In the wait for COSO's internal control guidelines due out in May, CFOs and their staffs, particularly those from small and medium size entities, may need to do some prep work.
By Kristine Brands

CFOs and their staffs who have put off on updating their internal controls until new guidelines are released may find out they have a lot more work to do. That's especially so for finance folks who work for small and medium size entities (SMEs), which tend to have fewer resources than their peers at bigger companies do. 

The Committee of Sponsoring Organizations for the Treadway Commission (COSO) is due to release its new framework, 2013 Internal Control - Integrated Framework, and its supplemental guidance on May 14. It should help corporate executives adopt better internal controls in operations, compliance and financial reporting.

Becoming familiar with the new framework and its optional, adaptable guidelines as early as possible is the first--and arguably the most important--step CFOs and their teams can take toward adopting more effective internal control systems by 2014. They also should include their auditors in the planning process.  

The document itself, along with its companion guides, represents two-and-a-half years of effort to refresh the original 1992 internal-control framework and reflects changes in the business environment over the past 21 years. The transition period for the new framework is May 14, 2013 through December 15, 2014.

It’s important to remember that the COSO board continues to have confidence in the 1992 framework and allows companies to use it through the transition period, after which it is considered superseded by the new framework. During this period, COSO advises companies to disclose which framework they are using.

With a 19-month window for the transition to the new framework, CFOs thus need to develop a plan to map their current internal-control systems to it and ensure that the additions relevant to their companies are satisfied. Corporate execs need to become familiar with the 17 principles embedded in the original framework that take prominence in the new framework. The principles concern the control environment, risk assessment, control activities, information and communication and monitoring activities.

But for SMEs, the transition period could be even tighter. That's because they typically would need a longer time to catch up. In evaluating the COSO components regarding monitoring internal controls, for example, this will require resources and expertise that might stretch SMEs budgets. Large-cap companies may be able to automate that evaluation, but SME's may not have the information-system resources needed for automation and may have to rely on manual evaluations.

Determining Effectiveness
Although CFOs will also find the new COSO supplemental guidance useful, not all of the guidance is right for every size of business. Corporate executives need to determine the appropriate level of adherence for their business.  

For example, COSO’s Illustrative Tools for Assessing Effectiveness of a System of Internal Controls supplement provides a method for companies to demonstrate that their internal-control systems are effective. But it's not intended to evaluate transaction-level internal controls. It merely includes templates on how to organize the effectiveness assessment and scenarios showing how to apply the templates.