An Accountant’s Look at the Changing Horizons within SOX 404 Presented to Colorado Bar Association’s Securities Law Group Presented by Bill Evert Hein & Associates LLP September 21, 2006

Why should companies care about controls? Fraud Lost revenues SOX 404 compliance Personal liability

SOX 404 – Management Requirements Currently effective for accelerated filers ($75MM public float, etc.): Incorporate within the Company’s Form 10-K a report that: –Acknowledges responsibility for establishing/ maintaining adequate internal controls over financial reporting –Identifies framework used (COSO) –Assesses effectiveness at end of fiscal year –Confirms independent auditors issued attestation report on management’s assertion

Example Reporting Scenarios Situation Management’s Report Auditor’s Opinion on Management’s Assessment Effectiveness of ICOFR No material weakness identified. Internal control effective. Unqualified Material weakness identified by management and auditor. Internal control not effective. UnqualifiedAdverse

Example Reporting Scenarios Situation Management’s Report Company has one or more material weaknesses, but management’s assessment indicates internal control is effective. Issue adverse opinions on both management’s assessment and internal control. Management fails to fulfill its responsibilities regarding the internal control assessment. Communicate to management and the Audit Committee. Disclaim opinions. Consider possible additional auditor responsibilities.

Deficiencies – Conceptual Definitions Classification of Deficiency Likelihood of Misstatement Potential Magnitude of Misstatement Internal Control Deficiency RemoteORInconsequential Significant DeficiencyMore than remoteANDMore than inconsequential Material WeaknessMore than remoteANDMaterial A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met:

Current Events – Moving Targets New guidance: Remediation Standard (AS4) New SAS standard New COSO framework for small businesses (July 11, 2006) Coming soon: New SOX 404 guidance regarding non-accelerated filers and IPOs Guidance for companies implementing SOX 404 Revised AS2

Issues/Pitfalls Encountered Lack of: ― Lead time/resources/game plan ― Effective communication between auditor and client ― Motivation in second year Issues: ― Late start (prevents integrated audits and rising costs) ― Multiple operations/foreign subsidiaries ― Company’s GAAP and SEC expertise ― Consequences of adverse and disclaimer opinions ― Controls at outsourced service providers

Why is SOX 404 so difficult (and costly)? 1.Definition of significant deficiency “more than inconsequential”: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential. 1.Must have controls over all of the relevant assertions over all significant accounts and footnotes. 2.Materiality and deficiency evaluation. 3.Testing of attributes, not dollars - “What could go wrong; not what does.” 4.Adjustments the auditor finds.

Why should private companies adopt SOX? Better controls thereby: likelihood of fraud ― Decreasing the likelihood of fraud ― Increasing operational efficiency Exit strategy? SOX will eventually become the standard by which companies are judged New audit standards CHANGE IS GOOD YOU GO FIRST

Components of the Control Environment 1.Integrity and ethical values 2.Commitment to competence 3.Board of Directors and Audit Committee 4.Management’s philosophy and operating style 5.Organizational structure 6.Assignment of authority and responsibility 7.Human resources policies and practice

Why control environment is so important The following circumstances are at least a significant deficiency and a strong indicator of the existence of a material weakness per AS2. Restatement of previously issued financial statements. Auditor’s identification of a material misstatement in the current year audit that was not initially identified by the Company. Ineffective Audit Committee oversight. An ineffective internal audit or risk assessment function, if critical to reliability of Company’s financial reporting process. An ineffective regulatory compliance function in highly regulated companies if functions could have a material effect on the reliability of financial reporting. Identification of fraud of any magnitude on the part of senior management. Previously communicated significant deficiencies that remain uncorrected after a reasonable period of time. An ineffective control environment.

Oversight by the Audit Committee and Board Nature and frequency of meetings Consideration of fraud when reviewing: ― Accounting principles ― Non-routine transactions Evaluation of management’s assessment of fraud risk Discussion with auditor’s potential fraud areas

Risk Assessment Systematic process Consideration of potential fraud schemes: ― Types of fraud ― Fraud triangle Assessment of risk at all levels Evaluate likelihood and significance of risks Assessment of exposure Document oversight by Audit Committee