The Committee of Sponsoring Organizations has released a draft of new guidance on monitoring internal controls, considered by many to be a vital—if elusive—part of streamlining Sarbanes-Oxley compliance efforts.

The 40-page document was released last week, and COSO officials are asking the business community to review the draft and provide feedback. The comment period will end Oct. 31, and the final version is scheduled for release during the first quarter of 2008. The draft can be viewed online at http://www.coso.org/publications.htm.

The project team that assembled the paper was led by Trent Gazzaway, managing partner of national corporate governance at Grant Thornton, along with COSO Chairman Larry Rittenberg and Institute of Internal Auditors President Dave Richards. Representatives from audit firms and regulators, including the U.S. Government Accountability Office, the Securities and Exchange Commission, and the Public Company Accounting Oversight Board, also participated.

Gazzaway styles the draft as the “third leg of a stool” for improving the efficiency and effectiveness of evaluating internal controls. The other two legs are pieces of guidance issued by the SEC and the PCAOB earlier this year to help managers understand their SOX compliance obligations and help auditors understand how to take a risk-based approach to auditing internal controls.

Seeing the link between effective monitoring and SOX compliance is particularly important, Gazzaway says. The time and expense that companies have devoted to building processes for SOX and its notorious Section 404 provisions might have been reduced if companies had been able to take advantage of existing effective monitoring or make modifications to implement effective monitoring.

Businesses “didn’t always realize, when Section 404 came out, that they could take credit for effective monitoring and use that for support in their assertions,” Gazzaway explains. “Congress never intended 404 to be a massive fourth-quarter exercise above what well-managed companies were already doing. Congress expected companies to be in a position to tell stakeholders whether they have good internal controls.”

COSO’s draft guidance brings everyone back to the principles of the original COSO framework and aims to help companies build monitoring into their core operations, Gazzaway says. Businesses should be able to use their monitoring program as one of the primary sources of support for their assertions.

One part of monitoring that the new COSO paper addresses is the gathering of information through both direct and indirect methods. The direct collection of information can be more costly for companies because it involves observing and testing controls within operations. But indirect information collection, Rittenberg says, can include analyzing operating data and using it to make inferences about the continued effectiveness of internal controls.

Both methods bring value to the monitoring process. Striking the right balance between them can improve the efficiency and fluidity of the entire evaluation process, Gazzaway says.

The monitoring guidance is the first step COSO is taking to provide more guidance on internal controls to companies. Next, the group plans to supplement the discussion with case-study examples that illustrate effective monitoring systems. Members of that task force have been asked to identify companies that might qualify as case-study subjects, Rittenberg says, and the GAO is examining potential government agency candidates.