
Grappling with Section 404: panelists at a Web-based event discuss the impact of Sarbanes-Oxley and offer thoughts on the legislation's future implications

Internal Auditor magazine

A recent IIA webcast proved that interest in the U.S. Sarbanes-Oxley Act of 2002 has remained strong since an April 13, 2005, U.S. Securities and Exchange Commission (SEC) roundtable that allowed participants to provide feedback on the act's Section 404 provisions. From Venezuela to The Netherlands, viewers around the globe tuned in more than a month later to the live webcast, conducted in partnership with the National Association of Corporate Directors (NACD). More than 2,000 people signed in to listen to regulators and representatives of the four legs of corporate governance--boards of directors, executive management, internal auditors, and external auditors--share perspectives and insights on Section 404.

"Fine-tuning Compliance," broadcast near The IIA's headquarters in Altamonte Springs, Fla., included a question-and-answer (Q & A) session as well as brief presentations by the six panelists: Mary K. Bush, president of Bush International, an international financial advisory firm; Dan Goelzer, a member of the U.S. Public Company Accounting Oversight Board (PCAOB); Amy Hargrett, assistant chief accountant of the SEC; Robert Lipstein, KPMG's national partner in charge of Sarbanes-Oxley 404 services; David Buckel, chief financial officer of Internap Network Services Corp.; and Paul Sobel, vice president of internal audit at Atlanta-based energy firm Mirant Corp., who moderated the panel. The panel members each provided insight from their respective areas of expertise and answered audience queries in real time, addressing current issues and allowing for dialogue between panelists and viewers.

PCAOB PRONOUNCEMENTS

The webcast came on the heels of a PCAOB publication clarifying the auditor's role in Sarbanes-Oxley efforts, Auditing Standard No. 2 (AS2), "An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements." AS2 is the standard auditors must use to satisfy their obligations under Section 404 of Sarbanes-Oxley.

The guidance, which consists of a Policy Statement regarding AS2 implementation and a Q & A segment aimed at helping the external auditor plan the scope and testing of the audit, was announced May 16 in response to concerns voiced at the SEC roundtable. The PCAOB tips focus on using a top-down, risk-based approach to planning and performing an audit, which includes using the work of other competent professionals, including internal auditors.

Although a giant step in the right direction, according to those long waiting for some guidance, the PCAOB tips are only the beginning when it comes to smoothing out Section 404 kinks, webcast participants said. "The statements that we put out on May 16 certainly are not the end of the PCAOB's efforts to try and make more efficient and effective the implementation of Section 404," Goelzer said.

The process of gathering and evaluating information to determine where additional guidance may be needed also is being reviewed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which in August will release an exposure draft to help small businesses with Section 404 implementation. In addition, the SEC has appointed an Advisory Committee on Smaller Public Companies, and the PCAOB Standard Advisory Group, which advises the PCAOB on auditing issues, met June 8 and 9 to discuss specifically the interpretation of the definitions of material weakness, significant deficiency, and other related terms.

During the webcast, Sobel noted that the recent PCAOB guidance did not include such definitions. Goelzer's response: "In the shortest possible time frame--30 days after the SEC roundtable--we wanted to issue guidance pertaining to scope. As to the evaluation and application of definitions, we needed a little more information about what the practical problems had been in the past year--our advisory meeting will be a good way to do that."

RESPONSES TO SEC ROUNDTABLE

A series of introductory presentations by the panelists reinforced many of the recommendations that had been shared during the earlier SEC roundtable, including the importance of enterprise risk management and controls other than those limited to financial reporting; guidance regarding reporting on the status of remediation efforts to handle material weakness disclosures; cost-effective provisions to eliminate the requirement that each issuer's external auditor attest to the assessment made by management; greater reliance on the work of internal auditors; and communication between the audit committee, external auditors, and management. The consensus was that there should be more reliance on the work of others related to their assessment of the control environment, and more reliance on the use of work performed by a competent and independent internal audit function.

"The top-down approach in a risk-based assessment is something everyone will probably hear a lot of as we go through the second year [of compliance with Section 404]," Hargrett said.

Sobel, who has 17 years of experience in the internal audit profession, summarized the challenges that remain as organizations move forward into year two of Section 404 implementation:

* Determining the true "key controls" and finding the balance between preventive and detective controls.

* Determining which deficiencies "make the list" via activities such as establishing the difference between inconsequential and trivial and testing discrepancies and deficiencies.

* Aligning internal audit testing with the needs of a truly integrated audit.

* Designing tests of internal controls in advance of late-in-the-year system implementations of upgrades.

Buckel agreed with previous statements that too many controls during the first year of Section 404 had been defined as "key." "To us, a key control is a control that can materially affect the financial statements--we didn't want to miss any. What we need to do this year is work with our external auditors, narrow some of the key controls, tell them why these controls are key, and work with them up front as to where we are going."

QUESTIONS ANSWERED

During the webcast's Q & A session, audience members asked questions about everything from the best ways to integrate information technology (IT) into auditing to the most effective role for internal auditing in Sarbanes-Oxley implementation.

Buckel said that about 40 percent of the deficiencies within his organization were IT-related. "Quite honestly, we're still struggling," he said. "We've remedied the deficiencies, but to take the next step into automation and eliminate them from the future, we're not there yet."

Such IT deficiencies are typical in many organizations, according to Sobel. "Companies really need to pay particular attention to IT-dependent controls and develop a good strategy for how to test those in an effective and efficient way," he said.

As far as the role of internal auditing, Buckel said, "I believe the internal auditor should have an expanded role within the company. The internal auditor should take most direction from the audit committee or board of directors."

Bush, who, in addition to her role at Bush International, serves as audit committee chairman of Mortgage Guaranty Insurance Corp., said that emphasizing the importance of Section 404 must begin at the top of the organization. "But in terms of organizing the work and getting other parts of the company involved with their specific assignments, I think internal auditing can play a very important role," she said.

KPMG's Lipstein remarked that leading organizations have embedded ownership of controls into the business. "That requires in some cases a mindset change, and lots of training," he said. "If they do that, they elevate internal auditing to be a monitor in control--to come in and periodically test the ownership and testing processes that go along with it. That sets up the discussion on the use of the work of others nicely for the external auditors to really rely on their work."

GEARING UP THE PRIVATE SECTOR

When asked whether private companies should be prepared for Section 404 to head their way, Goelzer said many already have prepared for that possibility. "We are starting to see lenders and other kinds of stakeholders in private companies take an interest in whether the company is 404 compliant, and it certainly is a major issue for companies who may go public in the future."

Buckel said private companies already should be moving in the direction of 404. "We're in a world where industries consolidate," he said. "I think quite clearly they need to be compliant, because when someone like my group goes in and looks at a small company that might be a value add, [compliance] is now one of the things we look at with due diligence--and it might be one of the things that makes us walk away."

The entire IIA/NACD webcast can be viewed for free via The IIA's Web site. Visit www.theiia.org and search for "Fine-tuning Compliance."

To comment on this article, contact us at editor@theiia.org.

STEPHANIE DOYLE

BUSINESS WRITER

RELATED ARTICLE: Extended Session

Due to time limitations, many questions posed by webcast audience members could not be addressed during the event. Afterward, however, several panelists agreed to share their thoughts on some of the audience's key queries.

Who should own the Sarbanes-Oxley process going forward? It seems to be a conflict of interest for the controller's area to own this process.

GOELZER: From a PCAOB perspective, companies are free to make their own decisions about who in management should have primary responsibility for assessing the effectiveness of the company's controls. AS2 requires the auditor to obtain an understanding of management's assessment process and to reach a decision as to whether there is a reasonable basis for management's conclusions. However, AS2 does not make the evaluator's independence from the financial reporting process a factor in the auditor's determination.

Of course, companies do have a strong incentive to have an internal audit staff that is independent of financial reporting management conduct the testing that supports management's assessment. Under AS2, the ability of the auditor to rely on testing performed by company personnel depends, among other things, on the objectivity of the testing authority. Therefore, when a company assigns responsibility for the testing that supports management's assessment to a group that is independent of the officers who are responsible for financial reporting, the company's auditor will be able to make greater use of the testing results to support its own work. That, in turn, should reduce the cost of the internal control audit.

SOBEL: I agree that there is an apparent conflict of interest with it falling to the controller's organization, since many of the key controls are executed by that organization. However, I think it's tough to find an organization where there isn't some conflict. I think the key is to make sure that the Sarbanes-Oxley leader is positioned sufficiently high in the organization, and that a competent and independent internal audit department exists to provide validation that the Sarbanes-Oxley function is achieving its objectives.

If a company's enterprise business system is being implemented at one of the company's business units in the fourth quarter, what documentation, if any, is needed for quarters 1-3 for that business unit?

GOELZER: PCAOB frequently asked question (FAQ) No. 6, issued June 23, 2004, addresses the situation in which management implements, late in the year, a new accounting system that significantly affects the processing of transactions for significant accounts. The response to this FAQ says that the auditor is not required to test the controls over the old system, since the auditor's report on the effectiveness of internal control is as of the end of the year. Stated differently, elements of the company's internal controls that are no longer in operation at the end of the year need not be tested as part of the AS2 audit. As a corollary, the auditor need not review documentation with respect to controls that are no longer in use.

However, as FAQ No. 6 also points out, in conjunction with the financial statement audit, the auditor should understand the internal controls that operated at any time during the year. In addition, to assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period. Therefore, if the auditor intends to rely on the controls that were in place during quarters 1-3 as part of the financial statement audit, the auditor would need to have access to evidence demonstrating that those controls were effective.

Could you provide more information/examples of how additional reliance on company-level controls will reduce the amount of testing of control activities?

GOELZER: PCAOB FAQs No. 38 and No. 43, issued May 16, 2005, address how the top-down approach and the auditor's risk assessment affect the nature, timing, and extent of control testing. The auditor's evaluation of company-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on controls at the process, transaction, or application levels. Pervasive company-level controls can have a significant effect on the auditor's testing of other controls, particularly when strong company-level controls that have a direct relationship with lower-level controls result in the auditor decreasing the testing he or she otherwise would have performed. The relationship between particular company-level controls and particular process, transaction, or application-level controls varies from company to company, and the PCAOB has not issued any specific examples of that relationship.

What is the advice for management and its audit committee when it comes to defining whether a weakness is material enough to report?

GOELZER: Materiality has the same meaning in the Section 404 context as it does for SEC financial statement reporting purposes. In general terms, therefore, the determination of whether a control deficiency is material should be approached from the perspective of the user of the financial statements. If there is a reasonable likelihood (i.e., more than a remote possibility) that a deficiency, or combination of deficiencies, will result in an error or misstatement in the financials that would be significant to a reasonable investor, the deficiency is material. If the impact of the deficiency on the financial statements is not one that a reasonable investor or other user would care about, then the deficiency is not a material weakness.

HARGRETT: As the SEC highlighted in its May 16, 2005, staff statement, management must exercise judgment in a reasonable manner in the evaluation of deficiencies in internal control over financial reporting, and such evaluations may appropriately consider both qualitative and quantitative analyses. Among other things, the qualitative analysis should factor in the nature of the deficiency, its cause, the relevant financial statement assertion the control was designed to support, its effect on the broader control environment, and whether other compensating controls are effective.

There has not been much market reaction to the weaknesses disclosed in SEC filings. Does this mean investors are indifferent to these disclosures on internal controls, and if so, is there real benefit from Section 404 to investors?

HARGRETT: The feedback we received from our April 13, 2005, roundtable discussion on the implementation of the internal control reporting provisions and the written submissions from the public regarding Section 404 made clear that companies have realized improvements to their internal controls as a result of implementing the requirements, and that the requirements have led to an improved focus on internal controls throughout organizations. Additionally, we have heard from rating agencies and investor groups that they are focusing on the types of material weaknesses and disclosures reported, and that all material weaknesses are not viewed the same. Ultimately, we believe improved internal controls and increased focus on internal controls improve the reliability of financial reporting and therefore benefit investors.

GOELZER: I do not agree with the generalization in the premise of this question. A 2005 Goldman Sachs study, Sarbanes-Oxley Section 404--Analyzing Stock Market Reaction to Negative Disclosures, concluded that the stock price reaction to negative Section 404 disclosures depends on three issues:

* The nature of the disclosure. For example, the market treats a laundry list of deficiencies more harshly than an isolated problem.

* The market's pre-disclosure expectations. If the market already knows that a company has weak financial and accounting practices, and has already discounted that in the stock price, there may not be a notable reaction to an adverse Section 404 disclosure. However, if a company has traditionally been known as having strong financial reporting, an adverse opinion is new--and negative--information.

* The presence or absence of other, offsetting company news. Positive developments related to the company's operations, or to the overall macroeconomic or capital markets environment, may overshadow negative Section 404 disclosures.

In my view, clear and complete disclosure concerning material weaknesses will reduce investor uncertainty and minimize market impact. If there is good disclosure about the nature of the material weakness, its potential effect on the company's financial reporting, and when and how it will be remedied, I would expect a minimal market impact. That does not mean Section 404 disclosure is irrelevant to investors. It means that, when the market understands the significance of the material weakness, it will not be forced to discount the stock for uncertainty concerning the possible consequences of the problem.

How should audit committees determine the allocation of internal audit resources between Sarbanes-Oxley and other audit work? What type of information should the chief auditor provide to help the decision?

SOBEL: This will vary from company to company based on the internal audit charter, the organization's appetite for risk, and other organizational considerations. I believe the chief audit executive should proactively provide the following information to the audit committee:

* The proportion of the audit plan devoted to Sarbanes-Oxley versus other areas.

* A description of the nature of risks not being covered--or audits deferred--because of heavy focus on Sarbanes-Oxley.

* Benchmarking against similar organizations.

* Examples of what additional audits might be covered under alternative staffing scenarios.

What changes do you anticipate regarding general IT control testing in areas such as security, access control, and change management? Was testing in these areas too stringent in the first year of Section 404?

GOELZER: I can't address generally what was done in the first year. The PCAOB is just beginning its inspections of 2004 audits, including internal control audits. Further, the level of testing of IT general controls undoubtedly varied from company to company and from audit firm to audit firm.

PCAOB FAQ No. 45 indicates that "benchmarking" is permissible and therefore that, in appropriate cases, the level of testing over application controls may be lower in years subsequent to the initial AS2 audit. A benchmarking strategy for automated application controls necessarily relies on effective IT general controls. In that regard, testing of IT general controls will continue to be important.

If systems implementation happens toward the end of the year, will management still need to attest to the operating effectiveness of the controls that existed in the old system?

SOBEL: Management must attest to the effectiveness of the controls in place as of year-end. If a new system is implemented late in the year, management may elect to run parallel through year-end to assure the controls are operating effectively at that time. However, it may be possible to test the new program implementation in sufficient detail to satisfy Section 404 requirements. Alternatively, other mitigating controls may be in place that could be tested to gain comfort. In both of those scenarios, it would not be necessary to test to the old system. Of course, if the old system processed a large volume of significant transactions, it may still need to be tested to support the audit of the financial statements.

HARGRETT: The SEC's rules require companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include, among other things, in their annual reports management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year. Accordingly, management should attest to the operating effectiveness of the controls that are operating as of the date of its assessment. The SEC staff statement issued on May 16, 2005, specifically addresses this issue as it relates to new system implementations. Additionally, PCAOB FAQ No. 6 (issued June 23, 2004) addresses this question from an external auditor's perspective.

What type of top-level controls would reduce the need to review/test detailed control activities?

SOBEL: A few come to mind. First, a comprehensive, robust process to evaluate monthly budget to actual fluctuations may serve as a detective, monitoring control that is relied upon for many of the processes. Second, an upward certification process to a disclosure committee may cover disclosure controls embedded in individual processes. Third, a strong change-control process in IT may reduce the nature and extent of roll-forward testing if a change occurred since the initial testing. Fourth, strong compliance and anti-fraud programs may reduce the amount of detailed testing surrounding fraud scenarios. Finally, audits performed by a competent and independent internal audit function may reduce the nature, timing, and extent of testing required in certain areas.

Do you think that Section 404 shifted risk management from the hand of the managers to the internal control system?

SOBEL: I believe the system of internal control is a subset of enterprise risk management (ERM); therefore, risk managers still have an important role. I also believe that, as a result of Section 404, many companies are placing less focus on nonfinancial reporting risks, which could have adverse long-term ramifications. However, the discipline required from Section 404 may also serve to strengthen these companies' ERM programs such that the overall risk management improves in the long run.

The U.S. Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed by Amy Hargrett are her own and do not necessarily reflect the views of the commission or of Hargrett's colleagues upon the staff of the commission.