Sarbanes-Oxley turns five this year,
marking a zero-tolerance response to
corporate scandals like Enron, and a new era in auditing and internal controls
reporting designed to protect investors and
help companies establish more effective
systems.
But complying with Sarbanes-Oxley,
more casually known as SOX, is costly and
redundant when you figure that outside
auditing firms must perform double audits,
first on managements’ assessment of internal controls, then again by testing the controls and forming a conclusion about the
effectiveness of internal controls.
“New guidance from the SEC and Public
Company Accounting Oversight Board
(PCAOB) is the first major step toward
addressing excessive compliance costs,”
says Chris Meshginpoosh, director of
Management Advisory Services for
Kreischer Miller, Horsham, Pa.
Indeed, cost-prohibitive assessment and
auditing procedures have driven some
smaller companies to avoid an initial public offering, or to go public in overseas markets instead. Large public companies
spend hundreds of thousands of dollars
complying with SOX, and companies with
market capitalization of less than $70 million confront similar costs — a disproportionate burden.
Smart Business spoke to Meshginpoosh
about ways companies can mitigate SOX
compliance costs even before final guidance is expected to be passed in mid-2007.
What exactly does the proposed guidance
mean by a ‘top-down, risk-based’ approach
to internal controls assessment?
Basically, this approach involves starting
at the financial statement level and working your way backward through internal
control processes as opposed to beginning
from the ground up. During their first year
of compliance, many large companies
started by asking process owners to document every process, with almost complete
disregard to the size or risk profile of the
related account balances or disclosures. In
other words, even if the controls in these processes failed, it would be of no concern
to investors and, ultimately, would have
very little impact on the company’s bottom
line. Given the size and geographic dispersion of many large companies, this type of
an approach was exhausting.
Instead, the SEC and PCAOB are once
again stressing the importance of a top-down risk-based approach. Which account
balances are material? Which accounts
involve a high degree of risk? Are there
high-level controls such as detailed variance analyses that address the risk, or do I
need to rely on lower-level process controls?
Where might relying on entity-level controls
might be appropriate?
Let’s take payroll. Most companies rely
heavily on employees to conduct operations and, as a result, payroll balances are
generally material to financial statements.
But let’s take an example where a company primarily employs salaried workers and
experiences very little employee turnover.
Because payroll balances would be relatively predictable, detailed budget versus
actual comparisons performed by management that require investigation of variances in excess of defined thresholds might represent a highly effective entity-level control associated with certain payroll assertions.
However, if the company employs a large
number of hourly employees, has a high
rate of turnover as well as substantial cyclicality, a budget-to-actual comparison might
not be as effective. Therefore, the company
might need to rely on lower-level controls
such as supervisory reviews of timesheets.
Are there areas where companies need to
spend more time?
One of my biggest concerns is that companies have spent a considerable amount
of time on low-risk areas, but have not
focused closely enough on areas that
require an understanding of complex
accounting issues. However, if you look at
the nature of material weaknesses disclosed by public companies, a substantial
majority involve errors associated with the
application of complex accounting pronouncements.
If companies employ effective top-down,
risk-based approaches, they should identify these types of potential issues in the
planning process. Once identified, companies should think long and hard about the
qualifications of their personnel and decide
whether augmenting internal resources
with outside accounting expertise is warranted.
What resources can companies refer to as
they consider ways to implement the proposed guidance now?
The Committee of Sponsoring
Organizations (COSO) of the Treadway
Commission established a framework a
decade ago that still serves as the de facto
standard for internal control assessments.
Also, the SEC’s proposed guidance is available on its website, www.sec.gov. Finally,
companies can always consult third party
advisors to assist them in their evaluation
efforts.
CHRIS MESHGINPOOSH is director of Management Advisory
Services for Kreischer Miller in Horsham, Pa. Reach him at
[email protected] or (215) 441-4600.