Audit Management Solutions, Inc.
Competent, Quality, Low Cost Audit and Accounting Solutions
Q. What is "COSO" and how does it relate to SOX?
A. COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a private sector organization which provides guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. The COSO framework is the most common foundation for performing SOX 404(a) and (b) assessments, and is recognized by the SEC as such.
Q. What's the difference between an "entity level" control and a "process level" control?
A. Entity level controls, sometimes referred to as corporate governance or "tone at the top", pertain to areas such as corporate ethics, organizational structure, human resources, control environment, and policies and procedures. Process level controls occur at the functional level, such as a supervisory review of an account reconciliation or matching a purchase order to an invoice.
Q. As a smaller reporting company, how much will it cost me to comply with Section 404(a) and (b) of the Act?
A. Several studies have been done in this area, and the consensus is between $80,000 and $120,000. This cost includes the external auditor assessment required under 404(b), and, since most smaller reporting companies do not have an internal audit department, outside consultant fees to coordinate management's assessment under 404(a). Your costs will depend on the size, structure, and complexity of your organization. Clients of Audit Management Solutions, due to our innovative cost-saving approach, are usually below this threshold.
Q. How does our external audit firm following Auditing Standard 5 save on costs?
A. First, AS 5 allows your external audit firm to avoid duplication of effort by using all applicable internal control assessments performed during its financial statement audit when it conducts its 404(b) assessment. Second, if management's assessment of internal controls is conducted under the COSO framework and meets standards set forth by the PCAOB and other regulatory agencies, the external auditors can reduce the amount of work required by establishing reliance on the work performed under 404(a). Lastly, AS 5 requires a "top down" approach, assessing controls at the entity level first. If controls are determined to be effective at the entity level, process level control testing can be reduced to the extent the entity level controls are deemed adequate as they apply to specific processes.
Q. It's too costly to comply with SOX. What happens if I don't do an assessment of my internal controls?
A. Non-compliance with the Act is not only illegal but costly. Sarbanes-Oxley is one of the few regulations that carries jail time along with stiff fines. A corporate officer who does not comply or submits an inaccurate certification is subject to a fine of up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.
Q. I recently read that the SEC gave an extension for smaller reporting companies on the SOX 404(b) assessment until June 15, 2010. What does this mean for our company?
A. You are correct. On Friday, October 2, 2009, the SEC gave smaller reporting companies an extension on 404(b), which is the external auditor's assessment of management's controls over financial reporting, for annual reports issued after June 15, 2010. Your company is still required to complete its 404(a) assessment and report its conclusions in this year's 10-K. This assessment must still be completed and must follow all applicable COSO and SEC requirements. For the full text of the SEC's announcement, click here.
Do you have your own specific SOX-related questions? If so, send them to us via email at info@yourams.com.