Web BankAudit.Net
Search powered by Google
Sarbanes-Oxley Act
Is Sox 404 On or Off Again?

Written by: Ian Waller

With the Securities sand Exchange Commission’s (“SEC”) August 9th press release many companies are again asking themselves this question. The August 9th press release contained two important proposals for domestic companies:

  • First to move non-accelerated filers’ compliance date for management’s assessment of the effectiveness of internal control over financial reporting from fiscal year’s ending on or after July 15, 2007, until fiscal years ending on or after December 15, 2007. Also included in this proposal was an extension of the date for which companies must comply with Section 404(b), the requirement that independent auditors must issue an attestation on a company’s internal control over financial reporting. The new date would be for the first annual report for fiscal years ending on or after December 15, 2008.
  • Second to include a transition period for SOX 404 implementation for new public companies. This proposal would change the rules so companies would not have to issue either management’s report or auditor’s attestation on internal control over financial reporting until after the company has filed one annual report with the SEC.

What do these proposals mean for my organization?

For companies either looking to go public or in the process, you have a breathing period between the work related to your initial offering and the report due date on the internal control over financial reporting. It allows senior management and the Board of Directors to focus on employing the capital raised effectively and efficiently to maximize shareholder return, prior to investing substantial time and money to document, test and report on internal controls over financial reporting. However, management and the Board should consider this relief period as a good time to begin to document controls, to ensure there are no surprises during the year of required compliance.

For those companies already public and subject to SOX 404, the first proposal mentioned above delays only the external auditor’s portion of SOX 404 work for most companies.

The proposal only delays management’s assessment for companies with fiscal years ending prior to December 15, 2007. December 31 year-end companies must still perform management’s assessment of the effectiveness of the internal controls over financial reporting and provide a report on that assessment for their 2007 year end. The change is that your auditors do not have to come behind the internal work and test the controls to support issuing an attestation on their effectiveness.

For non-accelerated filers: where and when do we start?

There has been much debate on whether the framework used to evaluate larger public companies is applicable to smaller issuers. The SEC continues to issue guidance on the implementation of SOX 404 based on information it has obtained through Roundtable discussions. These discussions and subsequent guidance issuances are focusing on improving the implementation process based on issues identified during accelerated filer implementation.

Additionally, the SEC chartered an advisory committee on smaller public companies in 2005, and this committee issued its final report on April 23, 2006. The committee’s directives included consideration of the impact of the Sarbanes-Oxley Act of 2002, frameworks for internal control over financial reporting, methods for management’s assessment of such, auditing standards for such, and accounting and disclosure standards for smaller public companies. The committee submitted recommendations to the SEC on changes to consider relating to the above issues. The SEC is now in the process of considering the recommendations for implementation.

In July of 2006, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) issued a report on “Internal Control over Financial Reporting – Guidance for Smaller Public Companies”. In 1992, COSO originally issued “Internal Control-Integrated Framework”. This 1992 report and the framework it lays out has been used by the majority of public companies in assessing their internal control over financial reporting. The July 2006 release by the committee provides guidance to smaller companies on how to apply this framework to design and implement internal controls over financial reporting. The report continues to uphold the five component internal control framework of control environment, risk assessment, control activities, information and communication, and monitoring.

The starting point for all companies, including non-accelerated filers is the control environment. Control environment encompasses the “Tone at the Top”. This includes senior management and the Board setting the standards of sound integrity and ethical values. The Board should be active and exercise substantial oversight of management and the overall company. The organizational management philosophy and operating style should support effective internal control. The control environment should also include hiring policies and practices that support competent hiring, clear authority and responsibility guidelines, and a strong organizational structure to support internal control.

Once the control environment has been properly established and documented, the remaining components of the framework can be established and/or documented, assessed, and tested. The “Tone at the Top” is the critical component of the framework. Failure to implement the proper “Tone at the Top” cannot be overcome by proper control activities or effective and efficient information and communication. A proper “Tone at the Top” can mitigate weaknesses in other components. First priority for a company must be in establishing or improving their control environment.

Furthermore, the COSO report noted the process for assessing the internal control over financial reporting needs to focus on risk. In other words, focus on the key objectives of the system of internal controls. Once the key objectives are identified the processes and procedures accomplishing these objectives must be documented and then tested. Once they are tested, any deficiencies identified must be evaluated and remediation, if necessary, must be implemented and then retested.

As you can see, this process is very time consuming and initial evaluation should begin early. Prior to beginning the evaluation process, the control environment establishment, assessment and documentation should be complete. More and more information on the implementation of SOX 404 is becoming available to smaller public companies. Although the deadline for your auditors to issue an opinion on the effectiveness of internal controls has been delayed, management’s work on implementing its provisions continues to be a pressing issue that should be given substantial consideration soon!

Related Links:

Contact Nichols, Cauley & Associates by Email, phone, or online form with your questions.

Site visitors should keep in mind that the content is generally designed to be of general applicability. Particular state laws, regulations and special contractual provisions can greatly impact rights, responsibilities and legal obligations. Only a competent attorney, accountant or other professional looking at all the pertinent facts and circumstances of a particular situation can provide definitive guidance for you. Please refer to our important legal discalimer which can be accessed from the bottom of any BankAudit.net webpage.
Home   |   About Us   |   Links   |   Legal Disclaimer
This site copyrighted,designed and maintained by Nichols, Cauley and Associates, LLC. All rights reserved.
Any comments or problems relating to the site should be sent by e-mail to Webmaster@BankAudit.net.
 D/b/a Nichols, Cauley & Associates, PLLC in North Carolina