Editor: What developments have we seen in 2006 that affect SOX 404 requirements, and what other changes can we expect?
Goldenberg: In May of 2006, the SEC Advisory Committee on Smaller Public Companies made recommendations to the commission. Their report spurred several changes already, with more expected in the next year. Their recommendations were to either eliminate the requirements for the smallest public companies (and limit them for certain other smaller companies), or, as an alternative, amend the audit requirements to better reflect the limitations smaller companies have on meeting the standards. The SEC quickly responded that no US public company will be exempt from SOX 404, but conceded that there should be more guidance for management and revisions should be made to the auditing standards. The SEC also resolved to incorporate some of the lessons learned in the first two years of SOX 404 compliance.
Editor: What are the key dates for smaller companies under SOX 404 now?
Goldenberg: The SEC has once again recommended deferral of the compliance requirements for "non-accelerated" public companies until years beginning on or after December 16, 2006. Maybe more importantly, the audit of management's assessment would not occur until the year after management's assessment, allowing companies to furnish their initial assessment one year before being subject to the auditors' report.
Editor: Can we expect further delays?
Goldenberg: This latest deferral is meant to provide the SEC and PCAOB time to provide their guidance and revisions, and enough time to implement these changes. The SEC issued a Concept Release in July 2006 requesting public comment on how those changes should be made. The comment period just ended in September. Based on the extent of work to be performed, it would not be totally unexpected that the SEC or PCAOB would need some extended time. Therefore, the SEC has acknowledged that there could be further extensions if the related changes are not published in time to be useful to management and the auditors.
Editor: COSO's new guidance for smaller companies came out in July. How will it influence how management and the auditors implement SOX 404?
Goldenberg: In July 2006, COSO issued Implementation Guidance for Smaller Public Companies. This useful guidance provides further clarification of the principles underlying the framework, as well as examples and toolsets. But it does not alter the underlying concepts of what elements support internal control. So it provides implementation guidance, as the title says, but little in the way of specific relief from the efforts that can be expected to complete the overall assessment.
Editor: What are some lessons learned since SOX 404 began in 2004 that companies looking to start compliance can use now?
Goldenberg: First, use whatever time remains to make a smart assessment. I do not believe that any further guidance will dramatically change the way an assessment is performed, and there are certain basic considerations of the COSO framework that, if adopted, should be applied. Management can take an informed approach by first performing a risk assessment and scope, evaluating the key financial reporting areas and entity level controls as early as possible. Further, we learned that when management and the audit committee are fully committed to the assessment, it greatly influences the process and improves the outcome.
Editor: What went wrong with SOX 404 in the first years?
Goldenberg: There is still no specific guidance to help management make their assessment, which the SEC is addressing as previously discussed. Therefore, the process was too much driven by the auditing standard, which is also now subject to revision. These uncertainties led to a shotgun approach, which was not focused on what's important.
Editor: What's the best strategy for a smaller company starting their assessment today?
Goldenberg: Consider what resources will be needed within each stage of the assessment. Besides the additional hours required in any assessment, you'll also need to involve people who understand internal controls, information technology, and other more technical aspects. Think about what you do well, and what you don't do well, early in the process.
Published October 1, 2006.