Though using the templates are often described as complicated, it’s important to remember that companies are not required to use it. Indeed, using this complex tool may be difficult to apply to one’s operations. But the CFO’s team still needs to evaluate if it will be helpful to their organizations, or, instead, if it’s necessary to develop a new approach for assessing the effectiveness of their systems of internal control.

Similarly, COSO’s compendium of examples that help corporate executives in the external financial reporting process, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, is still optional guidance--but it can help. One principle is that “the board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.”

That's an important principle, and for some, one that is easily followed. How would a company’s internal control satisfy this principle? If a company has standards of conduct for the board and it addresses any deviations from those standards.

But again, this may be harder to apply for all companies, particularly when considering SMEs. For example, financial dashboards (which depict financial data online) could be used to satisfy COSO’s  “Information and Communication” control component by automatically communicating financial results to the organization.

But Enterprise Resource Planning (ERP) systems of growing companies may not include this capability. If that's the case, SMEs could develop periodic reports that communicate dashboard-type results to the organization.

As it stands, the compendium is expected to supersede COSO’s already existing 2006 Internal Control over Financial Reporting--Guidance for Smaller Companies.

For all sized companies, however, the new compendium also clarifies wording about what constitutes “material weaknesses/major deficiencies” in internal controls  and aligns with what the Public Company Accounting Oversight Board (PCAOB) and the Security and Exchange Commission (SEC) agree on for a “top-down and risk-based approach” (where management focuses on risks that could end up having a material misstatement on the company's financials) to internal controls. Both the SEC and PCAOB have said the COSO framework is appropriate. 

Companies required to comply with the SEC’s classification of internal-control weaknesses can use the COSO guidance to classify internal-control deficiencies as a material weakness, significant deficiency or control weakness. The supplement says: “If an internal control deficiency is classified as a material weakness, the company’s system of internal control over financial reporting does not meet the framework’s requirements for effective internal control. However, if an internal control deficiency is not classified as a material weakness, the company’s system could still achieve effective internal control over external financial reporting.” 

In addition, the COSO supplement added the following focus points that address risk when finance departments prepare financial statements: risk of material omission or misstatement; risk of material omission or misstatement due to fraud; risk of material omission due to illegal acts and corruption; and the need for risk response.

Recommendations have also been made to the COSO board to pursue follow-up projects that would include more detailed examples in the compendium.