There are many issues which have led to the rewriting of Auditing Standard No. 2, and none has received more attention than the impact of internal control audits on smaller public companies.
Discussion of the application of the internal control requirements of Sections 103 and 404 of the Sarbanes-Oxley Act of 2002 to smaller public companies raises two fundamental policy questions:
What are the responsibilities of being a public company and, by inference, what are the implications for auditors of public companies?
Do investors deserve any less assurance over the "accuracy and reliability", to quote from the preamble of the Act, of audited financial reports because a public company is small?
Congress has addressed these questions before and has been consistent in its policy: Neither the Act nor the Foreign Corrupt Practices Act of 1977 makes any distinction for company size. Not surprisingly, the statutory mission of the Public Company Accounting Oversight Board, which was created by Title I of the Act, is to protect investors, and no distinctions are made with respect to company size. It is, I think, significant that throughout the long and open process of crafting this new auditing standard to replace AS 2, there has been little or no sentiment from the investor community for carving out exceptions or "safe harbors" for small public companies simply because they happen to be "small".
This is not to say there is no support in the investor community for a scalable internal-control auditing standard that takes into account the complexity as well as the size of public companies; to the contrary, there is broad support among investors for a scalable standard, something the Board has labored long and hard, and I think successfully, to craft. Scalability need not, and in the case of Auditing Standard No. 5, does not, mean "404 Lite".
While public attention to corporate fraud focuses on large companies – the Enrons and WorldComs – the research is clear that the likelihood of corporate fraud is inversely related to company size. This, I believe, is a powerful argument for applying internal-control requirements to smaller public companies.
Much of the objection to applying Sections 103 and 404 to small companies is based on the costs of compliance. What is often lost in the discussion of costs is that it is investors who bear the costs of their own protection. When a public company pays the Accounting Support Fee, which finances PCAOB, the money actually comes out of the investors' pockets. When a public company pays its auditor, or hires internal-control consultants, or adds to its financial-management staff, the money actually comes out of the investors' pockets. In other words, those Sarbanes-Oxley seeks "to protect" – namely, investors – are the ones who pay for this protection, and as near as I can tell investors are quite willing to do so.
As evidence of this willingness, I would note that when investors speak through their actions in the marketplace, they tend to place higher values on the shares of companies with no known material weaknesses in internal controls than they do on the shares of companies reported to have such weaknesses.
External, independent audits of the effectiveness of a public company's internal controls are only a part – albeit an important part – of the regulatory framework which leads to investors' willingness to place a premium on holding securities subject to these regulations. Those who would throw in the towel at this early stage – when most public companies have yet to come under the internal-control requirements of the Act, and in the face of mounting evidence of the value and benefits of having adequate internal controls – are, to my way of thinking, losing their focus on the goal of protecting investors as the law demands.
Sarbanes-Oxley mandates several important changes in corporate governance in order to protect investors. For example, it adds new responsibilities and obligations for management through Sections 404 and 302. It also makes fundamental changes that empower audit committees by requiring that audit committees, not management, hire and oversee the external, independent auditor. This means, necessarily and by design, that audit committees are intended to function as "traffic cops" – "deciders" if you will – when it comes to disagreements between management and the auditor over GAAP and over internal controls.
A good example of this new governance model has to do with significant deficiencies. These are defects in internal controls that are less severe than material weaknesses yet are serious enough to merit attention by those in charge of the company's financial reporting, which is, first and foremost, the company's audit committee. Although auditors are, under AS 5, only required to seek out material weaknesses, they are nevertheless required to communicate "deficiencies of which they are aware", in certain instances to management and in others to the audit committee. By focusing the auditor on the identification of material weaknesses rather than on significant deficiencies, AS 5 has been carefully and deliberately crafted so as not to cause auditors to do more work than necessary.
Under the Commission's management guidance and the Board's AS 5, both management and the auditor will be required to report to the audit committee any significant deficiencies (as well as all material weaknesses) of which they are aware. Because both the SEC's guidance and AS 5 are principles-based, it is entirely possible that management and the auditors will, at times, disagree over what is, or is not, a significant deficiency or material weakness. I believe having the communication of significant deficiencies come from two separate sources will enhance the ability of audit committees to carry out their clear statutory responsibilities to investors.
Reaching today has been a long process – spanning almost two years. I am proud to have been a part of this effort which is focused on carrying out the direction of Congress to "protect investors."