The Benefits of Early Controls Assessment
Prevention Is Better Than a Cure

By Anthony S. Chan

NOVEMBER 2006 - Until now, the Sarbanes-Oxley Act (SOX) section 404 landscape for smaller public companies has been rather quiet, driven in part by a second extension in the deadline for compliance. Moreover, given the negativity associated with the year-1 section 404 certification process and concerns over the high cost of compliance, many nonaccelerated filers have not even committed to any controls assessment process, while others are taking their time until further guidance is available.

In July 2006, the long-awaited COSO Internal Control over Financial Reporting—Guidance for Small Public Companies was finally released. This guidance outlines the fundamental principles associated with the five key components of internal control: control environment; risk assessment; control activities; information and communication; and monitoring. The guidance also defines each principle and describes its attributes, lists approaches smaller companies can use to incorporate the principles, and includes examples of how smaller companies have effectively applied the principles. [See also “Guidance for Smaller Public Companies Reporting on Internal Controls; An Overview and Assessment of the COSO Exposure Draft,” by David R. Campbell and Mary V. Campbell, The CPA Journal, September 2006.]

While it is too early to tell if this guidance will convince the skeptics, some smaller public companies are beginning their controls assessment process. This article summarizes the benefits of early controls assessment and describes the factors that contribute to implementing cost-effective controls.

Control Failures Are Avoidable

Over the past two decades, many companies have grown through acquisitions, but little has been done to upgrade the relevant controls. With accounting staffs stretched to cover the additional responsibilities associated with growth, there has been a marked deterioration in the quality of account reconciliations and related financial statement analyses.

The investing community doesn’t tolerate inaccurate financial reporting or control failures that could result in financial statement restatements. Control failures do not happen overnight; they are avoidable when appropriate resources have been dedicated to regularly assessing and improving the effectiveness of the underlying controls. Companies that haven’t dedicated sufficient resources to maintain their internal controls and don’t make it a priority to fix control weaknesses as they arise are most susceptible to control failures. Control failure has proved too costly for public companies and their senior management. To avoid this problem, management must develop and implement controls that are not only cost-effective but also balanced in improving the reliability and transparency of a company’s financial statements.

Prevention Is Better Than Waiting

Instead of waiting for a crisis to happen and responding to control failures after the fact, management should acknowledge the benefits of proactive risk management. While some large public companies have pegged SOX compliance to their company-wide risk-management program, others have beefed up their section 404 compliance teams to undertake a year-round evaluation of the effectiveness of internal controls.

In response to this renewed focus on building proper internal controls, some nonprofit organizations and private companies have also redirected resources to building the right corporate governance and to developing the appropriate mix of internal control over financial reporting. To help ensure that internal control gets the right focus, some companies have begun treating the maintenance of proper internal controls—and even the cost of ongoing Sarbanes-Oxley compliance—as a cost of doing business, and built it into their operating budget.

Fix Deficiencies Before They Get Worse

Executives cannot assume that controls are working without taking an active role in monitoring them. Companies that don’t take steps to validate the effectiveness of the underlying controls—until forced to by SOX section 404 provisions—take the unnecessary risk of material misstatement in their financial statements. Under these circumstances, control failure is bound to happen; it’s just a matter of time.

Control improvement should not be undertaken merely for the sake of section 404 compliance, however. When control procedures are designed properly and operated effectively by qualified and competent individuals, organizations are in a much better position to manage and mitigate fraud and financial reporting risks. By focusing on the right fundamentals, companies will be able to uncover control deficiencies and fix them before they get out of control.

Benefits of Early Assessment

Effective internal control is the result of a sound control environment, supported by appropriate monitoring by management and proper oversight by the audit committee. Getting an early start not only reduces the learning curve but also allows management to do the following:

  • Enhance the control environment and set the right tone at the top;
  • Establish proper ownership and accountability to “build controls into the culture” (from Internal Control over Financial Reporting—Guidance for Small Public Companies, July 2006);
  • Realign risks and controls with business objectives and drive value into the compliance process;
  • Maintain the right risk-management focus to reduce the organization’s exposure to fraud and errors that could result in material financial misstatements;
  • Determine the optimal number of accounting staff and the necessary level of competence;
  • Streamline or automate—and possibly simplify and standardize—the underlying business processes, to eliminate duplicate procedures;
  • Identify control issues that may have been overlooked in the past, including non-GAAP practices and accounting estimates;
  • Measure the control gaps and develop practical solutions to remediate them;
  • Develop and implement relevant antifraud controls;
  • Update and maintain relevant accounting policies and procedures;
  • Develop appropriate guidance to comply with SOX section 404 provisions; and
  • Confirm the proper remediation of control deficiencies.

With early controls assessment, resources are committed to designing and implementing front-end prevention controls, as opposed to a more costly back-end remediation. In short, early assessment helps save money in the long run.

Keys to Implementing Cost-Effective Controls

Although SOX section 404 compliance can be time-consuming, the effort can be made cost-effective if done correctly and with the right focus. The following advice can contribute to the effort.

  • Don’t procrastinate. Control issues must be promptly identified and addressed.
  • Don’t reinvent the wheel. Build an implementation plan based on the lessons learned from year-1 compliance.
  • Allocate the right resources and build a dedicated internal-control compliance team with the right talents. Seek expert help if needed.
  • Get support from the top, as well as continuous monitoring by senior management.
  • Use a risk-based approach to ensure proper scope and planning.
  • Draw up a comprehensive project plan with a reasonable timeline, practical milestones, and firm due dates.
  • Provide sufficient training and proper guidance to ensure the consistency and quality of control documentation, testing, and evaluation of control deficiencies.
  • Remediate control issues as soon as they are identified.
  • Ensure timely discussion, evaluation, and resolution of challenges encountered.

Moving Forward

With the time extension for SOX section 404 compliance, smaller public companies have been handed an opportunity to jump-start their risk assessment process and develop an early implementation program to fix control gaps. Moreover, management can leverage section 404 requirements to drive behavioral changes and implement controls to reduce the organization’s exposure to financial reporting risks and fraud. With appropriate up-front planning and support from the top, management can avoid the unintended consequences that larger public companies encountered in their first year of section 404 compliance. Early controls assessment, with an emphasis on proactive risk management and continuous process improvement, will greatly enhance management’s ability to reduce overall compliance costs while implementing cost-effective controls.

Anthony S. Chan, CPA, is a principal with Berdon LLP specializing in internal controls and Sarbanes-Oxley Act compliance. He is a member of the NYSSCPA’s SEC Practice Committee.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.