This speech discusses some of the issues that have arisen regarding the costs and benefits of internal control reporting under Section 404 of the Sarbanes-Oxley Act. The importance of strong controls is beyond question, and it might be assumed that directors and senior executives would rush to embrace anything that minimizes the risk that the financial statements that they must sign off on are materially inaccurate. There is evidence that many executives do view Section 404 in that light and that it is serving its purpose.[*]
There is, however, also considerable concern about costs and counter-productive Section 404 impacts. As to some implementation issues that have been raised --
Section 404, like any other regulatory requirement, should be able to stand the scrutiny of cost-benefit analysis. However, several things should be borne in mind --
There are several important initiatives underway to analyze the operation of Section 404. The Board will be an active participant in these. The ultimate test of Section 404, and of those charged with implementing, is whether we succeed in restoring and maintaining the public’s confidence in the integrity and transparency of our capital markets. <
Thanks, Dick, for that generous introduction.
For anyone who is just entering the room and missed Dick’s comments, let me dispel your confusion by repeating that I am not Bill McDonough. And, for those of you who heard Dick’s introduction and are now thinking about leaving the room because I am not Bill McDonough, let me say that I know that Bill regrets very much that a scheduling conflict prevented him from being here today. I’m glad, however, to have the opportunity to fill in.
The letter inviting Chairman McDonough to address you suggested that he offer his perspective on what constitutes appropriate regulation and oversight in the post-SOX environment and on how we should strike the balance between costs and benefits. I certainly would have liked to hear Bill’s views on that very challenging topic. However, I thought that I would set a more modest goal for myself. I would like to focus on what seems to be rapidly becoming the most famous -- or infamous -- provision of the Sarbanes-Oxley Act -- Section 404.
As most of you are probably already well-aware, Section 404 established requirements for management and auditor reporting on the effectiveness of public company internal controls. Section 404 is today the focal point in the debate over the costs and benefits of the changes in corporate practice mandated by Sarbanes-Oxley. While I think it is premature to reach conclusions about the ultimate impact of internal control reporting, I would like to offer some thoughts on that topic that I hope will help to better frame the debate.
Before I begin, I should note that the views I express are my own, and not necessarily those of the Board’s other members or staff.
First, some background. Broadly speaking, the goal of the Sarbanes-Oxley Act is to restore public confidence in financial reporting. The shocking series of accounting scandals and auditing failures that led to the enactment of SOX seriously eroded that confidence. Section 404 aims to rebuild public trust by bolstering the internal controls that under-pin the accuracy and reliability of published financial information. It seems obvious that control effectiveness is closely correlated with the reliability of reported financial data and that public confidence in a company’s controls is therefore closely correlated to public confidence in its reporting.
Section 404 of the Sarbanes-Oxley Act seeks to build on this correlation by requiring that every public company annually issue and file with the Securities and Exchange Commission a management report concerning the effectiveness of the company’s internal control over financial reporting. Section 404 also requires that these management reports be accompanied by a public report from the company’s financial statement auditor attesting to the accuracy of management’s internal control report. Another part of the law, Section 103, requires direct auditor reporting on the effectiveness of public company internal controls. These provisions can be viewed as corollaries to the longstanding requirement in the Securities Exchange Act of 1934 that all public companies must maintain accurate books and records and an adequate system of internal accounting control.
How does the PCAOB figure into this? The Sarbanes-Oxley Act directs the Board to establish professional standards for the work that the company’s independent auditor must do in order to prepare its internal control report. On March 9, 2004, after an extensive process of public input, the PCAOB adopted Auditing Standard No. 2 to fulfill this mandate. After additional public comment, the SEC approved AS No. 2 in June 2004.
We are now in the midst of the first round of annual Section 404 reporting. For large, established companies -- what the SEC calls accelerated filers -- the initial Section 404 reports must be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004. For calendar-year companies, that means that the due date was March 16, and we will likely be seeing press reports -- and market reactions -- this week based on the content of those first filings.
The SEC has allowed accelerated filers with market caps below $700 million an additional 45 days to file their internal control reports. For non-accelerated filers and foreign companies with securities traded in the U.S., Section 404 reporting will begin in 2006.
In the immediate aftermath of the enactment of Sarbanes-Oxley, Section 404 didn’t garner much attention. And, indeed, one might fairly ask what the big deal is now. Internal controls are not new. As I noted, public companies have long been required to establish and maintain effective internal controls, and the SEC has brought numerous cases over the years to enforce that requirement. Further, the importance of strong controls is beyond question. SOX dramatically enhanced the penalties for false financial reporting, and both prosecutors and plaintiffs’ lawyers have become extremely aggressive in pursuing false financial reporting cases -- just ask Bernie Ebbers, Ken Lay, or the WorldCom directors. It might be assumed that directors and senior executives would therefore rush to embrace anything that minimizes the risk that the financial statements that they must sign-off on are materially inaccurate or that their company’s controls do not meet the statutory requirements.
In fact, there is evidence that many executives do view Section 404 in that light and that it is serving its purpose. For example, 79 percent of 222 financial executives recently surveyed by Oversight Systems reported that their company has stronger internal controls after complying with Section 404. Seventy-four percent said that their company benefited from compliance with Sarbanes-Oxley and, of those, 33 percent said that compliance lessened the risk of financial fraud. Further, according to Compliance Week, 27 companies with revenue of more than $75 million disclosed material weaknesses or significant deficiencies in internal controls during the month of January 2005, compared to only seven that made such disclosures during the same month in 2004. This data seems to show that Section 404 is having a real, positive impact on controls.
There is, however, also considerable concern about adverse and counter-productive impacts of Section 404. It has been suggested that Section 404 reporting is diverting large amounts of executive time and company resources away from the fundamental profit-making objectives of the business. Section 404 is also sometimes cited as a major incentive to go private or to refrain from going public. Specific criticisms seem to fall into two categories -- that the way the requirement is being implemented has resulted in unintended consequences, and that the costs of Section 404 exceed the benefits. Let me first address some of the issues in the unintended consequences category.
One of the most common charges is that, as a result of internal control reporting, companies can no longer look to their auditors for advice on difficult accounting issues. AS No. 2 provides that it is a “strong indicator” of a material control weakness if the auditor identifies a material misstatement in draft financials that management missed. This seems to have led some to conclude that management and the auditor should maintain an arm’s length, if not adversarial, relationship.
AS No. 2 is not intended to erect a wall between auditors and clients. Auditors have long advised public companies on accounting issues and on internal control matters; Auditing Standard No. 2 does not preclude that kind of advice and discussion. Of course, management needs to perform its own control evaluation; it can’t delegate that responsibility to the auditor or treat the auditor as part of the controls by relying on it to catch errors. Conversely, the auditor needs to reach his or her own independent judgments, not negotiate those judgments with management. But, within these limits, auditor-management free and open communications concerning financial reporting and internal control issues are still permissible. Common sense should resolve most issues.
A second complaint is that AS No. 2 leaves too much -- or too little -- room for auditor judgment and that more -- or less -- detailed guidance is needed. It is true that, while AS No. 2 is lengthy, it is not highly prescriptive. Internal control auditing, like financial statement auditing, requires auditors to exercise a considerable amount of professional judgment. Accordingly, AS No. 2 lays out the objectives that the auditor must accomplish in developing the evidence to support an opinion on internal control. AS No. 2 is not, however, a “cookbook“ of auditing procedures. Because companies and their financial reporting systems vary so widely, it is hard to see how the Board could define more precisely how controls should be tested -- the point is for the auditor to obtain evidence that the company's control system, within reason, assures that the financial statements do not contain material misstatements.
At the same time, some companies have charged that auditors are taking advantage of the flexibility AS No. 2 affords and are performing costly but unnecessary tests on the ground that their efforts are “required by the PCAOB.” Since AS No. 2 contains few specific requirements, statements like this are almost never true. Further, the Board is committed to using its inspection program to ensure that auditing firms are properly applying AS No. 2 and are not using it as an opportunity to generate fees through unnecessary work. While I do not think it is possible -- or desirable -- for us to try to supplant auditor judgment with detailed procedures, we are committed to monitoring how auditors exercise their judgment and to making sure they do not go to needless extremes.
Another frequent charge is that auditors have adopted a “check the box” mentality about control testing and are focusing on minutiae that could not possibly affect the financial statements. In auditor-ese, AS No. 2 requires testing to the extent necessary to obtain reasonable assurance that controls are effective with respect to all relevant assertions for all significant accounts in the financial statements. In plain English, this means that the auditor has to test the controls that are intended to make it probable that the financial statements are materially correct. While it is necessary for the auditor to understand the overall control system and to “walk through” the operation of all significant processes, the focus should indeed be on what is material to the financials, not on the trivial.
Perhaps the most serious charge is that small companies are being disproportionately burdened because auditors are not tailoring their procedures to the client. Smaller, less complex businesses typically need less complex controls, and the work of the auditor should reflect that fact. The Board stressed this point in both the proposing and adopting releases for Auditing Standard No. 2. Board members have stated publicly that we will also use our inspection program to make sure that smaller companies are not subjected to needless cost and burdens. Internal control auditing, like financial statement auditing, is not a “one-size-fits-all” exercise.
At the same time, strong internal controls are at least as important to small issuers and their public investors as they are to larger businesses. In practice, smaller companies that have not had strong controls may incur costs to strengthen their controls in preparation for Section 404 reporting that are higher, relative to company size, than the costs incurred by larger companies that have more established controls. Conversely, however, Section 404 is likely to result in greater improvements in control and in greater increases in financial reporting reliability at smaller entities, as a group, than at larger ones. This should, in turn, result in lower capital costs for these companies.
None of this addresses the argument that, whatever its benefits, Section 404 is imposing costs that are out of proportion. There is no doubt that internal control reporting is not free. Based on the most recent survey of its members, Financial Executives International says that the expected average first-year cost is 27,000 hours of internal time for companies with an average of $5 billion in sales. As to anticipated total costs of compliance, FEI found that the average first year expenditure was $4.36 million, including $1.34 million in internal costs; $1.30 million in audit fees and $1.72 million in external costs (consulting and software). 
Of course, to keep these numbers in perspective, it is necessary to also bear in mind the billions in investor wealth that were lost in the Enron and WorldCom collapses alone, coupled with the very real costs of public cynicism concerning the integrity of our financial markets that those and similar cases generated. But, I would certainly agree that Section 404, like any other regulatory requirement, should be able to stand the scrutiny of cost-benefit analysis. However, in undertaking that analysis in the future, several things will have to be borne in mind.
Weighing the costs and benefits of a provision that is aimed at building public confidence would not be a simple task. That does not mean that it should not be undertaken. However, the costs tend to be more obvious and easier to track. The trick is in capturing and quantifying all of the benefits.
On the other side of the coin, in my view, many of the Section 404-related costs and burdens that are currently attracting public attention are a consequence of the first-time implementation of what is inherently a complex and far-reaching new statutory requirement. In some cases, auditors and managements may be over-reacting with measures that go beyond the objective of determining whether controls are in place that provide reasonable assurance that the company is able to generate financial statements free of material error.
There are several initiatives underway to analyze and correct these kinds of problems. The SEC has announced that it will convene a public roundtable on Section 404 implementation issues on April 13, 2005, and has also announced formation of an advisory committee to study and report on the impact of the Sarbanes-Oxley Act on smaller public companies. Further, the Committee of Sponsoring Organizations (“COSO”) -- the body responsible for the internal control framework that guides most Section 404 reviews -- has undertaken a project to issue guidance concerning the application of the COSO framework to smaller companies. The Board will be an active participant in each of these initiatives. Together, they should result in a better understanding of how Section 404 can be implemented in a way that best matches costs and benefits.
I want to conclude by reminding you of a point I mentioned at the beginning: The objective of the Sarbanes-Oxley Act is to restore confidence in financial reporting. Without the investing public’s confidence, our securities markets -- the engine of our national prosperity -- would cease to operate. The ultimate test of Section 404, and of those charged with implementing, is whether we succeed in maintaining the public’s confidence in the integrity and transparency of those markets.
Thank you. I would be happy to answer any questions.
[*] The views expressed herein are solely those of the author and are not necessarily those of the Public Company Accounting Oversight Board or any of its other members or staff.
“Financial Executives Call Sarbanes-Oxley Compliance a ‘Good Investment,’ According to Oversight Survey,” Press Release of Oversight Systems, Inc. (December 14, 2004).
”Adverse Opinions Emerge in Internal Control Disclosure,” Compliance Week (March 2005), p. 16.
”FEI Survey on SOX Section 404 Implementation” (March 2005).