Editor: Please tell our readers about the scope of your duties.
Valaitis: I am responsible for Amper Risk Advisors, which is the risk-consulting division of Amper, Politziner & Mattia, the ninth largest auditor of public companies and the thirtieth largest public accounting firm in the U.S.
Amper Risk Advisors has two primary practice areas - the technology risk services group and the internal audit services group. We service middle market to Fortune 2000 clients in all industries, including biotechnology, insurance, healthcare, manufacturing, banking, pharmaceutical and high tech.
Schroeder: I am the officer leading the technology risk services practice. We provide a number of services associated with the identification and management of technology-related risks to the markets that Ed mentioned. For example, we help our clients manage risks associated with financial processes, financial reporting, network security and privacy, as well as compliance with various regulations such as Sarbanes-Oxley, HIPAA, SAS 70, Systrust and banking regulations. We also identify and manage risks associated with business operations and the risk that your technology and business processes may not be supporting the effective operation of your business.
Smith: I am the director of the internal audit services practice of Amper Risk Advisors. We provide internal audit resources, outsourcing and co-sourcing of traditional and nontraditional internal audit services for clients. In recent years, we have been putting forth a significant effort into Sarbanes-Oxley documentation, compliance testing and assistance to management in a number of different consulting capacities in addition to co-sourcing internal audit functions.
Editor: What have you found in your experience to be the most vulnerable areas of companies' internal controls?
Smith: We find that management understands their revenue and expenditure cycles - what cash is coming in and what cash is leaving their businesses. Some areas of concern that have been identified are in financial reporting and information technology. These are significant risk areas with fewer documented controls where there has been a reliance on their auditors to find and correct mistakes.
We look for the tone at the top of an organization. We examine if a company is control-oriented, finance-oriented, or if it is very entrepreneurial in nature. On an entity level many smaller and mid-level companies are very entrepreneurial in nature, interested in getting the contract signed and in-house. There can be more risk in an entrepreneurial organization. There is nothing wrong with being entrepreneurial as long as there are internal controls, providing checks and balances.
Editor: Do you still find consistency in revenue recognition a problem for some companies?
Smith: That goes back to the reliance that many smaller companies had on their external auditors to be their accountants and advisors. With accounting these days there can be very technical issues on revenue recognition. Companies do not always have adequate in-house technical resources to understand and come up with the appropriate conclusion, in many cases owing to cost cutting of in-house resources. Now with independence rules for public companies, we are finding in our internal controls work that we have become the external consultants in accounting to many of these clients, assisting them via our technical expertise.
Valaitis: A particularly vulnerable industry for revenue recognition issues has been the software industry.
Editor: Just recently the SEC proposed some relief for smaller public companies, foreign private issuers and recently filed IPO issuers in filing management's first assessment of the effectiveness of internal controls and an auditor's attestation report. Even though more breathing room has been granted, what do you suggest that companies falling into these categories do today in preparation for these filings?
Schroeder: We would suggest that companies take advantage of this time and not be lulled into thinking that they should not be starting now to get their houses in order. Effective governance can take some time to deploy and implement, especially if done in a cost-effective manner. When done properly, Sarbanes-Oxley Section 404 can be a great yardstick and motivator to improve overall governance.
We know from the experience of accelerated filers that delaying the start of SOX 404 compliance initiatives increases the cost and complexity of compliance and reduces the company's options in terms of deploying cost-effective approaches to achieve 404 compliance. In some cases compliance can be achieved in a short period of time, but not cost-effectively. When companies take a comprehensive risk-based approach to Sarbanes-Oxley, they can identify the full range of options for improving supporting businesses and the technology infrastructure, both of which improve business effectiveness and efficiency. Well-designed processes and the alignment of technology can yield a solid, cost-effective control structure. This takes a well-thought-out approach and much more time than scrambling together an assessment in a few months.
Valaitis: Sarbanes-Oxley has become the de facto U.S. standard for an acceptable level of internal controls, documentation, monitoring and testing. From a legal counsel perspective, whether you are a public, private or nonprofit company, if there are ever fraud, revenue recognition or internal control issues of any kind, it is likely that the judiciary standard will be related to Sarbanes-Oxley. Judges and juries may look at whether your firm's executives achieved the level of fiduciary responsibility Sarbanes-Oxley legislation established. Companies have the burden of making sure they have implemented this high standard of internal controls or otherwise risk being viewed as negligent.
Editor: As a firm that will give an auditor's attestation report, what direction do you give management in order to make your report complete and without conditions?
Smith: We give them the advice to start early and put together a comprehensive risk assessment - analyze from the top down what the company is about and what the risks are within the company. In the first year of an audit we need to perform a complete review of the internal controls, the first year being the time when more scrutiny is given than in subsequent years. Companies should document and test controls early so that any issues can be corrected quickly.
We explain to management that they need to start from the top down and work through all the documentation needed for management's assessment. Management should advise their external auditors throughout the process so that they understand the methodology and the steps taken to complete the assessment.
Schroeder: One point of emphasis that has been problematic for many filers is to understand what a comprehensive risk-based approach means. They should start with that understanding along with a logical definition of how they define controls that are relevant and meaningful for Sarbanes-Oxley purposes. They should also look at how they established those controls, conducted the tests of controls, compiled supporting evidence, and documented their overall conclusions. If the external auditor is to rely on management's assessment, the logic associated with that assessment needs to be transparent and obvious. Any tests and results that they concluded would be replicable by the auditors. If management follows a risk-based approach, conducting and documenting their test accordingly, then the external auditor may be able to rely on the tests conducted by management. That, in turn, will affect the external auditors' substantive test plans and make the audit activity much more efficient than it would be otherwise.
Editor: Do you recommend educational programs for employees?
Schroeder: Exposures and vulnerabilities can arise throughout a company now that everyone is networked in - with email and Internet access. The responsibility for effective security really is incumbent on every employee in the company. In a lot of cases the understanding of the controls and how to test them and their relevancy, even from a technology perspective, may not be obvious to even the IT management personnel. Delivering that service and managing the technology require a knowledge of what the controls are and how to ensure that they are operating effectively.
Smith: Education is very important. Everyone in the company should understand what internal controls are as well as the tone of the organization. People within a company need to have the ability to push back, suggest additional controls and question things that are going on. With the help of training, each business process owner will understand what those controls are and be ready to implement them.
Valaitis: Training throughout an organization is a must. For example, regarding 302 certifications, process owners often have to sign sub-certifications, agreeing that internal controls are being observed.
Editor: Does the firm often play the role of reviewing a company's control systems preliminarily to the audit done by the primary audit firm for purposes of SEC reporting?
Smith: Yes. Management is requiring that there be preliminary audits and tests of internal controls to give the companies a chance to remediate any potential issues that arise. Preliminary audits are on the rise.
Editor: Would you comment on the interplay between compliance and good governance?
Valaitis: Amper Risk Advisors' core philosophy incorporates the three concepts of governance, risk and compliance. There is definitely a convergence occurring in the marketplace. While they will not converge into one concept or function, there is a closer interplay among all three as a requirement going forward. Anecdotally, I was at a recent compliance conference designed originally for finance executives where nearly 50 percent of the attendees were general counsel. It is apparent that the issues relating to appropriate governance, compliance and risk impact all areas of the organization, requiring a higher level of communication and cooperation than has historically been true. When people talk about the ROI of Sarbanes-Oxley, one of the eventual returns on investment could be a direct result of the increased levels of communication and cooperation throughout the firm as these three areas of responsibility start to converge. Everyone has part of the responsibility for understanding the controls environment and potential risks.
Schroeder: Governance and compliance are not mutually exclusive. In many respects, if we look back at how we structured organizational processes and technologies, both can be achieved simultaneously. The resulting leverage can drive more efficiency.
Editor: How do you view the prospects for new demand for counseling services?
Smith: We see a large requirement for a second accounting/consulting firm that assists the mid-level and small companies in completing their filings and complying with internal controls. Firms like ours have a great opportunity to provide that service to these companies.