Final 404 Rules Expected By June 2007

The Securities and Exchange Commission is stepping up pressure to alleviate the exacting audit standard companies currently endure under the Sarbanes-Oxley Act, vowing to work closely with the Public Company Accounting Oversight Board as the two agencies try to release final SOX compliance reforms by June.

The SEC and PCAOB have struggled for nearly a year to ease the compliance burdens of Section 404 of SOX, which requires a detailed assessment of a company’s internal controls over financial reporting. At a special open meeting last week, the SEC directed its staff to work the PCAOB as the latter writes up a new standard for auditors to follow when they audit a company’s internal controls.

The proposed amendments to Section 404 are twofold: SEC guidance to help companies understand their compliance obligations, and PCAOB guidance to help auditors understand how to audit their own assessments of a company’s internal controls.

While the PCAOB’s proposed new standard is viewed as an improvement over Auditing Standard No. 2—the standard it will replace, which has been blamed for the high costs and difficulties associated with implementing Section 404—it has been criticized as still being too prescriptive, particularly in comparison to the more principles-based approach used in the SEC guidance.

At last week’s meeting, SEC commissioners voted unanimously to approve staff recommendations for bringing the two proposals closer together. The SEC staff said it plans to work with the PCAOB on four major areas:

Alignment: Identifying and eliminating unnecessarily prescriptive requirements and harmonizing key terms and definitions in both proposals.

Scalability: Extending the scalability concepts throughout the new audit standard and ensuring applicability of the scaling concepts without unnecessary conditions.

Use of judgment: Ensuring auditors have latitude to use judgment to determine the level of testing and evidence required and to make use of management’s risk assessment and monitoring activities. The staffs will also look at auditor requirements related to communicating significant deficiencies, since management has responsibility for communicating significant deficiencies to the audit committee under SOX.

Use of work of others: Modifying auditor requirements relating to assessing competency and objectivity to make them more principles-based and providing clarifications as to when auditors can use work of others, including management monitoring activities.

Crucially, the Commissioners also indicated last week that they want final guidance published by the end of May, so companies have ample time to prepare for their Section 404 audits in the 2008 calendar year. Smaller public companies—the vast majority of public companies in the United States—have been exempt from Section 404 so far, but they must begin complying with the management attestation on internal controls at the end of this year, and the auditor attestations at the end of 2008.

SPEECH

Below is an excerpt of a speech PCAOB Chairman Mark Olson gave to the Securities and Exchange Commission on April 4, 2007.

We are looking closely at the comments on the topic of the alignment between the Board’s standard and the SEC’s management guidance and anticipate making some changes to address this issue. Management’s assessment and the audit of internal control are distinct, yet complementary, steps in the Section 404 process of providing assurance to investors about the reliability of companies’ financial reporting. It is important, therefore, that these steps be coordinated.

At the same time, we must not lose sight of the fact that management and the auditor have different perspectives on the company’s internal controls, and the assessment and audit have different objectives under Section 404. Management is more directly involved with the daily operations of the company and therefore works with the company’s controls on a constant basis. Therefore, management’s assessment of the effectiveness of the company’s internal control can, and should, reflect that familiarity. The auditor’s perspective, however, is quite different. Like the financial statement audit, the audit of internal control is intended to provide investors with an independent accountant's opinion, formed on the basis of procedures performed with appropriate professional skepticism, about whether the internal control is effective. The standard must therefore establish a process through which an independent auditor can form a sufficient basis for expressing such an opinion.

Because of the fundamentally different roles management and the independent auditor serve, the standard the Board proposed in December would not require the auditor to specifically evaluate management's assessment process. Our intention was to recognize that management may perform its assessment in a manner that may be different from the process the auditor uses to reach an independent opinion. Removal of the requirement to specifically evaluate management’s process, together with the SEC’s guidance to management, should see to it that the auditing standard does not become the de facto guide to performing a management assessment.

Just as management must prepare the financial statements to be audited, management also must establish internal control over financial reporting within the company and assess the effectiveness of its internal control, which the independent auditor must then audit. While there is a close relationship between management's and the auditor's work, this does not mean that the audit should not consist of any different or additional procedures other than what management has already performed as part of its assessment. By requiring an audit of internal control, the Act clearly mandated an independent process of testing and reporting on management’s assessment of whether the company’s internal controls are effective …

Improve Scalability Of The Audit

The proposed standard includes a section on scaling the audit for smaller, less-complex companies. This section incorporates discussion of both size and complexity. We received many comments on this section from all affiliation groups – auditors, issuers, investors, academics and others. In general, most commenters were supportive of the concept of scalability and the proposed standard's general approach but made several recommendations for change.

Regarding the proposal’s overall approach to scaling, a number of commenters held the view that scaling is an implicit aspect of the risk-based approach and specific tailoring approaches are a natural extension of complexity as a risk factor. Many commenters stated emphatically that this should not be a stand-alone discussion that applies only to smaller companies. Most commenters felt strongly that all audits should be tailored based on the complexity of the company even though the benefits of scaling are likely to be of greater benefit to smaller companies. Regarding the practical implications of scalability, there was general agreement among commenters that the attributes listed were sufficient and that the tailoring directions for auditors were adequate.

Source

Public Company Accounting Oversight Board (April 4, 2007)

Cox

“We’re now entering the home stretch of completing this important work,” SEC Chairman Christopher Cox said during the April 4 meeting. “We’re on track to consider the final adoption of our proposed management guidance, by perhaps by the end of May.”

Similarly, PCAOB Chairman Mark Olson said his Board is committed to finishing its revised standard for auditors, known as AS5, “as soon as possible, so the new standard will be in place for 2007 audits.”

Any PCAOB audit standard must be approved by the SEC before it can take effect. An SEC press release said the Commission expects the revised PCAOB standard to be submitted for review by the end of May or early June.

Staff Plans For Guidance

The two agencies each issued proposals for comment last December. The SEC received roughly 200 comment letters on its proposal, while the accounting oversight board received more than 170. Commenters on both plans raised concerns about a lack of alignment between the SEC’s proposed guidance for management and the PCAOB’s new rule for auditors.

SEC staffer Josh Jones noted that auditors in particular have questioned whether the PCAOB needs a separate standard on using the work of others and suggested the Board might be able to fine-tune its existing standard instead.

With regard to flexibility, Olson noted that based on the comments his Board received, it will “apply a critical eye” to each of the “must” and “should” requirements in the proposed AS5 to ensure all of them are necessary. He said auditors commented that the numerous mandatory and presumptively mandatory requirements in the current proposal would require auditors to do more work, not less.

In a statement, Cox said the result of the new auditing standard, together with the SEC’s new guidance for management “should make the internal control review and audit more efficient by focusing the effort on what truly matters to the integrity of the financial statements.”

Cindy Fornelli, executive director of the Center for Audit Quality, which represents roughly 800 accounting firms that audit public companies, including the Big 4 firms, said the SEC and the PCAOB “struck the right balance between making the audit both more effective and more efficient.”

In a statement in response to the meeting, Fornelli lauded the focus on scaling the audit, regardless of size, based on the company’s specific circumstances and on allowing the auditor to use his or her professional judgment in making that determination.

She said the group is also “pleased” that auditors would be left to determine the extent to which they would rely on the work of others in rendering an audit opinion.

Still, Dennis Stevens, director of internal audit at the Alamo Group and an outspoken critic of SOX compliance burdens so far, is skeptical the changes discussed at the meeting will result in significant changes.

Stevens

“The major effort here seems to be toward getting the PCAOB and the SEC on the same page with respect to their requirements,” Stevens says. “This must happen, and I think the four main issues that were raised must be addressed to achieve that end. So, yes, what the SEC approved will help in that regard.”

But, Stevens says, the discussions seem to suggest that the “top-down, risk-based approach will save the day” by focusing auditors on only those controls that are important.

“But it was also said that rotational testing would not be supported, all controls must be considered every year, and the only difference between high- and low-risk areas would be the extent of testing involved,” Stevens says. “Therefore, the only efficiency that results from the ‘top down, risk-based’ approach lies in determining how much testing will be done.”