SOX meets tech: as control requirements change, technology must meet small-business challenges.The Committee of Sponsoring Organizations of the Treadway Commission's long-awaited draft, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, was released in October 2005 to address internal controls for smaller publicly owned Publicly owned can refer to:
COSO's small-business guidance uses 26 principles that constitute effective internal controls over financial reporting and identifies several themes, including control environment, risks, control activities, information technology (communication) and monitoring. The small-business guidance also added the focus of personal responsibility for controls that are necessary to smaller businesses. Shortly after COSO's draft was released, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 that exposed the profession to the murky waters of quasi-internal controls. This subcommittee recommended to: 1. Exempt "micro-cap" companies with market capitalization Market Capitalization A measure of a public company's size. Market capitalization is the total dollar value of all outstanding shares. It's calculated by multiplying the number of shares times the current market price. This term is often referred to as market cap. of less than $128 million from SOX (1) (Schema for Object-oriented XML) An XML schema developed by Veo Systems and Muzino Communications, which was submitted to the W3C. SOX is based on DTD, but adds data typing and reuse mechanisms. Sec. 404 under certain conditions; and 2. Exempt smaller companies with market capitalization of less than $787 million from external audit requirements of Sec. 404 under certain conditions, or at least require a more cost-effective approach to these requirements. Due to these developments, "smaller company" internal control technology is left in a bog. Where should internal control-assisting technology go from here? Does it stay the course, but try to lighten light·en 1 v. light·ened, light·en·ing, light·ens v.tr. 1. a. To make light or lighter; illuminate or brighten. b. To make (a color) lighter. 2. the load? Does it change radically, throwing out the first two years of SOX compliance? DIFFERENT APPROACH The COSO-SB, the SEC advisory and the PCAOB PCAOB Public Company Accounting Oversight Board pronouncement that directed auditors to use a more risk-based approach when certifying internal controls necessitate ne·ces·si·tate tr.v. ne·ces·si·tat·ed, ne·ces·si·tat·ing, ne·ces·si·tates 1. To make necessary or unavoidable. 2. To require or compel. a radical change in the technological approach to internal controls. Software companies emphasize process-level testing and controls, which accommodate the auditor's preferences. However, the new movement emphasizes an entity-level risk assessment approach that dictates the proper focus on process-level controls. Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies. Once a company's balance sheet is analyzed in this top-down approach Top-down approach A method of security selection that starts with asset allocation and works systematically through sector and industry allocation to individual security selection. , a risk-based analysis at the process level can be properly performed (Exhibit 1), mitigating the risk of excessive testing and expense. [GRAPHIC OMITTED] After a tool has met the top-down process, then it can be mapped to internal control processes and business cycles. These process maps should include stoplights and alerts to warn managers when processes are materially affected. Technology for smaller companies also should emphasize the increased role of the control environment and monitoring. The tool should empower the company's limited financial staff with enough monitoring tools to react quickly to changes in the company atmosphere and internal control inconsistencies. [ILLUSTRATION OMITTED] With updated technology, smaller companies can afford proper internal controls and satisfy the auditor's internal control requirements. That does not mean, however, that the experience learned in the prior two years was irrelevant to the technology companies. SOX technology metamorphosis is Metamorphosis I is a woodcut print by the Dutch artist M. C. Escher which was first printed in May, 1937. This piece measures 7 5/8 x 35 3/4” and is printed on two sheets. like looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. a light switch in the dark--some may feel around the wall, while others purchase expensive night-vision glasses to find the switch. The end result is that the light is turned on, but at what cost? As auditor requirements change, technology must meet the small-business challenge with a less-expensive solution.
exhibit 1
ENTITY-LEVEL/PROCESS-LEVEL relationships comparison
LARGE-STRUCTURE FRAMEWORK SMALL-STRUCTURE FRAMEWORK
INITIAL BOTTOM-UP INTERNAL TOP-DOWN INTERNAL CONTROLS
CONTROLS APPROACH APPROACH
entity-level controls entity-level risks &
controls
Process-level risks & Process-level controls
controls
Note: Table made from bar graph.
BY RICK NORRIS, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. Rick Norris, JD, CPA is a principal with Los Angeles-based Decision Point Solutions LLC (Logical Link Control) See "LANs" under data link protocol. LLC - Logical Link Control . You can reach him at rnorris@decisionpoint.la. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion