Originally published May 20, 2005

Recent PCAOB and SEC Guidance

With a season of experience under their belts, the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) recently issued new guidance regarding management assessments and outside auditor attestations of internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act of 2002 and related regulations (SOX 404). Taken together, the guidance statements can in the future lead to more efficient assessments and attestations, more informative disclosure, and significant cost savings.

The new guidance encourages: (1) risk assessment that starts with company-level controls and proceeds down through significant accounts, then significant processes, and finally, individual controls - a "top-down" analysis - to better identify higher-risk areas; (2) better management-auditor communications throughout the assessment process, coupled with an integration of the financial statement audit and the internal controls audit; (3) increased reliance on third-party work; (4) reduced assessment of general IT controls not related to financial reporting; and (5) better explanations of identified material weaknesses, their causes and impact, and management's corrective measures.

New Guidance Endorses Reasoned Approach

The SEC and PCAOB discourage rigid, mechanical, "check-the-box" application of the rules and aggressively endorse a reasoned and individualized approach. Both agencies acknowledge that, while SOX 404 compliance has improved internal controls and corresponding financial reporting, the advances have come at a high, and in some cases unnecessary, cost. Procedures can and should become more refined and efficient. This will improve outcomes and reduce needless stress on human and capital resources and, we believe, the nerves of management. This article highlights key elements of the recent guidance that should help you better control the assessment and attestation process, manage your costs, and improve your disclosure.

Common Themes

Three common themes emerge in both the PCAOB and SEC guidance statements:

  • One Size Does Not Fit All. Assessments and audits should be tailored to the size, business, operations, risks, and procedures of each company, not directed by standardized checklists. This should more precisely identify potential problems, promote more efficient allocation of resources, and focus on outcomes rather than on processes.
  • Top-Down/Risk-Based Approach. The review should start at company-level controls and work down to identify significant accounts, significant processes, and then individual controls. The information gathered at each level can improve the risk assessment at the next level down. This process should make it easier to identify the risks of a material weakness in a given area, and permit the allocation of resources to processes and classes of transactions that are most likely to materially affect the company's financial statements. It will also permit a more effective review by reducing the time and effort devoted to areas that do not affect the likelihood of a material misstatement.
  • Auditor-Client Communications. Dispelling common misconceptions at both the client and auditor levels, the PCAOB and SEC encourage companies and their outside auditors to discuss accounting and internal controls issues, provided that management, and not the outside auditor, makes the final determinations. Companies also can provide draft financial statements to the auditors, even if incomplete, and auditors can give companies technical advice on the proper application of Generally Accepted Accounting Principles, including suggestions for management's consideration to improve disclosures and financial statement quality. Draft spreadsheets, research memoranda, and worksheets can be discussed to determine preliminarily the auditor's views on company assumptions. We, as well as PCAOB, suggest that these discussions be oral, rather than in writing, to encourage open communications. Discussions with the auditors, or errors in draft documents, do not in and of themselves compromise the auditor's independence or require a determination that there is an internal control deficiency.

SEC - Staff Advice[1]

The Division of Corporation Finance and the Office of the Chief Accountant provided specific guidance for SOX 404 compliance in addition to the common themes described above, including:

  • Focus on Material Errors. A fundamental goal of SOX 404 is reliable and materially accurate financial statements. While it is important to identify control deficiencies and significant deficiencies, the overall focus should be on items that could result in material errors in the financial statements.
  • "Zone of Reasonable Conduct." Auditors should recognize that there is a "zone of reasonable conduct," such that there will likely be several acceptable implementation methods for a given situation. Different companies may reach different conclusions regarding what testing or methodologies are required to confirm a reasonable assurance regarding the reliability of financial reporting, and these differences do not necessarily imply improper implementation.
  • Scope of Assessment. In determining the scope of an assessment, management must consider both qualitative factors (such as the risk associated with particular accounts and processes) and quantitative factors (including, in some cases, a set numerical threshold). Knowledge gained in prior assessments may properly affect current assessments by, for example, permitting varying levels of testing in different areas from year to year. In most circumstances, the scope should be based on annual and company measures, rather than interim or segment measures. However, if a deficiency is identified, its significance must be measured using both quarterly and annual measures and, if applicable, segment measures.
  • Timing. Although SOX 404 reports must speak "as of" the fiscal year-end, testing is not necessarily limited to that period. Some controls may lend themselves to testing earlier in the year, and management may be able to use ongoing monitoring thereafter to determine that such controls function effectively as of the fiscal year-end without additional detailed testing.
  • Evaluating Deficiencies. When evaluating deficiencies, management should consider the significance of the deficiency and whether there are any compensating controls. Both qualitative (nature of the deficiency, its cause, assertions it was designed to support, effect on the broader control environment) and quantitative analyses should be applied.
  • Restatements. The rules do not require that a material weakness be found in every case where a restatement results from an error. Management and the auditor must use judgment in analyzing the reasons for the restatement.
  • Enhanced Disclosure Regarding Material Weaknesses. In disclosing material weaknesses, companies should consider discussing: (a) the nature of the material weakness; (b) its impact on financial reporting and the control environment; and (c) management's remediation plans. Investors should be able to assess the impact of each material weakness.
  • IT Controls. For purposes of a SOX 404 assessment, the SEC staff does not expect testing of general IT controls that do not pertain to financial reporting. These include controls over program development, program changes, and computer operations.
  • IT Upgrades. The SEC staff specifically rejected a proposal to grant a grace period for assessment of new IT systems and upgrades.

PCAOB - Policy Statement[2]

In addition to the common themes, the PCAOB staff offered several recommendations for auditors:

  • Integrate internal control audits with financial statement audits, to leverage information gathered in both contexts and complete both audits in a coordinated and efficient process.
  • Use the work of others, as permitted by the PCAOB and other accounting standards, to reserve more time for high-risk areas and reduce unnecessary duplication of effort and expense.

PCAOB - Staff Questions and Answers

The PCAOB staff supplemented the Policy Statement with new FAQs[3] focused on the scope of the internal control audit and the level of testing required. In addition to fleshing out some of the matters covered in the Policy Statement, the FAQs address several matters of note, including:

  • Auditors should use prior knowledge of a company's internal controls when assessing risk in the current year.
  • Under specified conditions, auditors could conclude that entirely automated application controls continue to be effective without repeating prior-year tests on that control.
  • The adequacy of management's assessment should not depend on whether management's testing was as extensive as the auditor's testing - management can use procedures different from those employed by the auditor and still have an adequate basis for its assessment.
  • Auditors are not required to test every control that management identifies as a "key" or "significant" control. The auditor should obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements, whether or not management has identified them as key or significant controls.

A Road Map for Management

We view the SEC and PCAOB statements as management's road map to greater control over the SOX 404 assessment and attestation process. We encourage management to discuss the guidance statements with their outside auditors with a view towards improving the audit process and controlling costs.

Footnotes

[1] Division of Corporation Finance/Office of the Chief Accountant of the SEC, Staff Statement on Management's Report on Internal Control Over Financial Reporting (May 16, 2005).

[2] Policy Statement Regarding Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2005-009 (May 16, 2005).

[3] PCAOB Staff Questions and Answers on Auditing Standard No. 2.

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.