For many corporate critics of the Sarbanes-Oxley Act, the 2002 law has become synonymous with added cost and work. But when they’ve voiced their frustration with regulators and congressmen, asking them to amend or repeal the law, they’re usually talking about just one of its provisions: Section 404.
After nearly five years of hearing concerns about uncertainty regarding management’s responsibilities under 404 and complaints about burdensome audits under its companion auditing standard, the Securities and Exchange Commission may formally make the first change to the provision before Memorial Day weekend. In back-to-back meetings, the SEC will vote on its proposed management guidance for complying with the internal-control rule on May 23, and the Public Company Accounting Oversight Board will decide whether to adopt its new companion auditing standard on May 24.
When drafting their changes to their internal-control standards, the regulators aimed to clarify how the rules are interpreted and implemented. The revisions encourage management and auditors to take a top-down, risk-based approach and concentrate on only those areas that could lead to a material misstatement when reviewing internal controls over financial reporting. Without that direction, corporate management had used the PCAOB’s Auditing Standard No. 2 as a de facto rule, and accused external auditors of using AS2 too cautiously, resulting in costly and overly conservative audits. “This approach failed to recognize the difference between the types of procedures and documentation that are needed by those who are coming in from outside a company to audit and report on its internal control, as compared to the insiders who created the internal-control system and interact with it on a daily basis,” said SEC chairman Christopher Cox when proposing the changes in December.
To help heal the disconnect between companies and their audit firms, the regulators proposed the following fixes: allow auditors to use the work of companies’ in-house staff, tell the firms to focus on materiality, and promote the use of professional judgment. The rules also attempt to make Sarbox scalable for smaller companies that have yet had to comply with the law. Sixty pages long and half the length of the original standard, AS5 — as PCAOB members have dubbed AS2′s replacement — is more principles based.
The regulators received more than 150 letters each to their proposals. Most of the comment letters worried that the differences between the two standards wouldn’t result in a change of auditor behavior; they could, in fact, give auditors more power, the writers argued. For example, companies that want auditors to “use the work of others” under AS5 may defer to their audit firms about how much work should be done. In a letter sent to various members of Congress pushing for the halt of AS5, Dennis Stevens, director of internal audit for the Alamo Group, worried that the result will be a “subtle shift of responsibility from management to the external auditor.” Worse, wrote Stevens, if management’s own evaluation of internal controls is dictated by what it thinks auditors will find acceptable, the result will be “essentially the same situation that has existed for the past three years.”
To resolve some of the differences between the standards, the SEC staff has worked closely with the PCAOB staff to make tweaks to AS5. The staffs were tasked with matching the tone and wording of AS5 with 404, clarifying how the standard can be scaled for small companies, using more principles-based language, and adopting a less-prescriptive approach for how auditors will decide to use the work of others. The changes between what was released publicly in December and what will be presented to the board on Thursday will not be major, according to Laura Phillips, the PCAOB’s deputy chief auditor, who is leaving the audit firm overseer later this year.
If the SEC adopts AS5 by late June, audit firms would have time to reference it for their 2007 financial-statement audits. All of the PCAOB’s rules need the commission’s approval. (The PCAOB was created by Sarbox as a nongovernment, corporate agency that falls under the SEC’s purview.)
Audit firms believe the regulators’ changes will indeed lead to improvements in the audits of internal controls, says Cindy Fornelli, executive director of the Center for Audit Quality. “The combination of the SEC’s new management guidance and the PCAOB’s AS5 should certainly achieve their goals of making the entire audit process more efficient and effective and at the same time still protect investor interests,” she told CFO.com.
Because auditors would presumably be taking less time to do their audits under the new standard, companies could see a reduction in the cost associated with internal controls, according to the PCAOB. In particular, this cost saving could be attributed to a significant clarification in AS5 — that auditors do not need to opine on management’s process for assessing internal controls, says Anthony Zecca, a partner at Cohn Consulting Group, a division of auditor JH Cohn.
On Wednesday the SEC will vote on whether to revise the rule that requires auditors to deliver two opinions on internal controls — on management’s assessment and the effectiveness of the controls themselves. If approved, auditors would have to opine only on the effectiveness of the controls. As a result, smaller businesses that do not yet have to comply with Sarbox could pay 20 percent to 25 percent less in auditing costs than they would have under AS2, Zecca told CFO.com.