an accountant’s look at the changing horizons within sox 404 presented to colorado bar...
TRANSCRIPT
An Accountant’s Look at the ChangingHorizons within SOX 404
Presented toColorado Bar Association’s Securities Law Group
Presented by
Bill EvertHein & Associates LLP
September 21, 2006
Why should companies care about controls?
• Fraud• Lost revenues• SOX 404 compliance• Personal liability
SOX 404 – Management Requirements
Currently effective for accelerated filers ($75MM public float, etc.):
• Incorporate within the Company’s Form 10-K a report that:
– Acknowledges responsibility for establishing/ maintaining adequate internal controls over financial reporting
– Identifies framework used (COSO)– Assesses effectiveness at end of fiscal year– Confirms independent auditors issued
attestation report on management’s assertion
Example Reporting Scenarios
SituationManagement’s
Report
Auditor’s Opinion on
Management’sAssessment
Effectiveness of ICOFR
No material weakness identified.
Internal control effective.
Unqualified Unqualified
Material weakness identified by management and auditor.
Internal control not effective.
Unqualified Adverse
Example Reporting Scenarios
SituationManagement’s
Report
Company has one or more material weaknesses, but management’s assessment indicates internal control is effective.
Issue adverse opinions on both management’s assessment and internal control.
Management fails to fulfill its responsibilities regarding the internal control assessment.
• Communicate to management and the Audit Committee.
• Disclaim opinions.• Consider possible additional
auditor responsibilities.
Deficiencies – Conceptual Definitions
Classification of Deficiency
Likelihood ofMisstatement
Potential Magnitudeof Misstatement
Internal Control Deficiency
Remote OR Inconsequential
Significant Deficiency More than remote
AND More than inconsequential
Material Weakness More than remote
AND Material
A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met:
Current Events – Moving TargetsNew guidance:
• Remediation Standard (AS4)
• New SAS standard
• New COSO framework for small businesses
(July 11, 2006)
Coming soon:
• New SOX 404 guidance regarding non-accelerated filers and IPOs
• Guidance for companies implementing SOX 404
• Revised AS2
Issues/Pitfalls Encountered
• Lack of:
― Lead time/resources/game plan
― Effective communication between auditor and client
― Motivation in second year
• Issues:
― Late start (prevents integrated audits and rising costs)
― Multiple operations/foreign subsidiaries
― Company’s GAAP and SEC expertise
― Consequences of adverse and disclaimer opinions
― Controls at outsourced service providers
Why is SOX 404 so difficult (and costly)?
1. Definition of significant deficiency “more than inconsequential”:
A misstatement is inconsequential if a reasonable person would conclude, after considering
the possibility of further undetected misstatements, that the misstatement, either
individually or when aggregated with other misstatements, would clearly be immaterial to
the financial statements. If a reasonable person could not reach such a conclusion
regarding a particular misstatement, that misstatement is more than inconsequential.
1. Must have controls over all of the relevant assertions over all significant
accounts and footnotes.
2. Materiality and deficiency evaluation.
3. Testing of attributes, not dollars - “What could go wrong; not what
does.”
4. Adjustments the auditor finds.
Why should private companies adopt SOX?
• Better controls thereby:
― Decreasing the likelihood of fraudlikelihood of fraud
― Increasing operational efficiency
• Exit strategy?
• SOX will eventually become the standard by
which companies are judged
• New audit standards
CHANGE IS GOODYOU GO FIRST
Components of the Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Board of Directors and Audit Committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resources policies and practice
Why control environment is so important
The following circumstances are at least a significant deficiency and a strong indicator of the existence of a material weakness per AS2.
• Restatement of previously issued financial statements.
• Auditor’s identification of a material misstatement in the current year audit that was not initially identified by the Company.
• Ineffective Audit Committee oversight.
• An ineffective internal audit or risk assessment function, if critical to reliability of Company’s financial reporting process.
• An ineffective regulatory compliance function in highly regulated companies if functions could have a material effect on the reliability of financial reporting.
• Identification of fraud of any magnitude on the part of senior management.
• Previously communicated significant deficiencies that remain uncorrected after a reasonable period of time.
• An ineffective control environment.
Oversight by the Audit Committee and Board
• Nature and frequency of meetings
• Consideration of fraud when reviewing:
― Accounting principles
― Non-routine transactions
• Evaluation of management’s assessment of fraud risk
• Discussion with auditor’s potential fraud areas
Risk Assessment
• Systematic process• Consideration of potential fraud schemes:
― Types of fraud― Fraud triangle
• Assessment of risk at all levels• Evaluate likelihood and significance of risks• Assessment of exposure• Document oversight by Audit Committee