Why Should Small Businesses Care about SOX?
FIVE REASONS WHY SMALL BUSINESSES SHOULD CARE ABOUT SOX
Here are five reasons why small businesspeople should care, and be enthused, about SOX.
1. The current trend is toward holding CFOs or other senior management criminally liable for veracity of financials and tax returns.
2. Banks that are publicly traded entities prefer to have clients who are in compliance with SOX.
3. Best practices that emerge with SOX compliance are becoming the gold standard for management.
4. Boards are being held more accountable.
5. Sources of capital (VC firms) will demand transparency. Being in compliance offers small companies a competitive advantage.
Bonus Reason—Save Money and Improve Competitive Advantage
SOX can help your company save money in a number of ways:
a) Get better interest rates. Interest rates on loans are based on the lender's perception of risk. Being in compliance with SOX requirements and implementing the best practices that emerged from the SOX legislation will help your firm improve its credit rating and demonstrate that it is a better credit risk.
b) Get more competitive terms for loans or lines of credit. As your company adopts SOX requirements and best practices, these efforts could have a positive effect on the firm's credit rating, as noted above. Additionally, being able to demonstrate that your firm is in compliance could be beneficial in negotiating the terms of a loan or line of credit.
c) Be in a better position to negotiate a more favorable fee from auditors. Although there has been significant media coverage on the increasing costs of audits, it's important to point out that many of these fee increases have been imposed when the client firms are not in compliance. If you feel that your auditor's fees are too high, bid out the job! Don't settle for less than complete value for your auditing dollar. Consider using smaller accounting firms. Supply information on your firm's compliance practices to prospective auditors and aggressively negotiate the fees.
d) Obtain insurance coverage at a more competitive premium. Insurance underwriters are highly reluctant to extend coverage to businesses that are not in compliance with SOX. Remember, compliance is today's management gold standard, and underwriters are looking for evidence that your company has taken the initiative to integrate SOX requirements and best practices into your day-to-day operations. Doing so tells the underwriter that you know what you are doing and are serious about managing risk in your business.
e) Create additional value from current company relationships. Bringing your small business into compliance can be facilitated by discussions with your company's banker, legal counsel, insurance professional, and IT professionals. These people should know your business inside out. If they don't, then you need to seriously consider finding advisors who can meet these expectations. Leverage their knowledge of your firm and their professional expertise. They can tell you how to come into compliance in an efficient and cost-effective manner. CPAs can help companies use SOX compliance as a stepping stone to improved decision-making procedures, more efficient processes, and greater confidence in financial reporting. Some of these improvements may help companies offset the high cost of complying with the act (Harrington, 2005). (Chapter 8 explains more fully how to work effectively with these professionals.)
f) Position your company to increase sales. Let the world know that you are in compliance. Demonstrating that your company is in compliance will position your company to increase sales by:
o Being an attractive vendor or subcontractor to larger firms.
o Leveraging SOX compliance as a marketing tool—differentiate your business from that of your competitors by taking action to come into compliance.
o Retaining current clients by bolstering confidence in your firm's integrity and transparency. Demonstrating compliance will serve to reinforce your firm's value as a vendor.
o Presenting the business "credentials" that are essential in securing contracts with public sector (governmental) entities.
o Positioning your company as a more attractive prospect if you want to sell the business. Being able to demonstrate compliance and best practices can serve to secure a higher price from a buyer.
Here's how SOX compliance and best practices can reduce overhead costs:
a) Internal controls are in place to standardize procedures. Having solid internal controls, policies, and procedures introduces a standardized approach to operations and administration. Good internal controls serve as an active deterrent to fraudulent activities, which can drain your company of money and materials.
b) Files are organized in a more efficient manner. SOX compliance and best practices help you to establish a more efficient system for managing files, databases, and other forms of information.
c) Whistleblower protection policy encourages early warning of waste, fraud, or abuse. This SOX requirement is probably the most effective method of detecting waste, fraud, and abuse—if you design a system that encourages reports of waste, fraud, and abuse.
d) IT systems are integrated, or in the process of being integrated, to sustain internal controls. Developing solid internal controls begins with ensuring that your IT system is designed to meet your company's size and needs. The money you spend to ensure that your IT framework will support the necessary internal controls is a solid investment for your company's growth and sustainability.
SOX Value Proposition—Why Now?
As businesses engage in compliance at higher levels, they "increase the value extracted from processes and key initiatives, regardless of the regulatory and auditing environment" (Jefferson Wells, 2005). The added value of SOX requirements and best practices centers on the review of processes on a companywide basis. Examining processes during compliance forces companies to consider how and why they are doing things. When processes overlap or are illogical, compliance activities call for more efficient methods and the elimination of unnecessary steps. More importantly, SOX compliance activities cause senior managers to think about how their companies are organized (Harrington, 2005).
"The evaluation process has led to improvements in basic internal controls such as reconciliations and segregation of duties. There were substantial improvements in the control environment that came about as a direct result of the process … companies have more confidence in their control structure and are evaluating accounting risks, which should enable investors to have more confidence in the reliability of unaudited data furnished to the securities market" (Hermanson, 2005).
OLD TOOL IN A NEW DIMENSION: COSO INTERNAL CONTROL–INTEGRATED FRAMEWORK
Fraud occurs as "the result of certain environmental, institutional, or individual forces and opportunities" (COSO, 1987). Examples of these forces that are applicable to small businesses include:
- Weak or nonexistent internal controls
- Weak ethical climate
- Desire to postpone dealing with financial difficulties
- Personal gain, such as additional compensation, promotion, escape from penalty for poor performance
- Unrealistic budget pressures, particularly for short-term results
- Absence of a board of directors or audit committee that properly oversees the financial reporting process
- Ineffective internal audit function
The Internal Control–Integrated Framework that emerged from this study is a tool for organizing and developing an effective internal control system. It breaks effective internal control into five interrelated components:
a) control environment,
b) risk assessment,
c) control activities,
d) information/communication, and
e) monitoring.
Control Environment
Control environment factors include:
- Integrity and ethical values. The owner and managers of the business model the company's integrity and ethical values. If you, as the owner, do not behave in an ethical manner, chances are, your managers and employees will not either.
- Attention and involvement of board of directors. Does your company have a board of directors? If so, its members need to be actively involved in setting the tone within the company.
- Commitment to competence. The business owner and management need to make a highly visible commitment to competence. This means that mediocrity and incompetence have to be rooted out. This might also mean that some people in the firm either will have to be reprimanded and put on probation, to curb their influence, or, if need be, terminated.
- Management philosophy and operating style. SOX requirements and best practices offer you, the business owner, and your management team an opportunity to upgrade your management philosophy and improve your operating style.
- Assignment of authority and responsibility. SOX requirements and best practices will make it easier for your company to comply with the law, as well as to step up to the responsibility you have as an owner or senior manager.
Risk Assessment
Every business faces a variety of external and internal risks that can threaten the achievement of its objectives. Risk assessment is the identification of those risks and their potential severity. Once the risks have been identified, the business can take steps to manage, eliminate, or mitigate their effects.
Obviously, before the business can assess and take the necessary steps to manage risks, the company objectives must first be established, both at the organizational level and at the activity or process level. The three broad categories of objectives are: operations, financial reporting, and compliance.
- Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss.
- Financial reporting objectives pertain to the proper preparation of reliable financial statements, including prevention of fraudulent financial reporting.
- Compliance objectives pertain to meeting the requirements of laws and regulations at the federal, state, and local levels.
Within the three broad categories of objectives, there are multiple levels of subobjectives, each with a narrower focus. For example, within the category of financial reporting are the subobjectives of proper preparation of the balance sheet, proper preparation of the statement of operations, and proper preparation of the statement of cash flows. Within the subobjective of proper preparation of the balance sheet is the sub-subobjective of accurate valuation of assets. At each level, the focus becomes more specific.
The level and type of risk varies among businesses, as each is unique in its design and structure. For example, a business that handles many cash transactions every day might face a more severe risk to operations objectives than a business that rarely handles cash. Or a business that has inadequate staffing in its accounting function might face a more severe risk to financial reporting objectives than a business that has an adequately staffed accounting department and provides extensive training for its employees.
Control Activities
Control activities are the policies, procedures, and processes that help ensure management directives are carried out properly and in a timely manner. They help ensure that necessary actions are taken to address risks to the achievement of the organizational objectives.
Control activities occur throughout the organization, at all levels, and in all functions and cover a diverse range, from approvals, authorizations, verifications, and reconciliations to reviews of operating performance, security of assets, and segregation of duties.
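Segregation of duties is the one control activity in the list above that can be checked mechanically against an access-control export, which is how an auditor will test it. The following is an added example and not part of the original article: a segregation-of-duties conflict check run over a constructed user-to-role export. The role names, the users, and the conflict matrix are illustrative assumptions, not any accounting package's real role set or any standard's published list.

```python
"""Segregation-of-duties (SoD) conflict check over a role-assignment export.

Added example, not from the original article. It assumes a hypothetical
export of user -> roles from an accounting or ERP system; the role names
and the conflict matrix below are illustrative, not any product's real ones.
"""
from itertools import combinations

# Constructed sample input: each user and the roles they hold.
ROLE_ASSIGNMENTS = {
    "alice": {"vendor_create", "ap_invoice_enter"},
    "bob":   {"ap_invoice_enter", "ap_payment_approve"},
    "carol": {"gl_journal_post", "gl_journal_approve"},
    "dave":  {"bank_reconcile"},
    "erin":  {"vendor_create", "ap_payment_approve", "bank_reconcile"},
}

# Conflict matrix: pairs of duties one person should not hold together,
# because holding both lets a single individual both commit a fraudulent
# transaction and conceal it. Illustrative, not a standard's list.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "ap_payment_approve"}):
        "create a vendor and approve payments to it",
    frozenset({"ap_invoice_enter", "ap_payment_approve"}):
        "enter an invoice and approve its payment",
    frozenset({"gl_journal_post", "gl_journal_approve"}):
        "post and approve the same journal entry",
    frozenset({"ap_payment_approve", "bank_reconcile"}):
        "approve payments and reconcile the bank account that funds them",
}


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: [(role_a, role_b, reason), ...]} for every user who
    holds at least one conflicting pair of roles. Users with no conflicts
    are omitted, so an empty dict means the export is clean."""
    findings = {}
    for user, roles in assignments.items():
        hits = []
        # Check every unordered pair of the user's roles against the matrix.
        for role_a, role_b in combinations(sorted(roles), 2):
            reason = conflicts.get(frozenset({role_a, role_b}))
            if reason:
                hits.append((role_a, role_b, reason))
        if hits:
            findings[user] = hits
    return findings


def users_with_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Sorted list of user names that fail the SoD check."""
    return sorted(find_sod_conflicts(assignments, conflicts))


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ROLE_ASSIGNMENTS).items():
        for role_a, role_b, reason in hits:
            print(f"{user}: holds {role_a} + {role_b} -> can {reason}")
```

Run against the sample, the check flags bob, carol, and erin (erin twice, since she can both create-and-pay a vendor and approve-and-reconcile). A small business that cannot staff enough people to eliminate every conflict should record the remaining ones and pair each with a compensating control, such as an independent monthly review of the transactions that user touched, rather than leave them unlisted.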
Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that enables the owner, managers, and employees to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across, and up the organization. Information, both internal and external, must be effectively communicated to management in a timely manner, to enable the board and senior management to make informed business and reporting decisions.
All personnel must be given a clear message from top management that information and communication responsibilities are to be taken seriously. They must also be given a means of communicating significant information up the corporate ladder.
Monitoring
Internal control systems need to have a monitoring process, one that assesses the quality of the system's performance over time. Monitoring is an ongoing activity, which leads to refinement of the internal control system. It occurs during the ordinary course of operations, and includes regular management and supervisory activities and other actions personnel take in performing their duties that assess the quality of internal control system performance.
The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported up the business hierarchy, with serious matters reported immediately to senior management and the board of directors.
In monitoring the internal control system, it must be stressed that it is not enough to evaluate the control activities component alone. The monitoring process itself needs to be evaluated, as do the control environment, the risk assessment component, and the information and communication component. A rating of the internal control system's effectiveness that is not based on all five components will misstate it, in either direction.
For more information: Sarbanes-Oxley IT Compliance, COSO, ERM, COBIT, IFRS, BASEL II, OMB's A-123, ASX 10, OECD Principles, Turnbull Guidance, Sarbanes-Oxley Act Section 404