From: American Electric Power
American Electric Power
Jonathan G. Katz
Subject: Comment letter regarding AEPís experience with implementing and evaluating the Section 404 requirements. File number 4-497.
Dear Mr. Katz:
American Electric Power Company, Inc. (AEP) appreciates the opportunity to comment on our experience as an SEC registrant with implementing and evaluating the Section 404 (404) requirements. AEP, a Columbus, Ohio based energy company, is one of the largest investor-owned utilities operating in the United States, with revenues of over $14 billion and more than 19,000 employees. We provide energy to approximately 5 million customers in Arkansas, Indiana, Kentucky, Louisiana, Michigan, Ohio, Oklahoma, Tennessee, Texas, Virginia and West Virginia.
We support the Commissionís efforts in improving the reliability, accuracy and integrity of financial reporting of publicly traded companies. We understand that the purpose of the Sarbanes-Oxley Act of 2002 (the Act) is to help restore investor confidence and are in agreement with that principle. We believe implementation of the non-404 sections of the Act has improved corporate governance in this country. However, based on our experiences in implementing the requirements of 404, we believe that 404 requires a level of detail that is too costly and too laden with administrative paperwork. The 404 goals could be achieved more effectively and with less cost if focused at the appropriate level of corporate governance controls and the testing of controls differentiated between high risk and low risk activities. Furthermore, we believe that wholly owned subsidiaries of accelerated filer holding companies should be exempt from 404 under certain circumstances.
Our recommendations to better achieve the intent of 404 fall into four areas:
1. Focus 404 efforts on "Tone at the Top" controls where financial misstatements generally occur.
The focus of 404 efforts should be on "Tone at the Top" controls (control environment) where we believe financial misstatements generally occur.
The major financial reporting scandals that gave rise to the Sarbanes-Oxley Act of 2002 (such as Enron, Worldcom, Tyco, as well as Healthsouth and others that occurred after the enactment of the Act) were caused by failures in the control environment (e.g., an executive management override of the internal controls over financial reporting). Therefore, the focus of 404 should be on the control environment. However, in practice the major effort and corresponding cost has not been focused on the control environment. The primary focus both in managementís assessment and in the independent auditorís attestation is on detailed transaction-level processes where, generally, major financial misstatements do not occur. In our management assessment of internal controls, we evaluated and tested 2,445 control activities. Only 166 of these control activities related to the control environment. The focus of 404 should be on preventing and detecting "material weaknesses" in financial reporting. Instead, 404 currently focuses on detailed control activities that prevent and detect "control deficiencies". An example of this is a control deficiency identified by our independent auditor in their attestation, which indicated that we need to maintain documentation of the maintenance records of the air conditioning system for our computer data center. While we clearly understand the need for climate control of our data center, we do not believe this type of issue was what Congress had in mind in trying to improve financial reporting. In fact, we believe focusing effort on this level of detail detracts from the Actís original purpose.
AEP spent approximately $15.4 million to successfully implement 404 in 2004 consisting of approximately $7.8 million in internal staff time representing about 100,000 hours, $1.3 million in contractorís cost and $6.3 million in independent auditorís cost. We believe the administrative burden and cost could be decreased significantly if 404 were focused at the correct level. AEP paid the independent auditor $9.5 million for the financial statement audit, while we also incurred $6.3 million for 404 services. We believe the current costs of 404 outweigh the benefits when you compare it to the cost/value of the financial statement audit. There was a lack of integration between the considerable 404 effort and the financial statement audit. The scope of the financial statement audit was not adequately adjusted to reflect the benefits of the 404 work. Therefore, the natural benefit from the 404 effort was not fully recognized in the financial statement audit. We feel the cost of the 404 effort could have been reduced with the focus only on key controls over financial reporting and the cost of the financial statement audit could have been reduced by greater reliance on key controls determined to be effective in the 404 effort.
We recommend reducing the scope of 404 requirements in order to concentrate on "Tone at the Top" controls related to the control environment to prevent or detect "material weaknesses" in financial statements rather than detailed control activities that identify "control deficiencies" where financial misstatements are unlikely to occur. We also recommend that the PCAOB provide guidance to the external auditor regarding reliance on the relevant 404 key controls in the financial statement audit.
2. Significantly reduce annual testing requirements for low risk areas.
We recommend that the Public Company Accounting Oversight Board (PCAOB) annual 404 testing requirements be significantly reduced (every three years, for example) for low risk areas outside the control environment for both managementís assessment and the independent auditorís attestation.
The PCAOB rules related to 404 currently require annual testing of all major classes of transactions affecting a registrantís financial statements without any consideration of risk. While each company and their independent auditor would have to define the low risk areas for their company and these would differ from company to company and across industries, the following criteria could be used to help define low risk areas:
Routine automated transactions processed through computer applications that have been tested previously and have good "change control" processes in place.
Areas where judgment is limited and manual override is limited or well controlled.
Areas where the accounting process is straightforward (i.e., not complex).
Areas that have not exhibited "significant deficiencies" in prior testing.
Areas where no major changes occurred since the previous testing.
An example of a low risk area for AEP would be our payroll process which meets all the criteria listed above. We do not believe this area or other similar areas need to be tested every year due to the relative low risk.
This recommendation would focus the testing on controls related primarily to the higher risk areas where material financial misstatements are more likely to occur.
3. Remove the 404 requirements for certain non-accelerated filers that are wholly owned subsidiaries.
We believe the 404 legislation in its current form imposes an inappropriately heavy administrative burden on certain non-accelerated Securities and Exchange Commission (SEC) registrants. In AEPís case, compliance with the legislation at the individual subsidiary registrant level is arduous and not cost-beneficial to our shareholders or the general investing public.
The only AEP registrant that is as an accelerated filer, as defined in Rule 12b-2 of the Exchange Act, is the parent company, AEP. The other ten registrants are wholly owned subsidiaries of AEP, which qualified as non-accelerated filers because they had less than a $75 million public float. Therefore, the 100% wholly owned AEP subsidiaries do not have to comply with the 404 standard until after July 15, 2006. All of these subsidiaries currently comply with Section 302 disclosure controls and procedures. The ten wholly owned AEP subsidiaries are listed below:
AEP and its subsidiaries operate as an integrated system with many operational synergies. AEP designed and implemented highly centralized processes, systems, and controls that function universally across all eleven registrants. Through our compliance with the accelerated filer 404 requirements, AEP has effectively tested and validated a significant portion of the non-accelerated processes, systems, and controls. For instance, AEP utilizes the following centralized processes across all eleven registrants:
The remaining untested portion of the subsidiariesí processes, systems, and controls has a minimal impact on AEPís non-accelerated filers, except for certain centralized corporate allocations. These allocations would need to be added to the scope of AEPís accelerated filer review.
Even though AEP and many other companies have subsidiaries that are SEC registrants, the SEC has granted certain exemptions regarding the requirement that companies need to have audit committees at both the parent and subsidiary registrant levels. The rationale for this exemption is provided in SEC Release No. 33-8220; 34-47654 ("Standards Relating to Listed Company Audit Committees") dated April 9, 2003 under the heading, F2, Application and Implementation of the Standards, Securities Affected, Multiple Listings. Qualification for the above exemption allows AEP to have one audit committee at the parent level. AEP firmly believes that a parallel can be drawn between the above SEC position and our position that there does not need to be a 404 management assessment or independent audit attestation at the individual wholly owned subsidiary registrant level.
As an accelerated filer, AEP has successfully complied with 404 at the parent level. The control structures between the parent and the wholly owned subsidiary levels are very similar since our company is highly centralized from a process, system, and a corporate governance and control activity perspective. There is limited incremental benefit in implementing 404 at the wholly owned individual subsidiary registrant level since the benefits are derived at the consolidated level. The performance of a management assessment and an independent auditor attestation for all ten non-accelerated registrants is not cost-beneficial to AEP, our shareholders, or the general investing community.
We agree that 404 should apply at the parent company level. However, we believe that the standard in its current form will impose an inappropriately large administrative burden on non-accelerated SEC filers. Specifically, we recommend that the SEC remove the 404 compliance requirements at the individual registrant level for non-accelerated filers if the following criteria are met:
The parent company registrant has successfully complied with the 404 standards and Section 302 standards in the past [and is expected to be compliant in future years].
The non-accelerated registrant is a wholly owned subsidiary of the parent company;
The non-accelerated registrant meets the SEC audit committee exemption.
The accelerated filer has included in their management assessment those corporate allocation processes, systems, and controls that significantly impact the non-accelerated subsidiary filers.
4. Reduce 404 documentation requirements related to control activities.
We believe the current view of 404 documentation requirements related to control activities results in burdensome and unnecessary documentation practices. AEP understands this is a PCAOB issue but this feedback is part of our experience in implementing 404.
PCAOB Auditing Standard No. 2, paragraph 93 states: "Tests of controls over operating effectiveness should include a mix of inquiries of appropriate personnel, inspection of relevant documentation, observation of the companyís operations, and re-performance of the application of the control." Paragraph 97 of Standard No. 2 also states: "In circumstances in which documentary evidence of controls or the performance of controls does not exist and is not expected to exist, the auditorís test of controls would consist of inquiries of appropriate personnel and observation of company activities."
Unfortunately, the independent auditorís approach to evidence of the performance of a control activity is that "if it is not documented, it is not done." This interpretation of the standard has resulted in unnecessary documentation practices that exceed what the standard requires when inquiry and observation testing by the independentauditor would have been more practical.
Examples of control activities that inherently do not lend themselves to documentation include:
Working of on-line exception reports.
Printing and maintaining exception reports where there are no exceptions for a given day or period.
Review of on-line reports or data.
We ask the Commission to urge the PCAOB to re-affirm that inquiry and observation tests by independent auditors are appropriate for control activities that do not lend themselves to documentation.
Thank you for the opportunity to comment on this proposal and for considering our recommendations.
Leonard J. Kujawa