<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Would SOX 404(b) Have Protected Koss?</title>
	<atom:link href="http://cfo.markbaileyco.com/accounting/would-sox-404b-have-protected-koss/feed/" rel="self" type="application/rss+xml" />
	<link>http://cfo.markbaileyco.com/accounting/would-sox-404b-have-protected-koss/</link>
	<description>Resources for Public Company CFOs and Controllers</description>
	<lastBuildDate>Tue, 24 Jan 2012 16:45:34 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Richard Archer</title>
		<link>http://cfo.markbaileyco.com/accounting/would-sox-404b-have-protected-koss/comment-page-1/#comment-7485</link>
		<dc:creator>Richard Archer</dc:creator>
		<pubDate>Fri, 23 Apr 2010 16:25:43 +0000</pubDate>
		<guid isPermaLink="false">http://cfo.markbaileyco.com/?p=420#comment-7485</guid>
		<description>Although I have had a lot of business over the last 8 years providing SOX compliance services to companies, I agree completely with the premise of this article that SOX 404(b) would probably not have either prevented or discovered the fraud at Koss. From comments by the CEO, it was clear that he placed no value on internal controls in any significant form. His lack of real business experience in any environment other than Koss and his total abdication of oversight in favor of trust placed in the principal accounting officer would likely have resulted in him finding ways to excuse the improper actions of the accounting officer, even if they had been identified. And, if the company had already been subject to 404(b) external audit of controls requirements, it could have minimized the potential for an adverse controls opinion by designing 2nd person review/approval procedures that could have given the appearance of effective control design and operation without actually providing any cross-check on control failure risk as a result of segregation of duties. As mentioned in the article, the size of the fraud was significant enough that normal auditing procedures, if the auditors had applied a reasonable level of auditor skepticism, should have been adequate to identify the fraud without SOX 404(b).

However, I disagree with the view that SOX compliance does not provide benefits to smaller companies in relation to the costs incurred. Basically, I challenge the SOX compliance costs presented in the article. Any public company the size of Koss ($50 million in revenues) that is paying $250,000 even for 1st year compliance either has near zero internal controls at any level or is being grossly overcharged for both its compliance and internal control audit. Under AS 5, COSO for Smaller Public Companies, and the SEC&#039;s guidance to management, there is no reason that a company under $100 million in revenue should be paying more than $100 thousand for compliance and $25 thousand additional for a 404(b) audit under the single audit, single report approach allowed under AS 5. In fact, for companies in the size range of Koss, there are tools &amp; compliance methods available that should allow compliance for even less. And, as I&#039;ve stated, that should only be for 1st year compliance. Compliance in subsequent years should be lower than that by at least 25%. If your company is a smaller public company and is paying $250,000 for SOX compliance, you need to find a new advisor or bring someone in to assist you in defining a more cost-effective approach and negotiating with your external audit firm to achieve effective audit compliance meeting all standards at a lower cost to the company.</description>
		<content:encoded><![CDATA[<p>Although I have had a lot of business over the last 8 years providing SOX compliance services to companies, I agree completely with the premise of this article that SOX 404(b) would probably not have either prevented or discovered the fraud at Koss. From comments by the CEO, it was clear that he placed no value on internal controls in any significant form. His lack of real business experience in any environment other than Koss and his total abdication of oversight in favor of trust placed in the principal accounting officer would likely have resulted in him finding ways to excuse the improper actions of the accounting officer, even if they had been identified. And, if the company had already been subject to 404(b) external audit of controls requirements, it could have minimized the potential for an adverse controls opinion by designing 2nd person review/approval procedures that could have given the appearance of effective control design and operation without actually providing any cross-check on control failure risk as a result of segregation of duties. As mentioned in the article, the size of the fraud was significant enough that normal auditing procedures, if the auditors had applied a reasonable level of auditor skepticism, should have been adequate to identify the fraud without SOX 404(b).</p>
<p>However, I disagree with the view that SOX compliance does not provide benefits to smaller companies in relation to the costs incurred. Basically, I challenge the SOX compliance costs presented in the article. Any public company the size of Koss ($50 million in revenues) that is paying $250,000 even for 1st year compliance either has near zero internal controls at any level or is being grossly overcharged for both its compliance and internal control audit. Under AS 5, COSO for Smaller Public Companies, and the SEC&#8217;s guidance to management, there is no reason that a company under $100 million in revenue should be paying more than $100 thousand for compliance and $25 thousand additional for a 404(b) audit under the single audit, single report approach allowed under AS 5. In fact, for companies in the size range of Koss, there are tools &amp; compliance methods available that should allow compliance for even less. And, as I&#8217;ve stated, that should only be for 1st year compliance. Compliance in subsequent years should be lower than that by at least 25%. If your company is a smaller public company and is paying $250,000 for SOX compliance, you need to find a new advisor or bring someone in to assist you in defining a more cost-effective approach and negotiating with your external audit firm to achieve effective audit compliance meeting all standards at a lower cost to the company.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

