SEC and PCAOB finally coordinate guidance on auditing internal controls
It has been a long time coming but it appears as though the SEC may have finally coordinated its Sarbanes-Oxley Section 404 guidance with that of other regulators. Companies and auditors have been complaining about the contradictory approach the groups were taking when it comes to assessing material weakness and other elements of Sox. The situation resulted in considerable tension between business and auditors who were forced to comply with the same rule in different ways – thus creating duplication of efforts and uncertainty about the accuracy of internal controls assessments.
A year ago, the SEC set out to offer guidance for the first time on internal control standard Section 404. Immediately afterward, the Public Company Accounting Oversight Board (PCAOB, created by Sarbanes-Oxley to be independent of government) said it would revise its equivalent auditing standard (AS2) to better highlight material weaknesses before they become material misstatements. The SEC and the PCAOB have since collaborated to align the tone and wording of Section 404 and the new audit standard (AS5). Adopting a top-down risk-based approach, they focused on issues like fraud risk assessments, which have stymied auditors and management for the past three years.
Very soon we will see if these revisions will prove to be successful. In May, the SEC sent out a press release stating they had ‘unanimously approved interpretive guidance to help public companies strengthen their internal control over financial reporting while reducing unnecessary costs.’ A day later AS5, the new auditing standard, was approved by the PCAOB, and is presently up for review at the SEC. If pushed through, it would be enacted in late 2007. The final guidance was due to be published at the end of June, taking into consideration the over 150 comment letters received by the SEC in response to the 70-page document released in December 2006.
While adding insight to Section 404 quandaries, the SEC also made the guidance easier to interpret by restricting assessment to four areas: aligning the PCAOB’s AS5 with the SEC’s proposed new management guidance under Section 404; scaling the 404 audit to account for circumstances of companies; encouraging auditors to use professional judgment; and following a principles-based approach as to what extent the auditor can use the work of others. The move toward a principles-based system should bring balance to the excessively detailed auditing standard, and also to the comparably irresolute guidance provided to management.
A principled approach
In writing Section 404 guidance, the SEC followed two principles: first, that ‘management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner,’ and secondly, that ‘management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.’ To facilitate these processes, the interpretive guidance laid out steps to take in everything from evaluation to documentation.
The comment letters received by the SEC should provide essential feedback and direction in guidance revisions. Many centered on tone and wording alignment, asking for more coordination on different terms between the two regulators; the SEC used terms like ‘financial reporting elements’ and ‘financial reporting risk’ while the PCAOB used the terms ‘significant account’ and ‘relevant assertion.’ Companies also called for less aggressive insinuations, more discussion of fraud risk and fraud-risk controls at the beginning of the standard and an explanation of why auditors should conduct a walk through rather than requiring them to conduct a specific review. Wording was synchronized, and the SEC clarified the definition of ‘material weakness’ as ‘a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.’
The selection of general information technology controls was also included in the interpretive guidance, and ‘the level of controls documentation required at the entity level in circumstances where an entity has multiple locations.’
Less can be more
Lowering costs was a major driving force behind the alignment. In a recent press release, SEC chairman Christopher Cox said ‘investors will benefit from reduced compliance costs.’ He also said the intent of Section 404 was never to overwhelm, but rather ‘to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.’
Like Cox, James Angel, associate professor of finance at Georgetown University’s McDonough School of Business, thinks that the purpose of Section 404 has been abstracted, which has led to extreme regulations. In his comment letter to the SEC, he suggested looking back at the law and its purpose as a disclosure mechanism that should not dictate for any particular level of controls or control verification.
Others have different concerns. Because ‘regulators have focused primarily on the cost effectiveness of the compliance process,’ says James DeLoach, managing director at Protiviti, ‘there has been very little discussion … on the opportunity to improve the quality and sustainability of the internal control structure.’ He thinks there is room for more dialogue in this area.
And DeLoach suggests clarifying the top-down approach, being that it might deplete emphasis on the overall understanding of the control environment with its focus on key controls.
Working at opposite corners
Management often relied on AS2 in lieu of Sox requirements because it was easier to follow. With managers doing what the auditors were already doing, costs were compounded. Since auditors were directed to look at every possible risk to the financial statements, it was expensive.
PCAOB chairman Mark Olson says ‘management and the auditor have different perspectives on the company’s internal controls, and the assessment and audit have different objectives under Section 404.’
Michele Peters, vice president of external affairs at Xerox and chair of the corporate governance coordinating committee at the Business Roundtable, concurs with Olson. In her comment letter to the SEC, she stated that AS2 and Section 404 serve ‘distinct purposes’ but ‘need to be linked to avoid inefficiencies.’ The lack of clarity disabled management, she said. To remedy the problem she asked for increased detail regarding the ‘level of required documentation’ and ‘examples of material weakness.’ While the AS2 provides more detail than Section 404, neither offer clear examples.
Leave it out
Specific Section 404 guidance for management should change all of that. In the SEC’s new guidance, auditors are no longer responsible for assessing management’s evaluation of internal controls. The revised audit standard AS5 that replaces AS2 is therefore allowed to concentrate on high-risk areas that could lead to misstatement or fraud: ‘by integrating the risk-management approach and the top-down approach it’s clear that every control isn’t created equal,’ says Sharon Virag, the PCAOB’s associate chief auditor, recognizing that ‘the new standard focuses on fraud much more significantly than it did before.’ Interestingly, much of those risk areas are outside the financial statement.
But many feel that in spite of the explanatory detail, there is still a great deal of errata. Linda Slocombe, compliance manager at Stantec, thinks that even though the ‘elimination of the requirement to have auditors opine on management’s evaluation of internal controls of financial reporting (ICFR) is a definite improvement ... there’s still an element of redundancy there in that both the companies and the auditors are really opining on the same thing.’ Instead, she says there should be an option of choosing either an audit of management’s evaluation or direct audit of ICFR. But Virag disagrees: ‘There’s a lot of value to be had from both of those views.’
And as for audit costs, Virag says that with AS2 ‘there was so much detail … when in fact the audit is always better if the auditor is looking at the facts and circumstances they’re faced with and making judgments about what is the best way to do this in this circumstance.’ AS5 is making processes much more efficient by allowing auditors to exercise professional judgment and use a checklist process.
It’s up to you
Just as AS5 will give auditors more authority in terms of independent judgment, the SEC guidance for Section 404 is placing more emphasis on management’s judgment. One of the main areas this is clear is in audit’s increased reliance on management’s documentation. Virag likes this approach: ‘If management has fully documented all their controls, why would the auditor then go and do that?’
DeLoach is satisfied that the allowance for judgment in tandem with detail will achieve a balance and provide management with the right information: ‘I believe the SEC has been determined to provide management its own rulebook. Such that management will not have to consult the auditing standard.’
That said, independent judgment invites a slew of other potential problems. According to the SEC’s summary of all the comment letters, some accounting firms noted that ‘while the extent of documentation management prepares to support its assessment is a matter of judgment, a certain level of documentation is necessary,’ with respect to operation and design. Tom Basilo, partner at Sox compliance service provider WithumSmith+Brown Global Assurance, is concerned that subjectivity might add more discord: ‘Your opinion on how I should apply this and my opinion on how I should apply this could be totally different.’
For Angel, the proposed Section 404 guidance only compounds Section 404 difficulties by adding more vagaries to an already murky regulation ‘that lacks clear examples of a safe harbor.’ In his comment letter, Angel suggested solving the problem by implementing a graded system to disclose the level of controls, whereby companies can choose how important total compliance is to their corporation. His main complaint involves the ‘binary assessment of effectiveness rather than real disclosure of the current level of internal controls.’ Because assessment of controls is not a binary matter, a question of effective versus ineffective, it’s ‘basically a risk-management exercise,’ he writes.
Some comment letters expressed the view that Section 404 doesn’t offer any new insight into effectiveness or material weakness. Slocombe was one such critic. ‘The new definitions of material weakness and significant deficiency do not provide any better information on how to evaluate control deficiencies than the old definitions did,’ she says, adding, ‘the definitions still contain the reference to interim and annual materiality which is still subject to interpretation.’
Size doesn’t matter
Clarifications of Section 404 processes will be especially necessary for small companies who will need to comply this year. Though they might have liked more time, the fact that non-accelerated filers will not have their compliance deadline extended any further is a key indicator that the SEC is confident it has provided enough guidance in terms of scalability, says DeLoach.
Senators John Kerry (D-MA) and Olympia Snowe (R-ME), as chairman and ranking member of the Committee on Small Business and Entrepreneurship, are still concerned about small company compliance because costs are still great. In a June letter to the SEC, Kerry, Snowe and several other members of Congress requested the guidance offer small companies ‘a workable extension’ and ‘a small business compliance guide to assist small companies in implementing these new internal controls requirements’ and that ‘the SEC conduct … a final regulatory flexibility analysis as required under the Regulatory Flexibility Act.’ Later that same month, their requests were granted.
For the most part, companies were satisfied with the scalability guidance. Basilo thinks the increased guidance and flexibility for management and the SEC’s safe harbor provision mean the SEC is saying ‘you guys determine which method is appropriate for you to evaluate things.’
For some, the question isn’t so much whether the SEC has provided guidance to small companies, but whether it has provided sufficient audit guidance, which is deferred another year. DeLoach says the deferral of audit guidance is a good thing for small companies: ‘That gives the PCAOB more time to complete the work of the taskforce to provide more granular guidance to help auditors make AS5 more scalable.’
With regard to the improved audit standard, there is still work to be done and further clarifications are already pending. In his comment letter to the SEC, DeLoach drew attention to the ‘walk-around’ environment, and the lack of clarity involving the audit of the operating effectiveness of internal controls in such circumstances, and says communication is necessary in those situations.
But the issue of scalability doesn’t just apply to small companies, reminds Basilo: ‘The scalability issue is designed to address complex companies versus non-complex companies regardless of size.’
More regulation on the horizon
In spite of amendments to Section 404, further legislation may be on the horizon, championed by congressman Vito Fossella (R-NY) who was recently appointed chairman of the Republican task force on capital markets and US competitiveness. Like the recent efforts made by the SEC, Fossella wants to propose legislation to harmonize regulatory language used by the SEC and the PCAOB.
The difference is Fossella’s aims are not restricted to the PCAOB. His reach extends to shareholder rights and minimizing punitive damages on public companies. Formerly on the House financial services committee and now on the energy and commerce committee, Fossella has been meeting with Michael Ryan, who is the executive director of the Center for Capital Markets Competitiveness at the US Chamber of Commerce.
Henry Paulson is also doing some work on this end. In mid-May he assembled an advisory committee of regulators and industry experts chaired by former SEC Commissioner Arthur Levitt, an unusual choice given Levitt is an antagonist to Paulson’s angst-ridden view of the decline of US capital markets.
Not for everybody
New legislation may mute complaints already surfacing over the prospective final draft of the SEC’s guidance. There is a reprieve, in that the guidance is not mandated by the SEC and companies can continue using their old systems.
If your company is, however, considering going through with implementing these guidelines, Basilo says ‘the most critical thing … is that you have to have total and complete communication at all times among the audit committee, the people who are responsible within the company for running the 404 compliance, the external auditors and any other advisors coming to the table … making sure what is meeting external auditor expectation.’
As for the role of general counsel and corporate secretary, Simon Lorne, vice chairman and chief legal officer at hedge fund Millennium Partners and former SEC general counsel, says, ‘I think it will be understanding and counseling management in that function, it will also be to work with management and auditors to establish that management has in fact done everything that should be expected from them and that should be enough for the auditors.’
Vast improvement or pointless tinkering?
Even with alignment between management and audit, both factions need to be aware of each other’s processes. Slocombe says, ‘in doing the management evaluation you have to be cognizant of both requirements because you still have to pass that audit. I can’t see [anyone] ignoring the requirement of the PCAOB.’
The SEC is optimistic about easing the process: ‘The result of the new auditing standard for 404, together with the SEC’s new guidance to management, should make the internal control review and audit more efficient by focusing the effort on what truly matters to the integrity of the financial statements,’ said Cox.
But there are also legal issues, and Lorne is skeptical over the risks that may result from reduced detail in audit assessment: ‘There will be other problems out there, we all know it. And when those problems are found, I don’t see the SEC division of enforcement taking a position when fraud is discovered that the auditors proceeded reasonably and just didn’t catch this one and sometimes that’ll happen.’
If it’s true that all good things take time, it’s certainly applicable here. ‘With the guidance, the SEC and the PCAOB are sending a message to the courts as well. But it will take five or ten years before we see if the courts hear that message,’ says Lorne. And it isn’t the SEC’s job to do that, he continues, the SEC’s ‘whole approach to this is: as far as improving the operation effectiveness and efficiency of the business, it’s not our job to point that out to corporate America ... that’s the job of management.’