Sarbanes-Oxley internal control audit mandates modifiedfollowing industry feedback

Washington

Actions by two federal accounting regulators will reduce thecost of compliance with the controversial Section 404 of theSarbanes-Oxley Act by providing insurance companies and auditorswith greater flexibility, several industry groups asserted.

The new guidance from the U.S. Securities and ExchangeCommission and the Public Company Accounting Oversight Board alsoshows the willingness of the agencies to be responsive to industryconcerns about the cost of compliance with the regulation, as wellas determining precisely how the agencies are interpreting theprovision, the trade groups said.

At the same time, the regulators refused to support calls bypowerful industry groups for the law to be repealed.

For example, William J. McDonough, chairman of the PublicCompany Accounting Oversight Board, said, “it is clear to us thatthe internal control assessment and audit process has the potentialto improve significantly the quality and reliability of financialreporting.

“At the same time,” he added, “it is equally clear to us thatthe first round of internal control audits cost too much. Throughthe guidance we issue today, as well as our upcoming inspections,we are committed to seeing that [the regulation] is implemented ina manner that captures the benefits of the process withoutunnecessary and unsustainable costs.”

Mr. McDonough also said that the PCAOB and the SEC continue towork to “facilitate implementation” of Section 404 of SOX by theauditors of the smaller U.S. public companies and foreignfirms–which, by SEC rule, need not comply until 2006.

What The Rule Says

Section 404 of the Sarbanes-Oxley Act and the SEC's relatedimplementing rules require certain companies to include in theirannual reports a section on management's assessment of theeffectiveness of internal controls over financial reporting.

Section 404 also requires auditors to attest to and report onthe internal control assessments made by management. PCAOB AuditingStandard No. 2–which refers to the auditor's attestation as anaudit of internal control over financial reporting–is the standardauditors must use to satisfy their obligations under Section404.

Effectively, staff guidance issued by the SEC and the policystatement by the PCAOB allows companies to comply with Section 404by creating a system that works best for their own specificorganization.

Phillip Carson, senior counsel for financial reporting at theAmerican Insurance Association, said he believes the new regulatoryguidance “is positive for all companies subject toSarbanes-Oxley.”

He explained that it was issued by the two agencies in responseto an April 13 roundtable with industry officials. Mr. Carson saidthe benefit of the new guidance is that it addresses some of theissues that drive the cost of internal control audits–specificallythe issue of audit scope.

“It looks to the auditor to apply more judgment rather than relysimply on excessive transactions testing, which drives cost,” hesaid. “It emphasizes the need to develop the audit in terms of riskassessment–that is, focus on the higher risk areas, as opposed tomaking it apply equally to low-risk areas, as well.

“In other words, it is a quality vs. quantity issue, theagencies have said,” Mr. Carson explained.

New Guidelines

The new guidelines will allow external auditors to communicatedirectly with management and tailor audits to individual clients,explained Richard Whiting, executive director and general counselfor The Financial Services Roundtable. He said that externalauditors also will be able to use the work of internal auditstaff.

“Further, the new guidelines will allow for an integrated auditof internal controls and financial statements,” Mr. Whitingsaid.

“The guidance is a constructive step in providing greaterclarity and focus on Sarbanes-Oxley requirements,” he added. “ThePCAOB clearly has heard the message that there are aspects ofSection 404 that are not working,”

The SEC staff statement explains that “an overarching principleof this guidance is the responsibility of management to determinethe form and level of controls appropriate for each organizationand to scope their assessment and testing accordingly. One sizedoes not fit all, and control effectiveness is affected by manyfactors.”

Sarbanes-Oxley was designed to combat the corporate misdeedsthat led to the Enron and WorldCom scandals.

Accelerated filers with the SEC were required to be incompliance with these new rules for the fiscal year ending Nov. 15,2004. The guidance follows the April 13 roundtable discussion withindustry officials, in which the agencies listened to comments fromissuers on how the process worked in its first year ofimplementation.

“The feedback made clear that companies have realizedimprovements to their internal controls as a result of implementingthe requirements and that the requirements have led to an improvedfocus on internal controls throughout the organization,” the staffstatement said.

“However, the feedback also identified implementation areas thatneed further attention or clarification to reduce any unnecessarycosts and other burdens without jeopardizing the benefits of thenew requirements,” the agencies added.

Flexibility Offered

In its guidance, the statement noted that the SEC has decidednot to issue a prescribed system for internal auditing specificallyto allow companies to determine how to best monitor themselves.

“In adopting its rules implementing Section 404, the Commissionexpressly declined to prescribe the scope of assessment or theamount of testing and documentation required by management,” thestaff statement said.

“The scope and process of the assessment should be reasonable,and the assessment [including testing] should be supported by areasonable level of evidential matter,” the statement added.

“Each company also should use informed judgment in documentingand testing its controls to fit its own operations, risks andprocedures,” the agencies went on to say. “Management should useits own experience and informed judgment in designing an assessmentprocess that fits the needs of that company. Management should notallow the goal and purpose of the internal control over financialreporting provisions–the production of reliable financialstatements– to be overshadowed by the process.”

The theme of ensuring the spirit of Sarbanes-Oxley rather thanadherence to a specific set of guidelines also was apparent in thestaff statement's view of how companies are monitoring themselves.Rather than examining their own firms using a risk-based approach,the staff statement noted, many companies began using a“mechanistic, check-the-box” system.

“This was not the goal of the Section 404 rules, and a betterway to view the exercise emphasizes the particular risks ofindividual companies,” the statement said. “Indeed, an assessmentof internal control that is too formulaic and/or so detailed as tonot allow for a focus on risk may not fulfill the underlyingpurpose of the requirements. The desired approach should devoteresources to the areas of greatest risk and avoid giving allsignificant accounts and related controls equal attention withoutregard to risk.”

The evaluation of Sarbanes-Oxley implementation will continue,the staff said, adding that companies also should work to learnfrom each other about which approaches to monitoring theirfinancial data reporting work best.

“There is a desire for the sharing of best practices so thatcompanies and auditors can benefit from the substantial learningthat has taken place from the first year of implementation, and westrongly encourage those efforts,” the staff statement said, notingalso that the evaluation of Sarbanes-Oxley implementation after oneyear also has created a significant amount of data that could bestudied by academics or other experts.

“The staff desires that the benefits are achieved in a sensibleand cost-effective manner,” the statement read. “We will continueto consider whether there are other ways we can make the processmore efficient and effective while preserving the benefits.”

The PCAOB said that the guidance, in a question and answerformat, “seeks to correct the misimpression that certain provisionsof Auditing Standard No. 2 need to be applied in a rigid mannerthat discourages auditors from exercising the judgment necessary toconduct an internal control audit in a manner that is botheffective and cost-efficient.”

“Through the guidance we issue today, as well as our upcominginspections, we are committed to seeing that [the regulation] isimplemented in a manner that captures the benefits of the processwithout unnecessary and unsustainable costs.”

William J. McDonough, Chairman

Public Company Accounting Oversight Board