After years of postponement, non-accelerated filers will need to comply with Section 404(b) of the Sarbanes-Oxley Act, which requires management and an external auditor to report on the adequacy of a public company’s internal control over financial reporting.
Smaller reporting companies with a market cap below $75 million have complied with other sections of SOX, but now the internal control audit requirement will be in place. Wayne Pinnell, managing partner of Haskell & White LLP, says non-accelerated filers will be audited for fiscal years ending on or after December 15, 2009.
“Planning is a key to success,” he says. “If a company’s initial planning was done years ago or they are not feeling prepared, now is the time to review their documentation and test their internal controls as further delays to the requirement are not likely.”
Smart Business learned more from Pinnell about how businesses can prepare for the audit and what they should expect.
Are the affected businesses ready to be held to SOX’s standards?
Companies have been required for a number of years to ensure that their internal controls are in place, but the external audit for smaller public companies had not been a requirement. At recent SEC conferences, people have asked if it will be delayed again, but that possibility does not look likely. Companies that are subject to these upcoming audit requirements should move forward with the idea that there will be no further delay.
What can businesses do to prepare?
If you are concerned about your internal controls, consultants are available to help with the design and testing with SOX in mind. At this point, companies should also conduct a planning session with their auditor to coordinate testing and reporting efforts. One key to stress: Focus on the big picture and take a top-down environmental approach. Mistakes can happen when you focus too much time on the nuts and bolts of transaction processing and fail to recognize the overall strengths or weaknesses in the organizational structure.
Why is a top-down approach better?
Environment controls deal with big-picture issues such as a company’s industry and related business practices, the ability to identify and respond to risks, and the overall entity structure and line of authority. If, when evaluating internal controls, you skip over these ‘global’ areas while spending too much time on the minute details of issuing a check, for example, you are likely to miss more critical weaknesses in the operating environment. The general COSO framework for internal control and the PCAOB audit standard focus heavily on the top-down approach.
What are the consequences that could occur for noncompliance?
Noncompliance could result in a disclosure of material weaknesses in a company’s 10-K as reported by management and the company’s auditor. It just takes one material weakness to receive an adverse auditor opinion on internal control effectiveness. For the longer term, public companies can find that reporting material weaknesses can discredit the organization in the eyes of investors and potential business partners. While there are no direct consequences, such as fines or penalties, management of such companies needs to recognize that SOX is part of the overall securities law with which they should maintain an attitude of and effort for compliance.
How would those consequences change for a private company?
Slowly but surely, private companies have been feeling a trickle-down effect for the last three years as a result of risk-based audit standards, which have focused on internal controls. Creditors and investors are very interested in understanding the nature of the internal controls at private companies and may begin asking for information about the state of a company’s internal controls as they evaluate relationships. The second issue for private companies centers on transactional matters. If they are contemplating going public or merging with a public company, they will need to focus on documenting and testing internal controls in the near-term.
What do you expect the outcome to be?
Due to the sheer magnitude of non-accelerated filers that will be required to comply with SOX 404(b) for the first time, a large number of material weaknesses could be reported by smaller organizations as they may not have the organizational structure large enough to provide for a good segregation of duties or they may be lacking in technical ability or depth of infrastructure. Some internal control weaknesses can be fixed at a relatively low dollar cost by reassigning duties. However, the smaller companies will also be focused on the overall cost/benefit argument.
How can businesses find those fixable issues?
Ask your auditors or consultants or network with other companies to see what issues they faced and how they fixed them. Find an outside seminar or workshop on SOX where you may be able to ask questions that you are uncomfortable asking your own auditors. Since the regulation has been around for a number of years, the answers will be available.
Wayne R. Pinnell, CPA, is the managing partner at Haskell & White LLP. Reach him at (949) 450-6314 or firstname.lastname@example.org.