Payment Card Security & IT Controls Explained

Entries from December 2006

SOX 404 Deadline extended for Small Biz, By James DeLuccia IV

December 19, 2006 · 1 Comment

An early Christmas present to all “Smaller Companies and Newly Public Companies” from the SEC was announced on December 15, 2006 (Press release 2006-210). This further extends the deadline for management and auditor reports for all companies that are considered small or newly public. This additional extension does not provide any grants or reductions in the requirements, but is solely for the purpose of extending the time necessary to comply.

This is especially important as recent publications have made the requirements for SOX 404 compliance more relevant and reflective of the needs of organizations of many sizes. At this time, the updates to the implementation guidance, the modifications to AS2, and the subsequent efficiencies gained by audit firms from conducting these internal audit engagements are creating significant cost savings for smaller businesses, as larger organizations work out the kinks in the process.

These efficiencies are attested to in numerous letters to the SEC and PCAOB during the “Second-year Experiences with Implementation of Sarbanes-Oxley Internal Control Reporting and Auditing Provisions” period. As Edward Nusbaum, CEO of Grant Thornton, stated so eloquently, the reasons for costs coming down in year two include “…experience…efficiencies in understanding…firsthand experience for planning and execution…” All of these can be associated with likely savings for the upcoming attestations for smaller businesses and newly filed companies. His six main points are posted below to communicate his entire meaning, as the above statements were greatly taken out of context for the purpose of this article:

[Image: picture-1.png – Edward Nusbaum’s six main points]

The specific guidance table below was excerpted from the SEC press release, and describes precisely who is to comply with SOX and when:

[Image: picture-2.png – SEC compliance deadline table]

Please post additional links that provide helpful information for smaller businesses and newly filed companies.

Best regards,

James DeLuccia IV

Categories: Compliance · IT Controls · Sarbanes-Oxley · regulations · sox

SEC Not Easing Section 404 – empowering management & laying framework for risk-based testing, By James J DeLuccia IV

December 14, 2006 · 1 Comment

The SEC posted a press release relating to its much anticipated guidance on the Sarbanes-Oxley Act requirements for Section 404, internal controls over financial reporting. Below are my comments on the press release and the available information.

John W. White, Director of the SEC’s Division of Corporation Finance stated “The proposed interpretive guidance should reduce uncertainty about what constitutes a reasonable approach to management’s evaluation while maintaining flexibility for companies that have already developed their own assessment procedures and tools that serve the company and its investors well. Companies will be able to continue using their existing procedures if they choose, provided of course that those meet the standards of Section 404 and our rules. At the same time, the guidance maintains the important investor protection objectives of bringing information about material weaknesses into public view and fostering the preparation of reliable financial statements in an effective and efficient manner.”

All quoted excerpts in this article were extracted from http://www.sec.gov/news/press/2006/2006-206.htm. The recent guidance provided by the SEC focuses on Section 404 and specifically addresses:

“(1) a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) management’s assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal controls structure and procedures for financial reporting.”

The new guidance, as amended after the comment period, is flexible and will not discard the groundwork already in place at most organizations. Specifically, the SEC states:

“…afford management the latitude to either follow the interpretive guidance or to develop and use other methods that achieve the objectives of the Commission’s 2003 rules.”

While the proposed interpretive guidance document is not yet available, the principles that directed its development have been made available. These principles bring the decision making on what risks exist to the business itself. This entails management evaluating its controls to determine whether material misstatements may exist, and then assessing those controls.

“…management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner.”

“management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those controls.”

In all, the principles aim to allow management to determine the appropriate controls to address the relevant risks that the organization faces. This is meant to allow for complete scalability across companies of all sizes.

The to-be-released guidance document will lay out a clear risk-based approach to use when meeting the 404 requirements. The high-level points were released, but not much more. The good news is that these are very similar to previously published NIST risk standards and those of independent groups.

Top Level Risk-Based SOX Approach proposed by SEC

  1. Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks.
  2. Evaluation of the operating effectiveness of controls.
  3. Reporting the overall results of management’s evaluation.
  4. Documentation.

All in all, the initial guidance does not eliminate or excuse poor controls, as some popular press outlets are implying, but places a bit more authority with management to identify risk and evaluate its own controls. December is becoming quite heated, as an SEC roundtable discussing Section 404 is being webcast, and the PCAOB is set to release an update to AS2.

More posts to follow as the world of controls becomes more mature…

James DeLuccia IV

Categories: Compliance · Risk Management · Sarbanes-Oxley · regulations