Non-accelerated filers may still be hoping for yet another delay in full compliance with Section 404 of Sarbanes-Oxley, but the wise ones should prepare for the inevitable now rather than risk incurring more audit costs later this year.

Small filers have evaded Section 404 for years, with its costly requirement to assess and audit internal controls over financial reporting. Only this year have they begun compliance with Section 404(a)—management’s assessment of internal controls—but the truly fearsome provision has always been 404(b), requiring an external audit of internal control.

As it stands now, small filers must comply with Section 404(b) for fiscal years ending on or after Dec. 15, 2009. And after four years of deadline extensions from the Securities and Exchange Commission, most experts now say the stalling is over.

There is “no basis to think that the SEC is going to delay the attestation requirement again,” says Jim DeLoach, a managing director at consulting firm Protiviti. “Act on the rule as it presently exists and [don’t] wait and hope the SEC might change it.”

Yes, the SEC is still conducting a cost-benefit study of Section 404 compliance costs, which commissioners ordered the last time they extended the compliance deadline in 2008. The SEC has been mum on when that report will be issued. An SEC spokesman said the Office of Economic Analysis is currently analyzing the response data.

Theoretically, the study could give the Commission cover to extend the deadline yet again or to exempt small filers from Section 404 entirely. But that was the popular idea during the tenure of former Chairman Christopher Cox, a Republican appointee. He has since been replaced by Obama appointee Mary Schapiro; when asked about Section 404 during her confirmation testimony in January, she said, “It’s time that we bring uniformity to the system.”

In other words, don’t bet on another delay.

DeLoach and fellow Protiviti managing directors Paresh Raghani and Bonnie-Jeanne Gerety offer several tips to ensure that the auditor attestation process goes smoothly. Chief among them: Don’t procrastinate. While small filers have now gone through their first cycle of looking at internal controls themselves, “having an external party involved does change the dynamic, not only as far as their process, but how you’re going to be doing things internally,” Gerety says.

First up, companies should read and understand the available guidance on Section 404, particularly the SEC’s guidance for management, and the Public Company Accounting Oversight Board’s Auditing Standard No. 5 for external audit firms. In January of this year the PCAOB also issued guidance for auditors of smaller companies, and the Committee of Sponsoring Organizations published guidance in February aimed at helping companies use their existing internal control monitoring to support their Section 404 assertions.

In particular, Gerety says, read the PCAOB’s January guidance. That is what the audit firms will be using, so the more companies can align their approach with the auditors, the better the chance that the auditors will be able to rely on management’s work and keep audit fees down.

“Understanding the rules that apply to external auditors and engaging them early in the process will help position you for success,” she says. That said, management, rather than the auditors, should “set the agenda and drive the process,” Gerety continues, since management makes the assertions on the internal control environment.

Refresher on the Basics

As with any compliance initiative, tone at the top is critical. Gerety says involvement by the audit committee, CEO, and CFO will be crucial, and companies should set up a SOX steering committee that includes the CFO, controller, IT director, and SOX project management. The group should meet at least monthly and should provide a quarterly update to the audit committee.

AUDITOR GUIDANCE

Key Points From PCAOB Guidance for Auditors

Protiviti Managing Director Bonnie-Jeanne Gerety offers eight key points for management to remember based on the PCAOB guidance for auditors of smaller companies:

Emphasis on tone at the top. Operating style, the company’s code of ethics, the clarity of roles and responsibilities, and a strong audit committee are all areas auditors will study for evidence of the tone set by management.

Start at the top when identifying key controls. Management can rely on entity-level controls in lieu of process-level controls if there’s sufficient precision in those controls to detect and correct material errors and omissions. That can translate into less testing by external auditors. Examples of entity controls include monitoring of operational results, controls over period-end financial reporting processes, and controls that monitor other controls.

Focus on risk. Management should focus on risk throughout the assessment process, not just at the beginning, since changes in the business affect the risk of misstatements. That should include evaluation of the risk of material misstatement and the risk of control failure. If it doesn’t relate to an ICFR risk, however, it’s not relevant to management’s assessment.

Understand the risk of management override. It’s a bigger issue for smaller companies, but companies can mitigate the risk by maintaining an ethical corporate culture; having an effective whistleblower program; leveraging an internal audit function with direct reporting to the board or the audit committee; and having a qualified board and audit committee that take their responsibilities seriously.

Understand the effect of less formal documentation. The form, extent, and availability of documentation can affect the evidence required for management’s assessment and can change the auditor’s assessment. That doesn’t mean management should create volumes of documentation. “Meet with your external auditor early and develop an effective audit strategy,” says Gerety.

Pay attention to the segregation of duties. In addition to segregating incompatible duties, which can be tough for small companies, companies should identify alternative controls, such as reviewing detailed transaction reports on a regular and timely basis, reviewing selected transactions, performing periodic counts of assets and comparing them to accounting records, and reviewing reconciliations of account balances.

Know your IT controls. Smaller companies with less complex IT environments should work with auditors to determine what applications should be in scope, controls dependent on IT, and the effect of IT control deficiencies on tests of other controls. Examples of IT-related risks that may affect reliability of financial reporting include reliance on systems or programs inaccurately processing data, processing inaccurate data or both, and unauthorized access to data.

Anticipate evaluation of your financial reporting competencies. Among other things, auditors may consider how the company establishes and agrees on the required knowledge, skills and abilities for different roles and responsibilities, the training provided to the financial reporting process, and whether employees are reviewed and evaluated relative to their assigned roles.

—Source: Protiviti April 14 Webinar: Auditor Attestation: What You Can Expect.

For compliance to be as cost-effective as possible, SOX “should be perceived as a process, and something here to stay” rather than a once-a-year project. Planning should begin in the first quarter or early second quarter. At that point, management should determine the SOX timeline, confirm that it works for their external auditors, identify project sponsors, and clearly define roles and responsibilities.

Early and ongoing communication with auditors is vital. In particular, Raghani says, get agreement from the external auditors on six points:

the selection of significant financial reporting objectives and related accounts;

the selection of key controls;

documentation standards;

the evidence needed to support a conclusion on the effectiveness of ICFR;

the determination of locations and units to be included in scope;

and the methodology for assessing the severity of control deficiencies.

Reaching agreement with outside auditors on those decisions at the early stages and communicating throughout the process can lessen the differences in the approaches used by management and auditors for testing the operational effectiveness of controls. That, Raghani says, can help keep audit costs down.

And while it’s common for smaller companies to have less extensive documentation compared to larger companies, Raghani says management should have “enough documentation to ensure that the assessment is repeatable and avoids second guessing toward the end of the project.”

Gerety says the best approach may be documentation that’s as simple as risk and control matrices that identify key risks, provide a high-level flow of the transaction, and identify a control within the process. Documentation efforts should focus first on entity-level controls, which may mitigate risk of material misstatements and reduce reliance on process-level controls.

Scoping work should also start early in the first quarter. “The earlier you start scoping activities, the better off you’ll be,” Gerety says, since making scoping decisions early can help eliminate unnecessary activities and cost. For smaller companies, significant accounting transactions may affect scoping and immateriality and should be reassessed on a quarterly basis to identify changes in the company’s risk profile.

Updating documentation, assessment of entity-level controls, and design work should all be completed by early second quarter. While there’s a tendency by smaller companies to push that work back to the end of year, Gerety says companies would be wise to complete it earlier to leave time for testing operational effectiveness and remediating any problems.

She also suggests companies prioritize remediation early on, so they can focus on their highest-risk areas first, in the event that there are multiple control failures and not enough time to remediate all of them.

Finally, Gerety says the list of key controls should be revisited annually to adjust for any changes in the company’s operating environment and to evaluate whether any improvements can be made, such as rationalizing some controls or moving up to entity-level controls.