Panel on Sarbanes-Oxley Act Compliance: Cost and Benefits

Colleen [Cunningham, President of FEI] asked me to take a few minutes to give you my perspective on what happened in 2005, what is happening now, and what the Section 404 future looks like. Before I do that, I should note that the views I express are my own, and not necessarily those of the Board’s other members or staff.

A. What went right and what went wrong in 2005?

The first year of internal control reporting was enormously challenging for all involved. Section 404 of the Sarbanes-Oxley Act prompted the biggest change in the auditor’s work in 70 years. In particular, both firms and issuers were challenged by –

  • Staffing -- There was a shortage of personnel; especially experienced people. We know that the major firms were scrambling for personnel, including even importing talent from their foreign offices. This did not always produce happy results, either in terms of work efficiency or client relations.
  • Training -- Everyone had to learn how to conduct a new type of audit. With the exception of those who had worked in the world of financial institutions subject to FDICIA, there was literally no one who had prior experience in evaluating and testing controls for purposes of rendering a separate opinion on internal control.
  • Timing -- Many companies started their evaluation later than they should have. As a result, the auditors started late, too. Often, the whole process was compressed and had to be performed in a kind of crisis environment.
  • Lack of guidance for management – PCAOB Auditing Standard No. 2 tells the auditor, in concept at least, how to conduct an internal control audit. But, the SEC chose not to tell managements how to perform a management assessment of controls. Along the same lines, except for references to COSO -- which, in my view, few on the working level in most companies understand very well -- the SEC offered little guidance as to the standards against which controls should be measured.
  • Fear factor -- Auditors tended to take a conservative approach, in part because of uncertainty -- fear -- about how the PCAOB’s inspection program would view their work. At minimum, many were reluctant to make judgments in the field or to give advice to clients.

At the same time, considering the complexity of the challenge, I think many things went right.

  • Certainly, a lot of deferred maintenance was accomplished. Since 1977, all public companies have been required to have effective internal controls and, since 2003, CEOs and CFOs have been required to certify that they have effective disclosure controls (which encompass internal controls). It seems clear that the 404 exercise exposed -- and corrected -- some ways in which those obligations were not being met. As of August 31: 3,230 reports were filed; 2,785 of the reports (86.2 percent) were clean -- that is, no material weaknesses were detected; 444 (13.8 percent) reported ineffective internal controls, meaning that one or more material weaknesses in the company’s controls existed; and, in one report, the auditor disclaimed any opinion.
  • The markets generally didn’t over or under react. Disclosure seems to have been pretty good.
  • Everyone learned a lot. There has been much focus on how to make the process better.

B. What are we doing to improve the process?

On May 16, the Board issued guidance in response to concerns about the cost and efficiency of the first year of accelerated filer Section 404 reporting. Basically, that statement makes five points:

  1. The financial statement audit and audit of internal control over financial reporting should be integrated.
  2. Auditors should exercise judgment specific to the client’s circumstances and should tailor their audit plans to the risks facing each audit client.
  3. Auditors should use a top-down approach. That is, the audit should proceed from the entity-level controls to the process-level, not the reverse.
  4. There are more opportunities than were taken advantage of for auditors to rely on testing performed by competent and objective internal auditors
  5. Auditors and companies should engage in direct and timely communication throughout the audit process.

The Board recognized that it was not enough to merely announce these principles -- which everyone seems to agree with. Instead, the Board has also addressed the problems more directly. Over the summer, we looked at the way the eight largest firms implemented the standard. That work is now done and the results have been conveyed to firm management. They are largely what you would expect. Although some auditors may have implemented the standard well, it is apparent that some auditors did not.

  • Many firms did not effectively apply a top-down approach, i.e., identifying controls that carried the highest risk of causing a misstatement and concentrating their work on evaluating and testing those controls.
  • Firms did not conduct integrated audits of financial statements and internal control. This appears to have resulted from the fact that most of this work was performed late in the year. Consequently, the amount of reliance placed on controls in planning the financial statement audit work was limited.

We have also taken some other steps to try to make sure that the philosophy of the May 16 guidance is part of the Year 2 audit process:

  • The staff met with each of the largest firms to discuss their Auditing Standard No. 2 methodology and how they intend to change it in the second year. The firms said they have made changes to their policies, procedures and training.
  • The Board has also reviewed and assured itself that the largest firms have conveyed the substance and importance of the Board’s May 16 message to their partners in the field. We believe the firms’ leadership have gotten the Board’s message and pushed it out to their people.
  • We have tried to address the “fear factor” problem by using our inspection program. As I mentioned, in the 2005 inspections of the eight largest firms, the Board evaluated the methodologies and processes of selected first-year audits of internal control. Auditors should now have tangible evidence that we are looking at these audits. It is necessary to listen to the comments we give carefully. For example, the statement, “You failed to analyze the sources of real risk of financial statement misstatements and to use that analysis in planning the audit,” might be heard by some as “You didn’t do enough work.” In fact, however, this kind of comment is better understood as, “You wasted time and effort on testing without focusing your efforts on the areas of greatest risk.”
  • In order to expedite feedback to the firms, the PCAOB instituted a process of communicating preliminary findings from inspections of integrated audits directly to top management of each firm as these findings are identified and prior to the formal drafting of reports of inspections.

I anticipate that, before the end of November 2005, the Board will issue a public report on its Auditing Standard No. 2 inspection findings. And, in that context, we may also deal with some other interpretive points. For example, two issues that still seem to generate confusion are --

  • “More than remote” in the definition of material weakness means “reasonably possible” not “remote” or “possible.”
  • The object of the Section 404 exercise is to determine whether there are material weaknesses, not to look for lesser deficiencies.

There is a certain “damned-if-you-do, damned-if-you-don’t” aspect to the problem of interpretive guidance. I hear often that Year 1 was hard because new guidance was emerging on a daily basis. I think that, if you go back and look at what we and the SEC actually issued, we were in fact quite circumspect. But, the comment illustrates the point that, every time you issue anything new in this area, hundreds of auditors and thousands of companies have to stop what they are doing, review the new pronouncement, and assess whether and how it affects them. There is a cost associated with that. 

C. What can we expect in 2006 and beyond?

In the second reporting year, costs -- internal and external -- should fall. How much is unclear. For managements:

  • It will not be necessary to repeat the documentation exercise that consumed so much time the first year of internal control implementation, except where there have been changes.
  • Much of the focus should shift to monitoring.

I also expect that in the second year:

  • Audit committees are going to expect that their auditors apply the May 16 guidance and are likely to be asking questions aimed at finding out whether that is the case.
  • The financial statement and internal control audits will come closer to being a single integrated process.
  • There will be more time spent on risk analysis and less on process-level testing. As a corollary, there will be more willingness, consistent with Auditing Standard No. 2, to rely on internal audit testing at the process level.

Like everything else that emanates from Washington, we should expect Section 404 reporting to be able to meet a cost/benefit test. If not, something will have to change about the implementation or requirements. But, the costs tend to be upfront and the benefits spread over time. I think we are on the right track. 

Related Information