Internal control is the linchpin to accurate and reliable financial statements. Reliable financial reporting and investor confidence in the financial reporting process simply cannot exist without an effective system of internal control. This concept is not debatable. What is debatable, however, is how much one should pay for an increase in the reliability of financial reporting, particularly when the value of increased reliability is not amenable to precise measure. Three things are certain.
- First, creating and maintaining an effective internal control system has a cost; it is not a cost-neutral endeavor.
- But, second, this cost cannot be unlimited. The value to shareowners of the increase in reporting reliability must have an appropriate relationship to the costs of providing this value – costs that are also ultimately borne by shareowners.
- Third, although at the time that Congress adopted Section 404 of the Sarbanes-Oxley Act and both the SEC and this Board took steps to implement it, an increase in costs was always anticipated, the total costs incurred to date far exceeded expectations. These costs are not sustainable over the long term.
These three certainties have been clearly and nearly unanimously communicated to this Board over the course of the past 2-1/2 years. I hope that, through our action today, we clearly demonstrate that we have listened. We have listened to the companies who have cited not only out-of-pocket costs, but diversion of resources from other important activities. We have listened to the small business community, which has raised valid concerns regarding both the disproportionate cost impact on small companies with little revenue, as well as the practicalities of implementing the COSO framework in a small and non-complex business environment.
We have also listened to investors who, as I mentioned earlier, bear the ultimate costs and reap the ultimate rewards of effective internal control systems. This sector has unequivocally told us that they expect us to better balance audit costs with benefits, but that we must not achieve this goal by putting greater risk on company owners. Moreover, investors have expressed great concern that the existing auditing standard encourages auditors to focus more on past mistakes in reporting than on preventing future mistakes.
Lastly, we have both listened to and observed the auditing profession. We have watched them absorb both AS2 and subsequent guidance from this Board, and have observed increased efficiencies. We have heard the profession caution against wholesale repudiation of the principles behind AS2, while at the same time point out areas in which AS2 has been perceived as a barrier to even greater efficiency.
During this tremendously helpful period of input, this Board and our staff have also been in the process of challenging ourselves. We tried to ask the hard questions: What is the role of professional auditing standards – should standards represent a floor, below which auditors are subject to discipline, or aspirational best practices? Do standards need to be written with the same tone and style that is familiar to auditors, or should they be written in a way that can be understood by a wider audience, such as CFOs? How does the grant of auditor discretion affect the effectiveness of the PCAOB's inspection program?
Mr. Ray and his colleagues have described very well the changes that this proposal would make to practices under existing AS2, and I won't repeat those here. Rather, I'd like to focus on a few things that this new proposed standard does not do.
- The proposal will not diminish or "water down" any of the existing AS2 principles. Not only will the quality of internal control audits remain high, I believe this new standard will increase the quality by placing greater focus and attention on risk.
- The proposal does not create a different auditing standard for different sizes of companies. Rather, the proposal will explain how the standard's provisions can be applied more efficiently in companies that are smaller and less complex. These provisions, as explained earlier, will be supplemented in the spring with more detailed guidance. Together, auditors should clearly understand how to translate the principles of the proposed standard to the unique circumstances of each company.
- The proposal will not allow auditors to rotate their testing of controls, in that every significant control must be tested annually. Instead, the nature and extent of that testing can be significantly reduced in subsequent years, based on the results of previous years' audits and risk analysis. As mentioned earlier, low risk controls may need to only be tested by a walkthrough, with this test confirming the lack of change affecting the control from the previous year.
- The proposal will not reduce audit costs by X percent for all companies. However, I believe that this proposal will result in significant cost savings across all companies, and even more importantly, better align costs with the significant benefits that good internal control provides to shareowners.
As you can tell from my comments, I am very proud of the way in which my colleagues on both the Board and staff have responded to the criticisms and suggestions that we have received over the course of the past 2 years. However, I am also quite confident that the decisions reflected in this proposal can be improved upon, and I am sincerely looking forward to a robust public comment period. I urge all interested parties – and particularly those from the investor community – to take advantage of this 70-day comment period to analyze the proposal and suggest alternative approaches. This Board has never adopted in final a rule or standard that has not been significantly changed as a result of the comment period, and I am certain that will be the case with this proposal as well.