Speech by SEC Commissioner:
"Internal Controls Over Financial Reporting -
Putting Sarbanes-Oxley Section 404 in Perspective"
Commissioner Cynthia A. Glassman
U.S. Securities and Exchange Commission
Twelfth Annual CFO Summit
May 8, 2006
Thank you, Amanda. I am very pleased to be here at the 12th Annual CFO Summit. Your conference organizers have not only scheduled a provocative agenda, but also organized what I hear was a successful golf outing yesterday. I arrived late yesterday and didn't get to play. The same thing happened to me at another event I spoke at earlier this spring here in Florida. I went to the dinner, and they handed out awards for their golf event. I was disappointed that I hadn't participated, because I know I could have won their prize for highest score hands down, without even trying. Needless to say, I could use a lesson or two. So much goes into the golf swing: keeping your head down, the backswing, keeping the left arm straight, shifting precisely from one foot to the other ...
So many seemingly independent but inter-related parts ultimately determine whether the shot is successful or not. Which brings me to Section 404 of Sarbanes-Oxley, the focus of my remarks today. There is actually a connection here, which I will explain later. But before I begin, I have to give a standard disclaimer. The views I express here today are my own and not those of the Commission, the other Commissioners or the staff.
From my point of view, the most pressing regulatory issue confronting CFOs relates to the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley),1 particularly Section 404. That section and the Public Company Accounting Oversight Board's (PCAOB's) Audit Standard No. 2 (AS2) have presented the toughest challenge to public companies of any regulatory issue I have encountered during my 4 ½ years at the Commission.
I have focused on and spoken about the Section 404-internal controls issue ever since I saw the first draft of AS2. Many others have joined the discourse. I think we all recognize that effective internal controls over financial reporting are necessary to help ensure that companies provide investors with accurate financial statements. This is essential for the vitality of our financial markets and our economy. This country has created the deepest and most robust financial markets in the world, and this success is first and foremost predicated on our free-market economy. Our regulatory scheme, which is based on full and accurate disclosure, provides transparency, which fosters the success of the financial markets. If investors lose faith in the accuracy and completeness of companies' financial statements and other disclosures, they will be less willing to invest, and our financial markets will suffer. But, regulators must strive to ensure that the burdens associated with the regulatory scheme do not outweigh the benefits, or our markets will be hampered.
Full and accurate disclosure has always been important, but this point was driven home after Enron, WorldCom and the other corporate frauds that came to light in late 2001 and in 2002. Thereafter, more than ever, Congress and regulators realized that to elicit fuller and more accurate disclosure, the laws and rules needed to change. Effective corporate governance and internal controls became paramount to restoring investor confidence. The result was multi-faceted: Sarbanes-Oxley; new rules and regulations; increased civil and criminal enforcement activity; and a new market environment.
Today, the overarching question is, are the new rules and regulations moving us forward effectively and efficiently toward the goal of promoting high standards of corporate behavior, full and accurate disclosure, and ultimately investor protection? To answer this question, we should not look at just AS2 or Section 404. The goal is not controls for controls' sake. A more holistic perspective is needed. We should look at Section 404 and AS2 as part of the larger whole of new law and regulation, along with the new market environment, that have followed the scandals. Remember what I said about my golf swing? "Many seemingly independent but inter-related movements ultimately determine whether the shot is successful or not." It's the same idea: since the laws and regulations all work in combination with one another, they need to be analyzed that way to determine if they are working effectively and efficiently.
First, we need a starting point from which to tee off the discussion. Let's compare the relevant laws and regulations as they existed in 2001, before Enron, to those existing today. It is startling to recall that, in 2001, the only person who had to sign the quarterly report was the principal financial or accounting officer.2 Today, as you well know, Sarbanes-Oxley Section 302 requires the CEO and CFO each to sign personal certifications as to the completeness and accuracy of the information in the quarterly and annual reports, including the financial disclosure. They also have to represent that they are responsible for the internal controls and that they have made certain disclosures to the auditors and the audit committee about the internal controls, as well as other representations.
Today, the CEO and CFO also have to provide separate certifications under Section 906 of Sarbanes-Oxley for filings containing financial statements. They must represent that those filings comply fully with the disclosure rules and that, in all material respects, the financial condition and results of operations of the issuer are presented accurately. During my time at the Commission, I have voted on thousands of recommendations from the SEC Division of Enforcement, but I have not nor will I ever see an enforcement recommendation pertaining to this latter certification. That's because those matters are handled by the Department of Justice (DOJ). And unlike the Commission, the DOJ can put people in jail. On top of all this, under Item 307 of Regulation S-K,3 companies now have to disclose the conclusions of their officers regarding the effectiveness of the company's disclosure controls and procedures.
Today, there are also new rules and laws that apply to audit committees and the internal audit function.4 Audit committees are more independent and more empowered in carrying out their responsibility for selecting and overseeing the issuer's independent accountant, and have to establish procedures for handling complaints. I could go on and on, as there are many other new provisions and market factors that have shaped the post-Enron regulatory and market environments.
And, of course, there is Section 404, which requires company management to assess and publicly report on the effectiveness of the company's internal controls. AS2 imposes the additional requirement that auditors not only publicly attest to management's assessment, but also provide a separate opinion on the effectiveness of the internal controls. While on their face, Section 404 and AS2 address a company's internal controls, they are measures whose real purpose is to ensure that financial statements are accurate. This intention is laudable, but many have argued that the benefits of compliance with these provisions may be outweighed by the costs.
In April of last year, a Commission-sponsored roundtable of public company officers, directors, investors and auditors made abundantly clear that the implementation of Section 404 had often inappropriately shifted the focus from a top-down, risk-based management perspective to a bottom-up, "check the box" auditor perspective.5 After the roundtable, the Commission and the PCAOB issued new guidance reminding management and auditors to use reasoned judgment and a risk-based approach in the process.6 Nevertheless, I continue to hear more about the misfocus of the Section 404 process and the associated costs, and I have spent even more time talking to companies, auditors and others to try to understand why we still seem to be off-track. Further, to better understand and evaluate these concerns, the Commission and the PCAOB have scheduled another roundtable for the day after tomorrow.
As I have said before, I have always believed in the concept behind Section 404 and the other provisions I have mentioned: that management should establish and maintain effective internal controls to ensure accurate financial statements. This is necessary to manage risk, and it is just plain good business. But are the benefits coming from the same place as the costs? What portion of the benefits and costs are generated by management's assessment versus by the auditor's attestation process?
Surveys indicate that public companies spend more money to comply with Section 404 than any other provision I have mentioned.7 One survey indicates that total costs for Section 404 compliance (that's the total cost of internal personnel, consultants and auditors) averaged about $4.5 million and $3.8 million per issuer in years one and two, respectively.8 While it appears that total costs have decreased in year two by about 16%, this is far shy of the 46% decrease that was projected last year by the large accounting firms.9 Another survey indicates, however, that total Section 404 compliance costs declined more significantly in year two, by as much as 31% or 44%, respectively, for smaller and larger companies.10 That survey also indicates that total audit fees for 2005 for financial statement and internal control audits were about the same as they were for 2004. Importantly, in terms of the costs and benefits, another survey indicates that 85% of company executives believe that the costs of Section 404 compliance exceed the benefits.11 I hope to get more information on the cost/benefit issue from the roundtable and related comments.
In addition to the costs, there have been some negative unintended consequences. For example, I understand that because of Section 404, some companies have delayed acquisitions and new projects, and spent substantial sums on IT they otherwise wouldn't have. I have heard that the burdens of Section 404 compliance are straining accounting and financial personnel resources: that some companies are having a difficult time meeting their internal staffing requirements, and that auditors may not have sufficient personnel to service all of their clients, particularly smaller, non-public companies. I also hear that the costs of Section 404 compliance may be causing fewer foreign companies to list in the U.S., and even that some U.S. companies are listing abroad to avoid 404 costs.
However, I do not dismiss the benefits of Sarbanes-Oxley, including Section 404. I have no doubt that internal controls are better at many companies, and this is important for investor protection. In addition, Section 404 has caused some companies to streamline their business processes, implement better IT systems, improve documentation of their internal controls and eliminate redundancy.
And of course, there were a large number of public-company financial restatements in 2005.12 However, I do not believe that all of these financial restatements are due to Section 404. First, of the 1,195 companies that restated in 2005, less than half were accelerated filers, which means that a majority of the restatements were by companies that did not have to comply with Section 404. In addition, many of these restatements resulted from differing views on applying complex accounting rules, such as those related to lease accounting, hedging transactions and stock options. Further, some of these restatements could have been related not to Section 404, but to the increased financial statement review by Commission staff resulting from Section 408. That's the provision of Sarbanes-Oxley that requires the Commission staff to review the financial statements of every public company once every three years. The diligent and hardworking staff members of the Commission's Division of Corporation Finance reviewed over 6,000 public companies' filings last year, a record number of reviews. Finally, even for those restatements that resulted from Section 404, it would be useful to know if the restatements were the result of management's assessment or auditor review.
As to the other provisions I have mentioned, numerous CEOs and CFOs and other market constituents have told me that the Section 302 and 906 certifications have really forced management to focus on establishing, maintaining and regularly evaluating disclosure controls, as well as internal controls, and making sure that financial and other disclosure is complete and accurate. The certifications are making a difference. Interestingly, however, I have seen a study that indicates that companies subject to Section 404 that are deemed to have ineffective internal controls are far more likely to self-report deficiencies in the same period that an adverse Section 404 opinion is issued, than the periods immediately preceding the adverse 404 report.13 The conclusion of this report is that companies cannot be left to self-report.
But could there be another explanation? Isn't it possible that the burdens and frustrations associated with Section 404 compliance are driven by a disconnect between management teams and their auditors as to what is necessary to conclude that controls are effective? Management teams are motivated to have effective controls because of a number of Sarbanes-Oxley provisions and the new market and enforcement environments I have described. They also recognize that it's just plain good business. Management teams know their businesses better than anyone, and they, not their auditors, should be in the best position to assess risks using a top-down approach. If management can sleep at night, comfortably and soundly, satisfied with its internal controls and filed 302 and 906 certifications, why doesn't this satisfy the auditors? Why can't the auditors sleep at night?
Well, the requirements of AS2 for one thing. Many have said these requirements are inflexible and overly prescriptive, and do not provide for enough auditor judgment and a tailored approach. In addition, auditors are confronted with a PCAOB inspection process which, I am told, has typically pushed them during the last year to do more testing and work in all facets of the audit, including the internal control portion, despite the SEC and PCAOB guidance issued last May. In that regard, I am encouraged that the PCAOB stated last week that this year, the inspection process will focus on audit efficiency. What else is causing auditor insomnia? Auditors also have greater liability concerns post-Enron, and they have to contend with their own documentation requirements, mandated by PCAOB Audit Standard No. 3.
While the auditor attestation may provide a benefit, the cost is high. According to an industry survey, the average cost for the Section 404 auditor attestation in year two of implementation as a percentage of total audit costs was 45%.14 Think about that; almost half the cost of an audit these days is for the internal control attestation. In addition, according to surveys, the cost of the management assessment part of 404 has declined much more dramatically than the cost of the auditor attestation in the second year of 404 compliance.15
In my view, it is imperative that changes be made to get management and auditors on the same page and ensure an appropriate benefit and cost balance. Current efforts to change or reform the Section 404 process are siloed and disjointed. These efforts need to be integrated, and the different constituents need to work together, with a holistic perspective. Remember my golf swing? As regulators, we need to address the disconnect between what management and the auditors are doing to comply with Section 404, and to make the process more efficient. There are four areas that I believe we need to consider addressing.
First, it appears that companies need more practical guidance as to how to conduct their assessments and evaluate and document their internal controls. While the Commission has deemed the COSO framework acceptable for management to use in conducting its assessments,16 COSO has its shortcomings. COSO is a broad, general framework intended to allow issuers flexibility in designing and implementing controls; however, it provides only limited guidance on how to actually conduct an assessment and the types of controls that should be implemented. COSO is developing more specific guidance for smaller companies (Note: the comment period expired in January 2006), which may be helpful. Perhaps there may be other appropriate alternatives. The Commission, issuer groups, COSO and other constituents should consider building upon the current standards and formulating more practical guidance for management on how it should actually perform an assessment. A management consultant with expertise as to management's control processes might be best suited to lead this effort and ensure that the best practices for compliance from management's perspective are captured and articulated. Any practical guidance should be premised on a risk-based approach, be scalable for companies of all sizes, and address how management should perform and document its assessment. The guidance ought to address how management can more effectively use ongoing monitoring activities as opposed to separate evaluations to complete its assessment more efficiently. It should also incorporate a materiality standard and be cost effective.
Second, the role of the auditor needs broad reconsideration. What is the most effective and efficient role for the auditor in the 404 process and the appropriate scope of the auditor's assessment? Should auditors be evaluating and testing a majority of the controls, and attesting as to their effectiveness? Or should the auditors be examining and attesting as to management's process and its assessment only, and not separately testing the controls themselves? It is my understanding that Section 404 was modeled after the Federal Deposit Insurance Corporation Improvement Act (FDICIA),17 so, as in FDICIA, perhaps the public accountant could attest to, and report separately on, the assertions of management contained in management's report. Or should the auditor's role be more similar to what it is on the financial statement side where the auditor conducts much more limited sampling and assessments based on materiality and risk? Or is there another model? Consider the Food and Drug Administration's (FDA's) drug approval process. In that process, the FDA authorizes drug developers to conduct tests, opines on the design and scope of those tests, and then examines the data the drug developer derives from conducting its tests. Based upon that data, the FDA asks the developer questions and ultimately decides whether or not to approve the drug. The FDA doesn't test the drugs themselves. Perhaps the auditor's role in the Section 404 process could be more similar to the FDA role in the drug approval process, namely, opining upon management's assessment without redundant testing. If this works for something as important to human health as approving drugs, it might be sufficient for internal controls, particularly once management is given more practical guidance.
Third, absent significant modification to the auditor's role, revisions to AS2 should be considered. At a minimum, a variety of changes to AS2 should be considered, including, but not limited to, the following.
Incorporate a more risk-based approach, so low-risk areas are not subjected to auditor testing.
Provide for significantly greater reliance on company-level controls, to reduce and eliminate testing at the process and transaction levels (a top-down approach).
Permit reliance on prior audit work versus each audit having to "stand on its own."
Make documentation standards for what the auditor expects from management consistent with the management guidance that I mentioned and ensure that the standards are cost-effective.
Make the large-portion coverage requirement for multi-location entities less prescriptive and allow for more judgment based on risk and materiality.
Refine the process for identifying significant accounts, which would materially affect the amount of work performed.
Minimize updating, especially where monitoring controls have been employed throughout the period.
Eliminate assessing controls that impact the effectiveness of IT functions but do not contribute to the accuracy of the financial statements.
Encourage more reliance on the work of others, such as the internal audit function. This can be more easily accomplished once "others," meaning management teams, get more practical guidance.
Fourth, we need to deal with the challenges regarding smaller filers. As I have stated before, my current thinking is that it would be better to ensure that 404 is applied appropriately for all companies, and tailored, if necessary, based on company size and complexity, than to exempt certain companies from 404 completely. However, I believe the Commission should consider requiring these entities to perform the management assessment portion of 404 as soon as better guidance is available. I also believe that the role of the auditor should be clarified, so that Section 404 works efficiently and effectively for smaller as well as larger issuers. As Chairman Cox recently said, "My goal as Chairman is to find a way to make 404 work ... It should not be a question of whether to apply it to companies of all sizes, but how."
In closing, I would like to reiterate that, over the past four years, the goal of promoting high standards of corporate behavior and full and accurate disclosure has been advanced significantly. All of the factors I have mentioned and others work in tandem to help achieve this end. As we regulators try to improve the Section 404 compliance process to make it more efficient and effective, I believe we should maintain the holistic perspective I have described, and be mindful that Section 404 and AS2 don't exist in a vacuum. They are but one part of the whole of laws, regulations and the market environment that require and induce higher standards of corporate governance, more complete and accurate disclosure, and more effective internal controls. Importantly, as to the changes that I recommend be considered, I believe it is imperative that any new management guidance, and provisions and requirements pertaining to auditors be not only cost effective, but consistent with one another. The seemingly independent but inter-related parts must be coordinated to resolve the disconnect and achieve success in better protecting investors.