A Guideline for US Non-accelerated Filers to Comply with the Sarbanes-Oxley Act


General Introduction

From December all non-accelerated filers must have completed a self-assessment report on internal control over financial reporting, and when submitting an annual report for a fiscal year ending on or after this date must file an auditor's attestation on internal control. These requirements were laid out in the SEC's final rule "Internal Control Over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers".

For most Chinese non-accelerated filers, even those that have been listed on US stock markets for several years, internal control remains an unfamiliar topic with a high level of non-compliance. This guideline note aims to assist filers by outlining the schedule within which to comply, discussing the compliance issues an independent consultant can help with, and describing the likely conclusions resulting from the audit process.

The chart below summarizes relationships between a company's goals, risks, controls, the self-assessment process, and an auditor's work.

[Chart: SOX 404 Requirements. Labels: The Target of the Company; Risk; Controls; COSO Framework; Self-assessment (Scoping; Risk assessment and control identification; Walkthrough; Compliance Testing; Remediation); Audit; Work Basis of Auditor; Self-assessment package; Audit Standard No.5; Auditor's Report on Effectiveness of the Internal Control]

Horwath refers to Horwath International Association, a Swiss verein. Each member of the Association is a separate and independent legal entity.

Definition of Non-accelerated Filers and Their Compliance Time

Definition

The term "non-accelerated filer" defines an Exchange Act reporting company with a public float under $75 million, or a company that fails to meet other criteria for an "accelerated filer" (as defined in Exchange Act Rule 12b-2) based on reporting characteristics.

The Compliance Timetable

Below we have laid out a basic timetable outlining the stages of compliance for a non-accelerated filer. The schedule is based on the assumption that the financial year of the Company ends on 30 June 2**9.

[Timeline chart: Jul 09; Aug 09; Sep 09; Sep 2010. Stages: Initial interview and process documentation; Completeness of walkthrough; Q1 to Q4 compliance testing; Mgmt Report; Auditor report]

What We Can Help With

The SEC and PCAOB rules assign responsibility to a filer for producing a self-assessment report, either independently or with the help of an independent consultant. To assist clients in completing a self-assessment package effectively, we have developed an assessment methodology outlined in six key steps:

Scoping (Top-down Approach)
Understanding Process
Identifying key control
Evaluating effectiveness
Evaluating identified deficiencies
Remediation

These six key steps are outlined in more detail below:

I. Top-down approach in scoping

PCAOB Audit Standard 5 suggests auditors use a top-down audit approach in the area of internal control over financial reporting. Accordingly, management's self-assessment of internal controls may also follow the direction of AS 5. Under this approach, internal control assessment should start with entity-level controls and work down to significant accounts and disclosures, and their relevant assertions, that present a reasonable possibility of material misstatement to financial statements and related disclosures. Major steps include:

Identifying entity-level controls,
Identifying significant accounts and disclosures, and their relevant assertions,
Identifying transactions which generate a significant amount of account balances in order to determine key processes, and mapping them to each in-scope account.

Means to an end: Risk Assessment

A risk-based top-down approach enables management and third-party consultants to focus an assessment on relevant controls. This reduces the costs of compliance with Section 404.

II. Understanding processes

To identify mitigating controls, those performing testing need to obtain an understanding of the operation of key processes by inquiring with process owners, observing operations, inspecting relevant documents, or re-performing certain actions. They should document the process, combined with their understanding, in the form of process flow charts or narratives.

Means to an end: Flowcharting

III. Identifying key controls

In documenting processes, process-level controls are identified. Among the identified process-level and entity-level controls, the key controls used to mitigate misstatement risks should be determined.

Means to an end: Risk Assessment

IV. Evaluating effectiveness

Effectiveness evaluation of controls may fall into two steps: first assessing design effectiveness, and second testing operating effectiveness. Walkthroughs may be an effective way of achieving the dual purposes of identifying key risks and controls, and assessing the design effectiveness of a certain control.

Means to an end: Walkthroughs

V. Evaluating identified deficiencies

The testing result of a control allows the control to be categorized as adequate, design deficient, or operationally deficient. To illustrate the severity, identified deficiencies may be labeled as deficient, significantly deficient, or as having a material weakness. Action plans should be made to remedy each identified deficiency. Retesting should be performed, if possible, to evaluate the effect of the improvement.

Means to an end: Risk & Control Matrix, Issue Log

What Will the Auditor Do?

The client's auditor is required to issue an attestation report on internal control over financial reporting. The auditor's opinion (whether the internal control over financial reporting is effective) will be presented based on key factors:

The self-assessment package prepared by the management or its independent consultant;
The auditor's audit procedure and samples selected.

The auditor has to perform the integrated audit based on the instruction of PCAOB audit standards.

About Risk Advisory Service of Horwath

Our Risk Advisory Service ("RAS") focuses on risk advisory related services such as Internal Control Review ("IAR"), Complete Risk Assessment ("CRA") and assisting with compliance requirements stemming from SOX Section 404.

US/Japan Security Market Requirement Compliance Assistance Service (US SOX and Japan SOX)

Securities markets are establishing an increasing number of monitoring regulations and laws, the implementation of which tends to be strict; US SOX 404 compliance and Japan SOX are examples. Horwath provides a deep level of experience and a rich, well established methodology in compliance issues.

Our approach, and the way we work:

We work with management in order to speed the breadth and depth of familiarity with legal and regulatory compliance;
We train on methodologies to approach, and required knowledge of, legal requirements;
Management is assisted in how to assess their control environment and risk;
We assist in establishing a project team;
We help to assess the area of risk, and with the drafting of risk matrices;
We assist the project team and take charge of control identification and control activity designing where necessary;
We design control activities and audit programs;
We then assist the Company in conducting walkthrough and compliance testing;
And we assist companies in evaluating testing results, and help in designing action plans to monitor and remedy future works.

Outsourcing & Co-sourcing of Internal Audit, Risk Assessment and Corporate Governance Service

An increasing number of foreign invested enterprises ("FIEs") are seeking a professional service provider for the outsourcing or co-sourcing of internal audit functions ("IA"). Common reasons cited include:

Cost savings resulting from freeing-up full time staff;
A professional specialist can provide internal audit and risk management services with an independent eye;
A professional service provider has strong and complete networks, resources and support staff;
A fresh, varied and experienced service provider brings a valuable approach to internal operations and management.

Our approaches: how we approach internal audit outsourcing and co-sourcing:

We perform a risk assessment before conducting field works;
We assess the control environment of a Company;
Based on the result of the risk assessment we evaluate, review and create processes and controls;
Any significant deficiencies, material weakness, or other issues are noted and delivered to management in a comprehensive report;
The internal audit report is discussed with management as part of a 2-way communication process;
We provide any necessary professional suggestions and recommendations for improvement;
We are keen to give feedback on any needed follow-up works suggested by management or ourselves.

Complete Enterprise Risk Evaluation and Process Improvement

In June 2008 the China State Security Authority issued an internal control framework applicable to ALL Chinese private companies, foreign invested companies and listed companies. Since July 2009 the framework has been effective for ALL China listed companies. In common with the US SOX Act or Japan's SOX, the China Enterprise Internal Control Framework requires an enterprise to build up an appropriate control system to enhance the reliability of financial statements, and to protect the rights of investors and stakeholders.

In order to assist clients to pass this legal assessment, the Horwath Risk Advisory Team has developed a compliance methodology tailored for clients operating in the Chinese economic environment, some of whom might include:

Companies listed on a stock market in China, but yet to establish an internal control framework;
Small or middle sized foreign invested enterprises which have not yet established an internal control framework;
Local enterprises planning a stock market listing but without yet completing an internal control framework.

Our Methodology Includes the Steps Below:

We seek to gain a thorough understanding of the control environment;
We assist enterprises in building up compliant operation cycles and processes;
We interview management and process owners to confirm existing controls and risks in existing processes;
We conduct a walkthrough and compliance test for confirmed processes and controls, and identify control deficiencies and material weaknesses;
We assist the enterprise in designing effective action plans to tackle the issues and weaknesses noted, and provide a re-testing of the revised controls;
We assist the enterprises in building up a complete control framework based on the China Enterprise Internal Control Framework.

For more detailed information about our China services, please contact:

Dr. David Yu - Beijing
Tel: