On May 23, 2007 the SEC stated that they had unanimously approved interpretive guidance, particularly aimed at non-accelerated filers[1] to help these publicly traded companies strengthen their internal control over financial reporting (ICFR) while reducing unnecessary costs.

The SEC intends that the new guidance enhance compliance under Section 404 of the Sarbanes-Oxley Act of 2002 by focusing company management on the internal controls that best protect against the risk of a material financial misstatement.

Like the almost 6,000 public companies compelled to follow Sarbanes-Oxley beginning in 2002 (“Accelerated Filers”), over 6,000 small and micro-cap companies (“Non-Accelerated Filers”) now will be required to implement the SOX requirements.

Under the new rules:

• Management reporting requirements of Section 404 become effective for non-accelerated filers for fiscal years ending on or after December 15, 2007.
• Auditor reporting requirements of Section 404 become effective for non-accelerated filers for fiscal years ending on or after December 15, 2008.
• Section 404 management and auditor reporting requirements become effective for newly public companies beginning with their second annual report.

WHAT DOES THIS MEAN TO ME AS A NON-ACCELERATED FILER?

If your Fiscal Year End is December 31, you must file a management report with the SEC by the end of 2007.

WHAT IS A MANAGEMENT REPORT AND WHAT DO WE NEED TO DO?

As a way to protect investors, the Management Report has been designed to describe management’s view of how well their Risk Control Framework (for Financial Reporting) is both designed and working. Further, it offers evidence to support that view.

A Risk Control Framework explains the risks to a company that could significantly impact that company’s financial statement, such as various types of fraud, and then matches that risk to a control (or controls) designed to mitigate it. Specifically, meeting the requirements of Sarbanes–Oxley 404 means that a company will go through the following five step process:

1. Explain their risk control framework.
2. Decide and describe how well management believes their controls should cover their risks.
3. Show evidence that they have tested the controls well enough to ensure the controls actually are operating.
4. Remediate any problems found. For instance, to design controls where risks are considered high enough and are poorly controlled or to fix a well-designed control that is not working properly.
5. File the Management Report with the SEC that identifies material weaknesses in the framework.

When a non-accelerated filer is in its second year of filing, another step is required:

6. Pay for an independent Audit to attest to management’s findings. These auditors review management’s work and independently test the control structure and deliver their own opinion as to how well the risk control is designed and how well it is working.