7/28/2019 Guide for small business

1/4

u s S e c u r i l i e s a n d E n s h a n u s C o m m i s s i o n Sarbanes-Oxley LcI i01404 - I guide lor SMII Business

Sarbanes-Oxley Seclion 404

Small Business r+doesn't have to be a chor-

dcompanies3 nnual reports toinclude the company's own assessment of.internal control over financialreporting, andan auditor's attestation. Since the law wasenacted, however, both requirementshave beenpostponed for smaller public companies. Therequirement of an auditor's attestationwon'tapply to most smaller public companiesuntiltheir 2008 annual reports. The 2007 annualreport will be the first year that theassessmentwill need to be included.

This brochure is designed to hefirst time easier.

In June 2007, the SEC issued interpretiveguidanceto help companies assess theirinternalcontrols. This guidancewas developedspecifically with smaller companiesin mind.The pidance is voluntary. You can find it,along with other information summarized inthis brochure. on the Commission's websiteWe strongly encourageyou to review thisinformation.

7/28/2019 Guide for small business

2/4

What ' "' ' s EffectiveIn a small company, just as in a large one, it ismanagement's job to maintain a system of internalcontrols so that th e financial statements will be reliable.Th e SEC doesn't have specific rules that tell smallerpublic companies ho w to do this. There is, however,useful guidance available from other sources. One ofthese is the internal control framework set out by aprivate sector organization called the Committee of

Sponsoring Organizations of the Treadway Commission.Summaries of tw o of their publications, Internal ControlOver Financial Reporting- Guidance for Smaller PublicCompanies (2006) an d interm1 Control-integratedFramework (1992), are available without charge athttp~///www.coso.org/publications.htm.

BeginningYour EvaluationYour company's evaluation of the effectiveness of itsinternal controls begins by having the certifying officers

consider tw o basic questions:1) Do my employees understand what they needto do to properly prepare external financialreports?2) What information do I need to make sure theyhave done those things?Th e SEC's new management guidance suggestsconsidering these questions in three steps.

S t e p 1-Identifying FinancialReportingRisks,and ControlsThat AddressThem

Identifying risks in your company's financial reportingstarts with what you know best: ho w your businessworks. Use your knowledge of your company, as wellas of ho w generally accepted accounting principles applyto the business, to identify which parts of the financialreporting process could lead to material misstatements.Think about "what could go wrong" by considering:

Risk factors inherent in y our business, bothinternal and externalRisks in the way you autho rize, process andrecord transactions tha t are reflected in thefinancial statem entsYour company's vu lnerability to fraud

To identify w hich controls address those risks,consider the following:H ow do your entity-level controls relate tofinancial reporting elements? With wh at level ofprecision do they op erate?Is there mo re than one control tha t addressesthe sam e financial repor ting risk? If so, whichone provides the most efficient way for you t oevaluate how well it works?Is the control automated? If so, how sturdyare the relevant ITcontrols? O r is the controlmanual- and if so, what is the risk of humanerror?No t every control within a p articular processneeds to be identified- only those thatadequately address financial reporting risks.

Exactly how you go about identifying yourcompany's financial reporting risks and the controlsto address them will depend on your company's size,complexity, and organizational structure-as well as theparticu lars of the financial repor ting process you use. Ina sm aller company with centralized financial reporting,management's daily involvemen t with the business mayprovide it with ad equate knowledge to identify thefinancial reporting risks an d related controls.

At th e en d of this process, you will have identifiedthe financial reporting risks that ar e specific to yourcompany, as well as th e controls that will permit youto most efficientlydetermine whether th e company'sfinancial reporting is reliable.S t e p 2-DoYour ControlsWork in Practice?

Determ ining the effectivenessof the controls you'veidentified requires that you gather evidence abou t ho wthe controls actually operate. W hat kind of evidence youneed, and how much of it, depends on your assessmentof two kinds of internal control risk:

7/28/2019 Guide for small business

3/4

1) The risk of a material m isstatement in thefinancial repor ts2) The risk that the control will fail to operate asdesigned

The greater the internal control risk, the m oreevidence you'll need to supp ort a conclusion that thecontr ol is effective.

How Much Evidence DoYouNeed to EstablishThat Internal Controls Are Effective?

wbmRisk ofMisstatementInFlnanclals

Mmm RQRisk of Conbol Failure

In a smaller company, you may not need to assignan y special personnel to th e task of gathering evidenceo n how internal controls are operating. Likewise,th e procedures you follow to obtain evidence ofoperating effectiveness may be integrated with the dailyresponsibilities of the employees. As internal control riskincreases, however, yo u may need to consider:Using personnel who are more objectiveMore extensively validating th e controlsTesting over longer periods

The SEC's newly issued guidance provides examplesof financial reporting elements that ordinarily wouldbe considered higher risk, such as critical accountingpolicies. It also provides examples of controls that havehigher risk, such as those that ar e subject to overrideby management, involve significant judgment, o r ar ecomplex.

The SEC guidance also describes circumstances inwhich managers can rely on their ow n knowledge an dsupervision of controls- a common situation in smallercompanies- as a way to limit th e additional procedures,if any, that might be needed to gather evidence ofoperating effectiveness.

Once th e evidence is gathered, yo u then determinewhether the control is operating effectively. In makingyour assessment, you should consider:1) Whether the control operates as designed2 ) H o w it is applied3) Whether it operates consistently4) Whether the personnel responsible for th econtrol have th e authority, and th e competence,to d o th e jobIf management determines that th e control is no toperating effectively, then a control deficiency exists.As described below, each control deficiency must beevaluated to determine if it is a material weakness.

Step 3-ReportingYourConclusionsonOverall Effectiveness,and DeficienciesYour company's 2007 annual report will include

your assessment of the overall effectiveness of yourinternal controls. In making your determination ofwhether the company's internal controls are effective,you should begin by assessing any control deficiencies.Is any of them - alone or in combination- seriousenough to be a material weakness? If so, yo u can'tconclude that th e company's controls are effective. Thisputs a significant premium on knowing wh at constitutesa material weakness.Simply put, a material weakness is on e or morecontrol deficiencies that create a reasonable possibilityof a material misstatement in your company's annual or

interim financial statements. This does not necessarilymean that a material misstatement has occurred, bu t onlythat th e controls might not be good enough to detect orprevent a material misstatement o n a timely basis.The SEC's new guidance highlights th e factorsthat you should consider in deciding whether a controldeficiency is a material weakness. For example:

7/28/2019 Guide for small business

4/4

w H o w susceptible is th e related financialreporting element to loss or fraud?w H o w significant are the financial statementamounts or th e transaction totals that ar eexposed to th e deficiency?

If you identify an y material weaknesses, yo umust describe them in your assessment of th e internalcontrols that appears in your annual report. Youshould also consider including th e following in yourassessment:w An analysis of h ow th e material weaknessaffects the company's financial reporting andinternal controlsw Your current plans (or th e actions you'vealready taken) to address th e material weaknessFinally, yo u should describe these materialweaknesses to th e audit committee and your externalauditor, along with an y control deficiencies you've foundthat didn't rise to th e level of a material weakness, bu twhich yo u think ar e important enough to merit theirattention. Control deficiencies of this kind ar e definedas "significant deficiencies" in th e SEC's rules.

What Kind of Records Do INeed?Management is responsible fo r maintainingreasonable support fo r its assessment.The SEC'sguidance doesn't make this decision fo r you- becausewe recognize that what's reasonable will depend o nthe nature, size, an d complexity of each company. Itwill also vary based o n the internal control risk thatmanagement has identified.A smaller company's management might determinethat what already exists in th e company's books andrecords is sufficient for its assessment. Alternatively,

management may decide that it is better to keep separatecopies of th e evidence it evaluates. In all cases, thesupport that yo u rely on should include written recordsof th e following:w The design of the controlsw The way you gathered and evaluated the evidenceThe basis for your assessment of effectiveness

Other Sources of GuidanceTh e SEC has published many oth er sources of usefulguidance that ca n help smaller companies perform themanagement assessment of internal con trols underSarbanes-O xley Section 404. You should start with theSEC's website at httpJ/ww.sec.gov/spodight/soxcomp.hun . Oth er good sources are:W The SEC's June 200 3 Implementing Rules (ht tpd l

www.sec.gov/rules/finaV33-8238.htm)The SEC's June 2007 Interpretive Guidance (http:/1www.sec.gov/rules/interp/2007/33-8810.pdQ

W The SEC's Rules Defining Material Weaknessand Regarding Voluntary Use of the InterpretiveGuidance (http://www.sec.g0v/rules/fina1/2007/33-8809.pdf)W The SEC's Rule Defining Significant Deficiency(http:l~.sec.govlrules/finaV2007/33-8829.pdQw The SEC Staff's FAQs (http://www.sec.gov/info/

accountants/controlfaq.htrn)

Contactingthe SECTh e SEC's Office of the Chief Accountant is happy toassist smaller compan ies with Section 404 questions. Youcan subm it a question by email to 404smallbusiness@sec.gov. We will study it and the n set up a conferenc ecall with you to discuss it. Mo re information o n thiscan be found at: http~/\~~~.sec.gov/info/accountantocasubguidance.htm.For help with other com pliance issues of importanceto smaller companies, visit the Division of CorporationFinance's Office of Small Business Policy website a t http://www.sec.gov/info/sma1Ibus/reachsec.htm, or email us a tsmallbusiness@sec.gov.

ReoraductlonGuidelinesThis brofhvre was oreoared bv the staff of theUlited. .States Securitiesand Exchange C o m l n i o n a n d d oe s not necessarily rde c t thev i m of the Commission. It is not subject to rmzictlons an repradudon or useunder the laws of theunited Stater. This brochure ma y be reproduced in its mtirewmthout additional permission or fes .Thiswork cank afcssed on the Internet atm s a c . g o v .