Print this issue
 View as PDF
Send us your comments

Vol. 11 Issue 3

The world of internal controls is not only for public companies. Private companies as well, should be analyzing and improving their internal controls. Over the past several years, we have seen some of the benefits received, as well as the difficulties encountered, with public companies complying with the Sarbanes-Oxley Act of 2002 (SOX). While private companies are not required to comply with SOX, they have the advantage of receiving the benefits through improving their internal controls while minimizing the difficulties encountered by public companies, such as, costs of hiring additional internal employees, cost of consultants and auditors, and time taken away from running the business to comply with deadlines and auditor requirements.

What can private companies gain by improving their internal controls?

• Understanding of internal controls creates value, which is critical in any organization.
• Reducing the risk of financial statement fraud or misappropriation of assets.
• Promoting a culture and environment of integrity, loyalty and high ethical values.
• Effective internal controls are one of the foundations that are essential to help your organization expand and reach its maximum potential.
• A strong internal control structure will provide more confidence to your customers, shareholders, bankers, lenders and accountants.
• Maintaining a high degree of reliance and accuracy on financial reporting.
• Improving obsolete and inefficient processes.
• Preparing your organization ahead of time if it plans to eventually go public.

In addition to the benefits and incentives of improving internal controls as described above, future financial statement audits of private companies may involve more internal control testing. Most public accounting firms conducting audits are registered with the Public Company Accounting Oversight Board (PCAOB). The PCAOB is the regulatory body created by the Sarbanes-Oxley Act of 2002, which regulates the auditors of public companies and ensures that they have complied with a set of strict guidelines. Therefore, public accounting firms have been using a risk-based audit approach for their public companies, which will most likely filter down to private companies. The risk-based audit approach relies, in part, on the organization's internal controls. Recently, the AICPA has issued new auditing standards (SAS no. 104 – 111, collectively referred to as the "Risk Based Standards") that will impact audits of private companies for calendar year 2007.

• Obtain a more in-depth understanding of the entity and its environment, including internal control.
• Complete a more rigorous assessment of the risk of material misstatement of the financial statements.
• Improve the link between assessed risks and audit procedures in response to those risks.

Based on the above audit requirements, auditors will now review the organization's internal control structure and determine if test of controls and a risk-based audit approach should be utilized. This will be determined on an individual basis depending on the organization's industry, business, size and internal controls structure.

In addition, the AICPA issued a new standard, Statement on Auditing Standards (SAS) No. 112, Communicating Internal Control Related Matters Identified in an Audit. This new standard defines terms currently used by the PCAOB, such as: control deficiency, significant deficiency, and material weakness. This standard also requires the auditor to communicate, in writing, any deficiencies to the organization's management. Therefore, private companies undergoing calendar 2006 audits (i.e. Dec. 31, 2006) can expect the auditor to communicate any deficiencies relating to internal control.

Fortunately, there is some guidance that can assist private companies in implementing and improving internal controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released guidance to assist smaller public companies with their internal control framework. Private companies should use COSO as the basis for their internal control framework. COSO discusses the five components of the internal control framework, which include: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. In order to develop and maintain an effective internal control framework, an organization should follow these seven steps: (1) plan and identify the risk assessment, (2) establish a control framework, (3) document the control activity, (4) identify specific controls, (5) evaluate the control design, (6) test the control effectiveness, and (7) remediate any deficiencies and retest.

Improving internal controls will initially cost the organization some time and money. However, it is a long-term investment for the organization that will prove to be beneficial, both operationally and financially, for years to come.