SOX meets tech: as control requirements change, technology must meet small-business challenges.

The Committee of Sponsoring Organizations of the Treadway Commission's long-awaited draft, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, was released in October 2005 to address internal controls for smaller publicly owned companies.

COSO's small-business guidance uses 26 principles that constitute effective internal controls over financial reporting and identifies several themes, including control environment, risks, control activities, information technology (communication) and monitoring.

The small-business guidance also added the focus of personal responsibility for controls that are necessary to smaller businesses.

Shortly after COSO's draft was released, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 that exposed the profession to the murky waters of quasi-internal controls.

The subcommittee's recommendations were to:

1. Exempt "micro-cap" companies with market capitalization of less than $128 million from SOX Sec. 404 under certain conditions; and

2. Exempt smaller companies with market capitalization of less than $787 million from external audit requirements of Sec. 404 under certain conditions, or at least require a more cost-effective approach to these requirements.

Due to these developments, "smaller company" internal control technology is left in a bog. Where should internal control-assisting technology go from here? Does it stay the course, but try to lighten the load? Does it change radically, throwing out the first two years of SOX compliance?


The COSO-SB, the SEC advisory and the PCAOB pronouncement that directed auditors to use a more risk-based approach when certifying internal controls necessitate a radical change in the technological approach to internal controls. Software companies emphasize process-level testing and controls, which accommodate the auditor's preferences.

However, the new movement emphasizes an entity-level risk assessment approach that dictates the proper focus on process-level controls.

Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies. Once a company's balance sheet is analyzed in this top-down approach, a risk-based analysis at the process level can be properly performed (Exhibit 1), mitigating the risk of excessive testing and expense.


Once a tool has met the top-down process, it can be mapped to internal control processes and business cycles. These process maps should include stoplights and alerts to warn managers when processes are materially affected.

Technology for smaller companies also should emphasize the increased role of the control environment and monitoring. The tool should empower the company's limited financial staff with enough monitoring tools to react quickly to changes in the company atmosphere and internal control inconsistencies.


With updated technology, smaller companies can afford proper internal controls and satisfy the auditor's internal control requirements.

That does not mean, however, that the experience learned in the prior two years was irrelevant to the technology companies. SOX technology metamorphosis is like looking for a light switch in the dark--some may feel around the wall, while others purchase expensive night-vision glasses to find the switch.

The end result is that the light is turned on, but at what cost? As auditor requirements change, technology must meet the small-business challenge with a less-expensive solution.

Exhibit 1: Entity-level/process-level relationships comparison

[Bar graph not reproduced. Labels: entity-level risks & entity-level controls; process-level risks & process-level controls.]

Note: Table made from bar graph.


Rick Norris, JD, CPA is a principal with Los Angeles-based Decision Point Solutions LLC. You can reach him at
COPYRIGHT 2006 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Sarbanes-Oxley Act of 2002; Committee of Sponsoring Organizations
Author:Norris, Rick
Publication:California CPA
Geographic Code:1USA
Date:May 1, 2006