

10. Fraud risk. The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities
11. Integration with risk assessment. Actions are taken to address risks to the achievement of financial reporting objectives.

12. Selection and development of control activities. Control activities are selected and developed considering their cost and potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

13. Policies and procedures. Policies related to reliable financial reporting are established and communicated throughout the company, with corresponding procedures resulting in the implementation of management directives.

14. Information technology. Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication
15. Financial reporting information. Pertinent information is identified, captured and used at all levels of the company and distributed in a form and time frame that supports the achievement of financial reporting objectives.

16. Internal control information. Information used to execute other control components is identified, captured and distributed in a form and time frame that enables personnel to carry out internal control responsibilities.

17. Internal communication. Communications enable and support understanding and execution of internal control objectives, processes and individual responsibilities at all levels of the organization.

18. External communication. Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring
19. Ongoing and separate evaluations. Ongoing or separate evaluations enable management to determine whether internal control over financial reporting is functioning.

20. Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely manner to parties responsible for taking corrective action, and to management and the board as appropriate.

The guidance also offers additional perspective on approaches suitable for public companies and should encourage a healthy dialogue between management and its auditors. That dialogue should lead to more creative and effective implementation of internal control in many organizations. Similarly, the principles and attributes contained in the guidance provide leadership opportunities for CPAs in management positions to focus on internal control objectives, process re-engineering and, most importantly, building effective monitoring into their control practices. As this article’s title indicates, the fundamental principles of internal control are not just for small companies.

Achieving effective internal control over financial reporting is just one step to corporate success and longevity. Businesses should integrate internal control processes with a more comprehensive process of enterprise risk management to achieve broader strategic, operational, reporting and compliance objectives. Another COSO document, Enterprise Risk Management—Integrated Framework, may also be of help.


Internal Control Over Financial Reporting—Guidance for Smaller Public Companies. The guidance can be obtained at (PDF file download, #990017PDF, members $50, nonmembers $75; paperback three-volume set, #990017, members $65, nonmembers $90; combined download and paperback, #990016HI, members $90, nonmembers $125).

For more information or to order, go to or call 888-777-7077.

Web site
Smaller businesses are often challenged to find effective board members and audit committees with accounting and control expertise. The COSO guidance recognizes the important role nonpracticing CPAs can play in meeting those needs. The AICPA has developed its Audit Committee Matching System ( to help organizations find a source of independent talent. CPAs should market the database in their area.

JofA articles
“Section 404 for Small Caps,” March 2006, page 67
“The Value Proposition,” Sept. 2005, page 77


This comprehensive report looks at the changes to the child tax credit, earned income tax credit, and child and dependent care credit caused by the expiration of provisions in the American Rescue Plan Act; the ability e-file more returns in the Form 1040 series; automobile mileage deductions; the alternative minimum tax; gift tax exemptions; strategies for accelerating or postponing income and deductions; and retirement and estate planning.