Paul L. Walker, Ph.D., CPA
November 27th, 2002
U.S. Securities and Exchange Commission
Re: File No. S7-40-02
Proposed Rule Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002
To the Honorable Commission,
I applaud your effort to improve the flow of information between companies and investors. However, I believe there are some sharp limitations to the rule as proposed. I also believe the proposal hasn't gone nearly far enough. Briefly, the proposed rule is adopting an outdated view of controls. Furthermore, the proposed rule should mandate enterprise risk management (which would include coverage of internal and financial controls) and should include an assessment of corporate governance. These changes would help the proposed rule keep up with the current view of risk and control in businesses today, would provide investors with the real information they want and need, and would help the SEC once again take the lead as the key regulator and protector of capital markets around the world. I've outlined my arguments below based on the three areas in Section 404.
An assessment of the effectiveness of the company's internal controls and procedures for financial reporting based on management's evaluation as of the end of the most recent fiscal year.
- The Standard. What is the standard for saying controls are effective? Is it the original COSO Internal Control Integrated Framework written in 1992? That document is currently being revised/updated. Would companies be required to say controls are effective using the old COSO document or the new COSO document (which may not be ready in time for the next reporting period)? Would it be better to delay the rule until this new COSO document is published? A delay would also provide companies additional time to conduct a thorough assessment. This may be important given that many companies do not have internal auditors who can help with this process.
- Beyond Internal Control to a World-Class Approach. In my opinion, the two biggest concerns to executives and boards (post-Enron) are enterprise risk management and corporate governance. Numerous surveys and work by the Institute of Internal Auditors, the Financial Executives Institute, the National Association of Corporate Directors, and two books I've coauthored with Drs. Shenkir and Barton confirm the importance of enterprise risk management and corporate governance to boards and management. Let's not forget that many corporate reporting failures are first failures of bad strategy and risks that weren't identified or managed. Therefore, why not go for even greater reform and require an enterprise risk management process - one that requires a company to build processes for corporate governance, managing key business risks, and building controls? Turnbull legislates this approach for London Stock Exchange companies and KonTraG legislates a similar concept for German companies. Turnbull has two major differences from the proposed rule that the SEC should seriously consider. First, Turnbull does not limit its reporting to financial controls. Second, Turnbull adds the element of risk management. Let's set the standard in the U.S. for the world to follow so that we can once again be the best capital market in the world.
- Assessing Corporate Governance. A Fortune 100 company called last year to ask how to assess corporate governance. Is it not obvious that boards, executives and investors want to know the effectiveness of their corporate governance process (perhaps even infinitely more so than knowing the effectiveness of controls over financial reporting)? Why not make a report on corporate governance part of the control reporting? I know this is possible as some companies are already doing this.
- The New COSO and Enterprise Risk. Note that the new COSO document - if it becomes the new standard - will include enterprise risk management. If you adopt a rule that says use COSO and then COSO incorporates concepts such as enterprise risk management that you have not considered, then there could be quite a lot of confusion. Although I have a few concerns about the new COSO draft that is coming out, the Commission could use it or similar concepts to mandate this broader and more important approach to compel companies not just to manage some financial controls, but to get management and boards to identify, assess and manage business risks, as well as build and strengthen corporate governance and controls.
- Are Auditors the Right Choice? Seriously consider if you want someone other than the current auditor signing the internal control report. I'm not saying which way is correct, but if you believe in limiting the external auditor from doing internal auditing, then you should be able to justify why it is okay for that same external auditor to opine on controls (so as to avoid second-guessing by the public and media). Furthermore, didn't Arthur Andersen issue an internal control report on Enron just before bankruptcy? Consider, for example, what will happen when auditors find "material weaknesses" and are concerned over how this disclosure will jeopardize their audit relationship - especially if that weakness relates to how the board governs the company or how the CEO might occasionally override policy or controls. Is it better to have someone else (besides the current auditor) assess controls? Perhaps, but first do a very thorough analysis before adopting this rule either way. Do not jump to any conclusions.
A statement that the company's public accounting firm has attested to and reported on management's assertion of effectiveness.
- Consider (as noted above) if it should be the company's auditor who makes this assessment.
- If you take the enterprise risk management and corporate governance approach I'm advocating above and that other countries have adopted, then the financial burden on companies must factor in the incredible upside of having these processes in place. Many studies (including the two books I've coauthored with Drs. Shenkir and Barton) discuss the value gained by companies that adopt enterprise risk management. This value outweighs the costs (in my view). Does any board member not want to know the key business risks and how effectively management is addressing those risks? Furthermore, I've read (but cannot find the exact reference) that today's capital markets place a premium on companies with good corporate governance. I believe even Standard & Poor's is trying to report corporate governance information so that investors can make an assessment. If true, this once again should strongly suggest that the SEC not adopt an outdated internal control perspective, but instead should adopt an enterprise risk management and corporate governance view.
A statement of management's responsibility for establishing and maintaining an adequate internal control structure for financial reporting.
- As is evident from my comments above, I do not believe it is of significant enough value to only have management comment on internal controls in the financial reporting area.
Thank you for allowing me to comment on your proposed rule.
Paul L. Walker, Ph.D., CPA
University of Virginia
McIntire School of Commerce