The Public Company Accounting Oversight Board and the Securities and Exchange Commission have acknowledged that the costs of implementing Section 404 of the Sarbanes-Oxley Act may be higher than they should be.
“It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting,” said PCAOB chairman William McDonough, in a statement. “At the same time, it is equally clear to us that the first round of internal control audits cost too much.”
In response to an April 13 roundtable discussion on Section 404, hosted by the SEC and attended by the board, the PCAOB released a policy statement and a series of staff questions and answers. The board’s newly issued guidance is designed to help auditors implement Section 404 and to capture “the benefits of the process without unnecessary and unsustainable costs,” according to McDonough. (The PCAOB responded swiftly to the SEC roundtable, says senior writer Tim Reason, who asks, will its guidance do the trick?)
In its own follow-up to last month’s roundtable, the SEC released a “Staff Statement on Management’s Report on Internal Control Over Financial Reporting,” which asserted that Section 404 is producing benefits, including a heightened focus on internal controls at the top levels of public companies. Even so, the commission acknowledged that implementation in the first year came at great expense.
“While a portion of the costs likely reflect start-up expenses from this new requirement, it also appears that some non-trivial costs may have been unnecessary, due to excessive, duplicative, or misfocused efforts,” stated the SEC, adding that the implementation process “needs to be improved going forward, so that it is more effective and efficient.”
According to the PCAOB, its staff questions and answers “seek to correct the misimpression” that certain provisions of 404 must be applied so rigidly that auditors cannot exercise the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient.
The board’s policy statement recommended that auditors integrate their audits of internal control with their audits of the client’s financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both.
The PCAOB also urged auditors to exercise judgment in tailoring their audit plans to the risks facing individual clients, instead of using standardized checklists that may not allocate appropriate audit work toward high-risk areas. In that regard, the board called for a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are relevant to internal control over financial reporting, and to eliminate from further consideration accounts that have only a remote likelihood of containing a material misstatement.
In its statement, the SEC concurred, stressing that management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. “A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good-faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance,” it stated.
The commission added that in the future, it expects the internal control audit to be better integrated with the audit of a company’s financial statements. “If management and auditors can achieve the goal of integrating the two audits, we expect that both internal and external costs of Section 404 compliance will fall for most companies,” it stated.
The SEC also stressed its belief that internal controls over financial reporting should reflect the nature and size of the company to which they relate. “Particular attention should be paid to making sure that implementation of Section 404 is appropriately tailored to the operations of smaller companies,” it added.