Partner Jonathan Cramer Co-Authors NLJ Article on Small Company SOX Compliance

Smaller Companies and Sarbanes-Oxley Compliance
Michael Rhodes and Jonathan P. Cramer

The Sarbanes-Oxley Act of 2002¹ represents the most significant and far-reaching financial legislation since the enactment of the Securities Exchange Act of 1934. While this critical legislation was the result of large newsworthy corporate failings and fiscal misconduct, the goals are quite straightforward and simple — to enhance the reliability of financial reporting. By doing so, investor confidence in Corporate America should eventually recover.

Section 404 of the Act² requires, among other things, management of publicly traded companies to report upon their assessment of the effectiveness of the internal controls over financial reporting, from the "tone at the top" down to the transaction-level controls. The companies' external auditors will perform an annual attestation to that assessment. Companies will then be required to report in their subsequent annual and quarterly report any changes in internal controls that have materially affected or are likely to materially affect their internal controls. In order to evaluate the internal controls over financial reporting, management must adequately document and test the internal controls over financial reporting and make this evaluation available to the external auditors.

The U.S. Securities and Exchange Commission adopted rules implementing Section 404 in mid-2003. They can be found in Item 308 of Regulation S-K.³ In addition, the PCAOB adopted Auditing Standard No. 2⁴ in June 2004 to serve as the professional standard governing the auditor's attestation and reporting on management's assessment of the effectiveness of internal controls.

For "accelerated filers," primarily publicly traded companies with market capitalizations in excess of $75 million, the effective date for compliance with Section 404 of the Act is for fiscal years ending after Nov. 15, 2004. Accordingly, accelerated filers with calendar year-ends are required to comply in their upcoming Forms 10-K.⁵ However, "non-accelerated filers" have a delayed effective date, which is for fiscal years ending after July 15, 2005. The extended deadline on the surface would seem to be a great benefit. However, if not leveraged appropriately the benefit of this extension could be squandered by these smaller, publicly traded companies.

While Section 404 compliance will most naturally fall within the responsibility of a company's CFO, the general counsel of the company can greatly contribute to the overall compliance effort because of his or her firm understanding of the organization and involvement in compliance-related matters as well as a general understanding of the requirements of the Act, itself. Accelerated filers have found that the general counsel's role within Section 404 compliance initiatives was not well-defined and, therefore, the opportunity to fully engage the general counsel as part of the compliance team was missed. The purpose of this article is to highlight the lessons learned over the course of the last year as the accelerated filers worked toward compliance, to ensure that general counsel of smaller companies support their organizations to avoid encountering the same pitfalls, which could result in increased fees to achieve compliance, or worse, non-compliance.

Project Management

Project management is a critical component of a Section 404 compliance initiative. Any significant initiative within your organization will have a project management and planning aspect. Section 404 compliance is no different. Those assuming responsibility for completing the project should employ a logical, structured approach to both the evaluation and testing, which will be required prior to the attestation performed by your company's external auditors. There are several objectives to project managing a Section 404 compliance engagement. These include:

• Developing a realistic time line which should be reviewed and agreed to with the external auditors;

• Assessing the skills of the compliance team and assigning responsibilities accordingly;

• Developing a "documentation standard," approved by the external auditors, that all team members will employ to ensure consistency for ease of review as well as ongoing maintenance;

• Prioritizing work based upon a preliminary risk assessment.

While all plans are subject to modification, careful up-front planning and ongoing project management will ensure that the project runs as smoothly as possible and that any potential obstacles are identified and overcome on a timely basis.

Communication with the external auditors will be integral to compliance. Many companies learned the hard way that by not involving the external auditors early on and maintaining open lines of communication throughout the project, they experienced significant delays and increased project costs due to re-work. Last year, external auditors were in the same position as their clients — the Act was new to them too, and a clearly established picture as to what compliance would (or should) look like did not exist.

Accelerated filers grew frustrated by the sense that they were blindly throwing darts at a dart board and that their external auditors maintained the perspective that while they could not define compliance, they would know it when they saw it. Now, as accelerated filers begin to file their first year management reports on the effectiveness of internal controls, the external auditors have a better understanding of the requirements imposed on their clients, as well as themselves, and the overall compliance requirements. This understanding has been bolstered by the SEC's and the PCAOB's publication of two sets of frequently asked questions related to Item 308⁶ and Auditing Standard No. 2.⁷

Auditor independence issues, both real and perceived, surrounding the Act create an environment where, in most cases, your company's external auditors will not be able to provide all of the answers. In general, this is in order to ensure that the requisite auditor independence is established and maintained as well as to allow management to conduct an independent evaluation of their internal control environment, as required by the Act. Auditor independence, however, should not be confused with the elimination of their input during the compliance process. Keeping the external auditor's involvement to a minimum in order to manage, in the short-term, the fees incurred, will not be as cost effective in the long run as leveraging their real-world experience with other clients in addressing areas of concern that are identified in the course of your company's internal control evaluation.

Assembling a Team

Section 404 compliance will require a dedicated team with the appropriate skills. The range of roles and responsibilities within a Section 404 compliance initiative is vast. The people involved will include those who perform the internal controls documentation and evaluation effort; those with responsibility for identifying gaps and remediating any weaknesses; and those who serve as subject matter experts within a critical cycle ("process owners"). While your compliance team will certainly include people who cross all areas, the optimum team will include individuals with diverse technical expertise and know-how in the following fields:

• Financial reporting management and processes;

• Operational management;

• Auditing concepts, techniques and tools;

• Information technology;

• SEC regulation.

The work of the general counsel most likely touches on all of the above-mentioned fields. It is that cross-functional involvement that makes the general counsel invaluable to the team as a whole.

As important as the skills of the team members, is the level of commitment an individual team member can dedicate to the project. We have all worked on projects where people assigned to the team are not relieved of any of their current and pre-existing responsibilities. While this can work well in certain circumstances, Section 404 compliance is not one of them. In general, most individuals assigned to the initiative must be fully dedicated in order to complete the work. There is a deadline, and it must be adhered to. Your company's external auditors will, most likely, plan their work based upon the time line provided, and their attestation effort, over which your CFO will have limited control, is a critical component of the project. Additionally, coordinating process owner schedules to complete the required documentation will require flexibility and responsiveness. It will be hard enough to maintain momentum on this significant endeavor without adding potential scheduling conflicts into the mix. Driving the project forward and addressing all aspects required to achieve compliance will require people to be 100 percent dedicated.

Information technology is a primary consideration. An effective internal control environment will have a combination of manual and systemic controls. Financial professionals evaluating internal controls have a tendency to revert back to the "old days" by focusing on the manual controls that are in place affecting a company's ability to initiate, authorize, record, process and report financial data. However, most general ledger systems are supported by numerous feeder applications that provide critical financial data. These applications have embedded controls that are as integral to the internal control environment as the manual controls and must be considered in order to fully document the controls in place.

In addition to the application controls, from an overall control environment perspective, your compliance team must consider the general information technology controls that are in place, which support all functioning applications. Generally, this area should be treated as a separate component of the Section 404 documentation and should address the overall information technology environment. Specifically, this should include controls governing:

• Data center operations (job scheduling, backup and recovery procedures);

• System software controls (acquisition and implementation of operating systems);

• Access security;

• System development and maintenance controls (acquisition and implementation of individual software applications);

The information technology aspects of an internal control environment are critical to a successful documentation and evaluation effort, whether considering the impact of a specific application control or the general controls that allow the effective use of technology within the organization. Sufficient time and energy from knowledgeable resources must be allocated to this effort.

Ongoing Maintenance

Integrate knowledge transfer into the documentation and evaluation phase. Sarbanes-Oxley compliance is not a one-time event. Management must assess, and the outside auditors must attest to the effectiveness of, the company's internal controls over financial reporting on an annual basis. In addition, management must report on a quarterly basis any changes in its internal controls over financial reporting that have materially affected or are reasonably likely to materially affect the company's internal controls.

While initial compliance is an undertaking over which the finance organizations of most companies will assume overall responsibility, ongoing maintenance can be most efficiently and effectively managed at the process and control owner levels. This will create a dramatic shift in how companies think about internal controls. It will no longer be the sole responsibility of the controller's office to oversee internal controls over financial reporting. Non-financial management, including general counsel, will assume a significant role in the identification of internal controls' weaknesses and will be responsible for ensuring that any process improvements do not impact the documented and relied upon controls that are in place. Additionally, if a control is changed, there must be a means of informing the Chief Financial Officer of the change to ensure proper disclosure.

Even as the process is driven forward toward initial compliance, it is imperative that your company looks long-term and ensure that the knowledge and understanding are conveyed to the key process owners within the organization who can adequately maintain the documentation going forward. This may require educating people within the organization as to what internal controls are and how to recognize if the system of internal controls has been impaired.

Early on, many accelerated filers jumped into the documentation phase assigning responsibility for getting the project completed solely to financial personnel. This made sense for CFOs and controllers, and it certainly instilled a sense of confidence that those with the most knowledge of the overall financial reporting process and related internal controls would drive the project and analyze the results. As these projects neared completion, though, it became apparent that the ongoing maintenance aspects had not been fully considered and that knowledge gained about the processes or the related systems of internal controls was not being transferred to the correct individuals (i.e. process owners).

Pilot Process

Schedule a pilot process for documentation. A critical component of the planning phase of a well-executed Section 404 compliance initiative will include documenting a pilot process. After finishing the labor-intensive planning and preliminary risk assessment, it is not uncommon to want to get things started as quickly as possible. Your compliance team has been assembled, the external auditors have agreed with the overall plan and now everyone is anxious to gain some momentum because it appears that these projects can take longer than expected. However, selecting one process to serve as the project pilot will prove a cost-effective way of ensuring that expectations are managed and that the overall project plan is realistic.

Typically, a pilot process should be relatively straightforward and standard enough to be benchmarked against other companies, even if they are not in the same industry. Accounts payable is a good example. Once the pilot documentation is complete, your project management can constructively meet with the external auditors to ensure that the level of documentation is satisfactory and that the format of the documentation meets their needs and expectations. Any modifications that are agreed upon with the external auditors can be incorporated prior to the full-blown project kick-off.

Establish the overall objectives within a critical process. Internal controls should always be designed to ensure that the benefit of the control is greater than the cost to implement and maintain the control. Sarbanes-Oxley has not changed this. However, in the team's haste to complete the documentation, to design an effective system of internal controls and to achieve initial compliance with Section 404, the general counsel should help ensure that the team does not lose sight of the overall objectives of the business process under review.

It is critical to remember that an internal control system exists to support the business, not to impinge upon progress. Accordingly, as the compliance team documents and evaluates controls, it should always be mindful of the process' overall objectives. Effective internal controls will help achieve your company's business objectives and will ensure the information is available to monitor that these business objectives are being met. Additionally, given the limited resources available, focusing on the business objectives will result in the most effective and efficient internal control design.

Conclusion

The Sarbanes-Oxley Act has changed the way organizations think and how they conduct business. And the implications of complying with the Act can seem overwhelming and costly. While there is still much to be learned about how organizations will be affected by the Act over the long term, you can support your company's compliance effort and increase the likelihood of success while minimizing the overall cost of compliance to your company by encouraging the development of a plan that incorporates the lessons learned by others.

Your business is unique, and there is no "one size fits all" road to compliance, but there are opportunities to not only achieve successful compliance, but to benefit from the compliance effort itself. Invest the time and resources focusing on the specifics within your organization, not correcting problems that could have been avoided.

Michael Rhodes is director of the corporate governance practice at Citrin Cooperman & Company, a tax, accounting and business consulting firm. Jonathan P. Cramer is corporate partner with Ropes & Gray in New York.

Endnotes

1. Pub. L. No. 107-204, §116 Stat. 745 (2002).

2. 15 U.S.C. §7262 (2002).

3. 17 C.F.R. §229.308 (2004).

4. Public Company Accounting Oversight Board; Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (Auditing Standard No. 2), Exchange Act Release No. 34-49884 (June, 17, 2004).

5. On Nov. 30, 2004, the SEC issued an order extending by 45 days the deadline for complying with the requirements of Items 308(a) and (b) of Regulation S-K. This exemption applies to accelerated filers having market capitalizations of less than $700 million and fiscal years ending on or after Nov. 15, 2004, through Feb. 28, 2005. These filers are required to file an amendment to their Forms 10-K no later than 45 days after the end of the 75-day filing period specified in Form 10-K to include the omitted information. Order Under Section 36 of the Securities Exchange Act of 1934 Granting an Exemption From Specified Provisions of Exchange Act Rules 13a-1 and 15d-1, Exchange Act Release No. 50754 (Nov. 30, 2004).

6. SEC Division of Corporate Finance, Office of the Chief Accountant, Management's Report on Internal Control Over Financial Reporting and Disclosure in Exchange Act Periodic Reports Frequently Asked Questions, available here (last modified Oct. 6, 2004).

7. PCAOB, Staff Questions and Answers No. 1-36, Auditing Internal Control Over Financial Reporting, available here (June 23, 2004, revised July 27, 2004), (Oct. 6, 2004), (Nov. 22, 2004).

Reprinted with permission from the March 14, 2005 edition of the National Law Journal © 2005 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.