By Stephen M. Honig
As reported in the July issue of New England In-House, the Securities and Exchange Commission and PCAOB in June approved new guidance designed to improve company and auditor assessments of the effectiveness of internal controls over financial reporting under Section 404 of Sarbanes-Oxley.
In sum, the guidance promotes efficiency by allowing management to focus on only those controls needed to prevent or detect material misstatements in financial statements. The guidance also revises the auditor attestation provision to require only one opinion on the effectiveness of internal controls over financial reporting, and eliminates the requirement for an auditor's opinion on management's assessment.
The new policy also codifies the definition of "reportable material weakness" (requiring a determination that internal financial controls are ineffective). It also proposes for comment a definition of "significant deficiency" (which SEC rules require to be reported to an audit committee and outside auditors along with material weaknesses) as a deficiency less than a material weakness, but important enough to merit attention by responsible parties.
The PCAOB approved Auditing Standard No. 5 (AS5), which is intended to achieve the following four objectives: (1) focus the internal control audit on the most important matters; (2) eliminate procedures that are unnecessary to achieve the intended benefits; (3) make the audit clearly scalable to fit the size and complexity of any company; and (4) simplify the text of the standard.
Ongoing efforts in Congress (previously reported in this column) to forestall the SEC's enforcement of 404 died Aug. 9. President Bush signed the America COMPETES Act containing the Dodd-Shelby provision, which ever-so-softly expresses the Congressional sense that 404 implementation should proceed but with the least possible burden on smaller public companies. So, we are left with 404 as interpreted by the SEC Guidance and AS5.
Many specifics contained in the Guidance and in AS5 are either common sense or derivative of the approaches previously taken (without palpable effect). Companies and accountants until now have fallen back on conservative approaches because the perceived ramifications of incurring reportable material weaknesses seemed so Draconian.
Only the most optimistic of readers would seriously contend that the new SEC rules and PCAOB auditing standard actually provide objective methods of determining whether 404 compliance has been achieved.
So, based on the many times the SEC has repeated its mantra that 404 procedures have been clarified by institution of "risk-based, principle-driven" standards, will that repetition cause a company's management and its external auditors to actually "take a chance," and to deal only with what they truly perceive to be larger risks?
When some reporting company suffers a material misstatement by reason of failure of internal controls, in an area originally perceived to represent low risk, what will the SEC do? The ultimate test will be what happens to a company that acts diligently and simply decides not to address the area of risk that actually does cause a material financial misstatement.
As Dirty Harry once famously asked: "How lucky do you feel?"
* * *
Auditor breaks down details of new SOX financial reporting rules
In the wake of the new Guidance issued by the Securities and Exchange Commission and the PCAOB's new Auditing Standard No. 5, there has been much debate as to whether these changes provide useful guidance, will result in cost savings, or will reverse the trend of companies availing themselves of foreign securities markets or going private.
I asked Kevin W. O'Connell (kevin.w.oconnell@us.pwc.com), a principal in PricewaterhouseCoopers LLP's Boston office, to assess the impact these changes will have on reporting companies.
SEC Watch: The SEC now defines "material weakness" as significant deficiencies creating the reasonable possibility of material misstatement. Absent objective measurements, in what way will auditors classify deficiencies differently from the prior standard (more than a "remote likelihood" of misstatement)?
O'Connell: When assessing the severity of a deficiency, company management and the independent auditor consider the likelihood that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure. They also assess the magnitude of the potential misstatement. In evaluating any deficiency, management and the independent auditor are required to use well-reasoned professional judgment in assessing quantitative materiality and qualitative risk factors, including:
The nature of the financial statement accounts, disclosures, and assertions involved;
The susceptibility of the related asset or liability to loss or fraud (greater susceptibility increases risks);
The subjectivity, complexity, or extent of judgment required to determine the amount involved (greater subjectivity, complexity and judgment, such as related to an accounting estimate, increases risks);
The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
An indication of increased risk by a history of misstatements, including misstatements identified in the current year; and
The possible future consequences of the deficiency.
The new definition requires the same level of professional judgment, but clarifies the strength of evidence to consider when determining the existence of a material weakness.
SEC Watch: Companies must report significant deficiencies to the audit committee and to auditors. What is the standard for knowing whether something is merely a significant deficiency (less than a material weakness), absent quantitative and qualitative standards in the proposed SEC rule?
O'Connell: A significant deficiency can be defined as a deficiency that is less severe than a material weakness, determined through the application of professional judgment and assessment of the risk factors noted above, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. One of the common assessment factors is whether the deficient control has additional complementary, redundant, or compensating controls that mitigate the risk of material financial misstatement and achieve the same control objectives.
SEC Watch: For larger companies already complying with 404, do you anticipate any changes in practice? Any impact on compliance costs?
O'Connell: AS 5 is a principles-based standard that emphasizes the effectiveness of a "top-down" approach focusing on only those controls needed to prevent and detect material misstatements in financial statements. Although this will not significantly change companies' compliance framework or methodology, it provides them with an opportunity to reassess the relevance of all previous in-scope risks and controls, and determine whether certain controls can be removed to achieve efficiency while maintaining effectiveness.
Companies have historically taken a conservative approach to identifying, documenting, and testing internal controls, and in many cases, included redundant operational or compliance controls with no relevance to the financial statements. These controls can be removed from scope and do not have to be tested.
Also, AS 5 emphasizes the importance of entity-level controls in a top-down approach by identifying three broad categories of entity-level controls and discussing their respective impact on the nature, timing, and extent of testing. The three categories are: (1) controls that have an important but indirect impact on the likelihood that a misstatement will be detected or prevented on a timely basis (e.g., the control environment); (2) controls that may not operate at the level of precision necessary to eliminate the need for testing of other controls but may reduce the required level of testing of other controls (e.g., controls that monitor the operation of other controls); and (3) controls that operate at a level of precision that, without the need for other controls, sufficiently address the risk of misstatement to a relevant assertion.
The impact of entity-level controls on the nature, timing and extent of testing has generated significant debate among auditors, management and other constituents. We believe the three categories of entity-level controls included in AS 5 are useful points to consider on a principles-based continuum that might be used to evaluate the impact of effective entity-level controls on the nature, timing and extent of testing of transaction or process level controls.
Controls that operate at a level of precision that, without the need for other controls, sufficiently address the risk of misstatement to a relevant assertion may eliminate the need to test other controls related to that risk.
It will be important for management and auditors to carefully consider the design of such controls, including the level of precision at which they operate, to determine whether the controls operate with the level of consistency and rigor to prevent or detect material misstatements on a timely basis. In some cases, we anticipate that management may determine it is necessary to enhance the design of these controls to achieve this objective.
Finally, AS 5 also allows the independent auditor to rely more upon the testing of company management and/or Internal Audit, potentially reducing the amount of independent testing required and costs of compliance.
SEC Watch: For newly compliant smaller companies, does AS5 promise materially lower CPA fees when auditors review a company's compliance? Will real savings be achieved when this "principles-based" approach is applied, with emphasis on scaling and greater latitude in relying upon the compliance determinations made by others?
O'Connell: As history dictates, compliance costs are the highest for companies in Year 1 in establishing, documenting, testing, and evaluating an adequate controls framework. Compliance costs, including independent auditor fees, decline in subsequent years as management's efforts move from discovery, training, and implementation phases to continuous self-sustaining maintenance and evaluation phases.
AS 5 addresses the lessons learned from the past three years through the following objectives: (1) focus the internal control audit on the most important matters; (2) eliminate procedures that are unnecessary to achieve the intended benefits; (3) make the audit clearly scalable to fit the size and complexity of any company; and (4) simplify the text of the standard.
Rather than a "one-size-fits-all" compliance standard, company management and their independent auditors are allowed to use a risk-based approach in exercising more well-reasoned, professional judgment as to the scope and sufficiency of internal controls over financial reporting. Assuming that newly compliant companies have robust controls frameworks in place, they should realize savings in time and resources (compared to what otherwise would have been the case under prior Auditing Standard No. 2) by primarily focusing on those controls designed to prevent or detect material misstatements to relevant assertions in the financial statements.
Stephen M. Honig is a member of Duane Morris' corporate department in the firm's Boston office. You can reach him at smhonig@duanemorris.com.
Reprinted with permission from New England In-House, a quarterly publication of Lawyers Weekly, Inc.
© 2007 Lawyers Weekly Inc., All Rights Reserved.