Section 404 for small caps: ease the learning curve for small-cap companies.


EXECUTIVE SUMMARY

* In 2005 about 3,700 large-cap ($75 million or more) companies underwent the first wave of Sarbanes-Oxley section 404 audits. Here, a firm experienced with Sarbanes-Oxley section 404 audits for accelerated filers shares its best practices to help with compliance for nonaccelerated filers (companies with market capitalization under $75 million), which must begin filing audit reports for fiscal years ending after July 15, 2007.

* The external auditor's section 404 responsibility is to critically evaluate the design and effectiveness of management's internal controls over financial reporting, test as necessary, form an opinion and communicate significant deficiencies and material weaknesses to management and the audit committee.

* At least one year before the deadline, management should assign a project leader, establish a time line and a project team, engage outside assistance if necessary, set scoping criteria, "assess risk" and review the section 404 plan with the audit committee and external auditors.

* Many small-cap companies with limited accounting staffs will need assistance with tax accounting, lease accounting, reviews of transactions such as last-minute journal entries, application of GAAP, staff training, IT controls, the control environment and segregation of duties and internal control documentation from sources independent from their auditors.

* The Sarbanes-Oxley Act already has had a profound impact on the accounting profession and corporate America. Companies are now more conscious of how and why they do what they do, and in many cases they have improved their processes or eliminated duplication.

Let's hope performing Sarbanes-Oxley section 404 audits of internal controls turns out to be easier for nonaccelerated filers. Those of us who already have performed section 404 internal control audits will attest the process is long, complex, tedious and stressful. Indeed, section 404--which requires a company's annual report to certify exactly how effective its control and reporting procedures are--is proving to be the most challenging part of the Sarbanes-Oxley Act. This article describes how our firm, Marcum & Kliegman LLP of Melville, N.Y., approached section 404 audits, and shares some best practices we learned on the job.

THERE'S WORK TO DO

The SEC required companies with market capitalization equal to or greater than $75 million (accelerated filers) to comply with section 404 for fiscal years ending after November 15, 2004 (see "The Value Proposition," JofA, Sep.05, page 77). Accordingly, in 2005 about 3,700 companies underwent the first wave of internal control audits. Of them, about one in seven reported material weaknesses.

Nonaccelerated filers will commence compliance for fiscal years ending after July 15, 2007. No one knows exactly how many eventually will comply, but about 12,000 companies are listed on various national exchanges. In addition, banking and insurance companies are discussing adopting "Sarbanes-Oxley-like" initiatives for nonpublic entities. Some states have enacted tougher regulations on not-for-profits, and nonpublic broker-dealers and hedge funds soon may face increased regulation. CPA firms will be busy for a while, so it's a good time to work on skills to handle the workload.

RESPONSIBILITY GUIDELINES

PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, provides guidance for a section 404 audit. The performance and reporting directions are based on the framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO's 1992 report Internal Control--Integrated Framework describes five key components of internal control (the control environment, risk assessment, control activities, information and communication, and monitoring) and provides businesses with evaluation tools.

The SEC requires that companies' management design an internal control system that can substantiate every assertion in their financial statements. To do that, management has to analyze the company's system of internal control over financial reporting and provide evidence sufficient to support its conclusions.

The external auditor's responsibility is to do the following:

* Critically evaluate management's assessment process.

* Evaluate both the design and effectiveness of the internal control system.

* Perform independent testing.

* Form an opinion on the internal control system.

* Communicate significant deficiencies and material weaknesses to both management and the audit committee.

Both management and the external auditor must evaluate any internal control deficiencies that exist and quantify their severity. Auditing Standard no. 2 prescribes a much lower deficiency threshold than previous audit guidance. It includes three definitions. First, an internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned duties, to prevent or detect misstatements on a timely basis. Second, a significant deficiency is a single deficiency or combination of deficiencies that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected. Finally, a material weakness is a significant deficiency or combination of significant deficiencies that results in a more than remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.

Before fieldwork begins, company management and the external auditors must discuss the thresholds and reach consensus on the significant accounts and disclosures--and they absolutely must agree on how best to quantify more than remote and more than inconsequential.

404 ROAD MAP

A typical section 404 project plan for a nonaccelerated filer should not be rushed. Ideally, the first phase should commence 12 to 18 months before the company's reporting deadline. The last phase will coincide with the fieldwork for the fiscal yearend financial statement audit. Marcum & Kliegman bases its work plan on the following steps:

Phase one: Planning and scoping. Company management assigns a project leader and project team, establishes a time line, engages outside assistance if necessary, sets scoping criteria, performs risk assessment and reviews the section 404 plan with the audit committee and external auditors.

Phase two: Documentation and evaluation. Company management documents, reviews and updates all control activities, prepares flowcharts, seeks feedback from external auditors and remediates control deficiencies.

Phase three: Management testing. Company management tests key controls, documents the results of testing and fixes any control deficiencies.

Phase four: Interface with external auditors. Company management performs complete walk-throughs of systems with external auditors. It reviews its test results with the external auditors and presents an initial management assessment to them.

Phase five: External auditor testing. The external auditor completely reviews all internal control documentation including narratives, flowcharts and walk-throughs. Then the external auditor identifies areas of risk and related key controls, verifies the scope of testing, designs test plans and determines sample sizes. The external auditor then tests the controls' operating effectiveness and evaluates the test results with management and the audit committee.

Phase six: Reporting. Management prepares its section 404 assessment for inclusion in Form 10-K, reviews the document with external auditors and determines who within the company should sign the section 404 certifications. The attestation could include the company's general counsel and/or chief information officer if they are heavily involved in the system of internal control over financial reporting. At this stage the external auditors summarize their testing, review the test results and prepare a draft opinion. After that they report their conclusions to the audit committee, obtain a management representation letter and prepare a final opinion for inclusion in Form 10-K.

LESSONS LEARNED

Marcum & Kliegman has four clients that qualified as accelerated filers. Based on the section 404 work our firm has done to date, we developed a "top 10" list of section 404 best practices that we use in our internal training classes, client newsletters and public speaking engagements.

Start the process early. Pending changes from the SEC, the first nonaccelerated filers will have to report as of July 15, 2007. That may seem a long way off, but it is actually right around the corner, and section 404 projects already should have started at small-cap companies. Stress the need for clients to self-assess to get a leg up on any deficiencies before auditors come in.

Prepare a comprehensive risk assessment. Focus on material accounts and processes. Consider the primary reasons for reports of material weaknesses and determine whether the client needs improvement in the following areas:

* Tax accounting.

* Lease accounting.

* Review of transactions (especially last-minute journal entries).

* Application of GAAP.

* Staff expertise and training.

* IT controls.

* The control environment and segregation of duties.

* Internal control documentation.

Note: Small-cap companies with limited accounting staffs will almost certainly need assistance with some or all of the above areas.

Develop specific section 404 training for your staff. Staff members more experienced with debits and credits (that is, posting to a general ledger and reconciling accounts) will adapt to training more efficiently and have better relations with clients. Hold training sessions that focus on following a transaction from initiation straight through to the general ledger and financial statements to help less experienced staff members get up to speed quickly.

Advise clients to appoint a section 404 team leader. The section 404 audit will run more smoothly if one person assumes the leadership role, with responsibility for keeping the project on track and acting as liaison with the external auditors, consultants, internal auditors, audit committee and key members of management. This person should not be the CFO, CEO or an external consultant. The ideal person is an internal auditor or someone who will not be distracted by monthly or quarterly closing processes or financial reporting.

Carefully monitor and evaluate the project team. The external auditor must meet with the project team on a regular basis and promptly inform management and the audit committee if deadlines slip or the internal control documentation is not adequate. This oversight is especially critical if management engages an outside consultant. There is a booming cottage industry of section 404 consultants, and we found that not all consultants are created equal. Given that large numbers of companies will have to start reporting next year, in addition to the existing accelerated filers, there likely will be a shortage of section 404 qualified internal staff. However, the SEC's Advisory Committee on Smaller Public Companies may modify section 404 small cap compliance rules before then, which may change the marketplace.

Flowchart, flowchart, flowchart! System narratives are nice, but flowcharts rock. A well-designed flowchart highlights the key controls in a fraction of the time it takes to read a system narrative--and using them is more fun. Ideally, the client should prepare the flowcharts. When that's not possible, the external audit teams will need to do it for smaller companies. We found Visio, Microsoft Excel and PowerPoint easy to use and sufficient for most applications.

Keep the audit committee informed. Regular communication with the audit committee is critical. A periodic audit committee conference call will ensure there are no surprises at the end.

Discuss deficiencies with management promptly and candidly. While about 14% of section 404 filers have reported material weaknesses, virtually all filers have had significant deficiencies reported to the audit committee by the external auditor. When an auditor finds a significant deficiency or material weakness, it can result in a stressful conversation with management--especially when long-standing clients have had clean opinions on previous financial statement audits (see "What We're Up Against," below).

An auditor who finds a significant deficiency or material weakness should

* Bring the problem to the attention of management and the audit committee immediately.

* Discuss the implications openly and candidly.

* Offer suggestions for remediation.

Keep current with new developments. Last year at this time there was little formal guidance on how to perform an internal control audit available to CPA firms. Today guidance is available from the AICPA, the SEC, the PCAOB and the Web sites of the Big 4 and other national firms.

Use the work of others. For the many smaller public companies that don't have full-time internal audit staff, outsourced CFO or internal audit personnel may be an effective alternative for internal control documentation or testing. Find the best service providers in these areas so you can offer clients alternative help if they need it.

FOLD 404 INTO THE FINANCIAL STATEMENT AUDIT

Technically the section 404 audit and the financial statement audits are integrated. So far, however, external auditors have not been able to use section 404 internal control testing in fiscal yearend financial statement audits. This should not be a surprise, given that Auditing Standard no. 2 is relatively new and there was some uncertainty about how to apply it. Still, the PCAOB encourages integration and stressed this point in a Board Policy Statement on May 16, 2005.

One simple example of how an external auditor can use internal control tests is to design testing of the accounts-receivable revenue cycle so interim customer accounts-receivable balances are verified via confirmations or another procedure. If weaknesses are noted in the system, the sample size for the yearend confirmations can be greatly reduced based on the internal controls.

LOOK SHARP

The amount of additional work needed to complete a section 404 audit generally will exceed your expectations. For small business clients, uncovering gaps in company controls "may well be grimly costly," said the Wall Street Journal (August 15, 2005). In fact, audit fees for accelerated filers have increased by 40% to 80%. Plan accordingly and remember Murphy's Law.

The Sarbanes-Oxley Act already has had a profound impact on the accounting profession and corporate America. Companies are now more conscious of how and why they do what they do, and in many cases they've improved or streamlined their processes. CPAs at all levels of practice need to consider the implications of section 404 for all types of clients. Nonpublic companies in regulated industries, or any companies that wish to do business with a public company, will benefit from a clearer business model. Focusing on internal control reporting in the future can help achieve the goal of improved bottom-line results.

RESOURCES

Web sites

* www.pcaobus.org/Standards

* www.sec.gov/rules

AICPA RESOURCES

The Institute answers individual questions at the Sarbanes-Oxley Act hot line: 866-265-1977, and provides up-to-date compliance information for CPAs at Sarbanes-Oxley Act/PCAOB Implementation Central, www.aicpa.org/sarbanes/index.asp.

CPE

* AICPA Annual Accounting and Auditing Update Workshop (2005 ed.) (# 736181/A).

* Annual Update for Accountants and Auditors (2004-2005 ed.) (# 730024JA).

* Auditing Update: A Review of Recent Activities (2005 ed.) (# 732771JA).

* Internal Control Reporting: A Manager's Guide to Surviving the Audit (# 732490/A).

* Internal Control Reporting: A Practical Guide to the PCAOB Standard (# 181421/A).

* SEC Reporting (text, # 736772GZJA; DVD/manual, # 186753GZJA; VHS/manual, # 186752GZJA).

Publications

* Consideration of Internal Control in a Financial Statement Audit, an AICPA Audit and Accounting Guide (# 012451JA).

* Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55-SAS 78 (# 060671JA).

* Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).

* Guide to Financial Reporting and Analysis, John Wiley & Sons (# WI354252P0000DJA).

Web sites

* AICPA Center for Public Company Audit Firms, www.cpa.org/CPCAF.

* CPA Marketing Tool Kit, www.aicpa.org/cpamarketing.

* PCPS Firm Practice Center, http://pcps.aicpa.org.

For more information or to place an order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.

A Work in Progress

At press time, the SEC Advisory Committee on Smaller Public Companies' latest release suggested it may recommend full or partial exemptions of section 404 for certain size small public companies.

What We're Up Against

Here is a little exchange that took place with one of our clients recently:

Auditor: Jim, we are doing a walk-through of your accounts-payable system and we see that you paid a $7,500 invoice with two checks issued on the same day, one for $4,500 and one for $3,000. Can you explain to us why this occurred?

CFO: Yes, of course. We have a strict rule that all checks over $5,000 have to be signed by at least two authorized signers and we had to get the check out that day. Only one signer was around, so we just cut two checks.

Auditor: But, Jim, issuing two checks in this manner defeats the purpose of having two signers as a control procedure. Wouldn't you agree?

CFO: I see your point. Well, I'll just have to make sure that the CEO pre-signs some checks and leaves them for me so I won't have that problem in the future.

Author: Needless to say, we corrected his misperception.

Practical Tips

* Urge clients to get going. A section 404 internal audit should begin 12 to 18 months before the company's reporting deadline.

* Use flowcharts. A well-designed flowchart highlights the key controls in a fraction of the time it takes to read a system narrative.

* A good place to start is to design testing of the accounts-receivable revenue cycle, so interim customer accounts-receivable balances are verified via another procedure.

John W. Green, CPA, is a partner at Marcum & Kliegman LLP, Melville, N.Y. His e-mail address is jgreen@mkllp.com.
COPYRIGHT 2006 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author:Green, John W.
Publication:Journal of Accountancy
Date:Mar 1, 2006