Responses to ACSPC Request for Public Input

SOX Section 404/Internal Controls

Question 10. In developing a "risk-based" approach for assessing and auditing internal control over financial reporting for smaller companies under SOX Section 404, what criteria would you use to categorize internal controls from the highest risk to the lowest risk controls?

The following answers have been received:

08/02/2005 17:44:12   Risk of loss or fraud would be high

08/02/2005 23:36:32   Financial statements must be accurate for all companies.

08/03/2005 01:39:17   This is a naive process designed in an academic manner. We have been forced to identify 2,500 controls for a company with only 12 - 15 job categories. To measure the risks involved (700 in our case), categorize them and design and document that many controls is completely unmanageable. That is 200 controls per job type. This is an auditor's dream, but just a dream. It is not function, practical or useful.

08/03/2005 07:01:34   n/a

08/03/2005 08:55:04   Accurate financial accounting with proper checks and balances the highest. Do not have a lowest, they all are very important.

08/03/2005 10:40:26   The same criteria we have always use; lending is the greatest risk! Now however, we have to have internal controls for everything including who checks whose computation regarding the most recent pencil order. Although this seems ridiculos, a control system has to be set up.

08/03/2005 11:03:25   Basically how the control affects the financial statements. Does the control have a material affect on a material balance.

08/03/2005 15:01:40   I like the old Coopers & Lybrand approach of documenting accounting control systems via flowchart and then referencing the flowchart steps to predefined internal control questionaires. If no answers are obtained on the questionaires then they must be referenced to a "Record of Control Weaknesses" or explained away as immaterial or a compensating control exists. Items on the "Record of Control Weaknesses" must be remediated and reported to management and the Board of Directors for correction. The systems are then audited and the audit steps are referenced to the internal control questionaires. Financial reports are then audited based on the results of these tests.

08/03/2005 15:22:49   Our managaement team is currently working on this risk assessment.

08/03/2005 16:58:51   what controls are necessary to minimize risk of material mistatement. Entity level controls seem to be the highest importance. For us, top level monthy reviews can identify most material differences. Activity level controls, while important, can be detected with the high level review and coporate controls. If auditors don't buy into this concept, we'll need to document and test just as much as the larger companies.

08/03/2005 18:01:35   Please look into item no 29

08/03/2005 18:30:29   x

08/03/2005 19:54:33   I have no opinion on this question.

08/03/2005 19:55:50   INTEGRITY!

08/04/2005 09:17:19   From a financial institution point of view, highest risk to the bank is going to be that instance where the bank has a transaction that costs the customer and itself alot of money. So the answer is in the area of transactional risk.

08/04/2005 09:37:56   this is beyong most small companies and is really perfunctory at best - talk with any auditor about how real a small company with be able to manage such requirements. Window dressing

08/04/2005 09:39:15   The quality of the control environment should have the biggest impact on risk. Small companies are much more influenced by senior management than larger companies.

08/04/2005 10:40:16   We started at the major/material financial statement line items and are working down.

08/04/2005 12:09:05   Exposure to loss. In our business, a teller can steal $50,000 and it will be embarrassing, but have little to no impact on our shareholders. The lending area, or the risk matrix on credit quality of the loan portfolio, can have a major impact on our shareholders. Fixed assets? For our business the risk of loss is minimal. No one steals a building where the majority of our dollars are invested.

08/04/2005 13:38:24   Legal and reputation risk would probably be the highest risk.

08/04/2005 14:20:27   I will have our CFO give his opinion here.

08/04/2005 18:05:44   Make sure management is held responsible for the financial statements.

08/05/2005 12:44:28   I don't think this applies yet to a foreign issuer, does it?

08/05/2005 15:34:53   Being a bank we already had internal controls. Our risk approach is two-fold, dollar and volume. The higher the ratings in each of those category, the more internal controls factors were considered in auditing and review processes.

08/05/2005 15:43:46   Highest risk: Added cost of new personnel with added expertise to replace skills former obtained from the accounting firm but lost because of independence rules. (Sound trite but true, In highly automated operations of smaller banks the "judgement and advise" of CPAs in councultaation with management helped to mitigate a number of FR risks. Lowest risks: IT controls because most IT controls are in systems from widely recognized service organization tested repeatedly in the market and through third party reviews. Tests or user responsibilities are resonably straight forward.

08/05/2005 16:45:38   I am not a risk auditor or assessor, but the highest risk items are those that are certified by executives and given to the public as accurate data. Those numbers have to be accurate, or there will be a problem in the market. What I have witnessed during the last few years has included "sandbagging", the practice of stretching sales over quarters to make the numbers appear less cyclical, or holding back sales to the next quarter to build up the next quarter report. There was once mention of not mentioning an earnings surprise, as it would boost a quarterly profit report for the most historically unprofitable quarter and other inappropriate actions, yet these were often dismissed as being "common practice." That is not acceptable. Personally, anything that makes reporting, auditing and assessing financial data a risk is a high-priority item for financial integrity.

08/05/2005 19:33:08   I would have very limited risk assesments for small companies. Mainly related to those issues that could have a significant impact on the business. Small companies will always have a risk associated with a shortage of personel.

08/06/2005 13:52:06   Look first a effect on financial reporting, then risk of error.

08/08/2005 11:10:11   the basics - segregation of duties; amount of direct management oversight, supervison, and review; inherent risk of error within each area - auditors already assess control risk to plan an audit, let auditors issue a report based on that assessment for small companies.

08/08/2005 11:39:29   Size as it relates to either a % of the balance sheet or income statement is important. Also the liquidity of the asset/liability involved (cash versus a desk).

08/08/2005 14:06:10   The criteria is simple. Test those controls that would have a direct and material impact on the financial reporting activities of the enterprise. The first place to start is with management, the so called tone at the top. That is the single most important area of control because management can override any other financial control if they want to. Secondly you would look to the significant balance sheet and income statement account balances that could become the subject of finanical fraud. Items such as receivables, inventory, payables, accruals should all be ranked or classified as being to their relative significance. Do not test areas where the risk of misstatement that is significant to the financial statements is small. Generally speaking, items such as cash and fixed assets usually are not areas where frauds would surface. I think one of the biggest problems in implementation of SOX 404 is using the COSO framework as the template for achieving compliance. COSO is onerous at best and those responsible for telling management what has to be done to achieve compliance have interpreted the COSO framework as dogma with little or no wiggle room. It has been reported that one of the areas of overkill noted in the early filers of SOX was the area of information technology. One needs to sit back and look at the IT infrastructure and assess the risk of financial statement misstatement that could arise out of the existing IT infrastructure, but take into consideration other compensating controls that are outside the IT infrastructure(such reconciliations of account detail to the G/L). An IT review under the COSO framework may well disclose areas of improvement that could be made to enhance the company's delivery of service etc,. Those items may only have a tangential impact on financial reporting, yet under the COSO framework, IT reviews under SOX devote signifcant resouces to these issues.

08/08/2005 15:43:24   Entity level controls Financial reporting controls Competency of management and financial management Changes in internal controls

08/08/2005 21:39:10   We believe that the current system of having external auditors review quarterly reports and perform a full audit at year end is sufficient to eliminate most risks. Operations of smaller companies are usually straight-forward and either bank statement reconciliation or cash-flow analysis is sufficient to highlight any potential irregularities.

08/09/2005 09:30:31   Highest to lowest controls: Data processing controls, management, adequacy of internal & external oversight functions, asset quality.

08/09/2005 16:26:34   I'm not sure I understand the question...our risk based approach is based upon the potential error and the magnatude of an error in either the income statement or the balance sheet. We then examine our controls to evaluate the resultant "adjusted" risk.

08/09/2005 17:25:10   COSO framework based. I would look at major business cycles, account balances and controls over them.

08/10/2005 09:04:41   no comment

08/10/2005 16:00:18   Ask the Federal Reserve, the FDIC, the compliance examiners, the state examiners, the audit firms, etc., etc., all of whom are looking at our internal controls on a regular basis. We now have regulators or auditors of one type or another in our bank most of the time. Do we really need MORE regulation????????????

08/10/2005 17:18:15   Significance of account; inherent risk of the account;

08/10/2005 22:09:27   Don't understand the question

08/11/2005 08:35:22   External auditors 'bucket'risk by account value. This is a simple minded, easily defendable but incorrect approach. The assessment should be based on qualitative factors relating to the level of judgement employed to develop a value. For example, "Loans held for Sale" has a 'higher level of judgement' than FHLB loans. The process employed to determine 'held for sale' is more subjective and prone to be a higher risk. A second criteria should be an evaluation of the process relative to the potential for fraud.

08/11/2005 20:27:22   I would use a common sense approach vs the PCAOB's approach that any perceived weakness is a significant deficiency or maybe even a material weakness.

08/12/2005 13:12:10   No opinion.

08/12/2005 14:46:45   Potential impact on finanical earnings and legal action.

08/12/2005 16:35:01   1. Cash collections/accounts receivable 2. Cash disbursements/accounts payable We are a very basic business yet still subject to SOX

08/13/2005 12:39:43   Control Environment Control Activities Information and Communication Monitoring

08/15/2005 14:27:30   The same factors that support all risk analysis: (1) the probability that a problem exists; and (2) the likely impact of the problem if it does exist.

08/15/2005 14:33:20   In banking, it is all about cash and who has access.

08/15/2005 15:10:05   Impact via factors of: account balance(s), Activity - Absolute Value of Debits and Credits $(000), Average Transaction $$, Transaction Volume, Transaction Metric. Also, Likelihood via factors of: Multiple Data Sources or Handoffs?, Process New or Changed This Year?, Frequent Adjustments?, Use of Estimates?, Valuation Issues?, GAAP Issues?, Comments -Likelihood

08/15/2005 15:13:01   Smaller companies are typically driven by cash. Accordingly this is the riskies area for these companies. Signed timesheets are not. As such, I think that the approach should focus on the number one risk and work down from there. For all other areas, the focus should be on how that control affects the number one risk (i.e. cash). This will/should reduce the audit and the company's internal time significantly.

08/15/2005 15:14:45   Percentage of balance sheet assets and liabilities and income and expense reflected on the consolidated statements.

08/15/2005 16:33:43   Management estimation is the highest- routine processes is the lowest.

08/15/2005 18:59:52   As I work with small businesses, I have not fully worked through the 404 implictions.

08/16/2005 09:51:21   Top three would be (i) controls around cash collection and disbursement. (ii) Controls around month end, quarter end and year end (particularly reserves) and (iii)IT controls regarding data integrity.

08/16/2005 10:13:05   For a small Company, internal controls at the transaction level are much LESS important than corporate governance and entity level controls ("tone at the top" controls).

08/16/2005 10:21:17   Need to stay focused on material risks to financial reporting. SOX has drifted into other areas, or focused on immaterial risks.

08/16/2005 10:26:28   criteria agreed by our Board

08/16/2005 10:27:48   It is obvious based on the length and breadth of the remaining questions that this survey is just like the legislation............you wear the participants out. Based upon the length and breadth of this survey, one can conclude that this survey is just as self serving and self justifing as the legislation. To heck with the time and effort the respondent has to devote to the process! It appears to be more about the process than it is about supporting and providing good direction to public comopanies. Long winded surveys may be appropriate for large multi-dimensional companies....but, not for small companies that I thought this survey was trying to address....We have got to get back to work....there is no-one else to do our job...This survey is the perfect metaphor of what SOX is doing to us!....

08/16/2005 10:42:02   Not enough time to answer that one...

08/16/2005 10:44:16   Review all business processes, identifying those with significant or critical risks. Identify the risks and controls, document the process, address weaknesses and mitigating controls. concentrate on areas of highest risk also addressing other processes impacting financial statement info.

08/16/2005 11:18:54   No opinion at this point

08/16/2005 11:52:16   System over rides Purchasing

08/16/2005 12:14:10   No comment

08/16/2005 12:42:56   Despite claims to the contrary by the Big4, we are effectively forced to declare risks as our accountants mandate. We have no significant input in this process, so it's silly to ask us.

08/16/2005 13:04:14   Both the probability of loss and the amount of potential loss.

08/16/2005 13:12:04   The highest risk area is revenue accounting/recording of revenue.

08/16/2005 13:19:29   In my opinion, this is one of the worst problems with SOX as it stands. How to categorize this lies not in the hands of our company or the SEC, but in the hands of our CPAs, who are by nature going to erro on the side of being excessivly cautious right now to avoid the potential of being the next Arthur Anderson. No one knows our risks better than we do, yet a third party that comes on site for two or three weeks a year has all the power to tell us that lower level risk items require treatment as high risk areas, and we have no ability to argue the point because

08/16/2005 13:20:23   We base our control risk assessment on the following: - potential impact upon financial statements - complexity of the process - volume of transactions - degree of centralization of process and - inherent risk of the process

08/16/2005 13:25:32   What is the area most likely to create a material misstatement in the financial statements? If not very likely to create a material misstatement, then do not assess or test. The debacles that caused the overreaction called SOX were generally not because of failed internal control systems, but because of collusion, management override and fraud. Those were illegal before, and the convictions and pleas currently in the news are on pre-SOX law.

08/16/2005 13:27:00   Impact on reported financial results.

08/16/2005 13:30:33   We rated accounts according to 9 factors which included, in order of importance: Size, Susceptibility to loss due to error or fraud, Volume of activity or complexity, Subjectivity, Accounting and Reporting Complexities, Related Party Transactions, Exposure to losses, Likelihood of significant contingent liabilities, Changes in account characteristics from the prior year.

08/16/2005 14:08:05   Material misstatment of the financials which would result in period differences seems to be the focus of most auditors.

08/16/2005 14:23:10   The "risk-based" approach for assessing and auditing internal controls needs to apply judgement. The current environment is focused on "Evidence" for the re-audit by the PCAOB, the Accounting Firms National Office, or the class action lawyers. The aggregation of the absolute value of errors or exposures is not a "risk-based" approach but it certainly protects the auditors from negative comments. A potential SOLUTION for the delima is for the PCAOB to take direct responsibility for the audits. Public companies could pay a tax to the PCAOB for the audit. The PCAOB then could do the auidt directly or engage the audit firms. This change would take the PCAOB from a role of second guessing to being responsible. There would be a budget. Currently the audit firms have a blank check for the audit fee with no budget. There is not connection between the value or risk protection vs. an audit fee that is only limited by the number of hours the public accounting firms can bill.

08/16/2005 15:15:12   A difficult question to answer. I believe that internal controls need to be audited for only the largest most volitile accounts. Only those transaction or account that are material to the total statement need by audited. The definition of material would have to be determined, but it should be a significantly large percentage of the total capitalization of the company.

08/16/2005 16:09:47   Public accounting firms has consistently shown a complete inability to accurately assess risk. The evidence of this inability is shown in all of the audit failures (well publicized and otherwise). So a risk based approach will likely lead to one of two extremes. Either the auditors will assume everything to be low risk or nothing to be low risk. In either case it will not be an improvement.

08/16/2005 16:16:04   Should not apply to smaller companies under a certain market cap.

08/16/2005 16:45:09   The risk of errors, the probability of an error in the income statement as measured by dollar value of the error on pre-tax income.

08/16/2005 18:35:41   1. Susceptibility to judgment (e.g. % of completion profit recognition, warranty reserves in a muffler company, loan loss reserves in a finance company or bank) 2. Dollar significance as a % of sales and profits.

08/17/2005 12:28:22   Size, change in operating environment (e.g. management, declining metrics), foreign or domestic, date of last visit.

08/17/2005 12:36:00   Knowing that these internal control efforts come from the Enron and Tyco-type situations, I can't begin to fathom how such lack of controls could exist in a smalller company. Therefore, SOX swings a club at many issues that just don't make sense to us--they may be potential risks and may be devastating if they occurred, but their likelihood is so limited that they are not worth the effort. When you consider a situation and conclude that the only way it could occur would be for widespread dishonesty across a large proportion of your company, and complicity with extrenal auditors, I don't see that as a logical risk. That leaves us with operational risks, fraud risks, mistaken reporting--while all serious, none are likely to have a material long-term impact on the company. We're left with concerns regarding fraud

08/17/2005 12:48:33   Competent people.

08/17/2005 16:18:39   Highest risk would be controls which, if absent or ineffective, could result in a material misstatement of revenue or expense. Lowest risk would be controls which, if absent or ineffective, would not likely result in a material misstatement of revenue or expense.

08/17/2005 18:49:20   A 'risk-based" approach is inherent in auditing in general. As it relates to SOX, one of the lessons learned from 2004 was that too many controls were documented and tested but that learning curve has already taken place. In smaller public companies, material misstatements of financials occurs at a lower absolute dollar level simply based on the size of the company. This coupled with generally less well controlled processes in smaller companies actually makes for a generally higher risk profle for smaller companies. As the external auditors have to opine on controls, and most processes are signficant, the criteria for risk needs to be based on a comprehensive "what could go wrong" analysis coupled with the significance of the transaction dollars (either in the aggregate or at a point in time) to the financial statements.

08/17/2005 18:49:27   materiality to the income statement and balance sheet

08/17/2005 19:31:08   Chance of fraud Chance of mistakes ??

08/17/2005 21:27:12   I think the 404 approach to the risk assesment is fine. It should be based solely on evaluation and assesment of risk on balance sheet and income statement accounts. The 404 approach to the overall control environment is useless for smaller companies.

08/17/2005 22:55:14   I believe the auditing profession needs specific guidance from regulators, especially the PCAOB, regarding what a risk-based approach should entail. One way to measure risk is to review restatements from small, public companies and categorize the underlying cause of the restatements. I would expect revenue recognition to be an area of high risk at small companies and fixed assets or payroll to be relatively low risk, for example. Currently, the auditors appear to be implementing a "no-risk" approach to SOX 404.

08/18/2005 08:03:31   To install simple check points for detection of fraud.

08/19/2005 02:56:12   Business Risk Risk of non-public non-contolled joint ventures having poor controls and putting large investment balances at risk. An over emphaisis on systems and too low an emphsis on audit committee and board effectivness.

08/19/2005 11:44:44   Financial items that are based primarily on management's assertions for its value should have the highest risk assigned. Next would be revenue recognition issues.

08/19/2005 12:28:03   I don't beleive that there is going to be any one criteria that will fit all "small" businesses.

08/19/2005 13:49:01   The criteria used to make a risk-based assessment regarding internal controls over financial reporting (ICFR) would be based on a review of the financial statements and accounts and by determining those areas, a) that represent the most material factors on the company´s financial statements, and b) that have the greatest probability of an error occurring that would cause an error of a material nature to be reflected in the financial statements. This assessment would be made based on knowledge of the company, the processes and associated controls, and the size and nature of transactions that are processed therein. The ‘key´ controls surrounding these areas would be noted and tested as part of this approach.

08/19/2005 14:40:28   Impact and probability. Impact based on materiality limits that should be slightly more lenient than larger companies. (i.e. consider 5% materiality rather than 1 - 3%) While still focusing on the most financially risky items, it would ease the workload burden at smaller public companies with more breathing room. This would allow the management to really focus on the important controls. From a probability standpoint I would recommend the the FAS 5 criteria. I would also suggest a third component -- work effort. Many remediation efforts will take several man-months to implement. Consideration to the level of effort expended to date to tighten these controls should be given. For example: If a control is 80% effective and 50% of the effort have been expended, and a clear management implementation plan is established with monitoring of current and future progress, is this a significant deficiency?

08/21/2005 03:34:34   I think the internal control did not add much to weighing correctly the risks invoved in a certain company.

08/21/2005 22:19:50   The quantitative effect of noncompliance.

08/22/2005 14:21:23   I will ask our CFO to respond separately to this section

08/22/2005 15:47:02   From my own knowledge of the business. As a contract manufacturer, inventory management is always a key risk area. If a customer cancels an order, the raw materials can not be used on other products. So the risk of obsolescence is very high.

08/22/2005 15:47:34   Relative size and complexity of the account and associated disclosure. Degree of automation Personnel Type of asset

08/22/2005 17:54:28   The normal business ranking for an internal process would focus on those which are economically important to running the business. Because of the heavy emphasis of SOX on sanctions and penalties, the ranking will shift toward those things which cause most legal, not economic, risk.

08/22/2005 17:56:59   Revenue recognition for us is the key, btu there are already clearly disclosed rules regarding this. Other than that for our company the expense side is very clear and uncomplicated.

08/22/2005 19:27:18   I thinik I would start with compensating controls and entity level controls. If a detail reveiw is performed, several individual transactions may fail to be controlled without impacting the overall statements, but SOX seems geared to testing at a detail level.

08/22/2005 20:10:17   Don't know

08/23/2005 00:42:38   based on inherent risk. judgement should be used and differences in opinion should be accepted unless egregious.

08/23/2005 15:56:30   I would give weight to CFO and CEO active involvement in day-to-day accounting decisions. I would also assess risk based upon accounting centralization.

08/23/2005 16:49:34   The accuracy of all financials is critical and would take top priority followed by reliable auditing by external auditors.

08/23/2005 21:11:03   Identify and standardize controls around the financial systems and ONLY those ancillary systems/transactions that DIRECTLY impact financial reporting integrity. At present the scope of the internal control frameworks, even a "risk based" approach is at the whim of the external auditor and is without any sense of standardization.

08/24/2005 08:50:18   Very easy - focus on controls over management and the executives (look where all of the fraud occurred); focus on potential for overrides in the financial/accounting system; controls over estimates; and adequate rev. rec. controls.

08/24/2005 10:14:02   1.Annual Revenue catagories (< $10 million should be exempt from all but very basic and prudent internal controls to detect and prevent fraud. Basic independent auditing practices are already in place at this level to provide necessary compliance assurance.

08/24/2005 12:24:07   Materiality Actual mistatements, not potential mistatements

08/24/2005 14:30:13   Determine those controls that are considered "key" are the highest risk. If those controls are not followed, there could be a material mistake or significant issue. Then there are lower risk controls such as a signature and date on certain documents such as a reconciliation which are just a formality that if someone didn't sign the reconciliation, it won't create a material error.

08/24/2005 16:19:27   1. complexity of accounting issues involved. e.g. derivatives would be high risk. 2. Client and auditor judgement- these people are smart enough to determine where risk is.

08/24/2005 16:26:56   No opinion.

08/24/2005 16:54:47   Most important is integrity of management, years of service, track record in prior companies, etc

08/25/2005 15:23:41   Would categorize higher risk controls as those areas of Management judgement or estimation, areas that are scrutinized by the external auditors, higher volume of transaction accounts, or significant accounts (based on a % of revenues or total assets).

08/25/2005 16:04:36   We recommend our proprietary SOXlite methodology for a risk-based, streamlined approach to SOX 404 compliance.

08/25/2005 16:26:29   Look at the types of users of the financial statements, teh size of the company, whether it is public debt or equity.

08/25/2005 17:02:43   A risk based approach would be fine; however, the "potential" materiality of an account to result in an error is likely too stringent of a criteria.

08/26/2005 12:41:42   I would follow the money.

08/26/2005 13:07:22   It will be based on dollar size and activity.

08/26/2005 15:31:29   Materiality

08/26/2005 16:22:08   Finanical statement balance, ability to cause a restatement

08/27/2005 11:21:03   First of all, whether material adjustments in the financials would even matter to investors - the original SEC test for materiality. Where such wouldn't, then no testing should be required (virtually all companies that have never had earnings from operations). Quantitative assessments for these companies are meaningless. All stock trading is speculation based on forecasted needs for the service or product being offered, not whether the company can manage growth.

08/28/2005 23:37:43   Financial accounting, recording of sales, cost of sales, and inventory valuation

08/29/2005 10:21:15   We would judgmentally consider their inherent risk of error due to complexity of the process (i.e., which would give much more weight to non-routine and estimation processes) as well as consider the qualifications of people involved in various processes and the amount of IT involvement (which would limit human error and therefore risk barring override capabilities). We would also give significant weight in our small environment to entity level controls over process level controls given management´s heavy involvement in day-to-day activities. We believe entity-level controls are much more important to providing materially accurate financial reporting results given the ethical tone set, as can obviously be seen with the lack thereof in the high-profile accounting and reporting issues such as Enron and Worldcom. These problems were not caused by failures of routine processes but by high-level fraud driven by management. In general, very few if any large-scale accounting issues material to investors in the capital markets have been caused, at least to our knowledge, by lapses in routine, and to an extent non-routine, process controls, which are bound to happen occasionally any time humans are involved. Why then should we focus significant time and expense in proving the viability of such controls that when and if they fail generally cause no significant issues to investors?

08/29/2005 10:21:25   We would judgmentally consider their inherent risk of error due to complexity of the process (i.e., which would give much more weight to non-routine and estimation processes) as well as consider the qualifications of people involved in various processes and the amount of IT involvement (which would limit human error and therefore risk barring override capabilities). We would also give significant weight in our small environment to entity level controls over process level controls given management´s heavy involvement in day-to-day activities. We believe entity-level controls are much more important to providing materially accurate financial reporting results given the ethical tone set, as can obviously be seen with the lack thereof in the high-profile accounting and reporting issues such as Enron and Worldcom. These problems were not caused by failures of routine processes but by high-level fraud driven by management. In general, very few if any large-scale accounting issues material to investors in the capital markets have been caused, at least to our knowledge, by lapses in routine, and to an extent non-routine, process controls, which are bound to happen occasionally any time humans are involved. Why then should we focus significant time and expense in proving the viability of such controls that when and if they fail generally cause no significant issues to investors?

08/29/2005 11:21:29   I would ask how much of an impact it has on the financial statements. I would also focus on key controls of an area

08/29/2005 14:18:47   I have no impression to share on this question.

08/29/2005 15:31:21   We have used the materiality of the business process to the overall financial picture of the Bank. For example, Loans and Investments are our most quantitatively material assets, thus the internal controls in this area are deemed the highest risk and most important.

08/29/2005 16:10:53   We are a bank holding company and are required by our regulators to have these policies in place. So now we are checking the checkers who checked the checks to be sure that the checkers didn't miss something! When is enough-----enough. When we are unable to provide a return that would cause people to invest?

08/29/2005 16:20:53   The highest risk would be to those items that could significantly impact capital or earnings in a significant manner.

08/29/2005 17:12:26   effect on possibility of a material misstatement of financial statements would go undetected.

08/29/2005 17:12:43   I think that companies with complicated inter-company arrangements, complex structures, and complex products (energy, telecom, etc...) should be assessed a higher risk level. Companies who trade at a much higher multiple than their peer group are also more risky of managing earnings.

08/29/2005 17:36:32   Unable to comment

08/29/2005 19:02:32   Maybe I don't totally understand this question. We have internally questioned our controls in different ares. We have dissected them and in only a few areas made changes. I think that internal controls are a loe priority for us.

08/29/2005 19:05:24   We would suggest the criteria to categorize risk be based on a historical analysis of the cause of significant and catastrophic accounting failures. We believe that nearly all such accounting failures are the result of a breakdown in tone at the top; few, if any, such accounting failures are the result of inadequate transactional processing controls or non-executive fraud. Therefore, the internal control evaluation and testing should primarily focus on tone at the top control issues.

08/29/2005 21:00:01   I think it is highly dependent upon the industry as well as being a small company. I have seen small companies that are multi-location that have several risks. The approach to a multi-location would be very different than from a biotech company. The risks I face at a biotech company stem from safeguarding cash. Analysts and investors are concerned with cash burn - not EPS. This is not true for a small manufacturing company. A biotech company's largest risk is on product development - therefore market analysis, cost to devleop, cost allocations, etc are extremely important from a decision making process, which is not always transparent to an investor. In a biotech company, the majority of my expense base is employee costs and clinical trial costs. The controls over these two functions are the most important from an expense basis and materiality isn't necessarily a function of loss, but rather a percent of cash burn. Therefore I think the risk based approach should focus on the industry or type of business and then drill down from there.

08/30/2005 15:04:16   The controls of balance sheet accounts with high level of inherent risk present the highest risk.

08/30/2005 15:07:00   Significance of accounts & likelihood of problems

08/30/2005 17:08:46   We would consider the highest risk internal controls to be those that protect areas with the highest probability of material error occurring and not being detected timely internally.

08/30/2005 18:26:14   Accounts for smaller companies should be evaluated as to their significance based on the percent each represents of total revenues or total assets. Key internal controls relating to each account can then be categorized from the highest to the lowest risk based on these percentages. Strong entity level and computer controls would decrease the risk of related lower level controls.

08/30/2005 18:48:02   N/A -- Really need a CPA to answer this one. The American Institute of Certified Public Accountants (AICPA) has resources where companies can obtain additional information on risk assessments.

08/30/2005 19:47:16   The criteria should focus on the likelihood of causing a misstatement in the financial statements. For smaller companies, SOX should focus on entity level controls only.

08/30/2005 21:07:56   HIgh: materiality, segregation of duties, proper reviews

08/30/2005 21:39:41   The criteria used should be focused around reporting and disclosure controls.

08/30/2005 23:57:28   Size

08/31/2005 08:31:59   Materiality and complexity of operations.

08/31/2005 10:19:14   The risk of employee fraud (ie. taking money), the dollars associated with the control area.

08/31/2005 10:21:37   Materiality, % of assets or % of revenue.

08/31/2005 14:00:16   The problem with SOX 404 is that it doesn't eliminate the issue for which it was created. SOX was enacted as a reaction to the corporate scandals of Enron, MCI Worldcom, etc. However, most people will admit that, if SOX had been in place years before, the Enron scandal would have still happened. It that's the case, what are we accomplishing by spending huge amounts of money to focus so much on the formalities of SOX that we forget (or don't have time) to run our businesses? Isn't that a direct contrast from the SEC's mission, which is to protect investors? Seems to me that we're actually exposing our investors to greater risk because we as management have taken our eyes off of the road in order to design and draw a map! Following that cycle further, the increase in costs incurred puts more pressure on CEO's and other management to "meet the numbers" because the market so severly penalizes companies for missing the expected mark on the short-term quarterly results. Management and the market should focus on long-term results. The impact of 404 clearly contributes to the short-term focus that puts pressure on CEO's to do whatever it takes to achieve the expected results. Finally, it is my opinion that ethics and integrity can not be regulated or mandated. These rules and compliance requirements don't stop the crooks from being crooks. They will not be deterred simply because their company's internal control system must be documented and assessed. So, the people who SOX is aimed toward to regulate are still going to get around the system. And the companies that have the integrity in place already are paying the price. The good guys are losing here.

08/31/2005 14:12:37   We believe the key factors in evaluating high vs. low risk controls should be the level of management judgment or estimate involved in the underlying account or process, the history of errors and control maturity of the account or process and the materiality of the account or process. Each of these factors must be considered together, not individually. For example, a control is not high risk simply because it relates to a material balance (such as payroll expense) if that process has little or no management estimates and a history of few errors. Similarly, a control is not high risk simply because it relates to estimates and the related controls are immature if the underlying account is insignificant. Ultimately, the highest risk controls should be those that relate to accounts or processes that are of most concern to the CEO, CFO, Audit Committee and audit partner.

08/31/2005 14:25:37   In banking our internal controls are assigned on an ongoing basis. Those controls are reviewed by our auditor on a regular basis. They are examined annually by our outside audit firm. They are examined every 12 - 18 months by state or federal bank examiners.

08/31/2005 15:19:27   Fraud Balances that are subject to judgement Financial Statement Error

08/31/2005 16:05:33   Amount of loss to the company.

08/31/2005 16:13:45   The highest risk to misstatement and magnitude.

08/31/2005 16:16:33   10. Smaller companies have certain riskier areas from an internal control point of view when compared to larger companies. Our company has consolidated various smaller companies into our SOX compliance program. The primary issues are control gaps associated with most small companies. This includes segregation of duties, lack of formal procedures, and a “small company” corporate culture. We have standard templates that we use for incorporating all new acquisitions into our SOX program. The risk criteria we use for these companies include whether financial statement accounts require judgment or have a material balance. Higher risk process areas always include the overall control environment, financial statement preparation and revenue recognition.

08/31/2005 16:29:59   Level of management involvement

08/31/2005 17:16:33   I think the external auditors need to help smaller companies identify the areas of risk. Guidelines should be developed so the Auditors aren't inventing things as they go along. Smaller companies particularly ones with simple business models shold be able to rank risk easily.

08/31/2005 18:22:30   We would assess the risk of controls based on the inherent risk of the area involved, the risk of fraud in the area, any risks identified based on analytical testing, and the impact of entity-level controls on the area.

08/31/2005 18:23:08   Nature of the account (estimates), complexity of the transactions, size of potential errors, and susceptibility to loss/fraud. If materiality based on net income is a factor for determining risk, then additional burden is placed on smaller companies because more (disproportionate number) almost all accounts become in scope because there is not enough scale to scope accounts out.

08/31/2005 19:16:05   10. There is no set formula for assessing internal controls. Every company´s needs will vary by the stage of development and industry they are in. In addition, a small company´s risks will be subject to numerous and frequent change as they commercialize products, build new plants, take on new financing, acquire new operations, etc. For small companies internal controls will probably need to be created and enacted in a more rapid fashion than the current regulatory process can approve and monitor.

08/31/2005 20:55:07   Internal controls have existed for many years and larger companies have internal control groups to monitor them. Smaller companies adapt from these controls to ensure accounting and reporting integrity. The auditors should test the controls where necessary over time to satisfy their commentary with repect to the adequacy of the internal controls.

09/01/2005 00:55:31   Impact on financial reporting and control environment, as well as, amount of subjectivity in siognificant account

09/01/2005 11:40:19   medium

09/01/2005 14:30:54   Dollar magnitude of account balance, complexity of transactions, segregation of duties and extent of upper management oversight.

09/01/2005 17:12:34   Risk of fraud and risk of material misstatement.

09/04/2005 07:42:16   N/A

Previous Question

All Survey Questions

Main Survey Responses

Next Question

http://www.sec.gov/info/smallbus/acspc/acspc_rpc10.htm