The Securities and Exchange Commission has received an earful from the public about the need for more guidance to companies on how to assess internal controls over financial reporting, even as opinions differ deeply on what form that guidance should take and exactly what issues it should address.

The SEC announced in July that it wanted to give more guidance to companies struggling with sky-high compliance costs for Sarbanes-Oxley, particularly its Section 404 requirements to attest to the effectiveness of internal controls. But the agency only issued a 28-page concept release, soliciting comment on 35 questions the SEC posed but otherwise offering little insight into what the Commission might ultimately do.

Among other points, the concept release asked whether additional guidance would be useful, whether it should take the form of a rule or interpretive guidance, and whether previously issued guidance should be incorporated into whatever final document emerges. The SEC also sought comment on the role of outside auditors and on guidance needed to help management implement a “top-down, risk-based” approach to identifying risks to financial reporting and related internal controls.

Days before the Sept. 18 deadline for comments, most public companies that responded said more guidance is desperately needed and that the SEC should incorporate its May 2005 statement on implementing a risk-based approach and its October 2004 list of frequently asked questions about the management report on internal controls over financial reporting.

Vicki Hitzhusen and Ann Criswell, chief accounting officer and director of accounting and SEC compliance, respectively, at U.S. Oncology, wrote that “overall principles-based guidance in this area, supplemented with examples, general definitions and expected ranges, are necessary.” Martyn Webster, director of finance at XenoPort, suggested that non-accelerated filers should not have to attest to Section 404 until management guidance is provided.

Another frequent theme was the need for examples to help companies understand what they should do. Christopher Meshginpoosh, director of public company advisory services at the auditing firm Kreischer Miller, called for “detailed guidance for registrants, including hypothetical examples illustrating alternatives available to management that might differ from those available to auditors.”

Meshginpoosh also voiced a chief complaint: Without guidance specifically for managers, companies have been forced to give in to auditors’ insistence that internal controls be assessed using the Public Company Accounting Oversight Board’s Auditing Standard No. 2, which has been widely criticized as far more exhaustive and costly than really necessary.

Many people, including Hitzhusen and Criswell, said the SEC’s previous guidance either should be included by reference or inserted directly into the new document precisely so that auditors will be more willing to consider it. “In our experience, our external auditors discount the guidance in the [May 2005] Staff Statement and the FAQs, and have placed an emphasis on their firm’s interpretation of AS No. 2, even when it does not appear to be appropriate based on subsequent guidance,” Hitzhusen and Criswell wrote.

Meshginpoosh said incorporating both documents into the new guidance “might eliminate the need for management teams to sift through multiple publications, thus increasing efficiency in management’s assessment process.”

Questions Of Rules And Roles

Views diverged on whether the new guidance should be in the form of a rule or interpretive guidance. While the SEC says it expects the guidance to be issued as a rule, it appears to have left the question open, asking for comment on that matter in the concept release.

Nancy Dryburgh, SOX compliance manager at Winterthur U.S. Holdings, favored a rule “because they are easier to follow, more clear, and less open to erroneous interpretation.” Likewise, Dennis Stevens, director of internal audit at The Alamo Group, preferred a rule because past efforts at interpretive guidance “have not had a substantial effect on the amount of work, expense or benefit presently associated with SOX 404 compliance.”

COMMENTS

Below are excerpts of comments the SEC received on its forthcoming guidance about Section 404 compliance.

Christopher Meshginpoosh, director, Kreischer Miller:

“The PCAOB and the SEC have generally made it very clear that AS2 dictates the responsibility of the auditors - not registrants - and that the methods utilized by registrants might differ substantially from those utilized by the auditors. Driven by both the fear of an adverse opinion as well as the absence of detailed guidance, registrants have generally employed assessment techniques based upon the guidance issued to public company auditors by the PCAOB in AS2 as opposed to fully leveraging existing monitoring practices to eliminate redundant assessment efforts. Accordingly, we believe that detailed guidance for registrants, including hypothetical examples illustrating alternatives available to management that might differ from those available to auditors, would be extremely useful to management teams in their attempts to formulate sound approaches that comply with the spirit of Section 404.”

Jeffrey Stratton, corporate controller, Alcon Inc.:

“An enterprise must have the ability to be flexible as operational needs arise, and the ability to implement changes in accounting systems, accounting methodologies, and the underlying internal controls around financial reporting as reporting needs change. A control environment is dynamic and should appropriately change with changes in operations. In order to maintain any sense of efficiency, companies must be allowed to use their judgment in designing, implementing and monitoring changes to their respective control environments with changes in operations.”

Arnold Hanish, chief accounting officer, Eli Lilly & Co.:

“We believe the requirement of two internal control opinions from the external auditors is overly burdensome, redundant and warrants revisiting. Section 404 of the Act requires each registered public accounting firm to “attest to, and report on, the assessment made by management of the issuer”. This has been interpreted during implementation, in conjunction with Section 103 of the Act, to require a standalone auditor opinion on the effectiveness of internal controls. This has clearly added to the cost of compliance, as it requires a level of planning, testing and documenting by the external auditors that greatly exceeds the level required to evaluate management’s assessment.

“If an external auditor disagrees with management’s assessment, an adverse opinion on management’s assessment would be expressed. The scarcity of such adverse opinions in the first two years of SOX 404 compliance indicates that management assessments have been accurate and that a second opinion from the auditor is likely excessive and the incremental cost unjustified. Therefore, we would like additional guidance to allow for more discretionary judgment by the external auditor and management.”

Source

Securities and Exchange Commission

Meshginpoosh, however, believed detailed guidance “would be much more valuable” than more generalized rules. While “an abundance of general information [is] available for registrants,” he wrote, “what appears to be lacking is clear interpretive guidance that management and auditors can use as a basis to support judgmental issues encountered during the assessment process.”

The SEC also sought input on the role of outside auditors in connection with the management assessment and the auditor attestation required by Section 404. The latter—which currently requires external auditors to perform two attestations, a review of management’s assessment and an independent attestation on the organization’s internal controls—has been under fire by companies as being at least partly to blame for the sky-high costs associated with 404.

Paul Townsend, vice president of risk management and internal audit at Teekay Shipping Corp., said external auditors should only sign off on management’s work and not do their own assessment of internal controls, “which is complete duplication, especially since our auditors have refused to rely on our work.”

Stevens wrote that changes to the outside auditor’s role “are absolutely necessary.” The company laid out an alternative approach, which would permit management to develop a test schedule that spans several years and wouldn’t require all controls to be assessed annually.

Commentators also said more guidance is needed regarding how to define “material weakness” and “significant deficiency.” Stevens complained that the definitions should be “substantially revised … While the overall direction of management’s assessment goes toward a ‘top-down, risk-based’ approach, the definitions of ‘control deficiency,’ ‘significant deficiency’ and a ‘material weakness’ … do not contain the word ‘risk’ and do not otherwise appear to be risk-based,” Stevens wrote.

Dryburgh at Winterthur said it would be “most helpful” if guidance regarding the definitions of those terms were “scalable to be meaningful to companies of various sizes.”

Additional Guidance, Specific Examples

While responding companies had their own ideas about the specific types of guidance that they’d like to see from the SEC, most asked for additional guidance and specific examples on at least some, if not many, aspects of Section 404.

Dryburgh said her company wants to see specific examples of how to implement a “top-down, risk-based” approach to identifying risks to financial reporting and the related internal controls, as well as guidance on when entity-level controls can be used and on how much quantitative and qualitative factors, such as likelihood of an error, should be used when assessing risks and identifying controls for the entity.

While Hitzhusen and Criswell said new guidance should focus on principles “and avoid mandating specific methods and procedures,” they also wrote that it should “provide examples, definitions and general ranges so that each reporting company is able to interpret and apply the concept to its organization.”

Meshginpoosh said hypothetical examples “would be most useful” to help management identify risks to financial reporting. For instance, he noted, “examples of how conclusions regarding the effectiveness of entity-level controls could be utilized to reduce specific process-level control testing would clarify one aspect of guidance that continues to present difficulties in application.”

The effort to develop management guidance comes as the SEC is mulling changes to the Section 404 implementation schedule for non-accelerated filers. In August, it proposed, among other things, extending the date by which non-accelerated filers must start providing a management attestation to the effectiveness of internal controls and extending the deadline for external auditors’ attestations for those issuers. The comment period on those proposals ended last week.

The SEC also pledged to work with the PCAOB to make AS2 more palatable for companies complying with Section 404, and to inspect PCAOB efforts to improve Section 404 oversight. [See related box at right.]