Mismatches between the internal-controls proposals of the Securities and Exchange Commission and the Public Company Accounting Oversight Board will keep compliance with Section 404 of the Sarbanes-Oxley Act overly burdensome and costly, CFOs think.
In letters to the SEC and the PCAOB commenting on the regulators’ proposed revisions to their guidelines, senior finance executives say the tone and wording of the rules are too different to accomplish their main goal: to get senior top corporate management and audit firms on the same page in assessing and attesting to a company’s internal controls over financial reporting.
The SEC and PCAOB released their proposed standards for public comment on December 19 and December 20, respectively. Before the comment deadline of February 26 for both, the regulators had each received more than 150 letters. One-fifth of the responses for AS5 — as the PCAOB’s proposed new auditing standard for independent auditors is informally known — came from finance executives. The SEC and PCAOB have yet to say when they will announce the next steps for their proposals.
CFOs used words like “disconnect” and “significant gap” to describe the relationship between the SEC’s proposed 404 corporate guidance and AS5. Because the suggested standards aren’t aligned, some executives predicted, auditors will ignore the regulators’ push to have them focus on the highest-risk areas.
Instead, some of the CFOs said that to meet the PCAOB’s requirements, audit firms will continue to take the overly conservative approach that has been widely blamed on the existing auditing standard, AS2. Many, however, had hoped the revisions would lead to cheaper auditing bills and more leeway for the use of professional judgment.
The comment letters made several suggestions for bridging what the finance chiefs see as a gap between senior management and their auditors that has widened since Sarbox was enacted five years ago. Some requests were minor, such as deciding whether to use the SEC’s term “entity-level controls” or the PCAOB’s “company-level controls” since the regulators seem to be referring to the same thing.
Other criticisms were broader. In particular, finance executives said, the tone of the new AS5 is overly prescriptive, while the SEC’s standard is too vague in comparison. The result: the detailed nature of AS5 likely will mean it will continue to be the de facto guideline for management.
That’s exactly what will happen at Pfizer, wrote vice president and controller Loretta Cangialosi. Her company will use AS5 because it won’t “incur incremental costs by doing management’s assessment one way and having the external auditors perform their assessment in another way,” she wrote.
Does that divergence leave the regulators, senior finance executives, and auditors back at square one? Until the SEC’s proposal, management had no principles for complying with 404 and turned to the auditing standard for help. The commission has acknowledged the mistake in not advising companies sooner — a mistake that exposed the most minor internal controls to auditor scrutiny, including some that seemed to have little connection to a financial report.