SOX 404(b) audits

Section 404(b) of the Sarbanes-Oxley
Act, known as SOX 404(b), requires that
companies evaluate the effectiveness of their internal controls over financial reporting
and have this audited by their external auditors. Since the Sarbanes-Oxley Act was
passed in 2002, the SEC has delayed SOX
404(b) compliance for smaller reporting
companies. The delay can be an extended
window to improve internal controls.

“Complete your testing and management
report so there is sufficient time for the auditors to perform their test of your work, and
also their own independent testing before the
reporting deadline,” advises Richard Kam,
principal for Gumbiner Savett Inc.

Smart Business spoke with Kam about
SOX 404(b), what is required of a small
reporting company’s auditors and how to
prepare for an SOX 404(b) audit.

When do smaller reporting companies have to comply with SOX 404(b)?

Currently, the SEC requires the company’s
independent auditors to provide their attestation to management’s SOX 404(a) report for
fiscal years ending after Dec. 15, 2008. For
companies with calendar year ends, this
would be as of Dec. 31, 2008. However, in a
Dec. 12, 2007 SEC release, a one-year delay
was proposed, which has not yet been
approved by the SEC, but it appears likely.

What is required of the auditors?

Auditors of public companies are bound by
the standards set out by the Public Company
Accounting Oversight Board (PCAOB).
PCAOB Auditing Standard No. 5 (AS5), An
Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of
Financial Statements, sets the requirements
of the auditors. It is available to anyone for
free on the PCAOB Web site (pcaobus.org). I
recommend that CEOs, CFOs and their staff
read the standard to understand what their
auditors will be asking of them.

What can a business expect from auditors in their compliance with AS5?

The auditors will consider the work performed by management in reaching the conclusion reported under SOX 404(a). As indicated by the title of AS5, the auditors will integrate their audit of internal controls with
their audit of the financial statements. This
should allow for efficiencies as the auditors
may be able to reduce testing in the financial
statement audit if the internal controls are
found to be reliable. The auditors will take a
top-down, risk-based approach. This allows
them to focus on the areas they consider to
be of highest risk. Some areas of concern to
the auditors may include controls over:

  • significant and unusual transactions

  • journal entries and adjustments, especially those made at the period end and at the
    financial-statement level

  • related-party transactions

  • areas requiring significant estimates by
    management

Taking into account their understanding of
the company and its system of internal control, the auditors will consider each financial
statement line item (cash, accounts receivable, inventory, etc.), the nature and complexity of the account and the related reporting risks. The auditors will consider what can
go wrong as well as the associated controls at
the entity level and at the activity level.
Consideration will be given to the strength of
entity level controls when designing tests to perform on the activity level controls.

The auditors will also consider the reporting process, which may include:

  • how information is entered into the general ledger

  • the selection of accounting policies

  • initiation, authorization and recording of
    information in the general ledger

  • recurring and nonrecurring adjustments
    to the quarterly and period-end financial
    statements

  • how quarterly and annual financial statements and related disclosures are compiled

Procedures the auditors will perform to test
the operating effectiveness of a control will
include a mix of inquiry of appropriate personnel, observation of operations, inspection
of relevant documentation and reperformance of the control.

How important a role does the control environment play in the auditing process?

A key component of entity level controls is
the control environment. This addresses the
‘tone at the top.’ The auditors will consider if
management promotes effective internal
control over financial reporting and has
sound integrity and ethical values, and if the
board or audit committee understands and
exercises the appropriate level of oversight
on financial reporting and internal control.

How should management prepare for the SOX 404(b) audit?

Management should base its 404(a) evaluation of the effectiveness of the company’s
internal control over financial reporting on a
suitable recognized framework (e.g. COSO
framework). Re-emphasize to the board and
audit committee their responsibilities related
to internal control over financial reporting.

Communicate with your auditors early
about what the scope of your testing will be,
including the number of transactions you
intend to select and the period you will cover.
Discuss the way you are setting up the files
and who will be doing the testing. Conduct
testing throughout the year to correct any
control deficiencies and retest them for effectiveness before the year-end audit.

RICHARD KAM is a principal for Gumbiner Savett Inc. Reach him at (310) 828-9798 or [email protected].