As we hear or read about what’s good and bad with Sarbanes-Oxley Section 404, there seem to be almost as many viewpoints as observers. Virtually everyone believes he or she has the right “fix” for what’s wrong with the well-intentioned law, and its requirements that management assess and report on the company’s internal control system, and that the external auditor audit the system and management’s assessment of it.

This column doesn’t look at the positives and negatives of Sarbanes-Oxley and Section 404; they were the subject of my February 2006 column. Rather, this column considers some of the recommendations that recently have come forth to repair the “damage”—what many call the unnecessarily high cost—of Section 404.

So here are the recommendations, and for what they’re worth, my reactions.

Provide Guidance For Management’s Assessment

A number of observers, including one Commissioner of the Securities and Exchange Commission, have said companies need practical guidance on how to conduct their assessments of internal control over financial reporting. My response is, absolutely yes!

Before elaborating, let’s get a related comment on the table: that COSO has its shortcomings and provides only limited guidance about specifically how to conduct an assessment. To this I say, hey, wait just a minute!

To put these suggestions into perspective, let’s take a 40,000-foot look at what the various standards really are about.

Sarbanes-Oxley Section 404. While good internal control over financial reporting has been required of public companies since the days of the Foreign Corrupt Practices Act, debacles including Enron and WorldCom indicated that at least some companies’ internal control systems weren’t very good. Sarbanes-Oxley requires companies to state whether their systems are good—or not.

COSO Internal Control—Integrated Framework. This framework sets forth criteria for determining whether a system of internal control is good—the operative word actually being “effective.” That is, this document serves as the standard benchmark for effective internal control against which a company’s system is measured.

PCAOB Auditing Standard No. 2. As the regulator overseeing the external auditing profession, the Public Company Accounting Oversight Board issued this standard on how auditors should audit the company’s system of internal control, as well as how to audit management’s assessment of it.

It doesn’t take a very close examination to see that something is indeed missing. We have a requirement that management must assess and report publicly on internal control. We have a standard as to what effective internal control is. And we have a standard for auditors on what to do in an audit. What’s missing is something—a standard, guidance, or whatever—letting management know how to conduct its assessment.

Actually, such guidance isn’t entirely missing; it’s just misplaced. And it’s misplaced not in the sense of being lost, but of being in the wrong place.

Direction on what management needs to do in its assessment is provided in the PCAOB’s Auditing Standard No. 2. One might ask, “With the PCAOB having authority only over auditors, how can it set a standard for management?” Well, AS2 sets the standard for auditors to audit both internal control and management’s assessment process. In so doing, it basically says that for an auditor to issue a “clean” opinion on management’s assessment, management must have done a number of specified things. So, through what some might call the back door, the PCAOB has filled the void for what management needs to do.

Now, that doesn’t make sense in the long term. Many observers, including me, firmly believe an appropriate body needs to develop a standard or guidance on what management must do to conduct a proper assessment of the company’s internal control system. Whether that’s the SEC or another body is an open question, although presumably it should be done at least under SEC auspices.

What good would this do? The benefits include:

Getting the cart back behind the horse where it belongs. Guidance directed to management would remove the so-called back door approach. Because management is required to conduct the assessment, management should have material directly and explicitly provided to it suited for that purpose. Further, the guidance could and should be sufficiently comprehensive and focus on cost-effective means of conducting the assessment.

Putting the authority where it belongs. Managements of many companies have complained that their external auditor is in the driver’s seat when it comes to deciding what management should do in conducting its assessment of internal control. Under the current scenario, that’s understandable. Right now, the auditor has a regulator telling it what management must do for the auditor to be allowed to issue an unqualified opinion. A more logical approach would have a standard directed at management, giving management the ability to make more of those decisions itself. Of course, the auditor still would make determinations of whether management has met the standard, but the auditor would not be as involved in determining what that standard is.

Reducing cost. With the issue of 404 compliance costs at the front of people’s minds, there’s little doubt that whichever body sets a standard for management’s assessment, one sharp focus will be on making the assessment process cost-effective. Further, with less effort needed by auditors to help define what a company’s assessment process should look like, somewhat less auditor time will be needed.

Fix COSO’s “Shortcomings”

Let’s return to the allegation that the COSO framework provides only limited guidance about specifically how to conduct an assessment of internal controls.

Yes, it is correct to say that the framework provides limited (if any) guidance on how to conduct an assessment. But to call this a shortcoming is incorrect.

Why? Well, the COSO framework is designed to serve as a benchmark for what effective internal control is. It never was intended as a methodology or process for conducting an internal control assessment. That the framework does not address how an assessment is to be performed—which was never its objective—does not constitute a shortcoming.

Analogies can be useful, so here’s one that’s close to home. Consider the standards issued by the Financial Accounting Standards Board and its predecessors that today comprise GAAP. These standards provide the criteria for determining whether an entity’s financial statements are fairly stated. Does GAAP set standards for the process management should use to gather and process data and perform related activities in developing the financial statements? No. One might say that is what internal control over financial reporting does—which isn’t a standard set by GAAP, but by the COSO framework. Does that imply a shortcoming in GAAP? No, because it doesn’t cover a subject it was never intended to address.

Cut Down On Audit Work

There has been a continuing cry for auditors to reduce the amount of work in auditing internal control and management’s assessment process. The outcry seems directed not as much at the auditing firms as at the standard-setters, and with AS2 a primary focus, there are calls to simplify or reduce the auditing requirements.

The PCAOB is fully aware of these sentiments, and recently announced a four-step plan:

Amend AS2. The Board set forth several areas where this standard can be improved. Included is a plan to revisit and clarify the auditor’s role, if any, with respect to the evaluation process that a company uses to reach its own conclusion about internal control effectiveness. In addition to finding the words “if any” fascinating, this certainly is an admirable goal that hopefully will be achieved.

Reinforce auditor efficiency through PCAOB inspections. This too is an admirable goal, based on the idea that in carrying out its inspection process the PCAOB will focus on whether the auditor was efficient in doing its work.

Guidance and education for auditors of small companies. Here the PCAOB intends to develop, or to facilitate development of, implementation guidance for auditors of smaller public companies.

Continue PCAOB forums on auditing in a smaller business environment. In addition to providing education for managements and auditors of smaller public companies, the PCAOB intends to use these forums to monitor reaction to the various internal control-related implementation changes announced throughout the year.

Certainly, few would argue with this program. If successful it should help reduce costs related to 404. I would, however, suggest a word of caution. When it comes down to issuing audit opinions, auditors need to consider whether they believe they performed the right work, and sufficient work, to satisfy client needs and warrant putting their names on the line. Auditing standards always have set forth minimum requirements, and professional judgment is needed in deciding how much is enough. Doing too little work is also constrained by regulators (including the SEC and PCAOB) and the court systems. Too much work is constrained by the marketplace. Yes, standards requiring less work will likely result in less work being performed. But to take an extreme, if any regulator’s standard required no work, we can rest assured that would be seen as a minimum, and professional judgment would result in more effort being expended.

A Separate Standard For Smaller Businesses

There have been calls for a new internal control standard, sometimes referred to as “COSO lite.” The allegation is that the COSO framework is for big business, and not efficient for smaller businesses.

Analogize this to new home construction, where one might say that a large house must comply with requirements for property-line setbacks, height restrictions, and related building codes—but a small house does not. Reality is that these rules exist to protect prospective buyers and the broader community. A very large structure might require stronger material such as steel, while a small one might suffice with concrete blocks. The market for a larger house might call for sophisticated electronics systems while the smaller house might have simpler ones, but nonetheless both need to meet established code. Total costs will be higher for the large house, but relative costs to meet code might be higher for the small one. In any event, both houses need to comply with codes established to meet safety and other objectives.

Carrying over to the topic at hand, we’re talking about companies that have taken money from the public capital markets. It’s been decided that for those companies, specified standards need to be met to protect investors and the capital markets; those standards include reporting on whether the company has effective internal control over financial reporting. The COSO framework provides a benchmark that can be met in many different ways by companies of different structure, organization, circumstance and size, where each company can proceed differently in achieving the objective of effective internal control.

With this in mind, the SEC chief accountant asked COSO to develop guidance on how the existing framework can be used efficiently by smaller businesses. This is what COSO has set out to do, and is expected to issue the guidance shortly. Managements of smaller businesses should not expect relief in the form of a “COSO lite.” Rather, they should expect guidance that will describe how the standard can be met more cost effectively.

There’s little doubt that Section 404 implementation could use more efficiency. Certainly it’s positive that the dialogue—heated as it sometimes may be—is taking place, and positive action is coming. With a standard or guidance directed to management on its assessment of internal control, an audit standard with good balance, and guidance for smaller business, we should realize the benefits of 404 with greater cost-effectiveness.