Compliance Roundtable Paints AS2 As Target

Auditing Standard No. 2, the thicket of regulation tying public companies’ audits of internal controls into Gordian knots, is increasingly emerging as the likely target for any potential reform of the Sarbanes-Oxley Act and its painfully expensive Section 404.

At last week’s crucial roundtable meeting of regulators, auditors and corporate executives, critics of Sarbanes-Oxley pounded away at AS2. Their main complaint: a lack of guidance on how to implement it, leading audit firms to adopt a take-no-prisoners approach to the audits of internal control over financial reporting required by Section 404, and consequently pushing the cost of 404 compliance sky-high as they test every control regardless of its real impact on financial reporting.

While most arguments heard at last week’s roundtable weren’t anything new, debate over how to reform Sarbanes-Oxley is reaching new heights because vast numbers of small public companies will need to start complying with Section 404 for fiscal years ending in the latter half of 2007. Since those companies will need to start preparing for that deadline well in advance, the pressure is on regulators to make any modifications to their current standards—such as revising AS2 to make it more palatable for small companies—in short order.

DeMint

Feeney

What’s more, Congress may soon intervene. Sen. Jim DeMint, R-S.C., and Rep. Tom Feeney, R-Fla., plan to introduce legislation that would require the Securities and Exchange Commission to create alternative requirements for companies that wish to opt out of Section 404, and would instruct the SEC and its Public Company Accounting Oversight Board to change the standard of what a true material weakness is.

Speaking at one of five panel discussions at the day-long roundtable, Ann Yerger, executive director of the Council of Institutional Investors, was among those who urged the SEC and PCAOB to act quickly. “We need to move forward,” Yerger said, noting that the CII believed Section 404’s sore points could be massaged through more guidance from the SEC and PCAOB. “If the SEC and PCAOB don’t act, Congress will, and we think that’s a sub-optimal response.”

While CII doesn’t necessarily favor another extension for small issuers, Yerger said, the group could deal with “one additional, modest, final extension,” but she urged regulators to “get on with it.”

Similarly, Michael Cook, audit committee chairman at Comcast Corp., Eli Lilly and other companies, also urged the SEC simply to settle—one way or another—whether Section 404 will apply to smaller companies, which he said is “creating a lot of heat.”

SEC Chairman Christopher Cox said the SEC and PCAOB will evaluate the comments from the roundtable as the agencies “consider what next steps we’ll take to improve the efficiency and effectiveness of the process.” And while the event largely focused on large, accelerated filers that have now experienced two years of Section 404’s internal control requirements, Cox noted that the SEC is sensitive to the concerns of smaller companies, which cropped up in the day’s discussions anyway.

Revising AS2

Cox

As they have in many public forums recently, regulators again last week made clear that they’re open to amending AS2 and providing more guidance on how to implement the standard. In opening remarks during the discussion, Cox noted that Sarbanes-Oxley has “great potential” to improve the accuracy and reliability of financial reporting, but only if implemented “properly” and in “the manner Congress intended.”

“In process,” Cox continued, “it hasn’t always worked out that way.” Cox went on to say he hoped the roundtable would bring regulators “closer to the finish line of getting 404 right sooner rather than later.”

Gradison

Meanwhile, PCAOB Acting Chairman Bill Gradison said he and his colleagues “always had flexibility in mind” when they voted to adopt AS2. While Gradison said he has “concerns” about small audit firms that have yet to conduct the internal controls audits required under 404, “I believe we’ll succeed if we communicate that AS2 is not only flexible, but scalable.”

Participants appeared to agree that Section 404 has produced both costs and benefits, but had widely differing views on which aspect holds greater weight, whether changes to AS2 were needed, and what adjustments or additional guidance are warranted. While many stressed the need to amend AS2 and for more guidance on implementation, others cautioned against revisiting AS2 just as issuers and auditors are getting comfortable with the existing process.

GAO AND 404

The excerpt below is from, "Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies," published by the U.S. Governmental Accountability Office, April 2006:

Smaller Public Companies Have Incurred Disproportionately Higher Audit Costs in Implementing the Act, but Impact on Access to Capital Remains Unclear

Based on our analysis, costs associated with implementing the Sarbanes-Oxley Act—particularly those costs associated with the internal control provisions in Section 404—were disproportionately higher (as a percentage of revenues) for smaller public companies. In complying with the act, smaller companies noted that they incurred higher audit fees and other costs, such as hiring more staff or paying for outside consultants, to comply with the act’s provisions. Further, resource and expertise limitations that characterize many smaller companies as well as their general lack of familiarity or experience with formal internal control frameworks contributed to the challenges and increased costs they faced during Section 404 implementation. Along with other market factors, the act may have encouraged a relatively small number of smaller public companies to go private, foregoing sources of funding that were potentially more diversified and may be less expensive for many of these companies. However, the ultimate impact of the Sarbanes-Oxley Act on smaller public companies’ access to capital remains unclear because of the limited time that the act has been in effect and the large number of smaller public companies that have not yet fully implemented the act’s internal control provisions.

Smaller Public Companies Incurred Disproportionately Higher Audit Costs

Our analysis indicates that audit fees have increased considerably since the passage of the act, particularly for those smaller public companies that have fully implemented the act. Both smaller and larger public companies have identified the internal control provisions in Section 404 as the most costly to implement. However, audit fees may have also increased because of the current environment surrounding public company audits including, among other things, the new regulatory oversight of audit firms, new requirements related to audit documentation, and legal risk … [W]e found that (1) audit fees already were disproportionately greater as a percentage of revenues for smaller public companies in 2003 and (2) the disparity in smaller and larger public companies’ audit fees as a percentage of revenues increased for those companies that implemented Section 404 in 2004. For example, of the companies that reported implementing Section 404, public companies with market capitalization of $75 million or less paid a median $1.14 in audit fees for every $100 of revenues, compared to $0.13 in audit fees for public companies with market capitalization greater than $1 billion. Among public companies with market capitalization of $75 million or less (2,263 in total), the 66 companies that implemented Section 404 paid a median $0.35 more per $100 in revenues compared to those that had not implemented Section 404.

However, using publicly reported audit fees as an indicator of the act’s compliance costs has some limitations. First, the audit fees reported by companies that complied with Section 404 should include fees for both the internal control audit and the financial statement audit. As a result, we could not isolate the audit fees associated with Section 404. Second, the fees paid to the external auditor do not include other costs companies incurred to comply with Section 404 requirements, such as testing and documenting internal controls and fees paid to external consultants. While the spread between what smallest and largest public companies that implemented Section 404 paid as a percentage of revenue increased between 2003 and 2004, we also noted that, as a percentage of revenue, the relative disproportionality between the audit fees paid by smaller public companies and the largest public companies remained roughly the same between 2003 and 2004. However, unlike audit fees, these costs are not separately reported and, therefore, are difficult to analyze and measure.

Source

Governmental Accountability Office (April 2006)

During an opening session billed as an overview of the second year of 404, several panelists cited improvements as a result of Section 404, such as fewer material weaknesses and improved investor confidence. Still, most also seemed to agree with a sentiment expressed by Barbara Hackman Franklin, former U.S. Secretary of Commerce and now a board director and audit committee chair for various companies, who said, “There’s more work to be done to balance the costs and benefits.”

Franklin and other speakers, including Comptroller General David Walker, who heads the Governmental Accountability Office, urged regulators to amend AS2 to incorporate guidance they issued last year. Many panel members also agreed that the SEC should provide guidance for management to do its own attestations of controls. AS2, issued by the PCAOB, provides guidance only to auditors—but since no similar standard exists for management, issuers say it has become the default standard for everyone.

While panel members cited surveys showing steep declines in second-year compliance costs, Colleen Cunningham, president and chief executive officer of Financial Executives International, said, “We still hear from our members that the costs [of 404] still far outweigh the benefits.” Cunningham cited an FEI study showing that while 404 compliance costs dropped in 2005, they did not fall as much as most issuers had predicted in 2004.

Ed Nusbaum, chief executive at audit firm Grant Thornton, conceded that the “underlying principles” of AS2 do work, but called for more principles-based guidance on internal controls—especially “real-life examples” and case studies, he added. Nusbaum and others also called for regulators to better define material weaknesses and significant deficiencies.

During the last panel of the day, Bob Kueppers, deputy chief executive of Deloitte & Touche, said he was “ambivalent” about re-opening AS2. While he supported amending the standard to incorporate last year’s guidance, he said, “There is a certain amount of risk to opening up standard.” Likewise, Nick Cyprus, a member of the board of the Committee of Sponsoring Organizations, warned regulators to be “extremely cautious about making changes to AS2 … Audit firms and management understand the guidance out there.”

Other Criticism

Separately, a number of speakers throughout the day, including Franklin, urged that PCAOB inspection reports be more timely “to get the most out of the process and give feedback and guidance to auditors.”

During a discussion on Section 404’s effect on the market, several panelists noted that the internal controls provision has improved investor confidence in the U.S. capital markets, but they also said the disclosure and internal control assessment and reporting processes could be improved. Some speakers suggested lengthening the testing cycle of non-critical controls so that low-level controls wouldn’t have to be tested annually.

Another speaker, Robert Pozen, chairman of MFS Investment Management, suggested the SEC and PCAOB examine models such as that of Great Britain, which offers a “more flexible approach and optional approach” to financial reporting obligations, and which includes some guidelines along with rules.

Sounding a harsher note, Alex Davern, chief financial officer of National Instruments, said the SEC “deserves a failing grade for the implementation of Section 404.”

Davern

“We’ve all been patting ourselves on the back because things got a little better,” he said, but noted that back in 2003, the SEC estimated the costs Section 404 compliance at about $90,000 and expected that cost to be relatively level for all companies. And at last year’s roundtable, auditors predicted that external audit costs would come down sharply—when, Davern claimed, those costs haven’t come down at all.

In comments the day after the roundtable, one participant, Peter Minan, KPMG’s national managing partner for audit, said, “After two years of implementation work, regulatory guidance and marketplace discussion, a vast reservoir of information now exists around the implementation of Sarbanes-Oxley, especially Section 404.”

Minan suggested that representatives from the SEC, the PCAOB and the audit profession “should meet regularly to have a dialogue about all of the knowledge that now exists regarding financial reporting” with the objective of identifying best practices to improve the implementation process. “We should seize this great opportunity,” he said.

Related resources, commentary and coverage can be found in the box above, right.