Perspectives on Internal Control Implementation, Issues and Reporting
Synopsis
This speech discusses some of the issues concerning first-year implementation of Section 404 reporting on internal control effectiveness that were raised at the April 13 SEC Roundtable.[*]
Several broad themes emerged from the discussion:
- Almost everyone underscored the importance of effective controls and expressed support for the objectives of Section 404.
- Reporting companies pointed to the high internal and external costs of compliance. Many felt that the first-year costs they had incurred far outweighed the benefits in terms of strengthened controls.
- Users of financial information generally praised internal control reporting. One institution suggested that, from the perspective of the investors who ultimately bear the costs, the benefits of more trustworthy reporting are worth the price.
There are five fundamental principles that some seem to have lost sight of during this past year. Correcting those misconceptions would go a long way toward reducing cost and unlocking the benefits of internal control reporting:
- Auditors can -- and should -- advise their clients on accounting and control issues. AS No. 2 does not erect a wall between auditors and clients.
- An effective and efficient audit of internal control requires the exercise of professional judgment. It should not be performed in a way that is mechanistic and does not reflect the application of professional judgment to the specific risks associated with the client’s financial reporting system.
- An audit of internal control is inherently a risk-based process. AS No. 2 encourages the auditor to start with a “top-down” evaluation of controls. By approaching the task in this way, the auditor is steered toward higher risk areas and away from those with less potential for a material impact.
- The financial statement audit and the internal control audit should be one integrated exercise. Exploiting the ways in which the internal control and the financial statement audits can support each other would reduce the cost and improve the quality of both.
- Small companies do not need the same types of controls or the same audit process as large multi-nationals. The work of the auditor should reflect that fact.
The costs of Section 404 compliance should fall, and the benefits become more pronounced, in the second and third reporting cycles. However, the ultimate test of Section 404, and of those charged with implementing it, is whether we succeed in restoring and maintaining the public’s confidence in the integrity and transparency of our capital markets.
Perspectives on Internal Control Implementation Issues and Reporting
Thank you. I am pleased to be here and to have the opportunity to be part of this conference. Over the last 31 years, this event has grown into one of the premier management accounting and financial disclosure conferences in the country. That so many of you are here today is a real tribute to Norm Meonske’s leadership and to the quality of this program. It’s an honor to be able to participate.
Three years ago, in 2002, or, as I like to call it, in one BSO -- that is, Before Sarbanes-Oxley -- it would probably have been difficult to think of five words more calculated to induce boredom, if not outright unconsciousness, among non-accountant corporate executives than “internal control over financial reporting.” It is probably unlikely that one in fifty public company CEOs could have described the key features of their company’s internal controls. If forced to guess, most would probably have said that COSO was something that could be found on the menu at an Italian restaurant. Control deficiencies were, at best, a topic of interest to auditors, internal and external. Even to many of them, the level of excitement generated was limited.
Today, all of that has changed. Section 404 of the Sarbanes-Oxley Act has made internal control over financial reporting, if not exactly a household phrase, one that is on the lips of many members of senior public company management. However, those lips are not always smiling. In fact, a Wall Street Journal editorial recently called Section 404 the “most notorious part” of the Sarbanes-Oxley Act.[1] Further, in the past few months, several hundred public companies have reported material weaknesses in their controls. These disclosures, supporters say, demonstrate that Section 404 is doing exactly what it was designed to do. Critics respond that, whatever the benefits, they are dwarfed by the costs.
The measure of the success of Section 404 will be its ability to increase financial reporting reliability and to increase public confidence. I believe that the internal control audit will eventually become an ingrained and routine part of the annual financial statement audit process. I am also optimistic that the costs will fall and that the benefits will become more pronounced and more obvious as we go through the second and third reporting cycles. But, before those things can fully emerge, some fundamental misunderstandings that have appeared this year need to be cleared away.
I want to discuss some of those with you today. Of course, before I do that, I must remind you that the views I express are my own and not necessarily those of the Public Company Accounting Oversight Board or of its other members or staff.
I. Background -- Why Section 404?
I want to begin with the basics.
Broadly speaking, the goal of the Sarbanes-Oxley Act is to restore public confidence in financial reporting. Enron, WorldCom, the collapse of Arthur Andersen, and the shocking series of accounting scandals and auditing failures that preceded and followed those events, seriously eroded public confidence in public company financial statements and in our securities markets. Section 404 of the Sarbanes-Oxley Act aims to rebuild public trust by bolstering the controls that underpin the accuracy and reliability of published financial information.
It seems obvious that control effectiveness is closely correlated with the reliability of reported financial data. Section 404 seeks to build on this correlation by requiring that every public company annually issue and file with the Securities and Exchange Commission a management report concerning the effectiveness of the company’s internal control over financial reporting. The Act also requires that these management reports be accompanied by a public report from the company’s financial statement auditor attesting to the accuracy of management’s assessment and reporting on the auditor’s view of the effectiveness of the controls.
How does the PCAOB figure into this? The Sarbanes-Oxley Act created the Board. Along with other assignments, it directed us to establish professional standards for the work that the company’s independent auditor must do in order to prepare its Section 404 internal control report. On March 9, 2004, after an extensive process of public input, the PCAOB adopted Auditing Standard No. 2 to fulfill this mandate.
II. The Section 404 Debate
While the implementation of Section 404 is now the subject of intense debate, in the immediate aftermath of the enactment of Sarbanes-Oxley, Section 404 didn’t garner much attention. And, indeed, one might fairly ask what the big deal is now.
Internal controls certainly are not new. For almost 30 years, the Securities Exchange Act has required that all public companies maintain an adequate system of internal accounting control. The SEC has brought numerous cases over the years to enforce that requirement.
If anything, in the post-SOX world, companies would seem to have a still greater interest in being sure their controls are in place and working. SOX dramatically enhanced the penalties for false financial reporting, and both prosecutors and plaintiffs’ lawyers have become extremely aggressive in pursuing false financial reporting cases -- just ask Bernie Ebbers, Ken Lay, or the WorldCom directors. It might be assumed that directors and senior executives would rush to embrace anything that minimizes the risk that the financial statements that they must sign off on are materially inaccurate or that their company’s controls do not meet the statutory requirements.
In fact, there is evidence that many executives do view Section 404 in that light. For example, 79 percent of 222 financial executives recently surveyed by Oversight Systems reported that their company has stronger internal controls after complying with Section 404. Seventy-four percent said that their company benefited from compliance with Sarbanes-Oxley and, of those, 33 percent said that compliance lessened the risk of financial fraud.[2] Further, as of April 5, roughly eight percent of companies’ 2004 annual assessments reported material weaknesses in their internal control over financial reporting.[3] This data seems to show that Section 404 is having a real, positive impact on controls.
The controversy that surrounds Section 404 today does not stem from its benefits, but from its costs. In a recent survey, Financial Executives International found that, for 217 public companies with average revenues of $5 billion, total costs for first-year Section 404 compliance averaged $4.36 million, including $1.34 million in internal costs, $1.30 million in audit fees, and $1.72 million in other external costs (such as consulting and software). In terms of personnel time, the companies surveyed said that Section 404 consumed an average of nearly 27,000 hours.[4] And, direct costs aside, it has been suggested that Section 404 reporting is diverting large amounts of executive time and company resources away from the fundamental profit-making objectives of the business. In fact, Section 404 is sometimes cited as a major incentive to go private or to refrain from going public.
The tension between the benefits and the costs of internal control reporting was on full public display two weeks ago at the SEC’s April 13 Roundtable on Section 404. More than 50 people, representing public companies large and small, auditors, analysts, and institutional investors, spoke to the standing-room-only crowd in the Commission’s open meeting room. Several broad themes emerged from the discussion:
- First, almost everyone underscored the importance of effective controls and expressed support for the objectives of Section 404. Many of the company representatives said that the 404 review process highlighted weaknesses and inefficiencies in their controls and that fixing those problems had paid dividends, both in more reliable financial reporting and in internal efficiencies.
- However, reporting companies also pointed to the high internal and external costs of compliance. Many felt that the first-year costs they had incurred far outweighed the benefits in terms of strengthened controls. Further, some companies thought that their auditors had lost sight of the big picture and were instead focused on extensive testing of process level controls that could not possibly have a material impact on financial statement accuracy.
- In contrast, users of financial information generally praised internal control reporting. One of the institutions present made the point that shareholders -- not managements -- ultimately pay the cost of Section 404 reporting. In that speaker’s view, from the perspective of the investor, the benefits of more trustworthy reporting are well worth the costs.
III. What Needs to Change?
All of the members of the PCAOB and its senior staff attended the Roundtable. We listened carefully and have also read the comment letters filed with the SEC regarding Section 404. At the end of the Roundtable, both SEC Chairman Donaldson and PCAOB Chairman McDonough promised to issue guidance designed to make the Section 404 reporting process more efficient and effective. In the case of the PCAOB, Chairman McDonough committed to act by May 16 -- just a little over two weeks from today.
I can’t yet tell you what the Board will have to say about the many issues discussed at the Roundtable. However, in my view, there are five fundamental principles that some seem to have lost sight of during this past year. Correcting those misconceptions would go a long way toward reducing cost and unlocking the benefits of internal control reporting. Here’s my list:
1. Auditors can -- and should -- advise their clients on accounting and control issues.
That proposition may seem self-evident, but one of the most common complaints is that, as a result of internal control reporting, companies can no longer turn to their auditors for advice on difficult accounting issues and that costs have increased as managements seek to fill the void by looking elsewhere for guidance. Why would internal control auditing have that effect? AS No. 2 provides that it is a “strong indicator” of a material control weakness if the auditor identifies a material misstatement in draft financials that management missed. This seems to have been read by some to mean that, to avoid prematurely spotting a problem, the auditor should maintain an arm’s length, if not an adversarial, relationship with its client. The problem is compounded by concerns about independence. Some auditors fear that, if they advise their client on auditing or control issues, they will be accused of performing management functions and of auditing their own work.
I want to respond as clearly as I can: AS No. 2 does not erect a wall between auditors and clients. A blanket refusal to give advice to clients serves neither the client’s nor the public’s interest. Auditors have long advised public companies on accounting issues and on internal control matters; Auditing Standard No. 2 does not preclude that kind of advice and discussion. Of course, management cannot treat the auditor as part of the controls by relying on it to catch errors. Further, management must be willing and able to make its own decisions on accounting issues. But, there is a clear difference between providing advice to a client so that its management can make a decision and making a decision for a client.
The bottom line is that, within some fairly broad limits, free and open communications between auditors and management concerning financial reporting and internal control issues are still permissible. Judgment and common sense should resolve most issues.
2. An effective and efficient audit of internal control requires the exercise of professional judgment.
A second problem is that the new and unfamiliar responsibility of auditing internal controls, coupled with a more hostile legal environment, has made some auditors less willing to exercise professional judgment. When that occurs, the auditor becomes a slave to checklists and to a one-size-fits-all audit plan that may have little to do with the unique issues and risks of the particular client’s financial reporting processes. One result is increasing audit fees, as junior auditors devote endless hours to process-level control testing that contributes little to the search for material weaknesses.
While this is by no means universal, when it occurs it is the opposite of what a client is entitled to expect when it retains a highly skilled (and highly paid) professional firm to perform its audit. The whole point is for the auditor to exercise judgment in deciding how to obtain evidence that the company's control system reasonably assures that the financial statements do not contain material misstatements.
The Board is committed to using its inspection program to monitor how auditors do their work under Auditing Standard No. 2. We are not in the business of second-guessing good faith audit judgments. However, if the Board believes that an auditor has performed an AS No. 2 audit in a way that is mechanistic and does not reflect the application of professional judgment to the specific risks associated with the client’s financial reporting system, we will not hesitate to point that out.
3. An audit of internal control is inherently a risk-based process.
Another, closely related misunderstanding that has made the process more difficult this year is the erroneous belief that AS No. 2 requires the auditor to treat all controls equally and prohibits tailoring control testing based on risk. An audit of controls that does not concentrate on the greatest risks is likely to be both more expensive and less prone to identify real problems.
In fact, AS No. 2 envisions a risk-based approach. First, it encourages the auditor to start with a “top-down” evaluation of controls. That is, it suggests the auditor focus first on company-level controls and then on significant accounts. By approaching the task in this way, the auditor is steered toward higher risk areas and away from those with less potential for a material impact on the financials. Second, the standard requires the auditor to obtain reasonable, not absolute, assurance regarding whether the company’s controls are effective. The concept of reasonable assurance means that the amount of testing performed should vary with the underlying risk that a particular control will result in a material misstatement. Once the auditor has reasonable assurance of effectiveness, testing can stop.
4. The financial statement audit and the internal control audit should be one integrated exercise.
Another problem that seemed to have plagued the first year was that the internal control audit and the financial statement audit were often treated as two separate, unrelated projects. In contrast, AS No. 2 envisions an integrated audit. Exploiting the ways in which the internal control audit and the financial statement audit can support each other would reduce the cost and improve the quality of both audits. For example, integration should enable auditors to place greater reliance on the results of their internal control testing in determining the nature, extent, and timing of their financial statement audit procedures.
Auditors have pointed out that it was hard to integrate internal control and financial statement auditing in year one, partly because of the time and personnel pressures stemming from the fact that managements often did not complete their control testing until late in the year. However, I think this is an area in which real efficiencies should be possible next year.
5. Small companies do not need the same types of controls or the same audit process as do large multi-nationals.
Finally, smaller public companies have been especially vociferous regarding Section 404. They point out that, as a percentage of revenues or assets, the costs of Section 404 compliance are higher for them than for larger entities. They complain that the one-size-fits-all audit approach means that some auditors may have applied expensive audit procedures that were designed for large multi-nationals to small companies and may have demanded a level of control sophistication that may be unnecessary in a small company environment.
It is certainly true that smaller, less complex businesses typically need less complex controls, and the work of the auditor should reflect that fact. At the same time, strong internal controls are at least as important to small issuers and their public investors as they are to larger businesses. In practice, smaller companies that have not had strong controls may incur costs to strengthen their controls in preparation for Section 404 reporting that are higher, relative to company size, than the costs incurred by larger companies that have more established controls. Conversely, however, Section 404 is likely to result in greater improvements in control and in greater increases in financial reporting reliability at smaller entities, as a group, than at larger ones. This should, in turn, result in lower capital costs for these companies.
There are several initiatives underway that focus specifically on the implementation of Section 404 reporting by small and medium-sized public companies. The SEC has formed an advisory committee to study and report on the impact of the Sarbanes-Oxley Act on smaller public companies. Further, the Committee of Sponsoring Organizations (“COSO”) -- the body responsible for the internal control framework that guides most Section 404 reviews -- has undertaken a project to issue guidance concerning the application of the COSO framework to smaller companies. The Board is participating as an observer in each of these initiatives. Together, they should result in a better understanding of how Section 404 can be implemented at smaller companies in a way that best matches costs and benefits.
IV. Bringing Costs and Benefits into Equilibrium
Those five points are certainly not a complete catalog of all of the issues that were raised at the Roundtable. However, I believe that correcting these problems would go a long way toward making sure that the costs and benefits of Section 404 reporting are aligned.
There are good reasons to think that compliance costs will fall significantly. First, much of the first-year costs related to correcting the effects of “deferred maintenance” and bringing controls up to the standard the securities laws have always required. Further, this is the first time through an entirely new process for both companies and their auditors. As managements and auditors gain experience with this new requirement, the costs will decline. In the FEI survey, 85 percent of respondents said they expected non-audit expenditures to decrease and 68 percent expect auditor fees to fall.
While much of the cost is up-front, many of the benefits of stronger controls and regular review of controls will appear over time. One could fairly expect that there will be fewer restatements, fewer SEC financial reporting cases, and fewer successful private actions involving accounting fraud as a result of Section 404. However, it will take several annual reporting cycles before we can determine whether these benefits are, in fact, accruing.
V. Conclusion
I want to conclude by reminding you of a point I mentioned at the beginning: The objective of the Sarbanes-Oxley Act is to restore confidence in financial reporting. Without the investing public’s confidence, our securities markets -- the engine of our national prosperity -- would cease to operate. The ultimate test of Section 404, and of those charged with implementing it, is whether we succeed in restoring and maintaining the public’s confidence in the integrity and transparency of those markets.
Thank you. I would be happy to answer any questions.
Endnotes
[*] The views expressed herein are solely those of the author and are not necessarily those of the Public Company Accounting Oversight Board or any of its other members or staff.
[1] “SOX and Stocks,” Wall Street Journal at A20 (April 19, 2005).
[2] “Financial Executives Call Sarbanes-Oxley Compliance a ‘Good Investment,’ According to Oversight Survey,” Press Release of Oversight Systems, Inc. (December 14, 2004).
[3] Source: Audit Analytics.
[4] “Financial Executives Institute Survey on SOX Section 404 Implementation” (March 2005).