SOX Deadline Approaches for Non Accelerated Filers

Smaller public companies, those with less than $75 Million market capitalization or a non-accelerated filer, are required to include the auditor’s attestation report on internal control over financial reporting with their annual report for a fiscal year ending on or after December 15, 2009. It appears this deadline will not be extended.

These companies already are including management’s assessment on the strength of their internal controls in their annual reports. Starting this year, the external auditor will provide an opinion on management’s assessment of their internal controls.

I am a non-accelerated filer, what should I produce for my auditor?

In order to provide their opinion, the auditor will be required to review a number of items including:

·         An explanation of how the company is incorporating the principals of the COSO framework is assessing the strengths of its controls (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), such as the following:

         Control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units,

         Management's risk assessment process,

         Centralized processing and controls, including shared service environments,

         Monitoring results of operations,

         Monitoring of controls, including activities of the internal audit function, the audit committee, and self-assessment programs,

         The period-end financial reporting process, and

         Board-approved policies that address significant business control and risk management practices

·         Risk Assessment, this risk assessment should identify the high risk accounts, processes, locations and assertions.

·         Process Documentation – For those high risk processes, the processes should be documented to sufficient detail to allow the auditor to see that generally accepted accounting principles are being followed and walk-through the process and determine if the controls are operating effectively.

·         Risk and Control matrix – For those high risk processes, identify the risk and mitigating controls and include information regarding the control such as if the control is preventative or detective, if it is automatic or manual, the frequency, etc.

·         Proof the control is working effectively – supply samples (determined by frequency) of proof the control was operating effectively.

·         Open issues with an explanation of any potential mitigating control or why this will not have a material effect on the company results.

They will review the information provided and conduct their own tests. Once they perform these tests, they will then to be able to provide an opinion on the strength of the internal controls over financial reporting.

What if I can’t provide this information to them?

If you cannot provide this information to the auditor, they will either conduct additional testing or indicate there is “Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee”. Not a good thing!

A material weakness is a significant deficiency that, by itself, or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

What if a material weakness is found?

If there are material weaknesses found in the internal controls, and you commented last year that it was managements opinion that your controls were operating effectively, it would be in your favor to: know the weakness exists as soon as possible, declare the weakness on an 8k and hopefully you will have enough time to remediate (fix) the control so it could possibly be working when the auditor arrives even though there may not be 6 months worth of evidence that control is working effectively.

What if I get a negative opinion from the auditor?

Remember, the auditor is actually making comments on YOUR assertion of the strength of your internal controls. If there is a material weakness, it will look better if management finds the weakness and the auditor concurs. Generally, a company with material weaknesses may have some immediate decline in stock price depending on how the information is disclosed. The SEC generally gives the company time to remediate the control unless it resulted in significant fraud.

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.

 
 


"The Visage Risk assessment tool and methodology allowed us to respond the risk assessment requirements of the FFIEC in a timely and cost effective manner ".
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank
 
"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system".
   Patrick Camblin Senior Partner in Camblin CPA, PLLC

if you would no longer like to receive periodic updates from VisageSolutions, please follow the unsubscription instructions at the bottom of the email.
Copyright © 2009 Visage Solutions, LLC.