An Accountant’s Look at the ChangingHorizons within SOX 404

Presented toColorado Bar Association’s Securities Law Group

Presented by

Bill EvertHein & Associates LLP

September 21, 2006

Why should companies care about controls?

• Fraud• Lost revenues• SOX 404 compliance• Personal liability

SOX 404 – Management Requirements

Currently effective for accelerated filers ($75MM public float, etc.):

• Incorporate within the Company’s Form 10-K a report that:

– Acknowledges responsibility for establishing/ maintaining adequate internal controls over financial reporting

– Identifies framework used (COSO)– Assesses effectiveness at end of fiscal year– Confirms independent auditors issued

attestation report on management’s assertion

Example Reporting Scenarios

SituationManagement’s

Report

Auditor’s Opinion on

Management’sAssessment

Effectiveness of ICOFR

No material weakness identified.

Internal control effective.

Unqualified Unqualified

Material weakness identified by management and auditor.

Internal control not effective.

Unqualified Adverse

Example Reporting Scenarios

SituationManagement’s

Report

Company has one or more material weaknesses, but management’s assessment indicates internal control is effective.

Issue adverse opinions on both management’s assessment and internal control.

Management fails to fulfill its responsibilities regarding the internal control assessment.

• Communicate to management and the Audit Committee.

• Disclaim opinions.• Consider possible additional

auditor responsibilities.

Deficiencies – Conceptual Definitions

Classification of Deficiency

Likelihood ofMisstatement

Potential Magnitudeof Misstatement

Internal Control Deficiency

Remote OR Inconsequential

Significant Deficiency More than remote

AND More than inconsequential

Material Weakness More than remote

AND Material

A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met:

Current Events – Moving TargetsNew guidance:

• Remediation Standard (AS4)

• New SAS standard

• New COSO framework for small businesses

(July 11, 2006)

Coming soon:

• New SOX 404 guidance regarding non-accelerated filers and IPOs

• Guidance for companies implementing SOX 404

• Revised AS2

Issues/Pitfalls Encountered

• Lack of:

― Lead time/resources/game plan

― Effective communication between auditor and client

― Motivation in second year

• Issues:

― Late start (prevents integrated audits and rising costs)

― Multiple operations/foreign subsidiaries

― Company’s GAAP and SEC expertise

― Consequences of adverse and disclaimer opinions

― Controls at outsourced service providers

Why is SOX 404 so difficult (and costly)?

1. Definition of significant deficiency “more than inconsequential”:

A misstatement is inconsequential if a reasonable person would conclude, after considering

the possibility of further undetected misstatements, that the misstatement, either

individually or when aggregated with other misstatements, would clearly be immaterial to

the financial statements. If a reasonable person could not reach such a conclusion

regarding a particular misstatement, that misstatement is more than inconsequential.

1. Must have controls over all of the relevant assertions over all significant

accounts and footnotes.

2. Materiality and deficiency evaluation.

3. Testing of attributes, not dollars - “What could go wrong; not what

does.”

4. Adjustments the auditor finds.

Why should private companies adopt SOX?

• Better controls thereby:

― Decreasing the likelihood of fraudlikelihood of fraud

― Increasing operational efficiency

• Exit strategy?

• SOX will eventually become the standard by

which companies are judged

• New audit standards

CHANGE IS GOODYOU GO FIRST

Components of the Control Environment

1. Integrity and ethical values

2. Commitment to competence

3. Board of Directors and Audit Committee

4. Management’s philosophy and operating style

5. Organizational structure

6. Assignment of authority and responsibility

7. Human resources policies and practice

Why control environment is so important

The following circumstances are at least a significant deficiency and a strong indicator of the existence of a material weakness per AS2.

• Restatement of previously issued financial statements.

• Auditor’s identification of a material misstatement in the current year audit that was not initially identified by the Company.

• Ineffective Audit Committee oversight.

• An ineffective internal audit or risk assessment function, if critical to reliability of Company’s financial reporting process.

• An ineffective regulatory compliance function in highly regulated companies if functions could have a material effect on the reliability of financial reporting.

• Identification of fraud of any magnitude on the part of senior management.

• Previously communicated significant deficiencies that remain uncorrected after a reasonable period of time.

• An ineffective control environment.

Oversight by the Audit Committee and Board

• Nature and frequency of meetings

• Consideration of fraud when reviewing:

― Accounting principles

― Non-routine transactions

• Evaluation of management’s assessment of fraud risk

• Discussion with auditor’s potential fraud areas

Risk Assessment

• Systematic process• Consideration of potential fraud schemes:

― Types of fraud― Fraud triangle

• Assessment of risk at all levels• Evaluate likelihood and significance of risks• Assessment of exposure• Document oversight by Audit Committee