Benefits of Early Controls Assessment
Prevention Is Better Than a Cure
Anthony S. Chan
2006 - Until now, the Sarbanes-Oxley Act (SOX) section 404
landscape for smaller public companies has been rather quiet,
driven in part by a second extension in the deadline for compliance.
Moreover, given the negativity associated with the year-1
section 404 certification process and concerns over the high
cost of compliance, many nonaccelerated filers have not even
committed to any controls assessment process, while others
are taking their time until further guidance is available.
In July 2006, the long-awaited COSO Internal Control over
Financial Reporting—Guidance for Small Public Companies
was finally released. This guidance outlines the fundamental
principles associated with the five key components of internal
control: control environment; risk assessment; control activities;
information and communication; and monitoring. The guidance
also defines each principle and describes its attributes,
lists approaches smaller companies can use to incorporate
the principles, and includes examples of how smaller companies
have effectively applied the principles. [See also “Guidance
for Smaller Public Companies Reporting on Internal Controls;
An Overview and Assessment of the COSO Exposure Draft,”
by David R. Campbell and Mary V. Campbell, The CPA Journal,
it is too early to tell if this guidance will convince the
skeptics, some smaller public companies are beginning their
controls assessment process. This article summarizes the
benefits of early controls assessment and describes the
factors that contribute to implementing cost-effective controls.
Failures Are Avoidable
Over the past two decades, many companies have grown through
acquisitions, but little has been done to upgrade the relevant
controls. With accounting staffs stretched to cover the
additional responsibilities associated with growth, there
has been a marked deterioration in the quality of account
reconciliations and related financial statement analyses.
The investing community doesn’t tolerate inaccurate financial
reporting or control failures that could result in financial
statement restatements. Control failures do not happen overnight;
they are avoidable when appropriate resources have been
dedicated to regularly assessing and improving the effectiveness
of the underlying controls. Companies that haven’t
dedicated sufficient resources to maintain their internal
controls and don’t make it a priority to fix control
weaknesses as they arise are most susceptible to control
failures. Control failure has proved too costly for public
companies and their senior management. To avoid this problem,
management must develop and implement controls that are
not only cost-effective but also balanced in improving the
reliability and transparency of a company’s financial
Is Better Than Waiting
Instead of waiting for a crisis to happen and responding to control
failures after the fact, management should acknowledge the
benefits of proactive risk management. While some large
public companies have pegged SOX compliance to their company-wide
risk-management program, others have beefed up their section
404 compliance teams to undertake a year-round evaluation
of the effectiveness of internal controls.
In response to this renewed focus on building proper internal
controls, some nonprofit organizations and private companies
have also redirected resources to building the right corporate
governance and to developing the appropriate mix of internal
control over financial reporting. To help ensure that internal
control gets the right focus, some companies have begun
treating the maintenance of proper internal controls—and
even the cost of ongoing Sarbanes-Oxley compliance—as
a cost of doing business, and built it into their operating
Deficiencies Before They Get Worse
cannot assume that controls are working without taking an
active role in monitoring them. Companies that don’t
take steps to validate the effectiveness of the underlying
controls—until forced to by SOX section 404 provisions—take
the unnecessary risk of material misstatement in their financial
statements. Under these circumstances, control failure is
bound to happen; it’s just a matter of time.
improvement should not be undertaken merely for the sake
of section 404 compliance, however. When control procedures
are designed properly and operated effectively by qualified
and competent individuals, organizations are in a much better
position to manage and mitigate fraud and financial reporting
risks. By focusing on the right fundamentals, companies
will be able to uncover control deficiencies and fix them
before they get out of control.
Benefits of Early Assessment
internal control is the result of a sound control environment,
supported by appropriate monitoring by management and proper
oversight by the audit committee. Getting an early start
not only reduces the learning curve but also allows management
to do the following:
Enhance the control environment and set the right tone
at the top;
Establish proper ownership and accountability to “build
controls into the culture” (from Internal Control
over Financial Reporting—Guidance for Small Public
Companies, July 2006);
Realign risks and controls with business objectives and
drive value into the compliance process;
Maintain the right risk-management focus to reduce the
organization’s exposure to fraud and errors that
could result in material financial misstatements;
Determine the optimal number of accounting staff and the
necessary level of competence;
Streamline or automate—and possibly simplify and
standardize—the underlying business processes, to
eliminate duplicate procedures;
Identify control issues that may have been overlooked
in the past, including non-GAAP practices and accounting
Measure the control gaps and develop practical solutions
to remediate them;
Develop and implement relevant antifraud controls;
Update and maintain relevant accounting policies and procedures;
Develop appropriate guidance to comply with SOX section
404 provisions; and
Confirm the proper remediation of control deficiencies.
With early controls assessment, resources are committed to designing
and implementing front-end prevention controls, as opposed
to a more costly back-end remediation. In short, early assessment
helps save money in the long run.
to Implementing Cost-Effective Controls
Although SOX section 404 compliance can be time-consuming, the effort
can be made cost-effective if done correctly and with the
right focus. The following advice can contribute to the
Don’t procrastinate. Control issues must be promptly
identified and addressed.
Don’t reinvent the wheel. Build an implementation plan based
on the lessons learned from year-1 compliance.
Allocate the right resources and build a dedicated internal-control
compliance team with the right talents. Seek expert help
Get support from the top, as well as continuous monitoring
by senior management.
a risk-based approach to ensure proper scope and planning.
Draw up a comprehensive project plan with a reasonable
timeline, practical milestones, and firm due dates.
Provide sufficient training and proper guidance to ensure
the consistency and quality of control documentation,
testing, and evaluation of control deficiencies.
Remediate control issues as soon as they are identified.
Ensure timely discussion, evaluation, and resolution of
With the time extension for SOX section 404 compliance, smaller
public companies have been handed an opportunity to jump-start
their risk assessment process and develop an early implementation
program to fix control gaps. Moreover, management can leverage
section 404 requirements to drive behavioral changes and
implement controls to reduce the organization’s exposure
to financial reporting risks and fraud. With appropriate
up-front planning and support from the top, management can
avoid the unintended consequences that larger public companies
encountered in their first year of section 404 compliance.
Early controls assessment, with an emphasis on proactive
risk management and continuous process improvement, will
greatly enhance management’s ability to reduce overall
compliance costs while implementing cost-effective controls.
Anthony S. Chan, CPA, is a principal with Berdon LLP specializing
in internal controls and Sarbanes-Oxley Act compliance. He
is a member of the NYSSCPA’s SEC Practice Committee.