Reporting on Internal Controls

An Accountant’s Look at the Changing Horizons within SOX 404
Presented to
Colorado Bar Association’s Securities Law Group
Presented by
Bill Evert
Hein & Associates LLP
September 21, 2006
Why should companies care about controls?
• Fraud
• Lost revenues
• SOX 404 compliance
• Personal liability
SOX 404 – Management Requirements
Currently effective for accelerated filers ($75MM public float, etc.):
• Incorporate within the Company’s Form 10-K a report that:
– Acknowledges responsibility for establishing/maintaining adequate internal controls over financial reporting
– Identifies framework used (COSO)
– Assesses effectiveness at end of fiscal year
– Confirms independent auditors issued attestation report on management’s assertion
Example Reporting Scenarios
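Situation: No material weakness identified.
– Management’s Report: Internal control effective.
– Auditor’s Opinion on Management’s Assessment: Unqualified
– Auditor’s Opinion on Effectiveness of ICOFR: Unqualified
Situation: Material weakness identified by management and auditor.
– Management’s Report: Internal control not effective.
– Auditor’s Opinion on Management’s Assessment: Unqualified
– Auditor’s Opinion on Effectiveness of ICOFR: Adverse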
Example Reporting Scenarios
Management’s
Report
Situation
Company has one or more material weaknesses, but management’s assessment indicates internal control is effective.
– Issue adverse opinions on both management’s assessment and internal control.
Management fails to fulfill its responsibilities regarding the internal control assessment.
– Communicate to management and the Audit Committee.
– Disclaim opinions.
– Consider possible additional auditor responsibilities.
Deficiencies – Conceptual Definitions
A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met:
• Internal Control Deficiency: likelihood of misstatement is remote OR potential magnitude of misstatement is inconsequential
• Significant Deficiency: likelihood of misstatement is more than remote AND potential magnitude of misstatement is more than inconsequential
• Material Weakness: likelihood of misstatement is more than remote AND potential magnitude of misstatement is material
Current Events – Moving Targets
New guidance:
• Remediation Standard (AS4)
• New SAS standard
• New COSO framework for small businesses (July 11, 2006)
Coming soon:
• New SOX 404 guidance regarding non-accelerated filers and IPOs
• Guidance for companies implementing SOX 404
• Revised AS2
Issues/Pitfalls Encountered
• Lack of:
― Lead time/resources/game plan
― Effective communication between auditor and client
― Motivation in second year
• Issues:
― Late start (prevents integrated audits and rising costs)
― Multiple operations/foreign subsidiaries
― Company’s GAAP and SEC expertise
― Consequences of adverse and disclaimer opinions
― Controls at outsourced service providers
Why is SOX 404 so difficult (and costly)?
1. Definition of significant deficiency “more than inconsequential”:
A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.
2. Must have controls over all of the relevant assertions over all significant accounts and footnotes.
3. Materiality and deficiency evaluation.
4. Testing of attributes, not dollars - “What could go wrong; not what does.”
5. Adjustments the auditor finds.
Why should private companies adopt SOX?
• Better controls thereby:
― Decreasing the likelihood of fraud
― Increasing operational efficiency
• Exit strategy?
• SOX will eventually become the standard by which companies are judged
• New audit standards
CHANGE IS GOOD
YOU GO FIRST
Components of the Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Board of Directors and Audit Committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resources policies and practice
Why control environment is so important
The following circumstances are at least a significant deficiency and a strong indicator of the existence of a material weakness per AS2.
• Restatement of previously issued financial statements.
• Auditor’s identification of a material misstatement in the current year audit that was not initially identified by the Company.
• Ineffective Audit Committee oversight.
• An ineffective internal audit or risk assessment function, if critical to reliability of Company’s financial reporting process.
• An ineffective regulatory compliance function in highly regulated companies if functions could have a material effect on the reliability of financial reporting.
• Identification of fraud of any magnitude on the part of senior management.
• Previously communicated significant deficiencies that remain uncorrected after a reasonable period of time.
• An ineffective control environment.
Oversight by the Audit Committee and Board
• Nature and frequency of meetings
• Consideration of fraud when reviewing:
― Accounting principles
― Non-routine transactions
• Evaluation of management’s assessment of fraud risk
• Discussion with auditors of potential fraud areas
Risk Assessment
• Systematic process
• Consideration of potential fraud schemes:
― Types of fraud
― Fraud triangle
• Assessment of risk at all levels
• Evaluate likelihood and significance of risks
• Assessment of exposure
• Document oversight by Audit Committee