New proposed guidelines from federal securities regulators should ease the costs and burdens of complying with the auditing requirements under Sarbanes-Oxley.
The new guidelines recently issued by the Securities and Exchange Commission focus on the integrity of corporate managers and the most risky aspects of a company’s financial reports.
“It’s more top-down, and risk-based,” said Scott O’Connell of Nixon Peabody in Manchester, N.H. “It helps every business focus their energy on wherever they have problems. That’s a difference. It’s a ‘material-issues’ focus, as opposed to an ‘everything’ focus.”
Craig Bradley of Stites and Harbison in Louisville, Ky., added: “The SEC action is certainly going to help management significantly. It will give them guidance on what internal controls they should be looking at and how to prioritize those controls.”
Securities attorneys also anticipate the proposed guidelines will curb the costs associated with complying with Section 404 of Sarbanes-Oxley. It is common for a company with between $100 million and $500 million per year in sales to spend $1 million in auditing fees, Bradley said, and that’s been a sore spot since Sarbanes-Oxley became law in 2002.
Stephen Honig of Duane Morris in Boston said this guidance is merely the next phase of a program the SEC set in motion last year when it refused to exempt smaller, publicly held companies from the Section 404 controls. But it’s good news, nonetheless, he said.
“The SEC is serious when they say they’re not going to make people kill themselves” over complying with Section 404, he said.
The public comment period on the new guidelines ends Feb. 26. The guidelines can be found at www.sec.gov/rules/proposed/2006/33-8762.pdf.
In the absence of SEC guidance for management about how to assess internal controls and procedures, management to date has attempted to adhere to the standards developed for auditors, Bradley explained. Current accounting standards require auditors to examine every control, forcing management to do likewise, he said.
The SEC guidelines indicate management should first evaluate whether a company’s internal controls guard against the possibility of a material misstatement in its financial statements. Then management should evaluate the operation of controls based on an assessment of the risk associated with those controls.
“The SEC,” according to Bradley, “makes it clear management should look at only the most significant controls and evaluate and test those, and they don’t necessarily have to test every single internal control.”
The SEC has “recognized that there needs to be judgment applied as far as what is really an important control and what isn’t,” said Russell Ryan of King & Spalding in Washington, D.C., and a former SEC staff member.
“For example, you may not need to test the control in place for who needs to sign off on buying paper for the copy machine, things like that. You should focus on the significant controls that present some real risk of material misstatement,” Ryan said.
The SEC has also extended the deadline by which smaller companies must provide management’s assessment of internal controls. Companies with fiscal years ending after July 2007 now have until Dec. 15 to comply, instead of July 15.
While this is good news, it doesn’t apply to many companies. Thomas Vaughn of Detroit-based Dykema noted it affects only 15 percent of companies covered by Sarbanes-Oxley.
The SEC also delayed for one year the auditor attestation on internal controls. In 2007, management will conduct its assessment, and then auditors will not have to review that assessment until 2008. This will allow companies to spread the cost of compliance over a two-year period, Vaughn explained.
Many had hoped the auditor attestation might be jettisoned altogether, but the SEC rejected that request.
Auditing changes
As for auditors, the Public Company Accounting Oversight Board (PCAOB) recently issued proposed rules that would supersede Auditing Standard No. 2, which currently sets forth how an audit of internal controls should be conducted.
The PCAOB wants auditors to focus on the most important controls and emphasizes the importance of risk assessment. The board also proposes revised definitions of “significant deficiency” and “material weakness.” The proposed rules would remove the requirement that auditors evaluate management’s process for developing their internal controls, and would require auditors to tailor the process to smaller and less-complex companies.
The proposed new rule can be found at http://www.pcaobus.org/Rules/Docket_021/2006-12-19_Release_No._2006-007.pdf.
The public comment period on the proposed rules ends Feb. 26.
Securities attorneys hope the PCAOB’s clarification will help auditors dovetail their audits with the SEC guidance to focus on the most significant risks to financial statements and those controls most important to preventing and detecting financial misstatements.
Similar to the proposed SEC guidance, “the emphasis [of the PCAOB’s proposed rules] is on a risk-based analysis so you don’t need to evaluate and test every single control that relates in any way to financial reporting, but you [instead] focus on controls that are most important and most likely to present a risk that financial statements might become materially inaccurate if that particular control fails,” Ryan said.
Under another proposed rule, auditors would be allowed and encouraged to use the work of others when conducting subsequent audits. The current rule requires audits to start new each year.
“That’s where a lot of the expense came in,” Honig explained, “because the accounting firms felt, as a practical matter, they were compelled to almost go back to ground zero and look at all the procedures and to retest all the procedures. This, of course, is very expensive and time consuming.”
Scalability
The issue of scalability within Section 404 of Sarbanes-Oxley is important because without it, small companies often are hit with undue expense and have to undertake an extraordinary amount of work in relation to the size of their businesses.
Smaller companies are fundamentally different than larger companies, even if they are publicly traded, Bradley said.
“It doesn’t make any sense that you would apply the same auditing standard to a Fortune 100 company to a company that has just $100 million in sales,” he said. “The two organizations don’t have the same internal systems and complexities.”
The new SEC guidance and proposed PCAOB rules will allow smaller companies to “have a little more flexibility to adopt an evaluation process that fits with the size and nature of the company, as opposed to a one-size-fits-all,” Ryan said.
Securities attorneys agree that the proposed PCAOB rules, as well as the proposed SEC guidelines, as currently drafted will likely be the final versions, save some tweaking in the margins. This underscores the importance of commenting on the proposed rules during the public comment periods, both of which end Feb. 26.
“The SEC does make changes, particularly if people bring up problems that are more specific or more technical than, ‘I don’t like this and I don’t want to do it,’” said George “Chip” King, of Haynsworth Sinkler Boyd in Charleston, S.C. “We got to where we are because of complaints.”
Where to start
Scott O’Connell suggested that management should, as soon as possible, take a top-down, risk-based approach to figure out the potential landmines in the company’s reporting process.
“Really identify the high-risk, high-exposure areas for 404 compliance,” he said. “It’s different for every business. It depends on what kind of controls are in place, the industry, and the kind of software being used.”
Showing an effort to comply with the spirit of the new rules is key, too, should the worst happen and counsel need to defend a company’s actions before the SEC. “Pick a high-yield, high-exposure [control], and show progress working [toward] them. That’s the evidence a lawyer will need,” Scott O’Connell said.
Ryan suggested companies use the SEC guidance and proposed PCAOB rules as a template from which to design an internal audit and control program that will pass muster under the new guidelines and rules once they become final.
Susan O’Connell is president and CEO of Project Control Companies, Inc., which provides internal audit and Section 404 compliance services from its headquarters in Nashua, N.H. She noted the importance of helping auditors, because under Sarbanes-Oxley they haven’t been comfortable being part of the team working with management. Opening up communication is an important factor for a successful process, she said.
Information technology controls are also important, she noted. This is the “system that forms the backbone of your control environment. For small companies, this is a big weak area. It requires remediation, which takes time.”
In-house counsel should send the new SEC and PCAOB proposals to the chair and members of the audit committee, Honig suggested, as well as all compliance team members.
For those companies well ahead of the curve, the new guidelines provide an opportunity to reassess what’s been done so far.
“I think the SEC is fairly clear that if you have a state-of-the-art process in place, this is not going to require you to change that,” Ryan said. “You may want to evaluate your process in light of what the SEC is putting out as guidance. See if there’s maybe a possibility that you’re doing more than you need to, and if [you] may be able to cut your costs a little bit by reviewing the guidance and adopting a new process that’s a little less burdensome.”