A U.S. business group today published for comment new guidance for smaller businesses in fulfilling the requirements of internal control reporting of the Sarbanes-Oxley Act, known as section 404.

The guidance was published by a group known as the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO comprises The Institute of Internal Auditors, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, and the Institute of Management
Accountants.

COSO’s new guidance outlines 26 fundamental principles associated with the five key components of internal control: control environment, risk assessment, control activities, information and communication; and monitoring.

The report defines each principle and describes its attributes, lists a variety of approaches smaller companies can use to incorporate the principles, and includes real-world examples of how smaller companies have effectively applied the principles.

In adopting its rules with respect to Section 404, the U.S. Securities and Exchange Commission specified that management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO framework satisfies that criteria and has been widely used by management and auditors in fulfilling the requirements of Section 404.

Concerns have been expressed that existing internal control frameworks are not appropriately tailored to a small business control environment and that, as a result, the costs and burdens of internal control assessments may fall disproportionately on smaller businesses, the SEC said. Due to these concerns, SEC staff encouraged COSO to develop guidance on the use of their framework to address the needs of smaller businesses.

The COSO Board created an Advisory Task Force to assist in the development of this guidance, consisting of approximately twenty members with a variety of experience in smaller businesses. Input was also obtained from financial officers and senior management of smaller businesses, regulators, investors, external auditors, internal auditors, consultants, lawyers and academicians.

Commenting on the document, Donald Nicolaisen, chief accountant at the SEC, said, “I believe this guidance is an important step forward in helping smaller businesses understand and apply COSO’s internal control framework in connection with implementing Section 404 of the Sarbanes-Oxley Act. I am grateful to COSO for the efforts they expended over the past year to develop this guidance, and I am supportive of their process.”

“Section 404 is too important not to get right, but getting it right requires both effective and efficient implementation. The staff will continue to monitor and assess the effects of the internal control reporting rules on smaller public companies,” he added.