The Wall Street Reform and Consumer Protection Act of 2010 – passed in July 2010 -- permanently exempted non-accelerated filers (public companies with a market cap <$75M) from Sarbanes-Oxley, Section 404(b), which requires an external audit review of a company’s internal controls over financial reporting. Instead, non-accelerated filers can continue to “self-certify” the adequacy of their internal controls under the requirements of Sarbanes-Oxley, section 404(a).
But non-accelerated filers beware – the government let you off the hook for an external audit, your auditors and other regulatory agencies are renewing their focus on internal controls!
- Many auditors indicate they will apply more scrutiny to 404(a) statements made by their clients, to ensure that there is a real basis for self-certification.
- At the same time, the newly aggressive SEC and DOJ are expanding personnel and focusing on Corporate Governance and the role of Audit Committees, Directors and Company Officers in Compliance and Financial Reporting. The SEC also lists “ineffective internal or disclosure controls” as number seven on their previously published top 10 list of risk factors.
- The liability and consequences of inaction can be severe. New precedents for fines, civil/criminal charges, and even jail sentences have been set recently and new stories are emerging regularly.
Internal Controls Requirements for 404(a)
Section 404(a) includes many of the same requirements that 404(b) sought to examine and may become a new yardstick by which external auditors will evaluate annual financial reports. Hence many of the same questions asked during a 404(b) audit will apply to non-accelerated filers in a 404(a) audit. If auditors cannot find basis for these certifications, it may open up a new area of investigation that could inevitably lead to the same type of scrutiny (and cost) applied to a 404(b) implementation engagement.
Section 404(a) specifies the following requirements that provide a good framework for any type of company wishing to implement robust internal controls:
· The annual assessment must be performed by both a Competent and Objective party per SEC guidelines
· Companies must still include a certification by the Chief Executive Officer and Chief Accounting Officer that they tested financial controls as part of annual 10K statements.
· The establishment and documentation of internal controls around financial reporting and the systems used to produce financial reports (this includes IT-related controls).
· Testing of these internal controls to prove that they are in place and functioning as specified.
· Attestation (Section 302) by executive management that all controls are in place and have been tested as working.
In my next post, I will describe an effective approach for a strong internal controls system designed to meet SOX 404(a) and ultimately 404(b).