Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549-0609
RE: File Number 4-497
Feedback on the Implementation of Sarbanes-Oxley Internal Control Provisions
Dear Mr. Katz:
Thank you for the opportunity to submit our comments for the April 13, 2005 roundtable discussion regarding the implementation of the Sarbanes-Oxley Section 404 internal control requirements. After now completing our first Section 404 attestation, we appreciate having a forum where concerns and issues can be heard.
As detailed in the Securities and Exchange Commission’s RIN 3235-AI66, “The strength of U.S. financial markets depends on investor confidence. Recent events involving allegations of misdeeds by corporate executives, independent auditors and other market participants have undermined that confidence. In response to this threat to U.S. financial markets, Congress passed and the President signed into law, the Sarbanes-Oxley Act of 2002 (the “Act”), which effects sweeping corporate disclosure and financial reporting reform.”
While we agree with what the Act is attempting to accomplish as stated above, the work effort and cost involved with the Section 404 internal control compliance requirements is far more extensive, burdensome and costly then anyone ever intended. What the Act in its current state has done is substantially increase the expenses at every publicly-traded company while increasing the revenue of the independent auditing firms. This could impact the ability to restore investor confidence in the independent auditors and in the financial markets.
We believe that the initial year implementation costs exceeded the benefits and now the topic has turned to how companies will streamline the process for Year 2 and beyond which will reduce costs and add more value. But this cannot fully happen without changes to the Act. Our recommended changes include:
1. Guidance on Definition of Key Controls
- There has been constant discussion regarding only documenting and testing the “key controls” but unfortunately there is no clear definition of what a key control is and therefore this is open to wide interpretation. Additional guidance needs to be provided so companies and independent auditors can reach consensus on what constitutes a key control.
2. Clarify Definitions of Significant Deficiency, Material Weakness and the Aggregation of Deficiencies
- Clarify the definitions of significant deficiency and material weakness. The definitions are too broad and as a result a different definition has been formulated by each independent auditing firm.
- Provide more guidance on aggregating deficiencies which could potentially rise to the level of a significant deficiency or a material weakness.
- The requirement that management and the independent auditors must report on the effectiveness of internal controls as of the end of the fiscal year is not sensible.
- This creates an all out effort for companies and independent auditors to test late in the year and also to perform update testing for controls that were previously tested earlier in the year.
- Also, having another aggressive year end deadline is a challenge for Finance Departments that are already burdened with the recently shortened SEC filing deadlines.
- It would be beneficial for companies if some type of risk rating could be assigned to significant processes and then depending on a rating of low, medium or high risk each process could be tested at different times throughout the year to satisfy the testing requirement or change the attestation date to an interim filing date.
4. Reliance on Internal Audit Testing
- Many companies have utilized their Internal Audit departments to perform their Section 404 testing. The independent auditors then perform their diligence to determine if the Internal Audit professionals have the appropriate competency and independence. The frustrating part is that the Public Company Accounting Oversight Board (PCAOB) then restricts what the independent auditor can rely on.
- If the independent auditors are satisfied with Internal Audit’s qualifications then they should be allowed to rely more on their work pertaining to the pervasive controls (i.e. bank reconciliations, entity level controls, etc.).
5. Control Testing Rotation
- The fact that all key controls need to be tested and documented each year should be reevaluated. This is an extremely costly undertaking.
- A better option would be to follow the typical audit plan of an Internal Audit Department which would include rotational audits (i.e. do not test all of the audit entities/processes every year). A process should be implemented for Section 404 compliance where a biennial control testing rotation is implemented so all key controls for each significant process do not need to be retested every year.
6. Exclusion of Current Year Significant IT Projects
- The Act was not written to dictate when a company should or should not acquire another company. An exclusion for documenting and testing the controls of the acquired company was rightfully included in the final legislation. This same concept must be applied to significant IT projects and implementations during the year. The letter of the law should not dictate when a company can implement or modify their IT systems.
- TA delay in an IT application that would improve efficiency impacts the value to shareholders when it could be delayed up to three months because the company may be unable to document and test the controls by year end and is forced to wait until the next fiscal year to implement this system.
In conclusion, while we completely support the need for publicly-traded companies to be held accountable; we also feel that certain changes need to be made to ensure that Section 404 of the Sarbanes-Oxley Act is sustainable for the long term.
Thank you for your review and consideration of the issues and suggestions contained herein.
Holly L. Nelson
VP - Controller