Non-Accelerated SOX Implementation

    Non-Accelerated SOX: Efficient Implementation

    Peter Bible
    Leader, Public Company Group

    Andy Barfuss
    Leader, Business Risk & Advisory

    SOX PRIMER

    SOX Primer
    Selected History

    • A Continuum of Financial Reporting Regulation & Guidance
      • 1934 - The Securities Exchange Act
        • Requires issuers to file 10-Ks & 10-Qs
        • Requires adequate books & records and internal controls
      • 1977 – Foreign Corrupt Practices Act
        • Requires internal accounting controls for financial reporting
      • 1987 – The Treadway Commission
        • Recommended steps to reduce fraudulent financial reporting
      • 1991 – The Federal Deposit Insurance Corporation Improvement Act (“FDICIA”)
        • Recommended management’s assessments and assurances over a bank’s internal controls.
      • 1992 – The COSO Report
        • Recommended framework to identify risks and design internal controls
        • Framework embraced by SEC and PCAOB
      • 2002 – Sarbanes Oxley Act
        • Extension of the Securities Exchange Act of ‘34
        • Requires an opinion from management and the external public accounting firm over controls for financial reporting
      • 2003 to 2008 – SEC Extends Multiple Deadlines
      • 2009 – New Political Climate Makes Further Extensions Unlikely
        • New SEC Appointee, Mary Schapiro: “It’s time that we bring uniformity to the system”

    SOX Primer
    Who Must Comply

    • All SEC Registrants:
      • S-1 filers must comply with SOX
      • Accelerated filers:
        • Market cap > $75 million
        • Year ends after November 15, 2004
      • Non-accelerated filers:
        • Market cap < $75 million
        • Year ends after December 15, 2009

    SOX Primer
    Main 404 Elements

    • Formalized, Annual, Two-Step Process:
      • Section 404(a) – Management’s Assessment of Internal Controls:
        • Document and test internal controls
        • Assert that controls are adequate (or not) for the preparation of reliable financial statements
      • Section 404(b) – Requires an External Audit of Internal Control:
        • Independently review management’s basis for Assertion
        • Independently test controls
        • Attest that management’s system of controls is adequate (or not) for the generation of reliable financial statements

    SOX Primer
    Other Elements

    SOX Primer
    Auditing Standard No. 5

    • July 25, 2007 - SEC approved PCAOB’s AS #5
      • Replaced Auditing Standard No. 2
      • Provides interpretive guidance for external auditors
      • Goal = improving the efficiency and effectiveness of their SOX 404 efforts
      • Key Features:
        • Less prescriptive than AS #2
        • Provides audit scalability – matching size & complexity of client
        • Requires a risk-based approach to focus effort and eliminate unnecessary procedures
        • Provides principles-based approach for reliance upon work of others

    SOX Primer
    Classifications of Deficiencies

    • Under AS-5:
      • Significant Deficiency:
        • “A significant deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant’s financial reporting”
      • Material Weakness:
        • “A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis”

    SOX Primer
    PCAOB Guidance - Small Public Companies

    • January 2009 - PCAOB published guidance for Auditors of Small Public Companies
    • External auditor & management collaboration required:
      • Highlight Tone at the Top
      • Use a Top Down Approach to identify key controls
      • Concentrate on Areas of Risk
      • Evaluate and understand the risk of management override
      • Understand the significance of having informal documentation
      • Address Segregation of Duty (SOD) issues
      • Understand Information Technology Controls
      • Prepare for a financial reporting skills evaluation

    NON-ACCELERATED CONSIDERATIONS

    Non-Accelerated Considerations
    Internal Control Defined

    • Policies & procedures to ensure the achievement of an objective:
      • Documentation
      • Performing reconciliations
      • Security
      • Organizational design

    Non-Accelerated Considerations
    Common Control Deficiencies

    GAAP Application | Internal Control | Non-Accelerated Filers
    Stock Options | Poor Control Environment | Segregation of Duties – esp. IT
    Hedging | Non-routine Transactions | Treasury
    Derivative Securities | Account Reconciliations | Former Owner Influence
    Lease Accounting | Ineffective Review & Approval | Board Effectiveness
    Inter-company | Complex Accounting Issues | Revenue Recognition
    Foreign Subs | IT – General Computing Controls | IT – Application Controls

    Non-Accelerated Considerations
    Inherent Challenges

    • Internal Control – Inherent Challenges:
      • Lack of accounting resources for effective segregation of duties
      • IT staff with dual responsibilities – production & development
      • Ability of senior executives to override controls
      • Ability to recruit & retain sophisticated GAAP and IT talent

    PRACTICAL APPROACH

    Practical Approach
    Lessons From Accelerated Filers

    • What went right
      • Top-down approach – risk-driven scoping
      • Started project early
      • Honest evaluation of problems
      • Held key individuals accountable
    • What went wrong
      • Late start
      • Limited collaboration with external auditors
      • Underestimated amount of work required
      • Attempted to self-test
      • Did not effectively involve business process owners
      • Did not take into account Information Technology
      • Staffed project with people who had “day jobs”

    Practical Approach
    Optimizing AS5

    EXTERNAL AUDITOR INVOLVEMENT AND COLLABORATION IS CRITICAL
    • Risk Assessment
      • Performed at the consolidated level (Balance Sheet, P&L, Footnotes)
      • Consider both qualitative and quantitative factors
      • Determine definition(s) for risk rankings
      • Assign risk at the account assertion level (i.e. completeness, valuation, existence, accuracy, presentation)
    • Define Materiality
      • Determine and document the basis for materiality calculation (i.e. 5% of total assets or 1% of revenues)
      • Consider using a 3-year rolling average to account for volatility
      • Define qualitative factors for measuring a material weakness, significant deficiency or a deficiency
    • Entity Level Assessment
      • Take credit for how you manage, operate and monitor the business results
      • Determine and document your entity level controls
      • Link the entity level controls to the account balances on the risk assessment
    • Process Level Controls
      • Only perform when entity level controls are not sufficient
      • Limit documentation and testing to those controls deemed significant at the financial assertion level (i.e. do not document and test all controls within a process but only those controls deemed the most significant)

    Practical Approach
    Optimized AS5 – Key Controls

    Example: Single Location Distributor
    Process | “Traditional Approach” # Key Controls | “Optimized AS5 Approach” # Key Controls | Optimized AS5 – Control Examples
    Entity Level | 5-10 | 10-15 | Policies & Procedures, Code of Ethics, Board and Audit Committee Oversight, Monthly/Quarterly Financial Reviews, Budget Process, Hiring Process, Training, Schedule of Authority
    Information Technology | 15-25 | 5-10 | Access, Segregation of Duties, Change Management, Backup
    Financial Reporting | 15-25 | 5-10 | Reconciliations, Closing Checklists, Segregation of Duties, Estimates/Judgments, Journal Entries, Applications
    Order to Cash | 15-25 | 5-10 | Cutoff, Valuation of Reserves, Revenue Recognition, Authorization, Segregation of Duties, Applications
    Inventory | 15-25 | 5-10 | Valuation of Reserves, Costing, Physical/Cycle Counts, Applications, Segregation of Duties
    Purchase to Pay | 15-25 | 5-10 | Authorization, Segregation of Duties, Applications
    Fixed Assets | 10-20 | 3-5 | Depreciation, Impairment, Disposals, Applications
    Payroll | 10-20 | 3-5 | Authorization, Segregation of Duties, SAS 70, Applications
    Treasury | 15-25 | 4-5 | Authorization, Segregation of Duties, Application
    Taxes | 10-20 | 5-10 | Estimates/Judgments, Documentation, Approvals
    # Key Controls (total) | 125-220 | 50-90 |
    Estimated Hours | 1,200-2,000 | 500-750 | Combined hours for Amper and client team.

    Practical Approach
    Phased Predictable Process

    Plan >> Scope >> Document >> Evaluate >> Test >> Assess
    • Plan
      • Identify Rules & Responsibilities
      • Develop Project Plan & Timeline
      • Define Reporting Requirements
      • Set the Tone
    • Scope
      • Identify Financial Reporting objectives and related processes and business units
      • Identify key IT applications
      • Complete entity level controls assessment
    • Document
      • Key processes, risks and controls
      • Link entity level controls to process risks and financial reporting objectives
      • Assess Segregation of Duties
    • Evaluate
      • Control Design
      • Plan to remediate design deficiencies
      • Track remediation efforts
    • Test
      • Key controls
      • Identify ineffective controls
      • Track remediation efforts to address ineffective controls
      • Re-test key controls as necessary
    • Assess
      • Evaluate significance of remaining control deficiencies
      • Evaluate effectiveness of overall control environment
      • Formulate Final Conclusion
      • Develop Report

    Practical Approach
    Success Factors

    • Don’t Delay
    • Educate yourself - Rules & Guidance
    • Create sustainable, top-down, risk-based approach
    • Build “Entity-level” controls
    • Limit reliance upon “Process-level” controls
    • Learn from Lessons past
    • Objective Assessment of Financial Statement Risk
    • Constant collaboration with External Auditor
    • Timely remediation of Control Deficiencies
    • Balance internal resources with external experts

    Practical Approach
    Control Deficiencies

    • SOX = perfection not mandated
    • “Living with” certain deficiencies = Management / Board choice:
      • Material Weakness - 10-K disclosure required
        • Disclose reasoning for accepting material weakness
        • Shareholders, prospective investors, lenders – ultimate judges
      • Significant Deficiencies – no disclosure required

    Practical Approach
    Cost & Scope Factors

    • Cost for Management Assertion & Auditor Attestation impacted by:
      • Nature & complexity of operations and financial reporting
      • Extent of documentation supporting ICFR and Management testing
      • Nature, timing and adequacy of management testing
    • For single-location, non-accelerated entities:
      • Typical cost = $30,000 to $75,000 for first year
      • Requires 300 to 750 hours of client effort
      • Unknown is remediation of control deficiencies

    WRAP-UP

    Wrap Up
    Continuous ICFR Process

    • Internal Control for Financial Reporting (“ICFR”):
      • Focus on continuous process:
        • “Once a year” event is insufficient, likely creating inefficiencies
      • Ongoing Monitoring:
        • Control deficiency remediation
        • Process changes requiring documentation updates
        • Efficiency opportunities
      • Rolling Risk Assessment:
        • Continuously update risk assessment, for old & new risks
      • Establish a Control Culture:
        • Embracing control culture
        • Reduces surprises & fire drills

    Wrap Up
    The Amper Advantage

    • Amper’s “SOX-in-a-Box” Service:
      • Fixed Price Range – typically $25,000 to $60,000
      • Scope of effort determined within first week
      • Transparent scheduling and assignment of duties:
        • Amper duties
        • Client duties
      • Industry-specific templates easily adapted to your company
      • Experience rivaling any other provider:
        • No one beats us in practical non-accelerated experience
      • Over 100 dedicated SEC compliance specialists near you

    Contacts

    Pete Bible
    Leader, Public Company Practice
    732-287-1000

    Andy Barfuss
    Leader, Business & Risk Advisory Services
    732-287-1000

    The material contained in this presentation is for general information and should not be acted upon without prior professional consultation.


    Amper, Politziner & Mattia, LLP is now EisnerAmper LLP   •  1-866-99-AMPER  •  info@amper.com
