The SEC Issues Guidance on Internal Controls and Approves PCAOB Auditing Standard No. 5: The Ball is Now in the Court of Small Businesses to Get Control Over Controls
by Jeff Sone and
Non-accelerated filers, public companies with market capitalization of $75 million or less (smaller businesses), face a critical deadline to bring their internal control environment into compliance with one of the most difficult requirements of the Sarbanes-Oxley Act of 2002 (SOX).
Smaller businesses will be required to comply with the management attestation requirement of Section 404 of SOX for fiscal years that end on or after December 15, 2007, and will be required to comply with the auditor attestation requirement one year later for fiscal years ending on or after December 15, 2008. Accelerated filers have been complying with the Section 404 requirements since 2004. Smaller businesses, which comprise the vast majority of public companies, have enjoyed two postponements of the compliance dates since the rules implementing Section 404 were approved. Despite congressional hearings on the matter and pressure on the Securities and Exchange Commission (SEC), the expectation is that further postponements will not take place. Although the House of Representatives has passed an amendment that is awaiting Senate action that would postpone the compliance deadline for smaller businesses for another year, we feel that adoption by the Senate and signing by the President in time to provide meaningful relief to smaller businesses is unlikely.
Smaller businesses should, if they have not already, begin performing risk assessments and determining and documenting key controls. Any delays by smaller businesses to begin the process of compliance will result in lack of sufficient time to remediate issues that are discovered, which in turn will result in adverse reports and costly negative disclosure regarding their controls. The challenges that smaller businesses face include implementing or strengthening the internal audit function, adequately documenting existing controls, and implementing adequate segregation of duties for accounting and control personnel.
Although compliance with Section 404 has proven difficult and expensive for many reporting companies, others have tried with some success to treat the requirement as an opportunity to improve the efficiency and effectiveness of the company’s business processes and as an opportunity to give senior management better visibility into the business. Additionally, senior managers who indicate a lack of commitment to compliance with the requirements of Section 404, whether through negative communication with employees or failure to assure progress toward compliance, are likely to find themselves subject to criticism by their independent auditors, all of whom are required by their firms to comment upon management’s commitment to compliance.
Smaller businesses will not be faced with all of the issues their larger cousins wrestled with over the last four years. Among other things, audit firms have a great deal of experience with Section 404, meaning that many common issues can be resolved in a consistent way. In addition, an experienced cadre of consulting accountants now exists to assist companies in documenting their internal controls and resolving potential issues. Because of other provisions of SOX, however, a smaller business will not be able to retain its independent auditors for this kind of assistance. All issuers also now have the advantage of guidance and new rules issued by the SEC in June and July 2007 relating to Section 404 compliance.[1] These rules were adopted with the express purpose of increasing audit efficiency and reducing audit costs by facilitating more effective and efficient evaluations of internal control over financial reporting by management and auditors. The SEC’s interpretive guidance on these rules provides an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way for management to satisfy the evaluation requirements of Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934. The two principles underlying the top-down, risk-based approach are that (1) management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner and (2) management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.
The SEC has also revised the SOX requirements for the auditor’s attestation report on the effectiveness of internal control over financial reporting to require only one report on the effectiveness of internal control over financial reporting, eliminating the current requirement for a separate auditor opinion on management’s assessment process. These revisions were intended to address criticism that management’s Section 404 related evaluation process was being driven by the external auditors rather than by what in management’s view were the key areas of risk in the company’s reporting process. Finally, all issuers will benefit from the SEC’s approval in July 2007 of the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements,[2] to replace Auditing Standard No. 2. Auditing Standard No. 2 was often blamed for the high costs of compliance with Section 404 by accelerated filers. Auditing Standard No. 5 provides the new professional standards and related performance guidance for independent auditors to attest to, and report on, the effectiveness of a company’s internal control over financial reporting and is effective for audits for fiscal years ending on or after November 15, 2007.
So What Is Next?
The PCAOB is developing guidance for smaller businesses, and the SEC is preparing a guide for smaller businesses covering the SEC interpretive guidance, but further relief postponing the compliance date applicable to smaller businesses is not likely. Smaller businesses cannot wait any longer, and their Audit Committees should be setting expectations regarding the timing and implementation of compliance.
Audit Committees should understand that the company’s independent auditors are expecting to see leadership from the Audit Committee in setting an appropriate “tone at the top” and, failing that, are likely to be critical of management and the Audit Committee. Audit delays under those circumstances are quite likely. Negative responses to any discovered “material weaknesses” or “significant deficiencies” are also more likely where the independent auditors do not see aggressive leadership on Section 404 compliance by the Audit Committee.
Management should assess the company’s control environment and identify risk areas and prepare a plan for assuring Section 404 compliance. Very often, smaller businesses will lack the resources necessary to bring the company quickly into compliance. So, outside consultants may prove useful in providing a rapid assessment and advice with respect to the implementation of internal controls. As discussed above, the company’s existing independent auditor will not likely be willing to provide this service. Smaller businesses should be engaging with their outside auditors and establishing a timeline for the activities required for the company’s implementation and documentation of controls and for the auditor’s testing of controls in the next year for the auditor to fulfill the attestation requirements. These timelines should have adequate time built into them to allow for the remediation of deficiencies that are discovered during the course of management assessment and the external auditor’s testing of controls. Auditors will appreciate early communication of a reasonable timeline.
If you have questions concerning the new rules and guidance issued by the SEC and the PCAOB and steps your business should be taking to comply with the rules and related disclosure requirements, you can contact Jeff Sone at firstname.lastname@example.org or Alex Frutos at email@example.com in our Dallas office, Mike Meskill at firstname.lastname@example.org in Austin, Sabrina McTopy at email@example.com or Richard Roth at firstname.lastname@example.org in Houston, or Steve Jacobs at email@example.com in San Antonio for additional information.
[1] SEC Interpretive Release No. 33-8810, dated June 20, 2007, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 and SEC Release No. 33-8809, dated June 20, 2007, Amendments to Rules Regarding Management’s Report on Internal Control Over Financial Reporting.
[2] SEC Release No. 34-56152, dated July 27, 2007.