EXECUTIVE SUMMARY
In 2005 about 3,700 large-cap ($75 million or more) companies underwent the first wave of Sarbanes-Oxley section 404 audits. Here, a firm experienced with Sarbanes-Oxley section 404 audits for accelerated filers shares its best practices to help with compliance for nonaccelerated filers (companies with market capitalization under $75 million), which must begin filing audit reports for fiscal years ending after July 15, 2007.
The external auditor’s section 404 responsibility is to critically evaluate the design and effectiveness of management’s internal controls over financial reporting, test as necessary, form an opinion and communicate significant deficiencies and material weaknesses to management and the audit committee.
At least one year before the deadline, management should assign a project leader, establish a time line and a project team, engage outside assistance if necessary, set scoping criteria, “assess risk” and review the section 404 plan with the audit committee and external auditors.
Many small-cap companies with limited accounting staffs will need assistance with tax accounting, lease accounting, reviews of transactions such as last-minute journal entries, application of GAAP, staff training, IT controls, the control environment and segregation of duties and internal control documentation from sources independent from their auditors.
The Sarbanes-Oxley Act already has had a profound impact on the accounting profession and corporate America. Companies are now more conscious of how and why they do what they do, and in many cases they have improved their processes or eliminated duplication.
John W. Green, CPA, is a partner at Marcum & Kliegman LLP, Melville, N.Y. His e-mail address is email@example.com.
Let’s hope performing Sarbanes-Oxley section 404 audits of internal controls turns out to be easier for nonaccelerated filers. Those of us who already have performed section 404 internal control audits will attest the process is long, complex, tedious and stressful. Indeed, section 404—which requires a company’s annual report to certify exactly how effective its control and reporting procedures are—is proving to be the most challenging part of the Sarbanes-Oxley Act. This article describes how our firm, Marcum & Kliegman LLP of Melville, N.Y., approached section 404 audits, and shares some best practices we learned on the job.
A Work in Progress
At press time, the SEC Advisory Committee on Smaller Public Companies’ latest release suggested it may recommend full or partial exemptions of section 404 for certain size small public companies.
The SEC required companies with market capitalization equal to or greater than $75 million (accelerated filers) to comply with section 404 for fiscal years ending after November 15, 2004 (see “The Value Proposition,” JofA, Sep.05, page 77). Accordingly, in 2005 about 3,700 companies underwent the first wave of internal control audits. Of them, about one in seven reported material weaknesses.
Nonaccelerated filers will commence compliance for fiscal years ending after July 15, 2007. No one knows exactly how many eventually will comply, but about 12,000 companies are listed on various national exchanges. In addition, banking and insurance companies are discussing adopting “Sarbanes-Oxley-like” initiatives for nonpublic entities. Some states have enacted tougher regulations on not-for-profits, and nonpublic broker-dealers and hedge funds soon may face increased regulation. CPA firms will be busy for a while, so it’s a good time to work on skills to handle the workload.
PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, provides guidance for a section 404 audit. The performance and reporting directions are based on the framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO’s 1992 report Internal Control—Integrated Framework describes five key components of internal control (the control environment, risk assessment, control activities, information and communication, and monitoring) and provides businesses with evaluation tools.
The SEC requires that companies’ management design an internal control system that can substantiate every assertion in their financial statements. To do that, management has to analyze the company’s system of internal control over financial reporting and provide evidence sufficient to support its conclusions.
The external auditor’s responsibility is to do the following:
Critically evaluate management’s assessment process.
Evaluate both the design and effectiveness of the internal control system.
Perform independent testing.
Form an opinion on the internal control system.
Communicate significant deficiencies and material weaknesses to both management and the audit committee.
Both management and the external auditor must evaluate any internal control deficiencies that exist and quantify their severity. Auditing Standard no. 2 prescribes a much lower deficiency threshold than previous audit guidance. It includes three definitions. First, an internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned duties, to prevent or detect misstatements on a timely basis. Second, a significant deficiency is a single deficiency or combination of deficiencies that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected. Finally, a material weakness is a significant deficiency or combination of significant deficiencies that results in a more than remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
Before fieldwork begins, company management and the external auditors must discuss the thresholds and reach consensus on the significant accounts and disclosures—and they absolutely must agree on how best to quantify “more than remote” and “more than inconsequential.”
A typical section 404 project plan for a nonaccelerated filer should not be rushed. Ideally, the first phase should commence 12 to 18 months before the company’s reporting deadline. The last phase will coincide with the fieldwork for the fiscal yearend financial statement audit. Marcum & Kliegman bases its work plan on the following steps:
Phase one: Planning and scoping. Company management assigns a project leader and project team, establishes a time line, engages outside assistance if necessary, sets scoping criteria, performs risk assessment and reviews the section 404 plan with the audit committee and external auditors.
Phase two: Documentation and evaluation. Company management documents, reviews and updates all control activities, prepares flowcharts, seeks feedback from external auditors and remediates control deficiencies.
Phase three: Management testing. Company management tests key controls, documents the results of testing and fixes any control deficiencies.
Phase four: Interface with external auditors. Company management performs complete walk-throughs of systems with external auditors. It reviews its test results with the external auditors and presents an initial management assessment to them.
Phase five: External auditor testing. The external auditor completely reviews all internal control documentation including narratives, flowcharts and walk-throughs. Then the external auditor identifies areas of risk and related key controls, verifies the scope of testing, designs test plans and determines sample sizes. The external auditor then tests the controls’ operating effectiveness and evaluates the test results with management and the audit committee.
Phase six: Reporting. Management prepares its section 404 assessment for inclusion in Form 10-K, reviews the document with external auditors and determines who within the company should sign the section 404 certifications. The attestation could include the company’s general counsel and/or chief information officer if they are heavily involved in the system of internal control over financial reporting. At this stage the external auditors summarize their testing, review the test results and prepare a draft opinion. After that they report their conclusions to the audit committee, obtain a management representation letter and prepare a final opinion for inclusion in Form 10-K.
Marcum & Kliegman has four clients that qualified as accelerated filers. Based on the section 404 work our firm has done to date, we developed a “top 10” list of section 404 best practices that we use in our internal training classes, client newsletters and public speaking engagements.
Start the process early. Pending changes from the SEC, the first nonaccelerated filers will have to report as of July 15, 2007. That may seem a long way off, but it is actually right around the corner, and section 404 projects already should have started at small-cap companies. Stress the need for clients to self-assess to get a leg up on any deficiencies before auditors come in.
Prepare a comprehensive risk assessment. Focus on material accounts and processes. Consider the primary reasons for reports of material weaknesses and determine whether the client needs improvement in the following areas:
Review of transactions (especially last-minute journal entries).
Application of GAAP.
Staff expertise and training.
The control environment and segregation of duties.
Internal control documentation.
Note: Small-cap companies with limited accounting staffs will almost certainly need assistance with some or all of the above areas.
Develop specific section 404 training for your staff. Staff members more experienced with debits and credits (that is, posting to a general ledger and reconciling accounts) will adapt to training more efficiently and have better relations with clients. Hold training sessions that focus on following a transaction from initiation straight through to the general ledger and financial statements to help less experienced staff members get up to speed quickly.
Advise clients to appoint a section 404 team leader. The section 404 audit will run more smoothly if one person assumes the leadership role, with responsibility for keeping the project on track and acting as liaison with the external auditors, consultants, internal auditors, audit committee and key members of management. This person should not be the CFO, CEO or an external consultant. The ideal person is an internal auditor or someone who will not be distracted by monthly or quarterly closing processes or financial reporting.
Carefully monitor and evaluate the project team. The external auditor must meet with the project team on a regular basis and promptly inform management and the audit committee if deadlines slip or the internal control documentation is not adequate. This oversight is especially critical if management engages an outside consultant. There is a booming cottage industry of section 404 consultants, and we found that not all consultants are created equal. Given that large numbers of companies will have to start reporting next year, in addition to the existing accelerated filers, there likely will be a shortage of section 404 qualified internal staff. However, the SEC’s Advisory Committee on Smaller Public Companies may modify section 404 small cap compliance rules before then, which may change the marketplace.
Flowchart, flowchart, flowchart! System narratives are nice, but flowcharts rock. A well-designed flowchart highlights the key controls in a fraction of the time it takes to read a system narrative—and using them is more fun. Ideally, the client should prepare the flowcharts. When that’s not possible, the external audit teams will need to do it for smaller companies. We found Visio, Microsoft Excel and PowerPoint easy to use and sufficient for most applications.
Keep the audit committee informed. Regular communication with the audit committee is critical. A periodic audit committee conference call will ensure there are no surprises at the end.
Discuss deficiencies with management promptly and candidly. While about 14% of section 404 filers have reported material weaknesses, virtually all filers have had significant deficiencies reported to the audit committee by the external auditor. When an auditor finds a significant deficiency or material weakness, it can result in a stressful conversation with management—especially when long-standing clients have had clean opinions on previous financial statement audits (see “What We’re Up Against,” below).
What We’re Up Against
Here is a little exchange that took place with one of our clients recently:
Auditor: Jim, we are doing a walk-through of your accounts-payable system and we see that you paid a $7,500 invoice with two checks issued on the same day, one for $4,500 and one for $3,000. Can you explain to us why this occurred?
CFO: Yes, of course. We have a strict rule that all checks over $5,000 have to be signed by at least two authorized signers and we had to get the check out that day. Only one signer was around, so we just cut two checks.
Auditor: But, Jim, issuing two checks in this manner defeats the purpose of having two signers as a control procedure. Wouldn’t you agree?
CFO: I see your point. Well, I’ll just have to make sure that the CEO pre-signs some checks and leaves them for me so I won’t have that problem in the future.
Author: Needless to say, we corrected his misperception.
An auditor who finds a significant deficiency or material weakness should
Bring the problem to the attention of management and the audit committee immediately.
Discuss the implications openly and candidly.
Offer suggestions for remediation.
Keep current with new developments. Last year at this time there was little formal guidance on how to perform an internal control audit available to CPA firms. Today guidance is available from the AICPA, the SEC, the PCAOB and the Web sites of the Big 4 and other national firms.
Use the work of others. For the many smaller public companies that don’t have full-time internal audit staff, outsourced CFO or internal audit personnel may be an effective alternative for internal control documentation or testing. Find the best service providers in these areas so you can offer clients alternative help if they need it.
Technically the section 404 audit and the financial statement audits are integrated. So far, however, external auditors have not been able to use section 404 internal control testing in fiscal yearend financial statement audits. This should not be a surprise, given that Auditing Standard no. 2 is relatively new and there was some uncertainty about how to apply it. Still, the PCAOB encourages integration and stressed this point in a Board Policy Statement on May 16, 2005.
One simple example of how an external auditor can use internal control tests is to design testing of the accounts-receivable revenue cycle so interim customer accounts-receivable balances are verified via confirmations or another procedure. If weaknesses are noted in the system, the sample size for the yearend confirmations can be greatly reduced based on the internal controls.
Urge clients to get going. A section 404 internal audit should begin 12 to 18 months before the company’s reporting deadline.
Use flowcharts. A well-designed flowchart highlights the key controls in a fraction of the time it takes to read a system narrative.
A good place to start is to design testing of the accounts-receivable revenue cycle, so interim customer accounts-receivable balances are verified via another procedure.
The amount of additional work needed to complete a section 404 audit generally will exceed your expectations. For small business clients, uncovering gaps in company controls “may well be grimly costly,” said the Wall Street Journal (August 15, 2005). In fact, audit fees for accelerated filers have increased by 40% to 80%. Plan accordingly and remember Murphy’s Law.
The Sarbanes-Oxley Act already has had a profound impact on the accounting profession and corporate America. Companies are now more conscious of how and why they do what they do, and in many cases they’ve improved or streamlined their processes. CPAs at all levels of practice need to consider the implications of section 404 for all types of clients. Nonpublic companies in regulated industries, or any companies that wish to do business with a public company, will benefit from a clearer business model. Focusing on internal control reporting in the future can help achieve the goal of improved bottom-line results.
The Institute answers individual questions at the Sarbanes-Oxley Act hot line: 866-265-1977, and provides up-to-date compliance information for CPAs at Sarbanes-Oxley Act/PCAOB Implementation Central, http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/