Assessing the ‘real-world’ impact of new rules for auditing internal financial controls

As reported in the July issue of New England In-House, the Securities and Exchange Commission and PCAOB in June approved new guidance designed to improve company and auditor assessments of the effectiveness of internal controls over financial reporting under Section 404 of Sarbanes-Oxley.
In sum, the guidance promotes efficiency by allowing management to focus on only those controls needed to prevent or detect material misstatements in financial statements. The guidance also revises the auditor attestation provision to require only one opinion on the effectiveness of internal controls over financial reporting, and eliminates the requirement for an auditor’s opinion on management’s assessment.
The new policy also codifies the definition of “reportable material weakness” (requiring a determination that internal financial controls are ineffective). It also proposes for comment a definition of “significant deficiency” (which SEC rules require to be reported to an audit committee and outside auditors along with material weaknesses) as a deficiency less than a material weakness, but important enough to merit attention by responsible parties.
The PCAOB approved Auditing Standard No. 5 (AS5), which is intended to achieve the following four objectives: (1) focus the internal control audit on the most important matters; (2) eliminate procedures that are unnecessary to achieve the intended benefits; (3) make the audit clearly scalable to fit the size and complexity of any company; and (4) simplify the text of the standard.
Ongoing efforts in Congress (previously reported in this column) to forestall the SEC’s enforcement of 404 died Aug. 9. President Bush signed the America COMPETES Act containing the Dodd-Shelby provision, which ever-so-softly expresses the Congressional sense that 404 implementation should proceed but with the least possible burden on smaller public companies. So, we are left with 404 as interpreted by the SEC Guidance and AS5.
Many specifics contained in the Guidance and in AS5 are either common sense or derivative of the approaches previously taken (without palpable effect). Companies and accountants until now have failed safe to conservative approaches because the perceived ramifications of incurring reportable material weaknesses seemed so Draconian.
Only the most optimistic of readers would seriously contend that the new SEC rules and PCAOB auditing standard actually provide objective methods of determining whether 404 compliance has been achieved.
So, based on the many times the SEC has repeated its mantra that 404 procedures have been clarified by institution of “risk-based, principle-driven” standards, will that repetition cause a company’s management and its external auditors to actually “take a chance,” and to deal only with what they truly perceive to be larger risks?
When some reporting company suffers a material misstatement by reason of failure of internal controls, in an area originally perceived to represent low risk, what will the SEC do? The ultimate test will be what happens to a company that acts diligently and simply decides not to address the area of risk that actually does cause a material financial misstatement.
As Dirty Harry once famously asked: “How lucky do you feel?”
Stephen M. Honig is a member of Duane Morris’ corporate department in the firm’s Boston office. You can reach him at smhonig@duanemorris.com.
