Securities and Exchange Commission
100 F Street, NE,
Washington, DC 20549-1090
We would like to begin this communication by providing the Committee some background regarding our company and our efforts to comply with the Sarbanes-Oxley Act. Our company, a manufacturer of internet security appliances and provider of related security services, barely passed the early adopter revenue threshold, with 2005 revenues of just over $75 million. Although there have been some related benefits, costs to comply with the Sarbanes-Oxley Act have been significant. The company is in the process of being acquired by an investment fund which plans to take the company private. Reduction of compliance costs is one area where material efficiencies and cost savings are expected to be realized.
Our company designed its control framework in accordance with the COSO framework because 1) it is considered the standard in industry and 2) due to a lack of awareness of viable alternatives. Development of other frameworks may be helpful to see if there is a more efficient approach, although at this point we are focused on optimizing the efficiency of the COSO based approach, and would be hesitant to implement a different framework unless significant efficiencies could be readily gained.
Additional guidance to management on how to assess the effectiveness of a company’s internal controls over financial reporting would be useful, particularly if it addressed issues facing small public companies. Guidance reflecting the significant differences in rapidly growing versus mature companies would also be very helpful. Interpretive guidance would be particularly valuable, as it could then be applied and put into practice by both management and the independent auditor. Ideally the interpretive guidance would include examples or scenarios to aid in effective application to diverse specific situations.
Following are some areas where we expect further guidance to be most beneficial:
- Example(s) of what a top down, risk based approach might look like for a small company, along with examples of risk assessments and related key considerations.
- Interpretive guidance and/or examples regarding how strong entity level controls could help mitigate risks arising from less than perfect segregation of duties often present in small companies. In our experience, little reliance is placed on entity level controls. This lack of reliance on entity level controls has resulted in our organization focusing on improving segregation of duties and adding review procedures in our processes. This has created significant inefficiencies particularly in the IT area and has hurt productivity.
- Interpretive guidance regarding how entity level controls can be relied upon to reduce the need for and reliance on key controls at the process level. In smaller companies as opposed to large companies, top management is often much more involved in day to day management of the business simply due to both the scope of the business and the absence of multiple management tiers usually present in larger organizations. The risks of fraud and defalcation are different and guidance in that area would be helpful.
- Further guidance regarding the consideration of quantitative and qualitative factors when assessing risk at the organization, including the risk of management override. Further clarification on the propriety of process owner self-testing is one topic we would like to see addressed. We feel that in small companies, users can improve their process performance by testing their own areas. Process owners deepen their understanding of their controls and processes by doing their own testing, and the exercise is much more economical than hiring third party testers or cross training internal personnel. However, independent auditors rely less on such results because of a lack of independent test performance. We think user self-testing can be powerful in a small company environment. Additionally, if external auditors would share their significant control listing, risk assessment, etc. with clients, this would greatly help to streamline the process and maximize compliance efficiency for smaller companies.
- Examples of how management may document and rely on monitoring activities including cumulative knowledge of its experiences through daily interaction with its controls in its risk assessment process. In our experience, entity level controls have been identified independently from process level controls and affect process level evaluation primarily as mitigating controls when process level deficiencies are identified. Examples of how entity level controls impact the identification of process level controls would be helpful.
- Guidance regarding materiality used in assessing potential risks and evaluating the significance of control deficiencies, particularly in situations where the company has been incurring losses or is marginally profitable. This is one of the areas which we feel is adding most expense to SOX compliance. Because materiality thresholds are so low in smaller and breakeven companies, controls are required to be very comprehensive. External audit and internal company costs to develop, implement, document and test an excessively robust control framework, driven by an abnormally low materiality target, have resulted in unwarranted compliance costs for small public companies.
We appreciate the Commission reaching out to its stakeholders and giving us this opportunity to influence the development of further guidance. Again, we encourage the guidance to be as practical and specific as possible, to lessen the potential of interpretive differences between management and the outside auditors, in order to achieve efficiency in the compliance process while not compromising the overall objectives of the legislation.
Bradley E. Sparks