From: Cheryl Savage
In response to your request for comment on the following question: "Are there particular areas within the proposed interpretive guidance where further clarification is needed? If yes, what clarification is necessary?":
Yes. In COSOís new guidance for smaller public companies, an excellent point is made in their statement that earlier compliers failed to take enough credit for financial reporting controls that they already had in place. To a great extent, based on my experience with a number of first year compliers, this was due to auditorsí and SOX consultantsí conservative exceptions taken to managementsí claims that its controls were sufficiently evidenced. Processes with what seemed to me to be acceptable controls were required to be re-engineered, re-documented and re-tested, costing companies a significant percentage of their SOX related expenditures.
While some might claim that practically speaking this is too much of a gray area for you to address (inasmuch as the competency of evidential matter is subject to professional judgment), I firmly believe that this guidance needs to give management a negotiation basis for defense against excessively conservative auditor and SOX consultantsí evidential matter expectations and assertions.
In fact, the excessive costs associated with compliance seem to have occurred primarily due to conservative auditorsí and management SOX consultantsí interpretation of acceptable evidential matter. I.e., inasmuch as one would expect any competent non-negligent management team to employ processes capable of producing reasonably reliable financial statements, the ICFR documentation and monitoring costs would seem to be normal costs of doing business, and therefore not excessive).
However, many auditors examining managementís ICFR testing look for and expect to find contemporaneous direct evidence of control performance, such as signoffs and dating of approvals and reviews. It would be beneficial to specifically clarify that this is not always required.
For example, in testing a manual SOD control that provides that Warehouse Personnel (WP) physically receive all ordered shipments into the company from vendors, since the Purchasing Manager (PM) enters orders for requisitioned goods into the financial system and also enters receipts into the system based on the BOLs forwarded to the PM by the WP, must the WP sign and date the BOLs or is the fact that the shippersí BOLs are attached to the system receipts and related POs and requisitions in the PMís or Accounts Payable files, along with corroborative inquiry of WP, PM and Operations Management personnel, sufficient? (Compensating controls of daily margin reports to executive management and the BOD and reconciliation of monthly physical inventories to the G/L help to ensure that all BOLs are properly receipted into the system and that the related physical goods are not misappropriated.)
And, just as COSO's new guidance gave examples, it would be helpful if your guidance would too.
While it is certainly true that many public companies did not have acceptable ICFR (as evidenced by the high level of recent restatements), many companies do in fact have strong controls ensuring that the numbers they publish are fairly stated. I believe that smaller public companies will typically have relatively stronger financial reporting controls as their managementís are closer to the transaction processing (approving purchases, signing checks, reviewing sales and margins reports) and financial close and reporting processes (direct oversight of Balance Sheet reconciliations and budget to actual P&L analytics) than it is possible for top managers of larger companies to be. Whether smaller public companies can or should have to afford to evidence this to the extent that earlier compliers have been made to is another thing. Clarify that for them, and for all issuers, and you will significantly alleviate the SOX excessive cost problem.
To the extent that this is clarified, compliance costs should in fact be negligible--at least for the more competent management teams. The ICFR expenditures that they do make will be investments in more consistent processes which can be more effectively and efficiently monitored and that will therefore create more timely and reliable management information as well as enhance their companies' access to capital markets. And making the regulation implementation more reasonable than it has been in this regard should make the US markets more attractive for IPOs and to sophisticated investors.