For many companies, the mention of internal controls sets off a passionate discussion of the latest physical inventory or the recent establishment of an asset tracking system.

While safeguarding the company's assets is one element of internal controls, Section 404 of the Sarbanes-Oxley Act of 2002 has brought to the forefront a concept of internal control policies and procedures that was previously foreign to many public companies, especially smaller public companies.

Today, companies are realizing that internal controls are really about providing management and ultimately shareholders with reasonable assurance regarding the reliability of financial results and disclosures.

Such reliability can only be achieved by a self-analysis of the effectiveness and efficiency of the accounting operation and the implemented institutional safeguards throughout the organization to ensure compliance with applicable laws and regulations.

Head in the Sand

To meet the demands of this new internal control environment will be no easy task for many companies.

In an approach that is similar to the proverbial ostrich with his head in the sand, many smaller public companies have put off any evaluation or improvement of their internal control systems, policies and procedures until the SEC establishes a final rule regarding Section 404.

These companies have taken this approach, in spite of clear evidence that the requirements will soon be finalized. For example, the SEC has published a proposed rule concerning the requirements of Section 404 in SEC Release No.33-8138.

While a final implementation of the proposed rule has been delayed, the SEC has signaled that the delay is only to allow Public Company Accounting Oversight Board to have a director appointed so that the PCAOB can have a chance to weigh-in on the proposed rule. With the recent selection of William J. McDonough to head the PCAOB, quick action concerning the SEC's rulemaking obligations concerning Section 404 should be anticipated.

Companies that want to begin the process of complying with the spirit of the expected SEC rulemaking can and should take a variety of actions now to begin to address the requirements of Section 404.

Some suggested actions include:

Figure out what your organization currently does to assess your controls relating to financial reporting;

Assess whether your organization needs outside help to assist with the process;

Analyze whether your organization is able to gather and evaluate control related information throughout your entire organization;

Begin to identify control gaps for correction prior to the reporting requirements of the new rules

Focus your entire organization on controls;

Seek input for improvement of your internal control processes from internal and external sources.

Busy Bees

While some companies have taken the ostrich approach, others have taken a busy bee approach. They have buzzed throughout their organization creating new internal controls and instituted new processes, some of which are duplicative of an existing well-performing process.

The damage that can be caused by the busy bee approach is that many of these new processes will eventually be ignored once it becomes apparent that they are having a detrimental effect on the ability of the company to operate in a fast-paced business environment.

Internal controls should be established at a level to ensure that their objective can be realized without creating undue bureaucracy for the organization. In short, a company needs to establish an appropriate balance between the ultimate goal and the control necessary to meet the goal.

The establishment of a system of internal controls is not a rigid process and there is no right way or wrong way to establish them. Rather, internal controls should be specific to each organization after a thorough analysis of the operations of the organization and a review of the existing controls.

Because organizations change, a company should expect that over time its internal controls will require review and likely change. Failure to do so can result in a system that merely safeguards assets without providing appropriate safeguards to shareholders.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.

 

Topics