Highlights of the Roundtable on SOX 404 Internal Controls

News Brief
April 19, 2005

By: Cydney Posner

Last week, the SEC held its roundtable on SOX 404, internal controls. It was clear that the time and cost involved had exceeded everyone's expectations, and, although costs were expected to decline in subsequent years, costs for smaller companies were still disproportionately large. With some exceptions, the general gloss at the roundtable was that the problem was less with the SOX internal control requirement or even with the PCAOB's Auditing Standard No. 2, and more with the excessively conservative manner of implementation of those rules. The three most recurrent problems raised were:

  • the serious deterioration in auditor/client communications;
  • the absence of a risk-based approach to implementation; and
  • the very low threshold in the definition of "materiality."
These problems resulted in enormous costs in money, hours and opportunity. The internal control drill has caused some companies to forgo purchasing new information technology or to forsake acquisitions, for fear of not being able to integrate the new systems or companies on a timely basis. Surveys showed an average cost of $4.3 million and 26,000 hours. The highest level of testing and documentation for one company was reported at 80,000 separate controls and about 1 million hours spent on the process. Some attributed the excessive conservatism in implementation of the SOX 404 requirements to concerns by auditors with the upcoming firm inspections by the PCAOB and the trauma of witnessing the demise of one of their sibling/rival firms. Bill McDonough, Chair of the PCAOB, advised that the PCAOB inspections were just as likely to find that work done was excessive as to find it was inadequate and, if the PCAOB finds that the auditors were excessive, the PCAOB will have a "direct and severe" discussion with top management of the firm.

Both panelists and regulators seemed to accept as a given that SOX and progeny had had a chilling effect on the relationship between auditors and companies. Companies were concerned that they could not seek advice from their outside auditors for fear that the consultation itself would be viewed as a deficiency in expertise, a type of control weakness. Similarly, companies were reluctant to furnish their auditors with early drafts of their financial statements (a common practice in the past), for fear that detection by the auditors of errors in the drafts would result in control weaknesses. Moreover, accountants were concerned that providing too much advice in advance could place the accountants in the position of auditing their own work, an independence issue. The erosion in communications was viewed as most acute at smaller companies, which often did not have sufficient staff to address arcane accounting issues and were faced with the possibility of engaging more outside advisors as resources. (There did not appear to be much discussion attributing these problems to specific SEC or PCAOB pronouncements: For example, in its FAQs, the PCAOB maintained that identification by the auditor of a material misstatement in current-period financial statements that was not initially identified and reserved by the company as incomplete was a strong indicator of a material weakness even if management subsequently corrected the misstatement. The PCAOB emphasized that a company must have effective internal control over financial reporting on its own, and the benefit of auditing procedures could not be taken into account when evaluating the company's internal control.)

The concept of the "risk-based" approach was raised numerous times as a proposed solution to many issues. Auditors were blamed for being too prescriptive in their approaches and failing to exercise any judgment as to the relative importance of various controls. Some panelists complained that, as a result, a comparable level of testing and documentation was required for all controls. In addition, a large proportion of testing was related to information technology controls, although, according to one panelist, IT had not historically been the source of any major scandals. (Another panelist countered that the major scandals were not created "with a pencil.") Similarly, concerns were raised about excessive duplication of effort resulting from the requirements that (i) each audit stand on its own (i.e., not build on testing performed in prior years) and (ii) auditors needed to audit both management's report on internal control and their own. Unnecessary duplication also resulted from the reluctance of auditors to use the work of others. Panelists argued that, with a risk-based approach, the scope of documentation and testing could be significantly reduced, as auditors would test only the most important controls every year and test the remaining controls on a rotating schedule over a period of years. Again, all of these problems appeared to be more acute at smaller companies, where understaffed audit firms plunked their least seasoned audit teams with the least willingness and ability to exercise any judgment at all. Moreover, smaller firms had less leverage to negotiate with their auditors regarding the scope of the audit and extent of testing. All seemed to agree, including auditors on the panel, that the auditors needed to make better use of the work of others and to integrate more effectively the financial statement audit and the internal control audit.

One of the auditors on the panel almost went so far as to tell the corporate panelists to stop whining: SOX 404 was intended to be a robust exercise, not a mild exercise, and, as such, would necessarily be costly. SOX 404, he continued, should be viewed as a "business improvement opportunity." (Well, it certainly was for accountants!)

A "material weakness" exists if a significant deficiency "by itself or in combination with other control deficiencies, ... results in more than a remote likelihood that a material misstatement in the company's annual or interim financial statements will not be prevented or detected." (The same standard applies to significant deficiencies, except that the misstatement need only be "more than inconsequential.") A number of panelists questioned whether the standard of "more than remote likelihood" was an appropriate threshold, arguing that it drove companies and auditors to excessive levels of testing. Others argued more obliquely that more guidance was required as to the meaning of materiality. One panelist commented on the inherent problems of the "could" factor--no error has actually occurred, but one could occur. Another panelist asked whether the well-reasoned but incorrect decision that results in a misstatement should be treated as a material weakness.

Investors present at the roundtable were rapturous about SOX 404, and there was some concern that investors generally may have inflated expectations of the benefits that SOX may provide. However, they viewed themselves as the ones that foot the bill for all of these efforts, and they believed the costs were worthwhile. One investor described the process of corporate fraud as commencing with collapse of the business model, then moving on to "exotic" accounting and then to efforts to circumvent internal controls. It was emphasized, however, that SOX 404 was unlikely to prevent or perhaps even detect collusive efforts to commit fraud or circumvent internal controls, with one panelist predicting that one of the companies that had no material weakness rap sheet would certainly be the subject of a major fraud at some point along the way. One commenter noted that the best that can be hoped for is that SOX 404 results in more prompt disclosure of any fraud that does occur. Most seemed to be willing to distinguish among types of material weaknesses and some had developed their own standards to create distinctions.

Similarly, some corporate panelists whose province was internal audit were clearly enjoying the glamour of the spotlight and proud to show off their sparkly new systems and models developed in response to SOX 404. They remarked that it was useful to have management "inside the tent" and "taking ownership of the controls issues," not to mention all the additional personnel, and generally found the process to be salutary. Some were disappointed that the grading system was only pass/fail and would have appreciated more nuance.

At the end of the day, the panelists were divided on solutions and there was a tension between the two approaches that emerged: some wanted more rules with more certainty; others wanted to allow more judgment and flexibility. Those advocating flexibility were concerned that more rules, if issued, would once again be oriented toward large issuers. These panelists suggested that the regulators needed to retreat on specificity and instead provide more general guidance and best practice examples. One panelist expressed foreboding about a potential "Russian doll" of multiple overlays of definitions, such as the meaning of the word "could." Instead, he urged, words should be applied with the meaning they have to the individual company in its context. One panelist cautioned the regulators that they needed to recognize that the use of judgment by companies and auditors would inevitably mean variability of outcomes, an effect that the regulators would need to accept at some level. Regulators were also cautioned to be cognizant that, for small companies, internal controls would need to be adapted to the informality and multi-tasking approach characteristic of entrepreneurial small companies. Companies were encouraged to embed the process and to use automated and preventive controls.

In closing comments, Bill Donaldson, SEC chair, advised that he would instruct his staff to improve the guidance available. Bill McDonough recognized that improvement was necessary with respect to the cost/benefit ratio of the internal control process, especially for smaller companies. He also contended that auditors needed to improve their use of judgment. He promised to issue staff guidance by May 16 and to consider further action, including whether to reopen AS 2, at the next meeting of the PCAOB's Standing Advisory Committee. He also reassured auditors that, as long as they are trying to improve service, the PCAOB will work with them; the inspections are designed to show where improvement is needed, and the necessary best practices will evolve from that process.
