
Business Technology

Tuesday, May 06, 2008

SOX 404: US Non-Accelerated Filers – Are You Ready for Certification?

April 2008, written by Geoff Rodrigues, CA, ORMP of Horwath Orenstein - On July 30, 2002, the Sarbanes-Oxley Act became law for all companies listed in the United States, including those foreign companies that have listings on United States exchanges. Section 404 of the Sarbanes-Oxley Act set out requirements for both the management of these public companies and the external auditors to separately and independently evaluate the company’s internal controls over financial reporting. Section 404 has two provisions: 404 (a) requires management to assess the effectiveness of the company’s internal controls over financial reporting, while 404 (b) requires a separate auditor attestation of the company’s internal controls. Accelerated filers (i.e. companies with market capitalization over $75 million) have been subject to both provisions since 2004. Non-accelerated filers (i.e. companies with market capitalization less than $75 million) are now gearing up to make their first certification, as management must perform their assessment for their first year ending after December 15, 2007, with the external auditors performing their assessment likely after December 15, 2009 (this date is still under review).

What Does this All Mean?

What this means is that management should already be evaluating not only the design of their internal controls over financial reporting, but also their operating effectiveness before year end. Section 404 says management has to certify that as at year-end the internal controls over financial reporting are effective in mitigating those risks that could prevent the financial statements from being materially accurate. The United States Securities and Exchange Commission was very clear in its release 33-8183, “Strengthening the Commission’s Requirements Regarding Auditor Independence”, stating, “…we believe that designing and implementing internal accounting and risk management controls impairs the accountant’s independence because it places the accountant in the role of management.” A large part of evaluating the internal controls is making design changes to address identified weaknesses. Therefore, it is pretty clear that the independent auditors cannot effectively assist management with their assessment without impairing their independence. Also, the auditors are expected to perform their own assessment of the internal controls. So how could they independently assess and conclude on internal controls that they have already assessed on behalf of management, and presumably participated in making design changes based on that assessment? With all that being said, what is management to do?

Tips to Management on Performing their Assessment

Our role as consultants to companies going through the process is to provide guidance and assistance to them on applying a systematic process to document and evaluate their internal controls over financial reporting to allow management to conclude on their effectiveness. Below we have summarized our thoughts on how to efficiently and effectively implement a sustainable certification effort:

Overall Plan – Probably the most important piece of the entire effort is to plan. If you fail to plan, then plan to fail! Within the plan, companies should begin by starting at the top. Management should look at the financial statements and assess the areas where material errors are likely to occur. This is achieved by considering several factors, such as defining a materiality threshold to identify, from a quantitative perspective, the financial statement accounts that, if misstated by that threshold, would likely affect the decisions of users of the financial statements. After performing the quantitative assessment, management should also perform a qualitative assessment on those same financial statement accounts by looking at inherent items such as complexity of transactions, history of errors, transaction volume, subjectivity to judgment, etc. After performing both the quantitative and qualitative assessment, management should be in a position to identify the financial statement areas on which to focus attention. Other objectives of the plan are to develop a steering committee, develop milestones for performance of key phases, establish a document repository and identify a pilot process for evaluation.

Entity Level Controls – Based on guidance set out by the Public Company Accounting Oversight Board in Audit Standard 5, the assessment should be top-down focusing more attention on the entity level controls due to their pervasive nature and impact. The intention is that with a strong control framework at the entity level, the likelihood of material errors occurring at the transaction level is reduced. Some of the areas to look at within the entity level are control environment, disclosure controls and procedures, estimates and judgments, period end reporting, and susceptibility to fraud.

Conduct Pilot – The purpose of conducting a pilot is to test the state of a single process or location, at the transaction level, to provide an indication of the state of all the key transaction level controls. This will provide management with a sample based on time spent that can be extrapolated to determine the amount of work required to complete certification. Management can use those results to refine the budget, resources, timetable and plan.

Project Roll-Out – This is the phase where the internal controls at the process level (identified in the planning phase) are evaluated. This is done by documenting the controls using process maps, risk/control matrices, and/or process narratives. Once documented the controls are evaluated for effective design by ensuring controls are in place to mitigate all critical risks identified for each process. Once management concludes the design is effective, the controls are tested to ensure they are operating effectively.

Monitoring – The final phase represents the testing of the operating effectiveness of the internal controls over financial reporting. In this phase, samples are selected for all key controls identified in the previous phase and test plans and procedures are developed. The test procedures are executed and results are extrapolated to represent the entire population of transactions for each material process.

Note: Remediation and implementation of new or modified controls can occur both at the design evaluation and operating effectiveness stage. Much of the work planned in the project rollout and monitoring phases is based on the results of the entity level evaluation and to what extent management can rely on the strength of the entity level controls. An important hazard to watch out for is scope creep, so make sure you keep to the plan.

I’m going to conclude this article with 10 of the most common pitfalls we’ve seen companies experience when conducting their own internal control evaluation (whether it’s SOX 404 or Bill 198/MI-52-109):
  1. Management is trying to evaluate a function versus a process – the “Silo” mentality
  2. Not enough communication between management and internal audit. Internal audit is independent of management and usually performs the evaluation once the controls are documented by management.
  3. Lack of top-down risk-based approach – too much focus at the transaction level
  4. Lack of competent internal resources – organizations tend to bring in employees from finance to perform the work, but management must carefully oversee their work as not all finance personnel have experience in internal control
  5. Insufficient testing of automated controls – too much focus on manual controls
  6. Lack of timely implementation of guidance – piecemeal application of standards
  7. Treatment of compliance as project management versus process management – the framework developed must be sustainable
  8. Insufficient knowledge transfer from process owners to key personnel
  9. Lack of differentiation between key and non-key controls and streamlining of processes
  10. No initiative to introduce operational efficiencies based on compliance activities

The most important thing to remember is that internal control evaluation should extend beyond regulatory compliance and should add value where possible. So when management is going through the process, it is important to make the number of controls scalable to the size of the organization, with the focus remaining on what will materially affect the financial statements and users’ decisions. Remember, one size does not fit all!

As your company nears year-end, the most important question you can be asking yourself is, are you ready for certification?
