Much has been written about the proposals from the Securities and Exchange Commission and the Public Company Accounting Oversight Board on Sarbanes-Oxley Section 404. If you’ve been dealing with 404 implementation, you’re probably already familiar with what the proposals say, so I won‘t bore you with another recitation.
I do, however, have some observations that may provide a new perspective, and I’d like to share them here. We'll focus particularly on what you as a CFO, SOX 404 project leader, chief audit executive, or audit committee member should know about the implications of these forthcoming changes.
Impassioned Calls for Change
Soon after the SEC and PCAOB proposals hit the street, the call came for those agencies to change what they had put forth. There were requests to remove any external auditor role entirely, so only management would report on a company’s internal control over financial reporting. Other commentators, recognizing the low likelihood of that occurring at least for the foreseeable future, complained that the PCAOB’s proposed rule is too prescriptive and detailed, amid allegations that management will be coerced into following it rather than the higher-level, more principles-based SEC guidance.
Still others asked that the PCAOB’s rule for auditors be scrapped entirely, leaving only the SEC rule in place for all to follow. And others claimed that the bar still is too high and asked for changes, such as allowing a company to report that internal control is effective even where a number of material weaknesses exist. And then there were institutional and other investors on the other side of the fence, fearing that the proposals will have the effect of watering down quality and opening the door to inconsistent audits, and consequently negate the benefits flowing from 404.
These comments (and many others that have swamped the agencies’ files) are wide and far reaching, but this column isn’t about commenting on the comments. Rather, it’s about what you can do to deal with these new rules. Yes, they are going to be tweaked before final issuance. The SEC has stated there will be changes, including better alignment between the SEC’s and PCAOB’s documents, as well as greater scalability, allowable use of judgment, and use of the work of others. But for the moment let’s presume that these documents—which the SEC expects to issue in final form about the same time this column is published, and the PCAOB plans to issue soon after—will be improved but will not differ very much in substance from the initial drafts. Let’s take a look at how best to deal with them.
Auditors No Longer Report On Management’s Process
Probably the most significant change from the existing rules is removal of the requirement that the auditor issue an opinion on management’s assessment process. As you know, management will continue to assess the company’s internal control system and report on its effectiveness, and the auditor will continue to report on the financial statements and on the effectiveness of the company’s internal control itself. But no longer will the auditor report on what management did to arrive at its conclusion.
And now the SEC is issuing guidance aimed directly at management, letting management know what it needs to do to be positioned to issue its report. Until now, a void existed regarding what assessment process management needed to follow, which by default was filled by the PCAOB’s Auditing Standard No. 2. With its new rule, SEC is taking over setting the standard for management.
The implications are significant and mostly positive for management, but with some counterbalances. Because the SEC’s guidance is principles-based and without the auditor having to opine on what management does, management has considerable leeway in deciding just what it wants to do. In many cases there will be less effort and cost in the assessment process. Some commentators take exception with this analysis, saying that management will somehow be forced or coerced into following the more prescriptive PCAOB rule, tentatively named AS5. But the fact is that management can either continue doing what is has been doing in past years, or follow the SEC’s new assessment guidance as a “safe harbor,” in doing what it must under 404.
There are, however, a couple of offsets to this benefit.
One is that management—including the CEO and CFO signatories—will still want to do enough work on its assessment process to feel comfortable with the 404 filing. Similarly, the audit committee and board will also want management to do sufficient work for the directors to have confidence in the reliability of the filing.
Another reality is that the less work management does in its assessment process, the more work the auditor will need to do (and vice versa). This is more so the case under the new rules, which allow greater use by the auditor of management’s work.
With that said, it should take less effort for an auditor to use management’s work in forming its opinion on the internal control system than it takes to form an additional, separate opinion on management’s assessment process. So the overall net benefit should be positive, in terms of less effort and cost.
Achieving Additional Efficiencies
Both the SEC and PCAOB proposals emphasize a top-down, risk-based approach to scoping and testing. While guidance issued in May 2005 discussed the relevance of this broad-based approach, now it will be included in the rules themselves, providing a sounder foundation. Managements and auditors who hesitated to embrace this approach should be more willing to do so going forward.
Similarly the added emphasis on entity-level controls, particularly monitoring controls, should for many companies significantly reduce the need to focus on detailed, process level controls. And managements and auditors should be positioned to take advantage of opportunities to use knowledge gained in prior years, and to scale work down in smaller companies.
Looking further at the PCAOB’s proposed rules, we see additional areas for reduced work:
Auditors are encouraged to take a truly risk-based approach to multilocation testing, where testing controls over a “large portion” of the company are no longer required;
Auditors will no longer need to obtain the “principal evidence,” and there are greater opportunities to use management’s work;
There will be less work in performing “walkthroughs,” because it takes less effort to walk through each significant process rather than each major class of transactions. And less work will be needed in testing the design of controls, as the rules say a sufficient evaluation of design is done during the walkthrough.
Another area where reduction in effort will often be possible is in “benchmarking” IT controls. That is, where IT general controls remain effective and a baseline on IT application controls was established in prior years, little (if any) work may be needed. Although at some companies auditors already have software in place for automated testing of IT application controls, efficiencies may be gained by avoiding the need for extensive testing each year.
Some Changes Provide Little Help
At the same time, there are elements of the new rules that won‘t be of much help in reducing cost. For example, changes to the definitions of “material weakness” and “significant deficiency” won’t modify auditors’ behavior, unless the auditors misunderstood the prior rules. Certainly there are some who did just that and audited to too low a level—that is, they planned the audit to search for deficiencies below the level of a material weakness. The new rules should show them the light. But otherwise, these changes won’t help much.
And to the extent auditors already implemented the May 2005 guidance to conduct a truly top-down, risk-based approach, it may be difficult to wring further efficiencies from that element of the new rules.
The Bottom Line
The net result is that the new rules certainly provide opportunities for significant efficiencies, on the part of both management and auditors. The extent of cost reduction will, however, vary by circumstances.
Regardless, it is useful to manage expectations on the extent of cost reductions, keeping in mind the environment in which we operate. Managements and boards want to be sure their filings are reliable; they want to be confident that a reported conclusion of internal control being effective is indeed accurate. And auditors certainly will keep an eye on those peering over their shoulders—be it a firm’s own internal inspection program, the PCAOB and the SEC, or ultimately the court system. Some auditors are concerned the PCAOB inspection process might result in second-guessing judgments made under the new rule, and they are all too familiar with the litigious environment in which they operate. The reality is that a particular audit partner is likely to suffer greatly if he or she is deemed to have done too little work resulting in a deficient audit.
Further, there are some who anticipate that auditors will not cut back on work from a standpoint of generating fee revenue. While there may be instances where that’s the case, I believe reputable firms will strive to make 404 audits increasingly efficient to foster long-term client relations as well as to do the right thing for their clients and the capital markets.
Gaining The Benefits
What can you do to help ensure that the intended benefits are realized? Well, first, continue to work with your auditors in understanding what they plan under the new rules, and how they will take advantage of the opportunities. In-depth discussions from a sound knowledge of the rules and your company’s circumstances should lead to identified efficiencies.
In addition, you can determine exactly what changes you and your management colleagues are planning with regard to the company’s assessment process and how those changes may affect the auditor’s work. Coordinating the two processes should result in combined efficiencies. This doesn‘t mean the auditor should dictate what you want to do, but working together toward a common goal will be useful.
Finally, you can discuss with your auditor the extent to which they plan to perform a truly integrated audit. We’ve seen instances where little benefit was gained in reducing effort in the financial statement audit, despite the significant work done in the 404 audit. You can help make sure that your auditor carefully considers the results of the 404 work in scoping the work for the financial statement audit.
For more information on the new rules and their implications, you may want to refer to the white paper, “SEC and PCAOB Proposed Guidance/Rules—Summary and Analysis,” available from Open Pages.
No comments yet