Small business are reacting with skepticism to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) claim that its newly-issued guidance for smaller firms will help them assess internal controls in a cost-effective manner.
The guidance, which supplements COSO’s 1992 Internal Control-Integrated Framework, aims to reduce compliance burdens for companies with fewer financial and human resources by illustrating how firms can use different approaches and adapt their circumstances to compliance requirements. Most companies have referred to COSO’s 1992 model to comply with the requirement to assess internal controls spelled out in section 404 of the Sarbanes-Oxley Act.
However, smaller firms have balked at the audit costs incurred for compliance. Upon the passage of Sarbanes-Oxley, predictions estimated the average internal control audit would be approximately $91,000 each year, recalls Chris Cole, regulatory counsel at the Independent Community Bankers of America. Instead, the costs have been about $700,000 to $800,000 each year, according to Cole, who noted that costs vary according to each firm.
Businesses doubt the new guidance will reduce audit costs because, as intended, it is guidance for management, not auditors. Released on July 11, Internal Control over Financial Reporting-Guidance for Small Public Companies, does not address how auditors adhere to the Public Company Accounting Oversight Board’s Auditing Standard No. 2 (AS2), the guideline for external auditors on how to assess controls.
“Small businesses still have to comply with AS2, and that is creating a cost burden,” noted Cole, “COSO does not do anything to relieve that burden.” Cole believes that accounting firms, driven by fears of liability and a motivation to maximize their fees, will attempt to review every type of internal control. Auditors’ conservative application of the one-size-fits-all auditing standard drives compliance expenses, he says.
The new, anecdotal compliance approaches offered by COSO causes the guidance to be vague, a characteristic that, perversely enough, might even prompt auditors to add items to their auditing checklist, notes Eric Balzer, chief financial officer of Ramtron International. Auditors, anxious to protect themselves, seek definitive guidelines to prove their work to the PCAOB, not anecdotes on approaches that might be effective, he said. “Vagueness will drive more auditing work,” predicts Balzer. “I don’t think there is much value-added [in the guidance].”
The guidance does provide a detailed map for corporate boards and management, notes Cole, but it will only be helpful in adopting good internal controls and complying with Sarbox Section 404. “It is certainly not going to reduce any costs of the external audit,” says Cole, “Companies will still have to document their internal controls and do everything that AS2 requires.”
A solution may be in the distant future. In its July 11th concept release on Sarbox Section 404, the Securities and Exchange Commission noted it will continue to work with the PCAOB to address complaints raised about Auditing Standard No. 2 by the business community.
Cole and Balzer believe that only a legislative solution will provide relief for companies, but they do not expect that a bill amending Sarbox will appear in Congress until after Senator Paul Sarbanes and Congressman Michael Oxley retire at the end of 2006. “Beginning next year, I think you will see a concerted effort by business groups to amend 404,” predicted Cole. “No one wants to challenge them [Sarbanes and Oxley] while they are still in Congress.”