
Is COSO for Smaller Public Companies the Answer to SOX Compliance?


By Robert Benoit
President
Lord & Benoit

Lord & Benoit announced on Oct 25, 2006 that it was one of the first SOX compliance firms to use COSO for Smaller Public Companies. Lord & Benoit is a national SOX Compliance and Research firm focused on affordable compliance for Smaller Public Companies.

On July 11, 2006, COSO released their "Internal Control over Financial Reporting - Guidance for Small Public Companies." The COSO implementation tool covers the unique needs of the financial reporting requirement and is therefore focused on achieving understandable and efficient SOX compliance. Did they accomplish that task?

Lord & Benoit set out to see if the new COSO guidance would truly be more efficient and practical for smaller public companies. The study was performed on a small public company client that voluntarily complied with SOX 404.

Why did they volunteer? One reason that motivated the CEO was the Lord & Benoit study on share price movements of 2,481 calendar year accelerated filers (www.Section404.org, Lord & Benoit Report: "Do the Benefits of SOX 404 Exceed the Cost?"). This study, also reported by the Wall Street Journal on May 8, showed that companies that had good internal controls in their first year had market-beating stock price gains.

Additionally, the CFO realized that there was a good chance the company had weaknesses - since she did most of the accounting work. She also wanted adequate time to address the issues before the year end.

Was COSO for smaller companies helpful?
In proper fashion, and as recommended by the SEC, PCAOB and COSO, we started the project with Risk Assessment. COSO Guidance for Smaller Public Companies has done an excellent job at interpreting PCAOB Auditing Standard 2:

• Risk Assessment: Identifying significant accounts, locations, business units and financial statement assertions. COSO illustrated the mapping of these to processes and subprocesses. COSO identified and documented the key IT infrastructures and spreadsheets that support those processes and subprocesses.

• COSO illustrated how mapping risk assessment starts with the company's financial statements and works backwards into the important accounts that need to be analyzed, the important computer systems and spreadsheets that generate those numbers. Then Risk maps to the modules (subprocesses like AP, AR, GL) that gather the detailed transactions. The study of internal controls over financial reporting finished with the internal controls over these transactions. Alas this area makes sense!

The COSO guidance then took us to company level controls (Control Environment, Risk, Information and Communication and Monitoring). Activity Level controls were tested near the end. By the end of this study the smaller public company client had about 10-15 items that needed improvement. We heard comments like:

• What is an audit committee charter?

• I thought we didn't need a whistleblower program?

• Do you have any examples of what an ethics policy looks like?

• The audit committee is supposed to be looking at fraud and internal controls?

• Our QuickBooks accounting package is out of control?

• We need to document risks?

• Do you know where we can get sample HR policies?

• Is it a problem that the CFO does almost everything?

• How can we creatively segregate duties?

• Our IT Dept needs to have controls even though it's so small?

Then Fraud Risk Assessment and Enterprise Risk Assessment were analyzed. The original COSO and SAS Standards were more helpful here than the COSO Guidance for Smaller Public Companies. At the end of this study it was clear what needed to be tested and what didn't.

Many of the Section 404 deficiencies noted in Form 10-Ks have related to accounting and disclosure deficiencies. So how did COSO address these points? COSO Guidance for Smaller Public Companies illustrated a nice list of questions relating to accounting standards and policies (closing procedures, consolidations, GL maintenance, financial statement preparation and assumptions on key accounting principles). The Guidance required the user to have an understanding of underlying assumptions for each question, but for those of us who understand the requirements, COSO kept us on course. The same for disclosure controls. Disclosure controls are addressed but need supplementation with outside auditor disclosure checklists (which they are allowed to give us under PCAOB standards).

What about IT and Sarbanes-Oxley? So many companies have been using COBIT or ITGI for testing IT. At the same time they disclosed on their Section 404 self assessments that they used COSO. Maybe there was good reason, but the important thing is that the new Guidance has identified key IT controls for smaller public companies. It also addresses spreadsheet controls. In most cases COSO IT for SOX 404 is more focused and efficient for smaller public companies than some of the other frameworks.

For the design of controls we found the original COSO to be more helpful (and a good internal control questionnaire). The COSO Guidance for Smaller Public Companies does not supplant the original 1992 COSO Framework.

For testing activity level controls, COSO Guidance for Smaller Public Companies illustrated a revenue cycle control matrix followed by a sample payroll narrative. It may have been more helpful to keep the activity controls the same since control narratives and matrices need to correlate with one another. Narratives flow to the control matrices and the control matrices flow to the test matrices.

The COSO Guidance for Smaller Public Companies has made great strides in helping smaller public companies right-size their internal controls. Would more guidance be helpful, such as the monitoring project being developed? Certainly. But COSO Guidance for Smaller Public Companies is definitely a great first step and should be applauded. Lord & Benoit plans to continue to use the guidance as a cost-effective tool to help smaller (and larger) companies comply affordably with Sarbanes-Oxley Section 404.

Lord & Benoit is a national SOX Compliance and Research firm focused on affordable compliance for Smaller Public Companies. Lord & Benoit's research has been quoted by all of the Big 4 firms, SEC, IIA, PCAOB, SAG, AIPCA-CFCAF, SEC Advisory, Wall Street Journal and over 100 other trade journals. Bob Benoit teaches "Complying with SOX Section 404" particularly for smaller public companies. He has also been on the AICPA Peer Review Acceptance Board in Massachusetts for the past 10 years. For more information about Lord & Benoit research, go to www.Section404.org

For more information or questions contact Bob Benoit at (508) 853-6404 x204 Info@LordandBenoit.com or visit www.LordandBenoit.com



Robert Benoit
President
Lord & Benoit
Bob is President and Director of SOX Research at Lord & Benoit, LLC, one of the most influential SOX Research and Compliance firms for smaller public companies.

In addition to his position with Lord & Benoit, Bob serves on the COSO Monitoring Project Task Force. He has also served on the AICPA Peer Review Acceptance Board in MA for the past 11 years, has taught Complying with Sarbanes-Oxley Section 404 throughout the country through the State CPA Societies and is the author of the Lord & Benoit Reports, which have been referenced by the SEC, PCAOB, COSO, AICPA, CHH, RIA, BNA, Wall Street Journal, all of the "Big 4" firms and over 120 legal, educational and trade journals around the world.

Bob is the first evaluator to use the COSO Guidance for Smaller Public Companies, the inventor of Virtual SOX taught on the AICPA website and research contributor to the SEC Subcommittee, SEC Concept Releases and SEC/PCAOB Internal Control Roundtables.




