SOX meets tech: as control requirements change, technology must meet small-business challenges.
COSO's small-business guidance uses 26 principles that constitute effective internal controls over financial reporting and identifies several themes, including control environment, risks, control activities, information technology (communication) and monitoring.
The small-business guidance also added the focus of personal responsibility for controls that are necessary to smaller businesses.
Shortly after COSO's draft was released, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 that exposed the profession to the murky waters of quasi-internal controls.
This subcommittee made two recommendations:
1. Exempt "micro-cap" companies with market capitalization of less than $128 million from SOX Sec. 404 under certain conditions; and
2. Exempt smaller companies with market capitalization of less than $787 million from external audit requirements of Sec. 404 under certain conditions, or at least require a more cost-effective approach to these requirements.
Due to these developments, "smaller company" internal control technology is left in a bog. Where should internal control-assisting technology go from here? Does it stay the course, but try to lighten the load? Does it change radically, throwing out the first two years of SOX compliance?
The COSO-SB, the SEC advisory and the PCAOB pronouncement that directed auditors to use a more risk-based approach when certifying internal controls necessitate a radical change in the technological approach to internal controls. Software companies emphasize process-level testing and controls, which accommodate the auditor's preferences.
However, the new movement emphasizes an entity-level risk assessment approach that dictates the proper focus on process-level controls.
Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies. Once a company's balance sheet is analyzed in this top-down approach, a risk-based analysis at the process level can be properly performed (Exhibit 1), mitigating the risk of excessive testing and expense.
After a tool has met the top-down process, it can be mapped to internal control processes and business cycles. These process maps should include stoplights and alerts to warn managers when processes are materially affected.
Technology for smaller companies also should emphasize the increased role of the control environment and monitoring. The tool should empower the company's limited financial staff with enough monitoring tools to react quickly to changes in the company atmosphere and internal control inconsistencies.
With updated technology, smaller companies can afford proper internal controls and satisfy the auditor's internal control requirements.
That does not mean, however, that the experience learned in the prior two years was irrelevant to the technology companies. SOX technology metamorphosis is like looking for a light switch in the dark--some may feel around the wall, while others purchase expensive night-vision glasses to find the switch.
The end result is that the light is turned on, but at what cost? As auditor requirements change, technology must meet the small-business challenge with a less-expensive solution.
Exhibit 1: Entity-level/process-level relationships comparison
|Large-structure framework|Small-structure framework|
|Initial bottom-up internal controls approach|Top-down internal controls approach|
|Entity-level controls|Entity-level risks & controls|
|Process-level risks & controls|Process-level controls|
Note: Table made from bar graph.
BY RICK NORRIS, CPA
Rick Norris, JD, CPA is a principal with Los Angeles-based Decision Point Solutions LLC. You can reach him at firstname.lastname@example.org.
|Title Annotation:||Sarbanes-Oxley Act of 2002; Committee of Sponsoring Organizations|
|Date:||May 1, 2006|