13 Apr Star panel re-evaluates Sarbanes-Oxley one year in at SEC headquarters
Washington, D.C. — A full house packed the Securities and Exchange Commission headquarters on Wednesday for a public forum to discuss the most onerous section of The Sarbanes-Oxley Act of 2002 (or Sarbanes-Oxley), Section 404.
The event was a roundtable of public companies, auditors, investors, and members of the legal community to discuss the pros and cons of the section now that many large public companies have completed their first year of compliance. Section 404 requires companies who report to the SEC under the Securities Exchange Act of 1934 to evaluate and report upon their internal controls over financial reporting. The company’s external auditor must then render an opinion on management’s report, as well as another opinion on the effectiveness of those controls.
It was a “who’s who” list of panelists, as well as all SEC commissioners and board members of the Public Company Accounting Oversight Board. PCAOB is the organization created by Sarbanes-Oxley to register and monitor the performance of audit firms.
Panelists included top executives or board members from the NYSE, NASDAQ, CalPERS, GAO, the Big-4 accounting firms, and some of the biggest names in corporate America, including General Electric, Microsoft, Dow Chemical, Lockheed Martin, Eli Lilly, and Aetna. SEC Chairman William Donaldson said the roundtable is “an opportunity to hear how the process really works.”
While the participants were a diverse group, with different interests, the themes were consistent. The most popular topic was the need to control the substantial and unanticipated costs of 404 compliance. The general consensus was that it is not the legislation which needs to be fixed, but rather the implementation of 404 through the auditors, PCAOB, and SEC that needs to be addressed.
Auditors are very conservative these days in light of their heightened liability environment and the unknowns regarding PCAOB‘s relatively new inspection process. Companies are responding to the most significant regulatory changes since the Securities Exchange Act of 1934 with little guidance, and the regulators themselves are working frantically to issue new standards, rules, and guidance.
While both costs and benefits can be difficult to accurately quantify, the escalating cost estimates do not even include “opportunity costs,” the lost time board members and management teams are losing to 404 compliance. The hope is that costs in subsequent years of compliance will be significantly lower than in year one, since a baseline of documentation will be in place and the frequency of testing may be safely eased.
Another way to potentially reduce costs is the implementation of risk-based evaluation approaches on the behalf of companies, and an integrated audit approach by external auditors with the financial audit process. Colleen Cunningham, CEO of Financial Executives International, said that her group’s survey shows that 85 percent of companies responding believe their costs will decrease in the second year of 404 reporting.
While most of the panelists spoke of traditional accounting controls, controls based on information technology were also mentioned – and still remain a mystery to some.
Auditors do not always understand IT, yet have a responsibility per PCAOB standards to consider and test them. Audit firms and companies alike are competing to bring on qualified IT auditors, which are difficult to find. It creates a stressful and potentially dangerous situation when a junior auditor is trying to tell an experienced CIO how to run their shop.
Tone-at-the-top was discussed as an area that audit firms and companies may be under-emphasizing. Some may be spending too much time on traditional accounting controls at the expense of entity-wide controls such as control environment (which includes tone-at-the-top), risk awareness, monitoring, and information and communication. If management is not exhibiting proper ethical values and actions consistent with sound controls, this weakens the entire foundation of controls.
Similar to IT, many auditors are not well versed in evaluating these types of controls. Those who can are in hot demand by audit firms and companies alike.
Attendees said Sarbanes-Oxley has strengthened awareness of board members and management teams on the importance of controls over financial reporting. Transparency has been improved as investors now know of material weaknesses and can make judgments for themselves on possible valuation consequences. Several companies said that the 404 process forced them to take a hard look at all their controls, including those which were redundant and not necessary. As a result, some of these controls were eliminated thus improving cost-efficiency.
Finally, no one could state that Sarbanes-Oxley will prevent future Enrons and Worldcoms. Controls can only provide reasonable assurance that objectives will be met, including the prevention of fraud. The bottom line is that if someone wants to commit fraud badly enough, they can do it with or without Sarbanes-Oxley.
The hope is that Sarbanes-Oxley will make it more difficult for fraudsters, and investors will continue to gain confidence in corporate America. This alone should make the Sarbanes-Oxley exercise worthwhile.