SOX for private companies: How audit changes for 2007 will affect corporate America?

Beginning in 2007, CEOs of private companies will begin to feel the effects of the Sarbanes-Oxley Act (SOX), as new audit standards and practices are imposed that will interject business owners into the middle of the process.

The accounting failures of companies like WorldCom and Enron have had a substantial impact on the accounting and governance practices of public companies. In 2006, eight new audit (aka “risk assessment”) standards were issued. Designed to improve the quality of audits and make the process more effective, the new standards require greater involvement and personal accountability on the part of the CEO for information provided to auditors, even when the company’s stock is not traded on Wall Street.

“The change applies to private companies of all sizes,” says Rick Smetanka, partner with Haskell & White LLP. “This is an example of audit reform going through the public-company veil and piercing the private-company world.”

Smart Business spoke with Smetanka about what private-company CEOs can expect from the changes and how they can prepare to comply.

What do CEOs need to know about the changes in audit standards for 2007?

Accompanying the enactment of Sarbanes-Oxley in 2002, the authority for issuing audit standards for public-company audits was taken away from the American Institute of Certified Public Accountants (AICPA) and ultimately given to the Securities and Exchange Commission (SEC).

The recent changes in private-company audit standards reflect many concepts already adopted in public-company audits. They were conceived with the goal of improving the quality and effectiveness of private company audits. CEOs need to understand that prospective audits likely will be more focused on internal control, business risks and specifically tailored audit tests.

How will this change the way audits are conducted?

One impacted area is risk assessment. Now it will be necessary for the auditor to spend more time with the CEO and understand the key processes and controls the company has in place, in order to review and assess the effectiveness of the internal control system.

As an example, a controller at a small company may handle the complete flow of financial transactions, such as entering vendors in the system for payment, cutting checks, creating general ledger entries and performing bank statement reconciliations. As this is not ideal from a control perspective, we might recommend introduction of a key control to separate certain of these incompatible functions.

Further, in order to complete the balance of the risk assessment, the auditor will need to have a more thorough understanding of the business and the environment in which it operates. With this deeper understanding, the auditor will be better able to design specific audit tests that address identified external or internal business risks, such as competitive market forces, pressure from investors or lenders to satisfy financial benchmarks, or product obsolescence risks.

How can CEOs make certain their company is in compliance?

That responsibility falls principally to the auditor. After the CEO contracts with the audit firm, it is up to the financial professionals to know and execute the standards and to educate their clients with respect to changes in the audit process.

At the conclusion of the audit, the CEO should expect the auditor to present a letter summarizing deficiencies in the company’s internal control. Implementation of the new audit standards will require more time on the part of the CEO in order to share his/her perspective of the business and related risks, and more time on the part of the auditor to gather such information and assess it. While this might mean that audits will be lengthier and incur more billable hours, the private-company CEO will benefit from the opportunity to strengthen and streamline internal controls and business processes.

What actions can CEOs take now to be ready for these changes?

First, they can conduct an internal review of key processes and controls with the purpose of assessing the strengths and weaknesses of their system, and as a way to become familiar with the key controls they rely on and areas where the organization may have gaps in controls.

Second, they should adjust their expectations of the audit process, knowing that it will take more time and more involvement and commitment from both the CEO and the company’s accounting team.

Third, they should understand the spirit in which the recommendations are given. The accounting profession certainly has taken its lumps in recent years, but our goal is to improve our clients’ businesses and make them more effective and efficient.

RICK SMETANKA is the partner-in-charge of Audit and Business Advisory Services with Haskell & White LLP. Reach him at (949) 450-6313 or