The long-awaited implementation of Section 404 of the Sarbanes-Oxley Act requires public companies to include in their annual reports both:

• The company’s own assessment of internal control over financial reporting and

• An auditor’s attestation as to the effectiveness of such controls.

While the implementation of these rules has been in effect for larger companies for some time, the 2007 annual report marks the first report wherein management of small business issuers (as defined under Regulation SB) are required to provide an assessment. Nonetheless, the requirement that the company’s independent auditors attest as to the effectiveness of such controls was postponed for most smaller public companies until the filing of their 2008 annual reports.

The SEC has provided certain guidance to help companies assess their internal control. It can be found on the SEC’s Web site at http:/www.sec.gov/spotlight/soxcomp.htm. A summary of certain salient points follows.

Summary of management’s responsibility

We caution that, despite limited guidance, it is management’s responsibility to make sure that the company has, enforces, and maintains an effective system of internal controls to ensure the reliability of its financial statements. The officers certifying as to the accuracy and validity of the financial statements would have to certify as to their evaluation of the effectiveness of the company’s internal controls.

The main questions to be asked by every member of upper management are:

• Do employees and consultants understand the tasks and information needed in order to properly prepare financial reports?

• What information does management need to make sure that employees have done those things?

The guidance given by the SEC to date involves a three-step process.

1. What are your businesses risks, and how do you propose to address them?

First, management should identify the areas of financial reporting risks and weaknesses that are most likely to relate to them and also identify and implement the controls that affect them. This starts with an analysis of how the company’s business works, of the risks that normally affect businesses such as those of the company, and of risks that may uniquely affect the company. For example, is the company vulnerable to fraud? Are there risks in the way the company records transactions? Is management in place with experience in handling the financial risks of the company? These and other questions should be asked by management to determine its risks.

How you address these and other issues you identify is dependent on a variety of factors, such as company size, complexity, and organizational structure. The SEC noted that in smaller companies, management’s daily involvement with the business may provide it with a degree of knowledge that enables management to identify financial reporting risks and related controls.

2. Do your solutions work?

Said differently, once management has identified the company’s problem areas and implemented internal controls, are these controls effective?

In ascertaining whether or not management has sufficient evidence to support its conclusion that the effectiveness of a company’s internal controls are sufficient, it must first weigh both the risk that a control will fail to operate as designed and the level of risk of a material misstatement in its financial reports. The greater a potential for error, the more evidence that must be gathered by management that its controls are effective.

Use of objective personnel, more extensive validation of controls, and testing over longer periods are all controls that should be increased as internal control risk increases.

In all circumstances, management should have sufficient evidence to ascertain whether the controls are operating properly and consistently, how the controls are applied, and whether the personnel responsible for implementation of the controls are qualified to do so.

3. Disclosure on effectiveness: Is there a material weakness?

Annual reports for the 2007 year must include management’s assessment of overall effectiveness of their internal controls and an analysis of the above to determine whether or not there is a material weakness. If so, management cannot conclude that the company’s controls are effective. Therefore, management’s best practice is to place significant weight on determining what is a material weakness.

Conclusion and other sources

The SEC has issued various guidance publications on both record keeping and maintenance and on identification, implementation, and assessment of internal controls.
Additional relevant publications may be obtained from the Committee of Sponsoring Organizations of the Treadway Commission Web site at http://www.coso.org/publications.htm.