Companies Say Risk-Based Approach Remains Elusive

Corporate executives gave regulators an earful of complaint last week that hopes of a risk-based, top-down approach to audits of internal control still have yet to take root, despite extra guidance and two years of experience.

Speaking at a much-anticipated roundtable discussion among auditors, regulators and corporations to review progress in the second year of compliance with Sarbanes-Oxley, executives said that guidance issued in the wake of last year’s roundtable has helped reduce the transaction-level focus that dominated the first year of SOX compliance. But the desired goal of a top-down, risk-based approach to internal control assessment and auditing hasn’t fully developed, they added.

Gillan

In two panel discussions at the day-long event, officials from the Securities and Exchange Commission and the Public Company Accounting Oversight Board agreed that they have heard much the same. As PCAOB member Kayla Gillan described it, “We’re hearing anecdotally that the [2005] guidance has not been fully incorporated into what is happening on the ground.”

James Turley, chief executive officer of Ernst & Young, didn’t argue the point. “We’ve made an effort to bake that in quickly,” but audit firms’ implementation of that guidance takes time, he said.

Wondering how they could improve Sarbanes-Oxley compliance or whether existing rules need revision, regulators also asked how auditors have affected the compliance process generally. Scott Taub, acting chief accountant at the SEC, pointedly asked: “How would management’s process have been different if auditors were not going to be involved with testing controls?”

Taub and his cohorts were trying to determine whether last year’s guidance should have been more tightly woven into the language of Auditing Standard No. 2—the PCAOB’s blueprint for audit firms to assess internal control over financial reporting, which has been sharply criticized as too exacting. Much of this year’s roundtable debates centered on whether AS2’s prescriptive nature should be softened to allow auditors a more judgment-based, principled audit approach.

Corporate executives embraced the latter idea. “We would have committed more of our resources at the entity-level, tone-at-the-top-type controls,” Lee Level, corporate vice president and board member for Computer Sciences Corp., said in answer to Taub’s question about controls testing sans auditors. “The reality is our process was driven by the auditor’s opinion of controls. We went about determining what they needed to reach their conclusions and we went down that path.”

Level said his company would prefer guidance directed at management, to give companies some specific direction of their own instead of leaving the process to be driven by auditors’ needs.

Testing: AS2 vs. COSO

A study due out in June by the Institute of Management Accountants will support the notion that auditors’ interpretations of AS2—rather than management’s decision-making—are driving executives’ actions to comply with Sarbanes-Oxley and specifically the internal control provisions in Section 404. According to the IMA study, 62 percent of financial executives it surveyed say most of their internal control assessments were dictated by AS2, not the 1992 COSO framework that the SEC has endorsed as a roadmap for managing and assessing internal controls. Some 70 percent agreed that a significant part of SOX compliance costs stem from a lack of guidance on how to distinguish between an effective or an ineffective internal control system.

Gordon

Susan Gordon, chief accounting officer for CBS Corp., didn’t fully agree that the external audit function is driving the compliance process. “I don’t think there would have been a difference,” she said. “Management is responsible for assessing controls.” She conceded, however, that CBS still wrangles with its auditors over how much testing is enough.

For example, she said, “a healthy tension” exists over the extent to which CBS should test spreadsheet controls. It’s a “very interesting battle” with the company insisting it can rely on automated computer technology, while the auditors want the controls tested, she said.

Panelists generally agreed that regulators—principally the SEC—should provide some new direction on how management and auditors decide what is material and what needs testing.

Lisa Flavin, vice president of audit for Emerson Electric, gave the example of accrued vacation, an account at her company which both management and auditors agree is not significant to financial results. Yet the dollar value exceeds a quantitative threshold the firm has mandated as bringing an account into scope, so Emerson spends 500 to 1,000 of labor hours on that account alone with little value added to the process.

“The cost-benefit equation doesn’t make sense,” Flavin said, but auditors are too fearful of the PCAOB’s inspection of their work or potential litigation to reduce the testing. “A monitoring control would be much more efficient,” Flavin said. “We need more guidance on where qualitative factors may override a quantitative threshold.”

Rotational Approach

Regulators also asked whether a testing rotation system might work, testing various controls every few years. Frank Brod, the newly hired chief accounting officer for Microsoft, said the concept has been proposed by a corporate reporting committee at Financial Executives International, which he chaired until recently.

Brod

“You learn from what you have, and you spend your time on those things that need the attention,” Brod said. “We shouldn’t have to call for a complete retest of everything every year.” Investors might also like the idea more if it were called benchmarking instead of rotational testing, he added.

Jay Howell, an associate director of assurance with BDO Seidman, was skeptical. “If auditors are going to issue an opinion, it should be based on testing,” he said.

Brod also took his panel appearance as an opportunity to implore the PCAOB to speed up its “disappointingly slow” inspection reporting process. “The 2003 financial report is inspected in 2004, and then the report is issued in late 2005,” he lamented, leaving no opportunity to incorporate any lessons learned into the financial reporting process for this year’s annual report season.

Related resources, guidance and coverage can be found in the box above, right.