Section 404(b) of the Sarbanes-Oxley Act, known as SOX 404(b), requires that companies evaluate the effectiveness of their internal controls over financial reporting and have this evaluation audited by their external auditors. Since the Sarbanes-Oxley Act was passed in 2002, the SEC has delayed SOX 404(b) compliance for smaller reporting companies. Companies can use the delay as an extended window to improve internal controls.
“Complete your testing and management report so there is sufficient time for the auditors to perform their test of your work, and also their own independent testing before the reporting deadline,” advises Richard Kam, principal for Gumbiner Savett Inc.
Smart Business spoke with Kam about SOX 404(b), what is required of a small reporting company’s auditors and how to prepare for a SOX 404(b) audit.
When do smaller reporting companies have to comply with SOX 404(b)?
Currently, the SEC requires the company’s independent auditors to provide their attestation to management’s SOX 404(a) report for fiscal years ending after Dec. 15, 2008. For companies with calendar year ends, this would be as of Dec. 31, 2008. However, in a Dec. 12, 2007 SEC release, a one-year delay was proposed, which has not yet been approved by the SEC, but it appears likely.
What is required of the auditors?
Auditors of public companies are bound by the standards set out by the Public Company Accounting Oversight Board (PCAOB). PCAOB Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, sets the requirements of the auditors. It is available to anyone for free on the PCAOB Web site (pcaobus.org). I recommend that CEOs, CFOs and their staff read the standard to understand what their auditors will be asking of them.
What can a business expect from auditors in their compliance with AS5?
The auditors will consider the work performed by management in reaching the conclusion reported under SOX 404(a). As indicated by the title of AS5, the auditors will integrate their audit of internal controls with their audit of the financial statements. This should allow for efficiencies as the auditors may be able to reduce testing in the financial statement audit if the internal controls are found to be reliable. The auditors will take a top-down, risk-based approach. This allows them to focus on the areas they consider to be of highest risk. Some areas of concern to the auditors may include controls over:
- significant and unusual transactions
- journal entries and adjustments, especially those made at the period end and at the financial-statement level
- related-party transactions
- areas requiring significant estimates by management
Taking into account their understanding of the company and its system of internal control, the auditors will consider each financial statement line item (cash, accounts receivable, inventory, etc.), the nature and complexity of the account and the related reporting risks. The auditors will consider what can go wrong as well as the associated controls at the entity level and at the activity level. Consideration will be given to the strength of entity level controls when designing tests to perform on the activity level controls.
The auditors will also consider the reporting process, which may include:
- how information is entered into the general ledger
- the selection of accounting policies
- initiation, authorization and recording of information in the general ledger
- recurring and nonrecurring adjustments to the quarterly and period-end financial statements
- how quarterly and annual financial statements and related disclosures are compiled
Procedures the auditors will perform to test the operating effectiveness of a control will include a mix of inquiry of appropriate personnel, observation of operations, inspection of relevant documentation and reperformance of the control.
How important a role does the control environment play in the auditing process?
A key component of entity level controls is the control environment. This addresses the ‘tone at the top.’ The auditors will consider if management promotes effective internal control over financial reporting and has sound integrity and ethical values, and if the board or audit committee understands and exercises the appropriate level of oversight on financial reporting and internal control.
How should management prepare for the SOX 404(b) audit?
Management should base its 404(a) evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable recognized framework (e.g. COSO framework). Re-emphasize to the board and audit committee their responsibilities related to internal control over financial reporting.
Communicate with your auditors early about what the scope of your testing will be, including the number of transactions you intend to select and the period you will cover. Discuss the way you are setting up the files and who will be doing the testing. Conduct testing throughout the year to correct any control deficiencies and retest them for effectiveness before the year-end audit.
RICHARD KAM is a principal for Gumbiner Savett Inc. Reach him at (310) 828-9798 or email@example.com.