10 Threats to SOX Compliance for Smaller Public Companies

This article might be helpful for smaller public companies...

To help CFOs of smaller companies navigate wisely through the Sarbanes-Oxley compliance process, Lord & Benoit has published a study, "10 Threats to SOX Compliance for Smaller Public Companies."

In summarizing the results, Lord & Benoit suggests this list should be used by CFOs as a starting point for a macro-level risk assessment at smaller public companies. Identifying potential concerns, developing action plans to remediate these risks, and taking quick action can minimize the likelihood of an adverse Section 404 report at the end of the first year of compliance.

The Lord & Benoit study reveals that the first year of SOX compliance may be particularly challenging for smaller public companies as they transition from entrepreneurial to corporate growth. The top 10 threats to SOX compliance for smaller public companies appear to be:

(1) accounting and disclosure controls; (2) treasury; (3) competency and training of accounting personnel; (4) control environment; (5) design of controls or lack of effective compensating controls; (6) revenue recognition; (7) financial closing process; (8) inadequate account reconciliations; (9) information technology; and (10) consolidations, mergers, and intercompany accounts.

Clear Blogging

I told you that before February 2007, I had no inclination to read a blog; I had so many other things to read like my fasinating monthly Journal of Accountancy (that was a joke) and IIA Insight.  In addition to my monthly magazines, I had the weekly accounting literature updates to keep up with.

And truth be told, I was a bit intimidated by the blogging thing.  It seemed to take so much time.  What would I blog about?  Who else besides me was interested in auditing and SOX? 

That was before I read Clear Blogging: How People Blogging Are Changing the World and How You Can Join Them by Bob Walsh.  Highly recommended!!!  The book is easy to read and at the end of each chapter, there is a To Do list that summarizes the key things you should do to get started.

That's how I started this blog.  Page by page, I read it.  Then, I went back to the To Do lists and completed the easiest tasks.  Clearly, there's more I could do for my blog, but just getting started was liberating.  Blogging was no longer this mysterious thing that techies do.  Heck, if I could do it, anyone can.

Seth Godin Live in Silicon Valley

I heard Seth Godin speak live in Silicon Valley on Wednesday.  Very engaging story teller!  He reminded me that I need to build that skill to connect with clients or in presentations.  Just listening to him gave me ideas for marketing material that is alive and dynamic. 

If he comes to your city, it's well worth the $50.

SEC: SOX Guidance Yes, Extension No

The SEC has decided not to extend the deadline of SOX 404 compliance for companies with less than $75 million in market capitalization.

PCAOB Approves Auditing Standard 5

You can read the press release for details.  A brief summary is below.

The New Auditing Standard

The Board’s new standard is designed to achieve four objectives:

1.                  Focus the Internal Control Audit on the Most Important Matters – The new standard focuses auditors on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements.  It does so by incorporating certain best practices designed to focus the scope of the audit on identifying material weaknesses in internal control, before they result in material misstatements of financial statements, such as using a top-down approach to planning the audit.  It also emphasizes the importance of auditing higher risk areas, such as the financial statement close process and controls designed to prevent fraud by management.  At the same time, it provides auditors a range of alternatives for addressing lower risk areas, such as by more clearly demonstrating how to calibrate the nature, timing and extent of testing based on risk, as well as how to incorporate knowledge accumulated in previous years' audits into the auditors' assessment of risk and use the work performed by companies’ own personnel, when appropriate.

2.                  Eliminate Procedures that Are Unnecessary to Achieve the Intended Benefits – The Board examined every area of the internal control audit to determine whether the previous standard encouraged auditors to perform procedures that are not necessary to achieve the intended benefits of the audit.  As a result, among other things, the new standard does not include the previous standard’s detailed requirements to evaluate management's own evaluation process and clarifies that an internal control audit does not require an opinion on the adequacy of management’s process.  As another example, the new standard refocuses the multi-location direction on risk rather than coverage by removing the requirement that auditors test a "large portion” of the company’s operations or financial position. 

3.                  Make the Audit Clearly Scalable to Fit the Size and the Complexity of Any Company – In coordination with the Board’s ongoing project to develop guidance for auditors of smaller, less complex companies, the new standard explains how to tailor internal control audits to fit the size and complexity of the company being audited.  The new standard does so by including notes throughout the standard on how to apply the principles in the standard to smaller, less complex companies, and by including a discussion of the relevant attributes of smaller, less complex companies as well as less complex units of larger companies.  The upcoming guidance for auditors of smaller companies will develop these themes even further.

4.                  Simplify the Text of the Standard – The Board’s new standard is shorter and easier to read.  This is in part because it uses simpler terms to describe procedures and definitions.  It is also because the standard has been streamlined and reorganized to  begin with the audit itself, to move definitions and other background information to appendices, and to avoid duplication by cross-referencing to existing concepts and requirements that appear elsewhere in the Board’s standards and relevant laws and SEC rules.  For example, the new standard eliminates the previous standard’s discussion of materiality, thus clarifying that the auditor’s evaluation of materiality for purposes of an internal control audit is based on the same long-standing principles applicable to financial statement audits.  Also, in order to better coordinate the final standard and the SEC’s new rules and management guidance, the new standard conforms certain terms to the SEC’s rules and guidance, such as the definition of “material weakness” and use of the term “entity-level controls” instead of “company-level controls.”

PCAOB to Vote on Audit Standard May 24th

The Public Company Accounting Oversight Board on May 24, 2007, will vote on a final standard on auditing internal control over financial reporting, as well as a related independence rule and conforming amendments to the board's auditing standards.  If adopted, the new standard would supersede the board's existing auditing standard, Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements."

PwC Study: Internal Audits Lack Strategy for Risk Assessment

According to a recent PWC study, there continues to be a lack of consistency around the assessment of risk by internal auditors, according to the third annual study of current issues for the internal audit profession.

A number of divergent and conflicting trends related to risk assessment are a concern among internal audit executives. Although there is growing interest in enterprise risk management (more than 80 percent of respondents reported they conduct an annual enterprise-wide risk assessment), only a handful of those surveyed said they update the internal audit risk assessment continuously, while 64 percent may be doing little or nothing between annual assessments.

At one-third of the companies surveyed, multiple enterprise-wide risk assessments are being conducted across the organization. Of this group, only 20 percent consider these assessments "well" aligned, while 50 percent said they are "somewhat" aligned and 30 percent said they are "not well" aligned, with little or no coordination among the parties making the assessments.

PwC said six imperatives should be considered when strengthening the internal audit risk assessment process, as suggested by the study:

1. Adopt a process approach to risk assessment and planning.
2. Supplement annual risk assessments with quarterly or more frequent updates.
3. Leverage your prior assessment results.
4. Align and leverage risk assessments.
5. Seek out the specialized talent you need.
6. Coordinate effectively with other risk management groups.

Internal Auditor Jobs on the Rise, Says IIA

Corporate scandals, Sarbanes-Oxley legislation, and a renewed focus on protecting stakeholder interests are driving the growth of the internal audit profession, according to the Institute of Internal Auditors.

The global professional association said this is creating a record number of jobs for internal auditors, higher salaries for internal audit practitioners, and an enhanced perception of internal auditing's true value within the business community at-large.

I remember the old days when the internal auditors were perceived as second-rate auditors.  If you couldn't make it as an external auditor, then you became an internal auditor.  Also, the internal auditors were the 'gotcha' guys so you wanted to keep them out of your dept or at least limit the amount of time they spent looking at your dept.  That perception has changed dramatically since Enron and SOX. 

Now that I perform internal audits, I hope that my clients view my input as beneficial.  I go out of my way to build a collaborative working relationship by communicating why I do certain things or why the risks are high.  If people understand the context (or why you do something) and the reasoning makes sense, they go out of their way to help you.

Free Webcast -Managing Compliance and Ethics Globally

For those of you who want to learn more about managing compliance globally, Compliance Week is hosting this webcast...

When running a global compliance and ethics program, how do you overcome perceptions that this is just an American legal requirement? How do you respect local cultural differences but build a common corporate culture? How do you create allies in local business units to extend your reach? Join us, Thursday, May 24, 2007 at 2 p.m. EST with experts from The Altria Group, The Dow Chemical Company and LRN, when they will discuss what they are doing to ensure that their companies stay on the right side of the line, no matter where they do business.

SOX Compliance Costs Decline Again

In its sixth Sarbanes-Oxley compliance survey, trade association Financial Executives International found that Section 404 compliance cost Corporate America less in year three of adoption than in each of the first two years.

I agree with the study that the cost reductions are a result of overcoming the initial start-up costs and finding more efficient ways to perform controls or to test the controls.  For example, my client's IT dept has tweaked its in-house incident-tracking tool to include a drop-down menu that identifies IT changes related to SOX.  This enabled the IT dept to quickly query or compile a list of all the IT changes for the auditors.

My client has also incorporated the controls into its daily/monthly/quarterly procedures so that performing the controls is a normal part of life.