How Small Companies Can Use AS5

The clock is ticking for smaller companies that are facing their first-ever Sarbanes-Oxley assessment on internal control over financial reporting, yet experts say many are still banking on another deferral rather than acting now to use the tools at their disposal.

Tagle

“Some companies are still holding out hope that that they might not have to deal with this after all,” says Raina Rose Tagle, a partner with Beers & Cutler, a Washington, D.C.-based regional audit firm.

Small public companies (those with market capitalizations at or below $75 million) must begin complying with SOX’s Section 404 requirements for fiscal years that end after Dec. 15, 2007. First up is the management report on internal controls over financial reporting, which must be filed with companies’ annual reports filed next spring; external auditors’ attestation over internal controls will come one year later.

While the SEC has stood firm on the 2007 deadline for the management reporting requirement, members of Congress have stumped for another delay for smaller companies. A bill to delay the effective date for another year is pending in Congress.

In the years since SOX first took effect, however, regulators have revised their compliance guidelines numerous times to make Section 404 more palatable—particularly for smaller companies, which say compliance costs will be a huge burden to them. The Securities and Exchange Commission published guidance earlier this year giving management more specific direction about how to assess and report on internal controls. Meanwhile, the Public Company Accounting Oversight Board issued a new, more flexible standard for auditors to follow when auditing internal controls.

Schrock

Still, some smaller companies are gripped by fear. “Many are frightened by the cost,” says Kathy Schrock, national SOX solution leader with executive services firm Tatum. “They don’t have the expertise internally to do this, and they’re concerned about the cost of outside help.”

Cindy Fornelli, executive director at the Center for Audit Quality, says she worries about the extent to which smaller companies may still be waiting for another delay. That attitude, she says, might cause a repeat of the panicky, year-end push to comply that larger companies endured when they first confronted Section 404 in 2004. Back then, the now-dead Auditing Standard No. 2 drove extensive documentation and testing of controls.

Fornelli

“If [smaller companies] are not doing the internal control work, it creates a self-fulfilling prophecy,” Fornelli says. “It puts pressure on the audit firms, puts pressure on the system, and puts us back where we were with AS2."

Schrock says some smaller companies may be going so far to decide that the prospect of complying is so daunting, they’ll pass on the requirements and accept whatever consequences await.

“There are companies with a structure such that they’ll decide they’re going to accept material weaknesses and not try to remediate them,” she says. “I spoke with a company recently that said, ‘We’re going to elect not to comply.’ I said, ‘We’re not aware of that election; talk to your SEC counsel.’”

Experts say some companies may also be minimizing the significance of the first year’s report since it need not be accompanied by an audit opinion. “What they do this year in establishing management assessment drives what happens next year when auditors come into the picture,” says Schrock. “They need to take a good stab at it this year.”

Fred Lutzeier, president of CBIZ Risk & Advisory Services, says companies that take a minimalist approach this year risk making misleading statements and getting dinged by auditors in the following year.

“If they don’t do the required leg work to get documentation in files that they’ve reviewed and where they’ve evaluated their internal controls and therefore believe they have no material weaknesses, they’re going to be making representations in their annual reports,” he says. “They run the risk in the following year of having to explain why they made such assessments in year one when the auditor says in the following year that controls are not good.”

Where You Should Be

Smaller companies that are working to comply should have documented their systems, evaluated their controls, and performed at least some testing by this point in the calendar year, Lutzeier says. “As we’re getting closer to the end of the year, they should be determining what remediation might be needed.”

Lutzeier

Companies that aren’t so far along, or haven’t started at all, can still meet the deadlines if they hustle, Lutzeier says. He recommends companies start with the SEC guidance directed at management. “If a company follows that guidance, it will be in a position to make a good faith effort to comply with the law,” he says.

External auditors may be able to help to some degree, but they are bound by independence rules from being too deeply involved in management’s process. Tagle says working with a second audit firm or other outside consultants can help avoid that problem.

Still, she adds, it’s important to have the existing external auditor involved to help smooth the path toward next year’s audit opinion. “Starting collaboration sooner rather than later is critical,” she says. “Companies are making a lot of decisions in Year One that will be evaluated by the external auditor in Year Two. It would be unwise to make those decisions in a vacuum.”

Bob Hirth, managing director at risk consulting firm Protiviti, says companies may be further along than they realize just because the nature of reporting and auditing has changed even for companies not yet required to comply with Section 404.

“Companies are making a lot of decisions in Year One that will be evaluated by the external auditor in Year Two. It would be unwise to make those decisions in a vacuum.”

— Raina Rose Tagle,

Partner,

Beers & Cutler

“Audit firms have been doing a pretty good job of getting much more attentive to the controls,” he says. “We’ve seen an increase in the number of management letters being issued to companies where the comments are around controls, even though the company doesn’t have to comply with SOX.”

Schrock says smaller companies that have yet to get started should begin by assessing risk around financial reporting misstatement, and external auditors are a great resource in pointing the way. “In many cases, the auditors have already geared their audit toward higher-level risks,” she says.

Inexperience with Section 404 requirements is a concern for companies and audit firms alike, Schrock admits. But, she says, professionals in middle- and smaller-market arenas have had the opportunity to watch how larger companies and audit firms have addressed the issues. Tagle agrees: “We’re seeing smaller companies starting to incorporate the lessons learned from bigger companies.”

One significant advantage is AS5’s new advice on how to scope multiple locations into or out of an audit; companies now have more flexibility to base testing and sampling on the materiality of a particular location. “Companies can really identify processes that cut across locations and aggregate the testing of controls, perhaps selecting just one sample for testing,” Tagle says.

Hirth

Multiple locations may prove tricky for smaller companies whose audit firms are regional, because the audit firm may not have staffing in far-off locations to conduct appropriate auditing. In such cases, auditors will rely on partner firms in auditing networks, Hirth says, but companies will have to play a role in assuring the effort is coordinated and consistent across multiple locations.

“The company needs to look to that lead audit partner for leadership of the affiliates,” he says. “Do they have a strong plan for organizing the audit? Do they have a standard approach and methodology? Are they making it clear among the different teams that are doing the work what’s the agreed way we’re going to do the work, and what level, style, and quantity of documentation is required?”