www.eisneramper.com


Non-Accelerated SOX
Efficient Implementation
Peter Bible
Leader, Public Company Group
Andy Barfuss
Leader, Business Risk & Advisory
June 24, 2009
SOX PRIMER
SOX Primer
Selected History
• A Continuum of Financial Reporting Regulation & Guidance
– 1934 – The Securities Exchange Act
• Requires issuers to file 10-Ks & 10-Qs
• Requires adequate books & records and internal controls
– 1977 – Foreign Corrupt Practices Act
• Requires internal accounting controls for financial reporting
– 1987 – The Treadway Commission
• Recommended steps to reduce fraudulent financial reporting
– 1991 – The Federal Deposit Insurance Corporation Improvement Act (“FDICIA”)
• Recommended management’s assessments and assurances over a bank’s internal controls.
– 1992 – The COSO Report
• Recommended framework to identify risks and design internal controls
• Framework embraced by SEC and PCAOB
– 2002 – Sarbanes-Oxley Act
• Extension of the Securities Exchange Act of ’34
• Requires an opinion from management and the external public accounting firm over controls for financial reporting
– 2003 to 2008 – SEC Extends Multiple Deadlines
– 2009 – New Political Climate Makes Further Extensions Unlikely
• New SEC Appointee, Mary Schapiro: “It’s time that we bring uniformity to the system”
SOX Primer
Who Must Comply
• All SEC Registrants:
– S-1 filers must comply with SOX
– Accelerated filers:
• Market cap > $75 million
• Year ends after November 15, 2004
– Non-accelerated filers:
• Market cap < $75 million
• Year ends after December 15, 2009
SOX Primer
Main 404 Elements
• Formalized, Annual, Two-Step Process:
– Section 404(a) – Management’s Assessment of Internal Controls:
• Document and test internal controls
• Assert that controls are adequate (or not) for the preparation of reliable financial statements
– Section 404(b) – Requires an External Audit of Internal Control:
• Independently review management’s basis for Assertion
• Independently test controls
• Attest that management’s system of controls is adequate (or not) for the generation of reliable financial statements
SOX Primer
Other Elements
• Section 302: Various representations by certifying officers, similar to Section 906 plus additional representations related to disclosure controls and procedures, internal controls and fraud.
• Section 404: Perform ANNUAL assessment of the effectiveness of internal controls over financial reporting and obtain attestation from external auditors.
• Section 409: Disclosure to the public, on a “rapid and current basis”, of material changes to financial condition or results of operations.
• Section 906: The periodic reports state that financial information complies with the Exchange Act and fairly presents financial condition & results of operations.
SOX Primer
Auditing Standard No. 5
• July 25, 2007 - SEC approved PCAOB’s AS #5
– Replaced Auditing Standard No. 2
– Provides interpretive guidance for external auditors
– Goal = improving the efficiency and effectiveness of their SOX 404 efforts
– Key Features:
• Less prescriptive than AS #2
• Provides audit scalability – matching size & complexity of client
• Requires a risk-based focus to eliminate unnecessary procedures
• Provides principles-based approach for reliance upon work of others
SOX Primer
Classifications of Deficiencies
• Under AS-5:
– Significant Deficiency:
• “A significant deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant’s financial reporting”
– Material Weakness:
• “A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis”
SOX Primer
PCAOB Guidance - Small Public Companies
• January 2009 – PCAOB published guidance for Auditors of Small Public Companies
• External auditor & management collaboration required:
– Highlight Tone at the Top
– Use a Top Down Approach to identify key controls
– Concentrate on Areas of Risk
– Evaluate and understand the risk of management override
– Understand the significance of having informal documentation
– Address Segregation of Duty (SOD) issues
– Understand Information Technology Controls
– Prepare for a financial reporting skills evaluation
NON-ACCELERATED CONSIDERATIONS
Non-Accelerated Considerations
Internal Control Defined
• Policies & procedures to ensure the achievement of an objective:
– Documentation
– Performing reconciliations
– Security
– Organizational design
Non-Accelerated Considerations
Common Control Deficiencies
GAAP Application
Internal Control
Non-Accelerated Filers
Stock Options
Poor Control Environment
Segregation of Duties – esp. IT
Hedging
Non-routine Transactions
Treasury
Derivative Securities
Account Reconciliations
Lease Accounting
Ineffective Review & Approval
Inter-company
Foreign Subs
Complex Accounting Issues
IT – General Computing Controls
Former Owner Influence
Board Effectiveness
Revenue Recognition
IT – Application Controls
Non-Accelerated Considerations
Inherent Challenges
• Internal Control – Inherent Challenges:
– Lack of accounting resources for effective segregation of duties
– IT staff with dual responsibilities – production & development
– Ability of senior executives to override controls
– Ability to recruit & retain sophisticated GAAP and IT talent
PRACTICAL APPROACH
Practical Approach
Lessons From Accelerated Filers
• What went right
– Top-down approach – risk-driven scoping
– Started project early
– Honest evaluation of problems
– Held key individuals accountable
• What went wrong
– Late start
– Limited collaboration with external auditors
– Underestimated amount of work required
– Attempted to self-test
– Did not effectively involve business process owners
– Did not take into account Information Technology
– Staffed project with people who had “day jobs”
Practical Approach
Optimizing AS5
EXTERNAL AUDITOR INVOLVEMENT AND COLLABORATION IS CRITICAL
Risk Assessment
Define Materiality
• Performed at the consolidated level (Balance Sheet, P&L, Footnotes)
• Consider both qualitative and quantitative factors
• Determine definition(s) for risk rankings
• Assign risk at the account assertion level (i.e. completeness, valuation, existence, accuracy, presentation)
• Determine and document the basis for materiality calculation (i.e. 5% of total assets or 1% of revenues)
• Consider using a 3-year rolling average to account for volatility
• Define qualitative factors for measuring a material weakness, significant deficiency or a deficiency
Entity Level Assessment
• Take credit for how you manage, operate and monitor the business results
• Determine and document your entity level controls
• Link the entity level controls to the account balances on the risk assessment
Process Level Controls
• Only perform when entity level controls are not sufficient
• Limit documentation and testing to those controls deemed significant at the financial assertion level (i.e. do not document and test all controls within a process but only those controls deemed the most significant)
Practical Approach
Optimized AS5 – Key Controls
Example: Single Location Distributor
Process | “Traditional Approach” # Key Controls | “Optimized AS5 Approach” # Key Controls | Optimized AS 5 - Control Examples
Entity Level | 5-10 | 10-15 | Policies & Procedures, Code of Ethics, Board and Audit Committee Oversight, Monthly/Quarterly Financial Reviews, Budget Process, Hiring Process, Training, Schedule of Authority
Information Technology | 15-25 | 5-10 | Access, Segregation of Duties, Change Management, Backup
Financial Reporting | 15-25 | 5-10 | Reconciliations, Closing Checklists, Segregation of Duties, Estimates/Judgments, Journal Entries, Applications
Order to Cash | 15-25 | 5-10 | Cutoff, Valuation of Reserves, Revenue Recognition, Authorization, Segregation of Duties, Applications
Inventory | 15-25 | 5-10 | Valuation of Reserves, Costing, Physical/Cycle Counts, Applications, Segregation of Duties
Purchase to Pay | 15-25 | 5-10 | Authorization, Segregation of Duties, Applications
Fixed Assets | 10-20 | 3-5 | Depreciation, Impairment, Disposals, Applications
Payroll | 10-20 | 3-5 | Authorization, Segregation of Duties, SAS 70, Applications
Treasury | 15-25 | 4-5 | Authorization, Segregation of Duties, Application
Taxes | 10-20 | 5-10 | Estimates/Judgments, Documentation, Approvals
Total # Key Controls | 125-220 | 50-90 |
Estimated Hours | 1,200-2,000 | 500-750 | Combined hours for Amper and client team.
Practical Approach
Phased Predictable Process
Plan
• Identify Rules & Responsibilities
• Develop Project Plan & Timeline
• Define Reporting Requirements
• Set the Tone
Scope
• Identify Financial Reporting objectives and related processes and business units
• Identify key IT applications
• Assess Segregation of Duties
Document
• Key processes, risks and controls
• Link entity level controls to process risks and financial reporting objectives
• Complete entity level controls assessment
Evaluate
• Control Design
• Plan to remediate design deficiencies
• Track remediation efforts
Test
• Key controls
• Identify ineffective controls
• Track remediation efforts to address ineffective controls
• Re-test key controls as necessary
Assess
• Evaluate significance of remaining control deficiencies
• Evaluate effectiveness of overall control environment
• Formulate Final Conclusion
• Develop Report
Practical Approach
Success Factors
• Don’t Delay
• Educate yourself - Rules & Guidance
• Create sustainable, top-down, risk-based approach
• Build “Entity-level” controls
• Limit reliance upon “Process-level” controls
• Learn from Lessons past
• Objective Assessment of Financial Statement Risk
• Constant collaboration with External Auditor
• Timely remediation of Control Deficiencies
• Balance internal resources with external experts
Practical Approach
Control Deficiencies
• SOX = perfection not mandated
• “Living with” certain deficiencies = Management / Board choice:
– Material Weakness - 10-K disclosure required
• Disclose reasoning for accepting material weakness
• Shareholders, prospective investors, lenders – ultimate judges
– Significant Deficiencies – no disclosure required
Practical Approach
Cost & Scope Factors
• Cost for Management Assertion & Auditor Attestation impacted by:
– Nature & complexity of operations and financial reporting
– Extent of documentation supporting ICFR and Management testing
– Nature, timing and adequacy of management testing
• For single-location, non-accelerated entities:
– Typical cost = $30,000 to $75,000 for first year
– Requires 300 to 750 hours of client effort
– Unknown is remediation of control deficiencies
WRAP-UP
Wrap Up
Continuous ICFR Process
• Internal Control for Financial Reporting (“ICFR”):
– Focus on continuous process:
• A “once a year” event is insufficient and likely creates inefficiencies
– Ongoing Monitoring:
• Control deficiency remediation
• Process changes requiring documentation updates
• Efficiency opportunities
– Rolling Risk Assessment:
• Continuously update risk assessment, for old & new risks
– Establish a Control Culture:
• Embracing control culture
• Reduces surprises & fire drills
Wrap Up
The Amper Advantage
• Amper’s “SOX-in-a-Box” Service:
– Fixed Price Range – typically $25,000 to $60,000
– Scope of effort determined within first week
– Transparent scheduling and assignment of duties:
• Amper duties
• Client duties
– Industry-specific templates easily adapted to your company
– Experience rivaling any other provider:
• No one beats us in practical non-accelerated experience
– Over 100 dedicated SEC compliance specialists near you
Contacts
Pete Bible
Leader, Public Company Practice
732-287-1000
Andy Barfuss
Leader, Business & Risk Advisory Services
732-287-1000
“The material contained in this presentation is for general information and should not be acted upon without prior professional consultation.”