Paul_M
Posts: 91
Joined: Apr 2003
|
Friday July 20, 2012 11:38 AM
|
|
Just as a reminder, the PCAOB monitors the accounting firms. It does not have direct authority over registrants. That is the purview of the SEC. Any rules issued by the PCAOB apply to your auditors, not to you. The SEC issued its interpretive guidance to management in SEC Release No. 33–8810, June 27, 2007. The SEC’s guidance provides a broad framework that allows significant latitude to management in its approach to evaluating internal controls. To quote a few relevant sections from that guidance:
"The Interpretive Guidance reiterates the Commission’s position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective. This allows management sufficient and appropriate flexibility to design such an evaluation process. Smaller public companies, which generally have less complex internal control systems than larger public companies, can use this guidance to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies to take advantage of the flexibility and scalability to conduct an evaluation of ICFR that is both efficient and effective at identifying material weaknesses.”
“The nature and extent of procedures implemented to evaluate whether those controls continue to operate effectively can be tailored to the company’s unique circumstances, thereby avoiding unnecessary compliance costs. The guidance assumes management has established and maintains a system of internal accounting controls as required by the FCPA. Further, it is not intended to explain how management should design its ICFR to comply with the control framework management has chosen. To allow appropriate flexibility, the guidance does not provide a checklist of steps management should perform in completing its evaluation.”
Since you’re a one-man operation in a smaller company, I would also recommend the SEC’s SOX Guide for Small Business. Part of that guidance says:
In a smaller company, you may not need to assign any special personnel to the task of gathering evidence on how internal controls are operating. Likewise, the procedures you follow to obtain evidence of operating effectiveness may be integrated with the daily responsibilities of the employees.
The SEC guidance also describes circumstances in which managers can rely on their own knowledge and supervision of controls — a common situation in smaller companies — as a way to limit the additional procedures, if any, that might be needed to gather evidence of operating effectiveness.
So, yes, we all agree that the textbook answer (which the external auditors seem to be pretty good at) is that another person should review your testing. The real world answer (which external auditors are typically not very good at) is that it would be a cost that would provide minimal value to your evaluation process.
|
|
|
|
|
