Wednesday, I mentioned that I spoke with Vibato's Teresa Bockwoldt, who said that some would see the alleged $31 million embezzlement at headphone maker Koss as an example of why small businesses should not be exempt or receive further reprieve from Sarbanes-Oxley 404(b) compliance. She however, does not agree with that assessment.
[When] Grant Thorton came out and said the reason they weren't taking any responsibility was because [Koss] had yet to be subjected to a 404(b) audit, I was appalled...What are they trying to say, that a regular audit doesn't have any merit? That it doesn't matter unless Sarbanes-Oxley 404(b) is involved? It doesn't make any sense.
In fact, she noted that one of the new trends she's seeing this year is that auditors are asking for the controls documentation Vibato has done for its non-accelerated filer clients, and they're doing some testing -- even though those filers are not subject to a 404(b) audit of internal controls. Though she couldn't definitively put a finger on why, she said she suspected it was because of SAS 104 through 115, which address risk assessment in the audit function.
Those standards, she said, have been in place since 2006, but until now, aside from asking to see controls documentation so they could have it for their files, few auditors have actually tested those controls. When I asked why now, Bockwoldt said:
[M]y only thought is they're incorporating the internal control review into their overall audit plan, period