Presentation - Accounting Day

advertisement
The Value of Experience
HASKELL & WHITE LLP
ACCOUNTING DAY 2010
SOX 404 for the SME
The “Wait” is/may be Over!
Town and Country Convention Center
San Diego, California
May 10, 2010
The Value of Experience
WELCOME AND INTRODUCTIONS:
 Haskell & White LLP is pleased to be the GOLD
SPONSOR for Accounting Day 2010
 Why Haskell & White LLP is qualified to speak on this
topic
 A word about today’s speaker
Our Agenda
SOX Section 404(b) – Understanding the Basics
Status of Regulatory Environment
Helpful Lessons Learned – Tips for Success
Action Items to Increase the Likelihood of an Effective and
Cost-Efficient Audit
V. Using PCAOB AS 5 to Manage the Audit Process
VI. Closing Comments & Questions
I.
II.
III.
IV.
SOX SECTION 404(b) – UNDERSTANDING THE BASICS
How did we get here? (A little history refresher.)
•March 2000: NASDAQ bubble bursts; economic downturn begins
•2001: Enron restatement and bankruptcy
•2002: Adelphia off-balance sheet debt; self-dealing; bankruptcy
Peregrine Systems falsified revenues; bankruptcy
WorldCom capitalizing expenses; inflating revenues; bankruptcy
 Enter sponsors Paul Sarbanes and Michael Oxley
 July 30, 2002 – G.W. Bush: “The most far-reaching reforms of American
business practice since the time of Franklin D. Roosevelt.”
 And, here we are almost 10 years later talking about implementation!
SOX SECTION 404(b) – UNDERSTANDING THE BASICS
 Sarbanes-Oxley Act has 11 Titles – these are key:
• (I) PCAOB, (II) Auditor Independence
• (III) Corporate Responsibility – Section 302 certifications (individual
responsibility - I have reviewed this report, no untrue statements, I am
responsible for controls, etc.)
• (IV) Enhanced Financial Disclosures
• (VIII) Corporate and Criminal Fraud Accountability
• (IX) White Collar Crime Penalty Enhancement – Section 906
certifications (report complies with Exchange Act, report fairly
presents); failure to certify is a criminal offense
SOX SECTION 404(b) – UNDERSTANDING THE BASICS
SOX Title 4; Section 404: Management Assessment Of Internal Controls
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each
annual report required by section 13 of the Securities Exchange Act of
1934 (15 U.S.C. 78m) to contain an internal control report, which shall-(1) state the responsibility of management for establishing and
maintaining an adequate internal control structure and procedures for
financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of
the issuer, of the effectiveness of the internal control structure and
procedures of the issuer for financial reporting.
SOX SECTION 404(b) – UNDERSTANDING THE BASICS
SOX Title 4; Section 404: Management Assessment Of Internal Controls
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With
respect to the internal control assessment required by subsection (a), each
registered public accounting firm that prepares or issues the audit report for
the issuer shall attest to, and report on, the assessment made by the
management of the issuer. An attestation made under this subsection shall
be made in accordance with standards for attestation engagements issued or
adopted by the Board. Any such attestation shall not be the subject of a
separate engagement.
SOX SECTION 404(b) – UNDERSTANDING THE BASICS
Management’s report on ICFR must include:
•
A statement of management’s responsibility for establishing and
maintaining adequate ICFR
•
A statement identifying the framework used by management (COSO)
•
A statement whether or not the entity’s ICFR is effective as of the
end of the most recently completed fiscal year (design and operating
effectiveness)
•
A statement that the entity’s IRPAF has issued an attestation report
on management’s assessment of ICFR
STATUS OF REGULATORY ENVIRONMENT
SEC and PCAOB respond to Congress:
•
June 2003: rules adopted – accelerated filers have integrated audit
requirement for FYE 12/31/2004
•
June 2004: SEC approves PCAOB AS 2
•
July 2007: SEC approves PCAOB AS 5 (the “kinder, gentler” integrated
audit standard
•
Non-accelerated filers receive a series of postponements, the last of which
was thought to have been issued in June 2008 (But wait, there is more!!)

The SEC has worked hard to make SOX 404 less burdensome for smaller public
companies – Roundtables; PCAOB AS 2 studied and superseded via AS5; SEC
Guidance for registrants; PCAOB Guidance for auditors.
STATUS OF REGULATORY ENVIRONMENT
• October 2009 – The SEC provides yet another extension for
SOX for Small and Medium Enterprises (SMEs) – A six-month
extension until years ending after June 15, 2010.
• Political Agenda??
– Why 6 months? Vast majority of companies had 12/31
year ends…perhaps a 6 extension sounded better than a
year.
– Financial reform. Obama administration is seeking reforms
in light of the recent banking crises
STATUS OF REGULATORY ENVIRONMENT
• SEC promised “no more extensions” in its October 2009
release.
• Proposed legislation in the House of Representatives includes
language that would permanently exempt registrants from
404(b) if their market cap is under $75 million.
• Proposed legislation in the Senate is silent with respect to any
404 extensions/exemptions.
• Current view – time is running out….further extensions
unlikely; unless……..
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS





“Tone at the Top” is required. Buy-in to the process has to start with the “CEO”.
Plenty of information out there for the public SME that is working on their ICFR
project.
Likewise, private companies can look to these resources for “best practices”.
REMINDER – Internal control is a “process” providing reasonable assurance
regarding
•
Reliability of financial reporting
•
Effectiveness and efficiency of operations
•
Compliance with laws and regulations
No need to start from scratch
•
Special projects (due diligence)
•
Internal auditors
•
Information Technology
•
Prior year 404(a) evaluation
•
Auditor’s previous understanding of internal controls
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

ICFR Assessment is not an “accounting thing”
•
Cross-company assistance is needed
•
Other departments will need to be involved in evaluating operational controls
•
Don’t let other departments not play, resistance can be expected

In the name of efficiency, operations might actually be improved along the way

Wouldn’t it be nice to know your controls are keeping you and your company in
compliance with the myriad of regulations companies face today (SEC, IRS,
FTB, EPA, FDA, etc., etc.).
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Executive level buy-in has been a key to success
•
If they have not bought in as leaders of the organization, other departments
will not participate to the extent you need them
•
Be careful of what message the C-level delivers. This speaks volumes of
the control environment.
•
“We will pass with flying colors and have no material weaknesses!!!!”
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS

Start EARLY – Those who have started early tend to have a better experience
•
•
•
Corrective or new controls will have time to season
Allows time to remediate control deficiencies identified
External resources for assistance might be difficult
to secure late in the season – the good ones go fast
If you have a June 30, 2010 FYE – you
are now way behind!! The rest of you do
not have any time to waste.
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS


Start EARLY (continued)
•
Avoid crunch time. Very difficult for you and your auditors to do the ICFR
and Financial Statement audit at the same time.
•
Test ICFR first to allow the auditors to rely on those results – less
substantive work
•
Start with the hard stuff! i.e. Entity level controls and revenue (AS5
describes a “top down approach”)
•
Complete the control design assessment first. Don’t waste time testing
controls that do not work.
IT Assessment
•
Strong IT controls can allow for more reliance on system generated
documents and information.
•
Remediation / change is sometimes slow in this arena.
HELPFUL LESSONS LEARNED – TIPS FOR SUCCESS


Early upfront communication with the auditors goes a long way
•
Scope / Risk assessment – will you cover everything the auditors are going to
look at?
•
Key controls and sample sizes
•
Extent of documentation
•
Communicate known control deficiencies and areas with weaknesses
•
Understand Auditor’s plan for the Integrated Audit (timing, staffing,
experience levels, use of specialists, etc.)
Allow time to evaluate and perhaps remediate deficiencies identified by your
process or that of the auditors
•
Identification and evaluation of mitigating controls takes some time for the
auditors to buy in to your positions
ACTION ITEMS TO INCREASE THE LIKLIHOOD OF AN
EFFECTIVE AND COST-EFFICIENT AUDIT



Study and do your homework – know SEC and PCAOB guidance
Embrace a “top-down” approach
•
Begin at the financial statement level; risk assessment; entity level controls;
and works down to significant accounts and disclosures and their relevant
assertions
Adopt an appropriate attitude
•
Attitude of compliance
•
Attitude of improvement
ACTION ITEMS TO INCREASE THE LIKLIHOOD OF AN
EFFECTIVE AND COST-EFFICIENT AUDIT



Entity-level controls (ELCs) are your friend
•
Control environment
•
Controls over management override
•
Company’s risk assessment process
•
Monitoring controls
•
Controls over period-end financial reporting process
Emphasize risk assessment – “What could go wrong?”
Take inventory of your documentation, resources and skill sets; who
“owns” the project?
ACTION ITEMS TO INCREASE THE LIKLIHOOD OF AN
EFFECTIVE AND COST-EFFICIENT AUDIT



Know your significant accounts, relevant assertions and key controls
•
Evaluate automated controls vs. manual controls
•
Evaluate preventative controls vs. detective controls
•
Evaluate design –are controls correctly aligned with assertions?
•
Evaluate operation –are controls working as properly designed?
Don’t plan to settle for a material weakness report just because you are small
•
Realign internal duties
•
Engage external resources
•
Strengthen board oversight
Start early – knowing today is better than knowing tomorrow
ACTION ITEMS TO INCREASE THE LIKLIHOOD OF AN
EFFECTIVE AND COST-EFFICIENT AUDIT


Communicate early and often with your auditor and save money!
•
Discuss concepts of materiality
•
Discuss areas to be “scoped in” or “scoped out”
•
Reach understanding as to appropriate sample sizes
•
On what internal information and/or testing processes will auditor be able to
place reliance?
Develop an effective communication plan with your Board of Directors/Audit
Committee – frequent status reports on project plan; issue notification;
sufficiency of resources; what they can do to help the company?
USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS



AS 2 approved by the SEC in June 2004; rules-based; 160 pages
AS 5 approved by the SEC in July 2007; principles-based; 56 pages
Why the change?
•
Accelerated filers experienced significant costs – exceeded all SEC estimates
(remember the SEC’s initial cost estimate?)
•
PCAOB inspection of auditors noted lack of integration with financial
statement audits; lack of risk assessment; over-auditing of controls
•
SEC concern regarding the costs to smaller public companies and the
scalability of the standard
USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS
 Understanding some key concepts in AS 5 will help ensure:
•
Integration of the financial statement and ICFR audits
•
Employment of a “top-down” approach and the application of an
appropriate risk assessment to the audits
•
Leverage from the work supporting management’s assessment
•
Leverage from prior year audits
•
Appropriate use of benchmarking
•
Effective communications with your auditors
USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS



Pa10: “Risk assessment underlies the entire audit process…”
Pa19: “As the risk associated with a control increases, the need for the auditor to
perform his or her own work on the control increases.”
Pa21: “The auditor should use a top-down approach to the audit of ICFR to select
the controls to test.”
USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS



Pa25: “Because of its importance to effective ICFR, the auditor must evaluate the
control environment at the company.”
Pa57: “In subsequent years’ audits, the auditor should incorporate knowledge
obtained during past audits…”
Pa60: “The auditor may also use a benchmarking strategy for automated
application controls…”
USING PCAOB AS 5 TO MANAGE THE AUDIT PROCESS


PaA7: “A material weakness is a deficiency, or a combination of deficiencies, in
ICFR, such that there is a reasonable possibility that a material misstatement of
the company’s annual or interim financial statements will not be prevented or
detected on a timely basis.”
PaA11: “A significant deficiency is a deficiency, or a combination of
deficiencies, in ICFR, that is less severe than a material weakness, yet important
enough to merit attention by those responsible for oversight of the company’s
financial reporting.”
Closing Comments & Questions
8001 Irvine Center Drive
Suite 300
Irvine, CA 92618
T (949) 450-6200
F (949) 450-6201
12707 High Bluff Drive
Suite 200
San Diego, CA 92130
T (858) 350-4215
F (858) 350-4218
Download