SOX 404(b): A Practical Approach for Smaller Public Companies
July 30, 2009
Guy M. Gross, Partner, McGladrey & Pullen LLP
Michael Hartley, Partner, McGladrey & Pullen LLP
Eileen A. Kamerick, SVP, CFO, and Chief Legal Officer, Tecta America Corp.
Robert J. Wild, Partner, Corporate, Katten Muchin Rosenman LLP
Meet our Speakers
• Michael Hartley, Partner, McGladrey & Pullen LLP
• Guy Gross, Partner, McGladrey & Pullen LLP
• Bob Wild, Partner, Katten Muchin Rosenman LLP
• Eileen Kamerick, SVP, CFO and Chief Legal Officer, Tecta America Corp.
Overview
Auditor Attestation
• What can you expect from your Independent Auditor?
• What involvement should Audit Committee have?
• What were some of the lessons learned from initial ICFR attestation?
Effectiveness of Section 302
Source: Lord & Benoit SOX Consulting Firm www.section404.org using AuditAnalytics.
Implementation
Source: Lord & Benoit www.section404.org and AuditAnalytics www.auditanalytics.com
Material Weaknesses Identified: Management Report Disclosures

| Material Weaknesses Issue | Companies Disclosing | % of Companies |
|---|---|---|
| Ineffective accounting procedures | 555 | 96.5% |
| Issues with competency, training, tone at top, ethics | 449 | 78.1% |
| Departures from FASB/GAAP/Disclosures | 394 | 68.5% |
| Ineffective design of controls not mitigated with compensating controls | 311 | 54.1% |
| Reliance on outside auditors for material adjustments | 192 | 33.4% |
| Information technology, software, security & access issues | 118 | 20.5% |
| Audit Committee – Ineffective, non-existent or understaffed | 110 | 19.1% |
| General ledger close process | 96 | 16.7% |
| Foreign, related party, affiliate, merger, acquisition, consolidation issues | 93 | 16.2% |
| Untimely or inadequate account reconciliations | 80 | 13.9% |
| Accounting for Accounts/loans receivable, investments cash issues | 76 | 13.2% |
| Accounting for Liabilities, payable, reserves and accrual estimates | 65 | 11.3% |
| Revenue recognition issues | 62 | 10.8% |
| Controls over property, intangibles and depreciation | 60 | 10.4% |
| Controls over inventory/cost of sales | 59 | 10.3% |
| Accounting for expenses (payroll, SG&A, leases) | 47 | 8.2% |
| Accounting for income taxes (SFAS 109) | 30 | 5.2% |
| Restatements, regulatory compliance | 29 | 5.0% |
| Accounting for deferred, stock based compensation, debt, warrants, derivatives | 101 | 17.6% |

Note: this table provides a list of issues identified by the 575 companies that disclosed in their Management Report that their Internal Controls over Financial Reporting (ICFRs) were ineffective. Because some disclosures identify more than one material weakness, the same company can be listed for more than one issue. As a result, the aggregate of percentages displayed above is over 100%.
Source: Lord & Benoit www.section404.org using AuditAnalytics Peer Group Builder
Characteristics of a Smaller Public Company
• Personnel constraints and limitations on segregation of duties
• Potential for management override of controls
• Manual controls versus automated controls
• Less complex IT transaction processing systems
Utilization of COSO’s Guidance for Smaller Public Companies
Entity Level Controls
• Implementation of and reliance on entity level controls
• Use of entity level controls to mitigate other potential control deficiencies
• Use of operating controls as internal controls
• Audit committee oversight
Utilization of COSO’s Guidance for Smaller Public Companies
IT controls in a less complex environment
• Concentrate on security, access, and change management IT controls
• Only identify those controls that impact the financial reporting process
COSO’s guidance for smaller reporting companies can be purchased at www.cpa2biz.com
Working With Your External Auditor
• Identification of controls within the financial reporting process only
• Know your risks, get concurrence on risks and how it impacts the financial statement audit
• Utilization of control testing to reduce substantive audit testing
Oversight Responsibilities
• Integrity of Internal Control over Financial Reporting (ICFR)
• Manage the interaction of management, internal audit and external auditor related to ICFR
• Selection, Qualification and Performance of internal audit function
• Understand from management the internal control environment and framework for management’s assessment
• Understand external auditor audit plan for attestation on ICFR
• Review any material weaknesses, significant deficiencies, and deficiencies with external auditor and management
• Address whistleblower complaints related to ICFR
Corporate Governance
ICFR Fundamentals
Exchange Act definition of ICFR
“The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that....” (Exchange Act Rule 13a-15(f))
ICFR Fundamentals (continued)
SOX 302 CEO and CFO Certification
5. The registrant's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting. (SK 601(b)(31))
Definition of Financial Expert
Includes as to ICFR
“An understanding of internal control over financial reporting...” (SK 407(d)(5)(iii)(D))
ICFR Fundamentals (continued)
Listing Standards Relating to ICFR Responsibilities of Audit Committees
• Complaints. Each audit committee must establish procedures for:
– The receipt, retention, and treatment of complaints received by the listed issuer regarding accounting, internal accounting controls, or auditing matters; and
– The confidential, anonymous submission by employees of the listed issuer of concerns regarding questionable accounting or auditing matters.
(Exchange Act Rule 10A-3(b)(3))
ICFR-related Audit Committee Charter Provisions (from the AC Charter of NASDAQ OMX (NASDAQ:NDAQ))
Statement of Policy
The primary function of the Audit Committee is to assist the Board of Directors in fulfilling its oversight responsibilities by reviewing the financial information, which will be provided to the shareholders and others, the systems of internal controls, which management and the Board of Directors have established, and the NASDAQ OMX Group’s audit, financial reporting and the legal and compliance process.
AC Charter Provisions (Continued)
Responsibilities and Processes
3. The Committee shall discuss with the internal auditors and the independent auditors the overall scope and plans for their respective audits including the adequacy of staffing, compensation, and resources. Also, the Committee shall discuss with management, the internal auditors, and the independent auditors the adequacy and effectiveness of the NASDAQ OMX Group’s internal controls, including systems to monitor and manage business risk, and legal and ethical compliance programs and financial reporting. Further, the Committee shall meet separately with the internal auditors and the independent auditors, with and without management present, to discuss the results of their examinations. The internal auditors shall report directly to the Committee and have free and open access to information deemed necessary by them to perform their assessments. The Committee shall provide oversight over the system of internal controls, relying upon management's and the internal and independent auditor’s representations and assessments of the controls.
AC Charter Provisions (Continued)
Responsibilities and Processes
7. The Committee shall have responsibility for, and oversight of, a confidential and anonymous process and procedures for the receipt, retention and treatment of submissions regarding accounting, internal accounting controls or audit matters. All such relevant submissions must be reported to the Committee.
Audit Committee Liability Considerations
• Fiduciary Duty
• Business Judgment Rule protections
– lack of conflict of interest
– good faith
– due care
Initial Stage in 2004
• First year of 404 implementation for accelerated filers—chaotic and expensive
• Audit fees tripled (or more)
• Very little certainty on how to apply the new rules—external auditors had very different approaches
• PCAOB newly formed and just beginning to get a handle on the 404 process
• Not clear how much external auditor could “assist” the company in complying with 404 or even discussing how to meet the requirements
CFO Perspective
Initial Stage in 2004 (continued)
• Heavy focus on documentation
• IT controls became focus as process mapping comes to the fore and many controls were IT based—particularly when segregation of duties issues involved
• Management assessment and auditor’s assessment of management’s assessment were separate and distinct from the audit process—cumbersome
• Record number of restatements—Wall Street shrugged it off—is that good?
Evolution of 404
• What has changed/improved?
• External audit fees have come down—perhaps not enough, but have moderated
• AS 5—focus on integrated audit—much more productive
• Greater reliance on management assertion and testing by internal audit
Evolution of 404 (continued)
• Number of restatements for immaterial matters has moderated
• ICFR is now the job of not just the CFO/internal audit but also the CEO—attestation by CEO and focus of the Board
• More companies fail 404 for tax control issues (particularly following implementation of Fin 48) than any other issue
Benefits and Limitations of 404
• Better controlled companies generally perform better
• Helps companies identify risks and control issues to design risk mitigation and internal audit programs
• 404 only “backward looking” and not effective enterprise risk management tool
– focus limited to accounting fraud and integrity of financials
– no protection from overinvestment in the housing segment and the current economic crisis
Skillsets of Audit Committee
• Difficult to serve on an Audit Committee unless a financial expert (or close)
• “Professionalizing” of the Audit Committee with the coming of 404—many more in-depth technical GAAP and internal control discussions with management and external auditors
Audit Committee Chair/Member Perspective
Roles of Audit Committee
• Fiduciary ensuring that financial statements serve the financial statement reader
• Assessing deficiencies and discussing/debating them with management and external auditors
• Approving audit fees and fees for non-audit work, as is now required
• Direct oversight of internal audit—IA must report to the AC Chair
• Monitoring whistleblower and hotline calls
Q and A
Questions and Answers
Contact Information
Guy M. Gross, Partner, McGladrey & Pullen LLP; p: 847.517.7070 x6357; f: 847.517.7067; [email protected]
Michael Hartley, Partner, McGladrey & Pullen LLP; p: 312.634.3476; f: 312.634.3410; [email protected]
Eileen A. Kamerick, SVP, CFO, and Chief Legal Officer, Tecta America Corp.; p: 847.581.3888; [email protected]
Robert J. Wild, Partner, Corporate, Katten Muchin Rosenman LLP; p: 312.902.5567; [email protected]