Small Public Companies Will Get No Further Reprieve From Internal Control Reporting

After years containing numerous delays, an additional six-month delay was granted. However, the new deadline is for real.
SEC Chairman Mary Shapiro took charge at the beginning of this year. After years containing numerous delays, she stated that further laxness in internal control reporting for small public companies would not occur. Although a six-month delay in implementation was granted this month, the new deadline is for real.
Despite years of multiple delays in requiring Sarbanes-Oxley Act (SOX) Section 404 compliance, the practical reality is that most small filers have not done what is required for a serious SOX 404(a) management internal control assessment. Most are certainly are not ready for SOX 404 (b) compliance involving outside auditor testing. Consequently, in October 2009, the Securities and Exchange Commission (SEC) again extended the date for non-accelerated filers (i.e., issuers with a market capitalization below $75 million) to comply with SOX Section 404(b). The new deadline affects annual financial reporting for fiscal years ending on or after June 15, 2010. This means that calendar-year companies have another year for compliance, but companies with a June 30 and September 30 fiscal year-ends have no additional time.
Companies other than non-accelerated filers have already been subject to SOX Section 404 compliance for years. Since the adoption of the rules implementing Section 404(b) on June 5, 2003, the time period for compliance by non-accelerated filers has been extended several times. However, this six-month extension will be the last. As part of the announced delay, Chairman Shapiro stated "Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance.” Commissioner Aguilar joined Chairman Shapiro by stating:
“Over the last seven years, in several separate instances, the Commission has deferred the compliance date for non-accelerated filers to provide the auditor attestation under Section 404(b). I know that, as a result, there is uncertainty among investors and among non-accelerated filers about whether and when compliance with Section 404(b) would actually be required.
In light of this uncertainty, I want to highlight that in today’s deferral, the Commission is for the first time resolving that uncertainty by making it clear that all public companies, regardless of size, will be required to comply with Section 404(b) of the Sarbanes-Oxley Act, and that non-accelerated filers will begin complying in their first annual report for fiscal years ending on or after June 15, 2010.
I join Chairman Schapiro in assuring investors that there will be no further extensions of the compliance deadline.”
Last year, non-accelerated filers began filing management's assessments of internal controls with their 10-Ks. SOX Section 404(b) requires companies to include in their annual reports an auditor’s report on the effectiveness of the Company’s internal control over financial reporting. This auditors’ report is in addition to the report on the financial statements.
To assist companies and auditors in complying with SOX 404 reporting, the SEC approved the issuance of PCAOB Auditing Standard No. 5 entitled “An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements” (AS5) in July 2007. AS5 replaced the PCAOB’s previous internal control standard which was viewed as more onerous. In addition, the SEC issued interpretative guidance to assist management of reporting companies in complying with the internal control evaluation and disclosure requirements. The SEC guidance included the following:
1. Management needs to exercise judgment to determine areas that are both material, and pose a risk to reliable financial reporting. Controls must be identified which address these risks. Once these risks and controls are identified, it is not necessary to include additional controls in management’s evaluation.
2. Auditors are now required to issue only one opinion on internal controls, instead of the two opinions on internal controls that were previously required. The remaining auditors’ opinion evaluates the effectiveness of internal control over financial reporting. The eliminated opinion involves management’s assessment of the effectiveness of internal control, which will now be encompassed in the single opinion. The hope is that, by decoupling the process of management’s assessment from the auditors’ standards, (i) management and auditors will not mechanically look to the audit standards for guidance in performing management’s assessments, and (ii) the auditors can appropriately focus their attention on the end results.
3. Documentation of the above process must occur, but the documentation can take different forms, and can be presented flexibly. The documentation does not need to include all controls within a process that ultimately affects financial reporting. The documentation can also include "ongoing daily interaction" of the business, such as information recorded in routine internal reports and memos, as evidence to support management’s evaluation of their company's controls.
On January 23, 2009, the PCAOB published guidance for auditors of smaller public companies describing how auditors can apply AS5. The guidance addressed issues that might arise in the audits of smaller, less complex public companies. The SEC directed its staff to study whether the SEC and PCAOB guidance were having the intended effect of facilitating more cost effective evaluations. The results of this study were made public on October 2, 2009.
The SEC’s Office of Economic Analysis completed its "Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements," regarding whether the PCAOB’s and SEC’s 2007 guidance was effective in reducing compliance costs. Some companies were hoping that this report would suggest further alterations were necessary and new requirements would then become more lax. Instead, the SEC indicated that they believe that all steps and guidance to implement Section 404(b) for smaller companies has been completed and that no further guidance or alterations of the existing requirements is necessary. Because this SEC study was published less than three months before the previous December 15, 2009 deadline, the SEC determined that an additional six-month extension was appropriate.
In implanting internal controls, one step that should be included is a whistleblower reporting mechanism required under SOX 301(4). Every study on the subject of fraud detection identifies employee whistleblowers as the most important and most effective means of discovering malfeasance. Numerous small companies have not seriously addressed these whistleblower requirements. This should be fixed as part of SOX 404(b) compliance, particularly since an independent whistleblower reporting system is so inexpensive.
ABOUT THE AUTHOR: David Nolte
Mr. Nolte has 30 years experience in financial and economic consulting. He has served as an expert witness in over 100 trials. He has also regularly served as an arbitrator. Mr. Nolte has achieved the following credentials: CPA, MBA, CMA and ASA.
Copyright Fulcrum Inquiry
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.For specific technical or legal advice on the information provided and related topics, please contact the author.