The SEC has spoken: No U.S. public company will be exempt from Section 404 of the Sarbanes-Oxley Act (the "Act"). This pronouncement demonstrates the importance of Section 404, even to smaller public companies. Helping to understand the issues that larger companies have experienced during 2005 and 2006, the SEC and PCAOB issued guidance intending to make Section 404 compliance more economical, efficient and constructive. Further, in July of 2006 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued guidance for smaller public companies in implementing internal controls over financial reporting in a cost effective manner.
Compliance with Section 404 has not only improved the quality of financial statements, but has significantly bolstered investor confidence and assurance of integrity of the U.S. capital markets. However, it has not been easy. In order to meet the challenges created by limited resources and experience, many companies have turned to the consulting services practice groups of accounting and auditing firms.
The SEC has recommended that companies consider the formation of disclosure committees to be charged with judging the materiality of the information and disclosure obligations on a timely basis. Companies must consider SOX compliance in areas such as audit committee quality and composition, accounting controls, accounting policies, code of ethics and a whistle blower policy. The company's board of directors and its audit committee could be very effective in performing oversight responsibilities over financial reporting. "Tone at the top," including entity-wide controls, are critical when evaluating the control environment.
What Have We Learned From The Accelerated Filers?
Much of the criticism of SOX has focused on the cost to comply with its regulations. The high cost seen in year one may be due to companies either focusing on the wrong areas or undertaking projects without proper guidance. Consistent and constant communication can be the key to avoiding these issues.
Another point learned was that in the world of internal control, more is not necessarily better. The whole purpose of the exercise is to ensure the company has the right controls in the right place. This is not a numbers game. To the contrary, an effective and efficient internal control system will address all material risk areas with a minimum number of controls. In identifying significant controls, it's important to summarize them at entity level, as common denominators across multiple processes or accounts. In addition, key controls (controls mitigating risks that are material to the financial statements) should be emphasized. Redundant or non-value controls can be brought to the attention of process owners as part of the documentation and assessment process, but left out of the final analysis.
Since formal guidance has been lacking, it is also important to include the auditors throughout the project, from the strategic planning, through scoping and risk assessment, documentation, testing and conclusions. Detailing management's approach, including the deliverables at each stage, minimizes any surprises. Management's broad objectives should also incorporate significant areas related to information and technology. Early evaluations of an effective general computer control environment could reduce the amount of overall work. Communication and focus on the significant areas will help reduce costs and assist in achieving an effective internal control assessment.
Key Steps To An Efficient And Effective Internal Control Assessment
Create a project plan: A comprehensive project plan is instrumental in identifying the resources needed and target dates. It also helps to outline the documentation approach, which includes the tools available to gather the information to complete management's assessment of internal controls over financial reporting.
Assign responsibilities: It is important that management and process owners understand, accept, and take responsibility for critical financial reporting controls. In smaller companies there are few people and layers of management which would promote a closer working relationship and less formalized policies and procedures. Management and employees are assigned the appropriate levels of authority to strengthen and facilitate an effective control environment.
Outline financial reporting objectives: Management must specify financial reporting objectives with sufficient detail and criteria to enable the identification of risk to reliable financial reporting. Management needs to align the control objectives with the control activities covering the relevant financial statement assertions; evaluate the design effectiveness of internal controls and prepare gap analysis relating to objectives and risks; and design solutions to remedy those gaps and strengthen the controls over financial reporting.
Conduct testing and evaluations: Adequate testing of in-scope processes with emphasis on key controls and evaluating the test results is critical. This helps to ensure that internal control deficiencies are identified and reported in a timely manner to those parties responsible for taking corrective actions.
Sarbanes-Oxley compliance is the kind of strategic initiative all organizations should strive to achieve. Leveraging internal and external competencies as well as software technology will promote optimum results. Companies should also look beyond SOX and transform internal control monitoring into a core management competency at all levels of the organization to address financial reporting objectives as well as operational and other compliance objectives.
Published August 1, 2006.