The Value of Experience

HASKELL & WHITE LLP
ACCOUNTING DAY 2010
SOX 404 for the SME
The “Wait” is/may be Over!
Town and Country Convention Center
San Diego, California
May 10, 2010

WELCOME AND INTRODUCTIONS:
Haskell & White LLP is pleased to be the GOLD SPONSOR for Accounting Day 2010
Why Haskell & White LLP is qualified to speak on this topic
A word about today’s speaker

Our Agenda
I. SOX Section 404(b) – Understanding the Basics
II. Status of Regulatory Environment
III. Helpful Lessons Learned – Tips for Success
IV. Action Items to Increase the Likelihood of an Effective and Cost-Efficient Audit
V. Using PCAOB AS 5 to Manage the Audit Process
VI. Closing Comments & Questions

SOX SECTION 404(b) – UNDERSTANDING THE BASICS

How did we get here? (A little history refresher.)
• March 2000: NASDAQ bubble bursts; economic downturn begins
• 2001: Enron restatement and bankruptcy
• 2002:
  – Adelphia off-balance sheet debt; self-dealing; bankruptcy
  – Peregrine Systems falsified revenues; bankruptcy
  – WorldCom capitalizing expenses; inflating revenues; bankruptcy

Enter sponsors Paul Sarbanes and Michael Oxley
July 30, 2002 – G.W. Bush: “The most far-reaching reforms of American business practice since the time of Franklin D. Roosevelt.”
And, here we are almost 10 years later talking about implementation!

Sarbanes-Oxley Act has 11 Titles – these are key:
• (I) PCAOB, (II) Auditor Independence
• (III) Corporate Responsibility – Section 302 certifications (individual responsibility - I have reviewed this report, no untrue statements, I am responsible for controls, etc.)
• (IV) Enhanced Financial Disclosures
• (VIII) Corporate and Criminal Fraud Accountability
• (IX) White Collar Crime Penalty Enhancement – Section 906 certifications (report complies with Exchange Act, report fairly presents); failure to certify is a criminal offense

SOX Title 4; Section 404: Management Assessment Of Internal Controls

(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall-
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Management’s report on ICFR must include:
• A statement of management’s responsibility for establishing and maintaining adequate ICFR
• A statement identifying the framework used by management (COSO)
• A statement whether or not the entity’s ICFR is effective as of the end of the most recently completed fiscal year (design and operating effectiveness)
• A statement that the entity’s IRPAF has issued an attestation report on management’s assessment of ICFR

STATUS OF REGULATORY ENVIRONMENT

SEC and PCAOB respond to Congress:
• June 2003: rules adopted – accelerated filers have integrated audit requirement for FYE 12/31/2004
• June 2004: SEC approves PCAOB AS 2
• July 2007: SEC approves PCAOB AS 5 (the “kinder, gentler” integrated audit standard)
• Non-accelerated filers receive a series of postponements, the last of which was thought to have been issued in June 2008 (But wait, there is more!!)

The SEC has worked hard to make SOX 404 less burdensome for smaller public companies – Roundtables; PCAOB AS 2 studied and superseded via AS 5; SEC Guidance for registrants; PCAOB Guidance for auditors.

• October 2009 – The SEC provides yet another extension for SOX for Small and Medium Enterprises (SMEs)
  – A six-month extension until years ending after June 15, 2010.
• Political Agenda??
  – Why 6 months? Vast majority of companies had 12/31 year ends… perhaps a 6-month extension sounded better than a year.
  – Financial reform. Obama administration is seeking reforms in light of the recent banking crises

• SEC promised “no more extensions” in its October 2009 release.
• Proposed legislation in the House of Representatives includes language that would permanently exempt registrants from 404(b) if their market cap is under $75 million.
• Proposed legislation in the Senate is silent with respect to any 404 extensions/exemptions.
• Current view – time is running out… further extensions unlikely; unless…

HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

“Tone at the Top” is required. Buy-in to the process has to start with the “CEO”.

Plenty of information out there for the public SME that is working on their ICFR project. Likewise, private companies can look to these resources for “best practices”.

REMINDER – Internal control is a “process” providing reasonable assurance regarding
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with laws and regulations

No need to start from scratch
• Special projects (due diligence)
• Internal auditors
• Information Technology
• Prior year 404(a) evaluation
• Auditor’s previous understanding of internal controls

ICFR Assessment is not an “accounting thing”
• Cross-company assistance is needed
• Other departments will need to be involved in evaluating operational controls
• Don’t let other departments not play; resistance can be expected

In the name of efficiency, operations might actually be improved along the way

Wouldn’t it be nice to know your controls are keeping you and your company in compliance with the myriad of regulations companies face today (SEC, IRS, FTB, EPA, FDA, etc., etc.)?

Executive level buy-in has been a key to success
• If they have not bought in as leaders of the organization, other departments will not participate to the extent you need them
• Be careful of what message the C-level delivers. This speaks volumes of the control environment.
• “We will pass with flying colors and have no material weaknesses!!!!”

Start EARLY – Those who have started early tend to have a better experience
• Corrective or new controls will have time to season
• Allows time to remediate control deficiencies identified
• External resources for assistance might be difficult to secure late in the season – the good ones go fast

If you have a June 30, 2010 FYE – you are now way behind!! The rest of you do not have any time to waste.

Start EARLY (continued)
• Avoid crunch time. Very difficult for you and your auditors to do the ICFR and Financial Statement audit at the same time.
• Test ICFR first to allow the auditors to rely on those results – less substantive work
• Start with the hard stuff! i.e. Entity level controls and revenue (AS 5 describes a “top down approach”)
• Complete the control design assessment first. Don’t waste time testing controls that do not work.

IT Assessment
• Strong IT controls can allow for more reliance on system generated documents and information.
• Remediation / change is sometimes slow in this arena.

Early upfront communication with the auditors goes a long way
• Scope / Risk assessment – will you cover everything the auditors are going to look at?
• Key controls and sample sizes
• Extent of documentation
• Communicate known control deficiencies and areas with weaknesses
• Understand Auditor’s plan for the Integrated Audit (timing, staffing, experience levels, use of specialists, etc.)

Allow time to evaluate and perhaps remediate deficiencies identified by your process or that of the auditors
• Identification and evaluation of mitigating controls takes some time for the auditors to buy in to your positions

ACTION ITEMS TO INCREASE THE LIKELIHOOD OF AN EFFECTIVE AND COST-EFFICIENT AUDIT

Study and do your homework – know SEC and PCAOB guidance

Embrace a “top-down” approach
• Begin at the financial statement level; risk assessment; entity level controls; and work down to significant accounts and disclosures and their relevant assertions

Adopt an appropriate attitude
• Attitude of compliance
• Attitude of improvement

Entity-level controls (ELCs) are your friend
• Control environment
• Controls over management override
• Company’s risk assessment process
• Monitoring controls
• Controls over period-end financial reporting process

Emphasize risk assessment – “What could go wrong?”

Take inventory of your documentation, resources and skill sets; who “owns” the project?

Know your significant accounts, relevant assertions and key controls
• Evaluate automated controls vs. manual controls
• Evaluate preventative controls vs. detective controls
• Evaluate design – are controls correctly aligned with assertions?
• Evaluate operation – are controls working as properly designed?

Don’t plan to settle for a material weakness report just because you are small
• Realign internal duties
• Engage external resources
• Strengthen board oversight

Start early – knowing today is better than knowing tomorrow

Communicate early and often with your auditor and save money!
• Discuss concepts of materiality
• Discuss areas to be “scoped in” or “scoped out”
• Reach understanding as to appropriate sample sizes
• On what internal information and/or testing processes will auditor be able to place reliance?

Develop an effective communication plan with your Board of Directors/Audit Committee – frequent status reports on project plan; issue notification; sufficiency of resources; what they can do to help the company?

USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS

AS 2 approved by the SEC in June 2004; rules-based; 160 pages
AS 5 approved by the SEC in July 2007; principles-based; 56 pages

Why the change?
• Accelerated filers experienced significant costs – exceeded all SEC estimates (remember the SEC’s initial cost estimate?)
• PCAOB inspection of auditors noted lack of integration with financial statement audits; lack of risk assessment; over-auditing of controls
• SEC concern regarding the costs to smaller public companies and the scalability of the standard

Understanding some key concepts in AS 5 will help ensure:
• Integration of the financial statement and ICFR audits
• Employment of a “top-down” approach and the application of an appropriate risk assessment to the audits
• Leverage from the work supporting management’s assessment
• Leverage from prior year audits
• Appropriate use of benchmarking
• Effective communications with your auditors

Pa10: “Risk assessment underlies the entire audit process…”

Pa19: “As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.”

Pa21: “The auditor should use a top-down approach to the audit of ICFR to select the controls to test.”

Pa25: “Because of its importance to effective ICFR, the auditor must evaluate the control environment at the company.”

Pa57: “In subsequent years’ audits, the auditor should incorporate knowledge obtained during past audits…”

Pa60: “The auditor may also use a benchmarking strategy for automated application controls…”

PaA7: “A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

PaA11: “A significant deficiency is a deficiency, or a combination of deficiencies, in ICFR, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.”

Closing Comments & Questions

8001 Irvine Center Drive, Suite 300
Irvine, CA 92618
T (949) 450-6200
F (949) 450-6201

12707 High Bluff Drive, Suite 200
San Diego, CA 92130
T (858) 350-4215
F (858) 350-4218