With a new roadmap to help companies obey the Sarbanes-Oxley Act now in hand and compliance deadlines for non-accelerated filers officially set, the task of evaluating and reporting the effectiveness of internal controls should be a vastly different experience for the legions of small companies now preparing to comply with Section 404 for the first time, auditing experts say.

On Dec. 13, the Securities and Exchange Commission finally gave Corporate America what it has craved for more than two years: proposed new guidance to help companies understand how they should document and test internal controls over financial reporting, as required by Section 404. The new rules would allow smaller companies to focus only on the controls needed to address the risk of material misstatements in their financial statements by scaling their evaluations and procedures to their circumstances. The guidance emphasizes principles, rather than rules, and eliminates a separate auditor opinion on management’s assessment.

At the same time, the SEC approved revised deadlines so that non-accelerated filers—the vast majority of public companies in the United States—will start providing management’s assessment regarding internal control over financial reporting in annual reports for fiscal years ending on or after Dec. 15, 2007. Those filers will comply with the auditor-attestation requirement in annual reports filed for fiscal years ending on or after Dec. 15, 2008.

Meanwhile, the Public Company Accounting Oversight Board also has proposed a new standard to replace Auditing Standard No. 2, the punishingly detailed rule external auditors have used to assess a company’s internal controls so far. The new proposal would direct auditors to focus on top-level company controls, use a risk-based approach, scale audits to the size and complexity of the company, and rely more heavily on the work of others (that is, company management) when conducting their assessments.

All those changes, says Bob Hirth, global head of internal audit for the consulting firm Protiviti, mean that “In terms of effort, documentation, testing and the hours involved, the process will be reasonably to substantially different than what the pioneers in 2003 and 2004 had to do.”


Hirth says the guidance—which he dubbed “a flight instruction manual for companies and management”—will give smaller, less complex companies leeway to do less extensive testing and documentation and to rely more on company-level controls in low-risk areas.

Still, since the guidance and new audit standard may not be final for months, Hirth cautions that many companies and their auditors may have to go through their first year of 404 without the benefit of the resulting changes. “It’s most likely companies with a September year-end or beyond that will have enough time to fully digest and implement the new rules,” he says.

Experts say accelerated filers, now already in their third year of Section 404 compliance, aren’t likely to change much as a result of the guidance, since they and their auditors have geared their approaches to fit the existing rules.

“They went through so much pain to get where they are, I don’t know if they’ll want to open that box again,” says Christopher Meshginpoosh, director of public company advisory services at auditing firm Kreischer Miller.

Anthony Zecca, partner-in-charge of the Cohn Consulting Group, however, says the new guidance will allow management and external auditors “to take a more pragmatic approach to how they assess the control environment, as opposed to AS2, which was one-size fits all.”

Evolution Of SOX Compliance

Much has changed since Section 404 first appeared on the horizon in 2003. Foremost, Hirth says, the early days saw little dialogue among accelerated filers and their auditors. “Now there’s a more appropriate relationship and a greater opportunity for dialogue,” he says, which means better alignment of expectations.

PROPOSAL

An excerpt follows from the SEC’s proposed interpretive guidance.

In order to determine whether a control deficiency, or combination of control deficiencies, is a material weakness, management evaluates each control deficiency that comes to its attention. Control deficiencies that are determined to be a material weakness must be disclosed in management’s annual report on its assessment of the effectiveness of ICFR. Management may not disclose that it has assessed ICFR as effective if there is one or more control deficiencies determined to be a material weakness in ICFR. As part of the evaluation of ICFR, management considers whether the deficiencies, individually or in combination, are material weaknesses as of the end of the fiscal year. Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness if there is a reasonable possibility that a material misstatement to the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually insignificant. Therefore, management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion, or component of internal control, to determine whether they collectively result in a material weakness.

The evaluation of a control deficiency should include both quantitative and qualitative factors. Management can evaluate a deficiency in ICFR by considering the likelihood that the company's ICFR will fail to prevent or detect a misstatement of a financial statement element, or component thereof, on a timely basis; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies. This evaluation is based on whether the company's controls will fail to prevent or detect a misstatement on a timely basis, not necessarily on whether a misstatement actually has occurred.

Several factors affect the likelihood that a deficiency, or a combination of deficiencies, will result in a misstatement in a financial reporting element not being prevented or detected on a timely basis. The factors include, but are not limited to, the following:

The nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk);

The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);

The subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);

The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);

The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and

The possible future consequences of the deficiency.

Management should evaluate how the controls interact with other controls when evaluating the likelihood that the company's controls will fail to prevent or detect on a timely basis a misstatement that is material to the company’s financial statements. There are controls, such as general IT controls, on which other controls depend. Some controls function together as a group of controls. Other controls overlap, in the sense that more than one control may individually achieve the same objective …

In evaluating the magnitude of the potential misstatement to the company’s financial statements as a whole, management should recognize that the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger. Moreover, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement. For example, if the deficiency is that errors identified during an account reconciliation are not being investigated in a timely manner, management should consider the possibility that larger errors are more likely to be investigated or identified through other controls than smaller ones.

Management should evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. When evaluating a deficiency in ICFR, management also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP.

Source

Proposed Rule: Management’s Report On Internal Control Over Financial Reporting (Securities and Exchange Commission; Dec. 20, 2006)

Companies also fumbled along in their compliance efforts with poor definitions of exactly what a material weakness or significant deficiency was; those terms have subsequently been clarified. Also, during the first years of compliance, companies saw virtually all controls in any process get identified, documented, and often tested. Under the new guidance, “only the most key controls dealing with only the most important risks” will receive that close scrutiny, Hirth says.


Zecca now believes that external auditors “may be able to scope down some of the work we’re doing in low risk areas,” and cites the payroll function as one example. Under AS2, all payroll processes were documented and tested, even though payroll is a low-risk function for material misstatements for most companies. Under the proposed new guidance, Zecca says less work may be required in that area, even for accelerated filers.

Another example from Hirth: Previously, all a company’s physical locations “seemed to get considered in some way.” Going forward, Hirth expects that companies will be able to evaluate whether a location is material and how susceptible it is to risk, which should mean less extensive documentation and testing.

In the rush to implement SOX in 2004, most companies ignored potential automation of their controls, leaving them with controls that had to be tested manually. Even when a control was automated, “it wasn’t clear how many times such control had to be tested,” says Hirth. Under the proposed guidance, if a company can demonstrate that it keeps a strong grip on its automated controls, and a control doesn’t change, it only needs to be tested in the first year of its existence.


And in a larger sense, the proposed changes end the previous practice where each year’s audit needed to stand on its own; that should lead to less re-documenting of internal controls and less testing. “That’s a big opportunity to improve the cost effectiveness of Section 404,” Hirth says.

Indeed, Ken Goldmann, an audit partner at accounting firm J.H. Cohn, says that change should benefit some accelerated filers, too. In cases where controls don’t change and the personnel and systems don’t change from day to day, some smaller companies will have the ability to use work performed in the prior year, he says.

Increasing Efficiency

Meshginpoosh says the ability to focus on company-level controls under the new guidance also should provide cost savings. To date, few companies and auditors have relied on such controls, in favor of transaction-level controls—which can be easier to identify individually, but more expensive to document and test in aggregate.

For example, many small companies perform budget-to-actual comparisons in the area of interest expense, which is a company-level control. However, they don’t always specify clearly the level of variance that would require investigation by management—a necessary step from a SOX perspective, to confirm that the control would identify material misstatements.


“There’s a substantial opportunity for cost savings by clarifying those thresholds and making sure those types of reviews are sufficiently documented, so companies and auditors could rely on those controls in lieu of lower level process controls,” Meshginpoosh says.

The ability to rely more on monitoring activities also should reduce compliance costs. Meshginpoosh notes that smaller companies routinely prepare reconciliations that are reviewed by the chief financial officer or controller. “If properly documented and reasonably extensive, the reviews are a monitoring activity that the company could rely on as evidence of their SOX testing,” potentially eliminating the need for redundant testing, he says.

There is one item that Meshginpoosh believes won’t trim costs: the elimination of the auditor’s opinion on management’s assessment. “It will decrease the burden on management, but I’m not convinced it will result in a decrease in audit fees,” since auditors still have to document from initiation to processing, he says.


Dave Richards, president of the Institute of Internal Auditors, agrees. “Most of the audit cost rests in the opinion that [the] SEC kept: the outside auditor’s independent assessment of internal control,” he says.

Richards’ group says eliminating the opinion on management’s assessment raises a “concern that management might take the road of least resistance and do the least amount of work necessary, because nobody’s coming in to check.”

“It opens the door for management’s assessment to be less rigorous than it has been,” Richards says. While the SEC has made clear that management doesn’t have to follow the same process the auditor uses to arrive at its assessment, he adds, “They haven’t provided any how-to guidance on doing the assessment.”

Comments on the proposed guidance are due Feb. 27. For an excerpt from the proposed guidance and its source document, see the sidebar above.