This speech discusses some of the issues that have arisen regarding the costs and benefits of internal control reporting under Section 404 of the Sarbanes-Oxley Act. The importance of strong controls is beyond question, and it might be assumed that directors and senior executives would rush to embrace anything that minimizes the risk that the financial statements that they must sign off on are materially inaccurate. There is evidence that many executives do view Section 404 in that light and that it is serving its purpose.[*]
There is, however, also considerable concern about costs and counter-productive Section 404 impacts. As to some implementation issues that have been raised --
- One charge is that companies can no longer look to their auditors for advice on difficult accounting issues. AS No. 2 is not intended to erect a wall between auditors and clients. Auditor-management free and open communications concerning financial reporting and internal control issues are still permissible.
- AS No. 2 is not a “cookbook” of auditing procedures. It is not possible -- or desirable -- to supplant auditor judgment with detailed procedures, but the Board is committed to monitoring how auditors exercise their judgment.
- While it is necessary for the auditor to understand the overall control system and to “walk through” the operation of all significant processes, the focus should be on what is material to the financials, not on the trivial.
- Smaller, less complex businesses typically need less complex controls, and the work of the auditor should reflect that fact. Internal control auditing, like financial statement auditing, is not a “one-size-fits-all” exercise. Board members have stated publicly that we will also use our inspection program to make sure that smaller companies are not subjected to needless cost and burdens.
Section 404, like any other regulatory requirement, should be able to stand the scrutiny of cost-benefit analysis. However, several things should be borne in mind --
- This is the first time through an entirely new process for both companies and their auditors. “Learning curve” costs are inevitable.
- Much of the initial costs relate to correcting the effects of “deferred maintenance” and bringing controls up to the standard the federal securities laws have always required.
- Section 404 is one piece of a broader change in corporate culture. Managements and boards will have to have confidence in their controls in order to fulfill their new responsibilities. In a sense, if Section 404 did not exist, it would be necessary for companies to invent it.
- The financial statement audit and the internal control audit are supposed to be a single, integrated exercise. Stronger controls and greater auditor understanding of those controls should pay dividends in terms of audit efficiency.
- While much of the Section 404 cost is up-front, many of the benefits of stronger controls and regular review of controls will appear over time. It will take several annual reporting cycles before we can determine whether these benefits are accruing.
There are several important initiatives underway to analyze the operation of Section 404. The Board will be an active participant in these. The ultimate test of Section 404, and of those charged with implementing, is whether we succeed in restoring and maintaining the public’s confidence in the integrity and transparency of our capital markets. <
The Costs & Benefits of Sarbanes-Oxley Section 404
Thanks, Dick, for that generous introduction.
For anyone who is just entering the room and missed Dick’s comments, let me dispel your confusion by repeating that I am not Bill McDonough. And, for those of you who heard Dick’s introduction and are now thinking about leaving the room because I am not Bill McDonough, let me say that I know that Bill regrets very much that a scheduling conflict prevented him from being here today. I’m glad, however, to have the opportunity to fill in.
The letter inviting Chairman McDonough to address you suggested that he offer his perspective on what constitutes appropriate regulation and oversight in the post-SOX environment and on how we should strike the balance between costs and benefits. I certainly would have liked to hear Bill’s views on that very challenging topic. However, I thought that I would set a more modest goal for myself. I would like to focus on what seems to be rapidly becoming the most famous -- or infamous -- provision of the Sarbanes-Oxley Act -- Section 404.
As most of you are probably already well-aware, Section 404 established requirements for management and auditor reporting on the effectiveness of public company internal controls. Section 404 is today the focal point in the debate over the costs and benefits of the changes in corporate practice mandated by Sarbanes-Oxley. While I think it is premature to reach conclusions about the ultimate impact of internal control reporting, I would like to offer some thoughts on that topic that I hope will help to better frame the debate.
Before I begin, I should note that the views I express are my own, and not necessarily those of the Board’s other members or staff.
I. What is Section 404?
First, some background. Broadly speaking, the goal of the Sarbanes-Oxley Act is to restore public confidence in financial reporting. The shocking series of accounting scandals and auditing failures that led to the enactment of SOX seriously eroded that confidence. Section 404 aims to rebuild public trust by bolstering the internal controls that under-pin the accuracy and reliability of published financial information. It seems obvious that control effectiveness is closely correlated with the reliability of reported financial data and that public confidence in a company’s controls is therefore closely correlated to public confidence in its reporting.
Section 404 of the Sarbanes-Oxley Act seeks to build on this correlation by requiring that every public company annually issue and file with the Securities and Exchange Commission a management report concerning the effectiveness of the company’s internal control over financial reporting. Section 404 also requires that these management reports be accompanied by a public report from the company’s financial statement auditor attesting to the accuracy of management’s internal control report. Another part of the law, Section 103, requires direct auditor reporting on the effectiveness of public company internal controls. These provisions can be viewed as corollaries to the longstanding requirement in the Securities Exchange Act of 1934 that all public companies must maintain accurate books and records and an adequate system of internal accounting control.
How does the PCAOB figure into this? The Sarbanes-Oxley Act directs the Board to establish professional standards for the work that the company’s independent auditor must do in order to prepare its internal control report. On March 9, 2004, after an extensive process of public input, the PCAOB adopted Auditing Standard No. 2 to fulfill this mandate. After additional public comment, the SEC approved AS No. 2 in June 2004.
We are now in the midst of the first round of annual Section 404 reporting. For large, established companies -- what the SEC calls accelerated filers -- the initial Section 404 reports must be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004. For calendar-year companies, that means that the due date was March 16, and we will likely be seeing press reports -- and market reactions -- this week based on the content of those first filings.
The SEC has allowed accelerated filers with market caps below $700 million an additional 45 days to file their internal control reports. For non-accelerated filers and foreign companies with securities traded in the U.S., Section 404 reporting will begin in 2006.
II. The Implementation of Section 404
In the immediate aftermath of the enactment of Sarbanes-Oxley, Section 404 didn’t garner much attention. And, indeed, one might fairly ask what the big deal is now. Internal controls are not new. As I noted, public companies have long been required to establish and maintain effective internal controls, and the SEC has brought numerous cases over the years to enforce that requirement. Further, the importance of strong controls is beyond question. SOX dramatically enhanced the penalties for false financial reporting, and both prosecutors and plaintiffs’ lawyers have become extremely aggressive in pursuing false financial reporting cases -- just ask Bernie Ebbers, Ken Lay, or the WorldCom directors. It might be assumed that directors and senior executives would therefore rush to embrace anything that minimizes the risk that the financial statements that they must sign-off on are materially inaccurate or that their company’s controls do not meet the statutory requirements.
In fact, there is evidence that many executives do view Section 404 in that light and that it is serving its purpose. For example, 79 percent of 222 financial executives recently surveyed by Oversight Systems reported that their company has stronger internal controls after complying with Section 404. Seventy-four percent said that their company benefited from compliance with Sarbanes-Oxley and, of those, 33 percent said that compliance lessened the risk of financial fraud. Further, according to Compliance Week, 27 companies with revenue of more than $75 million disclosed material weaknesses or significant deficiencies in internal controls during the month of January 2005, compared to only seven that made such disclosures during the same month in 2004. This data seems to show that Section 404 is having a real, positive impact on controls.
There is, however, also considerable concern about adverse and counter-productive impacts of Section 404. It has been suggested that Section 404 reporting is diverting large amounts of executive time and company resources away from the fundamental profit-making objectives of the business. Section 404 is also sometimes cited as a major incentive to go private or to refrain from going public. Specific criticisms seem to fall into two categories -- that the way the requirement is being implemented has resulted in unintended consequences, and that the costs of Section 404 exceed the benefits. Let me first address some of the issues in the unintended consequences category.
- Section 404 reporting is undermining financial statement accuracy because companies can no longer get advice from their auditor.
One of the most common charges is that, as a result of internal control reporting, companies can no longer look to their auditors for advice on difficult accounting issues. AS No. 2 provides that it is a “strong indicator” of a material control weakness if the auditor identifies a material misstatement in draft financials that management missed. This seems to have led some to conclude that management and the auditor should maintain an arm’s length, if not adversarial, relationship.
AS No. 2 is not intended to erect a wall between auditors and clients. Auditors have long advised public companies on accounting issues and on internal control matters; Auditing Standard No. 2 does not preclude that kind of advice and discussion. Of course, management needs to perform its own control evaluation; it can’t delegate that responsibility to the auditor or treat the auditor as part of the controls by relying on it to catch errors. Conversely, the auditor needs to reach his or her own independent judgments, not negotiate those judgments with management. But, within these limits, auditor-management free and open communications concerning financial reporting and internal control issues are still permissible. Common sense should resolve most issues.
- The control audit process leaves too much room for judgment; there should be more detailed guidance and less reliance on general principles.
- The control audit process leaves too little room for judgment; there should be less detailed guidance and more reliance on general principles.
A second complaint is that AS No. 2 leaves too much -- or too little -- room for auditor judgment and that more -- or less -- detailed guidance is needed. It is true that, while AS No. 2 is lengthy, it is not highly prescriptive. Internal control auditing, like financial statement auditing, requires auditors to exercise a considerable amount of professional judgment. Accordingly, AS No. 2 lays out the objectives that the auditor must accomplish in developing the evidence to support an opinion on internal control. AS No. 2 is not, however, a “cookbook“ of auditing procedures. Because companies and their financial reporting systems vary so widely, it is hard to see how the Board could define more precisely how controls should be tested -- the point is for the auditor to obtain evidence that the company's control system, within reason, assures that the financial statements do not contain material misstatements.
At the same time, some companies have charged that auditors are taking advantage of the flexibility AS No. 2 affords and are performing costly but unnecessary tests on the ground that their efforts are “required by the PCAOB.” Since AS No. 2 contains few specific requirements, statements like this are almost never true. Further, the Board is committed to using its inspection program to ensure that auditing firms are properly applying AS No. 2 and are not using it as an opportunity to generate fees through unnecessary work. While I do not think it is possible -- or desirable -- for us to try to supplant auditor judgment with detailed procedures, we are committed to monitoring how auditors exercise their judgment and to making sure they do not go to needless extremes.
- We are bogged down in a “check the box” mentality about control testing that focuses on minutiae that could not possibly affect the financials.
Another frequent charge is that auditors have adopted a “check the box” mentality about control testing and are focusing on minutiae that could not possibly affect the financial statements. In auditor-ese, AS No. 2 requires testing to the extent necessary to obtain reasonable assurance that controls are effective with respect to all relevant assertions for all significant accounts in the financial statements. In plain English, this means that the auditor has to test the controls that are intended to make it probable that the financial statements are materially correct. While it is necessary for the auditor to understand the overall control system and to “walk through” the operation of all significant processes, the focus should indeed be on what is material to the financials, not on the trivial.
- Small companies do not need the same types of controls as do large multi-nationals. Yet, auditors have adopted a uniform, inflexible approach.
Perhaps the most serious charge is that small companies are being disproportionately burdened because auditors are not tailoring their procedures to the client. Smaller, less complex businesses typically need less complex controls, and the work of the auditor should reflect that fact. The Board stressed this point in both the proposing and adopting releases for Auditing Standard No. 2. Board members have stated publicly that we will also use our inspection program to make sure that smaller companies are not subjected to needless cost and burdens. Internal control auditing, like financial statement auditing, is not a “one-size-fits-all” exercise.
At the same time, strong internal controls are at least as important to small issuers and their public investors as they are to larger businesses. In practice, smaller companies that have not had strong controls may incur costs to strengthen their controls in preparation for Section 404 reporting that are higher, relative to company size, than the costs incurred by larger companies that have more established controls. Conversely, however, Section 404 is likely to result in greater improvements in control and in greater increases in financial reporting reliability at smaller entities, as a group, than at larger ones. This should, in turn, result in lower capital costs for these companies.
III. How Should We Evaluate the Costs and Benefits?
None of this addresses the argument that, whatever its benefits, Section 404 is imposing costs that are out of proportion. There is no doubt that internal control reporting is not free. Based on the most recent survey of its members, Financial Executives International says that the expected average first-year cost is 27,000 hours of internal time for companies with an average of $5 billion in sales. As to anticipated total costs of compliance, FEI found that the average first year expenditure was $4.36 million, including $1.34 million in internal costs; $1.30 million in audit fees and $1.72 million in external costs (consulting and software). 
Of course, to keep these numbers in perspective, it is necessary to also bear in mind the billions in investor wealth that were lost in the Enron and WorldCom collapses alone, coupled with the very real costs of public cynicism concerning the integrity of our financial markets that those and similar cases generated. But, I would certainly agree that Section 404, like any other regulatory requirement, should be able to stand the scrutiny of cost-benefit analysis. However, in undertaking that analysis in the future, several things will have to be borne in mind.
- While management has long been responsible for establishing and maintaining effective controls, much of the initial costs relate to correcting the effects of “deferred maintenance” and bringing controls up to the standard the securities laws have always required.
- This is the first time through an entirely new process for both companies and their auditors. “Learning curve” costs are inevitable. While it is difficult to estimate how much is first year cost and how much will be recurring, it seems clear that, as managements and auditors gain experience with this new requirement, the costs will fall.
- Section 404 is just one piece of a broader change in corporate culture. Sarbanes-Oxley has imposed new responsibilities on audit committees; created certification requirements for CEOs, and CFOs; increased and speeded-up disclosure of material current events; and, in a host of other ways, forced public companies to put a new emphasis on the reliability of their financial reporting. Managements and boards will have to have confidence in their controls in order to fulfill these new responsibilities. In a sense, if Section 404 did not exist, it would be necessary for companies to invent it.
- From the perspective of the auditor, the financial statement audit and the internal control audit are supposed to be a single, integrated exercise. Stronger controls and greater auditor understanding of those controls should pay dividends in terms of the efficiency of the audit process.
- Finally, while much of the cost is up-front, many of the benefits of stronger controls and regular review of controls will appear over time. One could fairly expect that there will be fewer restatements, fewer SEC financial reporting cases, and fewer successful private actions involving accounting fraud as a result of Section 404. However, it will take several annual reporting cycles before we can determine whether these benefits are, in fact, accruing.
Weighing the costs and benefits of a provision that is aimed at building public confidence would not be a simple task. That does not mean that it should not be undertaken. However, the costs tend to be more obvious and easier to track. The trick is in capturing and quantifying all of the benefits.
On the other side of the coin, in my view, many of the Section 404-related costs and burdens that are currently attracting public attention are a consequence of the first-time implementation of what is inherently a complex and far-reaching new statutory requirement. In some cases, auditors and managements may be over-reacting with measures that go beyond the objective of determining whether controls are in place that provide reasonable assurance that the company is able to generate financial statements free of material error.
There are several initiatives underway to analyze and correct these kinds of problems. The SEC has announced that it will convene a public roundtable on Section 404 implementation issues on April 13, 2005, and has also announced formation of an advisory committee to study and report on the impact of the Sarbanes-Oxley Act on smaller public companies. Further, the Committee of Sponsoring Organizations (“COSO”) -- the body responsible for the internal control framework that guides most Section 404 reviews -- has undertaken a project to issue guidance concerning the application of the COSO framework to smaller companies. The Board will be an active participant in each of these initiatives. Together, they should result in a better understanding of how Section 404 can be implemented in a way that best matches costs and benefits.
I want to conclude by reminding you of a point I mentioned at the beginning: The objective of the Sarbanes-Oxley Act is to restore confidence in financial reporting. Without the investing public’s confidence, our securities markets -- the engine of our national prosperity -- would cease to operate. The ultimate test of Section 404, and of those charged with implementing, is whether we succeed in maintaining the public’s confidence in the integrity and transparency of those markets.
Thank you. I would be happy to answer any questions.
[*] The views expressed herein are solely those of the author and are not necessarily those of the Public Company Accounting Oversight Board or any of its other members or staff.
“Financial Executives Call Sarbanes-Oxley Compliance a ‘Good Investment,’ According to Oversight Survey,” Press Release of Oversight Systems, Inc. (December 14, 2004).
”Adverse Opinions Emerge in Internal Control Disclosure,” Compliance Week (March 2005), p. 16.
”FEI Survey on SOX Section 404 Implementation” (March 2005).