03 Oct The Big Picture of SOX 404
Since many large public companies are well into the third year of their Sarbanes-Oxley (SOX) 404 assessments over financial reporting internal controls, this is a good time to pause and reflect on this onerous requirement. In speaking across the United States on good internal control practices, I hear from hundreds of board members, CFOs, controllers, and internal auditors exactly how painful implementing 404 has become for their companies.
The costs have been much higher than predicted. In June 2003, the Securities and Exchange Commission estimated an annual cost of $91,000 for the average U.S. public company to implement 404, not including external audit fees. The actual number has been closer to $2 million in average annual costs, based on several surveys. Of course, actual costs will vary widely based on the size, industry, and operating characteristics of individual companies, but the one common thread is often excessive resources.
Yet, most people also acknowledge benefits from their 404 process, including: a greater awareness of healthy internal controls, elimination of non-value added redundant controls, identification and remediation of significant control deficiencies, and the enhancement of accountability. While the benefits of strong internal controls have never been questioned, statistical evidence now is coming out to better quantify benefits. Recent studies show a correlation between strong controls and positive performance in shareholder returns, profitability, risk mitigation, dividend yields, and cost of capital.
For example, the study entitled "The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital" (April 2006), written by Ashbaugh-Skaife, Collins, Kinney and LaFond (and available at www.ssrn.com), shows a benefit of about 100 basis points. This is the first study linking companies that report internal control deficiencies to a higher cost of capital. The main conclusion is that companies reporting internal control deficiencies under 404 have less reliable financial information, which increases risk and leads to an increase in the cost of equity of about one percent.
This means that a company with a market capitalization of $1 billion reporting internal control deficiencies can expect an increase in capital cost of $10 million. This same concept applies to non-public companies, such as private companies seeking funding or nonprofits competing for grants. As funding sources read less risk to the organization, they will be more inclined to provide money at lower costs.
Is benefit > cost?
The challenge of 404 is turning it from a value-destructive exercise (costs > benefits) to one of value creation (benefits > costs). While easier said than done, there is reason to be optimistic as the Public Company Accounting Oversight Board (PCAOB) is currently revising its auditing standard #2 (AS2) to clarify the external auditor’s role in 404. Indeed, many of the cost pressures of 404 have been driven by external auditors who operate very cautiously in the post-SOX environment of PCAOB inspections. The more effort the auditors demand of the 404 process, the less risk they absorb with their audit opinions, while at the same time maximizing billings.
Earlier in the year, the PCAOB announced it would focus its 2006 inspections on whether auditors have achieved cost-saving efficiencies in the audits performed under AS2. The SEC and PCAOB are expected to continue emphasizing a top-down and risk-based approach to 404, both for companies and external auditors. A top-down approach means evaluating controls in a sequential manner starting with entity-level controls, while a risk-based effort focuses resources in the highest risk areas relative to financial misstatement.
In many cases, too much effort has gone towards traditional accounting controls at the expense of entity-level and IT controls. Accounting controls like approvals, reviews, and reconciliations are easily understood by auditors. Since auditors are comfortable documenting and testing these controls, they have received the most attention despite not necessarily carrying the highest risk.
Entity-level controls, such as tone-at-the-top, are much more difficult to assess since there often is no paper trail and the controls involve officers and audit committee members who control the purse strings of the internal and external auditors charged with doing the work. Technology controls are becoming better understood, but still too many companies do not have an adequate handle on IT risks and controls. A continuing challenge on the 404 front will be balancing resources smartly between accounting, entity-level, and IT controls to best address the risk of financial reporting misstatement. This is why a risk-based approach is essential in successfully implementing 404.
I believe the 404 pendulum of cost-efficiency and effectiveness is evolving to a more reasonable range due to multiple developments, led by the SEC and PCAOB. Companies must continue to streamline and sustain the process for the long haul. This will likely involve a combination of invoking a top-down, risk-based approach, as well as increasing reliance on automated controls and understanding what are truly “key” controls in preventing and detecting errors and fraud. The goal needs to be a simpler and stronger understanding of objectives, risks, and controls to reach objectives by mitigating risks.
SOX won’t be knocked off
Love it or hate it, SOX ushers in a new chapter of business accountability through rules and regulations. SOX will likely continue to be tweaked, but will not go away. While the need for SOX can be argued, the spirit of the legislation in improving the reliability of financial reporting and disclosures is indeed paramount in growing investor confidence.
No legislation can successfully mandate ethics, but with proper implementation companies can turn SOX 404 into a value-enhancing initiative by embedding strong controls into the fiber of board, management, and employee activities. A strong ethical corporate culture will pay dividends well beyond financial reporting to help companies also meet strategic, operational, and compliance objectives beyond SOX.
Other articles by Ron Kral
• Ron Kral: Star panel re-evaluates Sarbanes-Oxley one year in at SEC headquarters
• Ronald Kral: Observations from the Sarbanes-Oxley trenches
• Ronald Kral: Technology Implications of Sarbanes-Oxley
• Ronald Kral: “My View” – State Government Needs Integrity To Build Investor Confidence
The opinions expressed herein or statements made in the above column are solely those of the author, & do not necessarily reflect the views of Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.