MFA - Moody, Famiglietti & Andronico, LLP

Archive for the ‘Audit’ Category

More SOX relief in the works?

May 18th, 2010 by Michelle Mackey

The SOX debate continues. As noted in a recent Compliance Week post, the Senate is gearing up to take on financial reform, and the SOX 404 discussion is emerging again; this time it is being debated by Congress rather than by the SEC. Senator Mary Landrieu (D-LA), Chairman of the Small Business and Entrepreneurship Committee, and six other Senator co-sponsors have filed a three-pronged amendment (S. 3785) to the Senate financial reform bill (S. 3217) that would exempt public companies with a market capitalization under $150M from the auditor attestation requirement of SOX 404(b). The amendment also calls for a new study on how to reduce the compliance burden for companies with market capitalizations between $150M and $700M. Lastly, it includes a recommendation on whether the exemption should be extended to larger companies above $700M.

Back in December 2009, the House-approved version of the bill (H.R. 3817) included a similar amendment exempting companies with market caps of less than $75M. It is worth noting that this amendment passed the House over the strenuous objections of the Chairman of the Financial Services Committee, Congressman Barney Frank (D-MA). As Compliance Week writes, the “issue is a lightning rod for controversy. Most business groups and companies support measures to rein in 404(b). However, most investor and consumer groups strongly oppose any exemption from the provision.”

Sarbanes-Oxley is widely considered the most costly regulation imposed on public companies. The two components that have been debated since its inception are 404(a) and 404(b). The difference between the two: SOX 404(a) only requires company management to assess and report on its internal control environment, while SOX 404(b) requires an external auditor to attest to (i.e., actually audit) the company’s internal control environment.

For companies with market caps over $75M, undergoing the external audit (the 404(b) component) has been an annual event since 2004. The SEC has deferred the requirement for companies under $75M numerous times, but as it currently stands, all companies with fiscal years ending on or after June 15, 2010 must comply, unless Congress now changes this too.

Whichever direction the final bill takes (the House and Senate must eventually agree on a market cap threshold), all companies will still be required to comply with SOX 404(a). The bottom line, whether or not you need an external audit, is that MFA still believes it is in the interest of every publicly traded company to ensure it has adequate controls, and adequate documentation supporting those controls, in its internal control environment. Who wants to be the next SEC test case?

Minimizing risk with internal controls audits

January 13th, 2010 by Will Andronico

A recent fraud case caught my attention as it brought to life the concern I expressed in a November post (Small companies may get SOX audit relief). I wrote that “internal controls will always be a crucial piece of the business that streamlines financials and paves the way for airtight fraud prevention, regardless of audit requirements.”

Here we are less than two months later, and CFO Magazine is reporting on the fallout from a fraud case that could have been avoided with a better check on internal controls. The article cites the case of Koss Corporation, a small public company that was not subject to an internal controls audit and which appears, on the surface, to have lacked sufficient segregation of duties. They paid dearly for it: a company Vice President is accused of skimming more than $4.5 million for personal expenditures over a two-year period, a loss that a thorough audit of internal controls may well have uncovered or prevented. As James D. Ratley, President of the Association of Certified Fraud Examiners, indicated in the article, the fraud may have been deterred simply by the knowledge that auditors would be coming in to specifically audit internal controls.

This example will weigh heavily in the arguments against permanently eliminating the audit requirement for non-accelerated filers.

March deadline for Massachusetts Privacy law

January 5th, 2010 by Matt Pettine

One of the most significant tasks introduced in 2009 came from the new regulations under the Massachusetts Privacy Law, which require a slew of changes to administrative and security processes. Compliance calls for a significant overhaul at many companies, and the deadline is just around the corner: March 1, 2010. The marketplace has demonstrated an urgent need for a new standard of information protection, so we do not expect a great deal of leniency for those that fall behind. Companies need to take the new law seriously, gear up, and put appropriate defenses in place around the personal information of their employees and customers.

This is without question a daunting call to action; the need for the law, however, is not in question. A report published by the Office of Consumer Affairs and Business Regulation (OCABR) [PDF] notes that since 2007, over 1 million Massachusetts residents have been affected by security breaches. The report states that 495 incidents were criminal in nature, while 312 “generally demonstrated poor employee handling of residents’ personal information, including transporting sensitive data, either in disregard of company policies, or in an environment without sufficient policies in place to secure such information.”

A few additional findings from the report include:

- The OCABR received 807 notifications of security breaches

- Most breaches (76 percent) were electronic in nature

- It may have been expected that financial services breaches affected the highest number of individuals (707,305), but it is perhaps surprising that the second greatest impact came from incidents in the education sector (130,161)

The law takes aim at improving defenses against the criminal element while shoring up processes to reduce the risk of negligent handling of data. Most importantly, by the letter of the law it applies to all persons that “own or license” personal information about a resident of the Commonwealth, including any individual or company that “receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of goods or services directly to a person that is subject to this regulation.”

That means pretty much everyone.

The most important step toward compliance may be the WISP, a Written Information Security Program that ensures the security and confidentiality of personal information in both physical and electronic form. The actual scope and complexity of a WISP will vary with an organization’s size and line of business, the resources available to it, the nature and quantity of the data it stores, and the need for security and confidentiality of both consumer and employee information.

There is of course much more to understand before diving in. We encourage you to read our 2009 Perspectives article for more detail, including specific action items and the consequences of failing to comply.