140 likes | 293 Views
An Accountant’s Look at the Changing Horizons within SOX 404 Presented to Colorado Bar Association’s Securities Law Group Presented by Bill Evert Hein & Associates LLP September 21, 2006. Why should companies care about controls?. Fraud Lost revenues SOX 404 compliance Personal liability.
E N D
An Accountant’s Look at the ChangingHorizons within SOX 404Presented toColorado Bar Association’s Securities Law GroupPresented byBill EvertHein & Associates LLPSeptember 21, 2006
Why should companies care about controls? • Fraud • Lost revenues • SOX 404 compliance • Personal liability
SOX 404 – Management Requirements Currently effective for accelerated filers ($75MM public float, etc.): • Incorporate within the Company’s Form 10-K a report that: • Acknowledges responsibility for establishing/ maintaining adequate internal controls over financial reporting • Identifies framework used (COSO) • Assesses effectiveness at end of fiscal year • Confirms independent auditors issued attestation report on management’s assertion
Deficiencies – Conceptual Definitions A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met:
Current Events – Moving Targets New guidance: • Remediation Standard (AS4) • New SAS standard • New COSO framework for small businesses(July 11, 2006) Coming soon: • New SOX 404 guidance regarding non-accelerated filers and IPOs • Guidance for companies implementing SOX 404 • Revised AS2
Issues/Pitfalls Encountered • Lack of: ― Lead time/resources/game plan ― Effective communication between auditor and client ― Motivation in second year • Issues: ― Late start (prevents integrated audits and rising costs) ― Multiple operations/foreign subsidiaries ― Company’s GAAP and SEC expertise ― Consequences of adverse and disclaimer opinions ― Controls at outsourced service providers
Why is SOX 404 so difficult (and costly)? • Definition of significant deficiency “more than inconsequential”: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential. • Must have controls over all of the relevant assertions over all significant accounts and footnotes. • Materiality and deficiency evaluation. • Testing of attributes, not dollars - “What could go wrong; not what does.” • Adjustments the auditor finds.
Why should private companies adopt SOX? • Better controls thereby: ― Decreasing the likelihood of fraud ― Increasing operational efficiency • Exit strategy? • SOX will eventually become the standard by which companies are judged • New audit standards CHANGE IS GOODYOU GO FIRST
Components of the Control Environment • Integrity and ethical values • Commitment to competence • Board of Directors and Audit Committee • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resources policies and practice
Why control environment is so important The following circumstances are at least a significant deficiency and a strong indicator of the existence of a material weakness per AS2. • Restatement of previously issued financial statements. • Auditor’s identification of a material misstatement in the current year audit that was not initially identified by the Company. • Ineffective Audit Committee oversight. • An ineffective internal audit or risk assessment function, if critical to reliability of Company’s financial reporting process. • An ineffective regulatory compliance function in highly regulated companies if functions could have a material effect on the reliability of financial reporting. • Identification of fraud of any magnitude on the part of senior management. • Previously communicated significant deficiencies that remain uncorrected after a reasonable period of time. • An ineffective control environment.
Oversight by the Audit Committee and Board • Nature and frequency of meetings • Consideration of fraud when reviewing: ― Accounting principles ― Non-routine transactions • Evaluation of management’s assessment of fraud risk • Discussion with auditor’s potential fraud areas
FRAUD Risk Assessment • Systematic process • Consideration of potential fraud schemes: • Types of fraud • Fraud triangle • Assessment of risk at all levels • Evaluate likelihood and significance of risks • Assessment of exposure • Document oversight by Audit Committee