U.S. Securities & Exchange Commission

Responses to ACSPC Request for Public Input

SOX Section 404/Internal Controls

Question 11. Do you believe that at least some SOX Section 404 internal controls for smaller companies can be appropriately assessed less often than every year? If so, what SOX Section 404 internal controls do you think need to be assessed by management every year?

a) What controls do you think need to be assessed at least every two years?

b) What controls do you think could be assessed only once every three years?

The following answers have been received:

08/02/2005 13:57:44   Yes, much less often. And for some smaller companies, like small bank holding companies that are regulated and examined by federal banking agencies, 404 controls are generally duplicative and wasteful.

08/02/2005 17:44:12   Loss and fraud
a) Outside vendors

08/03/2005 01:39:17   Modifying this process by tinkering with the timing of, in our case 2,500 controls, is not the answer. This entire process is terribly flawed in concept. A company cannot manage with this many controls. The number has to be cut dramatically. The so-called "key controls" have to be reduced to a very few.
a) Again, I do not think tinkering with the audit in this manner is the answer. I'd prefer to make the entire process either voluntary or to have companies that choose to not comply, trade in a different category. I am very confident the tremendous expense of this audit can be better invested in business development.
b) Not the answer.

08/03/2005 07:01:34   n/a
a) don't know
b) don't know

08/03/2005 08:58:39   We are already regulated. SOX should be for unregulated companies.

08/03/2005 10:40:26   The high risk areas have been assessed every year by external loan review personnel, external auditors, internal auditors, and regulators. This should and will continue to be the process.
a) No comment
b) No Comment

08/03/2005 11:03:25   In our industry (banking) our internal controls are already closely monitored by Federal examiners, state examiners, and our internal and external auditors. Controls in place are tested and are working well for an organization of our size.

08/03/2005 12:17:58   yes.
a) all
b) all

08/03/2005 15:01:40   Important internal controls should be tested at least annually if they are relied upon by outside auditors for accuracy of financial reports. If internal controls have not changed then they do not need to be assessed.
a) See above.
b) See above.

08/03/2005 15:22:49   I can only address the financial services industry and strongly feel that all banking companies should be totally exempted from SOX since we already are heavily regulated.
a) Banks are assessed every year by the FDIC, the FRB, the Comptroller's Office or their state banking departments. Why must we also have this burden of complying with SOX?
b) Again for banking, allow the current regulatory environment to do the annual assessing.

08/03/2005 16:58:51   Entity level controls are vital. However, if no changes, we shouldn't have to do too much in terms of documentation and/or audit. Any changes should be documented and tested and audited.
b) Activity level controls and IT controls.

08/03/2005 18:01:35   Please look into item no 29
a) Please look into item no 29
b) Please look into item no 29

08/03/2005 18:30:29   x
a) put new heads of SEC in place every two years to stop the corruption, if possible.
b) x

08/03/2005 19:54:33   I have no opinion on this question.
a) I have no opinion on this question.
b) I have no opinion on this question.

08/03/2005 19:55:50   ALL SOX SECTION 404 INTERNAL CONTROLS NEED TO BE ASSESSED EVERY YEAR!

08/04/2005 09:17:19   Financials need to be assessed every year.
a) Those controls that have little impact on the financials. This would be based on the overall dollars in that area.
b) I don't think that should be considered. Three years without ever going through internal controls on at least all areas, is going to allow for too much leniency.

08/04/2005 09:37:56   Of course - and they should be - the new rules were a political knee jerk and are not based in reality

08/04/2005 09:39:15   No. Quite to the contrary. Small companies have the ability to change their business and the processes they use to account/report the business much quicker than large companies. Therefore, small companies' internal controls are often less standardized and change very frequently. For example, if ExxonMobil wants to change its invoicing process, that would take 12 to 18 months to implement. However, if Joe's Radiator wants to change the way it invoices customers that can happen in 1 month. Furthermore, accounting staff at small companies tend to be much lower quality than at large companies. Therefore if a large company changes its control environment the change has more than likely been looked at from every angle and every situation. If a small company changes a process there is a strong chance only one person has analyzed the change and an even stronger chance that that one person does not understand financial reporting very well.
a) IT General Computer controls
b) IT General Computer controls

08/04/2005 10:40:16   I think the whole assessment issue is unwarranted for small companies, especially an industry as heavily regulated as banking.

08/04/2005 12:09:05   Allowance for losses
b) Everything else

08/04/2005 13:38:24   We rated the controls as being either primary or secondary. The primary controls need to be tested annually, but the secondary controls don't.
a) The secondary controls.
b) N/A

08/04/2005 14:20:27   I will have our CFO give his opinion here.
a) I will have our CFO give his opinion here.
b) I will have our CFO give his opinion here.

08/05/2005 10:54:31   Possibly but I believe that almost all controls should be assessed at least annually.
a) None
b) None

08/05/2005 12:38:34   No!

08/05/2005 15:34:53   Internal controls are necessary in a bank on an on-going basis. The depth of documentation that was required by the accounting industry in 2004 is too much, even annually. I think any account that comprises over 25% of the balance sheet or 25% revenue should be required to be assessed by management every year.
a) I think balance sheet items and revenue items between 15% and 25% should be assessed every two years.
b) I think balance sheet items and revenue items between 10% and 15% should be assessed every 3 years.

08/05/2005 15:43:46   Not really. Once the assessment has been made, annual testing is not that difficult and is a good (best) business practice. The issue now is the degree of documentation that APPEARS to be expected when the auditors (external and internal) and examiners have been dealing with these systems for years. AS 2 & 3 are driving the 404 issues in small banks as between the client and the auditor. The bank understands the auditor's problem but the cost falls on the bank.
a) Repeat. The issue is not so much the recurrent testing; it is the extent of initial documentation.
b) Repeat. The issue is not so much the recurrent testing; it is the extent of initial documentation.

08/05/2005 16:45:38   Anything that would be a change in 404 policies must be addressed at the time of such change to be effective. If you did not assess this annually, someone will use that change to break the public trust. I find it pitiable that such controls have to be there, but the result without controls has not been positive. Thank Enron, Worldcom, Tyco, Arthur Andersen, AIG and others for that fact.
a) I think that the control assessments need to be made by automated systems as much as possible, making human oversight (which is less reliable - fallible) only necessary in cases when the system points out problems. That system should be audited annually for accuracy - and some oversight will be required. Maybe such systems could be audited bi-annually.
b) None, that is too long to go without an audit.

08/05/2005 19:33:08   Most internal control issues should be assessed by the company annually but not necessarily by outside auditors. Failure to meet all of the requirements should only require a notice in the 10KSB without penalty.

08/06/2005 13:52:06   Yes. If they have not changed, assessment need not be redone as long as it is established that there is no significant change.
a) Very dependent on circumstances that may be specific to company.
b) Ditto

08/08/2005 11:10:11   it can be every year but SOX needs to be pared way back to a justifiable level of controls based on a company's size.

08/08/2005 11:39:29   The assessment of internal controls for most companies should not change year to year unless there is a sale or purchase of a new company, a major change in the company's balance sheet or income statement, or exceptional growth.

08/08/2005 14:06:10   IT can be assessed every three years. Management control, i.e., the tone at the top, should be assessed every year. Certain account balance testing items should be looked at on a case by case basis and be left to the judgement of management and the auditors as to how often those controls need to be tested.
a) I think you first have to look whether or not smaller companies need to be tested in the first place. There just doesn't seem to be any valid cost benefit proposition to this exercise. I think you should allow smaller companies with market caps of under $1 billion the option of complying or not. If there is a perceived benefit, companies will evaluate it and make the proper decision. I really don't think that the investing public is as concerned about internal control compliance (something they really wouldn't understand anyway) as they are about financial performance, global trends, future business opportunities, foreign competition, world stability, interest rates, etc. SOX compliance is not going to stop financial fraud. I think there are other regulations that have been enacted, such as rules on independent boards and added independence rules for auditors and the companies that they audit, especially in the area of non-audit services performed, that are far more effective in stemming cases of financial fraud.
b) See answer 11.

08/08/2005 15:43:24   Entity level controls Financial report controls and staffing Key financial reporting controls areas which may result in a material misstatement of earnings.
a) This is too broad of a question.
b) This is too broad of a question.

08/08/2005 21:39:10   The answer to this question depends on what guidance is provided to public companies and their auditors as to what are appropriate internal controls for smaller companies.
a) The answer to this question depends on what guidance is provided to public companies and their auditors as to what are appropriate internal controls for smaller companies.
b) The answer to this question depends on what guidance is provided to public companies and their auditors as to what are appropriate internal controls for smaller companies.

08/09/2005 09:30:31   Yes. Annually assess critical controls and other operational controls where staff or procedures have changed significantly.
a) Areas to be identified by each registrant based on the nature of the company business. Tiered risk assessment to be reviewed and approved by Audit Committee.
b) same as above

08/09/2005 16:26:34   I don't see how you can check the controls less frequently than once a year...if you have the control requirements, they need to be checked. Either the system goes away or controls must be reviewed and documented based upon the risk.
a) Above
b) Above

08/09/2005 17:25:10   No need for SOX or its reporting requirements. Normal reviews and audits are enough.
a) See 11.
b) See 11.

08/10/2005 09:04:41   no comment
a) no comment
b) no comment

08/10/2005 13:44:39   We are early in the process, I haven't looked at that closely at this time.

08/10/2005 16:00:18   NONE! We're small enough that we pull reports off of our mainframe system and walk across the hall and talk about it and verify its accuracy and what we need to fix, if anything, without having to create reams of paper and additional audit fees.
a) See above.
b) See above.

08/10/2005 17:18:15   Yes - only general entity controls, IT controls, capital/equity, anti-fraud programs and management review of results (e.g. budget comparisons, financial reviews, reconciliation of accounts) need to be reviewed and tested annually.
a) High-risk areas, such as controls over revenue, inventory and tax
b) Low-risk areas and all other process-level controls performed at the clerk level

08/10/2005 22:09:27   SOX section 404 should be eliminated for whatever could be defined as small companies. Before SOX we were a lily white company and with Sox we were still a lily white company, sometimes being referred to as "boy scout accounting" pertaining to honesty. All SOX did was to increase our accounting cost four fold, at least. So the answer is do what we were doing. I think inventories and inventory values and depreciation are always at risk and I personally watched that very closely.
a) The two I mention above, at least
b) I think three years is too long to assess any part of your business

08/11/2005 08:35:22   A quarterly assessment of systems access controls is required to protect against fraud. An annual review of all payment processes should also be conducted.
a) All remaining controls.

08/11/2005 20:27:22   All companies need an internal control structure. I don't believe SOX Section 404 and the way it's been interpreted provides the best solution. Prior to SOX, most smaller companies had control structures that fit their needs. With SOX that approach no longer is available.
a) question doesn't make sense
b) question doesn't make sense

08/12/2005 13:12:10   No opinion.
a) No opinion.
b) No opinion.

08/12/2005 14:46:45   All companies should be assessed every year. The key is to limit the number of controls tested to those that are extremely critical to the financial welfare of a company. I negotiated continuously with the external auditors to limit assessment testing to the "Key Control". At a minimum all companies should make an attestation to corporate governance and general corporate controls every year.
a) Financial reporting - i.e. steps and controls over the compilation and preparation of accounting statements including estimates, off balance sheet items, off shore investments etc. Investments - ALCO adherence to company policy.
b) Inventory and production IT controls unless a major conversion has occurred.

08/12/2005 16:35:01   I believe the current rules are adequate and SOX is overkill.
a) I believe in assessing them every year but not to SOX extremes.
b) I believe in assessing them every year but not to SOX extremes.

08/13/2005 12:39:43   No
a) Need to be assessed each year
b) None

08/15/2005 14:27:30   The real problem with 404 and small companies was that it radically changed accounting standards actually applied to smaller companies and largely did so without warning or an opportunity to make a smooth transition. In the end, I think 404 will result in a modest cost increase and modestly improved financial information, most of which will be more useful to business managers than to the investing public. The problem in 2004-5 was that the rules (or their practical application) were being made in many cases after the fact and in a pathologically defensive environment. The cost (in money, opportunity and focus, and spurious litigation) is both very large and, in hindsight, unnecessary.
a) I think it matters much less which controls are assessed when than it does that there is an understandable set of expectations with respect to when and how these assessments are made, by what standards they are judged and that changes occur with advance warning and an opportunity for a smooth transition.
b) See above

08/15/2005 14:33:20   I would say only about 10% needs to be looked at every year. The rest can be on cycles.
a) Fixed assets
b) Prepaids

08/15/2005 15:10:05   Only after the first initial 404 evaluation and there wno significant deficiencies or material weaknesses existed, then it could go to a bi-annual cycle where 1/2 were reviewed in 1st year and 1/2 in second year.
a) The low risk ones. I believe companies should be evaluating their high risk key controls quarterly and reporting on their success or failure in the 8K (all companies should have Financial Close/Reporting and Disclosures and Revenue as high risk cycles plus others that are relevant). Medium controls should be evaluated annually and low risk every 2 years.
b) none

08/15/2005 15:13:01   Again, look at the number one risk associated with the company. If it's cash, most of the controls around cash should be tested annually (locked checks, proper signoffs, bank reconciliation, etc.) The ancillary controls like who stuffs checks in the mail probably don't need to be checked as frequently.
a) Materiality needs to come back into vogue with the 404 process. 1% of assets can still be a material item to the income statement. Which statement should materiality be driven from? Right now the process is such that everything gets looked at equally regardless of whether it is material to the balance sheet or the income statement.
b) I would say employee handbook types of controls for the most part would fit into this category.

08/15/2005 15:14:45   Haven't thought about it.
a) See above.
b) See above.

08/15/2005 16:33:43   non-routine transactions which were reviewed in detail before 404 was put in place anyway. Inventory and receivable collectability or valuation. Bank reconciliations.
a) Accruals for sales promotions,
b) fixed asset registers, pension, 401-K, medical, dental,

08/15/2005 16:41:14   No
a) n/a
b) n/a

08/16/2005 09:51:21   If we are going to do the work, I do believe that an annual test is appropriate.

08/16/2005 10:10:36   No. The issue is the number of "key" controls, not the frequency of audit. Many key controls are identified and required that are in fact, not key.

08/16/2005 10:13:05   Yes, internal controls for small companies can be assessed less often than every year.

08/16/2005 10:21:17   No.
a) n/a
b) n/a

08/16/2005 10:26:28   key controls only, materiality should be used to help define this
a) lower threshold of materiality
b) lowest threshold of materiality

08/16/2005 10:42:02   This question does not make sense. SOX Section 404 does not prescribe any internal controls, so what is a 404 internal control vs a "non 404 internal control"?

08/16/2005 10:44:16   Definitely controls over significant and critical areas need to be addressed annually. Also areas of moderate risk, in my opinion. Low risk areas may be appropriately addressed less frequently. CFO and CEO need to decide frequency needed to satisfy themselves controls are adequate.
a) See above.
b) Only super low risk areas. See above.

08/16/2005 11:18:54   No opinion
a) No opinion
b) No opinion

08/16/2005 11:41:07   Yes.

08/16/2005 11:52:16   Yes. Most of them.

08/16/2005 12:14:10   Some have limited application and a breakdown would have a small impact. Certainly there is nothing magical about reviewing these every year
a) No Comment
b) No comment

08/16/2005 12:40:54   No

08/16/2005 12:42:56   Yes, every control except the critical ones. Furthermore, it is imperative that IT not be arbitrarily made critical, as it currently always is.
a) For us, revenue recognition and consolidation.
b) For everything else, every three years is too often.

08/16/2005 13:04:14   Since I am not yet familiar with what 404 internal controls are, we are non-accelerated filers, I have no opinion. However, since the CEO and I both sign quarterly statements on internal control effectiveness, we need to assess controls each quarter.
a) Any control that if not working properly would cause a material error in financial reporting should be assessed at least once a year and certainly not less than every two years.
b) The controls that are in place to prevent minor theft or fraud by employees. While important to the business culture, the controls probably do not address the larger more material financial misstatements that could occur.

08/16/2005 13:12:04   The answer is yes but we are just not far enough into 404 to be helpful based on experience here; the deadline on 404 has been extended for smaller entities and we are only about 60% through the project.
a) If something is low enough in priority to be assessed every two years then normal outside Auditor procedures of the Independent Auditor should be enough; SOX should not try to prescribe medicine for all.
b) same statement as above

08/16/2005 13:19:29   Absolutely, although that may vary by industry. As a bank, we may easily go years with very limited if any structural change in our internal controls for financial reporting. In our internal controls, we distinguish between the formality of audit and a less formal monitoring/limited scale internal review. In my mind, it should be left up to the company and its CPAs to determine what controls are appropriate to be reviewed annually versus every two or three years. Those not reviewed annually should be monitored rather than audited.
a) In my mind, it should be left up to the company and its CPAs to determine what controls are appropriate to be reviewed annually versus every two or three years. Those not reviewed annually should be monitored rather than audited.
b) In my mind, it should be left up to the company and its CPAs to determine what controls are appropriate to be reviewed annually versus every two or three years. Those not reviewed annually should be monitored rather than audited.

08/16/2005 13:20:23   I don't think that the annual requirement is too much of a burden. All risk areas should be addressed annually in my opinion to reflect changed circumstances
a) None- see above
b) None - see Q11 above

08/16/2005 13:25:32   I believe that the environment of honesty and integrity of a company should be continually assessed, that the procedures and review for the appropriateness of public disclosure should receive the same treatment. Control of critical accounting policies and procedures (income recognition, deferrals, capitalization policies, intangibles, whatever is significant to a business) should be assessed at least annually. But we do not need to pay our auditors to do this.
a) None that are important, although if no change, that assessment should be enough.
b) Same as above.

08/16/2005 13:27:00   If you have a system to document and test controls all "significant" controls should be tested each year. However, a better definition of "significant" is needed. Under SOX we identified over 200 "significant" controls in accordance with SOX guidelines. I believe that there are really less than 20 "significant" controls. I believe the SOX definition needs to be revised and then those controls that truly are significant should be tested each year/quarter. A more common sense approach is needed. Currently, controls that are not that significant are treated the same as controls that really are significant.
a) Insignificant controls, if at all.
b) Insignificant controls, if at all.

08/16/2005 13:30:33   Those relating to revenue, inventory reserves and cash.
a) all others
b) none

08/16/2005 14:08:05   Revenue related controls seem to carry the heaviest weight.

08/16/2005 14:23:10   I believe that the SOX 404 controls need to be assessed regularly. The issue is the level of documentation, evidence, and cost vs value of the process. The cost is more apparent at the smaller companies but it exists at all companies. I believe it needs to be fixed for all companies.
a) I do not believe that a two year approach is appropriate, I believe that all companies should be on the same playing field. The level of detail, evidence, and testing is excessive at all companies. The entire approach needs to be redesigned to align cost with value for all companies.
b) I do not believe that a three year approach is appropriate, I believe that all companies should be on the same playing field. The level of detail, evidence, and testing is excessive at all companies. The entire approach needs to be redesigned to align cost with value for all companies.

08/16/2005 15:15:12   I believe the frequency of control assessment is not the issue. Whether you test every year or every three years matters little. The need to test at all is where it's at. For many if not most small companies the benefits of SOX are dubious, so any testing whether it be every three years or every month doesn't matter.
a) See previous answer
b) See previous answer.

08/16/2005 16:16:04   Existing annual 302 and 906 certifications are sufficient.
a) See above.
b) See above.

08/16/2005 16:45:09   High risk errors should be evaluated annually. Low risk errors should be evaluated when the risk profile changes materially or every two or three years.
a) Lower risk errors.
b) The lowest risk errors.

08/16/2005 18:35:41   Yes, I believe some should be assessed less often than annually. Controls that should be assessed annually included those susceptible to judgment (see 10. above).
a) ?
b) Revenues, purchasing and production, cash receipts and disbursements, payrolls, IT.

08/17/2005 06:57:10   I think it's reasonable to categorize certain controls as critical and assess them every year while others are done on a "rotating basis." Also, the definition of "significant process and significant account" should be relaxed somewhat.

08/17/2005 12:28:22   Unsure of the answer to this.
a) Do not know.
b) Do not know.

08/17/2005 12:36:00   I think a documentation system could be set up so that changes to systems are reviewed only as needed. As such, much of the transactional testing should be conducted only upon changes in the procedures or the system.

08/17/2005 12:48:33   Don't know.
a) Don't know.
b) Don't know.

08/17/2005 16:18:39   The review procedures prior to SOX were adequate to assess internal controls. The auditors made recommendations with respect to enhancing internal controls. Those procedures were effective. SOX was an over-reaction to frauds that occurred at Enron, Worldcom and Tyco. No control procedures would prevent the actions that occurred at those companies. Even if SOX had been in effect, those frauds would not have been prevented. People with integrity will not commit frauds. People without integrity will find a way around any control system.

08/17/2005 18:49:20   If there is a strong baseline year where all key controls are tested, then in subsequent years the following controls should be tested every year (entity level, IT, estimates and impairments, non-routine transactions, safeguarding of assets, fraud programs). As long as the risk assessment is updated annually, more transaction level controls can be cycled year to year for testing.
a) Transaction level controls as long as the risk assessment is updated every year, some analytical procedures are done and there have been no major changes in the underlying processes or systems. For example, I don't think you need to test the fixed asset capitalization policy every year nor payroll master file changes.
b) Every three years is useless.

08/17/2005 18:49:27   my view is that they should be assessed (against the materiality standard) annually by a CFO certification and audited externally once every three or five years
a) it depends entirely on materiality and that will vary by company and industry
b) ditto

08/17/2005 21:27:12   Yes. I think 404 is a waste of time and money. It documents and evaluates internal controls but does little to prevent major intentional frauds of the Enron and Worldcom type.
a) None. There should not be any requirement to review internal controls annually. Instead I would recommend that one third of the control cycles be evaluated every year.
b) All. There should not be any requirement to review internal controls annually. Instead I would recommend that one third of the control cycles be evaluated every year.

08/17/2005 22:55:14   Yes, I do believe some SOX 404 internal controls can be appropriately assessed less often than annually. I think the financial reporting process, revenue recognition, inventory management and general security controls should be assessed every year.
a) Taxes, treasury and cash management
b) Planning process, employment practices, entity-level review, fixed assets, cash disbursements, equity

08/18/2005 08:03:31   To check for fraud consistently.
a) Pls see in answer no. 10.

08/18/2005 14:30:38   Yes. Board level controls and top level management controls - over business planning, business authorization and approvals and analytical analysis of operating results.

08/19/2005 02:56:12   Absolutely. As noted earlier, we found virtually no control issues. As VP Controller for a larger small company, I know which parts of the business are at greatest risk. Why test all parts all years when a better and more cost effective approach would be to test high risk areas annually and all other areas on a rotating basis. That we used to do before SOX and it worked well (as evidenced by so few deficiencies). Annual assessments should be made for enterprise level controls, general computer controls for high risk or high level processing centers, business cycles that comprise more than 40% of a company's revenues, joint ventures, unusual transactions, technical skills of the key finance management, controls over cash/wires/ACH's, and areas that have had prior significant or material deficiencies.
a) General computer controls, Development of accounting policies, financial reporting, moderate risk accounts, areas with past control deficiencies, and GAAP compliance. Accounts that comprise less than 10% of total assets.
b) computer application controls, low risk accounts, accounts that comprise less than 5% of total assets.

08/19/2005 11:44:44   Those controls over critical items in the financial statement within a particular industry should be assessed annually.
a) Controls are specific to industries and even to individual companies. As such, no one answer seems appropriate here.
b) Same as above.

08/19/2005 12:28:03   Yes there is at least that possibility.

08/19/2005 13:49:01   Yes, there are Section 404 internal controls that do not require review and assessment every year, however, they will vary with each company. In a company where there are large numbers of fixed asset purchases the assessment may have to be done annually, whereas in a company with only minor fixed asset purchases the assessment may need to be done only once every four to five years. The need to assess controls over fixed asset purchases would be made based on a review of all such purchases.
a) Certain controls would require assessment annually such as controls over Revenue Recognition, Accounts Receivable, Cash, whereas others could be less frequent, based on an assessment of the company data available. It would be inappropriate to make a categorical list of controls that would be done every second or third year; this would change based on individual company assessment.
b) See previous response.

08/19/2005 14:40:28   Definitely. The Institute of Internal Auditors has developed Practice Advisories for preparing an effective audit plan for internal controls. One of the basic premises of the PA is that controls can be tested less often if there is not a significant event that would trigger a higher risk to that control. For example, if the Controller is responsible for many review and monitoring controls and there is turnover within this position in a given audit period -- the controls should be retested. If there is not turnover within the given audit period, and the controls were operating effectively in the prior audit period, consideration should be given as to whether there is a current need to re-test these controls or limit the testing of these controls.
a) Many IT general controls if there has been no change in the operating environment. Entity level controls that the previous auditor had a high degree of confidence in. If there is a change in the operating environment, these controls should be tested sooner.
b) Monitoring controls over routine transactions. Controls that relate to documentation of policy and procedures. If there is a change in the operating environment, these controls should be tested sooner.

08/19/2005 14:50:07   As a small public thrift, our internal controls are examined annually by our regulators and outside auditors. Should the former find material weaknesses, we would be subject to supervisory action. Material weaknesses by the latter could result in a qualified opinion. Taken together, this level of third-party oversight should be more than sufficient.

08/19/2005 17:03:28   These should be assessed annually: Cash receipts Cash disbursements Payroll Authorizing and posting journal entries

08/21/2005 22:19:50   Yes. Those directly related to the preparation of financial statements and footnotes should be tested every year.
b) IT general controls and application controls assuming management certifies that there are no material changes.

08/22/2005 15:20:23   This is a difficult question because I believe it would vary significantly from company to company.

08/22/2005 15:47:02   Revenue cycle, purchasing cycle
a) Fixed assets, payroll
b) IT, stock administration, general COSO controls

08/22/2005 17:54:28   The most difficult areas are those which require judgment, such as revenue recognition and inventory. These require annual review.
a) Areas which are routine and don't change much can be assessed less frequently--payroll, receivables, fixed assets, long-term liabilities, etc.
b) Same as above.

08/22/2005 17:56:59   No
a) None
b) None

08/22/2005 19:27:18   Yes. Concentrate on entity level controls year-to-year and a more detailed assessment every three years.
a) Revenue recognition
b) Receipts/disbursements

08/22/2005 20:10:17   My feeling is not so much that it should not be done every year, but that 404 is not a one size fits all program. Small companies need a 404 compliance guide that would not require as much redundancy or manager to employee documentation. In a small company with 10 employees, we have 2 managers and 8 hired employees. There is no way we can comply with 404 the same way Ford Motor Company can. Perhaps there needs to be various compliance guides based on revenues, staff size, or other legitimate qualifier that would make a 404 compliance for a small company fit the operations.
a) Travel, R & D, and Payroll
b) ???

08/23/2005 00:42:38   All controls should be considered every time they come into place by the person responsible for the functioning of the control. This should be a part of the day-to-day functioning of a company/accounting department. Management relies on its employees to properly provide controls.
a) see 11.
b) see 11

08/23/2005 15:56:30   I believe self assessment should be allowed and that attestation should just involve a review of company procedures used to come to its internal conclusions. Self assessment should be annually as well as the limited scope attestations.

08/23/2005 16:49:34   Probably - but annual financials are a must.
a) Perhaps some internal procedures that are specific to certain environments would not need annual assessments.
b) No opinion

08/23/2005 18:10:00   Yes.
b) General Computer Controls.

08/23/2005 21:11:03   It is less a condition of frequency and more of "why do it at all". The basics over internal financial reporting controls should still be assessed every year but ONLY if the external auditors can perform integrated audits and ONLY if the basic compliance requirements are standardized.
a) Not a relevant option. If a control should only be assessed every two years it is clearly not a key control and one that may be good idea to have but why should it become a SEC compliance requirement
b) Same answer as two years.

08/24/2005 08:50:18   Once a year is fine and works - the quarterly certifications are over the top.
a) Annually should be fine once everyone gets the initial pass completed

08/24/2005 10:14:02   See item 10 response. Reviews of internal controls should still be conducted as part of the annual financial audits and filings...but the scope should be limited.

08/24/2005 12:24:07   No, should be less onerous but annual.
a) all
b) all

08/24/2005 14:30:13   Yes, such as income taxes could be done less frequently. For smaller companies, this is not usually a critical area especially in a loss position and building NOL's. You could cycle testing of certain areas over years as long as there were not material changes in the process or internal controls.

08/24/2005 16:19:27   Get rid of 404. It is a waste of our time and money. Try every 10 years.
a) All controls
b) Governance and IT controls

08/24/2005 16:26:56   We believe company level and information technology general controls are most important for smaller companies, which may have limited ability to provide for segregation of duties or multiple levels of review of processes or transactions. We believe the “tone at the top” of smaller companies can mitigate other control weaknesses. The frequency with which other controls need to be assessed is highly dependent on the circumstances of each company, which should be the subject of management's assessment, in consultation with the company's independent accountants. We do not believe that it is appropriate to prescribe the frequency of control assessment equally across companies in different industries.
a) See answer to the first part of item 11.
b) See answer to the first part of item 11.

08/25/2005 13:39:06   It seems to me that if the public accounting firms are doing their job, then SOX should not be required.

08/25/2005 15:23:41   Normal day-to-day transactions. Areas listed above.
a) Automation of software, top level controls.
b) Strategic plans etc.

08/25/2005 16:04:36   All key controls (and only key controls) should be assessed annually. The problem is, many companies have too many key controls and their external auditors are all too content to keep testing excessive controls. Our SOXlite clients enjoy adequate financial statement assertion coverage over their significant accounts and their external auditors agree.
a) operational controls
b) operational controls

08/25/2005 16:26:29   Yes - controls over outsourcing (SAS 70 Reports), IS controls if no major program or software changes.
a) controls over outsourcing (SAS 70 Reports), IS controls if no major program or software changes.

08/25/2005 17:02:43   Annually would be fine as long as it is focused on higher risk areas.
a) One of my greatest concerns for excess burden on small business is the Information Technology arena. Certainly, this could be every two years and perhaps only on a very high level of general controls.
b) Lower risk or clearly inconsequential controls if tested at all.

08/26/2005 12:41:42   SOX 404 for smaller companies should concentrate on a limited number of key controls for significant business cycles. If it is kept simple there will be no problem performing on an annual basis.

08/26/2005 13:07:22   Because we are a non accelerated filer we've yet to address this in enough detail to respond.
a) No Comment
b) No Comment

08/26/2005 15:31:29   The entity assessment/tone at the top is critical to the entire 404 initiative and should be updated annually. As well as major account reconciliations and major assumptions.
b) Payroll is more of an embarrassment than a Sarbanes-Oxley issue.

08/26/2005 16:22:08   I believe if it's going to be done, it needs to be once a year.
a) N/A
b) N/A

08/27/2005 11:21:03   Yes - controls over financial statement reporting should be tested less often than annually. Controls over reporting of compensation and related parties should be annual.
a) None.
b) Controls over financial reporting, if any.

08/29/2005 07:07:37   Yes, but I am not into specifics.

08/29/2005 10:21:15   Assuming the need for full environment formal assessments, which we believe to be costly and unnecessary, we believe that much of the assessments should be less often than annually. The only controls that we feel would be beneficial for “every year” testing would be entity-level controls due to their effect on the tone and role in material irregularities in most companies with such problems.
a) Rotational testing schedules, if testing is deemed necessary at all in certain situations, could be performed in all cases barring significant process changes. Where rotational testing was used, routine, and to some extent non-routine, processes should be tested much less frequently than estimation processes, since this area holds the greatest potential for an error of significant financial statement impact.
b) See prior response.

08/29/2005 10:21:25   Assuming the need for full environment formal assessments, which we believe to be costly and unnecessary, we believe that much of the assessments should be less often than annually. The only controls that we feel would be beneficial for “every year” testing would be entity-level controls due to their effect on the tone and role in material irregularities in most companies with such problems.
a) Rotational testing schedules, if testing is deemed necessary at all in certain situations, could be performed in all cases barring significant process changes. Where rotational testing was used, routine, and to some extent non-routine, processes should be tested much less frequently than estimation processes, since this area holds the greatest potential for an error of significant financial statement impact.
b) See prior response.

08/29/2005 11:21:29   Yes, key controls should be assessed every year. But should not internal audit assess these key internal controls anyways?
a) Every industry may be different. Management, the audit committee, and the internal audit should work together to assess what is needed.
b) Every industry may be different. Management, the audit committee, and the internal audit should work together to assess what is needed.

08/29/2005 14:18:47   I don't believe that any SOX Section 404 internal controls for smaller companies can be assessed appropriately less often than every year. Shareholders rely on internal controls to preserve their interests every year; proper functioning only every other year is not sufficient. The only way to tell if it's functioning properly is if it's tested every year. Furthermore, less frequent audit testing poses interesting questions for an auditor. How should it be handled if the auditor tests a control every other year and finds out the control was deficient in the year that wasn't tested - and there's already an audit opinion in the public domain stating a clean opinion in the internal control system as a whole?
a) All of them every year.
b) All of them every year.

08/29/2005 14:53:30   No. Any control worth having should be assessed regularly and changed if it is not productive.

08/29/2005 15:31:21   Those controls that directly impact the accuracy of financial data, whether they be manual or automated controls should be tested annually. For example, internal controls that impact accurate loan input and maintenance are critical in that they directly impact the way loan information is captured and reported. These are critical controls and should be tested annually.
a) Internal controls that ensure regulatory compliance, but have no direct impact on financial reporting, should be tested every two years. For example, loan applications must meet the requirements of the Equal Credit Opportunity Act (Reg. B). The controls to ensure this compliance, while important, are not critical to the financial reporting process of loans, and thus should be tested less often.
b) Control for financial reporting areas that are considered low risk and have low transaction activity could possibly be put on a three year cycle.

08/29/2005 16:10:53   Of course---Also those companies with outside Federal regulators should be exempt from 404c. What changes each year? Your system, your methods or your procedures? Not in most companies.
a) Our controls are looked at every year now by outside auditors and the OCC----when is enough ---enough
b) see above

08/29/2005 17:09:27   Yes. As a federally insured financial institution, we are already subject to annual examinations by the FDIC, OTS, and State of Illinois.

08/29/2005 17:12:26   Yes I think some could be assessed more often than yearly, but I don't have an opinion yet of which ones.
a) Not sure
b) Not sure

08/29/2005 17:12:43   I think that entity-level controls should be examined every year. Non-standard journal entries (manual) should also be reviewed. Fraud questionnaires should be distributed down to a lower level of employee.
a) Revenue cycle, treasury cycle, inventory cycle.
b) Controls around payroll, payables, property & equipment.

08/29/2005 17:36:32   Unable to comment
a) Unable to comment
b) Unable to comment

08/29/2005 19:02:32   None need to be assessed each year automatically. When outside accountants arrive to do an audit, they could submit a list of areas of concern to management.
a) Same.
b) Same.

08/29/2005 19:05:24   Yes. Tone at the top should be evaluated every year. All other controls should be evaluated on a three year rotational basis.

08/29/2005 21:00:01   As I stated above - I think it is industry specific. For biotech companies revenue recognition, cash and payroll would definitely need to be assessed every year. However, intellectual property could be less often than every year.
a) Other controls that could be tested every two years could include: fixed assets, impairment of assets, equity (unless capital was raised in the current year), shipping, purchasing and receiving.
b) Controls that could be tested every three years could include: prepaids, investor relations, debt (unless highly leveraged), accounts receivable, tax provision, SEC reporting.

08/29/2005 22:40:58   The only control that should be assessed on a regular basis are entity level controls, that include the "tone at the top" for management and the board of directors.
a) none
b) none

08/30/2005 15:04:16   Yes, entity level controls for every company should be assessed annually; however the nature of an organization should dictate the areas of risk and controls tested accordingly. Controls surrounding inherent risk accounts should be assessed annually and other controls can be assessed on a rotational basis.

08/30/2005 15:07:00   None. I would assess once every two years the company's systems of internal controls. I would limit those tests to truly significant areas such as revenue recognition.
a) All.

08/30/2005 17:08:46   Yes, SOX Section 404 internal controls for smaller companies can be appropriately assessed less frequently than once every year. We believe that governance controls and controls that have been noted as significant/material weakness in past three years should be assessed annually.
a) None.
b) We would assess once every three years those controls deemed to have at least a moderate probability of failure and for which such failure would result in a significant/material weakness.

08/30/2005 18:26:14   Entity level controls, antifraud programs, and controls on which other controls are dependent (e.g. computer controls) should be assessed every year.
a) Controls over the selection and application of accounting policies that are in conformity with GAAP, and controls over significant non-routine and nonsystematic transactions (i.e. accounts involving judgments and estimates) should be assessed every two years.
b) Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements, including controls over the period-end reporting process should be assessed once every three years.

08/30/2005 18:48:02   N/A -- Really need a CPA to answer this one.
a) N/A -- Really need a CPA to answer this one.
b) N/A -- Really need a CPA to answer this one.

08/30/2005 19:47:16   If the company's operations and processes are not changing, it is not necessary to assess them every year. Entity level controls should be reviewed every year.

08/30/2005 21:07:56   Yes, ie: annual - monitoring; bi-annual - control environment
a) Ie, Control environment

08/30/2005 21:39:41   We believe that at least some SOX Section 404 internal controls can be assessed less often than every year. Reporting and disclosure controls should be assessed every year.
a) Transaction/process controls can be assessed every two years, unless they change.
b) IT controls can be assessed every three years, unless they change.

08/30/2005 23:57:28   No comment
a) No comment
b) No comment

08/31/2005 08:31:59   Financial reporting by reviewing "what has changed" from year to year.
a) General controls.
b) Budgeting and forecasting controls.

08/31/2005 10:19:14   Yes. Business process controls, financial close / reports controls.
a) General Entity Level Controls, IT General Controls

08/31/2005 10:21:37   a) Controls over accounts with lower materiality and volatility. In our case fixed assets is a good example.

08/31/2005 14:00:12   I don't see how an every "blank" year approach works. If such an approach were attempted, the controls tested most frequently should be the overall control environment.
a) See above.
b) See above.

08/31/2005 14:12:37   Absolutely. Many companies (large and small) have processes for routine transactions that change very little from year to year. Further, SOX 404 testing and internal/external audits have proved the effectiveness of these controls. We believe that controls related to routine transactions (including IT general controls) could be assessed by management every other year and only the highest risk controls (such as those whose individual failure could result in a significant deficiency) be tested every year.
a) We believe that controls related to routine transactions (including IT general controls) could be assessed by management every other year and only the highest risk controls (such as those whose individual failure could result in a significant deficiency) be tested every year.
b) We believe that all controls should be tested at least every two years. Three years is too long a period to reach a conclusion regarding control effectiveness.

08/31/2005 14:25:37   With the regulation and examination that banks now have there is no need for SOX whatsoever. Our bank has had an internal risk assessment committee for three years. All bank regulators are doing a risk assessment each time they examine a bank.
a) See 11 A
b) See 11 A

08/31/2005 14:32:46   An annual review of all controls is probably necessary. Process changes, employee turnover, etc. can have a quick effect on systems working or failing. Long-term employees may try to find ways to circumvent the system to speed up areas of their workload. An annual review of everything should keep a company going in the right direction.
a) None
b) None

08/31/2005 15:19:27   Yes, critical cycles need to be addressed every year such as financial closing and reporting and IT and many of your detective controls.
a) Preventive controls (i.e. signoffs, routine transactions, etc.) could be considered for a multiyear assessment. Additionally IT controls for which changes are infrequent could also be included.
b) This may be getting out a little too far.

08/31/2005 16:05:33   Once internal controls are put into place and are proven to be effective, annual audits from independent auditors could be less frequent than on a yearly basis to cut expenses.

08/31/2005 16:16:33   11. Controls that are assessed as little as once every three years should not be considered key controls. One of the problems with the initial SOX implementation was the large number of controls that were considered key controls. In the 2nd year of implementation, we were able to hone in on certain key controls that were truly important. Other controls, that were not considered key controls, were removed from the evaluation. At the end of the assessment, there are only a few controls per process that every company should have, whether they are a large company or a small company. Processes should be evaluated at least annually, though certain controls could be tested less often based on a sampling technique. This is where the PCAOB could help standardize the controls and evaluation periods under normal circumstances. The testing requirement should be directly related to the risk of the processes.

08/31/2005 16:29:59   yes, review documentation
a) review documentation
b) Review documentation

08/31/2005 17:16:33   I was unaware that the SEC had specific guidance on 404. The only statements I have seen are that maybe the big four have gone too far. Why wouldn't they? They have to protect themselves. I think the whole concept of 404 was rushed into and that a one brush paints all approach is the result.

08/31/2005 18:22:30   We suggest that all controls identified as key controls be assessed annually. However, this assessment, and the extent of testing of these controls in the current year for operating effectiveness, could be based on the results of prior year testing, identified changes in the controls and in entity-level controls, changes in personnel or systems, and other factors impacting the risk that the effectiveness of controls may have changed. Some controls at any size of company can be assessed less often than each year, and SAS No. 55 provides guidance to the auditor. Smaller companies are typically simpler, with fewer transactions, fewer types of transactions, fewer complicated transactions, less employee turnover, and so on, thus it is very likely that smaller companies need less monitoring than a large company and have a greater likelihood of being able to use a rotational approach to controls than a larger company.

08/31/2005 18:23:08   Entity Level Controls (Management Override), IT General Controls. For annual items, important to keep it focused on what's important…the KEY controls.
a) Controls over transactions based on estimates, non-routine transactions, and Financial Statement Close process. For bi-annual categories, important to keep this practical vs. academic (again substance over form).
b) SAS 70 reviews, controls over routine transactions (exceptions being if a process significantly changed). For tri-annual categories, important to keep the benefit derived greater than the cost incurred.

08/31/2005 19:16:05   11. The answer to this question is no. A company either has a working internal control system or it doesn't. If a control is not important enough to monitor every day, then it is not a control. Assessing the control is not the critical task, enforcing it is.

09/01/2005 00:55:31   Control environment, anti-fraud program, key controls over significant accounts with much subjectivity or judgment (i.e. allowance for loan losses, goodwill, income taxes, etc) and any changes to key controls.
a) Process to determine this should be risk based. Moderate risk accounts could be assessed every 2 years.
b) Process to determine this should be risk based. Lower risk accounts could be assessed every 3 years.

09/01/2005 11:40:19   Yes, company level controls and high risk areas.
a) medium risk areas
b) low risk areas, or change of material assessment for those companies that are near breakeven and therefore, have everything scoped in.

09/01/2005 14:30:54   Most controls could be assessed on a rotating basis every two years, however depending on the type of business, controls over revenue recognition should be assessed annually. The majority of accounting irregularities seem to stem from the timing of a fraudulent reporting of revenue.
a) No comment.
b) No comment.

09/01/2005 17:12:34   Every year assessment needs to include general control environment perhaps IT controls. I am skeptical that a small company would really benefit from less often than once a year. Given the current structure I think management should assess the effectiveness of internal controls every year. If it is less often the control environment might slip as significant events happen in a small company. On the other hand if the audit could happen less frequently that would eliminate some audit fees which would be good.
a) N/A
b) N/A

09/04/2005 07:42:16   No. Annual assessment is adequate.


 

http://www.sec.gov/info/smallbus/acspc/acspc_rpc11.htm


Modified: 10/13/2005