The Value of Experience SOX 404 for the SME The “Wait” is/may be Over! Town and Country Convention Center San Diego, California May 10, 2010 HASKELL & WHITE LLP ACCOUNTING DAY 2010

SOX 404 for the SME The “Wait” is/may be Over!


Page 1: SOX 404 for the SME The “Wait” is/may be Over!

The Value of Experience

SOX 404 for the SME

The “Wait” is/may be Over!

Town and Country Convention Center

San Diego, California

May 10, 2010

HASKELL & WHITE LLP ACCOUNTING DAY 2010

Page 2: SOX 404 for the SME The “Wait” is/may be Over!

The Value of Experience

WELCOME AND INTRODUCTIONS:

Haskell & White LLP is pleased to be the GOLD SPONSOR for Accounting Day 2010

Why Haskell & White LLP is qualified to speak on this topic

A word about today’s speaker

Page 3: SOX 404 for the SME The “Wait” is/may be Over!

Our Agenda

I. SOX Section 404(b) – Understanding the Basics

II. Status of Regulatory Environment

III. Helpful Lessons Learned – Tips for Success

IV. Action Items to Increase the Likelihood of an Effective and Cost-Efficient Audit

V. Using PCAOB AS 5 to Manage the Audit Process

VI. Closing Comments & Questions

Page 4: SOX 404 for the SME The “Wait” is/may be Over!

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

How did we get here? (A little history refresher.)

• March 2000: NASDAQ bubble bursts; economic downturn begins

• 2001: Enron restatement and bankruptcy

• 2002: Adelphia off-balance sheet debt; self-dealing; bankruptcy

Peregrine Systems falsified revenues; bankruptcy

WorldCom capitalizing expenses; inflating revenues; bankruptcy

Enter sponsors Paul Sarbanes and Michael Oxley

July 30, 2002 – G.W. Bush: “The most far-reaching reforms of American business practice since the time of Franklin D. Roosevelt.”

And, here we are almost 10 years later talking about implementation!

Page 5: SOX 404 for the SME The “Wait” is/may be Over!

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

Sarbanes-Oxley Act has 11 Titles – these are key:

• (I) PCAOB, (II) Auditor Independence

• (III) Corporate Responsibility – Section 302 certifications (individual responsibility - I have reviewed this report, no untrue statements, I am responsible for controls, etc.)

• (IV) Enhanced Financial Disclosures

• (VIII) Corporate and Criminal Fraud Accountability

• (IX) White Collar Crime Penalty Enhancement – Section 906 certifications (report complies with Exchange Act, report fairly presents); failure to certify is a criminal offense

Page 6: SOX 404 for the SME The “Wait” is/may be Over!

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

SOX Title 4; Section 404: Management Assessment Of Internal Controls

(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall--

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Page 7: SOX 404 for the SME The “Wait” is/may be Over!

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

SOX Title 4; Section 404: Management Assessment Of Internal Controls

(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Page 8: SOX 404 for the SME The “Wait” is/may be Over!

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

Management’s report on ICFR must include:

• A statement of management’s responsibility for establishing and maintaining adequate ICFR

• A statement identifying the framework used by management (COSO)

• A statement whether or not the entity’s ICFR is effective as of the end of the most recently completed fiscal year (design and operating effectiveness)

• A statement that the entity’s IRPAF has issued an attestation report on management’s assessment of ICFR

Page 9: SOX 404 for the SME The “Wait” is/may be Over!

STATUS OF REGULATORY ENVIRONMENT

SEC and PCAOB respond to Congress:

• June 2003: rules adopted – accelerated filers have integrated audit requirement for FYE 12/31/2004

• June 2004: SEC approves PCAOB AS 2

• July 2007: SEC approves PCAOB AS 5 (the “kinder, gentler” integrated audit standard)

• Non-accelerated filers receive a series of postponements, the last of which was thought to have been issued in June 2008 (But wait, there is more!!)

The SEC has worked hard to make SOX 404 less burdensome for smaller public companies – Roundtables; PCAOB AS 2 studied and superseded via AS 5; SEC Guidance for registrants; PCAOB Guidance for auditors.

Page 10: SOX 404 for the SME The “Wait” is/may be Over!

STATUS OF REGULATORY ENVIRONMENT

• October 2009 – The SEC provides yet another extension for SOX for Small and Medium Enterprises (SMEs) – A six-month extension until years ending after June 15, 2010.

• Political Agenda??

– Why 6 months? Vast majority of companies had 12/31 year ends… perhaps a 6-month extension sounded better than a year.

– Financial reform. Obama administration is seeking reforms in light of the recent banking crises

Page 11: SOX 404 for the SME The “Wait” is/may be Over!

STATUS OF REGULATORY ENVIRONMENT

• SEC promised “no more extensions” in its October 2009 release.

• Proposed legislation in the House of Representatives includes language that would permanently exempt registrants from 404(b) if their market cap is under $75 million.

• Proposed legislation in the Senate is silent with respect to any 404 extensions/exemptions.

• Current view – time is running out….further extensions unlikely; unless……..

Page 12: SOX 404 for the SME The “Wait” is/may be Over!

“Tone at the Top” is required. Buy-in to the process has to start with the “CEO”.

Plenty of information out there for the public SME that is working on their ICFR project. Likewise, private companies can look to these resources for “best practices”.

REMINDER – Internal control is a “process” providing reasonable assurance regarding

• Reliability of financial reporting

• Effectiveness and efficiency of operations

• Compliance with laws and regulations

No need to start from scratch

• Special projects (due diligence)

• Internal auditors

• Information Technology

• Prior year 404(a) evaluation

• Auditor’s previous understanding of internal controls

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Page 13: SOX 404 for the SME The “Wait” is/may be Over!

ICFR Assessment is not an “accounting thing”

• Cross-company assistance is needed

• Other departments will need to be involved in evaluating operational controls

• Don’t let other departments opt out; resistance can be expected

In the name of efficiency, operations might actually be improved along the way

Wouldn’t it be nice to know your controls are keeping you and your company in compliance with the myriad of regulations companies face today (SEC, IRS, FTB, EPA, FDA, etc.)?

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Page 14: SOX 404 for the SME The “Wait” is/may be Over!

Executive level buy-in has been a key to success

• If they have not bought in as leaders of the organization, other departments will not participate to the extent you need them

• Be careful of what message the C-level delivers. This speaks volumes of the control environment.

• “We will pass with flying colors and have no material weaknesses!!!!”

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Page 15: SOX 404 for the SME The “Wait” is/may be Over!

Start EARLY – Those who have started early tend to have a better experience

• Corrective or new controls will have time to season

• Allows time to remediate control deficiencies identified

• External resources for assistance might be difficult to secure late in the season – the good ones go fast

If you have a June 30, 2010 FYE – you are now way behind!! The rest of you do not have any time to waste.

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Page 16: SOX 404 for the SME The “Wait” is/may be Over!

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Start EARLY (continued)

• Avoid crunch time. Very difficult for you and your auditors to do the ICFR and Financial Statement audit at the same time.

• Test ICFR first to allow the auditors to rely on those results – less substantive work

• Start with the hard stuff, i.e., entity-level controls and revenue (AS 5 describes a “top-down approach”)

• Complete the control design assessment first. Don’t waste time testing controls that do not work.

IT Assessment

• Strong IT controls can allow for more reliance on system generated documents and information.

• Remediation / change is sometimes slow in this arena.

Page 17: SOX 404 for the SME The “Wait” is/may be Over!

Early upfront communication with the auditors goes a long way

• Scope / Risk assessment – will you cover everything the auditors are going to look at?

• Key controls and sample sizes

• Extent of documentation

• Communicate known control deficiencies and areas with weaknesses

• Understand Auditor’s plan for the Integrated Audit (timing, staffing, experience levels, use of specialists, etc.)

Allow time to evaluate and perhaps remediate deficiencies identified by your process or that of the auditors

• Identification and evaluation of mitigating controls takes some time for the auditors to buy in to your positions

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Page 18: SOX 404 for the SME The “Wait” is/may be Over!

Study and do your homework – know SEC and PCAOB guidance

Embrace a “top-down” approach

• Begin at the financial statement level (risk assessment; entity-level controls) and work down to significant accounts and disclosures and their relevant assertions

Adopt an appropriate attitude

• Attitude of compliance

• Attitude of improvement

ACTION ITEMS TO INCREASE THE LIKELIHOOD OF AN EFFECTIVE AND COST-EFFICIENT AUDIT

Page 19: SOX 404 for the SME The “Wait” is/may be Over!

ACTION ITEMS TO INCREASE THE LIKELIHOOD OF AN EFFECTIVE AND COST-EFFICIENT AUDIT

Entity-level controls (ELCs) are your friend

• Control environment

• Controls over management override

• Company’s risk assessment process

• Monitoring controls

• Controls over period-end financial reporting process

Emphasize risk assessment – “What could go wrong?”

Take inventory of your documentation, resources and skill sets; who “owns” the project?

Page 20: SOX 404 for the SME The “Wait” is/may be Over!

Know your significant accounts, relevant assertions and key controls

• Evaluate automated controls vs. manual controls

• Evaluate preventative controls vs. detective controls

• Evaluate design – are controls correctly aligned with assertions?

• Evaluate operation – are controls working as properly designed?

Don’t plan to settle for a material weakness report just because you are small

• Realign internal duties

• Engage external resources

• Strengthen board oversight

Start early – knowing today is better than knowing tomorrow

ACTION ITEMS TO INCREASE THE LIKELIHOOD OF AN EFFECTIVE AND COST-EFFICIENT AUDIT

Page 21: SOX 404 for the SME The “Wait” is/may be Over!

Communicate early and often with your auditor and save money!

• Discuss concepts of materiality

• Discuss areas to be “scoped in” or “scoped out”

• Reach understanding as to appropriate sample sizes

• On what internal information and/or testing processes will auditor be able to place reliance?

Develop an effective communication plan with your Board of Directors/Audit Committee – frequent status reports on project plan; issue notification; sufficiency of resources; what they can do to help the company?

ACTION ITEMS TO INCREASE THE LIKELIHOOD OF AN EFFECTIVE AND COST-EFFICIENT AUDIT

Page 22: SOX 404 for the SME The “Wait” is/may be Over!

AS 2 approved by the SEC in June 2004; rules-based; 160 pages

AS 5 approved by the SEC in July 2007; principles-based; 56 pages

Why the change?

• Accelerated filers experienced significant costs – exceeded all SEC estimates (remember the SEC’s initial cost estimate?)

• PCAOB inspection of auditors noted lack of integration with financial statement audits; lack of risk assessment; over-auditing of controls

• SEC concern regarding the costs to smaller public companies and the scalability of the standard

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

Page 23: SOX 404 for the SME The “Wait” is/may be Over!

Understanding some key concepts in AS 5 will help ensure:

• Integration of the financial statement and ICFR audits

• Employment of a “top-down” approach and the application of an appropriate risk assessment to the audits

• Leverage from the work supporting management’s assessment

• Leverage from prior year audits

• Appropriate use of benchmarking

• Effective communications with your auditors

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

Page 24: SOX 404 for the SME The “Wait” is/may be Over!

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

Pa10: “Risk assessment underlies the entire audit process…”

Pa19: “As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.”

Pa21: “The auditor should use a top-down approach to the audit of ICFR to select the controls to test.”

Page 25: SOX 404 for the SME The “Wait” is/may be Over!

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

Pa25: “Because of its importance to effective ICFR, the auditor must evaluate the control environment at the company.”

Pa57: “In subsequent years’ audits, the auditor should incorporate knowledge obtained during past audits…”

Pa60: “The auditor may also use a benchmarking strategy for automated application controls…”

Page 26: SOX 404 for the SME The “Wait” is/may be Over!

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

PaA7: “A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

PaA11: “A significant deficiency is a deficiency, or a combination of deficiencies, in ICFR, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.”

Page 27: SOX 404 for the SME The “Wait” is/may be Over!

Closing Comments & Questions

Page 28: SOX 404 for the SME The “Wait” is/may be Over!

8001 Irvine Center Drive

Suite 300

Irvine, CA 92618

T (949) 450-6200

F (949) 450-6201

12707 High Bluff Drive

Suite 200

San Diego, CA 92130

T (858) 350-4215

F (858) 350-4218