Sarbanes-Oxley

Although Sox 404 has been in existence for large public companies since 2002, it is still not fully operationally embedded within all ‘small entities’ (nor, necessarily, within the larger public organizations, as it ought to be after six years). Last year, 2007, witnessed many important developments in this area and, by all accounts, Sox 404 is still a work in progress. Despite Sarbanes-Oxley, the SEC continues to process numerous embezzlement and fraud cases, with prison time being the outcome.
Back in the early '90s, 'quality' came to be viewed as applicable beyond manufacturing, and service organizations started embracing its concepts. It only became embedded (functional and valuable), as it is today, when management encompassed ‘quality’ within strategic initiatives and mission statements. Sox 404 and internal control management need to follow that same path without repeating the same mistakes or incurring unnecessary costs. You must ask the right questions and determine what it takes to get there!


In 2007, the PCAOB issued Auditing Standard (AS) 5, replacing AS2, which had caused a great deal of ‘confusion’ and overzealousness regarding its application. In October 2007, the PCAOB released its Guidance for Auditors of Smaller Public Companies; three months prior, the SEC published an interpretive release (33-8810), effective June 27, 2007, to provide guidance for management regarding its evaluation and assessment of internal controls over financial reporting. Additionally, Sox 404 will extend into the non-profit sector, and even very small companies ought to seriously consider implementing it voluntarily to gain a competitive edge in negotiations with vendors, banks, lenders and potential partners.


It is critically important that Sox 404 become embedded within the corporate culture (effectively, a control mindset within each employee) from the top down. This ‘change and/or attitude’ can only be achieved by training and by incorporating 'compliance' into performance incentives and employee evaluations. For small (micro) entities (SMEs), this can create both cultural and political difficulties, because management resists such controls, viewing them as adding only cost and no value. Although this view could be construed as probably true within a very limited group (i.e. family-owned businesses), it is a misplaced perception when applied to the entire population of small-to-medium-sized organizations and SMEs.


Evidence shows that management themselves may be dishonest and committing fraud, and that, where internal controls are poor or inadequate, employees with sufficient access can either keep transactions 'off the books' or create fictitious transactions. The discovery of such acts could potentially destroy a business's reputation and seriously damage key business relationships with customers, vendors and financial institutions, especially with respect to raising capital and demonstrating the ability to comply with debt covenants. Management will then have to reestablish that they are in control and can be trusted, a less than simple task in a very competitive and unforgiving world.


Also, any private company that is planning an IPO (going public) needs to embrace the “Sox/control culture” at least a year ahead of the planned 'road show'. Today the trend is towards packaging all compliance efforts into a single, targeted objective to manage all perceived risks. The Institute of Management Accountants recently issued a press release, “IMA Launches New Finance, Governance, Risk and Compliance (FGRC) Research Practice with Discussion Paper on Root Causes of Financial Restatements” (Montvale, N.J., February 12, 2008):
 “FGRC integrates three areas that have become critical factors for leading CFO teams around the globe: governance, the set of accountabilities and alignment of responsibilities in an organization; risk, including ERM (Enterprise Risk Management); and compliance, the system of internal controls to satisfy regulatory, industry and organizational requirements. IMA’s FGRC research practice is focused on broadening its advocacy initiatives and educating management accountants and organizations about producing right, reliable and relevant financial information for an organization’s stakeholders using risk, performance and quality assessment techniques across the supply chain.”

In addition to being viewed as part of a comprehensive approach to managing risk and compliance efforts, Sox 404 compliance will also impact the adoption of IFRS (International Financial Reporting Standards). Key internal controls will need to be reevaluated and process flows reengineered, as IFRS will change the way financial information flows amongst and between organizational units/subsidiaries and intra-company departments.
Where do we go from here?

  • Sox compliance will become part of an integrated GRC approach.
  • Sox compliance (PCAOB-AS5 and SEC Internal Control Guidance) is critical to pre-IPO planning and raising capital.
  • Employees need training and understanding of controls and process flows (corporate culture).
  • Human Resources managers will need to understand compliance, initiate training and reevaluate hiring criteria and interview techniques.
  • Management will need to redefine performance standards and incentives and create strategic objectives to fully meet and embrace GRC concepts.
  • IFRS convergence will create a need/demand to reevaluate process flows and identify new key internal controls.
 


© 2000-2008 The Change Group, Inc.