Home / News / The painful evolution of SOX §404

The painful evolution of SOX §404

Words! Words! I’m so sick of words! I get words all day through; first from him, now from you! Is that all you blighters can do? Show me! (My Fair Lady).
The problem with understanding how to comply with §404 of Sarbanes-Oxley is one of implementation: The regulators provide us with a plethora of words (they call them “principles”), but no one knows what to do next.
In December 2006, the Securities and Exchange Commission proposed a draft “SEC Guidance” to provide safe harbor for companies seeking to comply with 404’s mandate to establish internal control over financial reporting.
On the same day the PCAOB, the SEC’s de facto captive self-regulatory agency controlling accounting firms, issued a draft amendment to its Auditing Standard No. 2 (New AS-2), which is the accounting road map for CPAs to perform their annual report on the adequacy of financial controls instituted by management.
Both proposals are subject to public comment through Feb. 26.
The fundamental difficulty, however, is that the SEC Guidance and New AS-2 are just words, and must be interpreted by human beings (accountants at that). It is these humans who have failed us in the past.

Understanding history
The statute itself requires management to implement internal financial controls and report on those controls. Accountants have to give management a report card on that process.
Accountants up to now often have required virtually every transactional process to be subject to a tested control. The result: runaway costs.
The fallout has been a violent objection from the business community, particularly by smaller public companies (non-accelerated filers). In the face of business and political pressure, the SEC continually has delayed the implementation of 404 with respect to smaller companies. Such companies now need comply with only the management reporting portion of 404 for fiscal years after Dec 15, 2007 (and one year thereafter with respect to the accountant’s report).
So the question is: Will the combination of proposed SEC Guidance and New AS-2 solve the confusion and high costs? While it is presumptuous to answer at this early stage, allow me to do so anyway: Not likely.

Summary of proposals
The SEC Guidance presents a “safe harbor.” If a company complies with the SEC Guidance, it can declare its internal financial controls effective (without material weakness).
The road map to such result, according to the SEC Guidance, is a top-down, risk-driven analysis identifying only issues that are material, and applying only such controls as will eliminate material risk.
Larger public companies already in compliance may maintain their current system or avail themselves of the safe harbor. Presumably non-accelerated filers, becoming subject to 404 for the first time, also would be allowed to choose some other route, but as a practical matter the “safe harbor” will become the model of choice for currently unregulated smaller issuers.
In a move that was not surprising given that the SEC has seized control of PCAOB, New AS-2 adopts the same SEC themes: evaluate risk, select material controls, scale review to the magnitude of the enterprise.
These two new proposals must be evaluated in political context:

  • SEC Chairman Cox has decreed the combined SEC and PCAOB action “will significantly reduce, and in many cases wholly eliminate, the inefficiencies and excessive costs behind 404, while retaining all of the good.”
  • At the same time, boards of directors, with responsibilities broader than 404 compliance, are now turning greater attention to identification and mitigation of risk on an enterprise-wide basis, concerning themselves not only with financial controls but also market risk, technology risk, IT risk, reputational risk, political risk and all other risks applicable to a particular business. Directors are resisting a continued focus on complying with §404. They understand that 404 impacts reporting, but enterprise risk shapes business in the first instance.
  • Business groups with different viewpoints continue to lobby the SEC and Congress. The Council of Institutional Investors and the Consumer Federation of America worry about erosion of financial reporting, while the Institute of Management Accountants and the United States Chamber of Commerce fret that the new proposals will perpetuate high costs without addressing mitigation of risk. The bolder critics continue to remind the SEC and Congress that 404 may simply be fundamentally misdirected: “An evaluation of the major scandals from the late 1990s and early 2000s shows that internal control was never an issue. This is a solution to a problem no one ever had.”

    What to look at?
    I suggest ignoring the SEC Guidance in the first instance. If the goal is to simplify and make less costly corporate compliance with 404, the key is at the accounting level. What will actually happen when internal accountants and their external advisors actually design 404 compliance programs, and what will happen when the CPAs (under New AS-2) actually review these new standards?
    This is where the plethora of “words” cuts into our analysis. There are few, and purposely few, actual examples in either the SEC Guidance or New AS-2. In response to an inquiry by SEC Commissioner Paul Atkins as to why the SEC Guidance lacked specific examples, SEC Deputy Chief Accountant Zoe-Vonna Palmrose said the staff was fearful that detailed examples would establish de facto rules, and defaulted to articulation of general principles (words, not examples).
    With this backdrop, we drill down into New AS-2. It is this document that the accountants will enforce, and consequently that designers of internal financial controls must consider.
    Here is a somewhat jaundiced summary of New AS-2:
    1. Auditors are directed to look at the most important controls.
    2. The draft emphasizes the importance of top-down risk assessment.
    3. The draft next attacks the infuriating definitions that appears in present Accounting Standard No. 2, where significant deficiencies and material weaknesses (obviously bad things) presently are defined in ways that have caused the CPAs to declare trivial failures as major problems. The admonition of New AS-2 is that CPAs should think about financial control weaknesses using the same standards of materiality utilized in audits. This admonition highlights the key issues. CPAs have applied stricter standards to controls than to evaluating financial statements themselves.
    4. The PCAOB has replaced certain words with other words, and suggests that the new words will cause accountants to be more lenient.

  • Disclosure today is driven by the risk that likelihood of misstatement is “more than remote.” Noting that auditors have misunderstood “more than remote” to “mean something significantly less likely than a reasonable possibility,” the PCAOB wants to replace “more than remote likelihood” with “reasonable possibility.”
  • Instead of defining “material weakness” as a “significant deficiency,” the PCAOB suggests the term “control deficiency, or combination of control deficiencies.”
  • Where the present accounting standard defines a significant deficiency in terms of likelihood of a “misstatement that is more than inconsequential,” we are now invited to think about a control deficiency in terms of whether it is “significant,” which in turn is defined as “less than material yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.” The PCAOB then asks whether this definition is sufficiently descriptive.
    5. New AS-2 eliminates the rule that any significant deficiency that remains uncured must result in a determination that internal financial controls are ineffective. PCAOB now acknowledges that “the auditor may find that the company evaluated the significant deficiencies and reasonably determined under the circumstances not to correct them.”
    6. New AS-2 attempts to eliminate unnecessary accounting procedures. Accountants need no longer evaluate the process by which management generated its internal financial controls. The redraft also permits using knowledge learned during prior audits, and using work prepared by others. Finally, the PCAOB changes the standard for “walk-throughs” or specific testing of internal controls, requiring walk-throughs for entire processes rather than for each particular control (allowing the selection of overall monitoring controls).
    7. Most important is the discussion of scaling the audit for smaller companies. New AS-2 recognizes that a company’s size and complexity is important for designing controls.
    8. PCAOB itself admits that the present proposals really don’t help us very much in how to save money for smaller companies. The PCAOB notes in its release that while the section on scaling includes general discussion of six areas often affected by smaller size, in “this part of the standard we provide the foundation for planned guidance on auditing internal control in smaller companies to be issued next year [meaning 2007]. That guidance, which is currently being developed with the assistance from a task force of small company auditors and input from smaller companies, will expand on the principles.”

    Where are we?
    In the past we had accountants behaving like accountants. Now we have new, proposed principles (“words”) which tell accountants that they were acting too much like, well, accountants.
    What does a smaller company do now, aside from turning to its accountants and saying: “Oh, don’t tell me that, the SEC says that’s not what you’re supposed to do”?
    Must the company wait not until the SEC Guidance is finalized and not until the New AS-2 is finalized, but until the “planned guidance on auditing internal controls in smaller companies” is issued at some unspecified date during 2007?
    And how will the timing and content of that “planned guidance” interface with the SEC’s often-articulated promise that if the PCAOB cannot provide clarity to smaller registrants in sufficient time to assist with 404 compliance by December 2007, then the SEC will further roll back the compliance date for non-accelerated registrants?
    At this point, this lawyer has to agree with Eliza Doolittle’s plaint in My Fair Lady: “I get words all day through; Show me!”
    Stephen M. Honig is a member of Duane Morris’ corporate department in the firm’s Boston office. You can reach him at smhonig@duanemorris.com.

  • Leave a Reply

    Your email address will not be published. Required fields are marked *