Ready or not, the Dec. 15 deadline for non-accelerated filers to start complying with Section 404 of the Sarbanes-Oxley Act is fast approaching—and this time, the odds that small companies can avoid compliance yet again are small.
The Securities and Exchange Commission has issued its final changes to help companies meet their 404 compliance obligations, and affirmed that no more deadline extensions are coming. Bills floating through Congress may pre-empt that decision in favor of another year’s delay, but experts say too little time now remains for companies to bet on that outcome.
Basilo
“Many small businesses have really procrastinated, so far,” says Thomas Basilo, chief executive officer of accounting and consulting firm WithumSmith+Brown Global Assurance. “They should stop procrastinating and move this forward. In our experience, what we’re seeing is that most companies really think they’re much further ahead than they actually are.”
By continuing to put the project off, a number of problems can arise, including the inability of a company to finish the project on time and the potential for carelessness. “If you haven’t done your documentation, done your testing, or done your planning, and you try and do all that at the last minute, there are more chances for mistakes,” says Dan Blum, a research director at the Burton Group consulting firm.
To avoid any kinds of problems, boards of directors need to take several steps right away—if they haven’t already—“including establishing transparency guidelines, setting a proper tone at the top, and being explicit about organizational ethics,” says Trent Henry, another analyst at the Burton Group.
“The tone at the top is absolutely critical to success of the project,” Basilo says. “The board needs to be sure that the attitude of the CEO is one of, ‘We need to get this project done.’”
Ernie Ten Eyck, an adviser to the Association of Audit Committee Members, agrees. “I think it’s their job to hold their feet to the fire and make sure things get done.”
First Steps
Brounstein
Specifically, at this point in the game, companies already should have assessed key control environment issues and established a work plan based on a risk analysis, says Rick Brounstein, executive vice president of Calypte Biomedical Corp., a non-accelerated filer in California. “I assume most companies by now have looked at the key control environment issues,” he says. “It would be a little late to find new board members if there was an independence issue or audit qualification issue—if that process has not been started.”
Boards also should have already selected a point-person from the audit committee who can ensure that compliance is being achieved. Ideally, Basilo says, this person should be an independent outsider with extensive financial knowledge.
It’s also essential for board members to pay attention to the latest auditing standard guidelines, he recommends; the Public Company Accounting Oversight Board overhauled its auditing standard in June, and the SEC approved that final guidance only last month. “Review the company’s 2007 to 2008 internal audit plan, and revise it to incorporate the internal audit department into the Section 404 compliance project,” Basilo says.
Henry
Paying attention to technology is also important, Henry says. On that front, wise steps include understanding “change control” (to ensure that modifications to critical environments are timely, approved, and properly executed) and enforcing segregation of duties (to ensure that no single employee, especially a technical administrator) is able to execute a critical action without adequate oversight.
External Auditors
Next, the board should schedule a planning session, which should involve the CFO and CEO. Based on experience with larger companies, says Ten Eyck, “senior executives tend to get either uninvolved or involved too late.”
By including them in the meetings, a company can more clearly assess where it stands and whether to bring in an outside auditing firm, Basilo suggests.
Boards should consider tapping outside help. One reason depends largely on company or staff size. “Most of these smaller companies are not going to have the manpower to do the type of work that needs to be done, so they can cut some of these things by bringing an outsider to, at least, help them assess the plan to provide them with some guidance,” says Basilo.
Henry adds that a young or newly public company “might not have accounting, procedural, and technical controls that evolve over time,” he says. “They need rapid assessment, advice, and implementation of internal controls to meet SOX obligations.”
In general, outside auditors can more clearly assess the CEO’s attitude regarding the compliance process, as well as the readiness of the company, says Basilo.
Auditor Relationship
When hiring an external auditor, don’t be afraid to probe the firm’s knowledge of current SOX compliance processes. “Many firms have assumed that SOX requires a Chinese wall between auditors and the companies being examined; this isn’t the case,” says Henry. “The PCAOB has made it clear that a healthy conversation between auditors and companies is essential for SOX to be effective.”
Blum
For example, Blum suggests, you might want to ask what a firm’s methodology is; what resources it will provide; and what its timeline for conducting tests and a walk-through will be, as well as the meeting dates when the auditors will be coming in, he says.
The bottom line is, “you need to make sure that all is in line with what the company’s goals are,” says Basilo.
While a company cannot use its external auditor in any consulting capacity to help design internal controls, “you can most certainly involve them in discussions about the appropriate classes of controls and how to show evidence of effectiveness,” Henry says. “This will make the whole experience much less painful.”
The key is getting the financial statements correct before filing annual reports in the spring of 2008. Especially important would be to remediate controls identified as weaknesses and used to produce the financial statement, says Brounstein. “That should be the priority.”
Pinpointing any deficiencies that were found the previous year is especially essential because “a deficiency looks a lot worse if it was not fixed the next year,” says Basilo.
SOX Appeal
Overall, treat the Section 404 project as an exercise in improving business processes rather than a mere annoying compliance obligation. After all, “The whole Sarbanes-Oxley Act was really designed to increase investor confidence in companies,” Basilo says.
While many people view the increased cost of being a public company as not necessarily worth the effort, Basilo contends that the positive benefits for SOX—including increased convictions for fraud and corporate crime, greater credibility in financial statements, and more corporate integrity—far outweigh the costs.
Ten Eyck
“I think it’s going to be messy for a lot of these first-time filers simply because they’re smaller companies” and lack the staff size of larger companies, Ten Eyck says.
“Embracing the revised guidance offered by the SEC and the new auditing standards proposed by the PCAOB will help the board and the company overcome and effectively manage the challenges of SOX,” Basilo says.
No comments yet