In my work with smaller companies I’m seeing that there’s still much more they can do to strengthen their control environment, create efficiencies and reduce compliance costs in their SOX 404 program by taking a top-down risk-based approach—focusing more effort in higher-risk areas and relying on preventive and monitoring controls in lower-risk areas.
While the Dodd-Frank Act of 2010 eliminated the requirement of an external audit of financial reporting controls for nonaccelerated and small-company filers (companies with a public float of less than $75 million), they still need to document, test and certify valid internal controls. And they have to comply with the same complex accounting requirements (revenue recognition, equity accounting, inventory and asset valuation, etc.) that big companies do, but often they have limited technical accounting resources.
If you’re in this category (and even if you’re not), you should take a fresh look each year to identify the processes and controls that pose the greatest risks for errors in your financial statements. When you know where your greatest risks lie, you should spend the most time and resources evaluating the design and operating effectiveness of controls in those areas, and spend less time on those you’ve identified as lower risk.
Similarly, small companies don’t always have a second set of eyes to review the accounting for highly complex transactions, so it might make sense to consider having an outside expert assist in their review—you can bring in accounting expertise only when you need it and reduce your risk of error.
Because management has greater visibility of activity across the organization in smaller companies, you have the opportunity to identify and leverage entity-level (monitoring) controls that mitigate financial statement risks for lower-risk processes. As an example, you could rely on monitoring controls such as account reconciliations rather than multiple transactional controls. Relying on monitoring controls that are performed on a weekly, monthly or quarterly basis will require less testing than transactional-level controls, saving time and money.
Taking a risk-based approach to SOX 404 gives companies a real opportunity to focus on what matters most and improve ongoing processes. As a bonus, you can save time and money, too.