Sarbanes-Oxley to drive change and mitigate risk in small and medium-sized entities

Sarbanes-Oxley: Friend or foe?
Is the Sarbanes-Oxley Act (SOX) a friend or foe to small and medium-sized companies (SMEs)? Often, those entities will answer "foe."

The status quo is generally the policy followed by SMEs, which are those publicly traded companies with less than $75 million in market capitalization, as defined by the U.S. Securities and Exchange Commission. Typically, SMEs will either scramble to document their processes just prior to their financial audits or will rely on the external auditors to document their processes for them.

Explaining the status quo
For SMEs, SOX can seem to be an exercise in documenting what actually occurs. This may seem tedious and without merit. Each department knows what it does and may wonder why it needs to write a narrative explaining its duties.
Often the answer to this question is "because the auditors asked for it." However, SMEs might do better to engage the various departments and show them how they can benefit from SOX. The first step to getting department managers on board is to present top management with the benefits that may be had from utilizing SOX, such as driving change and mitigating risk.

PCAOB direction
The Public Company Accounting Oversight Board (PCAOB) instructs external auditors in Auditing Standard No. 5 (AS5) to "evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself." Further, the PCAOB allows the external auditor to rely on the work of "internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee."
This statement should pique top management's interest. Any documentation or procedures that are performed in house should save money on the overall audit. Top management should encourage external auditors to utilize any viable internal documentation. This alone should have management interested in performing SOX procedures in house.
In AS5, the PCAOB directs the external auditor to ask him or herself "What could go wrong?" in determining likely sources w
Mitigating risk
Enterprise Risk Management (ERM) has become the best practice for larger corporations. The "Enterprise Risk Management — Integrated Framework" from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in 2004, defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
The framework further stratifies the company into four categories susceptible to risk: strategic, operations, reporting and compliance. Strategic risks are those that affect the company at a high level and tend to be external to the company. Many strategic risks can be explored through the entity-level assessment performed in SOX. Operational risks are those that affect the company at a lower level in its day-to-day operations. Reporting risks are those risks that affect the reliability of financial reporting, and compliance risks affect compliance with applicable laws and regulations.
Many of the operational, reporting and compliance risks can be examined and addressed in the various process documents created through SOX. See Table 1 for more information on risks.

Table 1: Examples of risk

Strategic risks
Higher-level risks mainly external to the company
• Change in interest rates
• Customer buying behavior change
• Substitutes enter the market
• Technological advances
• Trade embargoes
• No business process improvement

Operational risks
Lower-level risks mainly internal to the company
• Fraud
• Workplace safety
• Product flaws
• Business disruption
• Damage to physical assets
• System failures

Reporting risks
Risks relating to the reliability of financial reporting
• Transactional errors
• Miscommunication
• Data entry or loading error
• Accounting error
• Inaccurate external report
• Missing transactions

Compliance risks
Risks relating to applicable laws and regulations
• Changing or new laws and regulations
• Inadequate staff training
• Miscommunication
• Human error

Best practices
Various department heads should be encouraged to go through the SOX process of interviews, walkthroughs, gaps and management action plans. A company employee documenting processes with a critical eye and a sense of the big picture can help the various departments run more smoothly and with less error. Additionally, he or she can help the various departments work together to mitigate risk.
It's important to understand best practices and potential risks before starting the SOX documentation process. Best practices are the current standard. When researching best practices, you are endeavoring to learn from the experience

[...] are present?" Don't discount the less than best. The stories of the less than successful will give you an idea of the risks that you might face. For instance, stories of employee theft can help you to understand the practices that lead to that risk materializing. Perhaps the company failed to segregate duties surrounding cash or failed to physically secure assets.
Best practices research is usually inexpensive. The Internet is a wealth of information, and you can find information at the library. You can network and conduct research through professional organizations. Furthermore, once you identify organizations and people you should talk to, you can initiate informal chats on the subject matter.

Interviews
You can begin your organization's SOX documentation once you understand the best practices and key risks surrounding each process. The first step is to interview the manager of the process, who can explain everyone's role in that area. Additionally, he or she will be able to provide you with a bird's-eye view of the process and its controls. Keep in mind you are following a transaction from its inception to all the stops it makes along the way prior to hitting the general ledger.
The interview process should feel like an informal conversation rather than an interrogation. The interviewee should feel comfortable and relaxed. Stay in control of the conversation and keep the interviewee on topic. Make sure to use open-ended questions rather than leading questions. You want to know who, what, when, where, how and why. You don't want to ask yes or no questions. See Table 2 for question examples.
Keep in mind that silence is a strong stimulus for conversation. Typically, your silence is an indicator that the other person should be talking. People tend to want to fill silence with conversation. Once the interviewee is responding to the open-ended questions, you can follow up with more direct questions to clarify details. When you understand the process from start to finish, make sure to repeat the process back to the interviewee. Make sure to mention all the key employees' names. Repeating the information back