In May 2007, the U.S. Securities and Exchange Commission (SEC) approved its interpretive guidance to management on implementing Section 404 of the Sarbanes-Oxley Act of 2002. What’s new with respect to this guidance? What hasn’t changed? What’s the impact and opportunity for management and the audit committee? This issue of The Bulletin will explore these and other questions.
The SEC adopted substantially what they proposed in December 2006. The Commission also adopted amendments to make it clear that an evaluation complying with the guidance would satisfy the requirements of Section 404, as well as eliminate the audit opinion on management’s assessment process. The SEC also modiﬁed the deﬁnition of the term “material weakness,” and raised the “line of sight” on the part of management and auditors to focus the compliance process on identifying only those matters involving a reasonable possibility of a material misstatement. Finally, the SEC proposed an amendment to redfine the term “signiﬁcant deﬁciency.” The SEC guidance became effective on June 27.
For reference, Protiviti’s SEC Flash Report dated May 23, 2007, SEC Finalizes Guidance on Management’s Assessment of Internal Control Over Financial Reporting, available at www.protiviti.com, summarizes the key differences from the December proposal.
The SEC also decided not to extend further the Section 404 compliance deadline for non-accelerated filers. The bottom line is that smaller companies must stay on course to comply with the current filling requirement, which is for fiscal years ending on or after December 15, 2007.
The Public Company Accounting Oversight Board (PCAOB) also has been busy. They issued Auditing Standard No. 5 (AS5), staying true to the Board’s four objectives of focusing the audit of internal control over financial reporting (ICFR) on the most important matters; eliminating unnecessary audit procedures; providing guidance on scalability to smaller and less complex companies; and simplifying the standard. The effective date is fiscal years ended on or after November 15, 2007, with early adoption available after the SEC approves the standard (which is expected in
July). If the auditor does not early adopt after SEC approval, the auditor must use the AS5 definition of material weakness, which is the same as the SEC’s definition.
Also available on www.protiviti.com, Protiviti’s PCAOB Flash Report dated May 24, 2007, PCAOB Finalizes the Revised Auditing Standard, summarizes the primary differences in the ﬁnal AS5 compared to the December proposal. These changes were more significant because they aligned AS5 with the SEC interpretive guidance.
What hasn’t changed?
A recent survey published by Financial Executives International indicated that four out of ﬁve CFOs remain dissatisfied with the costs and benefits of Section 404 compliance.
While down slightly from the prior year, that finding indicates that concerns regarding the cost-effectiveness of the compliance process remain on the radar screen.
The goal also is unchanged. The objective is a sustainable and cost-effective compliance process that is top-down, not bottom-up. It also should be risk-based, and not inhibited by arbitrary rules leading to unnecessary work and non-value-added activity.
The opportunity also remains for improving the quality of upstream business processes and the sustainability of the internal control structure. For many companies, the value proposition around improving the quality, time and cost performance of processes affecting financial reporting, including the financial close process, and how those improvements will make the Section 404 compliance process even more cost-effective, is still largely unexplored. If companies do not evaluate this value proposition, they are at risk of applying a top-down, risk-based approach to a high-cost internal control structure.
What’s the impact?
The new SEC and PCAOB pronouncements have changed the rules of the game:
- Management’s approach will no longer be auditor-directed. Previously, companies were forced to react and align their approaches to those of their external auditors. Auditing Standard No. 2 (AS2), which has been superseded by AS5, served as a de facto standard for registrants. Now, management can step back and think through its approach with an entirely different frame of reference. However, an organized plan and documented approach still is required and remains the best pathway to reducing total compliance and audit costs.
- It only matters if it could result in a material weakness. Companies can design their evaluation approach and tests of controls to focus only on those risks and areas that could cause the financial statements to be materially misstated. For example, the process no longer needs to be designed to ﬁnd signiﬁcant deficiencies; although, it is possible that some might be identied while searching for material weaknesses.
- The Sarbanes-Oxley world has been turned upside down. Previously, companies typically started at the bottom and primarily built a body of evidence around process-level controls. Now, the approach is different. Companies are encouraged to begin the evaluation process by assessing their critical ﬁnancial reporting risks, including the likely source of those risks. Then, they should consider entity-level controls that mitigate those risks, and ﬁnally, the process-level controls that address the residual risk after considering the effect of entitylevel controls. This approach can change the nature of and signiﬁcantly reduce the number of controls tested.
- Management can achieve a form of “safe harbor” by following the SEC guidance. The SEC has issued guidance speciﬁcally directed to management. In addition, the Commission has modiﬁed its rules to make it clear that management will be deemed to be in compliance with Section 404 if it follows that guidance. If the documentation supporting management’s conclusion that ICFR is effective provides evidence that the assessment process conforms to the guidance, then management will have the proof needed to conclude that the assessment process is Section 404 compliant. One idea to consider is incorporating the risk factors suggested by the SEC into the company’s assessment methodology to ensure they are considered. That said, the SEC doesn’t require companies to modify their approaches to conform to its guidance.
- Think risk throughout the process. If it relates to signiﬁcant ICFR risk, then focus on it; if it doesn’t, then it’s probably not important. As deﬁned by the SEC, “ICFR risk” consists of both the risk of material misstatement and the risk of control failure. From a practical standpoint, the SEC’s guidance asserts that a risk-based approach evaluates continuously the extent of ICFR risk throughout the compliance process, rather than assessing risk primarily on the front end of the process. The days of treating every account, ﬁnancial reporting assertion and control the same – regardless of the relative risk – are over.
- Entity-level controls are a critical component, not an after- thought. Companies need to understand what is being done in this area, and also, the difference between entity-level controls that directly and indirectly affect ﬁnancial reporting, as well as controls that monitor other controls. Companies also need to consider improving and enhancing these controls, with the objective of reducing process-level controls testing, particularly in lower-risk areas.
- Management is an insider, and that makes a difference. Through management’s daily involvement with the business, it knows more about the company’s risks and internal controls than the auditors do. For example, management’s hands-on involvement with managing and monitoring key business processes creates a different starting point in terms of the understanding of, and familiarity with, performance and other key issues. Management should take advantage of this knowledge, document its rationale (which is a one-time investment), and work with its auditors to help them beneﬁt from everything that management knows and does.
- There is more ﬂexibility in using the work of others. The efforts of management and internal audit have become more valuable. While the evaluation criteria of “competence” and “objectivity” remain in place, AS5 has eliminated the confusion as to whether external auditors can use the work of company personnel other than internal auditors and third parties functioning under the direction of management.
What’s the opportunity for management?
The new SEC guidance allows management to take a fresh look at its organization’s compliance process. It also provides companies with an opportunity to do no more than what is necessary to comply with Section 404 by focusing on risk as they execute the process. The guidance invites management to examine how it manages and monitors the business, with the objective of giving itself credit for effective monitoring controls and entity-level controls that operate at a sufﬁcient level of precision with respect to preventing or detecting material misstatements to signiﬁcant ﬁnancial reporting accounts and disclosures. And it enables management to channel some of the cost savings into process and control improvements by improving the quality of upstream business processes; thus, compliance costs are reduced further.
Opportunities never come without a price:
- Everyone responsible for Section 404 compliance needs to understand the new playbook. Understanding the new SEC guidance is a prerequisite to applying it.
- The SEC increased the focus on the risk of fraud. During the Commission’s May 23 meeting, the SEC staff stated that they enhanced the ﬁnal guidance by explaining that the risk of fraudulent reporting will exist in almost all companies. The existence of fraud risk does not necessarily mean that fraud has occurred. Likewise, the absence of fraud does not mean that fraud risk does not exist. A rigorous evaluation would address fraudulent reporting risk, including the risk of management override in the ﬁnancial reporting process. The SEC staff asserted that most companies should consider these matters. Therefore, companies of all sizes should have controls to prevent and detect management override.
- A robust approach is the only way to be sure a top-down, risk-based approach has been applied. For example, Protiviti has a methodology for rationalizing risks, controls and cost-effective test plans that is aligned with the new SEC guidance.
Time is of the essence if companies seek an impact on the 2007 audit cycle. They should be prepared to challenge the status quo, answer questions audit committees are asking about the new guidance and engage proactively in a dialogue with the external auditor.
What’s the responsibility of the audit committee?
An effectively functioning audit committee is an integral component of an effective control environment because it augments the “tone at the top” that is so vital to that environment. With respect to the risk of management override of established ﬁnancial reporting processes and controls, both the SEC staff and PCAOB staff have stressed the importance of audit committee oversight. For example, the SEC expects the audit committee, as part of its oversight responsibilities for the company’s ﬁnancial reporting, to be knowledgeable and informed about the Section 404 evaluation process and management’s assessment results. The committee should ensure that a rigorous evaluation is conducted to address fraudulent reporting risk, including the risk of management override in the ﬁnancial reporting process. The committee should review management’s summary documentation articulating the overall approach to and the results of the Section 404 assessment process, as well as exercise appropriate oversight responsibility over ﬁnancial reporting and internal control.
Ineffective oversight by the audit committee of the company’s ﬁnancial reporting and ICFR is an indicator of a material weakness. Because an effectively functioning audit committee is an integral part of the control environment, AS5 requires the external auditor to “assess … whether the board or audit committee understands and exercises oversight responsibility over ﬁnancial reporting and internal control.”
Eight key decisions
There are eight key decision points along the Section 404 compliance process that warrant a fresh look by every SEC registrant subject to Sarbanes-Oxley compliance requirements. These decision points represent vital areas for aligning management’s assessment approach and the auditor’s attestation process:
- Select the signiﬁcant accounts and disclosures (or ﬁnancial reporting elements).
- Identify the ﬁnancial reporting assertions relevant to each signiﬁcant ﬁnancial reporting element.
- Select the key controls that address the most critical ﬁnancial reporting assertions, considering the effectiveness of their design.
- Decide on the documentation standards for different levels of risk.
- Consider the relative ICFR risk levels when deciding the evidence needed to support a conclusion as to the effectiveness of controls operation.
- Determine the locations and units to include in scope.
- Understand the competency and objectivity standards driving the auditor’s use of the work of others.
- Establish the methodology for assessing the severity of control deﬁciencies at the conclusion of the evaluation process.
While these decisions themselves are not new, under the new SEC guidance they are approached differently than in the past. It is critical that companies understand these differences.
While, in theory, the SEC guidance allows management much more ﬂexibility in exercising judgment during the risk assessment and scoping process, any signiﬁcant disconnects between management and the auditor on the above decisions will usually drive up costs, present problems if issues should arise, and potentially spawn increased litigation risk.
There is another vitally important reason why these decision points are so important. If management and the external auditor can agree on them, it leaves open the one remaining critical decision – the testing of operating effectiveness. This particular decision is the most natural point of divergence between management and the auditor in their respective evaluations.
Since management is an insider and the auditor is not, the two parties do not begin at the same point of knowledge when designing the necessary tests of operating effectiveness. However, the difference between management and the auditor in their respective approaches to testing operating effectiveness will be much less if there is convergence on the eight decision points. A well-documented management assessment maximizes audit cost-effectiveness.
For more information on the eight decisions, including why and how they are approached differently, see the Protiviti white paper at www.protiviti.com, How the New SEC Guidance Impacts Eight Key Decisions Driving a Cost-Effective Section 404 Assessment Process.
There certainly isn’t a cookie-cutter approach to implementing the new rules. Each company’s situation is unique.
For example, some companies wait for advice from the external auditor. While that is certainly important, these companies need to realize it is their responsibility – not the auditor’s responsibility – to read, understand and apply the new SEC guidance. They must become educated about the eight decisions outlined in this publication.
Non-accelerated filers should use the eight decisions as a basis for ensuring alignment when the auditor performs an audit of ICFR the following year. For accelerated filers with few locations and many centralized processes who believe they already have implemented much of the SEC guidance, now is the time to focus their efforts on improving the quality of their upstream business processes. These are just a few examples.
What it all boils down to is this: The Section 404 compliance process is a whole new ball game requiring some reeducation and application of new knowledge and principles. The changes are not difficult to implement and are a good thing because they lead to a more cost-effective approach. The companies most knowledgeable about their opportunities, and that have the capabilities
to capitalize on them, are in the best position to focus on the eight decisions we outlined above and increase the cost-effectiveness of their compliance processes. The audit committee also has an important oversight role to play in this process.
Key Questions to Ask
Key questions for board members:
- Have you discussed with management the SEC’s changes in the deﬁnitions of a material weakness and signiﬁcant deﬁciency? Is there a sufﬁcient understanding around how the new deﬁnitions will be applied over the next 12 to 18 months to ensure that the audit committee is apprised timely of internal control issues that merit its attention?
- Does management have an articulated plan and approach for the risk assessment process and mitigation of risk? Have the results been presented to the external auditor and coordinated effectively to reduce the auditor’s scope and mitigate any concerns? Does the plan provide the audit committee with a timeline for evaluating the effectiveness of management’s dialogue with the external auditor over the course of the audit and the timeliness of the auditor’s input?
- Are you satisfied that there are established controls to prevent and detect management override of established financial reporting processes and controls? In light of the AS5 expectations of the external auditor in this area, have you asked the auditor about his or her concerns with respect to fraud risk? Do you conduct executive sessions with the internal auditors and the appropriate executives responsible for financial reporting to give them an opportunity to surface issues?
Key questions for management:
- Have you taken, or are you taking, a fresh look at the company’s Section 404 compliance process to ascertain whether there are opportunities to further reﬁne it by applying a robust top-down, risk-based approach? Have you considered the eight key decision points introduced in this publication and discussed your conclusions with the external auditor?
- Have you conducted a rigorous evaluation of the risk of fraudulent reporting, including the risk of management override in the ﬁnancial reporting process, and reported the results to the audit committee? Are there any gaps or signiﬁcant fraud risks requiring attention?
- Have you transformed the focus of your internal dialogue regarding Section 404 compliance from “pass-fail and managing external audit costs” to “process capability and managing total compliance costs”? For example:
- Are there any unremediated signiﬁcant deﬁciencies? If so, is there a plan to remediate them, and has it been communicated to the audit committee?
- Are you benchmarking your upstream ﬁnancial reporting processes and sourcing root causes of quality, time and cost performance gaps to improve the operational effectiveness and efﬁciency of these processes?
The Bulletin (Volume 2, Issue 12)