Roundtable on SOX 404 Year Two
By: Cydney Posner
On Wednesday, the SEC and PCAOB sponsored a roundtable to discuss second-year experiences with the reporting and auditing requirements of SOX 404. Panelists discussed the benefits and improvements realized over the year, as well as the costs and other problems that continue to afflict the process. Numerous suggestions for improvements were made, and PCAOB Acting Chief Bill Gradison recognized that, based on current information, changes appeared to be in order.
Because the emphasis of the roundtable was on prior experience, most panelists focused on the larger company experience, although there was certainly some attention to the elephant in the room--the extent to which SOX 404 should be applied to smaller companies, which, to mix metaphors, appears to have become something of an open sore in these circles. One panelist contended that the business and professional community had lost perspective on SOX 404: it is really just a defensive measure and, by absorbing so much time and front-page attention, was obscuring necessary projects that would really improve financial reporting. As a result, he urged that the "question be called" on the application of SOX 404 to smaller companies so that the obsession with SOX 404 could finally be put to rest. In response to a question from new Corp Fin Director, John White, as to the status of the pending new COSO framework, the COSO panelist essentially reiterated prior COSO statements repudiating the concept of "COSO-lite," making clear that COSO does not plan to replace or modify the COSO framework for smaller companies. Rather, COSO is working on improving the guidance that it issued for public comment in October 2005, which was roundly rejected at the time. Panelist Alex Davern, a vocal member of the SEC Advisory Committee on Smaller Public Companies, indicated that the Committee had concluded that the mere issuance by COSO of new "guidance" would not help to bring costs down.
Generally, most panelists concluded that SOX 404 provided benefits and that year two witnessed increased focus, sophistication and efficiency in implementation of SOX 404, although, in each case, the extent of these benefits or improvements was a subject of some controversy. GE, for example, was able to reduce the number of controls tested from 40,000 to a mere 38,000. (GE spent $33 million in each of this year and last on internal control audits.) The percentage of material weaknesses reported was reduced from 16% to 7%, and many previously reported weaknesses had been remediated. Costs were generally down, although the amount of the reduction depended upon whose survey was consulted--the one commissioned by the audit firms or the one performed by business organizations. There was still too much duplication of effort, as accountants failed to adequately integrate the two audits. In addition, although costs for SOX 404 compliance were down, even the auditors' survey showed that other audit fees had risen to compensate for the reduction in SOX 404 fees, as auditors increased the scope of their audits and their focus on fraud detection. And, while external 404 costs may have declined, internal costs had not. Expressing disappointment with the self-congratulatory rhetoric he had heard at the roundtable thus far, Davern gave the regulators a failing grade for their lack of "realistic, commonsense thinking": in adopting the rules under SOX 404, the SEC had estimated the costs for compliance at about $90,000 per company and expected no difference in costs between large and small companies. Where judgments were so glaringly deficient, he argued, someone needs to reexamine their underlying assumptions. Moreover, the auditors had predicted last year that the costs in year two would decrease by 40%, and that prediction was likewise widely off the mark. Davern attributed many of the problems with cost to the effective price control exercised by the "Big Four oligopoly." 
Attorney John Huber countered that the cost of compliance with SOX 404 was significantly less than the costs associated with a serious restatement. Interestingly, Commissioner Glassman raised questions about the potential effect of a different role for the accountants, for example, if their role were limited to evaluating management's assessment rather than a separate audit of controls. (Of course, this suggestion met with a very negative response from the accountants on the panel.)
There was also some discussion of the effectiveness of SOX 404. Several panelists commented that auditors were still overly risk averse as a result of concerns regarding liability and PCAOB examinations. Joe Grundfest likened the problem to that afflicting the medical profession: the cost of medical tests is not borne by the doctor, but the tests provide protection for the doctor. These structural features push doctors to adopt a hyper-aggressive approach that results in defensive and excessive medical testing. The same structural features, he argued, push auditors to inappropriate testing levels. While the guidance (see my emails of May 16 and 17, 2005) from the SEC and PCAOB in May of last year (which, for example, recognized the importance of the use of judgment in applying SOX 404, emphasized a risk-based approach and encouraged auditors to provide advice to their audit clients) was favorably received, it was not viewed as sufficient in most cases: many panelists noted that AS2 seemed to conflict with the guidance and, in the minds of many auditors, took precedence. As a consequence, many auditors continued to pursue a costly, check-the-box approach, resulting in a forest-and-trees problem because of an excessive focus on low-level controls. The Moody's representative noted that, in their examinations, they have seen very few controls that had anything to do with fraudulent reporting; only four companies that he had examined had controls related to fraudulent reporting, and each had had previous problems with fraudulent conduct. While reporting on controls should be forward-looking, instead he saw that reporting of weaknesses typically just followed a train wreck. Other panelists perceived the conservative environment as creating a (presumably problematic) direct correlation between the failure to apply a complex accounting standard leading to a restatement that resulted in a material weakness.
For the most part, panelists considered SOX 404 to have a positive effect on the market, helping to restore investor confidence in the integrity of the market following several major scandals. The panelist from Moody's noted that the market benefits could be seen in the lowered credit spreads prevalent today (as compared with the period of turmoil following the scandals), which had significant tangible financial benefit. However, Commissioner Glassman raised the issue of whether the market benefits were attributable to SOX 404 or to other provisions of SOX, such as the certifications required by 906 and 302 or the board independence requirements. Although a number of panelists expressed the view that SOX 404 was critical, several panelists concurred with the implications of her question and attributed much of the benefit to other aspects of SOX. A couple of corporate officers, including Davern, argued that SOX 404 was insignificant to investors, noting that no investor had ever asked them any questions about controls other than what the cost would be and when it would decrease. Davern reported that a soon-to-be-released Nasdaq survey of institutional investors showed that 86% believed that the costs of SOX 404 exceeded the benefits. Most interesting were the suggestions by several panelists that the calm reception the market has given to reports of material weaknesses was not a good thing. Rather, the failure of the market to react negatively to reports of material weaknesses signaled that the threshold for material weakness was too low, resulting in too many material weakness reports that were really not of interest to the market: a report of a material weakness should be a "canary in a mineshaft," a precursor of a serious problem that should create a market reaction.
Others expressed concerns about the impact of regulation perceived to be excessive on the competitiveness of the U.S. capital markets, citing as evidence the dramatic shift to listing on overseas markets (30 U.S. companies listed on the AIM and 1/3 of companies listing on the AIM in 2005 were non-U.K. companies). While companies may not like SOX 302, they "voted with their feet" on SOX 404. In addition, some smaller companies may have decided not to access the public markets at all because of their perception of the excessive costs of regulation.
Many of the panelists offered recommendations, with several recommending that the SEC and PCAOB do as little as possible to change SOX 404 on the theory that changes would require more start-up time, more education of auditors, more costs and more delays. Nevertheless, most of the panelists favored some type of action. These included:
- The SEC should issue guidance for management with respect to implementation of SOX 404. AS2 was designed for auditors, and yet, in the absence of other guidance, auditors have been recommending that management follow AS2; management should have a broader array of tools to test internal control. Guidance could also assist companies in understanding the steps they can take to facilitate reliance by the auditors on work performed internally.
- AS2 should be revisited. The recommendations for changes to AS2 included:
  - Formally incorporate the PCAOB's May guidance into AS2 to avoid any possible conflict or confusion;
  - Reexamine the definition of "materiality," "material weakness" and "significant deficiency." Grundfest parsed these definitions and arrived at a quantification of the threshold for "significant deficiency" at 05%, driving companies and auditors to look at processes that have an effect at a hair-trigger level. As a result, the language itself causes everyone to look at low-level controls. Similarly, the definition of "material weakness" should increase the probability requirement and the materiality threshold to ensure that material weaknesses do provide the warnings they were intended to provide. In addition, materiality should be assessed against the annual financials, not the interim financials;
  - Provide some relief with respect to the documentation requirements;
  - Permit greater reliance on work performed by others;
  - Reexamine the concept that each year should stand on its own by permitting rotational testing based on risk;
  - Place more emphasis on company-level controls and fraud controls;
  - Increase the power of auditors to use their professional judgments; and
  - Reexamine the principle that a restatement (or any material error in accounting treatment) is a strong indicator of a material weakness, which results in an almost default position.
- The issuance and publication of PCAOB inspection reports should be expedited. Publication of these reports will communicate best practices and facilitate greater consistency among auditors and companies.
- The SEC should adopt a safe harbor. A safe harbor could parallel the Delaware business judgment rule (due care, loyalty, good faith) and would provide that an auditor's informed, good faith judgment should not be penalized. This type of safe harbor might also be extended beyond auditors to Boards and others.
- Adopt the Advisory Committee's recommendations regarding small companies, or don't. This topic was a hot potato with strong views expressed both ways. However, everyone agreed that at least some type of special guidance was required. For example, with respect to reliance on the work of others, small companies often do not have an internal audit function that can be relied upon by the auditors. The representative of the Council of Institutional Investors suggested that one more final extension of time prior to required implementation of SOX 404 for small companies might be appropriate. Several panelists suggested implementation of a pilot program prior to implementation across the board. Commissioner Glassman seemed to at least be considering the possibility of eliminating some level of auditor involvement for smaller companies. Davern cautioned that regulators should expect a serious backlash if appropriate action is not taken.
- The SEC should agree with EU regulatory authorities on internal control convergence. If the EU adopted comparable internal control requirements, it could staunch the flow of companies listing overseas.
- The accounting profession should develop and share best practices.
- Competition in the market for auditors should be restored.