If you think audits are tough now, just wait. Section 404 of the Sarbanes-Oxley Act of 2002 requires auditors to certify not just financial results but also the processes by which they are determined. The law mandates a formal audit — including documentation, testing, and certification — of a company’s internal controls. The new requirement will give auditors a real say in how CFOs run their operations.
Just how much of a say wasn’t totally clear until March, when the Public Company Accounting Oversight Board (PCAOB) issued its final standards, which stipulate that auditors give either a thumbs-up or thumbs-down to a company’s internal controls, starting with “accelerated filers” (market caps over $75 million) whose fiscal years end on or after November 15. (The standard was awaiting approval from the Securities and Exchange Commission as CFO went to press.)
Before this ruling, if the auditors identified any material weakness in internal controls, they would merely send a letter to the audit committee detailing the problem. Now, weaknesses such as neglecting to get a second signature on certain checks or failing to properly document legacy software systems could mean a failing grade on internal controls. True, the auditor may still approve a company’s financial statements. But failing the controls testing in a formal audit will undoubtedly lead investors to question the validity of financial results. And given the pressures auditors face, rumors are rampant that audit firms will fail a significant portion — some observers say 10 percent — of the companies they audit.
The prospect of failing the controls audit puts finance executives, who must issue their own assessment of internal controls (which also is subject to an audit), in a precarious position. They will have to find and publicly disclose any inadequate controls lest the auditors reveal them instead and report the company to the PCAOB. Then they can just hope that any resulting damage to their stock price and reputation from the disclosure is mitigated by admiration for their candor.
On the other hand, finance executives who are up to this challenge may gain a lot more internal clout as a result. “I have a big interest in well-controlled financial reports anyway,” notes Gary Perlin, CFO of Capital One Financial Corp. So if any employee objects to the process, says Perlin, “all I have to do is say, ‘Excuse me, it’s the law.’” In other words, he adds, “404 is a benefit, because it lets me get people’s attention.” Perlin isn’t the only finance executive who sees the rule in these terms. “I think I’m better for it,” insists Keith Sherin, CFO and senior vice president of General Electric Co. “It helps increase my confidence in our financial integrity.”
GE has already seen its payments to its auditor KPMG LLP increase 40 percent in 2003 (from $38.7 million to $55.3 million), in large part because of work related to Sarbox and Section 404. And 404 alone is expected to cost the average large company $4.6 million this year (including both internal and external expenses), according to a recent Financial Executives International (FEI) study. But that survey was conducted before the audit firms learned the full extent of their responsibilities. Given the provisions of the final standards, in particular the extensive testing requirements, the bills could be much higher than previously thought (see “Paying the Piper,” at the end of this article). The question is, will companies besides GE and Capital One find the money well spent?