Speech by SEC Chairman:
Remarks to the Annual Meeting of the Association of Audit Committee Members
Chairman Christopher Cox
U.S. Securities and Exchange Commission
June 1, 2007
Good afternoon. Thank you, Rod [Hills, former Chairman of the Securities and Exchange Commission] for that kind introduction. It's a pleasure to be with an old friend from whom I've learned so much over the years. Not only did Rod Hills set new standards of integrity during his stint as SEC chairman, but we share a distinction as onetime partners at Latham & Watkins. And of course, there's that California connection, which confers a temperate mindset. Not like the steamy, sultry disposition that the August weather in DC can induce — even when, as is the case today, there's a bit less hot air because Congress is in recess.
I am also delighted to be here with another of my predecessors, Harvey Pitt, who will address this gathering immediately after lunch. Just last week, at the agency's auditorium here in Washington, Harvey joined us as we convened the second annual Roundtable of former SEC Chairmen. It's great to be on the same program with him again so soon. I am thrilled as well to participate in a program that features such distinguished American business executives as Allen Freeman, Sanford Fich, Richard Roedal, and Fred Schwab.
Today's good news about higher job growth and wage gains in the last month are just the latest reminder that America's economy is poised to charge ahead — even though, as men and women in business well know, every day brings new challenges and risks, as well as opportunities. And because there's no more fundamental tool for executives or for investors in assessing business risks and market conditions than financial reporting, the collective expertise of the Association of Audit Committee Members is vitally important as the entire world wrestles with questions about the role of accounting standards, the complexity of accounting and the importance of internal controls over financial reporting.
At the SEC, as you know, we ourselves have been deeply involved in these topics. We have joined with the FASB and the PCAOB in an all-out War on Complexity in accounting. And we've nearly finished two years' worth of work in overhauling the Sarbanes-Oxley section 404 compliance process, which as you know is sorely in need of it.
The philosopher Alfred North Whitehead once said, "Civilization advances by extending the number of important operations which we can perform without thinking about them." He was arguing against the notion that we must think through absolutely every task we perform, heedless of the sometimes superior thought that previous performers of the very same task have already put into it.
As the SEC and the PCAOB have worked to revamp the compliance process under section 404 of the Sarbanes-Oxley Act, we've looked for ways to extend the number of important operations that can be performed without re-inventing the wheel each time. In so doing, we modestly hope to take one small step in the advance of civilization.
An efficient economy needs processes that are routinized — not so that we can stop thinking about them, but rather, as every great athlete and musician can attest, so that we can perform better. A process that operates in fits and starts, and that requires doing repetitive tasks without relying on the work of others, is at high risk of failure. At the very least, it will be highly inefficient and unduly expensive. If we are to gain the fullest measure of benefit from the new legal requirement for internal control assessments and audits, we have to efficiently routinize the compliance process, so that both management and their auditors can focus on what's truly important and perform better from the investor's point of view.
SOX was enacted to address the very real and serious problems for investors and our markets that flowed from the corrupt practices at Enron, WorldCom, Arthur Andersen, and too many other companies in the 1990s and at the turn of the century. The law has done a great deal of good. And there is no question that its benefits have far exceeded the costs — in all but one particular, and that is section 404, which governs the internal control assessment and audit. Here, while there have been undoubted benefits, the SEC and the PCAOB have been convinced that the costs have been far too high. And while there has been heartening news that many companies, on their own, have managed to reduce costs of complying with SOX 404, audit fees overall show no such decline.
That's why the SEC has just finalized new guidance for management, and why the PCAOB has issued a completely new Auditing Standard No. 5. It's high time these costs come down, and investors get their money's worth. The new standard and the new guidance will vastly improve the implementation of 404 so that audit committee members can focus on the material risks that investors care about.
Perhaps in the future you will find yourself saying: "Bliss was it to be alive/ When the regulators adopted AS Five!" It will be like poetry — though I should emphasize like poetry. As I often find myself saying to my teenagers, when they ask if they can stay out at night "until, like, 10": "Yes, you may stay out until a time 'like' 10 o'clock. But not until 10 o'clock."
We will check back with you next year, after you have had a test drive of the new process. Even if you do not serve on an audit committee, you undoubtedly recognize the importance of sound internal controls, and your judgments will be an important gauge of whether we have succeeded. You know that financial statements that management prepares under your oversight must be utterly and completely reliable. The integral role that audit committees play in the financial reporting of public companies — which includes hiring and firing the external auditor — provides many of you with firsthand knowledge of the challenges we've faced in getting 404 implementation right.
The approval last week of management guidance by the Commission, together with a new auditing standard by the PCAOB, represent over two years of work, and the completion of steps we first announced a year ago to improve the implementation of 404 for all companies. This represents the first time management will have guidance intended for its own use. No longer will the auditing standard be the definitive rulebook for management's compliance with our rules. This guidance enables cost-effective compliance with 404 for companies of all sizes.
Those already complying with our rules (that is, accelerated filers) can use the guidance to eliminate unnecessary make-work that does little to further the goal of providing reliable financial statements to investors. Those not yet complying (that is, non-accelerated filers) can benefit from the lessons learned. For them, the guidance will be a way to avoid wasteful and unnecessary compliance efforts that others have had to endure.
I should mention here that, because we deferred the external audit requirement for smaller companies complying with 404 for the first time, management will have a full extra year to develop its own cost-effective compliance approach. That will make it far easier to coordinate a cost-effective external audit when it's required in 2009.
The principles-based approach we used in the development of our guidance is intended to accomplish a number of important objectives. Not least of these is empowering management to focus its compliance efforts on those issues that pose the greatest risk to reliable financial reporting. We have heard repeatedly that this is what matters most to investors — and to you as audit committee members. This focus will improve not only the efficiency of 404 compliance efforts, but also the effectiveness of the 404 process, by ensuring the direction of resources toward likely problem areas.
This new approach will also be a boon to smaller companies. It will allow companies of different sizes and complexities to tailor their compliance efforts to their own individual facts and circumstances. Small companies will be able to apply the guidance to their unique control systems — rather than create costly or complex control systems for the sole purpose of complying with the guidance. By tailoring the documentation and evaluation approaches to their particular business, we can avoid the one-size-fits-all, check list approach that many companies have bristled under as they've tried to comply with 404.
The Commission's guidance recognizes that management's evaluation approach may be different from what the external auditor uses. And importantly in this respect, the PCAOB has eliminated the auditor's requirement to evaluate the efficacy of management's evaluation process. This requirement in old AS 2 often led to management's judgment about how best to evaluate its internal controls being supplanted by that of its auditors. I needn't tell you how that kind of interference with what is clearly management's responsibility under section 404 often resulted in wasted effort and cost.
With new guidance that allows management to scale and tailor evaluations — the better to focus on what matters most — and a significantly improved standard that enables auditors to deliver the most cost-effective audit services, one important step remains. The SEC and the PCAOB expect a change in the behavior of the individuals who are responsible for following these new procedures.
To that end, the PCAOB's inspection program will monitor whether audit firms are implementing the new auditing standard in a way that's designed to achieve the intended results. And the SEC, in our oversight capacity, will monitor the effectiveness of the PCAOB's inspections. So both the SEC's and the PCAOB's inspectors will be focused on whether audit firms are achieving the desired efficiencies in the implementation of 404.
Allow me, briefly, to walk you thru the improvements that have been made by the PCAOB's new auditing standard that will replace AS 2.
1. The new standard is shorter, less prescriptive, and easier to read.
It's less than half the length of AS 2. And the mandatory requirements (the "shoulds") have been significantly reduced. That means the auditor will be able to perform tests in those areas where, in the auditor's judgment, it's actually necessary.
Management and audit committees now can ensure that auditors are focused on what matters — risk and materiality — and not on rote compliance with a rulebook. They can avoid inefficiencies — especially the time-wasting focus on definitions, terminology, and proper approach.
2. AS 5 makes the audit scalable — so it can change to fit the size and complexity of any company.
Happily, there are notes throughout the new standard explaining how to apply the principles to smaller or less complex companies. So the companies' control systems won't have to be designed to fit the audit standard, but rather to achieve the intended objective of improving the quality of financial statements.
For example, the standard explains that for audits of smaller and less complex companies, the auditor can appropriately reduce the amount of internal control testing. The auditor can accept alternative controls, if management's ability to segregate duties is limited. And the auditor can use inquiry, combined with other procedures such as observation or reperformance, when the operation of controls by management results in limited or no documentation trail.
3. The new standard directs auditors to focus on what matters most — and eliminates unnecessary procedures from the audit.
It directs auditors to those areas that present the highest risk, such as the financial statement close process and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don't constitute material weaknesses. And it allows auditors to use knowledge accumulated in previous years' audits to reduce testing.
AS 2 included detailed requirements to evaluate management's evaluation process. The new standard clarifies that the audit is not about the adequacy of management's process. It's about the effectiveness of the controls. In other words, it will eliminate auditors requiring companies to do work that isn't necessary.
4. Finally, it includes a principles-based approach to determining when and to what extent the auditor can use the work of others.
A principles-based approach allows auditors to apply professional judgment in determining the extent to which they'll use the work of others. The new standard itself expressly permits auditors to use, in the internal control audit, testing and other internal control work of persons other than internal auditors. This principles-based approach is in fact based on the auditor's consideration of the objectivity and competence of those performing work. Those are the most important factors in determining when and to what extent the auditor can use the work of others.
The new SEC guidance and the new PCAOB standard will mark a sea change in the efficiency of SOX compliance. I think you'll find this wonderfully easy to digest. It is our goal, as it was Alfred North Whitehead's, to spare you from redundancy, waste, and tedium — and to focus your effort on what truly matters to the quality of financial statements and to the investors in your companies. I hope you'll smile, thinking of the poetry of it all — and as you participate with renewed vigor in the advance of civilization, know that Professor Whitehead would be proud.