SOX meets tech: as control requirements change, technology must meet small-business challenges.

Author: Norris, Rick
Position: Sarbanes-Oxley Act of 2002 - Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations of the Treadway Commission's long-awaited draft, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting, was released in October 2005 to address internal controls for smaller publicly owned companies.

COSO's small-business guidance uses 26 principles that constitute effective internal controls over financial reporting and identifies several themes, including control environment, risks, control activities, information technology (communication) and monitoring.

The small-business guidance also added the focus of personal responsibility for controls that are necessary to smaller businesses.

Shortly after COSO's draft was released, the SEC Internal Controls Subcommittee to the Advisory Committee of Small Public Companies issued a preliminary report in December 2005 that exposed the profession to the murky waters of quasi-internal controls.

This subcommittee recommended the following:

  1. Exempt "micro-cap" companies with market capitalization of less than $128 million from SOX Sec. 404 under certain conditions; and

  2. Exempt smaller companies with market capitalization of less than $787 million from external audit requirements of Sec. 404 under certain conditions, or at least require a more cost-effective approach to these requirements.

Due to these developments, "smaller company" internal control technology is left in a bog. Where should internal control-assisting technology go from here? Does it stay the course, but try to lighten the load? Does it change radically, throwing out the first two years of SOX compliance?

DIFFERENT APPROACH

The COSO-SB, the SEC advisory and the PCAOB pronouncement that directed auditors to use a more risk-based approach when certifying internal controls necessitate a radical change in the technological approach to internal controls. Software companies emphasize process-level testing and controls, which accommodate the auditor's preferences.

However, the new movement emphasizes an entity-level risk assessment approach that dictates the proper focus on process-level controls.

Technology should increase its emphasis on monitoring significant balance sheet accounts for smaller companies. Once a company's balance sheet is analyzed in this top-down approach, a risk-based analysis at the process level can be properly performed (Exhibit 1)...
