Section 404 of the SOX requires public companies' annual reports to include the company's own assessment of internal control over financial reporting, and an auditor's attestation. Since the law was enacted, however, both requirements have been postponed for smaller public companies, until now. The requirement of an auditor's attestation will begin for most smaller public companies with their 2008 annual reports. The 2007 annual report will be the first year that the management assessment will need to be included. To make the first time easier, the SEC has designed a brochure to assist the small business. Also, in June 2007, the SEC issued interpretive guidance to help companies assess their internal controls. This guidance was developed specifically with smaller companies in mind. The guidance is voluntary. You can find it, on the SEC website at the link below. Although applicable to small companies, it provides helpful information for all organizations. We strongly encourage you to review this information.

ABSTRACT: By Niranjan (Chips) Chipalkatti, Sanjoy Chatterji, and Sarah Bee

"According to a study conducted by research firm Glass, Lewis & Co., nearly 70% of the internal control weaknesses of companies that reported control deficiencies in the post-Sarbanes-Oxley Act (SOX) era were attributable to financial systems/procedures (59%) and revenue recognition-related (11%) issues. A study by Weili Ge and Sarah McVay ("The Disclosure of Material Weaknesses in Internal Controls After the Sarbanes-Oxley Act," Accounting Horizons, September 2005) obtained a similar proportion for revenue recognition-related weaknesses; it also documented that 40% of these were in the computer industry and 12% were from the pharmaceutical sector. In the post- SOX environment, CEOs and CFOs face a higher level of scrutiny with regard to complex revenue-recognition issues, such as those involving sales through distribution channels, and have a greater responsibility to identify, document, and test internal controls of their revenue cycles. Auditors of companies that sell through distribution channels must be alert to potential revenue-recognition risks like "channel stuffing" (i.e., significant increases in inventory in customers' distribution systems).
This article describes a formal revenue accounting system that could be used by companies that sell through distribution channels. The advantage is that it incorporates appropriate key controls that can be easily documented and evaluated for their effectiveness. The system also facilitates strategic data mining of distribution channel information."

In January 2008, KPMG's 404 Institute released the results of its November 2007 survey that asked its members to define the impact of the new SEC and PCAOB guidance on the cost of compliance for 2007. The information contained in this report of the findings indicates how their members expect compliance costs to change.

Several key results emerged from this flash survey.

First, in the Benchmark Survey conducted in March 2007, it was noted that deriving cost savings from "scoping controls" is at the point of diminishing returns-that is, companies are approaching the point at which they have identified the "right" number of controls. The flash survey validated that finding in that, for the first time, the top source of savings.

Second, half the respondents leveraged the new guidance to reduce costs, and the other half continued along their own evolutionary paths. The companies that leveraged the guidance focused on testing, scoping controls, and documentation as the major sources of savings. The companies that did not cite regulatory drivers used those and some other tactics to reduce costs, including, for example, location testing and self-assessments. We expect all companies to continue to evaluate the new guidance in the context of their 2009 efforts.

Third, smaller companies do not expect to reduce costs as much or as quickly as larger companies that have been at the effort longer and typically have made larger investments in evolving their programs. KPMG will address this finding in more detail in the 404 Institute's 2008 Benchmark Survey to see if smaller companies receive the benefits from the lessons learned by the larger companies.

Finally, in the past, the market provided accurate projections of cost savings, but in the flash survey the view of 2009 is not as clear. It is assumed that this result is due to the market's need to continue to absorb and understand the new guidance.

The Survey Highlights include:
1. Almost two thirds of the respondents expect 2007 compliance costs to decrease by as much as 20% compared with results in 2008.
2. The extent of savings differs depending on whether savings are driven by guidance or other factors. Companies that leveraged regulatory guidance posted larger cost reductions than other companies due to efficiencies in testing, reduced controls, and scoping. This result indicates further opportunities in 2009 for companies to explore the new guidance and its impact.
3. Results indicate that the rate of cost savings is decreasing year over year, which could indicate we are headed toward a savings "plateau" requiring the emergence of innovative processes to drive the next cycle of evolution.

A January 2008 article published in CFO.com reveals that a recent study claims small businesses are paying an average of $78,000 a year to comply with the internal-control provisions of Sarbanes-Oxley. Ever since companies began the daunting task of complying with Section 404 of the Sarbanes-Oxley Act in 2003, the question of how much it costs has been ripe for debate. The SEC didn't do much to clear things up when, that first year, it estimated the internal work would cost publicly traded companies an average of $91,000. Being an average, that figure didn't apply to any company in particular, and when the actual expenses associated with Section 404 started rolling in, many companies ridiculed it as grossly understated. And yet the $91,000 number came to attain an iconic status in the world of finance - including among small-business advocates, who have cited it in their calls to give small companies extensions in complying with 404 and for changes to the law itself. Last year, Nydia Velazquez, chair of the House Committee on Small Business, repeatedly asked the SEC to provide hard estimates on the cost of complying with 404. Now, a consultancy specializing in Sarbox compliance for small companies believes it has a much better idea of how much 404 compliance does cost. According to Worcester, Massachusetts-based Lord & Benoit, total first-year costs for complying with 404 currently average $53,724 for non-accelerated filers - those with market capitalizations below $75 million. That figure is based on empirical data from just 29 small companies that have put together their 404 management reports. Lord & Benoit also used research pulled from SEC filings and audit-fee data by Audit Analytics to show that when the second portion of 404 - called 404(b), or the auditor attestation report - takes effect it will, on average, cost the smaller companies an additional $24,750. However, the accuracy of projected 404(b) cost could be suspect. It is based on the audit fees of about 5,500 accelerated filers, and it does not incorporate the effects of the Public Company Accounting Oversight Board's new auditing standard for internal controls. Approved last year, Auditing Standards No. 5 encourages auditors to take a top-down, risk-based approach and aims to bring down the cost of internal- control audits. Under AS5, auditors no longer have to audit management's assessment process, but rather the controls themselves. There may still be a while to go before AS5 is put to the test for small companies. If SEC chairman Christopher Cox makes good on his word to propose a delay on 404(b), companies can defer that added expense for two years. Under Cox's plan, small filers' management internal-control reports will not be audited until fiscal years beginning in 2009. In the meantime, most non-accelerated filers have already formally assessed their internal controls to comply with 404(a). Lord & Benoit president Bob Benoit suggests his research could help government officials address the many requests for solid cost figures for 404. Cox has said the SEC will conduct a cost-benefit study for small companies and publish the results this summer. In Benoit's view, the SEC's management guidance released last year could also reap savings for large companies even though they have been complying with 404 for the past few years. They could save 30 to 50 percent if they adopted the SEC's guidance to focus only on areas of materiality and to feel comfortable using more professional judgment. According to Benoit, the accelerated filers haven't revisited how they put their management reports together. "Sometimes people are uncomfortable with change and continue to do things the old way," he told CFO.com.

When it comes to administration, the Swiss are famous for their efficiency and attention to detail. It is somewhat surprising, then, that a number of changes to company audit law are only now coming into effect. Most notably, from January 1, 2008 auditors must verify internal control systems at the companies they audit.

Inevitably, this evokes comparisons with the widely reviled Section 404 of the Sarbanes-Oxley Act in the US. Swiss officials, however, sought to avoid similarly onerous rules, explains Simon Marti, a partner at KPMG in Zurich. For example, early draft legislation required auditors to verify that internal control systems were "functioning," a term that was later removed "to avoid extensive operational effectiveness testing," Marti says. Under the new rules, audits need only to verify the existence of internal controls using a walk- through test of a single transaction. What's more, executives are not required to sign off or certify control systems.

For the many Swiss multinationals with secondary listings in the US or elsewhere in Europe, the new law changes little. However, Marti says, there will still be extra work to do "to formalise, standardise and improve controls" to meet the letter of the law. And it will lead companies without internal audit departments to set them up, he adds. A fair number of companies "could be caught on the wrong foot," says Christian Christen, an attorney at Lutz Rechtsanwälte in Zurich. For private firms, audits are now based on size rather than legal structure, Christen notes, ensnaring "certain smaller companies that didn't pay too much attention" to formal internal control procedures before. But in general, he says, "companies are prepared." Despite the many differences between the new Swiss rules and Sarbanes-Oxley, there is at least one notable similarity. Analysts at Credit Suisse recently published a bullish report on the Swiss corporate- services sector, noting "above-average demand potential" for auditors, lawyers and consultants in 2008.

A key resource for members is the sharing of information among the membership via articles. Subject matter including techniques for reviewing internal controls, discussion of available tools, case studies, etc. can assist both the new and experienced internal controls auditor/specialist. If you would like to submit an article or monograph on any subject matter that may be of interest to the membership, we encourage you to do so. You can direct any materials for my review to me at chairman@theiic.org.

TheIIC Board approved a new benefit for members, recommended by the Chairman, that will provide free CPE training for members who renew their membership. The CPE training will be part of the newly developed Program Development & Training Division headed by Michael Piazza. Under the policy, each member who renews their membership will be given one free CD-ROM based four or eight hour CPE Self Study Course. The first product will be available in the late summer of 2008. The course will have a value of $149 to $249 for non members and will more than offset the cost of the renewal dues paid by members. More information concerning this new benefit, as well as the course descriptions, will be made available in future editions of TheIIC e-Newsletter, as well as TheIIC website.

If you missed a previous edition of TheIIC
e-newsletter, or would like to retrieve a copy, you can now view archived editions of TheIIC
e-Newsletter on TheIIC website at http://www.theiic.org/publicationsnewsletter.html.

For first timers, I would like to welcome you to the TheIIC e-Newsletter. In the design of the newsletter we completed extensive research on how to make the e-newsletter successful. As you can see, the layout is a little different than you see in other e- newsletters. While most e-newsletters only give you a few lines of the article, with a link to the full article, we have decided to present an abstract type summary of each, with a link to the full article, when available. We feel that this allows you to get the substance of the article without having to link to another site. However, we do provide a link for those who want any additional details available. This also provides you with the ability to print out the newsletter and read it at your leisure. We encourage any comments or suggestions for improving the e-newsletter. Comments as well as contributions for publication should be sent to me at e-newsletter@theiic.org.

The Certified Internal Controls Auditor certificate is presented to Harry Armstrong (left) by Paul Kennedy, CICA (right), Director, Internal Audit, Defense Supply Center Philadelphia, at a recent ceremony.