Subject: File No. 4-497
From: Matthew Leitch

April 1, 2005

If the SEC is to protect investors as it seeks to while still lightening the regulatory load on companies then we need to look again at the techniques companies and their auditors are using to gather assurance to comply with section 404.

As a former controls audit specialist with PricewaterhouseCoopers it has been clear to me for some time that there are excellent opportunities to cut down the cost of compliance without reducing the strength of the regulations. If anything, assurance of effective control might be increased.

Furthermore, virtually no rule changes are necessary, though there are probably rule changes that would help in other ways.


The strategy companies and their auditors are relying on at the moment is to:

1 assess the apparent quality of the design of the controls and control system as a whole; and

2 test that the individual controls are being operated diligently as designed.

This strategy is weak, people can feel it, and so they drive for a huge amount of detail and pile extra controls on if there is any doubt at all.

The main problem is that assessing design quality is very hard to do reliably, and often impossible. Even a small gap can be serious if it happens to match a source of error or fraud. You can easily find that something that looks well designed and that operates as intended still does not stop an embarrassingly high number of errors coming through. Accurate risk assessment is not possible.


Fortunately, there is no need to rely solely on this kind of assurance.

Businesses can and usually do collect information that directly indicates the effectiveness or otherwise of internal controls. For example, we can look at the number and types of errors actually found, customer complaints about bills, the amount of unmatched cash, the amount of suspense items, and so on.

While none of these tells us the size of undiscovered errors and fraud they do correlate with that risk. This is highly valuable and cost effective evidence and should be given high prominence in any assurance approach.

At present we have a situation where people are looking at controls that produce this kind of direct effectiveness measure, gaining assurance from the fact that the controls exist and even from the fact that management is monitoring the measures, but not looking at what those measures are saying.

In short, instead of evaluating whether the controls really are effective companies and auditors are evaluating whether they look as if they should be effective.

A more efficient assurance strategy than assessing design and individual operation of controls is to assess evidence of three types:

1 evidence of inherent risk level;
2 evidence of design and operation of controls; and
3 direct indicators of effectiveness.

By taking the most cost effective evidence from this wider pool it is possible to design much more efficient assurance approaches. There are some limitations, and it works best for high volume processes, but overall the impact would be large, even for smaller companies.


Many companies are already making use of some of this kind of information but they could go further. Others are not using it but could start.

At the moment it is rare to find companies that have the confidence to do this when so many people are focused entirely on design and operation. The logic is irrefutable but it is risky to be different. It means pressing your case with your external auditor, who will think you are ignoring the PCAOB's standards.

In fact the PCAOB's standards do not exclude the extra types of evidence I mentioned above, nor shifting reliance towards them to reach confidence more efficiently. The standards simply don't mention the other types of evidence. Consequently, all the attention goes to the things the standards do write about, and at length.

The SEC and PCAOB should explore the assurance strategy described above and satisfy themselves that it is sound. They should then write a brief standard on how to use this extra evidence and combine it with design and operation evidence to produce a more efficient total approach. They should promote this strategy strongly.

Reforming the techniques companies and their auditors use to gather assurance on controls effectiveness is a way to reduce the costs of compliance without reducing the effectiveness of the regulations.