Even though standards or deadlines are not yet mandated, many companies are spending inordinate amounts of time — or should be — beefing up their internal controls. Much of this activity is at the prodding of the independent auditors, whose attestation fees are often estimated at a level at least as high as the current audit fees.

[As an aside, many companies are being approached by their auditors to do internal controls remediation work. Most companies are concluding that the independence rules are not clear enough to permit this. These companies also are wary, for investor relations purposes, of paying additional non-audit fees to their auditors.]

Closer Than You Think

Section 404 of Sarbanes-Oxley requires that the SEC adopt rules regarding internal controls attestations. Unlike many other provisions, Section 404 does not impose a deadline on the SEC. However, the SEC staff is determined to adopt rules so that they apply to filings made in 2004. The SEC's outstanding proposal indicates that the final rules would apply to filings made after September 15th of this year, but that does not appear likely at this point.

Although these dates appear far away at first glance, much work remains until then to reach compliance and avoid negative disclosure. In reality, companies want to go through one cycle of the attestation process one quarter before it's mandated — no matter how sound an internal controls system is, there almost certainly will be exceptions found.

Lots of Uncertainty

As for what standards to apply, this is a matter of debate at the moment.

The Public Company Accounting Oversight Board, which officially must be constituted by April 26th, has made it clear that it has taken the standard-setting reins from the AICPA.

However, the AICPA recently issued standards for internal controls attestations. And it is rumored that the PCAOB acting chair recently stated that new standards in this area are not necessary at this time. If true, then maybe the AICPA standards can be utilized.

Lots of uncertainty; more to come.

Rules For The Road

TheCorporateCounsel.net recently hosted a Webcast featuring John Huber of Latham & Watkins, who is a former Director of the SEC's Division of Corporation Finance. Partners from PricewaterhouseCoopers and KPMG also participated on the Webcast, and here are "Ten Rules of the Road" that came out of the session:

Get Started Now - Section 404 is not going away, and implementation will be expensive; so don't wait until the 404 rules are finalized before you begin the process.

Plan Ahead - Analyze what you have and assess the scope of what you will evaluate.

Differentiate Types - Understand the differences between three categories of controls:

Internal controls that the company already has;

Existing controls that will be altered or enhanced; and

New internal controls to be established.

Part of this process is evaluating what effect, if any, the changes we're making in terms of 404 implementation will have on the certification rules and Item 307 of S-K disclosures.

Go With COSO - Use the COSO standards as a benchmark. The Committee of Sponsoring Organizations of the Treadway Commission standards have been used by many financial institutions since 1993 in complying with FDICIA, which requires managements of certain financial institutions to make representations concerning internal controls to their outside auditors.

Coordinate With Outside Auditors - While the outside auditor can't be responsible for designing or implementing 404 systems, it should be involved in the process.

    The outside auditor can evaluate, review, recommend and assist with internal control reporting requirements — management must take ownership of the decision-making process and the end result.

    This is a real time process, and since the auditor is going to attest to this under 404, it's better for the company to know sooner rather than later what the auditor's views are.

Inherent Tension - Implementing 404 is a very big undertaking — one in which the process itself is important.

    It's different than the 302 and 906 certifications since the outside auditor is going to render an attestation opinion under 404. According to Huber, "There is an inherent tension in my mind between the certification under 302 and 404. For example, backup certifications used to satisfy 302 and 906 will probably not be the primary way of satisfying 404."

Continually Evaluate - Until the IC process is finished, Huber recommends people continually evaluate how it's working. Test it for reliability. Adjust it for changing circumstances, particularly the adoption of the final rules under 404.

Disclosure Integration - Coordinate your efforts to implement 404 with your existing disclosure controls and procedures in the disclosure committee. Have a clear understanding of the relationship between internal controls and disclosure controls and procedures.

One Size Does Not Fit All - Fit the 404 systems to meet the needs of the particular company. One size does not fit all. Don't adopt 404 systems that won't be followed or are not understood. So training is a necessary component of this process.

Tracking - You'll need an automated tracking system if you're a global company. 404 will also affect when you can implement new systems and when you can upgrade existing systems, even if you're not a global company.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.