
A Small Uproar over 404

Two CFOs sound off about the disconnect between the costs and benefits of complying with the internal-controls provision.

Marie Leone, CFO.com | US
March 17, 2006


What does work

The only feedback I have from the CFOs of those companies least likely to have controls, and least likely to comply with SOX, or any other known standard, is that it costs too much. So, tell me exactly what does fit in your world of milking the company dry? Know what your lunatic rhetoric reminds me of: If we can't play heads I win and tails you lose, I'm going to get my ball and go home.

Posted by Robert Olds | Mar 22, 2006 4:13 PM ET

The Core of It...

Understanding the plight of smaller companies facing SOX compliance and the associated financial burden, it appears that the issue at hand, at the core of it, is the archaic methods used to achieve SOX compliance. The methods proposed by the Auditors are lengthy and onerous and frankly are overkill to nearly all organizations big or small.



Three simple steps can quickly narrow the scope for small organizations and keep costs down.



• First, significantly narrow the scope through a risk-based approach and assessment. Assessing not only the 'Severity' of risks to financial reporting but also the 'probability of occurrence' as well. Priority of which risks to focus on can be obtained by using a scale of 1 to 10 to measure a risk's Severity and Probability of Occurrence. These are then added together to give you a priority number. Small businesses can narrow their scope by concentrating on the risks with the highest ranking or priority number.



• Second, apply one (1) control to one (1) risk where the control has significant strength to neutralize the risk, again demonstrated by ranking using a scale of 1 to 10 to measure the strength of the control. For example, a control with a ranking of 1 is unlikely to detect or prevent the risk whereas a control ranked as 10 will always detect or prevent the risk. By reducing the number of controls that require year-over-year testing the cost is further reduced.



• Third, anyone with a business degree can prove 'quantifiable control' over financial reporting in an efficient manner by applying statistics to prove internal controls are in control. All it requires is that management defines a tolerance range of acceptable performance of their controls, and then monitors the performance measurements.



This final step requires the adoption by the PCAOB as a valid method to prove internal control. Statistical methods to demonstrate organizational health have been used successfully for a number of years, and applied in this method would drastically reduce the scope and costs associated with SOX compliance.



Susan Smith, President

Lean SOX Inc.

www.leansoxINC.com

Posted by Susan Smith | Mar 18, 2006 6:42 PM ET

detail vs goal

As usual we are trying to regulate the detail process by rules instead of setting the goal and measuring compliance. Example: When to record revenue? Answer: when you have equity. What is equity? Equity is that part of the transaction free from any 3rd party control AND represented by undisputed documents of receivables and/or contract provisions that transfer equity during the process of the transaction.

The college professors and legal folks can make that definition more universal but that type of standard is easy to audit, easy to establish control over and is not burdensome to any size business. AND, it will take up a lot less reading time vis a vis 404.

Posted by Milton Bulloch | Mar 17, 2006 12:01 PM ET