Our Public Companies Group experts specialize in tax services and accounting services.

 Print this issue
 View PDF
Send your comments

During my 23 years of accounting experience, I have witnessed many changes. Most recently, I have seen the increased burden imposed by Section 404 of Sarbanes-Oxley on small companies.

Many small companies which are not accelerated filers have deferred doing any testing to meet the requirements of Sarbanes-Oxley under the assumption there would be some deferral of the implementation date, as well as the hope that many smaller companies would be exempt entirely from its requirements. There was also the prospect that there would be more literature giving additional guidance on which companies could base their audit and attestation of their internal financial controls.

Careful monitoring and analysis of where cash is spent is something these companies focus on daily, which they discuss with senior management and get Board approval. That in itself provides them with a strong control system over cash expenditures without unnecessary formal documentation of internal controls in place. The point is that a company that may not be adhering strictly to the demands of Accounting Standards 2 (AS2) or the COSO requirements may at the same time have sufficient control within its own cash management system since every dime is being watched. So how do we convert this practice into acceptable procedures and policies?

Some Relief Granted

The SEC has granted some relief in terms of the times when smaller public companies will have to comply with the requirements of Section 404. In August 2006, the SEC issued a release in response to an earlier recommendation from the SEC Advisory Committee on Smaller Companies. Non-accelerated smaller companies may now extend the date for filing a report by management assessing the effect of the company's internal financial controls to fiscal years ending after December 15, 2007 (formerly the report was required to be filed for fiscal years ending on or after July 15, 2007). The proposal also extends the date by which non-accelerated small company filers must begin to comply with the Section 404 (b) requirement to provide an auditor's attestation report on internal controls over financial reporting in a company's annual report. This deadline will be moved to the first annual report for a fiscal year ending on or after December 15, 2008.

The industry, the PCAOB and the SEC have been undertaking a process by which they are looking at the effort and cost as well as the desired outcome of Section 404 reporting and other Sarbanes requirements over internal controls. They are making a genuine effort to facilitate reporting requirements for smaller companies. They are also looking at the effect COSO (Committee of Sponsoring Organizations of the Treadway Commission) is having as a benchmarking tool for corporate governance. For over 30 some years this rule of governance has been the hallmark of good governance for large corporations.

How New SOX Guidelines Are Expected To Aid Small Companies

The prevailing thinking is that the SEC and PCAOB will take a top-down approach in order to put into context the major financial statement risks a company faces. What controls should they have in place versus what had been the norm under AS2? AS2 was more of a bottom-up approach, which included starting off with appropriate sign-offs on various time sheets and receiving reports and then building all the way to the top of the internal control spectrum – the financial statements. In contrast with AS2, AS5 is thought to be the better way – start with the financial statements at the top and work the processes down to necessary controls. Couple this with COSO Lite which is designed to build suggested controls for smaller organizations, giving auditors and companies a standard by which to benchmark their internal financial controls.

At the end of 2006 the SEC and the PCAOB released proposed new guidance and standards to assist small public companies in complying with Section 404. These standards are designed primarily to: 1) focus the audit on matters most important to internal control of financial matters and eliminate unnecessary procedures; (2) modify the audit requirement for smaller companies so that only the necessary detailed information is produced by relying more on the work of the company's advisors and focusing on the top-down approach. The PCAOB still holds to the proposition that the auditor should test the effectiveness of controls in order to attest to and report on management's assessment.

How Small Companies Can Build A Structure Of Controls That Best Reflects Their Risks

One of the areas we at Amper have been featuring is to help our small companies use their existing cash control models which are so effective, then constructing a superstructure upon the existing cash controls to monitor other risks to satisfy the internal control requirement. This structure does not encompass all of the COSO guidelines but it does afford companies with sufficient controls and accompanying documentation to give them a passing grade with regard to the internal control benchmark. We have found that we are able to use the one major control, i.e., cash management tool documentation, as the guiding control for companies with as few as two people in a finance department. This one measure often alleviates some of the inherent weaknesses in the reporting system.

John Pennett is an Audit Partner in Amper's Edison, New Jersey office, where he serves as the Director of the Life Sciences Practice and a member of the Firm's Public Companies Group.