But complying with Sarbanes-Oxley, more casually known as SOX, is costly and redundant when you figure that outside auditing firms must perform double audits, first on managements’ assessment of internal controls, then again by testing the controls and forming a conclusion about the effectiveness of internal controls.
“New guidance from the SEC and Public Company Accounting Oversight Board (PCAOB) is the first major step toward addressing excessive compliance costs,” says Chris Meshginpoosh, director of Management Advisory Services for Kreischer Miller, Horsham, Pa.
Indeed, cost-prohibitive assessment and auditing procedures have driven some smaller companies to avoid an initial public offering, or to go public in overseas markets instead. Large public companies spend hundreds of thousands of dollars complying with SOX, and companies with market capitalization of less than $70 million confront similar costs a disproportionate burden.
Smart Business spoke to Meshginpoosh about ways companies can mitigate SOX compliance costs even before final guidance is expected to be passed in mid-2007.
What exactly does the proposed guidance mean by a ‘top-down, risk-based’ approach to internal controls assessment?
Basically, this approach involves starting at the financial statement level and working your way backward through internal control processes as opposed to beginning from the ground up. During their first year of compliance, many large companies started by asking process owners to document every process, with almost complete disregard to the size or risk profile of the related account balances or disclosures. In other words, even if the controls in these processes failed, it would be of no concern to investors and, ultimately, would have very little impact on the company’s bottom line. Given the size and geographic dispersion of many large companies, this type of an approach was exhausting.
Instead, the SEC and PCAOB are once again stressing the importance of a top-down risk-based approach. Which account balances are material? Which accounts involve a high degree of risk? Are there high-level controls such as detailed variance analyses that address the risk, or do I need to rely on lower-level process controls?
Where might relying on entity-level controls might be appropriate?
Let’s take payroll. Most companies rely heavily on employees to conduct operations and, as a result, payroll balances are generally material to financial statements. But let’s take an example where a company primarily employs salaried workers and experiences very little employee turnover. Because payroll balances would be relatively predictable, detailed budget versus actual comparisons performed by management that require investigation of variances in excess of defined thresholds might represent a highly effective entity-level control associated with certain payroll assertions.
However, if the company employs a large number of hourly employees, has a high rate of turnover as well as substantial cyclicality, a budget-to-actual comparison might not be as effective. Therefore, the company might need to rely on lower-level controls such as supervisory reviews of timesheets.
Are there areas where companies need to spend more time?
One of my biggest concerns is that companies have spent a considerable amount of time on low-risk areas, but have not focused closely enough on areas that require an understanding of complex accounting issues. However, if you look at the nature of material weaknesses disclosed by public companies, a substantial majority involve errors associated with the application of complex accounting pronouncements.
If companies employ effective top-down, risk-based approaches, they should identify these types of potential issues in the planning process. Once identified, companies should think long and hard about the qualifications of their personnel and decide whether augmenting internal resources with outside accounting expertise is warranted.
What resources can companies refer to as they consider ways to implement the proposed guidance now?
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission established a framework a decade ago that still serves as the de facto standard for internal control assessments. Also, the SEC's proposed guidance is available on its website, www.sec.gov. Finally, companies can always consult third party advisors to assist them in their evaluation efforts.
CHRIS MESHGINPOOSH is director of Management Advisory Services for Kreischer Miller in Horsham, Pa. Reach him at firstname.lastname@example.org or (215) 441-4600.