Ever since the two words — Sarbanes-Oxley (SOX) — began resonating in the hallways of public companies, small businesses have been bracing themselves for the anticipated sleepless nights and onslaught of headaches due to the newly legislated corporate governance guidelines.
After three years of delays and countless horror stories from larger companies (accelerated filers) that have already complied with SOX, smaller companies (non-accelerated filers) are now faced with the task of beginning the journey toward Sarbanes-Oxley compliance that many feel will be long and costly.
On May 23, 2007, the Securities and Exchange Commission (SEC) voted to publish guidance for management on the evaluation of internal controls over financial reporting. Subsequently, on May 24, 2007, the PCAOB issued a new auditing standard — Auditing Standard No. 5 (AS5) — to replace the existing AS2. Simply stated, the new guidance and standard focus management’s assessment and the audit of internal control over financial reporting on a top-down, risk-based approach that retains AS2’s core principles but is less prescriptive, in the hope of reducing implementation costs.
Controls-based vs. principle-based approach
As accelerated filers looked back on the compliance process, they learned that more is not necessarily better. Since there was no precedent to follow, many erred on the conservative side, deferring to their external auditors for guidance. AS2 became the de facto guidance followed by many. As a result, companies documented and tested nearly every procedure and control, not just those that mitigate the “relative” financial assertion risks over financial reporting. While this “controls-based approach” does meet the compliance requirements, the cost and time needed to comply using it can be excessive.
Both the new SEC guidance and AS5 offer a “principles-based” approach. The SEC has now clearly expressed the “intent” of the law and provided issuers’ management with principles-based guidance that can be applied to the facts and circumstances of each organization. This affords management much more latitude in defining the approach it will take and allows management to focus on those mitigation activities needed to adequately address the risk of a material misstatement in its financial statements. The SEC anticipates that the new guidance will afford smaller organizations many benefits, including increasing value to the organization by significantly reducing costs and effort.
Utilizing a risk-based approach
The new guidance also states that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk, and provides an approach for making these risk-based judgments. In addition, entitywide controls can and should be relied upon if they are “precise enough” to eliminate or drastically reduce the cost and effort of compliance.
Many executives are also finding that by defining the entity-level controls, they are uncovering tools and dashboards that assist them in understanding where the exposures to the business are located. As a result, management may be able to use more efficient approaches to gathering evidence in low-risk areas and perform more extensive testing and evidence-gathering in high-risk areas. Effectively monitoring the risk environment will allow management to identify trends before they negatively impact the business or the value of the business.
Benefits of new guidance for small businesses
While these provisions do not create a separate standard for smaller companies, AS5 does explicitly require the external auditor to tailor the nature, extent and timing of testing to meet the unique characteristics of less complex entities. The SEC guidance also allows management to tailor its compliance activities to the organization’s specific needs based on size and complexity. This allows smaller organizations to comply and add value to the organization without excessive costs or time commitment.
The compliance clock for smaller public companies is ticking. Fortunately, the path to compliance is now clearer. With some forethought and planning, companies can reap the benefits of a solid assessment of internal controls over financial reporting without the undue burdens of past years. Perhaps financial executives can even sleep more soundly when they hear the words Sarbanes-Oxley.