Taking on the Sarbox challenge
by George Thomas, 01 Oct 2005. Topic: Business, The profession
George Thomas provides some guidance

The Sarbanes-Oxley (SOX) Act, Section 101, established the Public Company Accounting Oversight Board (PCAOB). The PCAOB issued Release No. 2004-001 on 9 March 2004, establishing the rulebook under which external auditors issue an "attestation" on management's assessment of internal control over financial reporting. The act requires most public companies (i.e. accelerated filers meeting certain market capitalisation thresholds) to report annually on the company's internal control over financial reporting for fiscal years ending on or after 15 November 2004. The majority of the remaining non-accelerated filers and foreign private issuers will be required to comply for fiscal years ending on or after 15 July 2006.

The PCAOB acknowledged that Section 404 requirements would "entail extra work and... expense". The impact on banks was expected to be less than on other businesses. This difference stems from the fact that banks have been subject since 1991 to FDICIA (the Federal Deposit Insurance Corporation Improvement Act), which some have characterised as "baby SOX".

To draw a parallel with Section 404 today: when FDICIA was enacted in 1991, President Bush (senior) criticised the legislation as "do[ing] little more than provide critical funding to the Bank Insurance Fund", and warned that "this shortsighted congressional response to the problems we face increases taxpayer exposure to bank losses". (1) Asked about FDICIA, Federal Reserve Governor LaWare said: "How they had the audacity to call it an 'improvement act' I'll never understand." And my good friend Karen Shaw declared: "This legislation creates a system of arbitrary, draconian and inflexible regulatory criteria designed to ensure that no bank will ever again fail. In pursuit of this quixotic goal, the legislation will ensure that while few banks will ever fail, none will ever prosper." (1)

Interestingly, though not surprisingly, the outcome is that depository institutions have prospered since FDICIA's enactment. Commercial banks' return on assets has more than doubled: it was 0.53% in 1991 and has ranged between 1.15% and 1.20% since then. Banks' ratio of core capital to tangible assets has increased significantly, and the percentage of commercial banks reporting net losses has plummeted. (1) What this tells us is that there are real benefits to be realised from understanding a business's internal control processes.

Section 404 requires that a company's annual report include:
To gain a real sense of what is required for the first three bullets above, we must first understand what the external auditor will need in order to fulfil their obligations under the final bullet. For this, one must look to the PCAOB rules.

PCAOB auditor requirements

Section 404 consists of parts (a) and (b). Section 404(a) relates to management, while 404(b) relates to the auditor. In October 2003 the PCAOB issued a proposed auditing standard to address Section 404; this rule has since been approved by the SEC as PCAOB Auditing Standard No. 2. The PCAOB notes: "importantly, the auditor's conclusion will pertain directly to whether the auditor can agree with management that internal control is effective, not just the adequacy of management's process for determining whether internal control is effective".

The provisions for performing an audit of internal control over financial reporting, as detailed in PCAOB Auditing Standard No. 2, are shown in Figure 1. In addition to looking at company-level controls, assessing the effectiveness of the audit committee's oversight of financial reporting, and identifying significant accounts, assertions and processes, the auditor is expected to perform some level of independent testing. The auditor may not rely exclusively on testing performed by management or internal audit. The standard also contains language requiring the auditor to consider fraud when assessing internal control.
Auditors are charged with attesting to and reporting on the assessment made by a company's management of the effectiveness of internal control over financial reporting. The PCAOB standard clearly translates into more work for the auditor, above and beyond that required for the traditional attestation to the financial statements. The impact is incremental for everyone, but it will be smaller for well-prepared businesses.

Why comply with Section 404?

PCAOB rules come with teeth. Auditing Standard No. 2 permits the auditor to express an unqualified opinion only if, after performing the procedures the auditor deems necessary, no material weakness in internal control has been identified. If a material weakness exists, the auditor must express an adverse opinion on the effectiveness of internal control; if the auditor cannot perform all the procedures deemed necessary, the auditor is permitted to qualify or disclaim an opinion. There are two opinions under Section 404: the first on management's assessment, and the second on the effectiveness of internal control over financial reporting itself. Given the potential impact of a qualified, adverse or disclaimed opinion, the desire for an unqualified opinion is understandable.

The challenge ahead

In the absence of a clear sense of the level of oversight required in year one, companies erred on the side of prudence: large numbers of controls were identified, documented and tested. Clients, consultants and auditors were all in new territory. Where controls were missing, manual controls were instituted because time constraints left no room for anything else. Still, despite all this effort and expense, more than 100 companies had disclosed a material weakness by the end of March 2005, and no significant SEC response has been noted. More interestingly, the market response (stock price) does not appear to reflect these disclosures. SEC registrants have been vocal about the costs of Section 404, and the PCAOB has issued guidance aimed at reducing compliance costs; in essence, the PCAOB proposes a move towards a risk-based approach.
That guidance is, however, not law and may receive limited attention from auditors. Further, while responsibility for fraud detection resides with management, auditors also carry a liability burden if they fail to take appropriate steps to detect fraud. Coverage demands by auditors are therefore unlikely to diminish in the near future. The challenge ahead, then, is to manage through years two and three so as to optimise both controls and the resources (including cost) they consume.

Steps to process optimisation

The key is analysis and automation. Controls identified in round one should be scrutinised with an eye to removing those that are neither legally required nor otherwise needed to give management the assurance Section 404 demands. For the controls that remain, automation should be considered. Section 404 demands on the chief information officer (CIO) in years two and three are therefore likely to be substantial. The top three technology issues related to Section 404 are commonly considered to be:
The role of the CIO in realising Section 404 optimisation cannot be over-emphasised. The controls optimisation process, though it may require skilled business resources, will lead to more streamlined controls and, in turn, to improved value creation. Some leading consultants have launched offerings aimed at identifying and eliminating redundant controls, on the premise that removing unneeded controls lowers costs and speeds up business processes while still meeting Section 404 requirements.

Conclusion

Year two will be another year of significant effort, but the effort will be directed at streamlining controls and control processes rather than building new controls. While these activities may generate long-term value, one should not expect reductions in audit fees. Because the PCAOB's guidance is just that, guidance rather than law, any fee reductions will be slow to materialise. Additionally, since auditors share the liability for undetected fraud, it is understandable that they would wish for more comprehensive testing. Careful planning and execution in year two can nonetheless lead to process improvements that improve the bottom line. The author would suggest that timely and thoughtful action could make year two the foundation for a more effective organisation.

(1) Source: Department of the Treasury Press Room, 1996, RR-1417

George Thomas FCCA, CPA, CMA, CFIRS, is group audit manager at a $100+bn super-regional bank in the Midwest, US.


