It’s a fear corporate accounting executives have had for months: that the number of internal controls subject to testing and auditor scrutiny won’t decline all that much, despite new guidance calling for more of a risk-based approach to Sarbanes-Oxley compliance.

Now, exclusive Compliance Week research shows those fears may well come true.

According to a Compliance Week survey of 280 public companies, most companies have managed to reduce their “key controls” that must be documented and tested under Section 404 of Sarbanes-Oxley—some by a considerable amount. But a large majority don’t expect significant reductions in the future, even with the new risk-based approach to auditing espoused by Auditing Standard No. 5.

More than half of respondents said they expect to reduce their key controls by no more than 10 percent, and another one-fourth anticipate a drop of only 10 to 20 percent. In total, the results suggest that more than 80 percent of companies expect no better than a 20 percent reduction in their key controls.

The good news: three-quarters of the companies participating in the survey say they have already pruned back their key controls by anywhere from 5 percent to 60 percent in their own evolving efforts to comply with SOX. On the extremes, 13.4 percent reported cutting their key internal controls by 5 percent or less, while 14 percent reported whacking their key controls anywhere from 60 to 80 percent.

Compliance Week’s research also provides an interesting glimpse into just how broadly a key control can be defined. For example, the average number of key controls for companies with revenue greater than $50 billion is 1,567, but respondents’ specific answers in that group range from only a few hundred to as many as 5,000.

Sanjay Narain, a principal with Ernst & Young and a firm leader in internal control solutions, attributes that to the lack of any standard way to count controls. “At one company, if a reconciliation is done at 10 different places, that’s 10 key controls,” he says. “At another company, that’s one key control at 10 different places.”

Identifying which company controls are “key” to the accuracy of financial statements is crucial to a company keeping its SOX compliance costs under control. “The No. 1 cost driver in the compliance process is the number of key controls that are selected,” says James DeLoach, managing director at the consulting firm Protiviti.

DeLoach says the wide variety of key controls across companies reflects what he sees. “It depends on their industry, the complexity of their organization, the number of locations, whether they’re centralized or decentralized, whether they have an ERP system or not, the maturity of their processes, whether they have different legacy systems,” he says.

One of the most pressing questions in the financial reporting community right now is whether Auditing Standard No. 5 and accompanying Section 404 guidance from the Securities and Exchange Commission will be of any practical help to companies. Many suspect not; they fear their auditors will continue to force their own interpretations of key controls and SOX compliance onto the company, regardless of what AS5 theoretically allows a company to do.

Daniel Harper, vice president and assistant controller at Time Warner, said in a recent Deloitte Webcast that he doesn’t expect a great deal of new efficiencies to be realized in the assessment and audit for 2007 financial statements. “We were gravitating toward the spirit of the SEC guidance as we implemented our self assessment, and we rationalized controls in 2005 and 2006,” he said. “We continue to look at this process as a journey. Over time, we continue to get smarter at what we do.”

An internal auditor at a $130 million technology company, who asked not to be identified, tells Compliance Week that his external auditor isn’t even interested in management’s risk assessment, and instead will use the audit firm’s framework or checklist for defining which controls should be tested.

The internal auditor says his company has rationalized controls somewhat in the past few years, but “per our audit partner, key controls will not disappear … My risk assessment is not taken into account when they determine key controls. It’s still determined by the audit firm when they map it into their framework.”

PAST PERFORMANCE

Below is a summary of what companies reported for decreases in their key controls since the first year of SOX compliance in 2004.

| Drop | No. of Cos. | As % of Total |
|---|---|---|
| 0 to 5 percent | 37 | 13.4 % |
| 5 to 10 percent | 27 | 9.7 % |
| 10 to 20 percent | 30 | 10.8 % |
| 20 to 30 percent | 36 | 13.0 % |
| 30 to 40 percent | 40 | 14.4 % |
| 40 to 50 percent | 34 | 12.3 % |
| 50 to 60 percent | 34 | 12.3 % |
| 60 to 70 percent | 21 | 7.6 % |
| 70 to 80 percent | 18 | 6.5 % |
| Subtotal | 277 | |
| Did Not Respond | 3 | |
| Total | 280 | |

Source: Compliance Week Key Controls Survey (March 3, 2008).

The internal auditor says he believes the audit firm is simply trying to protect revenue. “If you take a rationalized approach, it would drop the cost 15 to 20 percent, and that hits their bottom line,” he says. “The partner has a target just like everyone else in a business unit. Firms have taken these approaches and different interpretations to minimize the loss on fees. That’s what’s happening in my world. No one wants to hear it, but that’s what it is.”

DeLoach counters that management must be ready to assert itself. “The lead step in this dance is and will always be management,” he says. “If management doesn’t lead the way, there is no way external auditors have the responsibility to do that. The external auditors are going to follow management’s lead.”

What Are We Talking About?

Part of the rub between management and auditors remains in the notion that there’s no single, accepted criterion for what constitutes a “key” control for purposes of the Section 404 assessment and assertion, says Glenn Davis, head of corporate governance services for accounting firm J.H. Cohn. The definition most commonly held is that a key control is one that, if it failed, there’s a reasonable likelihood the failure would result in a material error in the financial statements.

While companies may be patting themselves on the back for reducing the number of controls to be tested, Davis worries that leads to a misdirected focus. “It doesn’t change the number of controls a client exercises or the process,” he notes. “It doesn’t do anything except reduce the number of controls they have to rely on and test.”

If the regulatory gavel were in Davis’s hand, he says he would suspend compliance long enough to allow companies to right-size their entire control environment, without concern for who defines which control as key and, therefore, subjects it to testing and scrutiny. That would allow companies to focus on which controls are important to successfully managing and reporting on the business, and then all controls would be “key,” he says.

“We need to get away from the obsession of what is a key control,” he says. “When I was a CEO of a company, I never asked, ‘What are the key controls?’ I asked ‘Are our systems well controlled?’”

Kathy Schrock, a partner at the consulting firm Tatum, says companies must also remember the difference between SOX objectives and their own business objectives.

“SOX doesn’t really care if the company made a good business decision,” she says. “It’s only concerned with whether it was recorded properly. While companies are focusing on streamlining controls and SOX compliance efforts, they need to be sure they are not losing sight of the other key controls or processes that are important to achieving business goals and effectively managing risks.”

For SOX purposes, consultants and auditors say companies can still gain more efficiency by reducing the number of controls considered key to financial statement assertions. Tom Connors, an audit partner at Deloitte & Touche, says companies should more fully leverage AS5 direction to focus on entity-level controls as key controls.

FUTURE RESULTS

... And below are estimates of how much companies expect to reduce their key controls in the future.

| Drop | No. of Cos. | As % of Total |
|---|---|---|
| 0 to 5 percent | 78 | 28.3 % |
| 5 to 10 percent | 85 | 30.8 % |
| 10 to 20 percent | 65 | 23.6 % |
| 20 to 30 percent | 36 | 13.0 % |
| 30 to 40 percent | 6 | 2.2 % |
| 40 to 50 percent | 6 | 2.2 % |
| 50 percent or more | 0 | 0 % |
| Subtotal | 276 | |
| Did Not Respond | 4 | |
| Total | 280 | |

Source: Compliance Week Key Controls Survey (March 3, 2008).

He says companies also still have a lot of manual processes in place that, if automated, would reduce the number of controls considered key. “A big source of inefficiency is the routine sampling of transactions where there is very little risk of significant misstatement,” he says.

DeLoach also stresses that AS5 and the SEC’s new Section 404 guidance were published too late last year to have much effect on Corporate America’s 2007 financial statements, which are hitting the street now, so further reductions in key controls are still very possible.

“That did not give companies sufficient time to think through this, which is one of the reasons why there is still further opportunity to reduce key controls,” he says.

Where to Find Improvements

Trent Gazzaway, managing partner of corporate governance for Grant Thornton, says continued improvements will come with time. “There is still room for improvement, and that will come with experience,” he says. “You can’t legislate good judgment. You have to have experience, and it takes time to get there.”

Connors says Deloitte’s own surveys suggest a significant number of companies still plan to rationalize controls by further assessing which are most important to assuring reliable financial reporting.

Bill Watts, head of the consulting SOX practice at Crowe Chizek, says some companies haven’t yet given up their spreadsheet programs, which don’t offer a great deal of safety or security. “There are still a lot of opportunities around that,” he says. “There’s a lot more room for reliance on technology and automation.”

Gazzaway says the soon-to-be finished framework on monitoring controls should help companies reach a new plateau in control assessments. The framework is in development by the Committee of Sponsoring Organizations (COSO); Gazzaway is part of the task force developing the guidance.

“If you don’t monitor controls, they eventually deteriorate,” he says. “Monitoring provides the people responsible with information they need to conclude the system is working the way it’s supposed to, and it provides a level of oversight. Good internal control requires some level of monitoring, and if that’s the case, what does good monitoring look like?”

The framework will address the issue in detail, Gazzaway says. He hopes the guidance will be completed by summer.

The Institute of Management Accountants recently issued a call for an entirely new regulatory process to help eliminate the variability in internal control assessments. The IMA says there should be a new regulatory body to create standards for how to assess internal controls.

“The IMA is suggesting the creation of a level playing field for corporations in their efforts to implement SOX 404,” says Paul Sharman, president of the group. “This means the development of a set of standards by folks who understand business and the way in which corporations actually design and implement internal controls using practices, procedures, and processes such that they function in a controlled state.”

Sharman says AS5 still trumps SEC’s management guidance in directing the 404 process. “SEC management guidance was sufficiently open to interpretation that auditor guidance continues to prevail,” he says. “Unlike financial accounting standards, which are absolute, the SEC management guidance leaves it to AS5 to be definitive. It should be the other way around.”