Companies across the country have complained loud and clear that the internal control reporting mandates of Sarbanes-Oxley have spawned rigid, minutiae-driven accounting audits.
As a result, federal regulators aiming to establish a more balanced, less expensive process recently issued a “guidance” calling for better communications between companies and external auditors, as well as more of a risk-based focus in assessing internal financial controls under Section 404 of the Act.
The guidance – issued by the Securities and Exchange Commission and Public Company Accounting Oversight Board – followed a roundtable meeting this spring where companies voiced their concerns and frustrations with Section 404.
The guidance isn’t binding and companies can’t report auditors who don’t comply, but they may be able to “vote with their feet.”
Accounting firms have the “opportunity at this point to distance themselves in how they react to guidance. I think that will evolve over time,” according to Don Griffith, who practices in the Washington, D.C. office of Foley & Lardner.
And, according to Derek Meisner, a former branch chief of the SEC, companies “may have a bit more flexibility in avoiding regulatory scrutiny, and may receive a bit more regulatory deference in light of this reasonableness standard employed by the SEC” if an auditor is fired over a good-faith dispute.
Catherine L. Bridge of Barnes & Thornburg in Indianapolis encourages management to be assertive with auditors. “If the auditor is not tending to [be flexible] when working with you, I think you could call them to task and say, ‘The SEC said this is the nature of your obligation to us, to work with us in that way,'” she said.
The continued attention to Section 404 by SEC and PCAOB suggests that it will remain in flux for the foreseeable future.
“We’re talking to clients about the pendulum analogy,” said Pierce Atwood’s Chris Howard, in Portland, Maine. “We’ve gotten through the first year under Section 404, and the auditor internal controls, and we see the pendulum really swinging way off at one end of the spectrum. I think the effect of this [guidance] is to try to stop the pendulum from swinging back in the other direction. How effective it will be and what will it actually do to the real world, on-the-ground situation, only time will tell.”
While public companies hope for a loosening of the Section 404 strictures, Stephen M. Honig of Duane Morris in Boston cautioned: “There is a limit to the level to which the regulators will allow the process to swing. It’s quite clear from the SEC hearing that nobody expects there will be any change in Section 404. Accountants will apply a rigid discipline to the task they are assigned to.”
Open Questions Remain
While many attorneys say the guidance demonstrated the SEC and PCAOB listened and acted on the concerns companies expressed during the roundtable, difficult issues regarding the agency advisory remain.
Indeed, whether the guidance will even have the desired impact – better communication and less cost – remains unknown.
Honig is skeptical: “I’m not sure how effective the PCAOB can be in simply declaring parties ought to communicate better.”
Some say it’s too little too late, particularly for the early filers and international corporations required to report in 2006 – companies that have already begun the process of developing and evaluating internal controls.
“Now you have to go back and say, ‘Are these processes still required?’ There may be a savings as a result of that, but there’s going to be a little bit of cost in figuring out what you don’t have to do,” said Griffith.
Lack of practical advice in the guidance is another concern.
“They don’t say, ‘Here’s a suggestion of what you might do.’ They say what you shouldn’t do and what would be nice,” said Rick Denmon of Carlton Fields in Tampa, Fla.
And some aspects are left out of the guidance completely. For example, Auditing Standard No. 2 – dealing with internal controls in conjunction with the audit of financial statements – has yet to be amended, particularly the definitions of “material weakness” and “deficiencies,” which remain ambiguous.
“The auditors are still required to do separate opinions on the company’s internal control effectiveness. Management must assess [internal controls] and then auditors come in and assess the effectiveness of management’s review,” Griffith said. “The auditors have worked out what they think they mean. There’s not a whole lot of clarification on that.”
The SEC has said that guidance on these concepts is forthcoming from the PCAOB.
Independence is yet another area where the industry hopes for additional help.
“A wall went up between the external audit and accounting function and the company’s internal financial system and controls,” said Howard. “There was a lot of concern about independence. One thing the PCAOB didn’t say was clearly in the background of all this is the whole question of independence, and what does it mean to be independent. Is it the SEC’s and PCAOB’s intent to define it?”
Hoped For Impact
Pierce Atwood advises its clients that the most important message within the guidance covers communication between companies and their auditors, Howard said.
“The SEC and PCAOB realized the system now just can’t be maintained at the current level of rigidity and cost,” he said, “so the agencies advise auditors to work with clients as they had in the past, answering questions and giving advice without it having implications for the auditors’ later assessment of material weaknesses.”
Also telling is that the SEC and the PCAOB are telling auditors to take a risk-based approach to internal control evaluation. Most have been doing this anyway, hoping it was the right thing to do, but now they know it is.
“The biggest impact is that the SEC has reiterated that registered public accounting firms should recognize that there is, as they describe, a zone of reasonable conduct that is appropriate and acceptable in the context of a Section 404 analysis,” said Meisner, of counsel to Kirkpatrick & Lockhart in Boston. “Stated differently, there’s no need to control everything.”
Meisner indicated that companies need to assess and test accounts and processes that are relevant to internal controls over financial reporting but don’t need to go beyond that. “Even within the confines of financial reporting, what needs to be tested are the areas posing the greatest risk to the integrity of financial reporting,” he explained.
Bridge added: “The SEC was pretty definite that you don’t need to test every single control with the same depth of focus [each year]. It’s all based on risk. Let’s focus on the most significant accounts and what relates to them, look at what the risk profile is.”
Small companies may feel a weight lifted as it appears under the guidance that they needn’t be subjected to the same kind of scrutiny as a Fortune 500 company.
“The SEC and PACOB suggest there is room for auditors’ experience and discretion,” Griffith said.
The notation by the SEC and PCAOB that each company should be evaluated on a case-by-case basis means the determination of whether a material weakness exists will be tailored much more closely to the actual company’s actual controls.
If auditors actually take this guidance to heart it should result in less expensive internal reporting fees, Bridge said.
Reduced Compliance Costs?
Some of the largest companies in the world trading on U.S. exchanges estimate costs of nearly $30 million to $40 million over just a few years to implement Section 404, given the high internal and external audit costs, Griffith said.
On a more moderate scale, companies doing perhaps $2 billion in business are estimating costs of $4 million to comply, he noted, and smaller companies routinely pay hundreds of thousands of dollars.
For some the cost isn’t worth being publicly traded. Clients are going private or simply not going public.
“We have a client that’s proceeding to go private because of the expenses of Sarbanes-Oxley,” said Jan Neuenschwander of Barnes & Thornburg. In the first year the client spent $200,000 to comply with Section 404 and estimated it would cost approximately $50,000 per year to continue to comply, she said.
One reason the cost is so high is companies are essentially required to hire two separate auditors – one to consult on the development of the internal controls and another to evaluate the controls. The idea is that an auditor can’t objectively evaluate controls it helped create, Denmon said.
Role For In-House Counsel
While the marching orders given by the guidance are directed at management, auditors and audit committees, in-house counsel have an important role to play.
“[They can] provide information and input to audit committees so they can pursue with vigor the cost-saving opportunities that the guidance provides,” Honig suggested. “Make sure to the extent appropriate for particular companies that the guidance is availed of to reduce costs.”
In-house counsel should encourage the audit committee to discuss with the accountants each opportunity for cost savings outlined in the guidance. This will reveal “the degree to which the auditor can be induced to believe the guidance and lighten up on the quantity and intensity of review,” he continued.
Until there is clear guidance about what companies will be held accountable for, Denmon suggests audit committees continue to document everything they’ve reviewed and approved.
In-house counsel can also advise management on how this guidance factors into the company’s overall compliance functions, Griffith noted.
“Get your compliance people involved with the program. See what your internal compliance folks are they seeing. What deficiencies are they discovering that might be better dealt with from the writing of the new compliance policy?” he said. “Talk amongst yourselves. The corporate function, internal audit compliance, PR, they get siloed and they’re not talking to one another. [With] more people, the better the chances are you’re going to establish the kind of control environment that assures you’re reporting correctly and people aren’t breaking the law.”
* * *
What the Guidance Says
While Section 404 of the Sarbanes-Oxley Act of 2002 has provided a “heightened focus on internal controls at the top levels of public companies,” according to the Securities and Exchange Commission, implementation in the first year resulted in extraordinarily high costs because of “the mechanical, and even overly cautious, way in which those rules and standards have been applied.”
In the guidance issued May 16, the SEC encourages managers and auditors to “bring a reasoned judgment and a top-down, risk-based approach to the 404 compliance process.”
“A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance,” the SEC wrote.
The guidance goes on to encourage frequent and frank dialog among management, auditors and audit committees without fear that discussion of internal controls will be deemed a deficiency in internal controls.
In the wake of Sarbanes-Oxley, businesses became afraid that if they asked their auditors how to account for a particular transaction, the auditors would consider that confusion or inquiry a symptom of weak internal controls.
SEC expert Stephen M. Honig of Boston urged in-house counsel and audit committee members to read the entire guidance.
“I think an audit committee would benefit from understanding the texture of the answer and the audit committee will be better prepared to deal with the auditors if they make the investment in actually reading the guidance,” Honig said.
To read the SEC’s Statement on Implementation of Internal Control Reporting Requirements as well as the SEC Staff Statement on Management’s Report on Internal Control Over Financial Reporting, go to the “important documents” page of New England In-House’s website.
Questions or comments can be directed to the publisher [email protected].