In addition, 28 percent of the surveyed executives indicated that they have based their Section 404 programs, at least in part, on Auditing Standard No. 2 — a guideline for external auditors put out by the Public Company Accounting Oversight Board (PCAOB). By scoping out the auditor-aimed AS2, public issuers are attempting to anticipate what their auditors will look for, thus limiting the work they must perform. In a sense, they are gaming the Sarbox system. Acknowledges one finance executive: “The biggest factor is pleasing your external auditors.”
Pleasing external auditors may not have been what legislators had in mind when they passed Sarbox. The guessing game, while understandable, worries some. “The absence of guidance is a call to regulators, stakeholders, and external audit committees,” insists Joe Atkinson, operations leader of the governance risk and compliance practice at PricewaterhouseCoopers. “They need to help managers understand what effective internal controls look like.”
Everything in Triplicate
COSO was intended to provide that sort of help. First released in the wake of the savings-and-loan scandals of the late 1980s, the Coopers & Lybrand–developed framework was largely ignored by the corporate world until Congress passed Sarbox a decade later. Suddenly facing a looming deadline to report on the effectiveness of their controls over financial-reporting systems, executives at publicly traded companies began scrambling for guidance.
Many glommed on to COSO. For some, it was an obvious choice — particularly since the Securities and Exchange Commission and the PCAOB soon recommended (but did not require) the use of the framework. Recalls Dominique Vincenti, chief advocacy officer at The Institute of Internal Auditors: “If you were already using COSO, the only new piece [as a result of Section 404] was the disclosure.”
Few companies were in that position, however. Instead, IMA board member Malcolm Schwartz says many finance managers applied the “audit” approach during the first year of Sarbox compliance — that is, they tried to record every single control. That has proven costly. The SEC’s initial projections indicated that each public company would spend less than $100,000 to meet internal-controls reporting requirements. Later surveys showed the actual costs were, on average, 20 times that amount.
Eric Balzer, CFO of Colorado Springs, Colorado-based Ramtron International, says that when he joined the semiconductor-device company just over a year ago, it did not have its internal-controls procedures set up for Sarbox. Since then, Ramtron has mapped many of its controls to the COSO template in flow charts, with headers that list the activity’s control objectives and risks. This practice puts Ramtron in the process-focused risk-assessment camp. As opposed to the more backward-looking coverage approach (examining financial account numbers and then attempting to document controls related to them), the process-focused approach targets work activities that might generate accounting errors. That, in theory, enables problems to be fixed before they land in the financial statements.
In Ramtron’s case, the objectives and risks of an activity are linked to related compliance requirements. When purchasing services and supplies, for instance, the Sarbox-based objective of paying appropriate prices is listed with the risk of outdated or incomplete price information. By monitoring the performance of controls through a process approach, employees become responsible for controls. Thus, the monitoring component of COSO gets linked to the control environment. “If you do that,” argues IMA’s Schwartz, “you can substantially reduce the amount of separate evaluations by the internal-audit department.”