Sarbanes Oxley Section 404
Author: Elaine Brownlee
There has been plenty going on of late on the Sarbanes-Oxley s404 front. Niall O’Shea and Elaine Brownlee of Ernst & Young explore the new guidance in this area and consider its practical impacts.
When he was signing the Sarbanes-Oxley Act of 2002 into law, President Bush described it as ‘the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt’. (1) Among the more controversial aspects of the Act was the requirement in section 404 for company annual reports to contain:
a) management’s assessment of the effectiveness of the system of internal control over financial reporting as at the company’s year end; together with
b) the company’s external auditors’ opinion on management’s assessment; and
c) the company’s external auditors’ own assessment.
This reporting requirement came with a significant workload. 60% of companies with revenues greater than USD20bn each invested more than 100,000 man hours in s404 compliance related activities, even before taking account of external auditor hours. In the first year of operation, 70% of companies said the costs of s404 were 50% higher than original estimates.
There were also accusations that s404 was resulting in a stifling regulatory environment that was turning IPOs away from U.S. exchanges. Just 16 percent of global IPOs listed in the United States last year, which is down from 57 percent in 2001, while Europe's share doubled to 63 percent. President Bush touched on the same subject, noting that complying with certain aspects of Sarbanes-Oxley "has been costly for businesses and may be discouraging companies from listing on our stock exchanges".
Following complaints relating to the costs of compliance, the PCAOB has seen the need to revise the Auditing Standard setting out the procedures required of external auditors for their control assessment (AS2) and the SEC has seen the need to issue guidance for management on the work required of them, to help companies and their auditors implement s404.
Auditing Standard No. 5
In May 2007, the PCAOB adopted Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements” (AS5), the Auditing Standard external auditors will have to comply with in issuing their opinion on the effectiveness of internal control over financial reporting. At the time of writing, the Standard has not yet been approved for issue by the SEC. Nevertheless, it is intended to be effective for financial years ending on or after 15 November 2007, with earlier adoption encouraged. However, compliance with AS2 remains mandatory until AS5 is approved by the SEC, when it will supersede AS2.
The key elements of AS5 are consistent with AS2 in that:
- there is a single Standard for all companies;
- it is based on reasonable assurance on both design and operating effectiveness;
- it allows use of the work of others; and
- there is no rotational testing of controls.
While the PCAOB described AS5 as merely a refinement of the approach in AS2, the new Standard is less prescriptive and more principles based, and provides for greater use of professional judgement by auditors, thereby addressing many of the criticisms of AS2.
The Standard requires auditors to:
1) Focus on the most important matters, i.e. a top-down, risk-based approach, focussing on the areas with the greatest risk of a material misstatement. As a result, the risk assessment will drive the scope of the work. This risk-based approach is likely to result in a reduction in the level of controls deemed necessary, while the top-down approach is likely to result in the replacement of business process controls by company-level controls (more on this later).
However, the Standard does emphasize the significance of fraud risk and anti-fraud controls, together with the financial statement close process. Management fraud in particular has been identified as an area of higher risk. AS5 includes a requirement for the auditor to evaluate controls intended to address the risk of management override of controls.
2) Include only the requirements necessary for an effective audit. As a result:
- for multi-location entities, the focus should be on the risk and not the coverage of locations;
- risk should be assessed at the financial statement component assertion level, and not at the control level; and
- the limits on the extent of auditor reliance on the use of the work of others have been removed (i.e. no “principal evidence” requirement).
AS5 also provides some further interpretations on deficiencies. It includes a list of indicators of a material weakness but, in contrast to AS2, does not refer to them as strong indicators of a material weakness. It has also amended the definition of a significant deficiency to a weakness that is “less severe than a material weakness yet important enough to merit attention by those responsible for the oversight of the company’s financial reporting”.
SEC Interpretive Guidance for Management
The SEC interpretative guidance was issued in final form in June 2007 and is effective from 27 June 2007. In summary, the guidance is:
- principles based and flexible;
- top-down and risk-based; and
- scalable to a company’s size and complexity.
Prior to its issue, management had to rely on the PCAOB guidance for external auditors (AS2) for information on what was required for management to make its assessment of the effectiveness of internal control over financial reporting.
The SEC Guidance suggests that management:
1) Identify the company’s financial reporting risks and controls. The guidance acknowledges that this is a judgemental matter and that the risk assessment is scalable based on the company’s individual characteristics.
2) Evaluate the evidence of the effectiveness of controls, tailoring testing procedures to the assessment of the risk characteristics of individual financial reporting elements and controls. The guidance acknowledges that the evidence about the effective operation of controls will vary i.e. the nature, timing and extent of procedures necessary to obtain sufficient evidence of the operation of a control depend on the assessed risk.
3) Evaluate control deficiencies, considering if they represent material weaknesses.
4) Maintain reasonable documentation of its risk assessment, identification of controls, testing methods and procedures and the basis for its conclusions.
Those who have already been through a SOx process might ask how this differs from the position prior to the SEC Guidance, i.e. where, in practice, does the SEC Guidance provide help? In our opinion, the primary benefits of the SEC Guidance are, first and foremost, that it is principles based and confirms the appropriateness of the top-down, risk-based approach. In addition, it also provides clarity on what is and is not required. For example, the SEC Guidance specifically states that:
- it promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement;
- it does not require management to identify every control in a process or document the business processes impacting internal control over financial reporting. Rather management can focus its evaluation process and the documentation supporting the assessment of the controls that it determines adequately address the risk of a material misstatement in the financial statements;
- if management determines that the risk of a material misstatement is adequately addressed by a company-level control, no further evaluation of other controls is required; and
- management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas.
This clarity can only help to reduce uncertainty over the level of work required, which should reduce the level of effort required to achieve compliance.
Finally, as it now has its own specific guidance, management may decide to adopt a different approach to its control effectiveness assessment to that adopted by the external auditors in their assessment.
So what?
At a practical level, if companies are to make best use of the new guidance and maximise the opportunities to alter the nature of the controls and/or reduce the scope of the controls that need to be tested for SOx s404 purposes, they need to reperform their assessment of their financial reporting risks and the controls over those risks, i.e. they need to adopt a top-down, risk-based approach.
Beginning with the risk assessment, companies need to identify the accounts at the consolidated financial reporting level that pose a higher risk of causing a material financial misstatement. The risk assessment helps an organisation prioritise and be more efficient in its testing efforts. For example, an assessment may help identify accounts, business processes and locations that require additional attention, as well as those accounts for which testing may be reduced.
Understanding and assessing the strength of existing company-level controls also allows organizations to create a compliance process that is more sustainable and cost efficient. By demonstrating the sensitivity, reliability and effectiveness of their company-level controls, organizations can then rely on those controls, which may drive efficiencies due to broader coverage or ease of testing.
However, at a practical level, before the scope of controls tested for SOx s404 is reduced, senior executive buy-in will be required. Some senior executives like the current testing coverage and may not want to reduce it, as they see the benefits for them in an extensive process confirming the operation of controls at a business process level. In addition, before the scope of testing is reduced, the agreement of the company's auditors should be sought as less company work could potentially (but not necessarily) lessen auditor reliance and consequently could increase the audit fees. Similarly, if management decides to adopt a different approach in its control effectiveness assessment to that adopted by the company's external auditors, the potential impact on audit fees should be considered.
Company level controls
Company-level controls set the tone of an organization’s overall system of internal control. This system includes the integrity of core business functions, as well as the level of attention paid to people, process and technology. Their influence on financial reporting internal controls at the process, transaction, and/or application level can have a significant impact on the nature, timing and extent of testing required for compliance.
Some company-level controls, such as hiring practices, IT general controls, the tone at the top, code of conduct etc., impact the company’s control efforts in indirect but important ways. Others, such as period-end financial reporting (including reconciliation and journal entries, financial statements and executive reviews), have a specific and direct effect on a financial reporting element.
As noted earlier, the top-down approach enables companies to place more reliance on company-level controls to reduce the number of business process controls that require testing. In general, this should facilitate a reduction in the overall number of controls that require testing.
An organization that can demonstrate the use of strong direct company-level controls sensitive enough to detect or prevent material financial misstatements may significantly reduce testing at a detailed transaction level, especially in lower risk areas. When assessing direct company-level controls to determine the level of assurance they provide, management should consider the following questions:
- Is the control sensitive enough to detect a significant error, deficiency, or fraud?
- Is the control designed and performed effectively? Is the control performed frequently enough?
- Is the control reliable and repeatable? Is the control appropriately reviewed?
- Is the reviewer of the control competent and well-trained?
In our experience, while people know many company-level controls exist, the problem lies in proving their existence, as well as the level of their precision. For example, senior management may meet on a regular basis with each business unit to discuss the business unit's results in detail. However, these discussions are often undocumented, with minimal resultant output, and may focus on different areas at each meeting. Consequently, it can be difficult to determine the precise level of error that such controls may detect. As a result, if such controls are to be relied upon for s404 purposes, they may need to be modified to satisfy a SOx s404 test.
In conclusion
The SEC Guidance and AS5 are essentially consistent. Both documents represent the culmination of a collaborative effort aimed at improving the effectiveness and efficiency of the implementation of s404. Both are principles based and support a top-down risk based approach. The mutual objective of the SEC and PCAOB was to develop guidance that would address concerns about the total costs of implementation while retaining the significant benefits to investors that s404 has provided. Let's make use of it.
Looking elsewhere
Globally investors are seeking higher standards around risk management programmes and communications with the market. As a result, some companies are responding by implementing what are sometimes termed as “SOx-lite” programmes. For example, some privately held companies and non-listed companies are implementing more structured internal control programs on a voluntary basis, particularly in regulated industries.
A number of countries outside the US, including Ireland and the UK, as they update their corporate governance requirements, have considered internal financial control effectiveness reporting requirements similar to SOx. While most have decided against a SOx s404 style approach, Japan is one of the markets to actually introduce new regulation in this area.
Nicknamed “J-SOx”, Japan’s Financial Instruments and Exchange Law was promulgated in June 2006 and applies to all public companies listed on stock exchanges in Japan. The requirement is scheduled to take effect in April 2008. Guidance was issued to Japanese companies in February 2007 on how to comply with these new requirements.
Niall O’Shea is a Director and Elaine Brownlee a Senior Manager in Ernst & Young’s Risk Advisory Services practice. The views expressed are personal and not necessarily those of Ernst & Young.
i. Sheridan, Fiona, ‘Life After SOx’, Strategic Risk Magazine, 12 September 2006.
ii. Giannone, Joseph A., ‘New York officials seek change to stay competitive’, Washington Post/Reuters, 22 January 2007.
iii. Ball, Yvonne, ‘Do Tough Rules Deter Foreign IPO Listings in U.S.?’, The Wall Street Journal, 20 February 2007.
iv. The Internal Control Committee of the Business Accounting Council of the Japanese Financial Services Agency, ‘Implementation Guidance for Management Assessment and Audit of Internal Controls over Financial Reporting’, February 2007.