The March 16 deadline for public companies to complete an audit of their internal controls over financial reporting under the requirements of Sarbanes-Oxley Section 404 has come and gone. Now that we have gone through the first run of this mammoth compliance effort, it’s time to review what we have learned and identify ways to improve the annual certification process going forward.

To comply with Section 404 and provide management and auditors with data to support certification, companies had to ensure the reliability of their accounting systems by documenting nearly everything about their assets, from the way they manage their inventories, to how they bill their customers, to how they handle payroll. While this was a useful exercise in many respects, it also cost much more than originally projected and forced many companies to delay more strategic IT and personnel investments.

The SEC originally estimated Section 404 would cost companies an average of $91,000 annually. But actual compliance costs in year one have zoomed exponentially beyond that figure. In a survey of 218 companies just concluded, Financial Executives International found member companies spent an average of $4.3 million for added internal costs and additional fees spent on auditors and other consultants and software. Companies over $5 billion in revenue spent more, $10.4 million on average, and internally, employees logged an average of 64,768 hours to comply with the regulation. Some logged dramatically more: Intel was quoted in December as having dedicated 125 full-time staff to the effort.

The requirements of Section 404 have had the unintended consequence of causing companies to delay installing new IT systems by six months or more. The rules make it impractical to add a new IT system late in the year, since many new software systems simply can’t be installed and tested before year end. The compliance burden will be a drag on future corporate productivity and profitability. Companies should be permitted to exclude new IT projects from testing until the following year’s certification, and not let an accounting rule drive strategic decisions.

Many point to the downfall of Enron, WorldCom, and others as justification for companies to invest this level of time and money to ensure that similar failures won't happen again. But Section 404 may provide a false sense of security. We should be honest about Section 404’s ability to prevent fraud. Though touted as one of the law’s potential benefits, it is likely not to have much impact. Most frauds are uncovered by insider tip-offs and the work of internal audit staff, some even by accident. But even though procedures can be documented and tested, anyone hell-bent on stealing will devise ways around the safeguards. Better fraud prevention and detection can come from expanded whistleblower protections and increased prosecution.

Things could be made significantly less costly and time-consuming going forward, without any reduced benefit, but regulators will need to step up. A more efficient process is key. The SEC and the PCAOB can do more to clarify “how much is enough” in terms of documentation and testing of internal controls. In year one, auditors seemingly operated without boundaries in pursuit of absolute assurance, and often over-audited, wasting time and money. Companies do not need to pay auditors $200 per hour or more to attend a meeting to prove it took place, for example.

Essentially, Section 404 is well intentioned, but guilty of overkill. The spirit was right on, but the zeal to document low-risk, routine transactions regardless of their significance is far more than necessary and allows almost no room for judgment. The work is so granular as to lose sight of the financial statements as a whole. Materiality does not play a strong enough role in determining what is covered.

Regulators should also embrace the wisdom of allowing auditors to rely on the cumulative knowledge gained from earlier 404 work, and not simply start from scratch when it is time to re-certify companies.

We suggest a true risk-based audit approach that defines key controls, allowing for auditors to obtain a reasonable assurance of the integrity of a company’s systems. Auditors should also be permitted to test controls throughout the year based upon risk and not wait until year-end. Audit firms have been entrusted to deliver value for their work. They have been afforded latitude in terms of the scope and depth of documentation and testing, and should exercise care in spending shareholder dollars. In the FEI survey, 70 percent of companies believe the work of their auditor improved internal controls only minimally or not at all.

Companies’ concerns over Section 404 are being heard. The SEC held a roundtable in April to consider what's working and what's not and to determine if the process can be streamlined to ensure that investors are getting useful and relevant information regarding internal controls, in a cost-effective manner. We support finding a way to reduce the burden without reducing the effectiveness. As one of the first business groups that supported Sarbanes-Oxley, we don’t see the need for an overhaul, just smarter adoption of the existing rules.

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
