In year two of the application of Section 404 of the Sarbanes-Oxley Act, the vast majority of US senior finance officers feel the costs outweigh its benefits.
By now, most of the worlds financial management community are familiar with the controversy over section 404 of the Sarbanes-Oxley Act, and more specifically, with the heated debates surrounding its substantial cost and what many consider to be its negligible benefits.
In May the Public Company Accounting Oversight Board (PCAOB) and the US Securities and Exchange Commission (SEC) hosted a round-table to understand the hands-on experiences of those who have gone through the compliance process. The list of panellists read like a Whos Who of regulators, industry movers and shakers, institutional investors, auditors and academics.
SEC chairman Christopher Cox and PCAOB acting chairman Bill Gradison set a tone that suggested the day would be much more like a Congressional testimony than a mere information-gathering exercise ... and it was. It was found that while accelerated filers have climbed the initial learning curve, many of the problems experienced in year one are still being felt in year two.
While costs may have come down for some companies, they are still substantially higher than the SECs initial forecast of $US90,000. An extreme example, Phil Ameen, VP and comptroller of GE, noted that in 2004 his companys 404 costs were $US33 million, and held fairly constant for 2005.
A recent Financial Executives International survey suggests the vast majority of US senior finance officers still feel that the costs of 404 outweigh the benefits. Colleen Cunningham, FEI CEO, says 85 per cent of respondents thought so. However, this figure declined from 94 per cent in 2005. She also says that despite the 13 per cent year-over-year decline in 404 audit costs, overall audit fees have remained relatively flat year over year. The 404 audit is becoming integrated with the financial audit, which may make it difficult to accurately differentiate between 404 audit costs and financial audit costs.
In addition to the hard costs of management time and audit, some point to the impact on the accounting environment as a whole as a soft cost associated with 404. As H. Rodgin Cohen, chairman of Sullivan & Cromwell LLP, explained: ... when you try and measure the benefits and the burdens, in addition to the costs, which presumably can be quantifiable, there is a more qualitative cost, and that remains the continuing very conservative environment in the accounting profession with respect to the internal controls procedure. We are seeing and continue to see almost a direct correlation between a failure to apply a complex accounting standard (FAS-133 is probably the best example) to a restatement and a material weakness. That line seems to be almost inevitable. Likewise, error seems to correlate directly to a significant deficiency.
Robert Davis, CFO CA Inc and a representative of the US Chamber of Commerce, also spoke about the soft costs associated with boards and upper management being too focused on protection and control. We are spending a disproportionate amount of time having management so focused on value protection that theyre not creating value, Davis says. Other concerns related to the burden SOX 404 imposed on small companies, and its impact on the innovative capabilities of US companies and on the relative attractiveness of US capital markets.
In this observers opinion, for the first time since the SEC inked the details of the rules respecting 404, we are the closest weve been to convincing the regulators to close this Pandoras Box. After all, Scott Taub, the acting chief accountant from the SEC, recently posed the question: How would managements process be different if audit wasnt there? This suggests there is some hope for a viable answer.
Realistically, the total elimination of the requirement for an audit opinion on a companys internal control over financial reporting is wishful thinking. However, if the regulators were paying attention to the panellists arguments, there is ample reason to believe they will take action to improve the implementation of 404 on a number of fronts. Most notably would be to provide additional guidance to the management of companies of all sizes on how to go about the assessment process, and thereby help to reduce costs. This echoes the results of a soon-to-be-released study commissioned by the Institute of Management Accountants that indicates the absence of a practical top down/risk-based approach is a root cause of SOX implementation problems.
One great virtue of having standards or guidance for management would be to be able to draw that distinction between the role of management in the process and the role of the outside accountants, said Sullivan & Cromwells Cohen. The bottom line of that, once everybody recognises the respective roles, would be a reduction in costs. Edward Nusbaum, CEO and executive partner of Grant Thornton, called for more practical guidance for both management and the audit community based upon real case study evidence. That kind of real, practical guidance that would be based on examples and case studies would allow us to use judgement, and allow companies to use judgement, says Nusbaum, who wants better guidance on the definition of material weaknesses and significant deficiencies. He says this would make companies more efficient going forward, and particularly benefit smaller companies.
With respect to the audit guidelines, as found under the Auditing Standard no. 2, (AS2) An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Barbara Hackman Franklin, who is president and CEO of Barbara Franklin Enterprises and a former US secretary of commerce, has some thoughts. Its now time to amend the standard and literally take the guidance that you put forth last year and put it into the wording of the standard, she says. That will empower auditors in a way that they dont feel empowered to make a judgement right now. The second thing would be to give guidance to management about their role here, and particularly to small companies.
Samuel DiPiazza, PricewaterhouseCoopersglobal chief executive, points to several areas in AS2 that create audit difficulty. Theres guidance that we need in the profession as well, Di Piazza said. Restatements are a problem. First, evaluating a deficiency and the extent of a deficiency is hard enough. But then when you have a situation where deficiencies are a strong indicator, restatement is a strong indicator of a material weakness and vice versa, then youve got very serious issues about when a restatement leads to a material weakness and an adverse opinion. And if there is anything thats creating enormous stress in the system, its sitting right there. You know, from the professions viewpoint, every restatement doesnt mean you have a material weakness.
One week after the round-table both the SEC and the PCAOB announced their first steps towards getting it right. On 17 May, the SEC released the beginnings of its process to revise 404, while the PCAOB announced that it plans to propose revisions to AS2 and integrate the 16 May guidance, which emphasised that auditors need to incorporate the work of internal auditors and other parties in their controls attestations. The PCAOB will take a second look at what role the auditor should play in evaluating a companys process of assessing internal control effectiveness.
The actions the SEC intends to take are varied, offering more guidance on how to complete the assessment of internal control over financial reporting. SMEs will have to comply with 404, but compliance will be postponed until after the new and scalable guidance has been issued. In drafting this guidance, the SEC will seek external input on the appropriate role of outside auditors in connection with management assessment. It will also seek input on the manner in which outside auditors provide the attestation required by section 404(b), to assist in consideration of possible alternatives to the current approach.
The SEC will also inspect the PCAOBs inspection process. The staff (of the SEC) will examine whether the PCAOB inspections of audit firms have been effective in encouraging implementation of the principles outlined in the PCAOBs 1 May, 2006 statement, according to an SEC release. The statement said that it would focus its efforts on whether auditors have achieved cost-savings efficiencies in the audits they have performed under auditing standard no. 2.
For some, these giant steps may be met with a collective sigh of relief. Others, however, caution against creating yet more rules. I guess when I hear guidance, I get worried that were going to get another standard that will box management in to some degree, says the FEIs Colleen Cunningham. And I think its very, very important to understand that every company is run differently. Every company gets comfortable with their internal controls perhaps in a different way. We need to make sure that it (guidance) is principles-based, that the guidance focuses on the clarification of key terms and definitions, and [should include] a clarification that management is not expected to follow the same rules that the auditors are required to do.
Although many would agree that the SEC and PCAOB are attempting to undo many of the negative effects of SOX 404 implementation to date, this new round of guidance prompts several other questions. Will companies be compelled to undo their current evaluation process to meet SEC requirements, or will the new guidance be sufficiently robust to allow companies to proceed along their current path? Can the new guidance possibly meet both the needs of the (large) company accelerated filers and also the smaller companies that have yet to begin the assessment process? And how long will the process of issuing new guidance take? Will the auditors role be changed in a way that will substantially reduce the costs of 404 perhaps to the point where independent assessments of the effectiveness of a companys internal controls are no longer required?
Clearly, whether these giant steps help to close one Pandoras Box or merely to open another remains to be seen.
