Ultimately, is there a silver bullet for preventing fraud?
To have auditors understand that, with relatively few exceptions, they should find it. To me, the relatively few exceptions are those cases where you would have some extremely dedicated, capable crooks. In most cases, though, the crooks are either not that smart or they don’t cover their tracks that well.
The firms have a 12-month window to fix weaknesses without disclosing them. Companies don’t receive the same treatment under Section 404. Isn’t that a double standard?
That aspect of the statute is clearly controversial. The positive side is that 12 months is not a very long time, and therefore it puts tremendous pressure on the audit firms to get things fixed. But should the statute have been written so that [weaknesses] are immediately cleared with the public? I don’t know, because I didn’t write the statute. I deal with it as it was written. [Overall, however,] I think the algebraic total is that it’s a good thing.
Did you anticipate how all-consuming Section 404 would be for companies?
For companies with strong internal controls, essentially they have to document them; that is not all-consuming. If, on the other hand, a company does not have particularly good internal controls, my attitude is that they should have. I don’t have a lot of sympathy for the scrambling they have to do. I have great sympathy for the small and midsize companies that in some cases actually have very good internal controls, but are much less formal than a large, complicated company.
We’ve heard rumblings that since companies are spending so much time on 404, they’re neglecting growing their businesses.
I’ve heard that. I don’t think there’s a whole lot to it. CFOs and their staffs will undoubtedly be spending a lot of time on 404. But I don’t really know any documentable cases in which the strategic future of the company is being adversely affected. I suppose I could waggishly say, “Well then, they ought to spend weekends working on one and the rest of the week working on the other.”
How can you be so sure that 404 passes the cost-benefit test?
In getting the right cost-benefit relationship, there is going to be some tugging and pushing between the audit committee and the outside auditor. The audit committee might say, “We really want you to do a lot of testing,” and then there’s nothing to discuss. On the other hand, the auditor might say, “We need to do this much testing,” and the audit committee will say, “We don’t really see that.” But at the end of the day, the auditor has to say, “[This] is what we have to do to attest.” We don’t expect the auditor to either run up hours or be difficult. It’s a judgment that we expect to be rational.
Some people are concerned that many companies will fail these audits.
I don’t think anybody knows that until we get into them. Another thing no one knows is whether there will be cases where the auditor gives a clean opinion on the financial statement, but not on the internal-control assessment. Nor do we know the reaction of the marketplace. Would it be, “Oh my gosh, tank the stock!” or “This is the first year of 404; that’s not too surprising”?