Archive for the ‘"Business Risk Insight" - Risk Management’ Category.

The SOX Exemption Passed – Now What?

Perhaps you’ve heard that the Reform Act was passed this summer which granted a permanent exemption from the audit attestation requirements of SOX 404(b) to the non-accelerated filers, which are those public companies with a market capitalization under $75 million.  I know those companies affected are breathing a sigh of relief, but let’s look at what this really means.

Non-accelerated filers must measure their market capitalization on the last business day of their second fiscal quarter.  If the market cap is below $75M, they are considered non-accelerated filers and therefore not subject to the SOX 404(b) requirements, which require that a company’s external auditor provide an opinion on the design and effectiveness of internal controls.  If your company is hovering near the $75M mark mid-year, then planning for an internal controls audit is wise.

However, non-accelerated filers have been complying with SOX 404(a) for many years, which requires management’s assessment of internal controls, and they must continue to provide this assessment.  For many smaller companies this assessment was, at best, a rudimentary review of controls accompanied by a memo.  But the requirements for 404(a) clearly state that a company must document its control structure and test the effectiveness of those controls.  In the past, the SEC has not commented on the thoroughness of management’s assessment, on the understanding that an audit of the control structure would eventually occur.  Now, however, with the exemption passed, it is likely that a non-accelerated filer will receive some evaluation from the SEC on the completeness of this work.

In other words, a simple internal control memo may not be enough for the non-accelerated company.

Internal Controls – Just do it!

Can it really be true?  Is it finally time for non-accelerated filers to comply with the Sarbanes-Oxley Act?

So far, there has been no further extension for SOX from the SEC or Congress, and the current bill from Senator Dodd doesn’t even mention an exemption from the SOX Act.  There is still a chance that amendments will be made to the current Senate bill, but whether that will happen before the June 2010 deadline is doubtful.  Keep a close eye on the Dodd bill for updates; it is summarized on Senator Dodd’s website.

To be honest, I think every company should employ good internal controls.

I have seen the effects of well controlled companies getting rewarded, starting early in my career.  I worked during college at a VC backed start-up company and in typical fashion I wore many hats – receptionist, office manager, accountant, and executive assistant.  I distinctly remember the breaking point when the company grew big enough to require more structure and my role focused on accounting only.  A CFO was hired and I was trained by him to implement controls.  Oh, the drama of telling people they needed approval for purchases. Gone were the days of yelling across the hall for verbal approval of a $10,000 check (works fine when there are 10 employees, not so good when there are 100 employees). Adding these procedures while the company was growing was not a huge additional expense, and controls quickly became embedded in the culture of the company, and now the company was ready for an exit – be it IPO or acquisition.  In the end, the company was acquired by a Fortune 500 company.  Would this have happened without the strong control environment—maybe.  But was the acquisition process easier, was the value of the company higher, was the buyer more confident—definitely!

So what’s all the fuss about Sarbanes-Oxley, when good controls have been around for a long time?  The SOX requirement to document and test the controls takes time, and auditor review of those controls causes companies big headaches; the end result is increased costs.  But believe it or not, control documentation can be done efficiently.  Start early with control optimization and use the right people and the right compliance tool, and the process is painless!  Experience really counts when documenting controls, since experts are familiar with 1) focusing on the risk of misstatement; 2) documenting controls succinctly; 3) using a tool for testing, workflow, and reporting; and most importantly, 4) interacting with auditors.

Whether you’re public or private, get started now on a good control environment – just do it!

SOX for non-accelerated filers – another extension?

Sarbanes-Oxley Section 404(b) currently requires all non-accelerated public companies to get an outside auditor review of internal controls, effective for companies with fiscal year-ends on or after June 15, 2010.  This means those non-accelerated filers who have previously received extensions to this requirement year after year, finally must comply with an internal control audit.  Or do they?

When discussing the current extension, which was granted in October 2009, SEC Chair Mary L. Schapiro clearly stated “there will be no further Commission extensions.”  But in November 2009 the House of Representatives passed a bill giving non-accelerated filers a permanent exemption from the auditor attestation requirements.  For the bill to become law it must be approved by the Senate, and that is where it currently sits.  It seems unlikely that the Senate will pass the bill by June 15: the Republicans are not interested in reform, and the Democrats have made only a weak effort to push the bill along.  If this bill passes at all, it will probably be later in the year.

So, what is the non-accelerated filer to do?  My advice to them: get ready for a controls audit, but wait one more month to bring in the auditors.  If the SEC Chair goes against her own words and issues another extension, it will be granted very soon in order to affect the June filers.

The small public filers have been complying for years with the management assessment requirement of Sarbanes-Oxley Section 404(a) and should have key controls defined and assessed, ready for audit.  If this documentation is less than formal, make sure to document those controls now.  Bring in the auditors in Q4 if, and when, attestation is assured.

Risk Assessments – A Strategic Resource

In the dynamic world of audit and audit related services an often overlooked benefit is the risk assessment process. In the world of the Internal Auditor it’s not only used to create the annual audit plan; the risk assessment creates a flexible framework to identify the keys to achieving an organization’s success. The process to create the framework, if done properly, should help build consensus across organizations, enable executive management to make more informed decisions and foster greater cooperation on audits.

The complexity of a risk assessment is tied to the industry and to the maturity of the Internal Audit department. An established IA department in a heavily regulated or highly complex industry, like banking, may use more complex risk assessment processes and tools. By contrast, a recently formed IA department at a retailer could most likely execute the risk assessment using Word and Excel. In both cases the final result is the same: a risk-based assessment of a company’s processes.

Executive management, as always, plays the pivotal role. Think of the framework as the picture of a company. Individuals’ pictures vary depending on level and position, and it is the CAE’s responsibility to co-develop with management a picture that fits (on at least some level) into a picture that everyone can easily understand. This is the basis for communication regarding risk, controls, how the company’s strategy ties into the framework, and the risk assessment results. When executive management understands the risk assessment framework and process, they are more likely to support audits of sensitive areas and, in some cases, actually ask for audits of processes under their supervision.

Effective Communication

Communication skills are dynamic, and in the business environment they are very difficult to measure and often undervalued. Effective communication not only minimizes time, cost and workflow, it also leads to increased client satisfaction. Communication includes tone, style, and format, and it is most often the determining factor in failed audits. Here is the problem: people communicate differently from one another and oftentimes are polar opposites. Below are a few thoughts on communication protocols and communication styles.

A strong service delivery methodology lays the foundation for an audit team to communicate consistently and effectively across all engagements. Key steps, such as a scope meeting, and standardized documents, such as the scope memo, create structure and serve as tools of communication between the audit team and business owners. For example, at an audit’s inception the audit objectives, high-level procedures, and deliverables are documented and agreed upon. With a clear understanding held by both the audit team and the business owners, the likelihood of the audit succeeding is vastly improved.

Communication style includes format and tone and is the second key to executing audits, especially Internal Audit audits. In most instances a formal report is written and presented to executive management, the BOD and possibly the actual business owners. However, at each level there is a different style of communication with varying amounts of detail. For example, smaller findings noted during the course of an audit are typically not included in the formal report. These informal findings are oftentimes communicated verbally to the business owner, but not necessarily to executive management and probably never to the BOD.

Be careful with email! Email is not the preferred method to communicate issues, especially technical issues. First, let’s not confuse email with a formal written report. The process of writing an email compared to an audit report is the difference between making a paper airplane and a real one. Emails are also more difficult to control. I don’t know how many times I’ve seen simple issues turn into catastrophes because an email was either written in haste or misunderstood. Oftentimes it was a combination of both. As an auditor, a little courage must be exercised to pick up the phone or conduct a meeting to discuss issues face to face.

Without the proper protocols or effective means of communication, Internal Audit projects can become painful experiences for both the auditee and the auditor. With them, success is more likely and easier to achieve.

2010: A SOX Odyssey

In 2010, SOX as we know it may undergo a dramatic change.  There are two pending events concerning the Act that directly impact whom it affects and how it is administered.  The first may eliminate a large number of companies that need to comply with section 404(b) of the Act; the other may restructure the Act altogether.

The first topic deals with businesses below $75 million in market capitalization and their requirement to comply with section 404(b), the requirement for independent auditors to attest to the effectiveness of management’s assessment of internal controls.  In October 2009, the SEC once again extended the deadline for non-accelerated filers to comply with section 404(b), to June 15, 2010.  This deadline, though extended numerous times in the past, is said to be the last extension.  However, due to recent legislation passed by the House Financial Services Committee, non-accelerated filers below $75 million in market capitalization may be exempt from 404(b) permanently.  The amendment still has a long way to go to pass the full House and Senate, and as with any anti-regulatory legislation, there are numerous pros and cons that come with it.

The pros are clear: if passed, this piece of legislation will provide financial relief to smaller businesses from a requirement that has already been extended a handful of times and that imposes a disproportionate cost.  A recent SEC Advisory Committee report noted that in 2004 companies with revenues over $5 billion spent 0.06% of revenue on compliance and companies under $100 million spent 2.55% (SEC report pages 33-34).  The cons are also compelling.  The proposed amendment may reduce investors’ confidence in these companies and increase their chances of fraud.  Combined, these may reduce investor activity in small public companies and further reduce their chances to raise capital.

The second, more controversial topic is the Supreme Court case Free Enterprise Fund v. The Public Company Accounting Oversight Board.  At issue is whether or not the PCAOB created by the Act is constitutional.  The main argument of Free Enterprise Fund is that since the SEC appoints the board members, the President does not have adequate control over the Board, as the Constitution requires of all Executive Branch agencies (i.e. it violates the separation of powers between the Legislative and Executive branches).

Supporters of the Board say that the SEC has long used the services of private self-regulatory organizations similar to the PCAOB, such as the New York Stock Exchange and the Financial Industry Regulatory Authority.  They claim the Board is not an independent agency, but rather an entity that functions under the complete control of the SEC.  Those calling for reform of the Board, such as the Free Enterprise Fund, say that the Board is in fact independent from the SEC because the SEC can only remove members for cause, as opposed to at will.  A recent Wall Street Journal article sheds more light on the subject.

The impact of the potential changes is debatable.  However, it does open a Pandora’s Box, giving legislators a chance to create additional amendments to the Act, such as shielding banks from the fair value accounting requirement.

The decade started with the bursting of the dot-com bubble and a litany of corporate scandals that eventually led to the creation of SOX.  2010 is shaping up as a pivotal year for how U.S. public companies operate.

What is Internal Audit’s Value?

In my previous blog post I wrote about Internal Audit’s (IA’s) effectiveness. As a follow up, I thought I would write about a related topic: value. Just as IA varies between companies, so does the definition of value. IA’s value is situational; it changes as IA matures, varies by industry, and is directly related to a company’s risk appetite. Examples of value include: realized (or identified) financial recoveries/savings, increased productivity, more informed corporate decision making, and compliance with policies, procedures, laws and regulations.

Because each IA department’s value is situational, it’s virtually impossible to describe all the potential definitions. Here are a few examples.

Fraud prevention. Take for example a multi-national company with business units in emerging economies; fraud prevention or strong anti-corruption practices are what may add the most value. The Foreign Corrupt Practices Act (FCPA) is not new, but with fraud cases (both in number and in value) on the rise, it’s a focus of our government (e.g. Department of Justice, FBI, etc.). The cost of potential fines and prolonged investigations is potentially very large, but also think about the impact on a company’s corporate image and eventually its stock price. Here is one recent case example from the Department of Justice (DOJ). IA can provide a perspective on the effectiveness of the compliance control environment and help prevent problems from occurring.

A common understanding of risk. Compare the situation above to a small retailer that has just created IA. The completion of a risk assessment is a building block to a successful IA department. The risk assessment process includes multiple interviews with key process owners using established risk rating criteria to create a comprehensive risk profile. The value: knowing what the key processes are to achieve the company’s strategic goals and having a common understanding of risk among the many stakeholders (executive management, process owners, BOD, etc).

Training. Whether it’s a store audit program or an FCPA compliance review, a successful compliance audit program should be designed to provide more than a perspective on the level of compliance. It should serve as a training opportunity for all of those involved. When a non-compliance issue is noted, it’s the perfect opportunity for IA to communicate what is wrong, what’s correct, and, most importantly, provide a perspective on why compliance is important. Employees are stretched thin (especially in times like these), and the importance of and reasons for compliance-related processes are often forgotten or lost in translation.

The word value is nebulous. What adds value to one stakeholder can be virtually useless to another, and it’s up to the CAE to work with his/her stakeholders to co-develop the definition. Feedback from internal business partners, the audit committee, senior management, and peer departments provides a comprehensive perspective that the CAE can tailor to his/her specific situation. By co-developing the definition of value, IA awareness is increased across the organization and the department’s vision is further vetted. So, what is your IA department’s value?

Fraud, A Sign of the Times

The economic downturn has produced a lot of stress on companies for obvious reasons, but there is one significant risk that companies often overlook: fraud.  A recent study from the Association of Certified Fraud Examiners (ACFE) found that employee fraud has risen in the last 12 months and that financial pressures were the biggest contributing factor.  The recession has given employees as well as managers in key roles the opportunity, motivation/pressure, and rationalization to commit theft and fraud.  However, the problem isn’t just identifying fraud; it’s knowing what to do once it’s discovered.

And when fraud is discovered, oftentimes there is no one to turn to.  The FBI Financial Crimes Section at the moment has over 400 corporate fraud cases that they’re working through and is pursuing only 3-6 new cases per month.  They are primarily focused on significant fraud against individuals, businesses, and industries, or on organized crime activities that are international, national or regional.  State and local police departments are very busy as well.  I was recently told by a client that the police department from a large city (a population over three million) would not take her case if she couldn’t provide hard evidence worth over $40,000.  Translation: the skill set to execute the Internal Audit function just expanded to include forensic accounting, internal investigations, financial fraud investigations, SEC enforcement matters, and extensive compliance reviews.

Again, the factors that lead to fraud are opportunity, motivation/pressure, and rationalization.  The opportunity to commit fraud can arise when workers are stretched to cover more roles, giving them access to more areas of the company, with fewer supervisors to oversee operations.  Smaller businesses are more prone to the opportunity risk, as they have limited resources to provide adequate segregation of duties.  Motivation can spring from anywhere, but in times like these the pressures of the recession, a spouse’s job loss, or a reduction in pay are sufficient motivators.  People can always rationalize their wrongdoings when there is enough pressure and stress to skew their sense of logic and ethics.  Despite these factors, there are ways for any business, regardless of its size, to prevent or detect fraud and to appropriately recover its losses.

The first, and most cost-effective, step to help safeguard your company is to develop a good control environment.  By developing comprehensive policies and procedures, setting good examples of actions and accountability from the top down, establishing an anonymous whistleblower hotline, and defining a clear organizational structure, a company can reduce the threat of fraud.  The next step is to implement a system of internal controls to further limit the risk of fraud.  This usually consists of the following five areas: segregation of duties, proper authorizations, adequate documentation and records, physical controls over assets, and independent checks.  These two steps are a great start to preventing and detecting fraud and keeping your company afloat in a time of uncertainty.

In a time of recession the need to find ways to address fraud proactively and cost effectively is a key priority.

Here are some links for more information on this topic:
The Institute of Internal Auditors (IIA) Main Website
IIA Upcoming events (Fraud)
IIA Fraud resources
Association of Certified Fraud Examiners (ACFE) Main Website
ACFE Upcoming events

How to Measure Internal Audit’s Effectiveness

Two important questions asked by management in today’s economic climate are, “How do we know if our Internal Audit (IA) department is functioning effectively?  Is it providing the most possible value?”

A good place to start is a review of the Internal Audit department’s infrastructure.  The infrastructure includes the department’s roles and responsibilities and its authority.  IA should be independent from management, with direct access to the audit committee.  Typically, the Chief Audit Executive (CAE) reports administratively to the CFO and formally to the audit committee chairman.  The IA charter provides formal clarity regarding the department’s authority to access company records, execute the annual audit plan, and the department’s vision.  The charter should be reviewed and approved by the audit committee and the CFO at least annually.

Other key questions to evaluate IA include:

  • Are audits conducted in compliance with the International Standards for the Professional Practice of Internal Audit?
  • Does IA have a quality assurance program and are the results reported?
  • Has an external quality assessment been performed in the past five years?
  • Is there an audit client feedback process?
  • Does IA have the tools and resources it needs to complete the annual audit plan?
  • Has the IA team acquired professional designations to demonstrate competency?

If the answer is yes to all of the questions, chances are the IA department is on the path to creating value.  Each “no” identifies an area for potential improvement that could lead to positive change for both the department and the organization.

Internal Auditors Keeping Pace with Global Needs of Clients

With the constant expansion of technology and outsourcing of resources, more and more businesses are establishing an international presence. Even if your organization does not have a physical presence outside of the United States, it is not uncommon to have key affiliates located outside of the nation’s borders. Furthermore, it is hard to avoid noticing the large number of resources that are manufactured outside of the country.

With locations in 165 different countries and territories, The Institute of Internal Auditors (IIA) is keeping pace with the growing international needs of businesses. In fact, this past May the IIA held an international conference in South Africa, which brought together over 2000 members from all over the world.

Of course, such a large international presence requires that key standards be established in order to maintain comparability and understanding among internal audit professionals from all areas of the world. Fortunately, the IIA has done just that. The International Professional Practices Framework (IPPF) established by the IIA provides a conceptual framework to all IIA members around the world. With the assistance of the IIA, the internal audit profession has clearly responded to the growing global needs of its clients.