SARBANES-OXLEY UPDATE for Non-Accelerated Filers
By Bob Bondy
Community Bank Advisor, 2007 Summer
In December 2006, the SEC and PCAOB issued separate press releases indicating future rule changes would provide for additional guidance on the implementation of SOX 404 for non-accelerated filers. This new guidance was approved by the SEC on May 23, 2007. Some registrants had hoped for additional delays or complete exemption from the provisions of SOX 404 for small companies. The reality is that the rules have not changed. However, there is now expanded guidance from the SEC for management, and the PCAOB has made changes in the auditor’s responsibility for compliance with SOX 404.
Adhere to a Strict Code of Ethical Conduct — At All Levels
The current rules require management of companies to issue a report on the design and operating effectiveness of the internal controls over financial reporting (ICFR) as of December 31, 2007. The report will be included in the annual Form 10-K and is required to include all material weaknesses that existed as of December 31, 2007. There is no requirement for a report to be issued by auditors in 2007. Auditors of non-accelerated filers are not required to issue separate opinions on ICFR until 2008.
Public Company Accounting Oversight Board (PCAOB) Developments
On May 24, 2007, the PCAOB voted to approve Audit Standard No. 5 (AS 5), which supersedes previous standards for audits of ICFR. The most significant changes resulting from AS 5 include:
- Removal of the requirement to audit management’s assessment of ICFR
- Emphasis on a risk assessment process and tailoring audit procedures to small, less complex companies
- Clarification of the role of materiality in the audit
The new standard is designed to focus the auditor on the matters most important to internal control, eliminate unnecessary procedures, simplify the standard by reducing detail and specificity, and make the audit more scalable for smaller and less complex companies. In a nutshell, the new standard intends to make the audits more effective and more efficient than the previous rules.
SEC Developments
Prior to the December press release, there was no formal guidance for management to use when completing their assessment of ICFR. This new guidance, scheduled to be released final in June, is intended to assist companies of all sizes to complete their annual assessment. The guidance focuses on a top-down approach, emphasizes spending more time on higher-risk areas, less time on low-risk areas, and allows management to scale the approach to fit their facts and circumstances. The direction issued from the SEC provides significant flexibility in management’s judgment of what constitutes adequate evidence in low-risk areas and allows for different testing approaches between management and external auditors.
What Should You Do Now?
With 2007 nearly half over, many companies need to revisit plans to become compliant with SOX 404, or risk a year-end frenzy of work. If you’ve started your documentation and testing plans, you’re on track to be compliant. If you’re still not sure of an implementation strategy, there is still time, but immediate attention is warranted. While the recent changes from the SEC and PCAOB help scale the assessment to the appropriate size, compliance is still a significant project to undertake. We encourage you to review your approach and consider the impact of the recent releases, including the benefits of the revised approach. Please contact your Plante & Moran representative if you have questions.
