Reader Profile
Editor's note: Each month, we ask a Directors & Boards reader to comment on critical issues facing directors today. If you'd like to participate in this section in the future, please email Scott Chase.

The Wait Is Finally Over For Small Businesses

Non-accelerated filers brace themselves for SOX implementation surge.

Now that the SEC has taken action to define Sarbanes-Oxley corporate governance requirements for small businesses, what can we expect in this arena?

Ever since the two words – Sarbanes-Oxley – began to roll off the tongues of those in corporate America, small businesses have been bracing themselves for the anticipated sleepless nights and onslaught of headaches due to corporate governance guidelines. After three years of delays and what appeared to be some mercy given to smaller companies, these businesses are now finding out the true impact of this legislation. On May 23, 2007, the Securities and Exchange Commission (SEC) voted to publish guidance for management on the evaluation of internal controls over financial reporting. The intention behind these new guidelines is to streamline implementation of Section 404 of the Sarbanes-Oxley Act by offering guidance on Management's Assessment, thus eliminating deferral by management to PCAOB Auditing Standard No. 2 (AS2) as the de-facto rule for implementation. The SEC's regulatory efforts are also intended to enhance investor protections and strengthen the U.S. financial markets while reducing the cost of compliance. Subsequently on Thursday, May 24, 2007, PCAOB issued a new auditing standard - Auditing Standard No. 5 (AS5) - to replace the existing AS2. This new guideline provides guidance for external auditors allowing for improved audit efficiency, a more focused, risk-based and scalable approach for opining on internal controls over financial reporting.
Simply stated, the new standard focuses the audit of internal control over financial reporting on a risk-based approach that retains the old standard’s core principles, while reducing implementation costs. While these provisions do not create a separate standard for smaller companies, AS5 does explicitly require the auditor to tailor the nature, extent and timing of testing to meet the unique characteristics of less complex entities. The standard identifies the unique characteristics of less complex companies and operations and identifies six areas where those characteristics impact the competent evidence required by the auditor in reaching their conclusion. The auditor should evaluate the complexity of the company or operation and that evaluation should have a “pervasive effect on the audit.”

What’s the background leading up to this situation? How exactly are companies classified?

In July 2002 the U.S. Congress passed the Sarbanes-Oxley Act (SOX), designed to help restore public and investor confidence following highly publicized corporate bankruptcies and scandals, including Enron and others. All companies publicly registered under the SEC had to comply with SOX requirements. SOX requires company management to certify its financial results quarterly and assert annually that its internal controls over financial reporting are effective. This annual assertion results in additional costs and burdens for companies of all sizes, but particularly for smaller companies that lack the internal expertise or manpower to do what’s required. As part of the assertion, management must both document and evaluate those internal controls that mitigate the risk of a material misstatement of the financial reports. The SEC classifies companies as either accelerated or non-accelerated filers. Accelerated filers typically include companies with market capitalizations greater than $75 million.
Characteristics of less complex companies, or non-accelerated filers, generally include: a market capitalization of $75 million or less, fewer lines of business/products, a highly concentrated marketing focus and management with significant ownership interests or rights. Also typical of these businesses are fewer levels of management and wider spans of control, more streamlined transaction processing systems, fewer personnel with a broader range of responsibilities, and limited expertise in various areas. The distinction between filers is important because the compliance deadline for non-accelerated filers has been pushed back repeatedly; currently, non-accelerated filers are required to furnish management’s assessment for fiscal years ending on or after December 15, 2007 with auditor attestation under section 404 required for fiscal years ending on or after December 15, 2008. Non-accelerated filers that haven’t addressed or completed their SOX compliance can take full advantage of lessons learned by companies already in compliance, and of the newly proposed standards intended to ease inefficiencies and costs related to implementation.

What are the benefits of new guidance for small businesses?

Accelerated filers learned that more is not necessarily better. Many external auditors erred on the conservative side, requesting documentation and testing of nearly every procedure and control, not just key controls over financial reporting. That usually resulted in higher costs. In addition, without compliance guidance to fall back on, management deferred to its external auditors and AS2. The new guidance from the SEC applied in conjunction with the changes in AS5 promotes efficiency, allowing management to focus on only those controls needed to adequately address the risk of a material misstatement in its financial statements.
The new guidance also states that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk, and provides an approach for making these risk-based judgments. As a result, management may be able to use more-efficient approaches to gathering evidence in low-risk areas and perform more extensive testing and evidence-gathering in high-risk areas. Armed with this knowledge, small businesses can ease the burden of implementing SOX guidelines by keeping the following processes top-of-mind.

What critical factors can ease this transition? Do you have any tips?

Even with the new simplified standard and added SEC management guidance, it’s often difficult for companies to know where to begin. A good first step is to understand and evaluate the strengths and weaknesses of eight critical factors within the organization. After assessing these, management can create action plans to address weaknesses before compliance efforts begin, improving implementation process effectiveness and cost efficiency. The eight critical factors to assess are:

1) Tone at the top – The business environment created by management that sets the tone for how the company operates
2) Number of business processes – Those financial statement accounts that present the greatest reporting risk
3) Policies and procedures documentation – Available workflows or narratives that define key steps in the processes
4) Extent of information systems integration – Whether or not multiple, non-integrated systems exist
5) Operational structure and complexity – Whether operations are centralized or de-centralized
6) Availability of internal resources – Whether skilled resources are available within the organization
7) Role of internal audit – Whether a mature internal audit function is available to help with the workload
8) External auditor involvement – Expectations and requirements of the external auditor

You lead off with “tone at the top.” How important is this, really? And how can the board monitor the potential for management override of internal controls?

Tone at the top specifically relates to management’s ability to set the tone for how the company operates and meets its business objectives. Tone at the top is perhaps more important and easier to implement in smaller companies due to management’s span of control and ability to directly influence the internal control environment. Tone at the top is often aligned with company entity-level controls.
Entity-level controls represent the highest level of controls within and across the organization, including operational, financial and compliance controls. Entity-level controls typically have a pervasive impact on controls at the process, transaction or application level. Arguably the biggest pain point for non-accelerated filers or smaller companies relates directly to management’s ability to override controls without significant oversight. Override can negate existing controls such as segregation of duties; therefore, checks and balances are vital to a strong internal control environment. As a mitigation activity, the board of directors can oversee management, monitoring areas of significant risk to ensure certain controls function as intended. This may include meetings to discuss key performance indicators and the organization’s key controls, discussions with external auditors on monitoring management override of controls, or reviewing evidence supporting changes in certain account balances. It may also include periodic senior management walkthroughs of critical processes. All monitoring activities should be documented in board meeting minutes.

Other than compliance with SOX, what long-term benefits, if any, does management’s assessment of internal controls over financial reporting offer to smaller companies?

It’s generally accepted that the initial-year compliance effort will result in additional costs, particularly if remediation is necessary to improve internal controls. Many times, smaller companies have fewer people performing more jobs. That means remediation of control gaps or failures often includes additional steps or approvals in the processes under review. These enhancements to internal controls would seem to add costs to the processes in both the initial and subsequent years of SOX.
However, these enhancements can help prevent future intentional or unintentional financial reporting errors, misstatements and misappropriations, perhaps saving the company money and preventing litigation and public embarrassment in the long run. Companies should emerge from year one of SOX compliance with improved processes and more confidence in their financial reporting. Sustaining compliance in subsequent years should be a much easier process. Significantly, for some companies, the long-term benefits may include strategic initiatives to centralize or standardize business processes, optimize information systems, develop internal capabilities to monitor the internal control environment and reduce the cost of capital. The compliance clock for smaller businesses and non-accelerated filers is ticking. Accelerated filers learned there is no such thing as too much preparation or planning. The sooner efforts begin, the better. Fortunately, the path to compliance is now clearer. With some forethought and planning, small businesses can reap the benefits of a solid assessment of internal controls over financial reporting while managing the burdens.

Owen Sullivan joined Jefferson Wells, a subsidiary of Manpower, in 2003 as CEO and President. In 2005, he was also named chief executive officer of another Manpower subsidiary, Right Management Consultants. Sullivan’s 20-plus years of corporate and entrepreneurial business experience includes nine years with Metavante Corporation (formerly M&I Data Services) in Milwaukee, where he was president of the Enterprise Solutions and Financial Services groups. Through his firm Sullivan Advisors, LLC, he provided consulting services to venture capitalists and equity groups, building strategic plans and evaluating acquisition opportunities. He began his career at IBM where he spent 14 years in several sales and marketing management positions.

Jefferson Wells delivers professional services in internal audit and controls, technology risk management, tax, and finance and accounting. It serves clients, including Fortune 500 and Global 1000 companies, from 50 offices across North America and Europe. The firm has worked on more than 4,000 Sarbanes-Oxley related engagements.

Copyright © 2007 Directors & Boards, P.O. Box 41966 Philadelphia, PA 19101-1966. All rights reserved.