Sarbanes-Oxley and Small Business Technology

In October 2005, the long-awaited draft called “Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting” was released for public comment. The authors of the draft, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), addressed internal controls for smaller publicly-owned companies in their 189-page manifesto. The original COSO internal control framework, released in 1992, attracted attention with the passage of the Sarbanes-Oxley Act of 2002, thus providing a starting place for the industry. However, the framework did not address the environment of the smaller public companies, prompting the G-men to extend the compliance date for smaller companies to just this side of Armageddon. This extension gave COSO additional time to address smaller companies and to adapt the framework so that it can work in the small company environment. But just when you thought the PCAOB and the SEC were paddling in the same direction, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 which took the oars out of the profession’s hands and exposed us to the murky waters of quasi-internal controls. The recommendations of this committee included:
Due to such developments from these different agencies, “smaller company” internal control technology is left in a bog. Where should internal control-assisting technology go from here? Does it stay the course but try to lighten the load? Does it change radically, throwing out the first two years of Sarbanes compliance? To answer these questions, we must look at the basic fundamentals of the two reports. To give a more balanced analysis to this comparison, I have included comments from a CPA Sarbanes-Oxley consultant and a corporate internal-control specialist.

COSO Small-Business Guidance Background (COSO-SB)

The Small Business guidance (SB) uses twenty-six fundamental principles that constitute effective internal controls over financial reporting. Even though these controls are applicable to companies of all sizes, the authors focused on smaller companies, which implement internal controls in a different manner. The original framework consisted of five components that intersect the three perspectives of financial reporting, operations, and compliance. Similarly, SB identifies several themes, some of which mirror the original framework. The themes shared with the original framework are: control environment, risks, control activities, information technology (communication), and monitoring. SB added a focus on the personal responsibility for controls that is inherent in smaller businesses.

CPA Sarbanes-Oxley Consultant

“Really there was nothing earth-shattering about the new guidance. Since we have been assisting companies with SOX compliance we have been using the approach suggested in the guidance when it made sense considering the structure of our client’s internal control environment, which was with substantially all of our smaller company clients.
The real challenge and big question is how will the auditors look at it, and whether or not they modify their audit approach,” began Kevin Holmes of Good, Swartz, Brown, and Berns when asked for his initial opinion about the new COSO-SB. Kevin has spearheaded the SOX consulting practice of GSBB since the inception of the Act in 2002. Like all reputable SOX consultants, he charted the unknown territory of compliance after Enron, balancing the needs of the Act with the preferences of the outside auditors. Kevin explained that one way the SB framework improves on the intent of the original COSO framework is that it demonstrates that the five internal control components should not all be addressed equally. The initial framework gave the user the impression that all components should be given equal consideration. This impression gave the outside auditors the ammunition to focus on their comfort zone, “control activities.” (See Exhibit 1.) Auditors, by nature, are very familiar with auditing control activities. When SOX emerged, they treaded in their familiar waters of control activities, perhaps to the point of overkill. Thus, auditors emphasized process controls (in the control activities component) over all other components. (See Exhibit 2.) In fact, the PCAOB alluded to this in its May 16th guidelines directing auditors to use a more risk-based approach when certifying internal controls. The new framework continues the PCAOB’s emphasis on a risk-based approach because smaller companies do not have the infrastructure for extensive control activities. Many of their controls are embodied in the few senior managers who have a hands-on function in control activities. Larger companies rely more on “process-level” controls because they are too big for upper management to authorize every transaction, vendor, and decision.
This is best displayed on page 19 of the COSO-SB framework, where a graph depicts the control activities component as smaller than in the previous framework. (See Exhibit 3.) In addition, Kevin mentioned page 125 of COSO-SB, which suggests the strength of “entity-level” controls over process-level controls. Thus it is the “Tone at the Top” that small companies must present to their auditors in a concise format for assessment. This, frankly, boils down to management involvement. And secondly, management involvement is dependent on good managers. This top-down approach will reduce the number of controls at the process level, since management’s involvement replaces the need for such controls. Although the COSO-SB guidance is a step in the right direction, alone it may not be sufficient to facilitate the reductions smaller companies are looking for in their compliance costs, Kevin indicated. For example, a smaller company may emphasize its management “Tone at the Top” controls over process-level controls as it assesses its ability to manage financial reporting and fraud risk, but the guidance does not suggest how the auditors can factor this into their existing audit methodologies, which tend to focus significantly on process-level controls. Kevin believes that if smaller companies continue to be subject to the reporting requirements of Section 404, the PCAOB will have to develop a new audit standard that auditors can follow when auditing internal controls for smaller companies. If such a new standard were developed and it clearly indicated how the auditors could evaluate and test entity-level controls in lieu of process-level controls, then some real progress could be made to reduce company compliance costs, a significant portion of which relates to fees charged by the audit firms.

Corporate Internal Control Specialist

Larry Russell, the chief Internal Control Officer of Bidz.com, Inc., has been on both sides of the table. Prior to joining Bidz.com, Larry was a Sarbanes consultant to public companies of all sizes. Larry is encouraged by the example on page 97 that illustrates responsibilities. “I’m happy that this framework moves away from the checklist approach, and addresses internal controls from a risk-based point of view,” Larry commented. “This, of course, is the thrust of the May pronouncement.” Larry stated that the biggest challenge to small-structure internal controls is to prove that management has entity-level controls. The solution would be to independently document extemporaneous controls. Larry cautioned that these controls are not just for smaller publicly-held companies, but for all companies with small internal control structures. A company with a small internal control structure is one with limited financial personnel that cannot provide the proper separation of duties required of larger companies. Bidz.com would have qualified as a “large cap” company (over the 75 million threshold) but is now reclassified as a small structure under the new proposal. Larry concluded that the COSO-SB really fits the size of our internal control structure.

Technology

The COSO-SB, the SEC Advisory, and the May PCAOB Pronouncement necessitate a radical change in the technological approach to internal controls. Currently, software companies emphasize process-level testing and controls, which accommodate the preferences of the auditors. However, the current movement emphasizes an “entity-level” risk assessment approach that in turn dictates the proper focus on process-level controls. Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies. Once a company’s balance sheet is analyzed from this top-down approach, a risk-based analysis at the process level can be properly performed (See Exhibit 4), thus mitigating the risk of excessive testing and expense.
After a tool has met the top-down process, it can then be mapped to internal control processes and business cycles. These process maps should include stop lights and alerts to warn managers when these processes are materially affected. As seen in the exhibits, the technology for smaller-structured companies should emphasize the increased role of the Control Environment and Monitoring. The tool should also empower the limited number of a company’s financial staff with enough monitoring tools to react quickly to changes in the company atmosphere and to internal control inconsistencies. With updated technology, smaller companies can afford proper internal controls while satisfying the auditor’s internal control requirements. But does that mean the experience learned in the prior two years was irrelevant to the technology companies? Absolutely not; the SOX technology metamorphosis is like looking for a light switch in the dark. Some may just feel around the wall, while others purchase expensive night-vision glasses to find the switch. The end result is that the light is turned on, but at what cost? As the auditor requirements change, as outlined above, technology will meet the small business challenge with a less-expensive solution.