The Sarbanes-Oxley Act of 2002 requires the documentation and testing of a company’s internal controls. This is known as “Section 404 Compliance”. These controls not only must be put in place, but they must be documented, and management must review them for effectiveness. Management must then disclose the results of their review of controls.

The SEC has recognized that compliance with this requirement could be a significant burden for small public companies (with a market capitalization less than $75 million), and has postponed small company compliance a total of four times, most recently in November, 2009. The SEC has stated that there will be no further postponements, and small public companies will be required to have their internal controls audited beginning with their fiscal year ended after June 15, 2010.

IncFin, LLC was founded by a CPA and former public-company CFO. We understand small-company financial reporting from management’s perspective: We have been there. We have developed a very cost-effective, efficient process for helping small public companies meet their Section 404 requirements.

We have based our process on The SEC’s Interpretive Guidance, on the COSO small company framework, and Auditing Standard No. 5. We have also designed our process in a flexible fashion, allowing company personnel to do as little or as much of the work as management would like.

IncFin’s approach to 404 compliance takes full use of the SEC’s guidance, which strongly recommends a risk-based approach. We do not waste time documenting and evaluating a process which has a small likelihood of generating a material error. Instead, we focus on high-risk areas.

Here is the summary of our approach

I. Establish the Process:

• Communicate with management, the board of directors, and outside auditors.
• Set up a program of weekly conference calls with company personnel. Note that we will visit the site if appropriate, but we have found that costs can be significantly reduced if we work remotely from our office.

II. Process and Controls Identification:

• Identify the company’s processes, and write narrative descriptions.
• Create flowcharts only when necessary for complex processes.
• Identify Key Controls and enter into Controls Matrix.
• Review any prior restatements resulting from disclosure errors.
• Identify entity level processes and controls.

III. Risk Evaluation:

• Review each process for the likelihood that a material error could be generated.
• Include an analysis of the risk of fraud.
• Enter risks into the Controls Matrix.

IV. Evidence:

• Gather evidence regarding the structure and effectiveness of controls.
• Focus on Key Controls, and on high-risk processes.

V. Work Product:

• Controls Matrix
• COSO Matrix
• Narratives and risk analysis

VI. Evaluation and disclosure:

• Review results and evidence, and help management develop their assessment.
• Assist management in developing the appropriate 10-K disclosure.

We would like to emphasize the following points:

• The current SEC guidance emphasizes the use of judgment, and reliance on entity level controls. We feel this approach is very reasonable and allows small companies to comply with Section 404 in a cost-effective manner.
• Our approach is flexible in that the Company can do as much or as little of the hands-on work as they choose. This allows for significant cost savings.

We urge you to contact us before beginning a costly, inefficient Section 404 compliance process. We think you will be pleasantly surprised. Call Eric Hopkins at 512-450-5010 for more information.