At a recent Two Step Software webinar entitled “Lessons Learned in 2007: A Recap of Stock Option Reporting Updates,” more than half the audience of financial executives responded that they had not taken any steps to prepare for the new risk assessment auditing standards that apply to non-public companies (Statement on Auditing Standards 104-111), despite the fact that, according to Dan DeVasto, the CEO of Wolf & Company, P.C., these changes to the audit standards are some of the most significant in two decades.
As explained by his partner Scott Goodwin, non-public companies are not subject to the Sarbanes-Oxley Act and so are not required to provide the same types of certifications and management reports as public companies. Even so, the audit standards by which the internal controls of non-public companies are going to be reviewed are now relatively similar to those of public companies (SAS 104-111 from the AICPA for non-public companies; Auditing Standard 5 from the PCAOB for public companies). In both cases, auditors will be using a COSO-type framework to assess whether a company’s internal controls over financial reporting are sufficient and will need to advise the audit committee if they are not. Of course, for a non-public company there is no requirement that the executives provide a Sec. 302 certification, that management provide a Section 404(a) report, or that the auditors provide a Sec. 404(b) opinion (which is not yet required for smaller public companies).
Question: Why are public companies spending significant amounts of money addressing their internal controls to comply with Sec. 404 of SOX and satisfy AS 5, while GAAP-reporting venture-backed companies are largely paying little attention to satisfying SAS 104-111, even though the exercise that their auditors will be going through in evaluating the sufficiency of the internal controls over financial reporting will largely be the same for both types of companies?
Answer: For a non-public company, there is no threat of public embarrassment, lower share price, and criminal penalties for the company and management if they do not satisfy the internal controls requirements. There is only the risk that an audit will take longer and become more costly, and that the audit firm will be required to document and communicate any material weaknesses to management and “those charged with governance” (SAS 112).
Let’s Ask: With the impact of SOX clearly being felt by non-public companies already, through pressure and covenants from investors, lenders, insurers, and other stakeholders, is it really necessary to add the threat of criminal sanctions to encourage companies that plan to be acquired by publicly-held companies in the near future to raise the level of their internal controls over financial reporting?
I hope not. Maybe through sufficient education on the benefits that companies receive by adopting good corporate governance and appropriate internal controls over financial reporting, we can prevent “SOX Lite” from becoming mandatory for companies without public investors. Hopefully, instead, sufficient oversight can be provided by audit committees and directors of venture-backed companies that hope to one day become public themselves or be acquired by publicly-held companies. Better internal controls over financial reporting are relevant to any company that is looking to increase its value in the financial marketplace. Every venture-backed company finds this out during the business due diligence process, which is eventually when the “rubber meets the road.”