WEBMASTER NOTE: This is the unedited transcript of the
Roundtable Discussion on Implementation of Internal Control
Reporting Provisions held on May 10, 2006 which we received
directly from the court reporter. We are posting the
transcript in this form to make it available as soon as
possible.
1 THE UNITED STATES SECURITIES AND EXCHANGE COMMISSION
2
3
4
5
6 ROUNDTABLE DISCUSSION ON
7 SECOND-YEAR EXPERIENCES WITH INTERNAL CONTROL
8 REPORTING AND AUDITING PROVISIONS
9
10
11
12 Wednesday, May 10, 2006
13 9:00 a.m.
14
15
16
17
18 SEC Headquarters
19 100 F Street, N.E.
20 Washington, D.C. 20549
21
22
23
24 Diversified Reporting Services, Inc.
25 (202) 467-9200
1 C O N T E N T S
2 PAGE
3 Opening Remarks 4
4 Chairman Christopher Cox, U.S.
5 Securities and Exchange Commission
6
7 Acting Chairman Bill Gradison,
8 Public Company Accounting Oversight Board
9
10 Introduction and Panel One - Overview of the Second Year 16
11 Moderators:
12 Thomas Ray, Office of the Chief Auditor, PCAOB
13 Nancy L. Salisbury, Office of the Chief Accountant, SEC
14 John W. White, Division of Corporation Finance, SEC
15
16 Panel Two - Management's Evaluation and Assessment 59
17 Moderators:
18 Laura J. Phillips, Office of the Chief Auditor, PCAOB
19 Scott A. Taub, Office of the Chief Accountant, SEC
20 John W. White, Division of Corporation Finance, SEC
21
22 Lunch Break
23
24
25
1 C O N T E N T S (CONTINUED)
2 PAGE
3 Panel Three - The Audit of Internal Control Over Financial
4 Reporting 118
5 Moderators:
6 Laura J. Phillips, Office of the Chief Auditor, PCAOB
7 Thomas Ray, Office of the Chief Auditor, PCAOB
8 Nancy L. Salisbury, Office of the Chief Accountant, SEC
9
10 Panel Four - The Effect on the Market 176
11 Moderators:
12 Thomas Ray, Office of the Chief Auditor, PCAOB
13 Carol A. Stacey, Division of Corporation Finance, SEC
14 John W. White, Division of Corporation Finance, SEC
15
16 Panel Five - Next Steps 220
17 Moderators:
18 Thomas Ray, Office of the Chief Auditor, PCAOB
19 Scott A. Taub, Office of the Chief Accountant, SEC
20 John W. White, Division of Corporation Finance, SEC
21
22 Closing Remarks
23
24
25
1 P R O C E E D I N G S
2 MR. WHITE: I'm John White, the Director of the
3 Division of Corporation Finance at the SEC, and I want to
4 welcome you to today's Roundtable on Second-Year Experiences
5 with Internal Control Reporting and Auditing Provisions.
6 The roundtable is being hosted, as you know, by the
7 Securities and Exchange Commission and the Public Company
8 Accounting Oversight Board. We have a full agenda today that
9 I'm sure you will find very informative and a very
10 interesting program. We're going to start this morning with
11 brief statements from Chairman Christopher Cox of the SEC and
12 Acting Chairman Bill Gradison of the PCAOB.
13 It's my pleasure now to turn the podium over to
14 Chairman Cox to start the roundtable. Chairman Cox?
15 CHAIRMAN COX: Thank you very much, John. Thank
16 you to all of you. Welcome. This is a beautiful spring day.
17 We're going to spend it indoors with no windows.
18 But I know that it's going to be a vigorous and
19 substantive discussion. I'm very much looking forward to it
20 myself. I'd like to thank each of our panelists, many of
21 whom were kind enough to join us last year as well, for their
22 willingness to come to Washington today and to devote their
23 energy and constructive thinking to a topic of great
24 importance to the nation's public companies.
25 I would also like to extend a particular welcome to
1 Acting Chairman of the Public Company Accounting Oversight
2 Board, Bill Gradison, and the PCAOB Board members who are
3 holding this roundtable with us as well.
4 The Sarbanes-Oxley Act was a critical step in
5 addressing an unprecedented string of corporate scandals that
6 were rooted in very serious governance, accounting and audit
7 failures. The Act, and in particular its internal control
8 requirements embedded in Section 404, has great potential to
9 improve the accuracy and reliability of financial reporting,
10 and it's already done so in many ways.
11 That potential, however, can only be realized if we
12 implement the statute properly, and in the manner that
13 Congress intended it when it passed the Act in 2002. In
14 practice, it hasn't always worked out that way. But we at
15 the SEC are committed to making sure that the provisions of
16 the Act work for public companies and for investors for whom
17 this is all designed. And I have no doubt that the PCAOB
18 shares this commitment.
19 Strong internal control over financial reporting
20 has long been recognized to be important to the reliability
21 of financial information. For that reason, companies have
22 been required to have such controls since the Foreign Corrupt
23 Practices Act was passed in 1977. The requirement to assess
24 and report on these controls, however, is new. It began with
25 Sarbanes-Oxley. Our accelerated filers have now been
1 required to comply with the internal control reporting
2 requirements for two years.
3 During the initial year of reporting, approximately
4 3,900 companies reported on the effectiveness of their
5 internal controls over financial reporting, with almost 16
6 percent of those companies concluding that their internal
7 control over financial reporting was not effective. A total
8 of approximately 1,500 material weaknesses were reported.
9 These reported weaknesses reflected a variety of control-
10 related topics.
11 During the second year of reporting, through April
12 25th, 2006, approximately 3,000 companies have reported, with
13 7 percent of those companies concluding that their internal
14 control over financial reporting was not effective. A total
15 of approximately 400 material weaknesses were reported, again
16 reflecting a variety of control-related topics.
17 At the roundtable that we sponsored last year, we
18 heard about the time, energy and resources that went into
19 implementing the internal control requirements in the first
20 year. We also heard a great deal about first year
21 inefficiencies in the process. We and the PCAOB took this
22 input and issued additional guidance shortly following that
23 roundtable.
24 The purpose of today's discussion is to hear
25 directly from those who have experienced now two years of
1 compliance with the internal control reporting requirements.
2 We hope to hear very specific feedback that will allow the
3 Commission and the Board to further assess the implementation
4 of the internal control requirements and to find out whether
5 impediments remain to reaching a sustainable process that is
6 both efficient and effective.
7 We are particularly eager to hear whether there are
8 actions that we can take to improve the internal control
9 documentation, assessment, reporting and auditing processes.
10 For example, the PCAOB's Auditing Standard Number 2 gives
11 guidance to independent external auditors tasked with
12 determining whether a company's internal controls are
13 effective.
14 No similar guide, however, exists for companies and
15 for their management. And in the absence of direction from
16 us, companies have been basing the assessment of their
17 controls on AS-2. Management and auditors clearly have
18 different duties and responsibilities. Wouldn't management
19 benefit from having guidance from the Securities and Exchange
20 Commission on what constitutes adequate controls?
21 The ultimate goal, of course, is to have good
22 controls and complete disclosure so that investors can make
23 informed decisions without unduly impacting a company's day-
24 to-day business. I'm certain that the distinguished and
25 diverse group of panelists that we've assembled will let us
1 know how the process has really worked for issuers in general
2 in year two.
3 As we did last year, the SEC and the PCAOB
4 solicited written feedback in connection with this
5 roundtable. In addition to what we hear today, therefore, we
6 will be considering the written submissions that we've
7 received. Those submissions are available to the public on
8 the SEC's and the PCAOB's web sites.
9 Today's proceedings come on top of reports from the
10 Government Accountability Office and the SEC's own Advisory
11 Committee that we set up last year to report on the problems
12 peculiar to small business. I hope and expect that today's
13 roundtable will bring us much closer to the finish line, and
14 we have every intention at the SEC and the PCAOB of getting
15 404 right sooner rather than later.
16 As compared to the importance of our topic, we have
17 a limited amount of time today. So I'm going to keep my
18 remarks brief. Our moderators will be going through the
19 rules of the road for the panel discussions in more detail,
20 but I hope that we can engage in a focused and useful
21 discussion, just as we did last year.
22 Again, let me express my thanks to all the panelist
23 who have agreed to be here today. We appreciate the time
24 that specific you're taking out of your very busy schedules
25 in order to share your views with us. We'll be listening
1 carefully. And I can assure you that we intend to consider
2 all of the different views expressed today.
3 Now I'd like to give Bill Gradison, the Acting
4 Chairman of the PCAOB an opportunity also to say a few words
5 of welcome. Bill?
6 MR. GRADISON: Thank you, Chairman Cox. On behalf
7 of the Public Company Accounting Oversight Board, welcome to
8 today's roundtable.
9 The Board and staff of PCAOB have been actively
10 monitoring the implementation of the internal control
11 reporting requirements of Sarbanes-Oxley, and this roundtable
12 is an important aspect of our information gathering.
13 We expect the panelists will share their
14 experiences with the internal control requirements, the nitty
15 gritty that doesn't always come across in the surveys that
16 we've seen. In that sense, this roundtable is much like the
17 congressional testimony that Chairman Cox and I are familiar
18 with from our days -- our years, actually -- in the House of
19 Representatives. Like the testimony that we heard from
20 congressional witnesses, what we hear today will give us
21 guidance for adjusting and improving the rules that govern
22 the assessment of internal control by auditors and
23 management.
24 After last year's roundtable, the SEC and PCAOB
25 both made mid-course corrections with respect to reporting on
1 and the auditing of internal controls. Without prejudging
2 anything we'll hear today, based on the information we
3 already have, it would seem that some further changes may be
4 in order.
5 The SEC, of course, writes the rules and oversees
6 the implementation of companies' responsibilities for
7 assessing and reporting on internal control. PCAOB writes
8 the standards for and oversees the implementation of the
9 auditors' responsibilities with regard to internal control.
10 Section 404, along with the SEC's implementing
11 rules, and the PCAOB auditing standard, Auditing Standard
12 Number 2, or AS-2, as it's affectionately known, won't by
13 themselves drive all the necessary improvements in financial
14 reporting.
15 It is important to keep in mind that public
16 companies by their very nature have special responsibilities
17 to their owner investors. Indeed, the Sarbanes-Oxley Act
18 recognizes by stating in the preamble that it is, quote, "an
19 Act to protect investors by improving the accuracy and
20 reliability of corporate disclosures." Close quote.
21 In furtherance of this goal, Congress was quite
22 explicit when it mandated in Section 404 of the Act specific
23 requirements for companies and their external auditors with
24 respect to internal control over financial reporting.
25 Yet at the same time, Congress gave PCAOB and the
1 SEC considerable flexibility in determining how to implement
2 these requirements. Indeed, both Senator Sarbanes and
3 Chairman Oxley have stressed this flexibility repeatedly. My
4 Board colleagues and I have always had flexibility in mind
5 when dealing with AS-2.
6 From the time we voted to adopt it, we've
7 emphasized that the application of significant auditor
8 professional judgment is an essential part of the standard.
9 My sense is that auditors as well as management of public
10 companies should exercise even more judgment as they look to
11 the third year of implementing the internal control
12 requirements.
13 My fellow Board members and I at PCAOB are
14 particularly concerned about small audit firms that have yet
15 to perform internal control audits. We hope to encourage
16 these firms to continue auditing public companies by helping
17 them prepare to implement AS-2. I believe we will succeed if
18 we can communicate to them that AS-2 is not only flexible but
19 scalable. And a standard can only be properly implemented by
20 exercising good, sound professional judgment.
21 A key part of any action we take must address
22 implementation of AS-2 in the internal control audits of
23 smaller public companies. PCAOB is uniquely positioned to
24 understand how well auditors are fulfilling their
25 responsibilities through our inspections of registered public
1 accounting firms. We've heard some say that our inspections
2 have driven auditors to do more work under AS-2 than is
3 necessary.
4 In this regard, the Board last week announced that
5 our inspectors will focus on audit efficiency, that is
6 whether auditors meet the -- whether audits meet the
7 objectives of AS-2 with the least expenditure of efforts and
8 resources.
9 In addition, our inspections, that actually began
10 last week, will combine our inspections of internal control
11 audits with our inspections of financial statement audits,
12 much as auditors are expected to integrate their audits of
13 internal control with the audits of financial statements.
14 Consistent with past guidance, our inspectors will
15 also be looking for top-down approaches to audits, whether
16 auditors properly assess and respond to risk, and whether
17 auditors use the work of others to the greatest extent that
18 is appropriate.
19 We believe that focusing our inspections in this
20 manner will be a significant step towards preserving the
21 parts of the auditors' work that are truly necessary and
22 essential while cutting out unnecessary costs. Because of
23 the importance of our inspections, some of the questions for
24 panelists will focus specifically on our inspections program.
25 We look forward to hearing panelists' reactions to our 2006
1 inspections approach.
2 As our monitoring of the reporting requirements
3 continues, the Board welcomes ideas about how the
4 implementation of Section 404 can be made scalable to
5 companies of all size.
6 I was a general partner of a New York Stock
7 Exchange firm that built its business around the needs of
8 smaller businesses and investors of modest means. From that
9 experience, I firmly believe there is significant public
10 interest in providing investors in all companies with the
11 same level of assurance as to the accuracy and reliability of
12 financial reporting, which of course is what Sarbanes-Oxley
13 is all about.
14 Addressing the various implementation issues in a
15 constructive manner will require action by PCAOB, the SEC,
16 issuers and auditors, which must of course be geared toward
17 investor protection. Whatever actions are taken, we'll
18 certainly be informed by today's roundtable.
19 With that, let me turn the floor back to John
20 White.
21 MR. WHITE: Thank you, Chairman Cox and Acting
22 Chairman Gradison. We have a very full day ahead of us with
23 five terrific panels to walk us through a range of issues
24 that people have faced as accelerated filers have completed
25 their second year of compliance with Section 404's
1 requirements.
2 Before we get to the roundtable itself, however, I
3 need to make a few introductory points and lay out the rules
4 of the road, as Chairman Cox described. First, we are very
5 fortunate to have here today all of the members of the two
6 hosts of the roundtable, the SEC and the PCAOB. Seated at
7 the table to my left starting nearest to the audience we have
8 the five SEC Commissioners, Chairman Chris Cox, whom you have
9 met, Commissioner Cynthia Glassman, Commissioner Paul Atkins,
10 Commissioner Roel Campos, and Commissioner Annette Nazareth.
11 Sitting at the table to my right we have the four
12 current members of the PCAOB. Again starting at the end
13 closest to the Audience, Acting Chairman Bill Gradison, who
14 just spoke, Charles Niemeier, Kayla Gillen and Dan Goelzer.
15 The Commissioners and the Board members will be here
16 throughout the day for all five panels, and for that I say in
17 advance they have my gratitude and admiration, because it
18 will be a long day. The rest of us get to come and go up
19 here.
20 The rules of the road for today's program are I
21 think actually fairly simple. The lead moderator on each
22 panel will introduce the panelists, and the other moderators
23 for that panel, and I'll do that in just a moment for the
24 first panel. But I want to cover a few other things firs.
25 As Chairman Cox said, we have asked each of the
1 panelists to submit written comments if they choose to, and
2 many have done that. And their submissions, along with the
3 other submissions received from the public, are all available
4 on the Commission's web site. The PCAOB also has public
5 comments posted on its web site.
6 And finally, a transcript of today's program will
7 posted on the Commission's web site once it's been prepared.
8 In the interest of time and so we can move quickly
9 through the proceedings today, we have asked the panelists
10 not to make opening statements so that we can start questions
11 right away with each panel. The moderators will take the
12 liberty of directing certain questions to certain panelists,
13 and in some cases follow-up questions to panelists. But at
14 the same time, we do encourage the participation of all the
15 panelists when you have something to say and would like to
16 make a comment.
17 But there is one very important rule for all that,
18 and that is, so that we can maintain order, if you would like
19 to speak, you need to take your tent card like this and set
20 it up like that, and then we will know that you wish to be
21 called on.
22 The Commissioners and the PCAOB Board members have
23 also agreed to follow the same tent card rules to the extent
24 that they have questions, or at least I hope so.
25 With that, I'm going to introduce the first panel,
1 and we're going to get started. So, the first panel.
2 PANEL ONE - OVERVIEW OF THE SECOND YEAR
3 This panel has been set up to look at the
4 experiences people have had specifically with their second
5 year of compliance with 404. And we are especially
6 interested in changes in the second year as companies and
7 their auditors have gained more experiences, whether
8 resources have been allocated efficiently and effectively in
9 the second year, and whether progress has been made towards
10 the goal of improving the reliability of financial reporting
11 in the second year.
12 To work through those issues, we've assembled a
13 very impressive panel, and I will go through and introduce
14 each of the panel members. Starting on the left, we have
15 Philip Ameen, the Vice President and Controller of GE.
16 Next we have Mary Bush, the president of Bush
17 International. Ms. Bush is also a member of several boards
18 of directors of public companies, including one in which she
19 serves as the chair of the audit committee. Rodg Cohen, who
20 is the chairman of the law firm of Sullivan & Cromwell.
21 Colleen Cunningham, President and CEO of Financial Executives
22 International, or as I think many of us know it, FEI. Bob
23 Davis, Chief Financial Officer of CA, Inc. Mr. Davis is also
24 here representing the U.S. Chamber of Commerce at today's
25 roundtable.
1 Next, Samuel DiPiazza, Global Chief Executive
2 Officer of PricewaterhouseCoopers International, if I got all
3 that right. Barbara Hackman Franklin, President and CEO of
4 Barbara Franklin Enterprises and a former U.S. Secretary of
5 Commerce. Ms. Franklin is also the director of several
6 public companies, including one of which she serves as the
7 chair of the audit committee.
8 Next, Joe Grundfest, who is a professor at Stanford
9 Law School. Professor Grundfest is also a former SEC
10 commissioner, although I bet he was not in such a nice room
11 as this. And he is a director and audit committee member of
12 two public companies.
13 Seated next to Professor Grundfest is Dennis
14 Johnson, who is the Senior Portfolio Manager, Corporate
15 Governance Office of CALPERS, the California Public Employee
16 Retirement System.
17 And finally, Ed Nusbaum the CEO and Executive
18 Partner at the accounting firm of Grant Thornton.
19 The moderators for Panel One are myself, John
20 White, to my right, Nancy Salisbury, the Senior Associate
21 Chief Accountant in the Commission's Office of the Chief
22 Accountant, and to my left, Tom Ray, the Chief Auditor at the
23 PCAOB.
24 So, that's I think all the introductions, so let's
25 turn to the substance of the first panel. And we'd like to
1 organize this first panel along the lines of five topics with
2 roughly equal time for each one. The first topic will be the
3 benefits and costs of 404, speaking broadly.
4 The second is the specifics of second year
5 compliance compared to first year compliance for accelerated
6 filers. Third, we want to talk about costs and a couple of
7 studies that have been done on costs. And then we want to
8 move to experiences with the management's assessment and then
9 close with experiences with the audit.
10 So those are basically our five topics to get to
11 our first topic. We want to hear about the second year
12 compliance and whether the panelists believe that the
13 requirements of 404 have helped improve the quality and
14 reliability of companies' financial statements.
15 And I guess I'd like to actually call on three
16 panelists to get a variety of perspectives. So I'd like to
17 pose these questions in that area first to Barbara Franklin,
18 then Rodg Cohen, and then Dennis Johnson. And those are,
19 what are the improvements we've seen in 404? What are the
20 source of those improvements? What are the countervailing
21 costs? How do you see the balance of the benefits and the
22 cost?
23 We start with you, Ms. Franklin. You need to turn
24 your mic on.
25 MS. FRANKLIN: Thank you. I would like to first
1 thank the SEC and the PCAOB for holding this roundtable again
2 this year. Last year's was very productive, and so was the
3 guidance that emanated from it, and I assume that will happen
4 this time, too.
5 To answer your question, to begin to answer, of
6 course I speak as an audit committee chairman and member. I
7 think the second year implementation of AS-2 has been
8 smoother and in general, control systems are more effective.
9 Fewer material weaknesses have been noted. And presumably,
10 that does mean stronger reliability of financial statements.
11 But there are ongoing costs, and the balance
12 between costs and benefits has improved, but it still isn't
13 quite right. On the benefits side, hard to quantify, but
14 what I've noted about management is, that there's been a
15 change in mindset from a semi-crisis to a more steady state
16 ongoing effort. There's more understanding of the function
17 and importance of controls, more ownership of them throughout
18 management, not just the financial side.
19 There have been some efficiencies. Deferred
20 maintenance has been taken care of. One caveat, though, is
21 small companies. I think there's some guidance that is
22 really needed there.
23 With respect to auditors on the benefit side, I
24 think they have done better with respect to risk, risk-based
25 approach, more reliance on the work of others and just a
1 little less nervous. But I still think that there is still a
2 lot of sticking to the literal wording of the standard with
3 good reason, fear of litigation, of the memory of Arthur
4 Andersen, what the PCAOB inspections might turn up, all of
5 that.
6 And then with respect to audit committees, I think
7 audit committees now are more engaged. From the beginning,
8 the planning of the scoping of the process to the final
9 opinions and the oversight that has to go on in between.
10 On the cost side, there are these surveys that
11 we'll I'm sure hear about later. And in every one of them,
12 the cost has gone down. There is not agreement about how
13 much the cost has gone down, and generally I think there's
14 still the view that the costs are still a little bit too out
15 of line.
16 I think with respect to management on the cost
17 side, it was very hard to predict what the second year was
18 going to be like. So maybe the estimates early on were not
19 quite accurate, and there is an ongoing cost to maintaining
20 and testing controls.
21 With respect to auditors, I've said I think there
22 is an issue there about the overdoing some kinds of testing
23 because of the literal interpretation of the standards, and
24 about audit committees, we spend more time on this, but, hey,
25 that goes with the territory.
1 So I think there's still more work to be done to
2 balance the costs and the benefits, and it's really important
3 to get this right, because you don't want to create an undue
4 regulatory burden. You don't want to discourage companies
5 from our capital markets, and you don't want to do anything
6 to diminish the entrepreneurial risk-based culture that has
7 made this U.S. economy what it is today.
8 I've got two quick comments to throw in, and then I
9 will stop. I think it's now time to amend the standard. And
10 literally take the guidance that you put forth last year and
11 put it into the wording of the standard, and that will
12 empower auditors in a way that they don't feel empowered to
13 make judgment right now.
14 Second thing would be to give -- SEC would have to
15 do this -- give guidance to managements about their role
16 here, and particularly to small companies.
17 MR. WHITE: Thank you. Mr. Cohen, do you want to
18 give us your insights?
19 MR. COHEN: Thank you very much. And again, I
20 would echo Barbara's comments, how positive it is that the
21 Commission and the PCAOB are doing this.
22 At the risk of apostasy, I really do believe that
23 there are significant benefits from 404. You have it at the
24 individual company level where companies have discovered
25 problems before they became far more serious. You have it in
1 the capital markets because there is greater confidence in
2 the capital markets. And something I spend a lot of time
3 doing, which is consolidation, you have a major benefit,
4 because there is greater reliability.
5 So the effort really needs to be on balancing the
6 burdens, the costs, against those benefits to make the
7 equation work.
8 I do think it's fair to say that the burdens have
9 declined in the second year based on what we are hearing from
10 clients. To some extent, that is a function of experience.
11 I think to an extent maybe not fully realized, it is a
12 function of the guidance which the Commission did provide
13 last year.
14 But I think when you try and measure the benefits
15 and the burdens, in addition to the costs, which presumably
16 can be quantifiable, there is a more qualitative cost, and
17 that remains the continuing very conservative environment in
18 the accounting profession with respect to the internal
19 controls procedure.
20 We are seeing and continue to see almost a direct
21 correlation between a failure to apply a complex accounting
22 standard, FAS-133 is probably the best example, to a
23 restatement to a material weakness. That line seems to be
24 almost inevitable. Likewise, error seems to correlate
25 directly to a significant deficiency.
1 Further guidance from the Commission would be very
2 helpful in trying to lighten that environment, and if the
3 environment is made easier, then costs will go down.
4 Thank you.
5 MR. WHITE: Thank you. Mr. Johnson, can you give
6 us your perspective, I guess I would say an investor
7 perspective, from CALPERS?
8 MR. JOHNSON: Yes, from CALPERS' perspective, we
9 believe the second year has been a positive. The benefits
10 are several. Number one, there's been improvements in
11 disclosure, and we believe that's very positive for
12 investors.
13 Secondly, you may be familiar with our focus list
14 initiative at CALPERS. And as we have engaged companies
15 through this initiative, focusing specifically on the audit
16 committee, we have determined that the members of the audit
17 committee are of better quality, they're far more engaged,
18 and there's better planning that seems to be taking place at
19 the board level.
20 Also as a result of our focus list initiative,
21 there have been fewer concerns around internal control
22 weaknesses in the last 12 months versus previous periods.
23 And then last, I would just point to a study that
24 was published recently by Lord and Benoit that talked about
25 companies without internal control problems outperforming
1 companies with internal control problems since the
2 implementation of SOX 404. So we look at these as being
3 examples of the benefits of the second year of
4 implementation.
5 In terms of cost, we would note two. Number one
6 being the increase in audit expenses. And then secondly, we
7 note a Wall Street Journal article that was published
8 recently that talked about the perceived cost related to 90
9 percent of the non-U.S. IPOs occurring outside of the United
10 States, and so therefore a perception of market opportunity
11 or investment opportunity being lost.
12 But in summary, we view the benefits as being
13 positive. We believe as a result of the second year of
14 implementation here, market integrity continues to improve.
15 Investor confidence continues to rise, and these two
16 characteristics are very vital for an institution like
17 CALPERS in order for us to be fiduciaries and make the
18 benefit payments to our 1.4 million members.
19 Thank you.
20 MR. WHITE: Thank you. I guess I'd like actually
21 to move to our second topic, which is to try to get an
22 understanding of the second year experience under 404
23 compared to the first year experience. And I guess I'd like
24 to approach that from -- hear from that from the perspective
25 of management, the independent auditor and the board of
1 directors.
2 So I'm going to pose -- at least start my questions
3 with Phil Ameen, Ed Nusbaum and Mary Bush. And the questions
4 really are, how did the second year of assessing, reporting
5 and auditing differ from the first? Were there changes? Are
6 there other changes that you would like to see? And I guess
7 if possible, I'd particularly like you to address whether
8 companies and auditors were successful in your view in
9 implementing the guidance that the SEC and the PCAOB issued
10 last May right after the first roundtable.
11 So, Mr. Ameen, can you give us the GE perspective?
12 MR. AMEEN: I'm not sure I'm speaking for all of
13 GE, but I'll be happy to share what I can on that from that
14 angle. First of all, thank you for the opportunity to be
15 here today and to share the views.
16 We were not at GE actually in our second year in
17 2005. We started implementation and documentation in 2003,
18 and therefore, when we went into the 2004 period with which
19 I'm going to give you the comparisons, we already had a
20 pretty good set of documentation. So our cost and hours data
21 are probably not typical of what you'd see. But I'd say they
22 are typical of implementation of a complex undertaking, which
23 this certainly was.
24 We said last year that our total costs of 404
25 approximated $33 million, and they ran about the same in
1 2005. We did in probably acknowledgement of Commissioner
2 Glassman's observation that no company should have 40,000
3 significant controls, we managed to restrict that number to
4 38,000 that were tested.
5 And I think in sort of sitting back and looking at
6 the overall conclusions that we can reach, one, we're
7 certainly more focused on controls, both in our underlying
8 operations and in operations that we're assessing for
9 acquisition.
10 Two, we are more sophisticated in those
11 assessments, and we're more targeted in analyzing and
12 assessing the controls that are important to our reporting
13 process.
14 And thirdly, we have a common vocabulary for
15 talking about the controls. So, overall, on balance, I think
16 the management team, the board of directors and people down
17 in the trenches actually doing the testing are favorably
18 impressed with the progress that's been made in the second
19 year of 404.
20 MR. WHITE: Okay. Mr. Nusbaum? From the auditor
21 perspective.
22 MR. NUSBAUM: Thank you. Well, first of all, the
23 first observation from an auditor perspective is that the --
24 in the second year, management's documentation was much
25 better. It had already existed. It was refined and
1 improved. Some of the bugs in the software were gotten out,
2 and companies did a much better job in the second year, a
3 much more efficient job in documenting their controls.
4 From our perspective as auditors at Grant Thornton,
5 I think at all the firms, we truly embraced some of the
6 concepts that came out of last May's discussion. We
7 conducted integrated audits where we combined the testing for
8 internal controls with the substantive testing, which made us
9 more efficient, certainly reduced redundancies, duplicative
10 questions and processes and testing, which made our clients
11 happier.
12 It also allowed us to place reliance on those
13 controls, which made us more efficient. And we took a risk-
14 based approach, a very top-down approach to make our audits
15 effective and efficient.
16 So I believe one of your specific questions was,
17 was the guidance last year helpful, and did we succeed in
18 implementing it? I think as a profession and certainly our
19 firm found the guidance extremely helpful, and I believe we
20 did succeed in implementing it in many different ways.
21 The principles of AS-2, which some have suggested
22 mending, I think Barbara mentioned that, clearly the
23 underlying principles of AS-2 I believe work. And while one
24 could debate some of the specifics, the principles should be
25 kept.
1 Having said that, I think we do need more guidance
2 on internal controls, whether it comes from the SEC or
3 whoever it comes from, it should be in my view very
4 principle-based guidance, principle-based standards, and then
5 specific guidance should come from a panel or a consortium of
6 relevant interests, including corporations, preparers,
7 preferably from the FEI or other groups, from investor
8 groups, whether it's CALPERS or others, and from of course
9 the auditors. And then also with strong representation from
10 the SEC, the PCAOB and maybe any other regulators.
11 That kind of real, practical guidance that would be
12 based on examples and case studies would allow us to use
13 judgment, and allow companies to use judgment, but provide
14 better guidance on the definition of material weaknesses,
15 significant deficiencies, which I think would make us more
16 efficient going forward, particularly benefit smaller
17 companies, as Chairman Gradison talked about, which we're
18 particularly concerned about and making it as easy as
19 possible for those companies to be able to enact the rules.
20 I think that Chairman Cox and Mr. Johnson have
21 talked about the benefits to the investors and so forth, but
22 we could continue to make the process better from an
23 auditor's standpoint by looking at best practices in the
24 audits of 404 going forward.
25 MR. RAY: Excuse me, Ed. I have a short follow-up
1 question on a remark you made just a moment ago. You gave a
2 very positive report on your implementation of the May 16th
3 guidance from last year. Do you think you fully implemented
4 that guidance, or if not, how many more -- how much more time
5 do you think it will be for auditors to really get most of
6 the, or all of the efficiencies that the Board had intended
7 when issuing that May 16th guidance?
8 MR. NUSBAUM: Thank you, Tom. It's an excellent
9 question because -- and I know you were once an auditor --
10 the process for the audit really evolves over time. And as
11 with all the big firms, it takes us time to modify our
12 approaches, modify our software, and it's really an
13 evolution. There's no finish line on any of these endeavors.
14 As soon as the May rules and May guidance came out,
15 we embarked on a process and issued guidance by August,
16 revising our computerized audit tools, our software, and
17 providing guidance to all of our people in August of 2005.
18 Having said that, I think that further
19 modifications in our case and in all the firms can be made to
20 implement that guidance, and particularly by looking at best
21 practices. The PCAOB can identify, and I know through the
22 inspection process this year will look at further
23 efficiencies we can adopt, because they see all the reports,
24 and they see the underbellies of every firm. So they can
25 help us provide best practices.
1 And I think the accounting firms have already begun
2 discussing how we can work together better, and we need to
3 work together better to identify best practices and figure
4 out how we can further implement this guidance.
5 I don't think we're complete on this at all. I
6 think it is a multiyear. I think we've accomplished it.
7 Some will happen next year, and some will even happen in
8 future years.
9 MR. WHITE: Okay. Ms. Bush, can we get the board
10 of directors' perspective?
11 MS. BUSH: Yes, certainly.
12 MR. WHITE: You need to turn your mic on.
13 MS. BUSH: Yes. Thank you. I think there were
14 changes from year one to year two, in many ways some internal
15 to the companies, some from the outside auditors, and some in
16 the ways in which those bodies interact with each other.
17 I think that managements overall are taking more
18 responsibility, more personal responsibility for controls,
19 rather than simply leaving it to the internal auditors.
20 Internal auditors are in many cases I think pushing
21 managements to take more responsibility.
22 Managements are beginning to integrate the control
23 process into their everyday operations, into the work
24 processes. And this in many ways can be a benefit to the
25 company to its operations. So, in some ways, what one might
1 say is that we're experiencing sort of a cultural change
2 within companies in terms of the emphasis that they're
3 placing on controls.
4 Secondly, I think that -- or certainly the internal
5 audit departments with which I deal, are placing much more
6 emphasis on designing controls as a method of prevention of
7 problems as opposed to detecting problems after the fact.
8 This is also a good thing when it comes to financial
9 reporting and when it comes to safeguarding shareholder
10 assets.
11 Also, independence was an issue with the outside
12 auditors. In many cases in year one, many firms felt that
13 they could not engage with the company or advise them, shall
14 we say, on finding the best approach to financial reporting
15 on whatever the specific accounting matter might have been.
16 I find a mix of experiences there. I find that
17 some outside audit firms are engaging more if they do not
18 feel that they are sacrificing their independence by advising
19 companies when they're trying to choose the best method for
20 accounting for transactions or whatever. I find, on the
21 other hand, I hear comments that some still refuse to engage
22 in talking with the auditors with the financial management
23 early on regarding methodologies. And that I think is a
24 problem.
25 I believe that in the guidance last year, which I
1 also compliment both bodies on, that outside auditors were
2 encouraged to engage more with financial management on how
3 they would account for certain transactions and the like
4 early on rather than after the fact.
5 The checklist approach is still an issue, I think.
6 And what I mean by that is that there still seems to be as
7 much emphasis placed on low level controls, low level process
8 controls, as there in on controls that really have a risk for
9 incorrect financial reporting. That is an issue that I think
10 needs additional attention.
11 And as for guidance, I think there is still room
12 very definitely for guidance, and that that guidance, one of
13 the areas on which I would focus if I were doing it, is on
14 giving guidance with regard to what is truly important in
15 terms of misreporting on financial statements, and this goes
16 back to the issue of that there are areas where there is
17 extraordinary risk for accurate financial reporting, and that
18 there are areas where there is almost no risk at all. And if
19 some guidance could be given to managements as well as to the
20 accounting profession with regard to that issue, I think that
21 it would be very helpful.
22 MR. WHITE: Okay. Thank you. Before we move to
23 the cost issue, Mr. DiPiazza, you have another comment on the
24 first year versus the second year from the auditor
25 perspective?
1 MR. DiPIAZZA: Thank you, John. I just thought it
2 would be helpful to maybe put a few more facts out there that
3 -- and I agree with the comments that Dennis, Mary and Ed
4 have all made.
5 The chairman said that -- he said that we were down
6 from 16 percent material weaknesses, adverse opinions a year
7 ago, now to 7 percent. Over 75 percent of the companies that
8 had material weaknesses a year ago have found those
9 remediated and are not repeating.
10 When you begin to look inside the control
11 atmosphere and the activity inside companies, there's some
12 very clear things that have happened, and we like to think
13 that they are the result of 404 focus. Standardizing
14 processes, eliminating redundant controls, integrating far-
15 flung activities around the world. Bringing new employees
16 quickly into the control environment versus not doing that.
17 A lot of these things were things that were pointed
18 out in the first time through in 404 and clearly have
19 affected the way companies are behaving. And we think the
20 regime of management certification and auditor testing has
21 created that.
22 A couple of more facts. The key controls and all
23 the surveys we're going to talk about, we'll probably talk
24 about cost. But those surveys also did some other things,
25 and I'm not sure which one, whether it was the FEI or the
1 Internal Auditor Survey, but it said that key controls are
2 now down 20, 25 percent from where they were a year ago. So
3 there clearly has been a change in the way key controls are
4 being looked at.
5 So what you are seeing are some pretty clear
6 changes in behavior. The May 16th guidance has clearly had
7 an impact in the way we behave, and I think the way the
8 companies, the standards in which they're holding their
9 auditors, but there's more to come, especially along the
10 lines of reliance.
11 As management and companies become more confident
12 and more independence in their testing, we'll be able to test
13 fewer controls as well.
14 MR. WHITE: Okay. Thank you. So I would like now
15 to turn to cost, which we have heard a lot about. And when
16 I'm talking about costs, I mean costs incurred by companies
17 in complying with 404.
18 There are two studies out there, and I would like
19 Ms. Cunningham and Mr. DiPiazza to talk about the two
20 studies. And then I guess I would like then to go to Mr.
21 Davis to give us the Chamber of Commerce's view on costs, but
22 why don't we start with Ms. Cunningham and the FEI study?
23 MS. CUNNINGHAM: Thank you. And thank you for
24 having us again this year.
25 A little bit about our study. We've done them
1 since 2003. Our last survey that we've done was in March of
2 2005. We did do a survey recently in March 2006 where we
3 asked our members' registrants to answer questions regarding
4 404 and their year two implementation efforts.
5 We had 274 companies respond, of which 238 were
6 accelerated filers. I think before I get into the specifics
7 of the results of our survey, I think, you know, it's
8 important to state that all of the surveys that have been
9 done recently note some -- there are a lot of similarities.
10 They all note similar benefits.
11 For example, in our survey, 56 percent of the
12 respondents stated that there's greater investor confidence
13 in the financial reporting. Forty-four percent felt that the
14 financial reports were more reliable. Thirty-eight percent
15 felt that they were more accurate, and 33 percent felt that
16 404 helped prevent or detect fraud.
17 And as one of the sponsoring organizations of COSO,
18 we've long supported the position that effective internal
19 controls are vital to the integrity of financial reporting.
20 That said, on the cost side, we still hear from our
21 members, and it's evidenced in the survey results, that the
22 costs still far outweigh the benefits. In fact, in our
23 survey, 85 percent of the respondents believe that the cost
24 outweigh the benefits. And this compares to 94 percent who
25 responded that way last year.
1 So it has come down a bit, and I will say we did
2 bifurcate our results based on size of companies. And I
3 think the large companies view it more favorably than the
4 smaller companies for good reason.
5 On the cost side, the respondents in our March '06
6 survey reported that their costs have come down about 16.3
7 percent compared with last year. The bulk of that was
8 internal time that they spent -- I'm sorry, it was the use of
9 external consultants and audit fees. the internal time that
10 staff spent did not go down as much as companies anticipated.
11 I think part of that is the consultant work moved to internal
12 resources.
13 On the audit fee side, our members responded that
14 audit fees declined about 13 percent, not as much as we
15 anticipated, but I think a piece of that relates to the
16 supply and demand issue associated with the resources needed
17 in the audit firms and the salaries that are now required to
18 be paid to maintain those resources. And clearly, 404 added
19 a lot of work to the auditors' staff. So, therefore, they
20 needed to make sure they retained staff. And also I think
21 the practice protection costs have also gone up, which caused
22 the audit fees to go up.
23 I think, you know, there has been discrepancies, a
24 lot of discussion about the discrepancy and the amount of
25 decline between the various surveys, and I think the point
1 here is that they did go down. Most surveys' respondents
2 state that they just didn't go down as much as we
3 anticipated, but I think that can be kind of explained.
4 Also, I should point out that because it's an
5 integrated audit, it might have been difficult for the
6 respondents to identify the pieces that relate to 404 versus
7 the financial statement audit. So studies that have been
8 done related to the overall audit fees based on proxies will
9 note that they've stayed relatively flat when you include
10 both the financial statements and the 404 audits.
11 MR. WHITE: Okay. I guess the other survey, Mr.
12 DiPiazza, is the one that was done, I guess commissioned by
13 the Big Four. And if you could comment on that one, that
14 would be useful.
15 MR. DiPIAZZA: I'm very happy to. And I agree with
16 Colleen. The surveys are all taking sort of a different
17 direction in terms of methodology and where they're coming
18 from. I mean, NASDAQ did a survey. The Institute of
19 Internal Auditors did a survey. And I think it's fair to say
20 that the averages are coming out where costs are down
21 somewhere between 15 and 25 percent.
22 Our survey, we looked at both small companies,
23 large companies. We looked at -- and it was done by CRA. It
24 was an independent survey. We basically gave them access to
25 information and let them accumulate it. The total cost for
1 large companies were down in the 40 percent range, and that
2 included external use of consultants and costing of internal
3 resources and auditor costs as well. And the specific
4 auditor cost for large companies went down about 20 percent.
5 Small companies, the cost went down a bit less, 30 percent in
6 total and 20 percent from the auditor's side.
7 So there is in fact, as I think everyone will say,
8 a scalability issue a bit with the smaller companies. The
9 reasons, and we probed to find out where is coming down,
10 where are we seeing the differences, and they're the obvious
11 ones.
12 Documentation, big savings in documentation. I do
13 think the risk-based approach and the reliance on management
14 testing had a big impact. Integrating the audit does provide
15 advantages, but it makes it a little more difficult, as
16 Colleen said, to figure out what really is the long-term
17 effect.
18 There's a learning curve going on. We don't think
19 in the profession that we're done yet by any means in
20 becoming more efficient. But I do think we would say that
21 the curve is not going to stay at the current rate, because
22 we are now reaching, over the next year or two, we will be
23 reaching what we hope a more steady state as we look at this.
24 MR. WHITE: Mr. Davis from the Chamber of Commerce
25 perspective.
1 MR. DAVIS: In a nutshell, the costs are too high.
2 But --
3 MR. WHITE: How did I know that was coming?
4 MR. DAVIS: I'll be happy to elaborate a little
5 bit. I think the -- I think it's been a very healthy
6 dialogue. I appreciate the SEC and the PCAOB having us here
7 again this year. I do think the guidance that came out a
8 year ago as a result of that roundtable was helpful. Cost
9 improvements have been made. I do think shareholder
10 confidence is up. So, a lot of the original intents of
11 Sarbanes-Oxley have been achieved.
12 But the cost improvements that have been made to
13 date, particularly around 404, are nowhere near dramatic
14 enough. And I would tend to agree with Barbara's comments
15 about the only way that you could really propel that is to
16 amend or revise AS-2 and potentially have some guidance from
17 the SEC come out to management.
18 Because I think one of the things you're seeing
19 right now, too, is there's a lot of variance in practice. So
20 even if the Big Four may have, you know, one set of practices
21 they're trying to proliferate a lot of times I think -- at
22 least I hear anecdotally, there will be variances by local
23 offices.
24 And it's just that despite Ed's comment about
25 everybody wants to be principle-based and rule-based, until
1 AS-2 is revised, you keep going back to AS-2, and management
2 doesn't really have their version of AS-2, as the chairman
3 said.
4 So I think in this risk-adverse environment, as
5 Mary said, we're just continuing to test too many lower level
6 controls that are really to some degree missing the forest
7 for the trees.
8 And I think the only thing that the Chamber
9 specifically highlighted, which hasn't been addressed here,
10 is that I do also think there are a lot of soft costs
11 involved. There's a lot of time being spent by boards and
12 senior management, which I would probably argue, you know,
13 the audit committees, that's their job. That's the CFO's job
14 and the controller's job, but are we spending a
15 disproportionate amount of time having management so focused
16 on value protection that they're not creating value? I mean,
17 clearly, a few years ago the pendulum was way too far toward
18 value creation. It's now potentially, you know, in the other
19 direction.
20 And then the final thing that I will mention of the
21 Chamber that we brought up in the letter is that one of the
22 other things, too, I think in the risk-adverse environment is
23 there's been a big increase in restatements, that I think
24 most of the time if you actually look at what's driving the
25 restatements, most investors are, I think to some degree,
1 mystified as to the rationale or the reason for doing it.
2 And I tend to think that could be, while we're
3 trying to increase investor confidence with these control
4 opinions, having less judgment than you would expect by
5 auditors and management and being risk-adverse and doing
6 restatements, I think has a countervailing impact which is
7 not positive.
8 MR. WHITE: You had another question, Tom?
9 MR. RAY: Yes. I have a short follow-up question
10 for Mr. DiPiazza, and I think perhaps Mr. Nusbaum and maybe
11 others also might have a view on this point. In the CRA
12 survey, it does show a fairly substantial reduction in the
13 audit fees associated with 404. But on the other hand, other
14 increases in audit fees pretty much make up the difference,
15 so we had a fairly steady overall audit fee cost from year to
16 year. I wonder if you could comment on the reasons for those
17 other audit fee increases?
18 MR. DiPIAZZA: Happy to, Tom. There's no question
19 that the integrated audit, the financial audit, has a scope
20 increase going on. That's coming from demands from audit
21 committees and boards, and frankly, from our own sense of
22 responsibility of what proper coverage is for auditing.
23 So there's clearly scope that has been increased in
24 the pure financial audit. But there are other things.
25 They're the incorporation of new standards, changed standards
1 that we are having to deal with. There's more focus on the
2 detection of fraud, more involvement of forensics that we
3 three years ago didn't have as much as we have today.
4 There are changes going on inside the systems of
5 company, frankly, in part because of 404, where there's more
6 integration happening. There's the systems adjustments or
7 process adjustments as a result of 404, which means the basic
8 audit process is adapting to those things.
9 Over time, that ought to mitigate or reduce the
10 audit fee, but in a year of change, you've got to deal with
11 it. Transactions, a pick up in the transaction environment
12 over the last year, clearly meant that there were more audit
13 fees going on.
14 So, you know, from our perspective, it's a
15 balancing factor. Now we do think that after this year you
16 will see that mitigated as well. But this was another year
17 of change for increase in scope in the audit process.
18 MR. WHITE: Ms. Bush?
19 MS. BUSH: Yes. Thank you. I of course haven't
20 done surveys on costs. My information is anecdotal from the
21 companies where I serve on the boards and from others from
22 whom I talk who are on boards or who are on audit staffs.
23 But from that anecdotal evidence, there seems to be
24 a good deal of differentiation with regard to the cost
25 reductions that we have experienced, and that a lot more,
1 significantly more, of those cost reductions are coming from
2 inside the companies because there is less need for
3 documentation because a lot of what is needed was put in
4 place in the first year.
5 But that the cost reductions in terms of the
6 outside auditors are much, much lower.
7 MR. WHITE: Mr. Cohen?
8 MR. COHEN: Thank you, John. Chairman Cox I
9 thought raised a key question which has been commented on
10 briefly by several panelists and then made a key statement,
11 and I'd like to be presumptuous to try and bring those two
12 together.
13 The question was whether there should be some form
14 of standards or additional guidance for management. And the
15 statement was the distinction which needs to be drawn between
16 the role of management and the role of the outside auditors.
17 At the beginning, it was inevitable that the
18 process would involve duplication, that the outside auditors
19 would almost necessarily have to be highly intrusive and very
20 comprehensive.
21 One great virtue of having standards or guidance
22 for management would be to be able to draw that distinction
23 between the role management in the process and the role of
24 the outside accountants. And I think the bottom line of that
25 would be, once everybody recognizes the respective roles,
1 would be a reduction in costs.
2 MR. WHITE: Well, I guess that will actually leads
3 into our fourth topic, which is management assessment. I
4 think my principal question here was to get a view on the
5 need for guidance or not the need for guidance in the
6 management assessment area.
7 I think we've heard that expressed by several of
8 the panelists already. I don't know, does anyone else --
9 would anyone else like to comment on the need for management
10 guidance? Mr. Nusbaum?
11 MR. NUSBAUM: Thank you. There were some comments
12 earlier about the need for guidance for management, but I
13 just want to caution that -- and I believe that that's
14 necessary, but that guidance, just to clarify my point about
15 principle-based, the overall guidance and standards should be
16 principle-based, whether they come from the SEC or others.
17 But the implementation really needs real life
18 examples and practical guidance that can be used on a day-to-
19 day basis by management and also used by the auditors and the
20 audit committee as they deal with real life situations.
21 And whether it's through a panel, as I mentioned
22 earlier, or through some other means, what we need is, is not
23 just a set of rules issued, but some examples and practical
24 guidance with real life examples that will make life easier
25 for management, and frankly, easier for the auditors as well.
1 MR. WHITE: Ms. Cunningham?
2 MS. CUNNINGHAM: Yeah. I know you said not to echo
3 would previous speakers said, but I think Ed's right. I
4 guess when I hear guidance, I get worried that we're going to
5 get another standard that will, you know, box management in
6 to some degree.
7 And I think it's very, very important. Every
8 company is run differently. Every company gets comfortable
9 with their internal controls perhaps in a different way. And
10 I think we need to make sure that it is principles-based and
11 the guidance focuses on, you know, the clarification of maybe
12 key terms and definitions, and clarify that management is not
13 expected to follow the same rules that the auditors are
14 required to do.
15 MR. WHITE: Boy, I'm almost afraid I asked this
16 question.
17 MR. DiPIAZZA: Actually, John, I wanted to be sure
18 that -- we are talking about management guidance, but there's
19 guidance that we need in the profession as well in AS-2.
20 And, frankly, that's what I wanted to make a comment on.
21 There's several areas, and I think someone earlier
22 actually made the reference to it. Restatements are a
23 problem. When a deficiency, first evaluating a deficiency
24 and the extent of a deficiency is hard enough. But then when
25 you have a situation where deficiencies are a strong
1 indicator, restatement is a strong indicator of a material
2 weakness and vice versa, then you've got very serious issues
3 about how a restatement, when a restatement leads to a
4 material weakness and an adverse opinion. And if there is
5 anything that's creating enormous stress in the system, it's
6 sitting right there.
7 You know, from the profession's viewpoint, every
8 restatement doesn't mean you have a material weakness. But
9 there is a default assumption that that's what you've got.
10 So we're going to need some help there.
11 We probably also need help with materiality. The
12 interim materiality, how it's judged, what are the impacts on
13 known errors, known misstatements on the interim basis versus
14 something that's not a known misstatement but a problem on an
15 interim basis. Those are things that we need some help with
16 in AS-2. I don't think you have to reopen AS-2 to do it, and
17 we can talk -- I know you'll get to that in a second.
18 We actually think that AS-2, the May 16th guidance
19 of last year has already been incorporated in our policies
20 and procedures. You're not going to get a big bang by
21 incorporating them into AS-2, because we're already treating
22 them as if they're part of the standard.
23 But I do think there are some things we need to --
24 we need some help with.
25 MR. WHITE: Ms. Franklin?
1 MS. FRANKLIN: A footnote. I was going to raise
2 what Sam did about the materiality definition and those --
3 I've had a bee in my bonnet about the definitions of
4 significant deficiency and material weakness for a long time
5 in the standard, that there ought to be some better way to
6 articulate what we're trying to do and to bring materiality
7 back.
8 With respect to the management guidance, where I
9 was really going with that is to emphasize that this would be
10 a way for the SEC to help with the small company dilemma
11 rather than granting a blanket exemption of some kind that
12 would hit 70 or 80 percent of micro small cap companies. I
13 think that's the way to handle that particular problem.
14 But the SEC I believe is the only one who can do
15 that. The Board cannot.
16 MR. WHITE: Okay. We're going to move in a moment
17 here to the audit experience side of this, but, Mr. Ameen, do
18 you have one more comment on the management side?
19 MR. AMEEN: Just a couple of observations. First
20 on the relationship between a restatement and a material
21 weakness. It seemed to us when we ran into our FAS-133
22 circumstance that the relationship between the two is almost
23 axiomatic and very difficult to escape, that having a
24 material error in financial statements that needed to be
25 corrected was evidence, prima facie, and almost irrefutable,
1 that there was a material weakness.
2 In fact, by the time we reported the restatement,
3 we had corrected the weakness, although it was nine months
4 later before our auditors could acknowledge that fact, itself
5 a problem.
6 But it doesn't seem to be a problem to me to relate
7 the two so long as -- and I think that ought to be
8 acknowledged.
9 Secondly, I have some concerns about standard
10 setting through examples, if case studies become the way that
11 we communicate the interpretations. The internal control
12 environments and the decisions that are made about what are
13 significant controls and significant weaknesses are very
14 complex and very specific to individual companies. I would
15 be concerned that we'd be able to capture that complexity in
16 a case study environment, and therefore I'd caution against
17 that approach.
18 MR. WHITE: Okay. So why don't we move to the
19 audit experience in the second year. Professor Grundfest,
20 you have been extraordinarily patient. So I think I'm going
21 to ask you a few questions.
22 MR. GRUNDFEST: It's early in the morning
23 California time.
24 MR. WHITE: Ah. I knew there was something. I'd
25 actually like to ask you about the PCAOB inspection process
1 and its effect on the audits of internal control. And there
2 have been a number of comments about that in different
3 places, and there was certainly the recent statement I guess
4 on May 1st that the PCAOB put out on how the inspection
5 process was going to be conducted in 2006. And I know you
6 have some thoughts on this, so I'll --
7 MR. GRUNDFEST: Thank you very much, John. And I
8 think the inspection process is really going to be central to
9 the future of the operation of 404 because it is through the
10 inspection process that the audit firms are going to get very
11 clear messages from their proximate supervising body as to
12 whether they've gone too far in terms of the procedures that
13 they're following, whether they haven't gone far enough, and
14 too sloppy on the 404 front, or whether, in Goldilocks'
15 terms, you've got it just about right. All right.
16 For perfectly understandable reasons, society and
17 regulators don't have the greatest credibility when the
18 companies being audited complain about the audit process.
19 The greatest credibility in terms of being able to signal
20 that the process has gone too far will likely come from the
21 PCAOB and the inspections there.
22 Now, in that context, I think it's very important
23 for the PCAOB and the profession to understand that there are
24 some structural features of this process that push it towards
25 hyper aggressive enforcement of the 404 standards. And it
1 may be useful to take a step back and to understand that the
2 audit profession is not unique in this regard.
3 The phenomenon of defensive medicine is something
4 that all of us are aware of. We all know that the medical
5 profession is subject to great litigation pressure, and if,
6 for example, you're an oncologist, one of your great fears is
7 being sued because of the failure to diagnose lawsuit, a
8 diagnose situation.
9 So it is a natural tendency in the medical
10 profession to prescribe tests that you typically would not
11 prescribe but for the possibility of litigation. And then
12 there's some other incentives around the testing environment.
13 For example, the cost of the test is not borne by the
14 physician that prescribes the test.
15 Prescribing the test gives a benefit to the
16 physician because it reduces the probability that there will
17 be litigation against them. And in many situations, the
18 physician makes more money because they're also applying the
19 test.
20 If we have a look at the predicament that the audit
21 profession has been subject to, it's almost a direct parallel
22 to the situation we find in the medical profession where the
23 same natural economic forces push people with good intentions
24 to engage in hyper aggressive enforcement, and in the medical
25 context, to start applying controls that really are
1 suboptimal because of external social pressures.
2 We've got exactly the same situation at work here,
3 and in order to solve that situation, I really do think we
4 need, you know, a two-bullet approach. Number one, we've
5 been talking about strong improvement of the inspection
6 process. But I also think we need to change the substance of
7 what it is that's being inspected against.
8 Several of my colleagues have already mentioned the
9 importance of the term "materiality" and the role that the
10 phrase "significant deficiency" plays in the analysis of the
11 process.
12 Yes, we're all supposed to look for material
13 weaknesses, but the standard also cautions us that an
14 accumulation of a sufficient number of significant
15 deficiencies can itself constitute a material weakness. So
16 let's, as one of my colleagues likes to say, dilate on the
17 definition of the term "significant deficiency."
18 If you stop and think about it for a moment, it
19 makes your head spin, all right, because go back, read AS-2,
20 and it says that a significant deficiency will kick in -- and
21 here I paraphrase -- where you have more than a remote
22 probability of a more than inconsequential misstatement.
23 All right. Grab your breath and let's try to
24 quantify what these words mean, okay? Rough rule of thumb,
25 all right. And I know SAB-99, there's all sorts of other
1 literature that says, Joe, you can't make it this simple, but
2 let's make it real simple.
3 Materiality. If you've got a number that's at 5
4 percent of the revenues, you're at materiality, okay. That's
5 a common rule of thumb, okay. All right. I've even got the
6 auditors shaking their head, I'm with you.
7 MR. GRUNDFEST: You've got literature generated by
8 the audit profession itself saying that you are not
9 inconsequential if you are at less than 20 percent of the
10 materiality standard. Right, guys? Okay. Twenty percent of
11 5 percent. If somebody will correct my math, that's 1
12 percent, okay?
13 Then we're talking about a more than remote
14 probability of a more than inconsequential misstatement.
15 What does the word "remote" mean? Now the profession and the
16 PCAOB have been orthodox in taking the position that we're
17 not going to put a number to the word "remote."
18 Allow me to be unorthodox. Let's assume that the
19 probability is 5 percent or 10 percent. It really doesn't
20 make much of a difference. Let's say it's 5 percent. So,
21 what's the expected value of a -- of 20 percent of 5 percent
22 multiplied by 5 percent? That's five one-hundredths of one
23 percent. That's five basis points. So a very natural
24 quantification of the language contained in AS-2 drives you
25 to look at processes that have an effect of five basis
1 points. And we wonder why people are complaining about low
2 level process controls, because the very language is -- thank
3 you!
4 MR. GRUNDFEST: I was surprised it took that
5 long, Sam!
6 MR. DiPIAZZA: I really tried, Joe!
7 MR. GRUNDFEST: And you know, sure, the audit
8 standard is not supposed to look only for significant
9 deficiencies, but it's hard to ignore the language in the
10 rule itself that gives so much importance to that term.
11 MR. WHITE: I think we have to give Mr. DiPiazza a
12 response here.
13 MR. DiPIAZZA: I'm not going to go through the
14 standard because, Joe, I don't understand exactly what it
15 says, either, sometimes. But I will say, you can't do it the
16 way you just did it.
17 You can't take the multiplication of those two
18 numbers and say that is what we're measuring, because when it
19 hits, it's not five basis points. Okay? It's not.
20 That may be how you view the probability of remote.
21 But, in fact, if you have an event on a weakness in a
22 control, you are going to get bigger than that issue.
23 And so what we are looking for are places where
24 that might occur. So I just -- math is great. And I know at
25 Stanford you do a great job with it. But that's not the way
1 it actually works in the real world.
2 MR. WHITE: Mr. Nussbaum. You going to echo the
3 same thing? There are a lot of auditor comments going on up
4 here?
5 MR. NUSSBAUM: I agree, of course, with Sam. But I
6 do think we need to look at materiality. But it's not just
7 materiality over material weaknesses, as you point out,
8 Professor Grundfest. I think all of our heads are spinning
9 as a result of, not just the standard, but the various
10 interpretations of it.
11 But what we need to do is look at financial
12 statement materiality as well. Because that, as you
13 mentioned, SAM 99, does cause us to result in a significant
14 number of restatements that maybe don't need to be made, as
15 someone talked about earlier.
16 My being concerned about a financial statement
17 materiality issue when you are looking at it from a top-down,
18 risk-based approach, could result in a lot more testing than
19 needs to really be done.
20 But we are sort of stuck with that -- those
21 standards on financial statement materiality, both in the
22 guidance and SAM 99. But more importantly, in the way it is
23 being interpreted. So, I do think that there is some
24 validity to looking at materiality, but I would extend that
25 look to financial statements beyond.
1 And if I could just comment on another thing you
2 said, Professor Grundfest, and that is that the PCAOB
3 inspection process should make sure that we should do enough
4 auditing to ensure that there is good quality. And also make
5 sure that we don't over-audit so that we don't charge too
6 much. And I agree with that. And I think the inspection
7 processes here will clearly do that.
8 But I want to acknowledge that this perfect, just
9 about right, really probably is a fairy tale from Goldilocks.
10 There is so much judgment involved here in the course of an
11 audit, whether it's Grant Thornton or any other firm, that we
12 have to acknowledge that there is a range of acceptable
13 answers, and there's no single perfect answer, both in
14 management's documentation and the definition of material
15 weakness, or what the internal controls are, financial
16 statement materiality or what are the appropriate audit
17 procedures.
18 And we have to be willing to accept that auditor's
19 judgment and management's judgment in that process.
20 MR. WHITE: I see we have a few more cards up, but
21 actually, we only have about two minutes left. And I did
22 have one question that I wanted to put to Professor
23 Grundfest, on restatements. But you only have two minutes.
24 MR. GRUNDFEST: I'll take 30 seconds. On
25 restatements, there are two --
1 MR. WHITE: Well, let me ask the question because -
2 - I told you I was going to need --
3 MR. GRUNDFEST: You are going to get what I want to
4 say, anyway. So --
5 MR. WHITE: The restatements went up a lot last
6 year, from 600 to 1200. And there are a lot of comments
7 about whether that was -- how that relates to 404.
8 Now say whatever you wanted to say.
9 MR. GRUNDFEST: There are two things. First,
10 let's -- so the question is, restatements, 404, what's the
11 connection. Does it prove that 404 is really working. Let's
12 divide the proposition into two parts.
13 First, let's assume that restatements are related
14 to 404. And then we are going to challenge that assumption,
15 because it's really incorrect.
16 The vast majority of restatements have no material
17 effect, if you measure materiality by stock price response.
18 This is going in, looking at a bunch of accounting issues,
19 cleaning up a bunch of accounting issues, and disclosing the
20 information to the stock market.
21 What did investors say? We could care less.
22 Well, if that's right, then what that suggests at
23 one level is that all the expenses that went into the
24 restatement process didn't lead to a restatement that was
25 material in the sense the stock market cared about. And that
1 would be consistent with the hypothesis that 404 is causing a
2 lot of wasteful expenditure that investors themselves do not
3 value, once the information is actually presented to them.
4 So, what is interesting about that argument is, if
5 you add the fact relating to stock market price response, it
6 actually is consistent with the hypothesis that 404 has gone
7 too far, and is imposing inefficient costs.
8 Now, take a step back, and say, well, gee, has 404
9 really led to all these restatements? The short answer to
10 that is, only a minority of them, if at all.
11 And there, I think Commissioner Glassman's recent
12 speech has a one-liner in it that explains -- wait a minute,
13 about half of these restatements came from companies that
14 were weren't subject to 404 requirements, anyway. So,
15 therefore, how could you say that 404 caused that? I think
16 that analysis is entirely correct. And you add that with the
17 observation that restatements have no material effect. And
18 then you get an entirely different picture of the situation.
19 MR. WHITE: It is 10:30, but the moderators have
20 made the executive decision to steal five minutes from the
21 next panel, so, Mr. Ameen?
22 MR. AMEEN: I just wanted to point out that five
23 basis points on my revenues is $75 million, about which I do
24 care.
25 MR. WHITE: Ms. Bush?
1 MS. BUSH: I would just say that the complexity of
2 the measuring or defining or figuring out significant
3 deficiencies, material weaknesses, what is really material,
4 what should cause a restatement. It's all shown up, shall we
5 say, by the conversation between Mr. Grundfest and Mr.
6 DiPiazza.
7 That, in my mind, also points out the costs,
8 because these kinds of conversations go on with companies, in
9 companies as well. Those costs also, I think, can lead to
10 less focus on the strategic and operational audits that
11 companies should be engaging in. Also, just in terms of the
12 business itself, the strategy, the operations, the business
13 to create value, as Mr. Davis alluded to earlier.
14 MR. WHITE: Okay. So, Ms. Franklin, you opened
15 this panel. We'll let you close it.
16 MS. FRANKLIN: With just a comment about
17 inspections. I think to really get the most out of the
18 inspection process, and to give feedback and guidance to the
19 auditors, they have got to be more timely.
20 I think you are all aware of the fact that there
21 were delays in when the auditors got the reports the last
22 time. And maybe that was a start-up issue, with respect to
23 the newness of the board, but I really think that that
24 process needs to be accelerated.
25 The substance of it needs to be right, but the
1 timeliness of it does, too.
2 MR. WHITE: Well, I would like to thank our
3 10 panelists. We very much appreciate your being here. We
4 are going to adjourn this panel, and the next one, which will
5 be on Management's Assessment, will resume at 10:45.
6 Thank you.
7 (A brief recess was taken.)
8 PANEL TWO - MANAGEMENT'S EVALUATION AND ASSESSMENT
9 MR. TAUB: Our first panel was very successful. We
10 certainly hope to continue the very high level of discussion
11 and discourse throughout the day.
12 This second panel is intended to focus in on
13 management's assessment process, and the evaluation work that
14 management does under 404 in order to render its opinion on
15 the effectiveness of internal controls.
16 My name is Scott Taub. I am the Acting Chief
17 Accountant at the Commission, and I will be the lead
18 moderator for this panel.
19 To my left is Laura Phillips, Deputy Chief Auditor
20 at the PCAOB. To my right is Carol Stacey. She is the Chief
21 Accountant in the Division of Corporation Finance, Office of
22 the Chief Accountant. We will be moderating this second
23 panel.
24 We have an excellent panel assembled in order to
25 have this discussion.
1 From my left to right, we have Bill Brunner, CFO,
2 Vice President and Treasurer of First Indiana Corporation,
3 and the Chairman of the ABA -- American Bankers Association,
4 have to specify which ABA -- Accounting Committee.
5 Then, Kimberly Parker Gavaletz, the Vice President
6 and Deputy of Global Sustainment at Lockheed Martin. Did I
7 get the title right? Okay.
8 Sue Gordon, Senior Vice President,
9 Corporate Controller and Chief Accounting Officer at CBS
10 Corporation, having survived the spin-off from Viacom.
11 Moving on. Keith Holmberg is the Vice President of
12 Finance and Control Processes at British Petroleum.
13 Lee Level, Corporate Vice President and Board
14 Member at Computer Sciences Corporation. He also serves on
15 several other boards of directors, and indeed, chairs audit
16 committees at some of those other boards.
17 Peter Minan, National Managing Partner of Audit at
18 KPMG, one of the Big Four firms.
19 Stephen Sherwin, is a doctor and the Chairman and
20 CEO of Cell Genesys, Inc. He also represents to some extent
21 the Biotechnology Industry Group.
22 Moving on. Dr. Albert Teplin, Audit Committee
23 Chair at Viad Corporation, and also an Audit Committee on
24 other boards of directors.
25 And, finally, Jim Turley, the Chairman and CEO of
1 Ernst & Young.
2 Thanks to all of our panelists for agreeing to be
3 here today. We look forward to a good conversation. I am not
4 going to repeat all of the rules of the road that John White
5 gave us this morning.
6 We will remind panelists, as well as commissioners
7 and board members, please turn up your tent cards and, as an
8 added reminder, once your turned-up tent card has worked, and
9 we have called on you, please turn down the tent card while
10 you speak. I understand that CNBC and MSNBC would like to
11 see everybody's faces clearly as you speak.
12 The Commission's rules require that management
13 assess, at the end of each fiscal year, the company's
14 internal controls over financial reporting and report on its
15 assessment of the effectiveness of those internal controls.
16 At last year's roundtable, several commenters
17 questioned whether management's approach to completing its
18 assessment of internal control over financial reporting was
19 appropriately top-down out, risk-based and focused.
20 Moreover, several commenters suggested that too
21 many controls and processes were documented and tested.
22 Feedback from some commenters indicated that they expected
23 that some of the cost and effort involved in documenting
24 internal controls over financial reporting did represent one-
25 time start-up costs that might not be repeated in subsequent
1 years.
2 The Commission and Board are now seeking input on
3 whether and how companies have improved the efficiency and
4 effectiveness of the process for assessing internal control
5 over financial report in the second year of compliance.
6 The Commission and Board are also soliciting views
7 about the challenges in designing a sustainable assessment
8 process that is both effective and efficient.
9 The first question I am going to first direct it at
10 Ms. Gavaletz, and then to Dr. Teplin.
11 The question is whether the guidance that the SEC
12 and PCAOB issued last May has been helpful in improving
13 management's assessment process, whether indeed the
14 management assessment was more risk-based and more focused in
15 the current year, and then perhaps a discussion of any
16 remaining challenges that you are aware of in management's
17 assessment process.
18 Ms. Gavaletz?
19 MS. GAVALETZ: Thank you for the opportunity to be
20 here today, and to be able to comment both to the PCAOB and
21 the SEC and to engage with the other panelists here.
22 I do want to say that yes, the guidance last year
23 from the May Roundtable was helpful to management but, I
24 believe, to everybody involved. I think it depended on where
25 you were in the maturation of your own internal control
1 environment, and how that was helpful to you.
2 First, for those that were very mature, I think it
3 reaffirmed the use of that top-down approach, and that risk-
4 based approach. For those that might have been just
5 inventing, it really helped them. It affected them and
6 changed them mid-course to make any corrections, maybe, to
7 further go that way.
8 And for those that were just starting, it certainly
9 helped them with a basis of how to start and get started. So
10 I think it was timely for that.
11 I think, as far as its overall effect, though, in
12 the first year, that after that guidance, it was probably
13 still just getting started being effective, because actually
14 the time of that to affect last year's activity, was probably
15 just at the tip of the iceberg as far as seeing the
16 effectiveness of that.
17 I think we'll see continued effectiveness this year
18 and as we go forward and as people mature across the curve
19 that guidance will be reaffirming. I think that was
20 illustrated by a lot of the surveys that have been commented
21 on in the first panel.
22 The Institute of Internal Auditors' survey said
23 that, in the first year, 42 percent of the chief auditor
24 surveyed believed the top-down approach was used, but in the
25 second year, 75 percent believed it. So I think that is
1 significant in itself. And so I think there is more to come.
2 The second part of the question, or processes for
3 evaluating control more risk-focused, I believe they were.
4 But of that 75 percent that said they had used more of a top-
5 down approach, there still was a perception by 58 percent of
6 that 75 percent that they saw the external auditors testing
7 things that were not, in their view -- and again I am not
8 sure how much of that was confirmed with the external
9 auditors -- based on a risk-based approach or that could
10 affect the company materially.
11 So I think some of that is some understanding, some
12 communication -- there was a lot of improvement in
13 communication across this last year, but I think there's
14 still some coming together on what is the risk-based
15 approached and top-down that needs to happen.
16 As far as what's left, I think part of our
17 challenge is staying course and keeping the faith. I look
18 back on this country, and any significant legislation, and
19 you go back all the way to the founding of the country on our
20 Constitution, our Declaration of Independence, some really
21 sound things in that first body. I think there are some very
22 sound things in the 404 on AS-2 that are there.
23 I think the other guidance and things coming out
24 are important, but I believe -- I would caution on
25 legislating, regulating too much there. I think we need to
1 really look at what are the questions being asked and satisfy
2 those questions.
3 And when people ask for guidance really understand
4 what they are asking for guidance about. In talking to
5 people getting ready for this panel, I have heard that. And
6 I have seen that in the comment letters. And I have surveyed
7 others. And what I have been hearing more, and I would like
8 to make sure we hit that a little bit, that the small company
9 side of it is definitely there.
10 But I hear some cry for relief, but I think there
11 is a lot more of a cry for how-to. And an easy way to
12 implement, which I am not sure is what the SEC and PCAOB is
13 supposed to necessarily be telling.
14 I think there are other providers for that. I think
15 they can utilize the COSO framework and hopefully the small
16 business framework that's coming out. And other providers
17 will be there to help them with some how-to's. I think that
18 is more what's being asked there.
19 I would welcome input from others. I know relief
20 would always want to be there, but I think the principles are
21 still there, and if you want to change something for the
22 small businesses, large businesses here would like to hear
23 about it as well, because I think, again, the soundness of
24 our internal controls apply to both. And I think investors
25 in small or large businesses are equally -- that's equally
1 important to both of them. So understanding and satisfying
2 the need.
3 I think the other thing that's out there for this
4 risk-based, top-down in other areas if really from the
5 management versus the external auditors. And it's kind of --
6 well, the external auditors have this, and so it's driving
7 management.
8 I am not sure that something that is a competing or
9 leading effort won't cause us -- well, my books says this,
10 your book says that. I would rather foster the relationships
11 between the two to talk through these and work through the
12 issues than necessarily competing standards as we are going
13 forward.
14 And I do hear some standards versus informal
15 guidance. I would, again, just say go slowly in converting
16 things into standards. I think guidance -- as people have
17 said, the guidance that was issued last year has been hugely
18 helpful, as evidenced by people and their proceeding forward.
19 If we get too voluminous, if we do each year, and
20 add -- ten years from now where would we be from this.
21 I think it was important last year. I think it
22 will be important this year. And, again, I thank you for the
23 opportunity to be here.
24 MR. TAUB: Okay. Thank you. Dr. Teplin, do you
25 have anything to add on these questions?
1 DR. TEPLIN: Well, I don't know if I have something
2 entirely new to add, but I do have a different perspective.
3 I thought, first of all, to answer the question very
4 directly, the guidance last year was very helpful,
5 particularly, I believe, in reestablishing the useful
6 cooperative communication between management and the external
7 auditor.
8 There had been substantial confusion in that. And,
9 as an audit chair and audit committee member myself, I found
10 myself very much in the middle of that. And I think that the
11 guidance that was issued last year, there were a few
12 sentences in there that were extremely helpful in
13 reestablishing what has been, as we move through this
14 process, a much more efficient and better way of doing
15 things.
16 As far as going to more of a top-down, risk
17 assessment, in scoping the assessment and improving it, I
18 think that what is happening is a clear winnowing down
19 towards that. I am seeing now at least that -- I would argue
20 that 2006 is going to be the year that you are going to see
21 significant improvements.
22 Two thousand and four, we got through it. And
23 there was a lot of discomfort though the entire process.
24 Two thousand and five, at least we knew what to do.
25 Since we had already attained an assessment. And cost didn't
1 come down, as we had hoped, and so on.
2 But I think in 2006, management, the audit firms,
3 and the audit committee indirectly, are working towards
4 becoming much more efficient in this process. That's not to
5 say that things can't be improved more. I think that there
6 needs to be more clarity in what guidance that there is on
7 the use of the internal auditor in the firms.
8 You know, where management takes ownership and is
9 doing their job, and the internal auditor is doing their job
10 in testing and so on, and then you've got another auditor
11 coming in, if everybody is cooperating, and there is
12 oversight by the audit committee, and so on, I think that
13 tremendous efficiencies can be attained by using the internal
14 auditor.
15 I am not at all worried that corporations will find
16 -- will take out the inefficiencies. They have the
17 incentives to do so. But as we scope a project such as this,
18 and so on, there are different incentives for the public
19 auditor and the corporation. And they audit committee has to
20 make sure those are balanced correctly.
21 I think I'll leave it at that.
22 MR. TAUB: Mr. Brunner, the banking sector has long
23 had some reporting on internal controls under fiducia.
24 Nonetheless, I am aware of comments that the 404 process was
25 certainly different, or additive to, what had been happening
1 under fiducia.
2 Can you tell me, from your point of view, was the
3 guidance that we provided last year helpful in the process?
4 And are the audits of internal control becoming more risk-
5 focused?
6 MS. BRUNNER: First of all, I agree. It was very
7 helpful. But I would underscore that the largest portion of
8 the help was opening the gates to the more cooperative
9 relationship with the auditor. I just can't underscore that,
10 given that, given the working relationship, that positive
11 things will come out from all avenues.
12 Yes, there are a lot of tactical things. In
13 looking and comparing to how the banking industry has been,
14 which not only had fiducia, but by the sheer nature of the
15 industry, it has always been a very control-based
16 environment. Our products and services lend themselves to a
17 very, very strict control. We have always had a very risk-
18 sensitive model in the first place.
19 I think the difference between what we see in 404
20 and what we have seen in the past was the prescriptive nature
21 and the degree of focus on things that can be tested and
22 measured.
23 Now, maybe that's a hazard of our professions in
24 that we like things that we can see, observe, test and
25 measure. But one of the things that -- and it varied from
1 company to company -- but certainly we see that some
2 improvement can be made, and that opportunity exists.
3 We largely saw that entity-level controls were done
4 in one silo. And activity-level controls were done in
5 another silo. And, of course, we think a lot of energy went
6 into testing and pounding out and measuring and documenting
7 things with lots and lots of paper of doing it.
8 But I think the real lift is yet to come, because
9 when you get to the point you can step back and look at the
10 risks of your business, look at the tone at the top. Look at
11 the environment you are in, and be able to really integrate
12 the -- call it tone at the top, call it entity level,
13 whatever it might be -- and you can integrate that with how
14 much mathematical testing do I need to do. We can start
15 taking some of the burden.
16 Because certainly from the banking industry the
17 difference largely was the amount of documentation and way of
18 going about it.
19 MR. TAUB: Thank you. Move on to another set of
20 questions and start directing this set to Mr. Level and to
21 Ms. Gordon.
22 How would management's process have been different
23 if the auditors were not also going to be involved in
24 assessing internal controls?
25 Were there instances where management believed that
1 it had found and implemented an effective way to test
2 controls but the auditors made suggestions for additional
3 testing that management didn't necessarily think was
4 necessary? And, if so, in the end was that helpful to
5 management's assessment process, or did it merely add to the
6 burden?
7 Mr. Level? I'll start with you.
8 MR. LEVEL: Thank you. And we appreciate the
9 invitation to be back. And the interest of the Commission
10 and the PCAOB in considering again this year the
11 possibilities to make what we are doing better, quicker and
12 faster. And cheaper.
13 We would have, as you have already heard from the
14 first panel and a couple of the comments already from this
15 panel -- we would have committed more of our resources and
16 spent more time on the entity level tone at the top-type
17 controls if we had no audit of the management's assessment.
18 But the reality is, frankly, that our process in
19 the end was driven by the auditors' opinion of internal
20 controls and so we went about determining what they needed to
21 derive and to reach their conclusions and for their opinion,
22 and went down that path.
23 We also did what we felt we needed to do to make
24 them comfortable, of course, with our assessments supporting
25 our opinion. You all know about the typical differences
1 between COSO and AS-2, around an issue that I think is quite
2 important, and that is the ability to recognize that some
3 controls exist, even if they are not documented.
4 We spent a lot of time, frankly, in the last two
5 years, documenting controls that already existed in order to
6 support both the auditor's opinion and our opinion and their
7 own.
8 As you all know, we have been pen pals with the
9 Commission and have submitted comments for the last several
10 years about this topic. And we did again in connection with
11 this panel and this roundtable. And I would urge you to
12 refer back to that as to more specifics we have in that area.
13 But I would -- in thinking about -- on the way from
14 California out here, about this matter again, I feel that we
15 really need to deal with the three-opinion opinions. And we
16 need to integrate the auditor's opinion and make it one
17 opinion, both on internal controls and on fairness of
18 financial presentation. Remove them from the management's
19 opinion of controls and management should, of course,
20 continue doing that.
21 We would support some guidance from the Commission
22 around management's assessment. But we are fearful, frankly,
23 that we would end up with a whole new set of rules and an
24 approach to management's assessment, and we would have to go
25 ahead and expand on what we already do there.
1 And we would find, frankly, that we would have to
2 continue to do everything that we have done, including --
3 unless you deal with AS-2 -- dealing with making our auditors
4 comfortable in the way in which their -- the standards that
5 apply to their opinion would mandate that they behave.
6 Now, having said all of that, I do want to close in
7 saying that your guidance last spring was quite helpful. It
8 was a little late, but helpful.
9 And I want to echo what I heard from both of the
10 previous panelists here, that the tone between the auditors
11 and management was probably the single most important result
12 of that guidance.
13 Thank you.
14 MR. TAUB: Thank you. Ms. Gordon, if you could
15 comment on how your auditors affected management's process.
16 MS. GORDON: Well, thank you. And once again thank
17 you for letting me come and speak in front of the group again
18 this year. What a difference a year makes. It's true for
19 the success of 404, in my mind. And also true in splitting a
20 company into two media companies now.
21 So, I have a lot to say also on the small. We were
22 large, and now we are two moderate size. So, I found that
23 question very interesting.
24 But first, to speak to what the guidance did for
25 us. The guidance was extremely helpful, echoing what the
1 people have said on the panel. But also it confirmed our
2 approach, that management is responsible for assessing risk.
3 And then we then take that risk assessment and coordinate it
4 with our internal audit, and then coordinate it with our
5 external auditors. So that is the approach that we had taken
6 from the beginning with this, the guidance confirmed that.
7 To the question of what would have -- how our
8 assessment would have been different had we not had an
9 independent audit, I have to truthfully say that I don't
10 think there would have been a difference.
11 And that maybe seems strange in some way, but I
12 think by taking the approach that management owns the
13 certification, and management is responsible for the
14 controls. The CFO, the controllers at the divisional level
15 and at the corporate level, have to say that this assessment
16 for risk is their assessment.
17 Now, the discussion comes in once management has
18 sat down and the financial groups at all the locations
19 throughout the world for us, sit down and look at it. We
20 then have the challenge of working with internal audit and
21 the independent auditor and saying is this sufficient? Is
22 this enough?
23 And throughout the course of the first year, it was
24 certainly much more debate than there was the second year.
25 The second year, we got down to talking about issues where we
1 may have had a different point of view on the auditor's
2 position on re-performance of controls versus our position
3 where we thought it was sufficient to verify evidence that
4 control had been performed.
5 So that we had to work with the independent audit
6 team and we had to go back and forth and debate what is
7 sufficient.
8 Also, the issue where I think we still continue to
9 debate, something as challenging or un-challenging as
10 spreadsheet controls. The auditors will come in and say that
11 this is the most important control that you have to have.
12 You have to go and recalculate and re-add and check all the
13 spreadsheets that you have that are in key processes, and you
14 have to find a team of people that are going to do this.
15 This tends to be a very interesting battle.
16 Because I can remember the computer came out many, many years
17 ago. You didn't have to re-check or re-add them up, but we
18 find that there's a healthy tension between us, as far as we
19 are going to go. So, as far as guidance on that, if we were
20 to look at what we need to do, maybe that's something that
21 information to the external auditors or to internal auditors
22 might be helpful, from that standpoint.
23 So, those were some of the issues that we still
24 continue to debate, but I still think minor compared to what
25 the issues were in the first year.
1 As I said, it's been an unbelievable year. I
2 applaud Phil from GE, who said that controls are in the
3 vocabulary. And speaking from a media company, we have a
4 year where controls are so embedded in the minds of both
5 business operations people, financial people and top
6 management. It's a success to what Sarbanes-Oxley really did
7 for us. So, I applaud it. And any other questions?
8 MS. PHILLIPS: In terms of auditor involvement,
9 changing what management otherwise would have done, Pete
10 Minan, you have some firsthand experience implementing AS-2
11 and working with companies. Can I get your perspective on
12 that?
13 MR. MINAN: Certainly. First of all, let me thank
14 the Commission and the Board for inviting me back to speak
15 again. I am happy to be here as well.
16 In year one, clearly the auditors had a significant
17 amount of input in management's assessment process. The
18 standards were new. The concept was new. And at the time
19 there was no guidance for issuers really as to what to
20 follow. Some of the issuers, of course, looked to their
21 auditors for guidance. The auditors in turn looked to AS-2
22 for guidance, and basically almost held AS-2 as the default,
23 the de facto standard for management's assessment.
24 The May 2005 guidance was particularly helpful in
25 dealing with that and in a particular area. One area that
1 the May 2005 guidance did was clarify the recognition that
2 management has a broader array of procedures that they can
3 use to test their assertion -- basically their assertion did
4 not have to look -- their test of their assertion does not
5 have to look like what we as auditors are used to seeing.
6 And that really opened the door. I think that went a long
7 way to reducing if not eliminating some of the duplication of
8 efforts. It certainly improved efficiencies in many
9 respects, and took a lot of stress out of the system.
10 Now, are we there yet? No. Clearly, as both
11 issuers and auditors gain more experience, I think we are
12 going to move further down the learning curve on that. As we
13 get more experience as to how managements document their
14 assessment, I think we are going to get better at auditing
15 that assessment and reaching our conclusions.
16 Particularly in the area of risk assessment -- I
17 mean, we talk about risk assessment, risk-based auditing, but
18 the concept is -- the hard part of risk assessment is the
19 qualitative aspects of risk assessment. And we as external
20 auditors have been doing risk-based auditing of financial
21 statements for years. We've got an accumulated knowledge
22 over the years auditing financial statements that help us
23 make those decisions and evaluating risk.
24 With respect to internal controls, the mind set is
25 a little different. We don't have the years of experience.
1 We don't have the accumulation of data. And certainly
2 management and issuers do not have the data as well. So,
3 it's a little harder. So we need to gain more experience to
4 help us evaluate the risk there.
5 Particularly in the area we heard mentioned
6 earlier, and that's linking the company-wide controls to the
7 financial statement assertions. That's an area where I think
8 we are going to gain more experience and become better at,
9 and I think you are going to see some efficiencies come out
10 of that particular area.
11 MS. PHILLIPS: Jim Turley. In your firm's comment
12 letter, you suggested that AS-2 shouldn't be amended because
13 its sound and scalable as it is. We have seen in comment
14 letters and heard a number of folks talk today already about
15 the May 16th guidance being helpful, additional benefits
16 still to come, and that we are not going to see the full
17 benefits, in terms of changing audit behavior, unless the
18 standard is amended. To change the rule text itself to
19 articulate those same concepts as in the May 16th guidance.
20 Would you be supportive of that type of amendment
21 of AS-2?
22 MR. TURLEY: Yes. Let me make a couple of comments
23 first. You asked a very interesting question about how 404
24 would have been done differently by management if it wasn't
25 audited and you asked Peter the same question.
1 I have every confidence that CBS would have done
2 exactly as was said. Sadly, I don't think that's the case
3 for every company in the country.
4 Our experience has been that there were many
5 occasions where we had to, sadly, hold some feet to the fire,
6 if you will. And some of those companies -- in fact, if
7 companies weren't committed to doing what CBS was committed
8 to doing, they were not clients of ours, and the other firms
9 had the same reaction. There are a lot of companies who
10 don't serve anymore.
11 So I think that at some level what you measure does
12 get improved. I think the investor community sees the value
13 of independent auditing, and so I wish, deeply in my heart,
14 that all companies had the kind of commitment that CBS has
15 articulated.
16 To the issue of amending AS-2. The May 16th
17 guidance was extremely helpful. As some of my colleagues in
18 the previous panel talked about, that guidance has been
19 already implemented in every one of our processes and
20 methodologies in communications to our partners and our
21 staff. And we have been very transparent with the PCAOB, as
22 you know, about how we have communicated not just the May
23 16th guidance, but all the Qs and As that have also talked
24 about 404.
25 So to that end, I don't think amending AS-2 to
1 include the May 16th guidance would have any substantive
2 impact on the performance of the profession.
3 Having said that, I think we are in a dilemma as a
4 collective group. We are hearing some great companies say
5 that additional guidance for issuers may not be needed
6 because it might change what is now beginning to work very
7 effectively, and increasingly very effectively.
8 But we have a number of companies that have not
9 implemented 404 yet. So I actually believe that having
10 issuer guidance for smaller companies is really important as
11 we move forward. What evidence is needed for management to
12 make its assessment. How should they think through the
13 intersection of work required versus risk. What level of
14 documentation is needed. How should they think through the
15 comments that Lee had about entity level controls.
16 I think those things are subject to some guidance
17 for those issuer communities -- the issuer community that has
18 yet to implement 404.
19 And then I think making sure that AS-2 is aligned
20 with that guidance would be very, very important so we don't
21 have competing standards. To the extent that PCAOB wants
22 to -- if there is back-door issuer guidance in AS-2, to take
23 that out. But merge together the guidance that's out there
24 on the street today because it has been very effective.
25 And I think that we wouldn't object to that. But I
1 think that having wholesale change to AS-2 is not necessary
2 because, as our letter said, it is scalable and it is being
3 effective.
1 MR. TAUB: Thank you. We've heard a little bit I
2 think in these last few minutes some perhaps differing views
3 about whether guidance is needed for management. And perhaps
4 I can just pose the question first to Mr. Holmberg from a
5 large company environment and then to Dr. Sherwin whose
6 coming from a smaller company environment.
7 Is there sufficient information available to
8 management regarding internal control frameworks and
9 regarding how to assess the effectiveness of an internal
10 control system at a company? Start with Mr. Holmberg.
11 MR. HOLMBERG: Thank you. Again, thank you for
12 this invitation. I know I also somewhat representative a
13 number of foreign filers today, and I can tell you from my
14 interactions with them that they spent 2003 and 2004 in some
15 bemusement about what was going on with their American
16 counterparts and 2005 with some trepidation, and this year
17 you see the fear in their eyes.
18 So, fortunately for BP, we've essentially finished
19 our first-year assessment based on last year's results, and
20 so are kind of starting our second year.
21 I'd have to say that when I saw the corp's finance,
22 we wrestled with it because we have not from a large company
1 perspective spent a lot of time saying we don't have enough
2 guidance as to what management's assessment should be.
3 I would actually say we've probably felt like we've
4 benefitted from the fact that we didn't have as much
5 guidance, and therefore were not constrained and bound as our
6 external auditors were by the degree of rigor and precision
7 which AS-2 provided them with. And I think we somewhat
8 benefitted from therefore being able to use judgment where
9 appropriate.
10 Going into our second year, we have, much I guess
11 like many U.S. companies, have significantly changed what we
12 believe to be materiality levels for what we've looked at,
13 and we've gotten in fact very, very quick agreement with our
14 external auditors on some of those changes; so quick that I
15 wonder if we didn't push far enough on that, but I won't say
16 too much because I share the dais today with the chairman of
17 our audit firm, so --
18 And so we feel pretty comfortable about what it
19 takes to do management assessment. I think what we've --
20 anytime you have compliance you're better off within a
21 company if you can get business management to buy into it
22 because it's a good idea, and not because you're doing it for
23 compliance sake.
24 And I think we've been -- I feel like we've been
25 relatively successful with business management in saying it's
1 useful to identify which controls you should have for your
2 major processes; they buy into that. You should determine if
3 those controls are good enough or if they need to be
4 remediated; they can buy into that. So we should test
5 controls on an -- basis; they'll buy into that.
6 Where I lose them is when they say, we also need to
7 -- in order to assess those each year, we need to test those
8 internally with the people who perform the controls; we need
9 to test them with the internal auditors; we need to test them
10 with our external auditors; all of this testing activity in
11 order to get to that assessment. And that's when from a
12 business management perspective they kind of say that's
13 sounds more like compliance than it does good business
14 practice.
15 And so for us that's probably been the biggest area
16 of frustration that, not only were we doing a lot of work
17 internally, but also the auditors following the AS-2 needed
18 to do a fair amount of their own. And so that's the one
19 thing from a foreign filer perspective that's been in our
20 minds.
21 MR. TAUB: Dr. Sherwin, I know you come from a
22 smaller company environment, so perhaps some thoughts from
23 that end of things.
24 DR. SHERWIN: Well, thank you. And I'd also like
25 to thank the Commission and the Board for an opportunity to
1 speak today.
2 I noted that I am the only physician on any of the
3 five panels; I'm not sure that's a good advertisement
4 considering the wealth and widely held views about how we
5 deal with money in my profession.
6 But I'm also here as CEO of a smaller public
7 company, as you all know. And I note that I'm also the only
8 officer of a small public company on any of the five panels,
9 and so I feel a particular responsibility to speak on behalf
10 of the hundreds and hundreds of small public companies that
11 are under the burden of Section 404.
12 As a representative of the Biotechnology Industry
13 Organization, I have particular knowledge of how that
14 regulation is playing our in our industry. Remember that we
15 are largely small and emerging companies working in important
16 areas of health care, food supply, improving sources of
17 energy and alternative fuels.
18 We are also part of an industry in which the U.S.
19 still maintains a global position, and we don't want to lose
20 that; we don't want our global leadership to fall prey to the
21 burden of this regulation as well as the convergent
22 regulations that you're all aware of with respect to FAS
23 123R.
24 So I could spend a couple of minutes, but I won't,
25 talking about the real costs in terms of dollars and
1 personnel that are devoted to the implementation of this
2 regulation. We've surveyed our members; we have the date
3 from our own industry survey.
4 I really don't follow the surveys from the
5 accounting firms: at least a half a million to a million of
6 added expense; over 1,000 hours of personnel time -- these
7 are real numbers to small and emerging companies -- a greater
8 than 250 percent increase in internal controls in the
9 accounting departments.
10 And we don't see any prospects for any change,
11 because to your question about guidance and feedback, we're
12 forced to go to other audit firms in order to get the
13 information we need to address the questions of the primary
14 audit firm.
15 But you know what's more important -- and bear with
16 me -- I think in talking about the real dollar and personnel
17 cost is talking about the opportunity costs in small
18 companies, and this would be true in any of the industries
19 where there are smaller public companies.
20 But in Biotech, which I know well, and as a
21 physician, I can tell you what it means to spend a million
22 dollars on an implementation of these regulations and not on
23 research and development for the new cancer treatments that
24 we're working on at Cell Genesys and that many other
25 companies are working on.
1 So I would urge you all to think about opportunity
2 costs -- obviously much harder to survey and measure -- and
3 the effect on our business model. I happen to have the
4 privilege of having been involved in starting three
5 companies, one of which is still private.
6 And when I sit on the board of that company and
7 listen to venture capital investors wonder whether that
8 company should go public at any point because of the costs of
9 these regulations, or whether in fact they should list
10 overseas, I'm terribly concerned as a 25-year veteran of the
11 Biotech industry that we not step on our own toes and imperil
12 the business model that has created the great companies that
13 you know about today.
14 I'll stop now. I'm not sure I even really directly
15 answered your question. But I appreciate an opportunity to
16 speak, and I felt I needed to do that, given that I am the
17 only small company officer who had that chance today. Thank
18 you.
19 MR. TAUB: Thank you.
20 We have a couple of cards up. First Kayla Gillen,
21 and then we'll go to Bill Brunner.
22 GILLEN: Thank you. I wanted to sort of follow up
23 on the question that --
24 MR. TAUB: If you could put your card down, Kayla,
25 so they can see you on TV.
1 GILLEN: Oh, that's my goal.
2 I'd like to follow up on the question that Ms.
3 Phillips asked Mr. Turley regarding amendments to AS-2. Now
4 I understood from your comments that you can see a need for
5 possible amendments that would make sure that AS-2 is aligned
6 with whatever management guidance the SEC might issue, but
7 that you were concerned about, for example, incorporating the
8 May 16th guidance principles into the standard itself.
9 And what I understood you to say is that your
10 reason for concern is that you didn't think it would be
11 necessary because your firm has fully embraced the guidance.
12 Yet we continue -- we at the Board, and I believe the
13 Commissioner has experienced this as well -- continue to hear
14 anecdotally, from your clients as well as the other firm's
15 clients, that the May 16th guidance has not been fully
16 incorporated into what is actually happening on the ground.
17 And so I wondered if we could have a little bit
18 about what harm would happen versus what benefit some of us
19 think might happen if we amended the May -- AS-2 to
20 incorporate May 16th guidance.
21 MR. TURLEY: Kayla, thank you for asking that. I
22 must -- I may not have been clear in my remarks. I don't
23 have any concern about incorporating the May 16th guidance
24 into AS-2 as long as AS-2 is in -- consistent with whatever
25 management guidance, initial guidance would be, and including
1 even the Qs and As would not be a problem.
2 On the comment that the clients on the ground
3 aren't always feeling, you know, the exact perfect execution
4 of the May 16th guidance, you know, I an my colleagues, would
5 probably plead guilty. I think each of the firms made very
6 sure, very quickly, to bake in the May 16th guidance to all
7 of our methodology and processes in everything we've said and
8 everything we did and all the education we delivered.
9 Having said that, we deliver service through
10 thousands and thousands of people all around the country and
11 all around the world. And I'll be the first to admit that
12 on-the-ground execution has not been 100 percent consistent
13 with what was then new guidance, and I think we are, you
14 know, making every effort to continue to improve that day by
15 day by day.
16 And I think, as one of the other commentators said,
17 I think '06 will be better than '05, and I think we'll
18 continue to improve from there on out, because it's a focus
19 of our firm and all of the firms.
20 MR. TAUB: Mr. Brunner.
21 MR. BRUNNER: Thank you.
22 This question that we were working on around, is
23 there enough information out there, we have a lot of debate
24 amongst our members. The American Banker's Association
25 represents some of the largest companies in the work -- in
1 the United States down to some of the smallest public files
2 in the United States.
3 And what we find is the larger the company, do they
4 need more guidance, more tools? Not necessary. There's a
5 lot of depth of resources within those companies that, you
6 know, they, so to speak, can figure it out themselves and
7 work on it.
8 But as we get down to the membership and you wind
9 up with organizations that are smaller and don't have a lot
10 of redundancy of professional talent in accounting or
11 control, that search -- that field thins out.
12 And so potentially. some additional guidance for
13 that group would be helpful. But, back to a little bit of a
14 question, maybe I'm bleeding into the next question in this
15 whole area is: You get to those smaller organizations and yo
16 start to run out of the ability to take the current model and
17 apply it to them.
18 I sometimes use the example: You have the doer;
19 you have the checker; and you have the checker of the
20 checker." In many cases, there is a more than -- more than
21 one -- certainly, sometimes more than two, and definitely not
22 three qualified personnel present to do that kind of work.
23 Earlier, I had mentioned the concept of trying to
24 pull up to taking more of any entity view, more of some other
25 way other than the documentation frenzy around really trying
1 to do it that way, and take more of a risk approach on it.
2 Potentially, you take more of a view of more
3 observation and inquiry rather than going through several
4 layers where you may end up having engaged outside experts
5 that are experienced in a given field, putting them to work
6 on the clock, for a cost, to go in and check the work that's
7 already been done; just sort through your document trail.
8 So I think the long answer to the short question
9 of, "Is more guidance needed," I think different guidance is
10 needed as you go down the scale of the companies; the big
11 folks can handle it. Don't mean to speak for them, given I'm
12 in a small company myself -- had more resources to be able to
13 do so.
14 MR. TAUB: Thank you very much. We've got a couple
15 of more cards up. Acting Chairman Gradison, and then Ms.
16 Gordon.
17 MR. GRADISON: Dr. Sherwin, you have indicated the
18 -- and pointed out quite properly the opportunity costs
19 involved in public companies as a result of what we're
20 talking about today and that you have experience on non-
21 public company or more as well.
22 Is it your judgment that operating nowadays in the
23 private forum with whatever private capital might be
24 available today or not available today impairs the ability of
25 the private company to innovate to the extent that the public
1 company can do because of its access to public funds?
2 In other words, is the public suffering, in your
3 judgment, in your field, in the areas that are important to
4 all of us, innovation, job creation, competitiveness and so
5 forth, because the cost of being a public company has been
6 rising?
7 MR. SHERWIN: I think the short answer is yes. I
8 think there is no question that the venture capital
9 financiers of small emerging companies are taking a very hard
10 look at the value equation and taking those companies public
11 and are beginning to consider alternative liquidity events,
12 acquisition and the like in greater frequency.
13 And the concern I have about this is what it will
14 do to the start-up opportunities, particularly in my
15 industry, because it all works backwards from the liquidity
16 event, as we all know.
17 So I think I've heard enough conversations myself
18 at board meetings where venture capitalists are beginning to
19 question the public offering liquidity event and thinking of
20 alternatives and then wondering, frankly, whether they want
21 to continue to invest in this area.
22 It's hard to measure. Opportunity cost is always
23 much harder to measure, but I believe it's a real phenomenon.
24 And that's why Bio supports, as I think you all know, the
25 Small Business Advisory Committee recommendations to the
1 Commission in terms of scaling the implementation of 404.
2 MR. GRADISON: Thank you.
3 MR. SHERWIN: You're very welcome.
4 MR. TAUB: Okay.
5 Ms. Gordon.
6 MS. GORDON: I just wanted to say a few words about
7 echoing the belief that larger filers don't really need
8 additional guidance on what is needed; okay. And I believe,
9 Bill, you kind of nailed it on the head -- we have all of the
10 resources internally.
11 When you look at it, we have business unit managers
12 at each location; we have comptrollers; we have a corporate
13 staff that is experienced in internal audit controls as well
14 as external audit controls. So providing additional guidance
15 for large filers, I would echo that point of view.
16 One of the interesting things that we always face,
17 we have acquisitions throughout a year. And we always go out
18 -- and we're looking -- we acquire a small, little company
19 that has not had any of these controls. So they're coming in
20 -- it's a small radio station, small television station,
21 maybe a small new up-and-coming new media.
22 And we kind of go in and say, here is this large
23 behemoth company coming in and trying to put controls in.
24 And we kind of get an experience on how different that is for
25 a small filer to come into and fall into our ranks.
1 If you look at it, you see the challenges that they
2 have, but you also see the resources that we automatically
3 have available to give them. It's very interesting when we
4 look at this to see how helpful you can be as a large filer
5 and the struggles that you have as a small entity coming in.
6 So I would go on the side of less guidance for
7 large issuers, but some relief for the small companies coming
8 in.
9 MR. TAUB: Okay. Kimberly Gavaletz, you've got
10 your card up, and then I'm going to move on to some questions
11 that get at some more specific aspects of the assessments.
12 MS. GAVALETZ: Thank you.
13 I'd like to comment a little further on this
14 opportunity costs that's lost, but also on maybe some other
15 unintended consequences that we sometimes see as negative but
16 that might actually be positive here from as the companies
17 are getting that venture capitalist interest and then
18 proceeding on to being a public company to the point where
19 they might be interested in being acquired.
20 To your point, Susan, we, when we're looking at
21 companies, it is part of our -- we're bigger, and can bring
22 them in. But we're finding it's very beneficial if they've
23 already started some of this effort.
24 One of the things that got addressed in the first
25 panel is the vocabulary or vernacular of controls is being
1 very helpful if nothing else for when you are incorporating
2 and acquiring and then integrating and then getting the true
3 value out of that company as quickly as possible.
4 So I can almost see a continuum as companies go
5 public that they might need to be on -- in a maturity curve
6 that needs to happen as they mature in that effort, and it
7 might be very different to do that, but as, if nothing else,
8 this discussion is helpful in the control environment for the
9 people being acquired, if that's their ultimate goal or for
10 those that are acquiring them.
11 And also just as the company grows, you'll hear
12 controls -- even some of the earlier Microsoft stories of
13 when they were very small the level of controls they needed -
14 - then as they grew the level of controls -- and this was
15 more in the engineering realm, but it still applies, I think
16 equally as well here, to be able to control the company, they
17 had to get configuration management. They had to do all of
18 the other things; put the internal controls in place.
19 And I think it is that maturation that we're
20 talking about there. So I think there are some saving that
21 occur in the long-run, but how that works into not de-
22 incentivizing the entrepreneurial spirit of this country and
23 our inventive spirit, but at the same time positioning such
24 that the investment community is equally served as well as
25 them having the opportunity to grow and to be just viable
1 citizens in the acquisitions side of things is very important
2 as well.
3 So I think we're really planting some seeds, if
4 nothing else, like I said, in the vocabulary side, but in the
5 long-run, I think some of these become more common practice,
6 and won't be as hard to do, because people will have known
7 how to do them.
8 And the people that the small companies hire might
9 be some folks that know how to do it, and it becomes more
10 common practice; whereas right now you kind of got what you
11 got.
12 MR. TAUB: I'm going to move on to some questions
13 that get a little more specific on certain areas. We've
14 heard a couple of people suggest that the consideration of
15 company-level controls is very important and that effective
16 company-level controls ought to be able to reduce perhaps the
17 amount of work that's done on lower-level or processing
18 controls.
19 I'd like to ask the question first to Mr. Brunner
20 and then Mr. Holmbery as well as others who would like to
21 chime in. What types of company-level controls really do
22 have the greatest impact or should have the greatest impact
23 on the scope and extent of additional testing?
24 MR. BRUNNER: Well, I would first off -- and you
25 have to step back just a bit even from the control that's in
1 place -- is a recognition of the business model that you're
2 in. What are the controls, and what are the environment that
3 you exist in on a daily basis?
4 But stepping down into the entity-level controls,
5 it would be -- I think you cannot escape things such as
6 very top level processes, the involvement of management, the
7 involvement of the business leaders in the finance reporting
8 and the amount of review and the kind of work that goes on at
9 that level, the processes at entity-level that I've done, so
10 to speak, to close and analyze and look at the business.
11 I get that in one sense it's a process but another
12 sense it's clearly a tone at the top of the engagement of
13 understanding, the depth of understanding that goes on within
14 a company.
15 The focus on ethics and approach that the people
16 take to the business, those are the type of things that can
17 be very, very helpful. For example, just by how a company
18 analyses and understands their business, they may know --
19 even though they may be smaller -- good, solid information
20 about what drives the business, what drives the revenue, what
21 are the metrics of performance.
22 I think those are higher level controls that need
23 to be given a lot of weight in finding and discovering
24 discrepancies versus going down and saying, "I'm going to
25 check five of these and document them down and put them in a
1 file."
2 There are certain ways that that mitigating control
3 is going to catch things at a much higher level. I hope that
4 answers your question.
5 MR. TAUB: Thank you.
6 Mr. Holmberg, you could address the same topic.
7 MR. HOLMBERG: I think, obviously, a lot of
8 companies have tone-at-the-top-type company controls that
9 have been in place, but I think your question is more
10 specific to other kinds of controls that we've looked at.
11 And, as we go into our second year, we are really
12 focussing that in two areas: One, BP, like many companies,
13 has a significant profitable, profitability forecasting
14 process that it uses. Maybe ours is more significant than
15 others, but the very fact that you can compare actual results
16 with forecasted results and find discrepancies there provides
17 a lot more comfort than we realize.
18 But the process always worked; we didn't rely on it
19 as much as possible. But I think the biggest area that we're
20 focussing on is in IT where we are trying to put in place
21 more what we'd call IT operating standards.
22 And if such standards are working effectively, then
23 we are essentially moving away from IT testing at the
24 application level for every application that's considered
25 significant. And that's a -- quite a big philosophical
1 change, but one that we believe is justified, and one that we
2 so far our external auditors' supported.
3 MR. TAUB: I'd like to actually roll with that.
4 You mentioned IT, and IT controls are another area where
5 we've received a lot of comments, heard a lot of discussion
6 that the level of working being done related to IT controls
7 was perhaps not optimal.
8 In fact, let's start with Mr. Level.
9 Your thoughts on whether the evacuation of
10 information technology controls is being done in the most
11 effective way and whether -- if you believe improvement is
12 needed there, or whether we have started moving in the right
13 direction?
14 MR. LEVEL: We've been pretty direct in our
15 comments. It is very important that baselining, benchmarking
16 be allowed and that the current guidance around what the
17 criteria that are necessary to be achieved before one can use
18 this approach are frankly more expensive than starting all
19 over.
20 And so -- and we think we know something about
21 information technology. And, by the way, in that regard,
22 there was a comment earlier about using registrant
23 experiences in and advisory way. And we would certainly
24 volunteer to participate.
25 And I know there are any number of information
1 technology companies in the country; if there's anything that
2 we have a strength in, it's that -- who would be happy to
3 help you deal with that issue.
4 And frankly, we've found that this is an area where
5 maybe we've spent too much time on application controls based
6 on the way in which the guidance evolved and not enough time
7 on other controls around information technology, physical
8 controls, network controls and so on.
9 And I think you would find that you have a more
10 constructive and a more appropriate conclusion to support
11 your assessment of information technology controls if we
12 could benchmarking, baseline and spend equal amounts of
13 resources over areas.
14 MR. TAUB: I've seen a number of people nodding as
15 we've gone in the IT discussion.
16 And, Ms. Gordon, I believe you were one.
17 MS. GORDON: My response to -- ISNT moved in the
18 right direction, but we still have a very long way to go.
19 And I think that kind of, we just all reconvened the group
20 for the company on 404. And I think we -- our takeaway was
21 that, you know, for the business processes, we're where we
22 want to be; want to keep going.
23 But ISNT, we've got to get there, to a place where
24 right now I think from an -- audit firms are still taking the
25 approach of a control questionnaire approach, so they're
1 coming in and giving us canned questions, so it hasn't really
2 been tailorized. They're not maybe looking at a risk-based
3 approach for the IST review.
4 In addition, companies are finding I think that all
5 of our controls are manual, so that we are faced with maybe
6 90 percent or greater of our control and how to instruct to
7 automate these control so that we can make the control
8 process and the evacuation from the company's standpoint more
9 effective, quicker, as well as kind of work with the outside
10 auditors not to have this group of ISNT experts come in and
11 evaluate us and be basing their information off of a
12 questionnaire.
13 So the goal this year is to move from more then 90
14 percent of our controls are manual to maybe 80 percent. And
15 ISNT is on board with this. And I think they see this as a
16 great opportunity.
17 So as you're going in and building a new system,
18 take the initiative from day one to actually go in and
19 building those controls; embed them in the system so that you
20 have that.
21 But I think that that was the greatest
22 disappointment. If I had any disappointment for '04 and 2005
23 it was that we didn't move ahead on ISNT as much as I wanted.
24 MR. TAUB: There are a few cards up. Ms. Gavaletz,
25 Dr. Sherwin, and, Jim, did you have your card up and it fell?
1 MR. TURLEY: It keeps falling off.
2 MR. TAUB: All right. Well, why don't we turn to
3 Jim Turley first, and then we'll go back to Kim Gavaletz.
4 MR. TURLEY: Yeah. Real quickly, Scott. I think
5 these last two questions on both the company-wide or entity
6 controls and the IT controls are all linked. You know, when
7 I look at companies, I think there needs to be a balance of
8 prevent controls, detect controls and entity-level controls;
9 some automated; some not.
10 And I think that balance changes depending upon
11 whether you're a small company or a large company. And if
12 you think about prevent-, detect-, entity-level controls, I
13 think actually the nature of some of the company-wide or
14 entity-level controls is actually different at bigger
15 companies than at smaller companies; much more focus around a
16 monitoring of whether other controls are effective; whereas
17 in some smaller companies, it's a monitoring of operations
18 themselves.
19 And so I -- this is one of the reasons why I think
20 it's really important that we get more focussed guidance for
21 smaller companies because there is difference between the
22 control environments. And so I, you know, encourage, you
23 know, Coastal to complete their efforts and the SEC to
24 consider smaller company internal control guidance. And I
25 think that will help balance, keep that balance appropriate.
1 MR. TAUB: Thank you.
2 Ms. Gaveletz?
3 MS. GAVELETZ: In the IT area, I believe we really
4 have been going through some evolution. As was mentioned
5 earlier with 404 we really went into the external auditors
6 having to, not only look at the integrity of the financial
7 reports themselves, but the controls backing them up.
8 I think the next step really was the IT that backed
9 up -- that was really doing the controls. And I think we
10 brought a whole lot of folks into doing that IT work that
11 might have been on the fringes.
12 One of the -- another unintended consequence that's
13 been great has been the integration of our IT work with the
14 actual applications that they're serving. They did them, but
15 there hadn't been that ongoing relationship, and the control
16 environment had really -- the focus on that has really caused
17 that, and so that learning has happened.
18 But what I think it's resulted in is to date we've
19 seen more bottoms up risk assessment. Because, to be honest,
20 a lot of people that did a lot of that high-level risk
21 assessment before may or may not have had the IT knowledge,
22 or they brought in the IT specialist into an investment that
23 they hadn't previously been in.
24 So I think some of that's going to correct itself
25 as the people are in the same rooms having the same
1 conversations. And I think as internal auditors, external
2 auditors and the colleges graduate more folks that have the
3 IT background that's part of their normal curriculum that
4 they're going through, we'll also start providing that as
5 part of the work force.
6 But right now, we're having to blend some
7 communities together that quite honestly weren't always in
8 the same room in those conversations; they might have existed
9 in the same corporations, the same firms, but not necessarily
10 together, so I think that's got to happen.
11 But there really is that integration going on. I
12 think there is lots of things going on right now. The
13 Institute of Internal Auditors is working on some guidance in
14 this area at a more top level. The IT governance institute
15 that does covers also working that. So I think there is
16 guidance coming out on that.
17 The thing I would be most concerned is making sure
18 that we get it into more of a top down, because I think we
19 have done a lot more actually looking at it in detailed level
20 work that may not be as efficient and effective as it could
21 be to really answer the question on the effectiveness of
22 internal controls relative to financial reporting.
23 MR. TAUB: Thank you. If I can turn to Dr.
24 Sherwin.
25 DR. SHERWIN: Thanks. I just wanted to make a
1 brief comment about how 404 oversight in the IT area is
2 particularly onerous to smaller companies, because I think it
3 illustrates the general points I was making earlier. And I
4 could just as well comment on the application in accounting
5 areas or human resources.
6 And, in a nutshell, the problem is that the lack of
7 adequate staff and infrastructure forces the hand of the
8 smaller public company to seek outside consultative support
9 to carry out the necessary testing, and usually that means a
10 second audit firm.
11 And therein lies the catch 22 in terms of our never
12 having any confidence that the cost requirements of
13 implementing these regulations as they're now defined will go
14 down over time. So, again, the need for scaled reform. I
15 want to emphasize how important it is and how the IT area
16 illustrates this.
17 MR. TAUB: Thank you.
18 We've got a couple more tent cards on this one, and
19 then we'll move on to a couple of more subjects in the
20 remaining 15 minutes or so.
21 Mr. Minan?
22 MR. MINAN: Thank you.
23 First, with respect to IT, generally speaking, my
24 experience is probably the IT area more than any others that
25 benefitted a lot from the 404 experience. I think both the
1 company's assessment process and the external auditor's
2 review of the IT area, I think shined a light on the IT area,
3 generally speaking, and identified some areas that probably
4 hadn't gotten some attention in the past.
5 Opportunities to improve both financial controls
6 and operational controls, I think we saw some deficiencies
7 that hadn't previously been focused on, and I think we saw
8 some opportunities for companies to migrate from detective
9 manual controls to preventative systems-based controls. So I
10 think that areas gained a lot of benefit just as a result of
11 the 404 process, and I think it's important to not lose sight
12 of that.
13 I think in year 2 and year 3, we'll continue to get
14 benefits and improvements, at least from an external audit's
15 perspective as well as management's assessment perspective
16 relative to benchmarking. This is an example where the May
17 guidance came out; was very, very helpful; and was embraced,
18 but not all of the benefits are necessarily realized.
19 With respect to benchmarking, as companies continue
20 the migrating towards preventative systems-based controls and
21 continue to get comfortable with documenting the controls
22 over changes to systems, I think you'll see more and more
23 benefits reflected in lower audits -- narrower audit scope
24 and less audit hours; I think that's pretty important.
25 I also think it was point out earlier that the
1 integration of the audit, which we did much better this year
2 than we did in year one -- again, we did that early in the
3 year this year. And I think in some degrees the integration
4 didn't occur in light of the May guidance. We started the
5 integration process in April and March and kind of did the
6 lessons learned at the end of year one.
7 And I think it was in some respects that it went a
8 little bit too far down the road to change things for scale
9 as it relates to the full benefits that come out of the May
10 guidance relative to IT.
11 So I think -- I'm very, very optimistic that in
12 year 3 this is an area where I continue to see -- continue to
13 expect to see benefits and efficiencies both on the
14 management's assessment side as well as the external audit
15 side.
16 MR. LEVEL: Well, it depends on which side of the
17 glass you're looking. Thank you, Peter. I just wanted to
18 point out that one of the consequences of the increased
19 interest in IT is increased cost around IT.
20 Our SAS 70 cost is up about three times year over
21 year as a result of the increased focus in this area. So
22 there is a cost to go with the benefit of the focus, but we
23 love it.
24 MR. TAUB: Commissioner Atkins, I see that you have
25 a question.
1 COMMISSIONER ATKINS: Yes. Before we leave this
2 topic of company-level controls as well, because from my
3 perspective that's what this is all about, and where things
4 sort of veered off course, and you all have brought up some
5 of the more picayune aspects, I guess, of the process where
6 you're asked to recalculate spreadsheet calculations and
7 things like that.
8 I'm curious, because I do think, you know, we
9 probably do have to change the definitions that was heard
10 from the first panel. But I was wondering how could we arm
11 you all, as management, in order to be able to push back on
12 some of the more, you know, picayune granular demands and
13 keep things at really the entity-level, which is what this
14 process was meant to do in the first place?
15 MS. GAVALETZ: I would just comment your comment
16 right there helped. Okay. Just staying at -- to stay at the
17 entity control level, raise it up, you know, apply the same
18 top-down approach, which I think will cause companies to look
19 at themselves and see what is their governance structure
20 around their IT environments.
21 How does that affect their financial reporting, and
22 actually ask those questions and make sure that the top level
23 is there, which I think will have the overall consequence of
24 working throughout the system.
25 So I think your comment right there was very
1 helpful.
2 MR. TAUB: Mr. Level, your response.
3 MR. LEVEL: I agree with Kimberly, and keep it up.
4 I think we would most appreciate increased focus on the fact
5 that COSO agrees that documentation is not necessary to have
6 good control.
7 The whole distrust, if you will, of the fact that
8 management represents a particular control takes place, and
9 the auditor knows it does but they have forced issues like
10 minutes of meetings. They walk by the same conference room,
11 you know, with class and see that people are holding the
12 meeting every time. But it's just a -- it's a major, major
13 issue, and it isn't picayune.
14 MR. TAUB: Okay. Ms. Gordon, did you have another
15 response to Commissioner Atkins?
16 COMMISSIONER GLASSMAN: I was just going to echo
17 that, that relief on the documentation for the auditor would
18 be of great help, and also continuing the emphasis on the
19 entity-level controls, which I think the company as a whole
20 makes that decision.
21 When we look at it and we say, you know, the most
22 important thing for us is that we have effective business
23 code of conduct that we have employees sign; that we have an
24 internal audit recommendation process, where every point's
25 going to be addressed, or where we have strong analytics on a
1 monthly or quarterly or annual basis.
2 If that's management's view, and management's
3 position on how they get comfortable, then it should be
4 sufficient to say that that's the tone at the top. That's
5 the direction we're moving in, and the auditor should take
6 some solace in that, we would hope.
7 MR. TAUB: Okay. A couple of more cards went up.
8 Mr. Holmberg and then Mr. Brunner.
9 MR. HOLMBERG: Well, just to be somewhat
10 responsive, I do think that's why you hear some people
11 pushing back, that we do need to modify AS-2, because even
12 though the guidance last year was helpful, at least in our
13 particular concern we still have auditors feeling compelled
14 to say the guidance is useful, but we're still bound by AS-2.
15 So the comments about having to walk throughs and
16 not rely on the work of others. The guidance is helpful, but
17 we're still bound by AS-2. I think modifying AS-2 to be a
18 little less prescriptive and a little bit more judgment on
19 the behalf of auditors, would actually be very helpful.
20 MR. BRUNNER: This might be a little more of a
21 philosophical answer to your question. But when I look back
22 and you say what is driving this documentation, what is
23 driving a lot of this detail thing rather than stepping up or
24 taking more observation views.
25 Some of it, I think, is just a recognition of
1 environment. I'm not quite sure how we fix all of it, is
2 being cognizant that issuers, auditors, everyone, and it's
3 been mentioned particularly in the first panel, are so
4 sensitive to risk, and risk of 20-20 hindsight, and being
5 called on the carpet, so to speak, for whatever they have.
6 It is certainly a wind or a trend that we're having
7 to fight against. What is a common answer to that? Paper it
8 up. Document it up. So whatever we can do in that vein that
9 try to reduce some of the fear, if one might say, of doing
10 that would be very helpful.
11 MS. STACEY: I'm wondering if we can wander down a
12 slightly different path. This has been very helpful, but I
13 wanted to explore a little bit on some additional guidance
14 that people thought might be helpful.
15 We've heard about entity-level controls and how
16 that impacts the scope of the remainder of the testing. One
17 of the things that we really haven't explored yet is exactly
18 how that testing actually happens.
19 Is it ongoing monitoring? Is it testing at points
20 in time and rolling forward to the end of the year? I
21 haven't heard a lot about any problems in that area, or
22 whether additional guidance is needed on exactly how you
23 actually perform the assessment. I'm wondering if anyone
24 would care to comment on that. Yes, Kimberly.
25 MS. GAVALETZ: As I kind of made statements
1 earlier, I'm not a huge extra guidance. You know, keep it as
2 simple as you can. But I think relative to going forward,
3 there could be some additional, you know, emphasis on the
4 entity controls, and kind of turning the equation back the
5 way I think actually the standard is written.
6 But we've gone, you know, in our rush to having to
7 be compliant in the early years, we've really gone all the
8 way down to the full end of the spectrum. You had to solve
9 the whole equation, so you did everything.
10 But I think we've still -- if we could get back to
11 those entity controls and reinforce that level of it, because
12 that is really where you get the tone of the top. It is
13 really where you get the overriding controls that make
14 everything happen.
15 When you're -- I used to like to look across all
16 the businesses in my internal audit role, to be able to see
17 what was going on across all of them, versus having to audit
18 at each place.
19 If I didn't have the appropriate organizational
20 structure, the appropriate policies and procedures in place,
21 you can't audit it in. So the importance is there in the
22 entity controls.
23 I think also in doing the risk-based approach on
24 things, I think people are struggling a little bit. I think
25 I would intuitively agree. But implementing risk-base when -
1 - we haven't really hit it on the panel today, but in the
2 past, last year we did on all the work you have to have
3 looked at, you know, in that year.
4 I didn't have the phrasing quite right there. But
5 I think people haven't quite figured out all the ways that
6 they can really look at something and do the work in that
7 year, but the work might have been from prior years.
8 But they would do either minimal testing or assert
9 that they don't need to do any testing, because they tested
10 it two years ago and they've checked the change logs and
11 change records and there weren't any changes. They don't
12 have to do anything.
13 Some areas are getting that into their -- some
14 companies I talked to are getting that into their processes.
15 Others, you know, it's a significant area. We've got to do
16 it every year.
17 So I think some things there. Also once something
18 gets scoped into the risk environment, getting it off the
19 list is very difficult. So being able to be flexible and
20 really "Okay, that risk went away," or we need to maybe
21 monitor that. How are you monitoring that?"
22 Checking how we're monitoring it, just really more
23 of a dialogue on the whole thing at the top level, I think
24 will help really make the environments that we're trying to
25 create get there a lot faster, versus just the individual
1 more robotic sort of testing.
2 MR. TAUB: Dr. Teplin, did you have something to
3 add here?
4 DR. TEPLIN: Yes. When I thought about the whole
5 list of questions and so on that we were reflecting on, this
6 whole idea of each year stands on its own has bothered me a
7 good deal over time.
8 As the panelists indicated, testing done this year
9 for a medium risk or a near-high risk may not need to be done
10 each year.
11 I think that this type of -- by the statement "each
12 year has to stand on its own" has forced companies and forced
13 the external auditors, the independent auditor, to feel that
14 every year we're going to do all these tests again.
15 I think that that has prevented some of the cost
16 efficiencies that we could use. So I would ask that this be
17 reconsidered, or at least modified in a way that makes --
18 perhaps makes it clear that you didn't mean that every
19 control has to be tested every year and so on.
20 I think that that's somewhat of a confusion in
21 there.
22 MR. TAUB: Mr. Level.
23 MR. LEVEL: Carol, your question reminded me --
24 sorry. Your question reminded me of a comment that we've
25 included in all of our letters during the last couple of
1 years, and I would just like to reiterate it, that we think
2 there should be some focus on the 302-404 interrelationship.
3 We've gone from annual reporting or quarterly
4 reporting and annual audits to continuous auditing, and that
5 has gone into, obviously into the control areas in space. It
6 would help if we could moderate the representation to a
7 knowledge and belief, for example, or take some other
8 approach.
9 MR. TAUB: Okay. We've got about three or four
10 minutes left. Throughout this panel, we've heard a number of
11 people suggest that to the extent more guidance from
12 management is needed, it is needed more and more as the
13 company gets smaller and smaller, and that perhaps the size
14 of the company indeed does impact what kind of additional
15 work is needed on management's assessment process.
16 If I could ask, what are the particular challenges
17 that small companies face, and how could they be addressed in
18 terms of making the assessment process more effective and
19 efficient, and if I could start with Dr. Sherwin.
20 DR. SHERWIN: Thank you. As I stated earlier, it's
21 hard for me to see how the circumstances with smaller
22 companies in Section 404 can be addressed by way of guidance,
23 because of the lack of infrastructure and inadequate
24 personnel to make the process more efficient.
25 The subsequent requirement to have secondary
1 outside firms performing the internal testing is going to fix
2 the cost at a certain level, and I frankly don't see how it's
3 going to be diminished.
4 That's why Bio supports the recommendations of the
5 Small Business Advisory Committee with respect to a scaled
6 application of 404 reflecting, as you well know, market
7 capitalization and level of revenues.
8 MR. TAUB: Kimberly.
9 MS. GAVALETZ: That's a test for all of our
10 speakers. I think that it almost makes me want to go start a
11 small business, to address the concern of the small
12 businesses, because I do see the concern that's being
13 addressed.
14 Because you don't have the staffs that larger firms
15 have, that they utilize. You know, they don't have -- if
16 their businesses were -- if our businesses were all broken up
17 into small components, we wouldn't have the ability either.
18 But because we have the economy of scale, we have the folks
19 there.
20 But I'm thinking that some of the things, that the
21 small businesses need our resources. They're also needing
22 some more "how to" and some more almost start-up kits that
23 would allow them to know, you know, here is what -- and I
24 don't like hugely checklists and things.
25 But I think in some of these areas, if you're
1 coming from just starting a company, something that would be
2 just very useful. But again, I don't know, kind of back to
3 your question of guidances, is what's needed there or
4 service, some service that needs to be provided to be able to
5 assist the small businesses.
6 I don't know if that needs to be looked at from a
7 government perspective. I think again as an entrepreneurial
8 company and country, there ought to be something there to
9 help serve in a cost-effective manner, the need that's out
10 there, because I do believe the need is there.
11 MR. TAUB: We are running quite short on time, but
12 I see Commissioner Glassman wanting to either ask a question
13 or make a comment here.
14 COMMISSIONER GLASSMAN: It's a question, thank you,
15 and it's related to the small businesses. Thanks. Given
16 that you have to do 906 and 302 certifications, how much of a
17 problem would it be to do at least the management assessment
18 part of 404, without the auditors being involved?
19 DR. SHERWIN: I think that's an important question,
20 because with the requirements for certification, we take
21 things very seriously. I believe that that is an element of
22 oversight that has been overlooked inc considering the
23 additional burden of 404.
24 So that would be helpful. Now there certainly is
25 an added component, with the external out of station, and it
1 would be better with respect to just having the focus on the
2 internal certification.
3 But even so, the scaled approach remains our
4 primary focus in terms of our viewpoint as defined by the
5 Small Business Advisory Committee. Thank you.
6 MR. TAUB: And we've got time for one more comment,
7 and we've got coincidentally one tent card up. So Mr.
8 Brunner, you get the last word.
9 MR. BRUNNER: To continue on your question a little
10 bit, because it kind of jumps into where I wanted to go, was
11 what do I think would make a difference? I think it would
12 assist in companies being able to do exactly what I was
13 talking about earlier, of looking at a risk-based approach to
14 it.
15 You'd have yet another avenue that isn't in your
16 way or another view or that, you know, quite honestly likes
17 to build a documentation base. You'd be able to give them a
18 little more freedom to take on a risk-based approach.
19 I can't underscore -- I'm not sure giving small
20 companies tactical things to do is an answer. It's giving
21 guidance and understanding of risk, and the guidance and
22 understanding of how to think about risk can be very helpful.
23 We as well, you know, support the proposals out
24 there for the small companies. Thank you.
25 MR. TAUB: Okay. With that, we've come to the
1 close of our panel on Management's Evaluation and Assessment.
2 I'd like to thank the panelists for your contributions.
3 Thank the Commissioners and the Board Members as well for
4 their attendance and their contributions.
5 We now have a break until 1:15, when we will return
6 with our third panel. Thank you everybody.
7 (Whereupon, a luncheon recess was taken.)
8 PANEL THREE
9 THE AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING
10 MR. RAY: Good afternoon and welcome back to the
11 roundtable on internal control reporting and auditing
12 provisions. I'd like to just briefly summarize the rules of
13 the road since we've all had a lunch break now and perhaps
14 some of you arrived over the lunch break for this roundtable.
15 We don't have a whole lot of time as you've probably noticed
16 from the schedule to cover a lot of ground and hear from a
17 fairly large number of panelists, and we want to hear from as
18 many of you as possible on each question that we're about to
19 pose to you. There are no opening statements. We want you to
20 focus on the questions that the moderators will be posing to
21 you. So also please keep your comments as brief as possible
22 while clearly making your points, again so that we can hear
23 from as many of you as possible on each of the questions. I
24 do plan to direct some of the questions to specific members
25 of the panel, to get the discussion rolling. But after that,
1 I certainly do hope that each of you will volunteer by
2 placing your name tents up, to also participate in the
3 discussion of each of the questions.
4 If I don't see many name tents up, I probably will
5 call on one of you. Of course, because of time, I can't
6 necessarily guarantee that I will be able to call on
7 everybody for every question.
8 But I certainly anticipate that we will call on
9 everyone at some point during this panel. So let me
10 introduce the panelists. Beginning on my left, we have Frank
11 Brod. He is Corporate Vice President of Finance and
12 Administration, and Chief Accounting Officer at Microsoft
13 Corporation.
14 Next to Frank is Lisa Flavin. She is Vice
15 President, Audit at Emerson Electric Company.
16 Next to Lisa is Tim Flynn. Tim is Chairman and
17 Chief Executive of KPMG, LLP.
18 Next to Tim is Jay Howell. Jay is Associate
19 Director of Assurance for the Northwest Region of BDO
20 Seidman, LLP.
21 Next to Jay is Leo Kessel. Leo is Senior Client
22 Partner, Deloitte and Touche, LLP.
23 Next is to Leo is Bruce Renihan. Bruce is
24 Executive Vice President and Controller, Canadian Imperial
25 Bank of Commerce.
1 Next is Gary Stauffer. He's a senior partner,
2 National Risk and Quality Practice at PriceWaterhouseCoopers,
3 LLP.
4 Next we have Shelly Stein. Shelly is Chief
5 Operating Officer of Grant Thornton, LLP.
6 Next is Tom Szlosek. Tom is Vice President and
7 Controller, Honeywell International, Inc.
8 And finally Rick Veltschy. Rick is Executive in
9 Charge of Financial Institution Audit Practice at Crowe
10 Chisick and Company, LLP.
11 Now let me introduce the moderators. My name is
12 Tom Ray. Of course, we've all been introduced this morning.
13 Accompanying me on this panel are Laura Phillips with the
14 PCAOB and Nancy Salisbury, from the SEC staff.
15 This panel will address the auditor's role in the
16 internal control process. The objective of this panel is to
17 discuss how the auditor's process for evaluating internal
18 control over financial reporting changed in the second year,
19 and how the audit process may be further improved to achieve
20 greater efficiency and effectiveness.
21 There will be five areas that I wish to cover over
22 the next hour and a half. The first is a response to risk
23 and complexity of the organization. The second relates to
24 the identification and testing of internal controls.
25 The third relates to the effect of company level
1 controls on the audit process. The fourth deals with using
2 the work of others, including internal auditors. Finally, we
3 will discuss the effect of the PCAOB inspections process on
4 the audit of internal control.
5 Now I know we've covered a couple of these subjects
6 already this morning, but they're very important subjects,
7 and I think it's important that this panel, which is composed
8 of different people and a different mix of people, also
9 address those questions.
10 So I feel like I've already spoken too much. So
11 let me go ahead and get started with the first question,
12 which I am going to direct to Gary Stauffer, to get us
13 started in the discussion.
14 So Gary, first question here is how well did
15 auditors vary the nature, timing and extent of their internal
16 control work, based on the assessment of risk of material
17 misstatement, and what sort of strategies we'll employ to
18 make sure that this happened?
19 MR. STAUFFER: First of all, let me thank you for
20 inviting me to participate today. It's good to be here.
21 From an overall perspective, I think companies and auditors
22 modified and significantly changed their audit approach to
23 improve the efficiencies in evaluating internal controls over
24 financial reporting in Year 2.
25 They moved clearly to a more risk-based approach.
1 That allowed them to change the scope of their work, and it
2 also allowed them to vary the nature, timing and extent of
3 their testing.
4 We made significant changes in our approach. We
5 embedded the risk-based approach into our core methodologies,
6 and all our Year 2 training. That includes incorporating in
7 that process the assessment of risk and how it plays on the
8 nature, timing and extent of testing; the use of the work of
9 others and how important that is; how to evaluate and test
10 only key controls.
11 We've heard a lot about the fact that people have
12 tested way too many controls. Finally, we've incorporated
13 into that process a theme on integrating the two audits, to
14 ensure that we get the most beneficial economies out of the
15 audit process.
16 Now in doing that, we issued a briefing paper
17 called "Achieving the Right Balance in the Integrated Audit,"
18 and we've issued that to all our audit personnel around the
19 world, to make sure that they have a good understanding of
20 those four areas.
21 As it relates to your question on nature, timing
22 and extent, that paper goes into fairly detail around how one
23 needs to assess risk, and apply that risk assessment to the
24 nature of the testing, the extent of the testing that one
25 does.
1 It's clear from the discussions this morning that
2 people keep speaking about too many people are testing lower
3 level transactional controls, and not looking at the risk
4 effect.
5 I think the May 16th guidance clearly brought that
6 forward, and I think most of us in the profession have
7 clearly driven that home, that the nature of the test, the
8 timing of the testing and the extent of testing should vary
9 greatly, depending on if you're looking at a routine control,
10 or a control that has substantial impacts and complexities to
11 the financial statements as a whole.
12 Now these changes were considered not only to
13 consider effectiveness, but also to make sure that from an
14 audit perspective, we still gain the right amount of audit
15 evidence, to make sure that we're achieving a quality and
16 effective audit.
17 Now all that being said, as you've heard this
18 morning, we did not achieve the full benefits of what I would
19 call the May 16th guidance and the issues that I just listed.
20 We went a long way to get there, but we still have more
21 benefits to be gained, and we clearly are pushing forward
22 that in our current audit training processes and guidance
23 that we're putting out to our practices, and would hope to
24 achieve that as we move forward.
25 MR. RAY: Thanks, Gary. I noticed there are some
1 tent cards up, but I'm looking over to Lisa Flavin, because I
2 think that as an internal audit executive, you might have
3 some perspective you might share with us.
4 MS. FLAVIN: I think overall, our audit team did a
5 very good job of looking at the nature and complexity of our
6 organization, and determining where they were going to test,
7 especially given the multi-location nature of Emerson.
8 But just like everything else, there are -- and we
9 primarily agree with the scoping and the testing that they're
10 doing. But there are some areas that still need to be
11 tweaked, and I'm going to give you an example of that,
12 because I think it's an example that brings home many of the
13 points that were talked about earlier in the first two
14 panels. We have an account that management has determined is
15 not a significant account due to a number of qualitative
16 factors. That account is accrued vacation, and our external
17 auditors agree with that assessment except for the fact that
18 it exceeds a quantitative threshold that their firm has
19 mandated, that causes it to be scoped in as a significant
20 account in any event. Now they've done a good job of varying
21 the nature, timing and extent of their testing given these
22 qualitative factors, and their external audit time and cost
23 is very minimal.
24 But what that fails to incorporate is the time that
25 the entity takes as a result of that being a significant
1 account. What I mean by that is now we are also considering
2 it a significant account. We don't want to have a
3 deficiency in our assessment process.
4 We're also testing the controls over that account
5 because we want to maximize reliance. That involves testing
6 the controls at all the end scope locations. It involves
7 management document controls, pulling documentation so that
8 we can test.
9 It involves tracking deficiencies, although they
10 are very insignificant, to see if they're remediated and
11 documenting the ultimate conclusion. All of that takes, you
12 know, 500 to 1,000 hours of our Company time with very little
13 value add.
14 So there's an example I think of where the cost-
15 benefit equation doesn't make sense. In addition, I think
16 it's an example of what, you know, one of the earlier panels
17 said of this fear of litigation, and maybe fear of the
18 unknown in the inspection process, that the firms, you know,
19 have to institute these minimum thresholds, that they don't
20 want -- they want to make sure they're covering all the bases
21 even though there may be qualitative factors that make that
22 not make sense.
23 It's also a good example of if we are going to test
24 in that area, a monitoring control would be much more
25 efficient in covering off the risk of the material weakness.
1 So I think that's another example that we need to -- I think
2 we need more guidance on where or examples of where
3 qualitative factors may override a quantitative threshold.
4 MR. RAY: Thank you. Bruce Renihan.
5 MR. RENIHAN: Thank you. I'd certainly agree with
6 many of the statements that were just made. My starting
7 point would be that in Year 2, I think it was more about
8 increasing the effectiveness of the SOX work, including the
9 SOX audit work.
10 I think Year 1 was pretty much of a scramble, and
11 it was done reasonably well, but just to use some indicative
12 metrics, we probably ended up the year with a order of
13 magnitude a few hundred small deficiencies, you know, some
14 aggregated up to a significant deficiency, but in the
15 aggregate just a range of areas that we needed to make modest
16 improvements in our control environment.
17 Over the course of year 2, we remediated 90 percent
18 of those. In spite of which, we managed to find probably
19 close on 200 other deficiencies in Year 2 that really clearly
20 existed in the prior year. So I think Year 2 for us was
21 about getting better at understanding what the key controls
22 are, testing them, just generally getting smarter. I think
23 that was a journey for management and for the auditors.
24 Now we're getting to the efficiency aspects in Year
25 3, and certainly the issue, for example, of scope of
1 coverage, in our view being somewhat inconsistent, to say you
2 must, you know, cover 70 percent of the financial statement
3 dollars.
4 For example, in your coverage, without regards to
5 the risk of those individual accounts, that drives the range
6 of work and you were provided an example of that.
7 So the thing certainly that we would find very
8 useful would be to be able to reduce the amount of low level
9 testing, to be able to leverage off the company level
10 controls and including, very importantly, the very
11 significant SOX compliance processes that we have, and that
12 are subject to audit, and that our auditors make use of, as a
13 basis to meaningfully reduce the amount of work.
14 MR. RAY: Thank you. Frank Brod.
15 MR. BROD: Well, thank you Tom, and thanks for
16 having me amongst all of you today. I did want to make a
17 comment on the guidance that was issued last year. I think
18 it was extremely helpful, and it really brought a bit of a
19 change, more of a sea change, in the way auditors and their
20 clients acted together in a much more collaborative fashion.
21 The guidance came out in May, though, and many of
22 these internal control audits for the calendar year 2005 were
23 already underway and already been scoped and all. So it
24 wasn't -- it wasn't fully implemented in 2005. So we'd
25 expect some additional benefit.
1 The organizations that I'm familiar with actually
2 worked with the auditors through an enterprise risk model,
3 looking at those things that impact financial reporting, and
4 by way of that together reduce the number of critical
5 controls that have identified from very large numbers.
6 There was a reduction at both Dow and at Microsoft
7 in the 30 percent range in the second year, and then probably
8 a very similar amount in the next year, to test those things
9 that really matter and not every supplementary and
10 complementary control, during walk-throughs have been done
11 between internal audit and the auditors. So that's also been
12 helpful in terms of disruption to the organization.
13 The guidance, though, still is in conflict, though,
14 with AS-2, and that you know, I would urge the PCAOB and the
15 SEC to address, because it does push you down to a very low
16 level of detail on a transaction basis.
17 This more than a remote possibility of more than
18 inconsequential drives you down to the transaction levels,
19 and that goes against this looking at the high level of risk.
20 You also -- this every year should stand on its
21 own. You know, we wouldn't be here talking about Year 2 if
22 these years are on a continuum. You know, what you learn in
23 a previous year is very important, as to how management
24 behaves, but also how the auditor should go through things.
25 I would very much urge you to look at that, to find
1 a way that the knowledge gained in one year can be used to
2 benchmark and be part of that risk analysis and the testing
3 in the years to come.
4 Because if you have a stable process, whether it be
5 an IT control or a management control, if it hasn't been
6 altered, it continues to operate. You know, there's not --
7 you know, you can do some sampling testing.
8 You don't have to go through a whole walk-through
9 again to tell yourself that everything's fine, either from
10 management's side or the auditor.
11 So those were some of the things that I would want
12 to add. When we get into the inspections later, I think that
13 -- the fact that those reports are not out in any sort of a
14 timely fashion. You know, here we're two and a half years
15 into this, and as a registrant, I have no idea of what they
16 found in any, you know, the PCAOB inspectors had found on an
17 internal control audit.
18 You know, this cloud that hangs over this process
19 does impact people's behavior, because no one wants to get on
20 the wrong side of the inspector, whether you're the auditor
21 or the registrant. We need to find a way to accelerate that
22 information, make it useable and put it in a format that is
23 helpful to the overall process.
24 MR. RAY: Thanks. I'm going to call on Jay Howell,
25 and then we're going to pose a follow-up question in this
1 same area. Go ahead, Jay.
2 MR. HOWELL: Thanks, Tom. At BDO, we also found
3 the May 16th guidance to be very helpful, and we don't --
4 we've integrated it into our policies, in our tools. We've
5 trained our people on that guidance.
6 We don't feel strongly about integrating the May
7 16th guidance into the existing standard or not either way,
8 from our perspective.
9 What we really think is needed for us in Year 3 is
10 just the additional experience and judgment going forward.
11 As we proceed, we've gained the benefits now in Year 2. We
12 have a tremendous amount of additional experience and
13 judgment, and that's what we're focusing on within our
14 training, and in our people is the education and judgment
15 factor.
16 Judgment is crucial. It takes time to develop, and
17 my biggest concern with respect to judgment is that we're not
18 being consistent, one within BDO but then two, out within the
19 profession. So I think that the consistency factor is
20 important for the PCAOB in particular to focus on in the
21 inspections.
22 We're really hoping to get additional insight from
23 the inspection process as to what we're doing, and ways we
24 can do it better, and being consistent with the marketplace
25 as well. Thanks.
1 MS. PHILLIPS: So far the discussion really has
2 covered responding to risk and complexity broadly. I would
3 like to focus the discussion now on the types of adjustments
4 that auditors have made to their audit approaches for less
5 complex and smaller accelerated filers.
6 How have auditors scaled their work to these types
7 of entities, and is there a need for additional guidance or
8 changes to the rules or standards in this regard?
9 MR. RAY: Yes, go ahead Leo. You had your card up
10 earlier.
11 MR. KESSEL: Yes. First, I appreciate the
12 opportunity to be here. I do want to just echo that I think
13 there have been measurable benefits that came out of this
14 process, and I think the May guidance was particularly
15 helpful.
16 But clearly companies and auditors did sit down
17 before the May guidance. We did a post-mortem when we
18 completed them. I'm actually a partner who has signed
19 internal controls reports. So I've been through the process.
20 We sat down with management through the CFO level
21 and we discussed what are the opportunities to improve the
22 efficiency and maintain the effectiveness.
23 One of the key things that I think many companies
24 wrestled with is how do you make Year 1, which was a project,
25 into a sustainable process? So we spent time thinking about
1 that.
2 I think in the areas where the guidance was helpful
3 is improving, you know, the way we looked at multi-locations.
4 We placed greater reliance on internal audit. The company I
5 was responsible for has many, many small manufacturing
6 plants, and the level of work that internal audit had done at
7 that allowed us to leverage a lot of that work.
8 Certainly, and also just as an example, they had
9 many legacy systems. They're not on common systems and
10 processes. So I think the company learned something through
11 this process as well, the importance of moving to common
12 systems and processes.
13 But in Year 2, we didn't feel the need to test all
14 of those legacy systems. We did enough work to satisfy
15 ourselves that there hadn't been changes, substantive changes
16 in the systems or processes. So we took advantage of that.
17 Then also, you know, just in terms of defining the
18 classes of transactions, we looked at that at a higher level,
19 to again make sure we were focused on the highest risk areas.
20 I think as the companies, not only the auditors,
21 get more experience in dealing with the risk assessment
22 process, I think you're going to see improvement in Year 3 in
23 that arena as well.
24 MR. RAY: Rick Veltschy.
25 MR. VELTSCHY: Directly to Laura's point of
1 scalability or reaction for smaller companies, I think that
2 the key thought process needs to be that smaller companies
3 are not all about the technical compliance with the standard
4 and with the SEC rule.
5 The challenges with the smaller companies also
6 often surrounds simply the organization of the process, to
7 get an internal control assessment done. Our experience was
8 that in Year 1, many of those companies struggled with those
9 project management aspects of this new challenge.
10 If you recall, the Commission and the PCAOB
11 provided an extended time period for companies to file their
12 initial internal control reports.
13 More than two-thirds of our accelerated filer
14 clients took advantage of that accelerated time frame, which
15 speaks to the fact that perhaps things were not as well
16 organized as they could have been, or as timely and so forth.
17 So really one of the strategies, I think, that
18 public accounting firms had to employ in working with those
19 companies was simply focusing on logical work flow sequences
20 that could make an integrated audit take place.
21 The good news is that in Year 2, if you look at
22 just that project management aspect of things, I think all
23 but one of our clients were able to timely file, and it
24 allows -- and now that the project management aspects have
25 been taken care of, you now can begin to focus on the
1 technical issues associated with an integrated audit, and
2 look at the opportunities for efficiency that would derive
3 from better reliance on the work of others and so forth.
4 I think this project management mind set and factor
5 is a very important issue, as it relates to again the smaller
6 end of the accelerated filer group. It will be an even more
7 important factor to the extent that those companies that have
8 not yet implemented the internal control requirements do have
9 to come on stream.
10 MR. RAY: Gary Stauffer.
11 MR. STAUFFER: Directly to your question, Laura, we
12 do believe that AS-2 is scalable. We would agree, as many
13 have said this morning, that additional guidance,
14 particularly practical guidance on how to scale it to smaller
15 companies, is important.
16 We would not believe that AS-2 needs to be
17 fundamentally changed. In fact, we think the fundamentals of
18 AS-2 around reasonable assurance, materiality, principle
19 level of evidence and integrated audit, are clearly
20 fundamentals that need to stay and apply to both large and
21 small companies.
22 I'd like to just address one point that was
23 mentioned earlier, and also Frank mentioned it. It goes to
24 this issue around significant deficiencies, and the point
25 that Professor Grundfest made this morning.
1 The idea that the auditor is in some way setting
2 their scope on the basis of materiality at an inconsequential
3 level. That's not what AS-2 would provide for, nor do I
4 believe the profession is doing.
5 I think scope is set at materiality levels,
6 equivalent to how the auditor has historically judged the
7 financial statements, and that's just used as a benchmark,
8 five percent of pre-tax income.
9 So when you speak about inconsequential and the
10 size of that number being so small, that's not where the
11 scope of the audit is being set, and therefore is not
12 affecting the level of work that's being done.
13 Now once an exception or a deficiency is found,
14 there is an effort to try to evaluate that deficiency, into
15 whether it's a significant deficiency or a material weakness.
16 That's where the process comes in of using the
17 words "inconsequential." So there's not an effort to do that
18 from a scoping perspective in setting the work. One final
19 comment on the materiality, quantitative materiality.
20 It's difficult to walk away from an account that's
21 15 percent of your overall pre-tax income, and could result
22 in a material misstatement to the financial statements, just
23 because it's qualitatively immaterial.
24 From a qualitative perspective, people wouldn't
25 look at it as qualitatively immaterial. It can result in a
1 material misstatement to the financial statements, and I
2 think you only need to look at Worldcom and the issues around
3 fixed assets there.
4 Most people would say fixed assets is a very low
5 risk control. In fact, many of the problems at Worldcom were
6 caused by lack of controls over capitalization in the fixed
7 asset area. So absolutely you shouldn't spend a lot of time
8 on it. Neither management or the auditors need to spend a
9 lot of time on it.
10 We can vary the nature, time and extent of the
11 testing to a relatively low level. But some level of effort
12 needs to be put on that account, because in fact it is
13 material to the financial statements and could cause a
14 material misstatement.
15 I agree wholeheartedly with a comment made earlier,
16 that monitoring controls could be just that control that
17 could be looked at, so you don't have to go down into the so-
18 called weeds to test transactional controls in the account
19 that qualitatively isn't viewed as material, but
20 quantitatively is. You can use that monitoring control to
21 achieve the same objectives.
22 MR. RAY: Thank you. Commissioner Glassman?
23 COMMISSIONER GLASSMAN: Thank you. I have a
24 question that I guess goes to all of you, although I would
25 especially appreciate the feedback from the businesses that
1 are represented.
2 Can you conceive of a different role for the
3 auditors, rather than having the auditors test the controls
4 themselves, which seems to be what's happening? Have the
5 auditors reviewed your process and your implementation of
6 that process to determine whether your assertion seems
7 reasonable?
8 MR. RAY: Go ahead Tom Szlosek.
9 MR. SZLOSEK: Yes. I'll try that one. Yeah,
10 actually you know, we've given that one a lot of thought.
11 Maybe in the first year I would have said that it's
12 inconceivable that you could move int hat direction.
13 But as the guidance came out, and as the clarity
14 and the consensus and the collaboration between the auditors
15 and management have improved in Year 2, and I think in Year 3
16 even more so, you know, I start to see a blurring of the
17 lines between, you know, the management testing on controls
18 and the auditor's testing of controls.
19 You know, we agree in almost all aspects of scope.
20 We agree on locations. We agree on key controls to tests.
21 We agree on how to evaluate findings. So you know, we're
22 working hand in hand, and to think that they're two separate
23 processes.
24 At this point, as I said, the distinctions between
25 the two of them are blurred. So I really think, and I'm not
1 sure whether it's a legislative relief or whether, you know,
2 it's within the scope of PCAOB, but to look it as yes, you
3 need a report on internal control, but that report comes from
4 management.
5 You know, the role of the auditor could be what it
6 is in the first part, which is to issue a report on
7 management's report, and you know, not to have that second
8 report.
9 MR. RAY: Would others like to comment on that?
10 Oh, I'm sorry. Frank.
11 MR. BROD: No, that's fine Tom. I was just going
12 to concur with what our friends from Honeywell said. This
13 process has moved sufficiently or significantly from the
14 first year to the second and now the third, where there is a
15 level of redundancy.
16 But both the auditor and the registrant are very
17 much tied together from a process standpoint, and have the
18 same understanding of what needs to be tested and all. So
19 there could be some efficiencies in that without having any
20 negative impact on the quality that results.
21 The auditor still needs to do some level of
22 internal testing as part of their scoping, which has been the
23 traditional internal control they did prior to SOX.
24 MR. RAY: Shelly Stein.
25 MS. STEIN: I think Frank hit on some of the points
1 that I wanted to make in response to that. But it's
2 important to recognize that if the auditors are going to do
3 some testing, they actually have to be able to test
4 management's assertions on these things.
5 You can go back to the days of when FIDICIA was
6 implemented, whereas we relied on what management said. Yet
7 we have found through the testing, as it related to SOX, that
8 there have been a number of issues where we found material
9 weaknesses.
10 So there's got to be an appropriate balance here,
11 and it can't be all one way or another, and I think we've got
12 work at it in terms of determining what the appropriate
13 balance is.
14 MR. RAY: Okay. I'd like to hear from Bruce
15 Renihan, and then I'm going to move onto the next question.
16 Thank you.
17 MR. RENIHAN: I think that the owner's involvement
18 within our firm in respect of our overall SOX compliance
19 process is very significant, and it's highly transparent.
20 So I think the end result of a range of work that
21 is done by the external auditor is not so much driven by
22 whether they, and this is obviously my assessment, whether
23 they believe that they will find a control issue or
24 deficiency, but it's driven by documentation requirements,
25 because there's enough interaction for them to have a sense
1 of comfort with respect to the controls.
2 When you get therefore to a situation where now
3 there's a sample size that has to be addressed, indeed I
4 think what we're seeing is kind of a hard stop at the level
5 of 50 percent of whatever that sample is, you know, equals
6 principle evidence that the auditor will -- the external
7 auditor will identify the transaction and do the testing, and
8 obviously we're scrambling around to try to provide all of
9 that information.
10 Now that's down from close to 100 percent in Year
11 1, where all of the testing was selected by the external
12 auditor. So there is some leveraging off the work of
13 management and internal audit.
14 But it's still very quantitatively driven, in my
15 experience.
16 MR. RAY: Okay. I'd like to move on to more
17 specifically to question directed to the identification and
18 testing of controls, and I'm going to ask Lisa Flavin to
19 comment and get us rolling on this subject first.
20 The question is, did management and the auditors do
21 a better or worse job at identifying significant accounts,
22 significant processes and major classes of transactions this
23 year, and how did that affect the number of controls tested
24 by management and tested by the auditors? Lisa Flavin.
25 MS. FLAVIN: We certainly did a much better job in
1 Year 2. I think we scoped out roughly 20 to 25 percent of
2 the controls that were tested in Year 1. We also got
3 agreement on those controls, between management and the
4 external auditors. So I feel very confident that we're
5 headed in the right direction in that respect.
6 As I said before, the only issue we have and the
7 only tweaking is with respect to significant accounts, and we
8 still have a couple of discrepancies in that area.
9 MR. RAY: I'd like to go ahead and add a follow-up
10 question, and if you want to comment on that one, the
11 previous question, please feel free to do so.
12 Perhaps a little bit more pointed question here.
13 Would it be appropriate to allow some kind of rotation of
14 testing from year to year, and how would that work while
15 still providing the auditor with sufficient evidence to
16 support his or her opinion on internal control.
17 I think I saw Frank's card go up first.
18 MR. BROD: Well thank you. As the former chair of
19 the Committee on Corporate Reporting at FEI, we have
20 suggested that very topic in each of the comment letters
21 prior to AS-2 being developed, at last year's roundtable and
22 again in our comment letter this time.
23 It is an area where I think this concept of
24 learning as you go through this audit, that you should
25 -- just as you do in all other aspects of life, learn from
1 what you have, and you know, spend your time on those things
2 that need the attention.
3 Part of that assessment is just how good things
4 were in the past, and whether anything has changed at all in
5 their effectiveness in time. It shouldn't have to call for a
6 complete retest on everything every year.
7 So this -- you know, I know the word "rotation"
8 doesn't set well with a lot of people, but maybe the word
9 "benchmarking of controls" may be a better term for that.
10 But to set what the acceptable level is and test to
11 see if there's been change, you know, on a limited basis and
12 where they find there's some variability, then you go in and
13 do a much more detailed test.
14 But that is something we have advocated, I think
15 would cut down on the cost. You touched on cost earlier, you
16 know, and everybody's happy that the cost of compliance has
17 gone down in Year 2. But remember, if you just look at audit
18 fees, they went up 50 percent the first year. They've gone
19 down about 20.
20 There is an embedded permanent 30 percent increase
21 in audit fees that's going to go on forever, and with
22 integrated audits, we'll never be able to separate the two
23 again.
24 MR. RAY: So Mr. Brod would you envision that there
25 could be some accounts where neither management nor the
1 auditors tested them specifically in a particular year.
2 MR. BROD: When you use the word "account," I would
3 say "yes, there are," because you should be queuing on those
4 critical accounts, and if you do a good job of identifying
5 those, you know, you will have some -- you know the auditor
6 may not test every account every year, just as they don't
7 test every transaction now. But they're looking for relative
8 assurance, not absolutely assurance.
9 But you would look at your -- management is going
10 to have people looking at all accounts. That's part of the
11 whole financial reporting process. So I wouldn't give the
12 impression that they're untouched or unlooked at in that
13 process.
14 But the auditor may not look at all internal audit
15 does in our companies, but do a rotation of tests based on
16 risk and geographic complexity as well.
17 MR. RAY: Lisa Flavin.
18 MS. FLAVIN: Tom, I think this one relates directly
19 to a conversation we had earlier on one of the panels about
20 the fundamental improvement, I think, that we can make, is
21 finding that right balance between company level and
22 monitoring controls, and the process transactional controls.
23 In some cases, we had deficiencies at the processor
24 transaction level, that are not going to rise to the level of
25 material weakness because of these overall company level and
1 monitoring controls.
2 However, we don't want to totally ignore those
3 detailed transaction controls either, because they are
4 important. But maybe the equation of finding the right
5 balance is focusing on company level monitoring controls on
6 an annual basis, and rotating those more detailed transaction
7 process level controls.
8 MR. RAY: Jay Howell.
9 MR. HOWELL: My view is that the auditor is going
10 to issue an opinion on the effectiveness of controls each
11 year, and that should be based on testing of significant
12 accounts in each year, by either the auditor and/or the
13 company.
14 I think that you can have some degree of rotation
15 of that testing, and that the standard currently permits
16 that. Paragraph 126 indicates in the use of the work of
17 others, that the auditor can in certain instances for a low
18 risk account, fixed assets, payroll accrual for instance,
19 rely entirely on the work of others in a given year.
20 You might not choose to do that every year, but I
21 think that there should be some testing by either management
22 or the auditor, of that account. I think every account
23 that's significant will probably have some degree of risks
24 that should be looked at each year and say, you know, is
25 there something new; are we really addressing this account
1 effectively.
2 There's new accounting standards that come out
3 periodically; with respect to even vacation accruals there's
4 a new accounting standard that is going to probably trip some
5 companies up and have restatements as a result in that
6 account.
7 So I think most accounts that are materially
8 significant, say the five percent level, should be scoped in
9 each year.
10 MR. RAY: Tom Szlosek.
11 MR. SZLOSEK: Yes, Tom. Not that I like it, but I
12 think the quantitative approach for risk assessment that was
13 kind of alluded to, you know, earlier in this panel and other
14 panels, I think that kind of inhibits rotation, in the sense
15 that if you're looking at the number of locations that you
16 want to test to get your coverage, whether it's 60 percent or
17 70 percent.
18 I mean somebody at lunch said you needed to get 80
19 percent, but I chose to ignore that. But you know, you're
20 going to do what you would expect. You'd go from the 8020
21 rule and pick, you know, all the big sites until you got, you
22 know, close your coverage.
23 Well you know, every year, you know in a reasonably
24 stable company, those sites are going to be the same. You
25 know, you're leaving out 40 percent or 30 percent of the
1 other sites where, you know, arguably there was more risk,
2 because they're remote sites, they're smaller, they're in you
3 know, emerging markets or whatever, and they have a greater
4 chance of having a misstatement.
5 So I think if we're again being more conscientious
6 about qualitative as much as quantitative risk that you
7 referred to.
8 MR. RAY: Okay. We'll hear from Rick Veltschy and
9 Gary Stauffer on this question, and then we have another
10 follow-up question in this area we would like to pose.
11 MR. VELTSCHY: Tom, I think that, I guess to answer
12 your question most directly, I think that it would be
13 possible to have that type of rotation in some fashion. I
14 really think this question drives to the concept that was
15 alluded to on an earlier panel, that we really need to see
16 more and more, I believe, divergence between how management
17 conducts its assessment and how the auditor conducts their
18 assessment.
19 I believe that management has a great deal more
20 information available to them on a day-to-day basis, because
21 of the operation of their company, in terms of opportunities
22 to detect control weaknesses. Production people see changes
23 in volumes. Things happen because, you know, Betty and Steve
24 were talking over the water cooler and notice a behavioural
25 change.
1 Companies gather and have available to them much
2 more than the auditor, and I don't think that that
3 distinctiveness of knowledge has been taken into account very
4 well because of the lack of company guidance and some what I
5 like to call is an auditor-centric approach. So I think as we
6 see the company assessments evolve and mature, particularly
7 in the smaller companies. I think that we'll be able to see
8 auditors taking different approaches to getting to their
9 level of comfort, perhaps relying in more imaginative ways on
10 management's assessment process.
11 So I really do think that the concept of being able
12 to say I'm going to perhaps not test a particular area in a
13 particular year, I think you may be able to get there as you
14 learn more about how companies do their own assessments.
15 MR. STAUFFER: I think in general the concepts of
16 rotation are clearly achieved in just a pure concept of
17 varying the nature, timing and extent of work, and changing
18 predictability in the audit process, and using the work of
19 others.
20 I think all the firms have a concept that in low,
21 routine controls, the auditor can rely 100 percent on the
22 work of others. So if there are those areas that are less
23 risky, have low inherent risk, low complexity, non-pervasive,
24 no history of errors, that work can be limited dramatically,
25 just by varying the nature, timing and extent of the testing,
1 and still gain enough evidence to be able to draw the
2 conclusion on internal controls over financial reporting as a
3 whole.
4 I would just want to make one follow-up comment to
5 Commissioner Glassman's comment about just auditing the
6 assessment. In my view, the audit clearly -- the internal
7 controls over financial reporting clearly adds value, just as
8 an audit of the financial statements adds value to the
9 reliability of those financial statements and the public
10 trust in those.
11 By evaluating only the assessment, the auditor only
12 evaluating the assessment, you will not get that same
13 reliability and public confidence as you do by auditing the
14 internal controls, and be satisfied that they're
15 appropriately working.
16 MS. PHILLIPS: Before we leave the area of
17 identifying and testing controls, I want to be sure that we
18 focus at least briefly on testing IT controls, which got some
19 discussion this morning.
20 But I want to get some insight from you panelists
21 on the remaining challenges that face auditors as it relates
22 to identifying and testing IT controls.
23 MR. RAY: Lisa Flavin.
24 MS. FLAVIN: This is one area that we actually
25 scoped in more controls in Year 2 than in Year 1, in the IT
1 general control area. I think there's confusion in this
2 area, because of the term "pervasive," that there's a
3 tendency in the IT general control to put too much emphasis
4 on those controls.
5 If you take any, virtually any given single control
6 in the IT general control area, those controls -- that single
7 control doesn't necessarily have a pervasive effect
8 individually.
9 There needs to be more of the risk-based approach
10 in determining which controls we're going to test in that
11 area, and maybe we start out with looking at access controls
12 and program change controls, and if there's issues in those
13 areas, then expand. But not scope in every single IT/GC
14 control.
15 MR. RAY: If no one else would like to comment on
16 that, I'm going to move on to the next subject. Gary
17 Stauffer, did you want to comment?
18 MR. STAUFFER: Yes. I think general computer
19 controls are very important, and I think historically, many
20 companies have had a difficult time achieving those controls,
21 particularly in access controls and change control
22 procedures.
23 The benefits are huge, as it was discussed earlier.
24 If you can have IT general computer controls in place and
25 working, the level of testing on the automated application
1 controls will drop dramatically.
2 That in itself should change substantially the
3 level of work both management and the auditor can do, and
4 that's the benchmarking concepts that I think are well
5 brought-out in the May 16th guidance, and can be taken
6 advantage of.
7 So I think IT general computer controls are a very
8 important process and can be a major impact on the
9 efficiencies of the process.
10 MR. RAY: Frank Brod.
11 MR. BROD: Yes. Let me just echo Lisa's comment.
12 So that's very important. You need to test the IT general
13 computer controls, but you should do it on a risk basis,
14 because not every general control has an impact on financial
15 reporting.
16 I think that's been lost in some of the audits that
17 have been done on internal control, which has resulted in a
18 lot of extra work in a lot of companies. I know we heard
19 that quite a bit from our CCR member companies.
20 MR. RAY: Thank you. I'm going to move on now to
21 the next subtopic, which is the effect of company level
22 controls on the audit process, and I'm going to ask Jay
23 Howell to start us off in that discussion on this question,
24 which is how well do auditors understand the concept of
25 company level controls, and what effect does the testing of
1 those controls have on the auditor's work on other key
2 controls? Jay Howell.
3 MR. HOWELL: Thanks, Tom. First with respect to
4 company level controls, some companies also refer to them as
5 entity-level controls, and in general I think of them as
6 comprising the control environment, tone at the top,
7 monitoring controls, risk assessment, IT/GC.
8 They generally wouldn't include the control
9 activities component of the five components of COSO. I
10 believe the company level controls are an essential element
11 of an effective control environment, and they're very
12 essential in considering the risk down approach.
13 But I also believe that the control activities, the
14 more detailed controls are also an essential element of an
15 effective control environment, and that testing of both the
16 company level controls and the control activities needs to
17 occur. You can't just rely on testing of the company
18 controls. They're just one component of an effective
19 internal control environment.
20 Paragraph 54 of AS-2 indicates in fact the testing
21 of company level controls alone is not sufficient, and I
22 would agree with this.
23 When company level controls are strong or
24 effective, and I prefer to use the word "strong," because I
25 think of it as a continuum; it's not an on/off switch, an
1 auditor might choose to rely entirely on the work of internal
2 audit or others in some low risk areas, like we discussed
3 earlier.
4 So there's tremendous benefits to having a strong
5 control environment, company level controls with respect to
6 efficiency. You know, and the rotation concept or what Gary
7 described earlier, and varying the nature, timing and extent
8 of the auditor's testing, the auditor will have a lot more
9 flexibility with respect to their testing approaches, in a
10 strong control environment, and where strong company level
11 controls are established.
12 Where we fall short is that the company level
13 controls within AS-2 is probably the least described areas,
14 as far as how an auditor is going to go about testing that
15 controls. So I believe that additional guidance would be
16 useful in that area for the auditor, in testing company level
17 controls.
18 Then for companies, I also think that the guidance
19 is fairly minimal in what a company needs to do to document
20 and test their company level controls. I used to think that
21 this was limited primarily to the smaller companies, but I'm
22 now suspecting that all companies probably could use more
23 guidance in this area.
24 I noted the recent Institute of Internal Auditors
25 report that was published a few days ago, that's a management
1 guide on implementing Section 404. That guide talks about
2 the importance of company or entity-level controls, and that
3 failures in entity-level controls caused a number of the
4 major financial failures over the past few years.
5 However, when you go through the details of that
6 guide, there's really very little guidance in that guide for
7 management, on what they should do to document and test
8 company level controls. I think that for me highlighted the
9 need for that type of guidance.
10 MR. RAY: Bruce Renihan, and I think I also saw Tom
11 Szlosek raise his card. So as soon as Bruce is finished,
12 please go.
13 MR. RENIHAN: Yes. Our entity-level controls, in
14 our view, are critical, and we see those as something that
15 need to be looked at annually. We've found the process of
16 looking at those controls, all the way through, you know,
17 what's happening at the board level, all those
18 responsibilities, accountabilities, and you know, testing,
19 competency of staff.
20 Those range of issues are critical to the
21 management and in a continuing look at those reinforces their
22 importance, and also provides, I think, you know, a lot of
23 comfort to both management and auditors. We diligently
24 document that, and our auditors pay due attention to it.
25 I'm concerned that SOX processes and the work that
1 we've all gone through has diminishing value going forward,
2 relative to work effort, because in the first instance, it
3 was very important for many companies to actually come to
4 understand what their key controls were, and it wasn't
5 necessarily all that transparent.
6 It's been a significant learning effort, and it's
7 allowed a number of us to have a better understanding of
8 processes and consistency of processes and standardization of
9 key controls and the like.
10 I think that we built up a significant SOX
11 infrastructure to support the work that is going on. I'm
12 much more interested in leveraging that infrastructure
13 against issues of legislative compliance and operational
14 process controls, which in particularly the last is, you
15 know, where companies can most significantly benefit, I would
16 say.
17 So to fully implement COSO against, you know, the
18 infrastructure that we've in effect been forced to put in
19 place, but very valuably were forced to put in place, I am
20 concerned, though, to repeat on diminishing returns to that
21 initial value.
22 MR. RAY: Tom Szlosek.
23 MR. SZLOSEK: Yes. On company-level controls, I
24 hear what everybody's saying about the importance of them. I
25 mean AS-2 is clear that, you know, the whole sequence starts
1 with company level controls. The whole audit sequence starts
2 there.
3 I also agree with what Jay said, that you know,
4 after that there's not a lot of additional guidance. That's
5 maybe why what I've seen in practice, both you know, our own
6 management testing as well as, you know, our external
7 auditor's testing.
8 The company-level controls, you know, for the first
9 two years have been more of a check the box at the end of the
10 process kind of exercise, really. Or as a means of
11 mitigating or identifying compensating controls for, you
12 know, the detailed process controls that you've tested and
13 found deficiencies in.
14 So it's kind of unfortunate that, you know, it does
15 have the prominence in everybody's mind. But I think in
16 practice, you know, there is much more opportunity to use at
17 the front end to help with the risk-based audit approach.
18 So you know, in the third year, our Audit Committee
19 has actually picked up on this point. We spent 30 minutes in
20 our last meeting with them in the first quarter, just going
21 through our company level control framework, and what the
22 elements of it are and how we're testing it.
23 They're looking for us and for our auditors to
24 place a much bigger emphasis on that. So I think we've got
25 to keep going on that.
1 MS. SALISBURY: Just a quick follow-up on that. I
2 mean, do you have in mind what exact changes you might be
3 making, placing reliance on your company-level controls? I
4 mean, what are you guys thinking?
5 MR. SZLOSEK: Well, first we've defined our
6 framework. So for us, it starts with a baseline of all our
7 policies and procedures, like our code of ethics, our
8 controllers accounting policies, the company policies and
9 procedures. Then at the top is, you know, the oversight, you
10 know.
11 The Audit Committee, we have what we call a SOX
12 Committee, which is, you know, all the controllers and
13 control managers in the business, and we have internal audit
14 out there in the oversight. Between the two is, you know,
15 all of the execution of the different company-level controls.
16 So for example, you know, somebody alluded to a
17 monthly operating review, where you're comparing your actual
18 results to, you know, budget and looking at variances, to see
19 if there's not only an operational issue but, you know,
20 whether there's -- the actual numbers make sense.
21 So we've kind of defined that in a very
22 prescriptive framework, and have taken that out to our
23 controllers, and are taking it out to all of our reporting
24 locations, so that they can understand what we mean by every
25 element of the framework, and that they have to develop
1 specific test plans to ensure that those are in place and can
2 be relied on.
3 Then, you know, from that, we are changing our
4 scope of location, so that we can -- if the company-level
5 controls are in fact demonstrated to be in place. But we
6 want to go to other locations that we haven't hit in the last
7 couple of years, and make sure they're starting to get
8 rotated on the process. So it's an opportunity for us.
9 MR. RAY: Gary Stauffer.
10 MR. STAUFFER: Yes. It's interesting. Company-
11 level controls in Year 1 were left to last, weren't well-
12 understood, were referred to as "the softer components," and
13 didn't have a lot of guidance.
14 So I agree with many of the comments. They weren't
15 necessarily considered in Year 1. I think the guidance put
16 out on May 16th, with the top-down approach in mind, clearly
17 refocused that effort.
18 We spent a lot of time trying to put that in
19 perspective, to make sure our audit teams that into
20 consideration. Company-level controls become an important
21 element in determining the nature, level and extent.
22 If you have strong company-level controls, low
23 complexity, routine controls, low inherent risk, in an
24 account like accrued vacation that should have a substantial
25 impact on the level of testing you're going to do. So I
1 think company-level controls directly play into that.
2 If you have a company-level control that operates
3 at the level of precision that allows you to achieve the
4 objectives that you're trying to test for, you can eliminate
5 all the routine testing.
6 That gets back to the comment made earlier about
7 monitoring controls. Those monitoring controls many times
8 can achieve that level of effectiveness and precision.
9 So if it does, you can eliminate the process. So
10 we're gaining on company level controls. I don't think we
11 have it right yet. I think there's more benefits to be
12 gained, and we continue to push on that. But I think it's a
13 very important aspect of the overall audit process.
14 MR. RAY: Thanks, Gary. Let's move on to the next
15 subject here, which is using the work of others. I'm going
16 to ask Tom Szlosek to start us off on a discussion on that
17 point, and specifically did auditors increase or decrease the
18 degree to which the work of others, such as internal
19 auditors, was use din the second year?
20 Specifically, are there opportunities to increase
21 reliance on that work in the future?
22 MR. STAUFFER: Yes. Thanks, Tom. When I think of
23 work of others for auditors, I first think of our internal
24 group, and our group, our internal audit organization is
25 headed by a former Big Four partner.
1 They have been able to demonstrate competent
2 subjectivity, independence from management. In fact, they
3 don't participate in any of the management testing. You
4 know, our Audit Committee has kind of drawn that line that,
5 you know, they're going to be independent and not involved in
6 that. So there's a very clear opportunity that this is a
7 group that can be relied on.
8 Unfortunately in practice, we just haven't seen it.
9 We haven't seen anything beyond, you know, sharing of audit
10 reports maybe, and that tends to create more work as opposed
11 to less work, because you know, when the external auditors
12 see findings in the audit reports, in the internal audit
13 reports, they tend to want to spend more time in those areas
14 as opposed to trying to understand how we've rectified them.
15 So we've sat down with our external auditors this
16 year and we both have kind of seen that this is an
17 opportunity. We're looking at it to create efficiency, and
18 you know, we're now at the point of sharing risk assessment,
19 one another's risk assessment, and ensuring that instead of,
20 you know, a direct supervision kind of arrangement, that the
21 external auditors are actually spending time understanding
22 how and where our internal auditors are working, where they
23 see the risks and how that can contribute to the evidence
24 that they need to collect for the opinions they need to
25 issue. So it's an opportunity, and we're on it for Year 3.
1 MR. RAY: Rick Veltschy.
2 MR. VELTSCHY: I think our experience would mirror,
3 to some extent, what Tom's described. I earlier described
4 what I felt was a situation where in Year 1, it was very
5 difficult to integrate the audit due to project management
6 issues.
7 I think in Year 2, the audit got integrated in
8 terms of the auditors, control on substantive audits, as well
9 as good project management and logical time lines with the
10 registrant.
11 In our firm, we are working very hard to accomplish
12 what Tom just described, which is begin the audit planning
13 with the concept of maximization of reliance on the work of
14 others.
15 That's just very roll up your sleeves detail work,
16 and we're accomplishing that by simply sitting down with our
17 clients and going through every key control, asking the
18 questions jointly, does this control need to be tested to
19 achieve the objectives. Then asking the next question, which
20 is if it's tested sufficiently by others, do we as the
21 auditor need to test that particular control ourselves?
22 I think what we're finding is that we're trying to
23 change our mind set. AS-2 has a principle evidence standard.
24 That standard is that the auditor needs to -- you know, they
25 need to themselves gather the principle evidence from which
1 their report rests.
2 We think that when you work through the parts of
3 the audit where the auditor must, is compelled by AS-2 to do
4 the work themselves, that you may have come a long way
5 towards that principle evidence standard.
6 So we're beginning with the idea that if we think
7 management's assessment is good, we can rely on the work. As
8 we are going through this optimization process, I think we're
9 finding quite a few areas where in fact in Year 2 we did not
10 rely on management's work for our conclusions, where I think
11 we will in Year 3.
12 MR. RAY: Jay Howell.
13 MR. HOWELL: I'd like to point out that a lot of
14 companies don't have a dedicated internal audit function. So
15 the use of work of others can refer to where there is an
16 objective internal audit function that reports to the Audit
17 Committee.
18 But it can also refer to management's self-
19 assessment or companies that hire an outside firm to come in
20 and help it perform some of the testing. AS-2 provides some
21 guidance that indicates where the internal audit function
22 doesn't report to the Audit Committee, or is not as competent
23 and objective, that the auditor should use the work of others
24 to a much lesser extent.
25 So I wanted to focus on that language "much lesser
1 extent." Because that's the box that we find ourselves in
2 quite regularly with our clients, where they don't have a
3 dedicated internal audit function, and particularly where
4 they've hired outside help to come in and help with the
5 documentation and testing of controls.
6 Often that outside help reports primarily to
7 management instead of the Audit Committee, and the guidance
8 in AS-2 would tend to indicate that would be a factor we
9 would consider from an objectivity standpoint, and probably
10 use that work to a lesser extent.
11 So I just wanted to highlight that as one of the
12 barriers we perceive in the use of others.
13 MR. RAY: Thanks, Jay. You're great at quoting AS-
14 2. But that's an important point, and as others comment on
15 this, we'd be interested in hearing your further thoughts on
16 that as well. Lisa Flavin.
17 MS. FLAVIN: Most notably, we saw an increase in
18 reliance in Year 2 in the area of IT general controls. In
19 Year 1, there was no reliance. In Year 2, it was 50 percent,
20 which was the maximum allowed by the firm.
21 So I felt pretty confident that we're maximizing
22 reliance right now in accordance with what the standard will
23 allow and firm guidance. An area I'd like the PCAOB to
24 consider also allowing reliance is in the company-level
25 control process.
1 There are certain controls within company-level
2 controls that are very non-subjective, compliance-oriented
3 controls, such as employee background checks, code of conduct
4 acknowledgment forms and personnel files, ethics hotline
5 postings at certain locations.
6 I really think it would be helpful if we were
7 allowed to have reliance on the work of others in those
8 areas. Going along the lines with what Jay said a minute
9 ago, I think there is a wide discrepancy in what audit firms
10 will accept in terms of reliance.
11 I know some companies where the audit firms will
12 accept management's testing, where one process owner tests
13 another process owner and will rely on that work, where
14 there's other cases where audit firms will only rely on the
15 work of a corporate internal audit department.
16 So there seems to be within a wide degree of
17 discrepancy on what's acceptable and what's not, in terms of
18 reliance.
19 MR. RAY: Leo Kessel, you had your card up. Would
20 you still like to comment?
21 MR. KESSEL: Please. Just to build on a number of
22 comments that have been made, I think there is a significant
23 opportunity to work with internal audit and management in
24 terms of scoping, and the amount of reliance that should take
25 place on that scoping, particularly in multi-location
1 entities, where you've got hundreds of small entities.
2 I think you can help the company by having a joint
3 risk assessment, deciding which of those locations are going
4 to be important and who's going to provide that coverage for
5 the audit committee or for management.
6 So I think doing that in a multi-location, you
7 certainly have an opportunity to vary the timing, extend the
8 tests, and provide some broader coverage on an overall basis
9 as well.
10 MR. RAY: Thank you. So let me move into the last
11 subsection here on this panel, which is talk about the effect
12 of PCAOB inspections on the audit of internal control.
13 I'm going to ask Tim Flynn to get our remarks
14 started in that area, and specifically it's a very general
15 question, Tim, but how are the PCAOB's inspections affecting
16 the implementation of Auditing Standard No. 2?
17 MR. FLYNN: Thanks, Tom. First, let me say that
18 there's no doubt in my mind that the PCAOB inspections the
19 last three years have really helped improve financial
20 reporting and audit quality.
21 So if you look at the integrative audit moving into
22 Year 2 of 404 inspections -- you're heading for the second
23 year -- what are some of the challenges?
24 When you look at what's happened so far in the
25 inspection, as to improve the audit quality, what are some of
1 the attributes of that? It's really improved the rigor that
2 auditors are applying to their work.
3 In my view, it's also improved the documentation of
4 judgments being made across the audit spectrum, and
5 conclusions being reached.
6 Now there's many factors that have contributed to
7 this change, sense of our responsibility as professionals,
8 focusing back on our core being the audit, and more engaged
9 board members and audit committee members.
10 But I think what's central to it and what's driven
11 the most change has been the PCAOB inspection process. Now
12 if you look at specifically the inspection process to the
13 integrated audit, in the first year last year, it was
14 relatively limited in scope from my point of view.
15 The PCAOB inspection process was really to gain an
16 understanding, kind of a baseline of how do the firms really
17 go about implementing AS-2. Also take a look at some of the
18 key things coming out of the May 16th guidance, official
19 guidance, around integrated audit, top-down approach, risk-
20 based assessment.
21 How would things have looked differently in '04 had
22 that guidance been in existence at that point in time, and
23 came out with some additional information on that in November
24 of last year.
25 As we moved through the inspection process for
1 2005, that was a real opportunity to gain some additional
2 insights into how we're applying 404 across the profession.
3 As I look at it, as we move into this process for
4 next year, we talked about a lot of attributes here today
5 about entity-level controls. We talked about sample sizes.
6 We talked about significant accounts.
7 This is complicated stuff, and there's a lot of
8 judgment that comes into play. We're new at this. This is
9 the only second year and we're in the third year of this
10 process.
11 To me what would really help in the inspection
12 process is to engage in a really meaningful debate, and
13 really understand what were the judgments being made? What
14 were thought processes gone through by the auditors in
15 selected accrued vacation? What drove them to that decision?
16 Because these are people, professionals applying
17 judgment, doing the best they can to apply AS-2. What drove
18 the judgments around those areas, and then have the PCAOB
19 look at that as well and say what might have been some of the
20 things that they would look at to say maybe those judgments
21 weren't what they should have been. What drove us there,
22 what should we do differently, how should we have looked at
23 that?
24 I'm encouraged by some of the early discussions
25 about the inspection process for next year. We're going to
1 focus on the quality of AS-2, but also focus on the
2 efficiency components of it, and take a look at the guidance
3 that came out on May 16th of last year. How was that
4 guidance really implemented, and look at that through the
5 inspection process?
6 I hope coming out of that we can look at best
7 practices as well, kind of the best practices, and then sit
8 back and have a meaningful debate around what were the
9 judgments made and why.
10 I'm also encouraged by talking to the PCAOB
11 recently, that they're going to include individuals from the
12 Standards Group into the inspection process more this year.
13 So I think we can get a view of what was intended? What was
14 the picture that when we set the standard, we thought 404
15 would look like?
16 What does it look like today, as it's really been
17 implemented? How big is the gap, and how do we work together
18 to close that gap, between the regulators, the issuers and
19 the public accountants, trying to preform that work?
20 So I think it's a critical year in the inspection
21 process. I think it gives great opportunity to ensure that
22 404 is moving toward the picture intended, as it was
23 originally designed.
24 We all know and we all have a line interest here to
25 make sure that the benefits, the protection from the investor
1 perspective around 404, doesn't get lost in this debate of
2 how to paint that picture as it was originally designed, and
3 move forward in the right direction.
4 MR. RAY: Thanks, Tim. Frank Brod?
5 MR. BROD: Yes. As the SOX legislation was being
6 or as the Senate bill was being put together, our FEI group
7 spoke at length with Senator Sarbanes' staff, you know, to
8 get an independent review of the auditors. We thought this
9 was a very important part, and in the peer reviews it more
10 like the cat guarding the henhouse.
11 I don't know that you ever got a truly objective
12 review. So when the PCAOB came into being, with the
13 inspection process, it was really the first time that the
14 public accounting industry was subject to any sort of
15 internal scrutiny.
16 That's good, and it's also bad, because it placed a
17 cloud over them. I think it actually altered the behavior of
18 the audit firms from the national office down to the client
19 service partners, of freezing in quite a conservative risk-
20 averse notions of this.
21 We thought that would be temporary, I think, as we
22 were observing what was going on. But the inspection process
23 itself has been very, to me very disappointedly slow. You
24 know the 2003 audit years' reports were reviewed in 2004.
25 Those reports were issued late in 2005.
1 That's two years passes. That's not really helpful
2 to what's happened, you know, if things have been going on
3 that weren't quite right, you know, they probably continued.
4 If things were good, we hadn't -- you know, there
5 wasn't a process to really convey these best practices
6 throughout the industry, both to the audit firms and to the
7 clients of the auditors.
8 So this process has to be sped up. It needs to be
9 a little bit more out in the open. You know, we'd even --
10 you know, I hear a lot of anecdotal things from companies
11 that are being part of an inspection. You know, even to the
12 extent where, you know, I heard the comment that, you know,
13 they push integrated audits, but when the PCAOB inspectors
14 come in, they come with two teams, one to do the SOX 404
15 work, one to do the financial statements work.
16 So then, you know, if you're dealing with an
17 integrated audit in those cases, you have the same group of
18 people trying to deal with two different inspection crowds.
19 I don't know if that's still the case, but those are the
20 types of things that just don't seem to fit in this overall
21 deal.
22 We ought to be getting the information out in a
23 useful fashion to the auditors, so that they can enhance
24 their process and continue their improvement, but also to the
25 companies who are, you know, are hiring the audits, to make
1 sure that they keep their processes as best in line as well.
2 MR. RAY: Shelly Stein.
3 MS. STEIN: I'd like to echo the comments made by
4 Tim, because I think they're right on with respect to a
5 number of the things that we're talking about. He ended his
6 comments reminding us about the investor, and we haven't
7 heard a lot of that today.
8 I think we need to talk about the opportunity cost
9 for investors if we make sweeping changes, that take away
10 their ability to be able to make decisions about financial
11 statements and the information that they receive.
12 I'd also like to take some of the information I've
13 heard on all the panels, and just paint a little bit of a
14 picture and see if I can bring it back to the PCAOB
15 inspection process.
16 If you go back a few years, the marketplace was
17 saying "Auditors, you audit too much." Now we're hearing
18 some people -- excuse me, "You don't audit enough." Let's
19 see if I can get that right. Now we're hearing some people
20 say "Now you're auditing too much."
21 In between, what came along was 404. I think 404
22 laid out some very clear things, that said that every company
23 ought to have good internal controls. It said that
24 management should be in a position to be able to tell their
25 investors at least annually that they have good internal
1 controls.
2 It said that there should be a reasonable and
3 efficient way for auditors to perform appropriate procedures,
4 to say that they agree with management's assessment. I think
5 those things make sense.
6 But what we've heard today is "Well gosh, you know,
7 the auditors and the company quite aren't in sync with what
8 those are, how to go about it," and we've heard a lot of
9 people talk about the need for guidance. Not changing the
10 rules, but giving more practice guidance, bringing together
11 the auditors, the regulators, the investors, the issuers, the
12 academics and saying together "What are some real-life
13 examples so we know what right looks like?"
14 I think that that's something that we've heard from
15 a lot of people today that's important. But now we have to
16 take that forward, too, to the PCAOB inspection process. I
17 have to tell you that I think the PCAOB inspectors have done
18 a fabulous job, and they've given us a lot of good
19 information.
20 But there's still a piece that's missing here that
21 I think is a disconnect, and I think about it in terms of the
22 standard-setters saying "You know, you need to use your
23 auditor's judgment and do the right things here."
24 But when the inspectors come in, what are they
25 questioning because they're auditors? Did you do the right
1 things? How's your judgment? I don't have a problem with
2 that. In fact, I value that opinion, and even value the fact
3 that we're going to focus on efficiency in this year to come.
4 But what still bothers me a little bit is that we
5 look at it as auditors with the best judgment that we
6 possibly can, and the inspectors are looking at it with the
7 best judgment that they possibly can.
8 But I can tell you that 100 percent of the time, if
9 we don't convince them, the auditor are wrong. If I look at
10 a baseball analogy, you know, tie goes to the runner. We
11 don't get that opportunity. You've got two teams playing but
12 one of the teams is also the umpire.
13 So there's an issue here when it comes back to the
14 conversations of talking with the client, and everybody says
15 "Well, the auditor is so conservative." "Yeah, it's our
16 license on the line."
17 So I think we've got to put this on the table as
18 something else to address too, because again, I value their
19 judgment, I value their opinion. But I think this circles
20 around the cogs in the wheel to address a number of the
21 things that we've been talking about today.
22 I very much look forward to the efficiency comments
23 coming forward in the next year, and the sharing of those
24 best practices without sacrificing the quality of what we do
25 and what the inspectors are looking for.
1 MR. RAY: Bruce Renihan.
2 MR. RENIHAN: Thanks. I mean my perspectives on
3 this subject are really just borne out of day-to-day
4 interaction with our auditors, and there are hundreds of
5 decisions that are made over the course of the year, that
6 impact on the amount of work and effort that you expend.
7 Inevitably, the musing arises as to how things
8 would look in the working papers if we made Decision A as
9 opposed to Decision B, from which I really just infer that
10 those decisions inevitably are on the side of caution, and I
11 think we all understand why that's the case. But it
12 translates into more work.
13 So the challenge, as I see it, for the PCAOB is
14 really how to structure some balance into the equation.
15 Clearly, the down sides are severe for auditors being judged
16 to have not done their work adequately.
17 It's not clear to me what the carrot or the stick
18 is associated with, you know, going overboard in terms of the
19 work challenging question, for which I have no answer.
20 MR. RAY: Thank you. We've heard from the panels
21 today and elsewhere that the inspections process could be
22 having an effect on the auditor's willingness to exercise
23 their judgment. Are there other things the PCAOB, SEC or
24 others could do to encourage auditors to exercise their
25 judgment? Jay Howell?
1 MR. HOWELL: I think to follow up on an earlier
2 point about timely feedback, I know and we're all learning in
3 this together, and I think within the auditing profession
4 I've seen a tremendous amount of improvement. I'm seeing
5 tremendous improvement in the inspections process too.
6 I think last year at BDO, we did get fairly timely
7 feedback. We were one of the fortunate firms to have our
8 inspections early in the process. The PCAOB did meet with us
9 in person, to discuss some of the 404 findings with us, so
10 that we could learn from that experience.
11 So I commend your efforts at providing us with the
12 timely feedback, and I think that going forward into this
13 upcoming year, one of the important things you can do is to
14 continue that process.
15 As you're out in the fields conducting inspections,
16 I think that there is interaction and feedback occurring at
17 that process, and that the firms by and large don't need to
18 wait until the final reports come out, to start adjusting
19 behaviors, if that's needed, that the inspection process
20 itself out in the field should be a starting point for that.
21 MR. RAY: Leo Kessel.
22 MR. KESSEL: Yes. I would just like to build on
23 some of the points that are made, because I think in the
24 inspection process, and all I have is anecdotal evidence up
25 until this point; one of my clients has been selected for
1 review this year, so I will have practical experience here in
2 the near future, is that there isn't a lot about you've done
3 this right.
4 The partner I spoke with that was reviewed last
5 year indicated that, you know, he was told numerous times
6 we're not here to tell you what a good job you've done; we're
7 here to challenge the work you've done, and make sure that
8 the appropriate judgments have been made.
9 I think challenging our work is very appropriate.
10 But I do think if we don't take the opportunity to capture
11 best practices, and we don't capture the opportunity to tell
12 the firms what they're doing well and do it more at other
13 clients, I do think we lose an opportunity.
14 MR. RAY: Thanks. I think we have just enough time
15 to hear from Tim Flynn before we have to shut this one down.
16 Tim?
17 MR. FLYNN: Tom, to the point just raised and some
18 of the comments. I think the challenge here is to build a
19 reservoir of knowledge, you know, of what good looks like,
20 like Shelly said. What is the picture of 404 as they put it
21 together?
22 From my standpoint, there's a great reservoir of
23 knowledge coming out of the inspection process, and the
24 challenge is how we communicate that knowledge out to the
25 profession and issuers.
1 Maybe we need to form a group of -- from the firms,
2 as well as from the PCAOB, to look at how can we format some
3 of that knowledge and get it back out in the hands, and be
4 the foundation from the guidance we're trying to put forth?
5 MR. RAY: Well, I'd just like to thank the
6 panelists today and my co-moderators. We are going to break
7 now and start promptly at 3:00.
8 (Whereupon, a short recess was taken.)
9 PANEL 4 - THE EFFECT ON THE MARKET
10 MR. WHITE: I'm going to start with the fourth
11 panel. We've been through a lot of detail on the last two
12 panels on management assessment and AS-2. On this panel,
13 we're going to move back a little bit to the bigger picture
14 and talk about the effect of 404 on the markets.
15 And I guess we're interested in -- particularly in
16 hearing your thoughts on two questions: One is whether
17 management's and auditors' reports and all of the related
18 disclosures have been useful to investors and other market
19 participants. And second, are there ways to improve that
20 usefulness of 404 reporting?
21 I'll get into obviously the details in a moment.
22 But I first want to now go through and introduce the
23 panelists. As we have three times earlier today, we have a
24 very impressive group of individuals as our panelists. And
25 I'll start on the far left. Charles Bowsher is the Former
1 Comptroller General of the United States. Noreen Culhane is
2 the Executive Vice President, Global Corporate Client Group
3 at the New York Stock Exchange. She is a last minute
4 substitution for John Thane.
5 And we certainly appreciate your appearing on such
6 short notice. You will still get called on just as often as
7 Mr. Thane. I hope you can cover all of the spots.
8 We have Greg Jonas, the Managing Director of the
9 Accounting Specialists Group at Moody's Investors; Peter
10 Lyons, a partner at the law firm of Shearman & Sterling; Mike
11 McConnell, Managing Director of Shamrock Capital Advisors;
12 Bob Pozen, who is currently Chairman of MS Investment
13 Management -- He is also a director and Audit Committee
14 member for two public companies; Monty Redman, who is Chief
15 Financial Officer of Astoria Corporation, and he is also
16 speaking for America's Community Bankers.
17 We have Kurt Schact, Managing Director of the
18 Centre for Financial Market Integrity of the CFA Institute.
19 Some of you who have been listening to these -- proceedings
20 like these recently, Mr. Schact is also one of the members of
21 the Commission's Advisory Committee On Smaller Public
22 Companies, which issued its report last month.
23 So we're very pleased to have you on both of these.
24 David Warren is the CFO of Nasdaq Stock Market, and
25 Karen Hastie Williams, who serves as a director on a number
1 of public companies and is the chair of the Audit Committee
2 on two of them; I guess.
3 The moderators: I'm John White; to my right is
4 Carol Stacey, the Chief Account in the Division of
5 Corporation Finance at the SEC; she was with us this morning;
6 and Tom Ray, the Chief Auditor at the PCAOB, who you've also
7 met on prior panels.
8 The way I'd like to organize the fourth panel is
9 similar to the way we've done the other panels, and that is
10 to break this up into five, I guess I will call them,
11 discrete topics, and try to spend more or less equal time on
12 each of those topics. So as the panelists make their remarks
13 just if you can jot down the -- the kind of the general
14 topics, and hopefully we can stay on them as we work our way
15 through.
16 The first one is Section 404 and its effect on the
17 U.S. capital markets and investor confidence. The second
18 would be the benefits and costs to investors of 404;
19 previously we've talked about costs to the companies, but now
20 we're talking about the benefits and costs to investors.
21 Third would be to focus on disclosures and really
22 the usefulness and understandability of the Section 404
23 disclosures. That's where we're going to talk about material
24 weakness definitions and things like that. Fourth is a topic
25 that has received a lot of press, which is the
1 competitiveness of the U.S. capital markets with foreign
2 markets and the impact of 404 on that process.
3 And then finally, we'd like to step back a little
4 bit and ask if there are alternative reporting and assessment
5 options that the Board and the Commission should consider for
6 the benefit of investors in the markets.
7 So with that, we'll go to topic one, which is --
8 I'd actually like to ask four of the panelists to respond to
9 topic one. I'm going to start with Chuck Bowsher, then
10 Noreen Culhane, Karen Williams and Mike McConnell.
11 The questions are: Has 404 helped to restore
12 investor confidence, and if so how? And what has the effect
13 of 404 been on the U.S. capital markets?
14 Mr. Bowsher.
15 MR. BOWSHER: Well, I think it's had a big effect
16 and a very positive effect. In other words, I think we had a
17 real crisis here. We had a big drop off in the tech world
18 and in the small companies out in the Silicone Valley; that
19 was one crisis. But we had a corporate governance crisis too
20 and accounting frauds of magnitudes we had not seen in years.
21 And so we had to do something. And I think the
22 Sarbanes legislation is really first rate legislation as far
23 as the accounting and the auditing provisions. And I think
24 Section 404 is very key to that. And I think we've really
25 made great strides here in the last 2 or 3 years, especially
1 on the front corridor which I call paragraph one; that's
2 where the management was responsible to document their
3 systems, to get them in good shape, to have the internal
4 audit functions become much more useful in this area than
5 maybe they have been in the past.
6 And so I think that now we're seeing the real
7 payoff there, because we're seeing a lot of the companies not
8 reporting material weaknesses. That's coming down. We're
9 not seeing the restatements of any significant issues except
10 in a few cases. And the stock market is going up big time,
11 and not only just for this, but I think this is a factor.
12 And it's kind of like when we had the banking and
13 the S&L crisis and some of the other crisis we've had in the
14 past. In America we have problems but we do react to them,
15 and we really do get on top of them, and it isn't like what
16 happened to poor old Japan there when it went for 10 to 15
17 years to bail out their banking system because they weren't
18 willing to deal with some of the real issues. So I think
19 it's been a big benefit.
20 The one problem I think is still left is with the
21 big auditing firms and how much duplication is being done. I
22 know some of the spokesmen for them today have said
23 everything is working quite well, and we're making great
24 progress based on last year's guidance.
25 But at the Audit Committee -- I serve on a lot of
1 audit committees and boards -- we don't see that. And, in
2 other words, we see some improvement, but we really truly see
3 now still a lot of duplication. So I think it, in paragraph
4 2, we still haven't got it right as to how much work has to
5 be done and to avoid duplication, to rely more on the
6 internal auditors and things like that. But I think that's
7 doable; I think it's very doable. And I hope we could get it
8 done in the third year here.
9 MR. WHITE: Thank you.
10 Ms. Culhane, can you give us the perspective from
11 the New York Stock Exchange of whether we've restored
12 investor confidence --
13 MS. CULHANE: Well --
14 MR. WHITE: -- or where we're going on that front?
15 MS. CULHANE: Huh-huh. I would say clearly
16 investor confidence is the key underpinning to the capital
17 markets; clearly. It is investor confidence that incends
18 obviously investors to feel comfortable investing in the
19 markets. That begets liquidity which is essentially the
20 underpinning of what makes the markets work.
21 So clearly, ensuring that investors feel that
22 there's proper disclosure, that there is transparency, that
23 there is meaningful information that's disclosed in a timely
24 way is key to our markets working efficiently. Sarbanes-
25 Oxley certainly has been an important component of this; it's
1 not the only component of it.
2 And we've clearly not reached an endpoint; we're on
3 a journey, and the journey continues, and there will be other
4 things in the future for sure. But yes, I think that as a
5 principle matter from a policy perspective, Sarbanes-Oxley
6 and 404 have been helpful. I think what we have seen -- to
7 build on what Chuck just said -- is that about 15.8 percent
8 of the 2,900 reporting companies did disclose weaknesses in
9 year one; that dropped more than by 50 percent; it dropped to
10 about 6.2 percent in the second year.
11 At the Exchange, we have 189 companies that have
12 reported a weakness, about 6 percent of the reporting
13 companies cumatively over the time that we've been reporting.
14 And we have monitored the reaction of the market to those
15 disclosures, which has been extremely calm.
16 We would put that down to the fact that certainly
17 the definition of materiality is something that in prior
18 panels -- and I'm sure in this one will get some focus -- in
19 that everything that's being disclosed, given that the market
20 reaction is very calm, one would question whether or not they
21 really are that material.
22 I think the market is a pretty good arbiter of
23 materiality as a general matter. But fundamentally at the
24 end of the day, I think part of the reason that there has
25 been not too too much reaction in the market has been because
1 disclosure has been timely; it's been complete, and the
2 remediation has been included, and so the market has reacted
3 with great calm.
4 All of that said, we have to continue to focus with
5 great I think rigor and discipline on the fact that investor
6 confidence if the key component to the markets, and anything
7 that we can do to incent that is an important step.
8 MR. WHITE: Thank you.
9 Ms. Williams, you are on a lot of boards. What is
10 your perspective on where we are with investment -- investor
11 confidence?
12 MS. WILLIAMS: I think investor confidence is
13 certainly at a much higher level today than it was 3 years
14 ago. My sense is that the investors see that both the
15 management and the audit community, the external auditors
16 have taken the legislation very seriously.
17 I think everybody had a fairly steep learning curve
18 in year 1, and there was a lot of expenditure focussed on
19 getting systems in place that could monitor effectively the
20 work of the -- both the internal auditors and management as
21 well as giving the tools that the external auditors needed.
22 In all of my companies I'm very fortunate to have a
23 very strong internal audit team. And that's one of the
24 reasons I've been looking at and agreed with the earlier
25 speaker about the importance of being able to rely on the
1 work of others in this process.
2 And I think that the -- going forward, investors
3 will see that this has really become institutionalized. It's
4 not just simply something that we're doing for a short period
5 of time and then go back to the way things were. This is now
6 part of permanent law, and I believe that the management has
7 also been very serious about bringing the company into
8 compliance.
9 And I think in year 2, we will see, or we have seen
10 a reduction in the costs, both with respect to the external
11 auditor costs as well as to the internal compliance costs.
12 MR. WHITE: Thank you.
13 Commissioner Glassman, we'll go to you in just
14 moment. Let me just finish with Mr. McConnell on this same
15 question. You are obviously an investor, and I guess we
16 would like to hear the investor perspective on investor
17 confidence.
18 MR. MCCONNELL: Sure. Thank you, Mr. White.
19 We believe Section 404 is working, and it is early
20 days. Context is important. We were at a time in America
21 where we required heightened attention to the
22 responsibilities of the agents and the agency relationships
23 in our capital markets.
24 Some of the preliminary benefits that we're seeing:
25 enhanced transparency, higher quality financial reporting,
1 improved governance, fairly broadly defined, improved
2 business processes anecdotally in some of our investee
3 companies, improved management information that allows him to
4 possibly make better decisions. And all of this is
5 contributing to the investing public regaining confidence in
6 the U.S. capital markets. How do we know that?
7 A couple data points that sort of are helpful:
8 Clearly, market multiples have increased in the last 3 or 4
9 years which indicate a lower or lowering of equity cost of
10 capital. Stock price performance -- I think all of us may
11 have seen their earlier work by Lord and Benoint in the Wall
12 Street Journal this week, which is some fairly compelling
13 data that stock price performance of those companies that are
14 complying with Section 404 are significantly higher than
15 those that don't.
16 We've seen an increase in M&A activity and IPOs
17 since 2001, 2002. And Lynn Turner and his team at Glass
18 Lewis have done a good job of summarizing that in some recent
19 reports.
20 And then lastly, there's been some academic
21 research 2 years into the implementation of SOX 404 that can
22 in fact point to some data -- for issuers is decreasing.
23 MR. WHITE: Thank you.
24 Commissioner Glassman?
25 COMMISSIONER GLASSMAN: Thank you.
1 This is just a question to add to the other
2 questions as you're thinking about your answers. To the
3 extent that there are benefits and improved internal
4 controls, which I think there are, as you answer the
5 questions, can you differentiate if you can the extent to
6 which they're coming form the overall environment from 302 --
7 302906 certifications for management's assessments or the
8 auditors at this station or some combination? I'd appreciate
9 that. Thanks.
10 MR. WHITE: Okay. Well, why don't we move to the
11 second topic which is very closely related actually to the
12 first, which is really, how have investors benefitted from
13 404. I'd like to direct that to three more of our panelists,
14 Greg Jonas, Kurt Schact and David Warren. And how have
15 investors benefitted, and have those benefits come at an
16 acceptable cost?
17 Mr. Jonas.
18 MR. JONAS: Thank you. Appreciate the opportunity
19 to share some thoughts with you today. Let me address the
20 question first in terms of confidence and then address the
21 question directly in terms of specific benefits that
22 investors, creditors, in my case, enjoy from 404.
23 A number of people have addressed themselves to the
24 confidence question; let me do so through a creditor's lens.
25 If you go back to the dark days when the market was most
1 nervous about the quality of financial reporting, which I put
2 at October of 2002, credit spreads for investment-grade
3 companies were 2.5 percentage points over the Treasury rate.
4 And for corporate high-yield companies, they were a
5 whopping 10 percent over the Treasury rate. And those were
6 for companies who could get capital. The market shut, as you
7 recall, a lot of companies out of the capital markets in
8 those days.
9 In contrast, the credit spreads today are .85
10 percent points for corporate investment-grade credit and 2.8
11 percent points over the Treasury rate for a corporate high-
12 yield credit.
13 Now, clearly, that dramatic reduction between the
14 dark days of October and today we cannot all attribute to
15 404. But if only 10 percent of that reduction is due to 404,
16 put those numbers in your calculator, and you get a benefit
17 that is absolutely enormous.
18 So it is our believe that there are significant
19 benefits. We cannot exactly quantify them. And this is
20 unfortunate, but we can't, but that there are significant
21 benefits overall. We perceive it in our own practices; we
22 rate companies, and we certainly perceive it in the market
23 overall.
24 And with regard to specific benefits for investors,
25 we see that investors -- we think we see incremental
1 information from internal control reports relevant to the
2 risk assessment. And this helps investors price and allocate
3 capital.
4 It's our view that we see the market behaving quite
5 rationally to internal control information. We see that the
6 market in certain cases does react, and in some cases react
7 quite negatively to the news; whereas, in other cases, it's a
8 big non-event. That to me is a sign that the market is
9 different between troublesome times and not, and is a healthy
10 sign.
11 The second benefit is that -- and more direct
12 benefit -- is that investors enjoyed lower risk of a bad
13 investment that might result from bad numbers. Now there
14 surely is continuing risk of a bad investment because of bad
15 business risk, but there shouldn't be bad investments because
16 of bad numbers, unreliable numbers.
17 And it's our perception that investors are enjoying
18 the fact that the numbers are of higher quality today than
19 they were a few years ago, and we attribute some of that to
20 404.
21 The third benefit that we see -- and this is
22 anecdotal; whereas the first two I mentioned we have direct
23 experience with at Moody's. The third one comes indirectly
24 through comments that we're receiving from management of the
25 companies that we rate.
1 But managements are telling us that they are
2 learning some things about business risk management from
3 their improvement in financial control systems. If that's
4 true, then investors enjoy higher returns as management is
5 able to better manage their business risk.
6 MR. WHITE: Mr. Schact?
7 MR. SCHACT: Thank you, John. Nice to be back
8 here. Thank you for including us.
9 Obviously, we think the effect on the marketplace
10 has been very constructive. And I would point to a number of
11 different benefits. I'll give you my list in addition to
12 obviously to greater investor confidence which I think you've
13 heard many of year panelists talk about today.
14 But I think probably one of the most important
15 things that is it has changed behavior. It's sort of
16 embedded in the psyche all stakeholders in this debate the
17 notion of financial reporting and controls over financial
18 reporting, and that's a very serious and very significant
19 benefit to investors.
20 It's served as an important check on the competence
21 of financial reporting staff at the issuer. It has served I
22 think very well as a tool for detection and repair of
23 material weaknesses at companies. And I think it's served
24 its purpose as a deterrent to larger-scale accounting frauds
25 at a number of firms. So we see a number of important
1 benefits.
2 With respect to this notion of -- I think this
3 notion of competition and its effect on the markets in terms
4 of competition and costs, are the costs worth it? We've
5 talked about whether listings are falling behind. We've
6 talked about whether we're dampening entrepreneurial spirits
7 and innovation and job creation; is the cost of 404 too high?
8 And we would say that in the context of 404 that
9 it's not even a close call that 404 has served its purpose in
10 terms of detecting and fixing the holes and internal control
11 structures. It has solidly focussed the management staff, as
12 I've mentioned, on financial reporting. And the cost byte is
13 declining, and we think that trend is still lower.
14 MR. WHITE: Mr. Warren.
15 MR. WARREN: Yes. Thank you, John.
16 I just -- I think from my perspective as the CFO of
17 Nasdaq, I really do wear two hats in thinking about my
18 response to your question. One, as the CFO of Nasdaq, I
19 certainly have, pursuant to our charter, a responsibility to
20 the investor and for our 3,200 companies.
21 But I'm also the CFO of a public company that lists
22 -- and not surprisingly on the Nasdaq stock market -- but has
23 to comply with Sarbanes 404. So I've been through this now
24 for the third year. So when I talk to CFOs and CEOs, I have
25 sort of first-hand experience to relate to what I'm hearing.
1 And I also frequently talk to investors as well.
2 So what I think I can generally share with you in terms of
3 benefits and costs to the investors, yes; I would agree with
4 all of the statements that have been made. I think investors
5 general feel that Sarbanes has been worth it. We had better
6 financial statements; we have increased transparency; we have
7 increased investor confidence. I would not say anymore than
8 just sort of to agree and support those statements.
9 But I also feel that while the marketplace views
10 its importance I don't get any real evidence -- and a lot of
11 this is anecdotal, but certainly from my own experience --
12 that the market is necessarily rewarding or penalizing
13 companies for their work in Sarbanes.
14 I mean, they take comfort in knowing that the
15 financials are better, but if a company is a later filer and
16 they correct a deficiency or it they're gotten -- you know,
17 you can't tell if a company has gotten a real stellar opinion
18 on Sarbanes. They make the bar or they don't. So I think in
19 that regard, I think the investor community takes some
20 comfortable in the overall package of Sarbanes.
21 And I think to some degree the management
22 certifications and the processes that have been put in place
23 in sections outside of 404 are actually I think a much sort
24 of we don't focus enough on that. But I think there's a lot
25 of work that happened before 404 that added a lot of benefit
1 to financial disclosures.
2 And on 404, I think the part that investors sort of
3 least understand is the arider attestation process. They
4 don't quite see sort of how that works and how that's worth
5 the cost.
6 I'll just add two final points: And I do think
7 that they view generally that the costs outweigh the
8 benefits, and I think they understand that they fall
9 disproportionately on the smaller companies. And at Nasdaq,
10 we definitely, you know, talk to a range of smaller
11 companies.
12 I would also say that as CFO, in the last 16 months
13 or so, I have been out in the capital markets selling Nasdaq
14 stock on three different occasions. I have probably talked
15 to 150 investors in one-on-one meetings, small group
16 meetings, conference calls, large group meetings, and I have
17 never once been asked a question about Sarbanes-Oxley, you
18 know, good, bad or indifferent. It just simply does not come
19 up as a point of discussion as investors are talking to the
20 company and to management about our performance and about our
21 plans.
22 MR. WHITE: I see we have a couple of cards up, but
23 I -- just to get you thinking about a more drilling down
24 question here, and it really comes off of what Mr. Glassman
25 asked, and that is -- because the question is coming up a lot
1 for us -- is are the benefits that are coming from -- the
2 benefits that are coming to the markets -- are they coming
3 from the 302, 906 certifications? Are they coming from
4 management's assessment, or are they coming from the AS-2
5 audit?
6 And I realize the easy answer to that is some of
7 all of those. But if we could -- after we do the two cards
8 that are up, if we could, I'd like to come back and see if
9 anybody wants to weigh in on where those benefits are coming
10 from in terms of those three different areas.
11 Mr. Redman.
12 MR. REDMAN: Okay. I don't have the full
13 perspective of the entire market that some of the other
14 panelists do have. But from a banking industry, which is
15 highly regulated, I can say then when 404 was starting to be
16 implemented -- we do about six investor conferences and road
17 shows around the entire country, and probably close to 100
18 different investors and small groups and large groups, and
19 the only questions we got were, how much is it going to cost
20 you, and will you complete it on time.
21 And not if the internal controls are okay, just,
22 will you complete the documentation on time. And that's
23 where the questions. And since then in 2005, the other --
24 the only questions were, "Are you going to save any money
25 from the prior year?"
1 I can't remember any questions regard -- in terms
2 of internal control. And I think that may be directly
3 related to the banking industry which has had FIDUSHA since
4 1993. And for us there's a lot of duplication in that
5 regard. So from a personal perspective, we just have not
6 seen the interest in the investor community.
7 MR. WHITE: Mr. Pozen.
8 MR. POZEN: Thank you.
9 Before I came here yesterday, I went and talked to
10 the analyst at MFS to get a sense of what they thought. And
11 on the cost side, they're totally hard costs which include
12 the auditors' fees and other things. But they emphasize that
13 to them the two costs that they were concerned about more
14 were management time that's put into the process and impacts
15 or potential impacts on corporate restructurings.
16 I think one of the Q&As deals with mergers and
17 allows a delay. But if you had an IPO tomorrow and you were
18 on a calendar-year basis, you would still have to file with
19 your first 10K which would mean in, you know, February and
20 March of 2007, your internal controls report, and that's very
21 different for companies that are going through an IPO.
22 Or if you had a spinoff or various restructurings
23 where companies had to restructure their internal controls,
24 there isn't a deal, and so that's a particular cost that the
25 Commission could deal with in the way they're dealt with
1 mergers by allowing some delay in that case.
2 As to the benefits, I think it's hard to say -- I
3 mean, I guess I'm a little skeptical that we're sort of that
4 multiples and all IPOs and all are result of 404. We have
5 had the best corporate earnings growth we've ever had in the
6 last few years, so that obviously helped stock prices. We
7 came out of a business cycle. We had 9/11. I mean, there
8 are lots of factors, so I would be very hesitant to attribute
9 all of these good things to 404.
10 I think if we want to see what 404 does, it's
11 mainly in the reporting. The only way the analysts see 404
12 if when there is a material weakness that's reported. So
13 from their point of view it's the statute says, "Adequate
14 internal control structure and procedure for financial
15 reporting." And for them it's all in the financial
16 reporting. And when they define materiality, they mean it in
17 the traditional sense of a significant impact on the entity
18 level.
19 The problem I think that we have is that when
20 various things have come out from the audit board there have
21 been I guess two different perspectives on materiality. One
22 is at the entity level; the other is at the individual
23 account balance level.
24 From the point of view of analysts, it's irrelevant
25 what happens at the individual account balance level because
1 it doesn't show up in terms of the financial reporting. It
2 may have to do with the infrastructure and that it can build
3 up. But what they're mostly interested in is traditional
4 financial materiality on the whole entity level.
5 And if there is a report of material weakness, I
6 think the reason why we're seeing a difference in market
7 reaction is because some reports of material weakness,
8 especially those accompanied by financial restatements are
9 materiality in the traditional financial sense, and the
10 market reacts to that.
11 But to the extent that it's more in the details,
12 more in the individual account balance, this may be an
13 infrastructure issue. It could ultimately lead to some
14 problems. But from an analyst's point of view it's not going
15 to the financial reporting, so it doesn't go to the stock
16 price ultimately.
17 And I think that you could say the same thing about
18 significant deficiencies. Significant deficiency may occur
19 in the company, but the analyst never, you know, hears that,
20 so the analyst isn't being reported that, so that's something
21 the company has to deal with.
22 But the analyst impact -- the analyst perspective
23 is all on material impact on the financial basis, and so I
24 think we have to say that the benefits of this -- of 404 in
25 particular -- are on the general confidence, but on the
1 particular reporting of material weakness and what
2 information is contained in that report.
3 MR. WHITE: Okay. Just one clarification: I think
4 the way, if you parse it through a calendar year 2006 IPO
5 doesn't have to do 404 until 2008. But also a calendar year
6 2007 IPO has to do it in 2008. So you're right, there's a
7 problem, but it doesn't kick in for another year.
8 MR. POZEN: I'm sorry. Okay. You're correct on
9 that. But you would have an accelerated filer that did a
10 spin-out in 2006.
11 MR. WHITE: You still wouldn't get picked up.
12 MR. POZEN: You wouldn't get picked up until 2007,
13 until 2008?
14 MR. WHITE: Correct.
15 MR. POZEN: Even if it was an accelerated filer who
16 was already filing 404 reports?
17 MR. WHITE: I --
18 MR. POZEN: Anyway. It's a technical question.
19 MR. WHITE: But anyway, before we get on to the
20 material weakness discussion and the disclosure discussion,
21 let's go back to the question I asked a moment ago, because I
22 know that is a matter that a number of us we really like to
23 hear about of whether you think the benefit comes from the
24 certification, the management assessment, the audit or just
25 some of all of them.
1 Mr. Lyons.
2 MR. LYONS: Yes. Thanks, John.
3 The answer is, we don't know, because all of these
4 factors kicked in at roughly the same time. There clearly
5 seems to be much better investor confidence, and they're all
6 affected it. And I don't have any question that 404 has had
7 a positive impact on investor confidence.
8 And I've looked at the econometric studies. None
9 of them really convince me that they demonstrate the positive
10 benefits of 404, and it's not because people aren't trying.
11 I think it's just very hard to construct and appropriate
12 econometric model that really kilters out all of the things
13 that are going on in the marketplace. I applaud the people
14 who are trying, but it's very tough stuff on limited info.
15 I would just say that from our perspective in terms
16 of dealing with our clients, the question I would say is
17 what's had the most impact on client behavior and clients
18 having the right tone at the top and being rigorous about
19 financial reporting.
20 And I would submit based anecdotally on the
21 evidence that my partners and I see that the two things that
22 have driven most of the behavioral change, largely positive,
23 have been 302, 906, which I have to say really focussed
24 people's minds.
25 I mean, CEOs and CFOs were very focussed on that,
1 and that filtered through the organization because they
2 wanted to make sure their people were supporting what they
3 were saying.
4 I'd also say that we've seen very positive
5 developments in the way boards are behaving and the way audit
6 committees are behaving, and that's been happening at the
7 same time. And I would submit that that has had -- I've seen
8 that in Audit Committee meetings I attend. And the way CFOs
9 and chief accounting officers interact with their audit
10 committees, I would say anecdotally I've seen that affect
11 behavior within companies, within issuers, far more
12 substantially than 404.
13 That doesn't mean 404 hasn't been positive, but our
14 anecdotal evidence would say that it's really the first two
15 factors more than 404 that has had a more salutary effect;
16 all positive, but that's more bang for our buck there I would
17 argue.
18 MR. WHITE: Mr. Jonas.
19 MR. JONAS: Our take is that 302 was a home run for
20 all the reasons that Peter just mentioned. So what I'm about
21 to say sounds like I'm slamming 302, and I'm not.
22 We did three tests to see to what degree 302 could
23 stand on its own as a solo act or whether we need auditor
24 involvement with 404 to supplement it. The three tests were,
25 first, we looked at how many 302 material weaknesses did we
1 see before 404 became effective. And the answer is, not many
2 relative to the number that surfaced under 404.
3 A second test was, for all companies that report
4 404 weaknesses, how much before that did a 302 disclosure of
5 that weakness get reported. And the answer is not much
6 before.
7 And then the third test related to smaller
8 companies. We compared the number of material weaknesses
9 flagged in 302 disclosures by small companies not yet subject
10 to 404 versus those for small companies that are subject to
11 404. And guess what? A whole lot more are surfaced in the
12 404 process than in 302 in that test as well.
13 What this tells us is it is not the 302 is bad and
14 not working. Instead it tells us that problems surface when
15 auditors are involved. I think we should view this as
16 healthy. This is not a bad sign; it's a good sign. It's
17 just that we think that auditor involvement adds essential
18 discipline, skepticism, inconsistency to the process.
19 MR. WHITE: Anyone else want to weigh in on the
20 question?
21 Mr. Bowsher.
22 MR. BOWSHER: I think they really fit together. In
23 other words, I think if you have 302 without 404, you are
24 asking people to sign certificates where they -- especially
25 in large organizations, they don't have the foggiest idea
1 whether they got problems down there in the organization.
2 I remember discussing this with Paul O'Neal, when
3 he was Secretary Treasury, when the law was being passed and
4 signed. And I said, "Both you and I have been served as CFO
5 and CEO of very large organizations, and until we got the
6 controls in place and got them checked out, we didn't know at
7 the top whether we were in good shape or we weren't in good
8 shape. And the idea that you'd have to sign a certificate --
9 "
10 So I think you really have to look upon this as a
11 package deal. And I think the only problem, as I said
12 earlier, is I think we've gotta get -- and I was even saying
13 to Mr. Glassman that I think it's important to have the audit
14 piece in there, but you've gotta get it more effective,
15 especially cost effective than it is today. But I truly
16 think any idea of dropping the audit or the 404 and keeping
17 302 would get you back into what Greg was just saying, and
18 you're going to see a lot of problems come up eventually.
19 MS. STACEY: Could I just follow up with what Greg
20 had talked about a minute ago on the 302s certification and
21 the lack of disclosure on material weaknesses? We had issued
22 some guidance fairly early on that told companies as they
23 were going through the process the first year of doing 404
24 assessment that they needed to think about whether they
25 should be providing disclosure if they come upon material
1 weaknesses.
2 And the reason being that they may be remediating,
3 them by the time that they actually have to report. So we
4 put it back to them in the guidance and said, "If you believe
5 it would be a material omission not to provide that
6 disclosure then you need to provide it. Otherwise it's your
7 judgment." Do you think that that contributed to a lack of
8 disclosure in the 302 certifications, or do you really think
9 that they just should have been disclosing them and they
10 weren't?
11 MR. JONAS: No. I was not trying to make the
12 impression that no one -- that people are not complying with
13 the rules and that 302 isn't working. That wasn't my point
14 at all. It's just that the discipline of 404 is at a
15 different level. And that discipline seems to be helpful
16 because it's that discipline that's surfacing a bunch of
17 incremental issues that at least we in our shop have found to
18 be useful information in the rating process.
19 MR. WHITE: Mr. Bowsher.
20 MR. BOWSHER: I was just at an Audit Committee
21 meeting this morning at a very large nonprofit, and they were
22 doing 404 and 302 for the first time. And one more time, one
23 of the big things that comes out is if you have a delegation
24 of certification within a large organization so that not only
25 are the CFO and CEO certifying but the heads of the key units
1 of your organization and that, so you've really pushed this
2 whole system down and make it a part.
3 And I remember serving on the American Express Bank
4 when they had just a fiduciary in there. And when we got
5 that working properly on a worldwide basis, we really got rid
6 of some of the problems that we had been living with.
7 So I think it's the way that it's actually
8 implemented as a total package really works well. And so
9 this idea that you could do away with some of the parts of it
10 that maybe are costly, but actually I think if you get it
11 efficient they're not very costly. And it's important to
12 keep it all together.
13 MR. WHITE: Okay. I'll move to the next topic
14 which is the -- I guess I will call it the disclosure topic.
15 And I'll start the question with Mr. McConnell and then I
16 guess back to Mr. Pozen and to Mr. Jonas, if I can.
17 When I say the disclosure question, I'm focussing
18 now on the actual disclosures that are made about the result
19 results of the 404 work, which is basically a disclosure that
20 you have ineffective internal controls. And then usually
21 there's a lot of surrounding disclosure disclosing the
22 material weaknesses, and sometimes the remediation and what
23 caused it.
24 And so I guess my question really is, do investors
25 understand what a material weakness is? Is the disclosure
1 that's there, the kind of disclosure that is useful, should
2 there be more disclosure, less disclosure, but just focussing
3 on the kinds of disclosure that are being made about what
4 comes out of the 404 process?
5 Mr. Jonas, do you want to start?
6 MR. JONAS: First, we do try to distinguish between
7 problems that we should -- that are rating relevant versus
8 problems that we feel are not. So it is important in helping
9 us distinguish that the disclosure be adequate for us to
10 apply our criteria.
11 And we put controls into two broad buckets; A for
12 acceptable; B for bothersome. And what we're finding is
13 having -- we have no problem based on the current disclosure
14 in bucketizing these control problems into categories that we
15 think are rating relevant.
16 So from that standpoint that I think it is very
17 positive. We have taken rating action in the last year on 29
18 companies because of control issues. And the rating action
19 wasn't solely because of control issues. In each case there
20 were other factors involved as well. But control factors
21 definitely played a part in the decision.
22 Today, we're publishing research that outlines in
23 more detail than anybody cares to see about exactly what we
24 did and why. So I -- my overall perspective is that the
25 control disclosures are good to help us supply the
1 methodology that we're trying to imply. My impression also
2 is that the market does understand generally enough about
3 what a material weakness is.
4 Let me though move to two criticisms that I have,
5 despite having enthusiasm for the overall quality of
6 disclosure. These criticisms are, to us anyway, are
7 important. The first is I really think we need to turn up
8 the noise on controls that prevent and detect fraudulent
9 financial reporting.
10 We're here today because a relative handful of
11 large public companies, managements, decided a few years ago
12 to cook the books; that's why we're here. And making sure
13 that that never repeats in anywhere near the volume and
14 magnitude that had occurred it has got to be job one of the
15 whole package of Sarbanes-Oxley reforms, and in particular
16 the 404 area.
17 And when we look at the amount of noise we see in
18 the public disclosure about fraud-related controls it's rare;
19 it's very rare. And only -- of the companies we rate, in
20 only four cases do we see controls that are directly related
21 to fraudulent reporting.
22 And in all four cases, the companies had a
23 fraudulent reporting event that had occurred in the previous
24 year. So obviously, you know, this is a decritical area.
25 And it would just give us more comfort to know that folks are
1 really working at these fraud-related controls. And it's
2 just a little different to believe that apart from these four
3 companies in our rating universe that nobody else had, you
4 know, bad tone and the other mission critical aspects of
5 fraud-related controls.
6 The second criticism that I would offer is, I think
7 our disclosures about material weaknesses have become, maybe
8 inadvertently, backward looking rather than forward looking.
9 Our original notion on 404 was that they're kind of leading
10 indicators of companies that are at risk of financial
11 reporting problems.
12 So it's kind of like, you know, you're telling the
13 patient, "Well, we see some high blood pressure here, and
14 that could lead to a heart attack, so let's get after some
15 remediation before we have a heart attack."
16 But if you look at what is being disclosed about
17 material weaknesses, in all but a handful of companies, there
18 has been a train wreck in financial reporting that has
19 occurred, either a restatement for errors or material audit
20 adjustments that arose in the audit process. There's been
21 this train wreck prior to reporting a material weakness,
22 which means that the disclosures are backward looking.
23 We're saying, you know, the patient had a heart
24 attack, and by the way, the patient had some high blood
25 pressure. Now we're hopeful that under this radar screen of
1 public reporting is the hard heavy lifting of forward looking
2 work on controls.
3 Tom, you called those significant deficiencies.
4 Hopefully, I guess, that work is the forward looking work.
5 But we're not seeing forward looking disclosures, and it is
6 making us a little nervous. I would hope that as time goes
7 on we could get increasingly focussed on the preventive
8 nature of controls and have some disclosures in the absence
9 of a train wreck in reporting.
10 MR. WHITE: Mr. McConnell, are you happy with the
11 disclosures, or do you have comments on the -- we're talking
12 about the actual content of disclosure now.
13 MR. MCCONNELL: I understand. It's actually a very
14 good question that's being asked for a good reason. And by
15 and large, people that sort of are at the -- of investing
16 such as ourselves or perhaps some people at Mr. Pozen's firm
17 or Fidelity or other mutual funds, we're certainly not all
18 trained in the technical aspects of accounting, and sometimes
19 these disclosures can be overwhelming for us.
20 Now, fortunately, I think we're economic creatures,
21 and we will seek third-party advice either our accounting
22 firms or some in-house expertise to answer that. However,
23 that should -- the fact that you're asking the question
24 should not suggest that we ought not try to provide better
25 guidance and better disclosure to more of those that are at
1 the -- of deciding the buyer/seller security tomorrow based
2 upon what was released last night to help us better
3 understand without seeking third-party advice.
4 Because by and large, I think most people that are
5 making those decisions aren't as trained in the technical
6 aspects of the types of issues we're discussing here. So any
7 help would be helpful. We'll still figure it out as best we
8 can on our own. But the mere fact that you're asking the
9 question in a forum like this would suggest that there's some
10 improvement that could be made.
11 MR. WHITE: Mr. Pozen, do you have more to say on
12 this, or is your earlier material weakness discussion already
13 it?
14 MR. POZEN: I'll say a few more words. I think
15 these disclosures could go a little further. I mean, what
16 the analyst is really trying to ascertain is whether this
17 disclosure is financial materially or whether there is more
18 or less a technical problem, and that's what I think you see
19 the markets reacting to. And to the extent that a disclosure
20 is accompanied by financial restatements then it's obvious.
21 But I think that there clearly are disclosures
22 being made of material weaknesses that are more technical in
23 nature. The companies will say that there are timing issues
24 or they're about to fix these things or these sorts of
25 things. So I think that it would be very useful to explain a
1 little more about whether this was in the nature of something
2 that was a technical accounting issue or whether it was
3 something that really went toward a financial restatement.
4 I also agree with the suggestion that there be more
5 remediation and more future looking information, because I
6 think that's what a lot of analysts want to know; is this
7 going to lead to a problem down the road.
8 And finally, the analysts tell me it's very
9 difficult when they approach the CFO and say, "Can you give
10 us a little more about this disclosure," that usually the CFO
11 is very reluctant to say anything, and usually says, "Well,
12 if I tell you, I have to tell the whole world. And I've told
13 the whole world exactly what I want in the disclosure."
14 So I think that that disclosure is pretty much all
15 the analyst ever gets.
16 MR. WHITE: Ms. Williams, you've been waiting very
17 patiently over there.
18 MS. WILLIAMS: I would add that the content of any
19 disclosure in this context very much will reflect the culture
20 of the company. I am very fortunate to sit on boards where
21 we have an open-door policy. And if I see something or if
22 the internal auditor or the external auditor comes to me with
23 an issue, we put it on the table and we discuss it. And in
24 making the disclosure, we provide as fulsome a description as
25 our lawyers will let us do, and that's another component of
1 it.
2 But I do think that 302 has helped companies, and
3 I've seen it, to really look at their operational
4 effectiveness. And much of the money and implementation of
5 404 has gone to creating a better operational environment so
6 that if a problem arises it's caught at an earlier stage.
7 And it may be a significant deficiency but it's not a
8 material weakness.
9 MR. WHITE: Chairman Cox.
10 CHAIRMAN COX: Thanks.
11 The focus and indeed the title of this panel is
12 "The Effect On the Market." And I think we've done a good
13 job of fleshing out many of the aspects of what that implies.
14 One of the things I'd like to hear a little bit more about is
15 the international context, and specifically how you all judge
16 the importance of harmonization of our 404 requirements with
17 the norms of other high standards countries, and what is the
18 consequence of not doing so?
19 MR. WHITE: Well, that actually was our next topic
20 to go to the international question.
21 CHAIRMAN COX: Oh, good. Great.
22 MR. WHITE: So I guess -- I think we should
23 probably start with the stock exchanges to comment first. I
24 don't think, would either one of you like to go first?
25 Mr. Warren.
1 MR. WARREN: I'll be happy to go first.
2 The question is it right on the money. I think we
3 all see the problem. We see certainly a number of, you know,
4 when I talk to my colleagues in London who are working to get
5 companies to list in the U.S., I think despite the benefits
6 of the U.S. capital markets, we see a number of them that are
7 not listing in the U.S. for all of the reasons we've
8 discussed.
9 I think, you know, we've seen various surveys on
10 this. I think that a couple of things I think need to and I
11 think can occur simultaneously. One is that I think our own
12 reforms of Sarbanes-Oxley will start to go a long way to
13 muting a lot of the criticism and a lot of, if you will, the
14 marketing appeal that is being used against our capital
15 markets to get people to not list in the U.S.
16 So I think the work that we do to reform that
17 certainly dulls the arguments that people are making to list
18 on foreign exchanges.
19 I think the second part -- the part of your
20 question in terms of how do we begin to sort of look at
21 harmonizing standards around the world is an important one.
22 And, you know, I think at this point I don't think any of us
23 have any foreign views on it, but it clearly the next step.
24 So without getting into a whole lot of specifics, I think
25 we've got to try to reform what we want to have happen and
1 then try to work to see if we can't make that more sort of
2 universally understood by other regulatory agencies around
3 the world.
4 MR. WHITE: Ms. Culhane. Let me just focus the
5 question a little bit more as well. Is 404 effecting the
6 competitiveness of U.S. markets? Is the cost of capital
7 going -- for U.S. companies going up compared to our foreign
8 counterparts?
9 MS. CULHANE: Well, let me just provide some data
10 points that I think will be illustrative in terms of the
11 capital markets over time and what we see as a matter of
12 capital raising as in the registered -- as a registered
13 issuer in the capital markets.
14 If you go back just a few years, back to 2000, and
15 you look at the 10 largest global IPOs, nine of them
16 registered in the U.S. capital markets and raised money here.
17 If you look last year at 2005 and you look at all
18 of the companies that raised over a billion dollars, there
19 were 24 of them; 23 of them did not register in the U.S.
20 capital markets, although most of them did do private
21 placements in the U.S. capital markets, so they're accessing
22 the U.S. investor but circumventing the requirement for
23 compliance with governance standards. And I think that's a
24 very serious thing that needs to be considered and dealt
25 with.
1 If you look at the capital raised, 224
2 international companies accessed the U.S. capital markets,
3 and they raised $89 billion; I believe the number was 89.
4 But 189 of them did not do so as a registered matter; they
5 did so in private placements.
6 So only 5.7 percent of the dollars raised were
7 raised through the capital markets as a matter of being a
8 registered, listed entity. The rest of it was all private
9 placement. So I think it's pretty irrefutable that there has
10 been a big sea-change here and that while the U.S. investor,
11 the breadth and depth and liquidity of the U.S. investing
12 pool, the 90 million investors in the United States remain a
13 very attractive target to global companies looking to raise
14 money. They are disinterested in doing so while complying
15 with the U.S. governance standards.
16 Now, at the same time I have to say, that when I
17 travel around -- we're talking not only to issuers in trying
18 to attract companies to our market, and of course, my
19 competitor is sitting at the other side of the table, but
20 we're very much joined at the hip in this regard in that -- I
21 think the real issue here is not within the U.S. markets but
22 the U.S. markets as an entity.
23 You can look at what's happening in London. There
24 are now 1,500 companies listed on AIM, and a third of those
25 that listed in 2005 were non-U.K. companies. You can look at
1 the U.S. companies and see that 30 of them are now listed on
2 AIM. There was another announcement yesterday of a company
3 that raised I think $80 million, a tech company, a U.S.
4 company that's listing on AIM.
5 And this is precisely because they wish not to have
6 to comply either as a matter of cost or as a matter of
7 resources, or if look to Asia increasingly is a matter of
8 concern with litigation and what they consider to be just too
9 much litigation in our country and within our markets, and
10 they find that to be problematic, not just as a matter of
11 cost but as a matter of loss of face and personal liability.
12 So I think the combination of these factors say
13 that the U.S. capital markets which have long held the
14 premium position of the number one markets in the world are
15 now being faced with something that we haven't faced before,
16 and money is obviously -- capital is global.
17 We can look at other issues that have pressed on
18 this, by the way. I mean, I think the combination of markets
19 in Europe, the introduction of the Euro as a currency, has
20 created a much deeper pool of liquidity there, so there are
21 other places: Hong Kong. I mean, we've seen places like
22 China Construction Bank raise $9 billion listing in Hong
23 Kong; that could have never happened 5 years ago; it just
24 would have never happened.
25 So to the first part of Chairman Cox's question,
1 yes, I think there has been an impact on the competitiveness
2 of the U.S. capital markets; that's not to say that we don't
3 support good governance; we think it's critical. It's not to
4 say we don't support 404, because we think that's critical as
5 well as 302 and 906 and other components.
6 But it is to say that there is a change under way
7 here. And to use the analogy that Greg used a minute ago,
8 you know, you want to sort of seek the signs and take action
9 before the patient's dead. This would probably be a good
10 place to use that analogy.
11 I will say however that there are very strong
12 benefits for coming to the U.S. capital markets as a
13 registered issuer and lister. And there are studies, a
14 recent one by Carolli that points to significant premium
15 invaluation by being registered in the U.S.
16 And this is a study that compares companies listed
17 in their home market who did private placements in the U.S.
18 versus companies listed in their home market who did
19 registered issuances in the U.S. And there's a significant
20 valuation premium for those that were registered. So there
21 are many benefits that can accrue to companies, but the cost
22 has to be better aligned with the benefit in order to
23 redirect that flow of registered capital back to the U.S.
24 capital markets.
25 MR. WHITE: That was the study that had the 30 pet
1 number in it? Is that the --
2 MS. CULHANE: Yes. So the Carolli study looks at
3 about -- it's thousands, maybe 9,000 or so companies over a
4 several year span. And it does vary by geography. But it is
5 on average over 5 years, about a 31 percent valuation
6 premium; yes, that's the study.
7 MR. WHITE: Okay.
8 Mr. Pozen, on the international question.
9 MR. POZEN: Yes. I think it's that people ought to
10 think about a potential contradiction between the studies
11 that are showing that Section SOX and 404 reduced the cost of
12 capital to issuers and increase multiples and the fact that
13 these issuers are choosing not to list in the United States,
14 some of them even U.S. companies.
15 I guess it seems that it may be -- I guess you
16 Wednesday have to argue that there was some economic
17 rationality going on that companies wanted to avoid reducing
18 their cost and capital and their multiples. So I think the
19 question suggests that it's much more complicated this
20 relationship.
21 And the other thing is -- we see going on in Europe
22 and the U.K is we see more of a flexible approach and more of
23 a optional approach. You have guidelines that are put
24 together in which companies have some internal control
25 obligations, and their reporting obligations, their audit
1 attestation is more or less left up to a guideline.
2 So we actually have -- we're going to generate some
3 date, and that is if it turns out that there is an optimal
4 mix of internal controls and auditor review, then presumably
5 more and more companies in the U.K and Europe will go to that
6 model, so that will tend to tell us something. So I think we
7 ought to look carefully at those models and see where do, you
8 know, optimizing management tend to find that combination.
9 MR. WHITE: Mr. Lyons as a cross-border M&A lawyer.
10 MR. LYONS: Well, we have seen a precipitous drop
11 off in the interest of our OUS clients, and frankly, most of
12 the clients I work with are form outside the U.S. In our
13 firm, that's a great percent of what we do. And I think
14 that's directly related to 404.
15 To tie it back to what Commissioner Glassman said
16 before, when we started to see our clients' behavior change -
17 - they didn't like -- the OUS clients, they had -- they
18 didn't like 302; they didn't like some of the other parts of
19 Sarbanes-Oxley because it was a little inconsistent with what
20 they were doing.
21 But we didn't see them start to vote with their
22 feet until they had to stare down the barrel of 404. And
23 then we started to see exactly what Noreen was talking about.
24 We didn't see our clients registering in the U.S. for IPOs.
25 They were going to do -- they'll do a London listing and 144-
1 A or Hong Kong and 144-A. That became the overwhelming norm.
2 And that was a direct impact of 404.
3 Now these clients presumably, if they believe that
4 the U.S. capital market -- that the regulation under 404
5 provides them a higher multiple, then they ought to want to
6 list here, unless they conclude that the hit to EPS from the
7 incremental expenses is going to out weigh the improved
8 multiple, that is implicitly what they have concluded.
9 Otherwise to say what Mr. Pozen said, otherwise,
10 they'd be behaving irrationally. Now, whether that
11 conclusion is correct is not clear, but that's clearly the
12 conclusion that's been made in Europe. And it's been more
13 pronounced in Europe, somewhat less than some of the emerging
14 markets; perhaps because frankly the systems over there,
15 while they're not the same as ours, I don't think any of us
16 could argue that many of their systems are reasonably robust;
17 whereas in some of the other markets, they may perceive that
18 they get more uplift from coming into a U.S. registration in
19 some of the other markets gives a little bit more boost.
20 And so what we've seen anecdotally and I think is
21 consistent with the statistics is that in Europe very few of
22 them are going to list in the U.S. And, you know, I think
23 there's not as much of a clamor for deregistration as there
24 was, but there's still an undercurrent, and there still are
25 major European issuers who will look to deregister from the
1 U.S.; I think that's a bad thing.
2 But, you know, that will continue unless we can
3 demonstrate to them that the benefits to their stock price,
4 that their cost of capital from 404 outweigh the costs. And
5 the problem with that is that the costs are much easier for
6 them to quantify. You know what the -- you know, you don't
7 know it for sure, because some of it is ours, but they run
8 the numbers, and they'll know what those costs are. The
9 investor confidence, it's much harder to prove. And the fact
10 that they're not coming here demonstrates they don't believe
11 it.
12 MR. WHITE: Mr. Bowsher.
13 MR. BOWSHER: I've been working with foreign
14 companies for nearly 50 years. And I remember every time we
15 had a reform in this country that they thought we had gone
16 over board, and they were reluctant to bring it to them, but
17 most of the time eventually we did. I can't tell you how
18 many times I've heard over the years that "the wedding we
19 never wanted was an SEC in our country," you know.
20 But most of them have got something that looks
21 somewhat like an SEC today. And I think that's sort of
22 happened just as Peter I think was saying there. But I think
23 one of the other things that's going to happen too and that
24 is when the really big companies overseas.
25 I've been working with one of the big ones in Japan
1 -- when they finally do the Sarbanes reforms and the 404 and
2 the 302 and everything like that, and actually get it done
3 because they're been able to delay it here, that's going to
4 have a big impact on their business community when they see
5 the prominent companies of those countries complying, getting
6 it done and everything like that. It's always been a trend I
7 think overseas. And so I think we will definitely see a
8 period here.
9 I think also in the private equity world, there's
10 no question, there's huge amounts of money today going into
11 private equity. And they can enjoy not having to do
12 quarterly reporting and everything else that goes with being
13 a private company.
14 But a lot of those companies are going to come out
15 of private equity at some point; they're going to be sold
16 into the market. That's how those guys get their money back.
17 And so you're going to see a lot of them in the big capital
18 market arenas at Nasdaq and the New York Stock Exchange; it's
19 just a matter of time.
20 MR. WHITE: Thank you.
21 PANEL FIVE - NEXT STEPS
22 MR. WHITE: I guess I'd like to move to the fifth
23 topic that has been assigned to this panel from the agenda,
24 and that is alternative models or "Alternative Structures of
25 how we might achieve I guess the results of 404, but doing it
1 I guess different than it's now set up with the management
2 assessment and the AS-2 audit to go with it and how we can do
3 that and still achieve the goals of investor protection and
4 helping the markets.
5 Mr. Redman, do I turn to you first on that?
6 MR. REDMAN: Okay.
7 Again, I'm speaking on the perspective from the
8 banking industry and also from some of the smaller banking
9 institutions, but the ones that have still had to file with
10 Fidusha since 1993. And as required under that, we've been
11 doing annual management assessments of an internal controls
12 and had management and auditor attestations for over 10
13 years, and one of the suggestions would be that for highly
14 regulated companies, talking about amending AS-2.
15 And some of the prior panels today talked about
16 incorporating some of the guidance of last May into amending
17 AS-2. And if we were to do that possibly amending AS-2 for
18 highly regulated companies to remove the requirement of the
19 auditor's opinion on management assessment effectiveness of
20 internal control for those types of companies.
21 And with that, possibly instructing the external
22 auditors on how management reaches its conclusions on
23 internal control to audit that rather than the attestation
24 and other considerations: giving the external auditors more
25 latitude and direction in terms of the review of 404
1 documentation, including utilization of a company's internal
2 auditors who are not involved in a direct documentation of
3 the internal controls.
4 Another thing that was mentioned at a prior panel
5 was either lengthening or rotating the testing cycle of
6 noncritical controls as well as taking a look and giving the
7 auditors discretion in latitude when they are auditing an
8 entity that has demonstrated superior governance and risk
9 management over time, getting away from the 1-year everything
10 has to be done completely at that time.
11 MR. WHITE: Okay.
12 Did anyone else want to comment on alternative
13 models?
14 Ms. Williams.
15 MS. WILLIAMS: I would second Mr. Redman's
16 suggestion. I'm also involved with a financial services
17 company as well as a regulated utility. And I think that
18 there is room there for looking to the checks and balances
19 that already exist within those particular areas of the
20 economy to perhaps make some adjustment to the current SOX
21 requirements.
22 One of the things that I've found is that the
23 internal auditors -- if you've got a good internal auditor --
24 they are in my case accountable to the Audit Committee. And
25 we get information from the internal auditors that I think is
1 very helpful in ferreting out problems at an early stage.
2 And I think to the extent that that could be used in other
3 companies, it's a way of achieving what you're trying to
4 achieve within 404 without having to add another layer of
5 review.
6 MR. WHITE: Thank you.
7 All right. Well, my clock tells me we have about 2
8 minutes, so, Mr. Pozen, I think you're going to get the
9 concluding remark, unless you do it faster than 2 minutes in
10 which case, we'll let someone else --
11 MR. POZEN: I think what we've heard is from the
12 point of view investors the key question is what's the impact
13 on financial reporting, and that's mainly at the entity level
14 of controls and fraud controls, and it also relates to
15 material weaknesses as opposed to significant deficiencies.
16 So I support what Monty said is, if we could have a
17 cycle, a sense of a cycle where every year we focussed on
18 entity level controls that were directly related to financial
19 reporting and fraud issues and things that went more toward
20 individual bounds controls and significant deficiencies as
21 opposed to material changes in the financial statements, it
22 seems to me that's the way to get where you want to get to
23 and reduce some of the cost.
24 MR. WHITE: Something has happened here. Both of
25 the stock exchanges have got their tent cards up.
1 Mr. Warren.
2 MR. WARREN: Well, I'll be brief. I just would add
3 to what's been said today that I think that Nasdaq certainly
4 supports the work that was done by the Advisory Committee on
5 Small Public Companies. And I think there is movement now in
6 establishing a framework for smaller companies, and that will
7 be very, very productive work. And we would just encourage
8 that to go forward and to look at the breadth of those
9 recommendations and try to advance those in a way that, you
10 know, really makes sense for smaller companies.
11 MR. WHITE: Ms. Culhane, the last comment.
12 MS. CULHANE: Just one brief comment: And this
13 goes back to something Commissioner Glassman said earlier
14 when she encouraged us to think about the impacts of 302 and
15 906 and as it relates to 404.
16 And I would just make a comment on, all of the
17 commentary up here has been very interesting, and
18 particularly those very sophisticated investors seated at
19 this panel who have talked about going to subject matter
20 experts to get interpretations of what material weakness
21 disclosures really are and mean and how it might or might not
22 be impactful to the company.
23 And I think -- I can't help but think of the poor
24 retail investor out there who doesn't have a subject matter
25 expert at their elbow, who doesn't really have a place to go
1 to get real meaningful information that could be helpful to
2 them as they think about where they're going to invest their
3 hard-earned money.
4 So the comment I would make is that I think while
5 there's no quantitative way to say whether the attestation of
6 senior management is more or less important than the focus on
7 financial controls in 404, they're both clearly aligned; they
8 are complementary; and they're both important.
9 But at the end of the day, the retail investor
10 looks at, as Greg said, the reason we got here, the Enrons,
11 the WorldComs, the Adelphias. And really and truly it was at
12 the top of the company that those problems instigated from.
13 So I can't help but think that the retail investor is very
14 comforted by the fact that CEOs and CFOs have to attest now
15 to what it is that they are putting out there disclosing upon
16 which these people are making investment decisions. I just
17 didn't want the poor retail guy to get lost in this
18 discussion.
19 MR. WHITE: Okay. Well, thank you.
20 And I would like to thank all 10 of the panelists.
21 This was a very enlightening discussion. The planners for
22 this roundtable have allocated just a 5-minute break now, not
23 the usual 15. I don't know how to explain that, but we
24 should be back at 4:20 to continue with the "Next Steps"
25 panel.
1 Thank you.
2 MR. RAY: Good afternoon, once again. We have
3 finally the final panel of the day. Welcome, our final
4 panelists. So far, we have learned a lot about specific
5 experiences that people have had implementing Section 404
6 over the last two years, and learned a lot of insights coming
7 out of those experiences. And we have also heard a lot of
8 recommendations on what should be done going forward.
9 I am not going to try to summarize what we have
10 learned today. But nevertheless, let me just point out a few
11 things that I have heard. First off, there has been
12 recommendations for additional guidance that ought to come
13 out of the Securities and Exchange Commission and the PCAOB,
14 both for management and for auditors.
15 But there has been caution about how much guidance
16 ought to be given in the nature of that guidance and how it's
17 done. There has been recommendations that Auditing Standard
18 No. 2 ought to be amended, namely, to incorporate the May
19 16th guidance, but there is not unanimity on how it should be
20 done, or what types of amendments ought to be made.
21 And we are hearing that benefit to R&D coming out
22 of the 404 process, but there are questions about the costs
23 associated with those benefits, as well as how Section 404
24 ought to be done.
25 There does seem to be agreement, however, that the
1 process should and can become more efficient, and that leads
2 us to our final panel of the day.
3 In this panel, we are seeking feedback on any
4 significant remaining concerns on how the efficiency and
5 effectiveness of the internal control process done by
6 management and auditors should be improved, and
7 recommendations from you in that regard.
8 Let me introduce the panelists for this final
9 panel.
10 We have with us Mike Cook. Mike is the Audit
11 Committee Chairman and Board Member for numerous
12 organizations.
13 Nick Cyprus is the former Vice President and
14 Controller and Chief Accounting Officer for two very large
15 public companies and currently is a Member of the sponsoring
16 organizations of the Treadway Commission, also known as COSO,
17 which, as you know, is developing additional guidance for
18 smaller public companies.
19 Alex Davern is CFO and Senior Vice President of
20 Manufacturing and IT Operations, National Instruments. Alex
21 is also Chairman of the American Electronics Association
22 Committee on Reform of Sarbanes-Oxley 404.
23 Michele Hooper is Co-founder and Managing Partner
24 of the Director's Council and is Audit Committee Chair and
25 Board Member of numerous organizations.
1 John Huber is a partner with Latham & Watkins LLP.
2 Bob Kueppers is Deputy CEO of Deloitte & Touche
3 USA LLP.
4 Damon Silvers is Associate General Counsel,
5 American Federation of Labor and Congress of Industrial
6 Organizations (the AFL-CIO).
7 Dave Walker is Comptroller General of the United
8 States.
9 Ann Yerger is Executive Director of the Council of
10 Institutional Investors.
11 I'm Tom Ray. I'm with the PCAOB. I've been
12 introduced before. Also with me on the moderator's desk are
13 John White, with the SEC staff, and Scott Taub, with the SEC
14 staff.
15 Now, similar to the previous panels, we have
16 divided it up into broad areas. In this case, there are only
17 three broad areas that we are going to talk about. And I
18 promise you I will call on individuals to start the
19 discussion in each of those particular areas.
20 But I am hopeful that the panelists will exercise
21 their arms a lot in reaching for their name tags and placing
22 them up so that I may call on you in getting your views on
23 each of these three particular areas.
24 So, those three areas are: overall recommendations
25 on next steps. Then we are going to get into specific
1 recommendations on rules and guidance. And finally, we would
2 like your views on how other parties, other than PCAOB and
3 the SEC, for example, should be involved in improving the 404
4 process.
5 So, let's go to the first question. And for this
6 one, I am going to ask Dave Walker to comment. Dave, you and
7 your colleagues at the GAO spend a lot of time working on
8 internal controls and have been following the 404
9 implementation process. So, specifically going forward,
10 Dave, what are the major areas that need attention by
11 management, auditors, the PCAOB and the SEC?
12 MR. WALKER: Well, first let me say at the outset
13 that we at GAO strongly support Section 404. We believe that
14 it has great conceptual merit. And while there were a number
15 of first year implementation challenges and significant costs
16 associated with first-year implementation, that the costs are
17 already starting to come down significantly, and there are a
18 number of benefits associated with 404.
19 I would first say that the PCAOB needs to consider
20 how Auditing Standard No. 2 can be made more clear. And I do
21 believe it would be appropriate to consider integrating the
22 concepts and objectives that were emphasized in the PCAOB
23 subsequent guidance, as well as clarifying areas where there
24 have been practice difficulties.
25 As you know, you did issue some very important
1 guidance in the aftermath of a forum very similar to this
2 that took place last year, but it doesn't have the same
3 authoritative standing. And therefore, I think it is
4 important to recognize that reality and to consider
5 integrating that into an updated Standard No. 2.
6 We continue to believe that the PCAOB should
7 consider modifying its requirements for -- and to allow for
8 rotational testing based upon risk materiality and other
9 considerations. It's something that we have done for years
10 in the federal environment. We are not subject to Sarbanes-
11 Oxley, but we voluntarily comply with a number of the key
12 elements of 404, and have for years. And we believe that
13 there is some merit to risk-based and materiality-based
14 rotational testing.
15 We believe that the SEC obviously needs to consider
16 and resolve the 404 implementation issues with regard to
17 smaller public companies in compliance with the 404, and I'll
18 note that we have issued this report within the last couple
19 of weeks dealing with issues dealing with smaller companies.
20 And we have talked about the plusses and minuses and -- not
21 only considering cost/benefit, but also the fact that
22 investors -- investor confidence and investor considerations
23 obviously were one of the primary reasons that Sarbanes-Oxley
24 was passed.
25 With regard to COSO, we recommend that the SEC
1 continue to support the work of COSO and work with COSO.
2 We also believe that it's important that that
3 ultimate guidance be somewhat clearer, that it emphasize the
4 ability to use professional judgment and risk-based
5 approaches, which not only is appropriate overall, but
6 especially for smaller companies, which is what they are
7 trying to focus on now.
8 And last but not least, you now have the PCAOB
9 inspection program, which is something that did not exist
10 before. And that should be able to provide some very
11 valuable information with regard to actual implementation.
12 And one would hope and expect that the experiences that are
13 gained through that inspection program can be looped back
14 into areas where their additional guidance might be necessary
15 to be able to be provided.
16 And let me add one more thing. I think the
17 profession has a responsibility here, too. I think the
18 profession needs to be developing a best practices, and
19 sharing best practices, in order to try to help get the job
20 done in the most efficient and cost effective manner. And so
21 it's not just with regard to the SEC and the PCAOB, I think
22 the profession and other responsible parties have to be doing
23 their part, as well.
24 Those are my thoughts, Tom.
25 MR. RAY: Thank you. I know most of you, and I
1 know you are not bashful. Michelle Hooper.
2 MS. HOOPER: First, I would like to say that I am
3 very pleased to be asked again to participate in this
4 session. It's been a very good day, and I think a very
5 interesting day, because I think you are hearing very similar
6 messages from a number of different perspectives of people
7 with very different backgrounds. And I always find that
8 helpful. And you are probably going to hear a lot of
9 redundancy on this panel, as well.
10 And I am going to add to it, but I am also going to
11 bring up another area.
12 I think that in addition to everything that has
13 been said, which I totally agree with, I think the issue of
14 the inspections and the timeliness of those inspections and
15 the feedback back to the various audit firms is critical.
16 I think those inspections could be very helpful in
17 providing real world experiences and assessments as to the
18 effectiveness of what is being done out there. But if we end
19 up going through most of our six reviews without the benefit
20 of getting that timely information and being able to adjust
21 and make mid-course corrections, it's not going to do us a
22 whole lot of good, and we are going to be back here next
23 year, complaining about things that we could have perhaps
24 dealt with in a more timely basis.
25 So, that's one.
1 The second piece is -- it relates to the nature of
2 conservatism, I think, that we are finding. Not only on the
3 part of external auditors, although I am going to focus on
4 the external auditor function. But I think there is a degree
5 of conservatism, even within the management and the board
6 ranks.
7 And it -- quite frankly, it relates to liability
8 and the issue of people being concerned -- boards being
9 concerned, external audit firms being concerned, about the
10 liability that they would have based on either finding or not
11 finding a variety of things that could be going on within
12 companies.
13 I think that one is by making -- by giving people
14 more of an understanding of the issue as it relates
15 particularly to examples and case studies. You will not get
16 external audit firm pushing down or pushing up the level of
17 risk-based approaches and using more of management judgment
18 because they don't really know how that is going to be
19 interpreted once you get down to the actual individual that
20 is going to be doing the PCAOB inspection.
21 Are they hearing and adjudicating their reviews to
22 the same degree that we are talking about here in this room?
23 Or are they going to be taking it more on the letter of the
24 actual law that is being written?
25 On the case of the board and management, I think
1 there is a degree of conservatism, because again, we are not
2 sure where -- even though there is a safe harbor provision
3 placed in the Sarbanes-Oxley rules, it is a very vague, if
4 you will, approach to safe harbors. And I think clarifying
5 and providing more specificity on exactly what does that mean
6 and how -- again, how should we be executing our
7 responsibilities I think could be very helpful.
8 And I'll stop at that.
9 MR. RAY: Thank you. Bob Kueppers?
10 MR. KUEPPERS: Thanks, Tom. I've got a series of
11 observations. I think we have seen today -- at least my
12 observation -- we have seen some agreement that there are
13 benefits to 404. Clearly some agreement about costs coming
14 down, although we may disagree on the percentages.
15 One of the things when I talk to groups about 404
16 is, I suggest we have had somewhat of an inordinate focus on
17 the audit costs. And I have always said, maybe what we
18 should do is just not charge for 404 piece of the audit.
19 We'll just do it for free and that always gets a good laugh.
20 Except, not today.
21 MR. KUEPPERS: The point is that companies would
22 not be satisfied if their costs did not come down. And I
23 think what we haven't yet put together is the symbiotic
24 relationship between management's work and the auditors'
25 work. If we need to rely more -- and this year we found that
1 people were relying double the level they relied last year,
2 which is directionally good. But we had managements that
3 said we are going to do less, because we have to get costs
4 down.
5 Well, if management does less then auditors can't
6 rely. So I think management guidance that would help
7 management figure out what responsibility, if any, they have
8 for doing their own walk-through, so we might be able to
9 piggy-back off that.
10 The materiality issue that was mentioned earlier,
11 not the definitions within AS-2 so much, but just the overall
12 problem of trying to assess a deficiency in a context of
13 would it have a material impact on the financials when we
14 really don't have, I don't think, a good metric for quarters
15 versus years and segments versus quarters, and all those
16 kinds of things.
17 And with respect to AS-2, I am kind of ambivalent.
18 If the board determines to amend it to incorporate the May
19 16th guidance, that's find. I think there's always a certain
20 amount of risk when you open up a standard, because I think
21 its basic building blocks should not be fiddled with, but
22 that could be a helpful exercise, just to make it crystal
23 clear that that's part of the standard.
24 And then, the last thing, I guess, is there is the
25 whole issue of small business that somebody had to start, so
1 I thought I would. Wherein I really believe that we can take
2 the learnings that we have had in the first couple of years,
3 from the larger -- the accelerated filers, and work something
4 forward so we can figure out now whether to implement 404 in
5 the rest of the community. But how? And that's why I have
6 been very high on this notion of a pilot program where we
7 could develop some draft guidance for audit firms and for
8 management. Give it a try in '06, and figure out if there is
9 anything else we need to adjust further before the
10 Commission's rules require the rest of the companies to go
11 live in '07.
12 I think that's something that's worth studying and
13 considering.
14 MR. RAY: Thanks. Damon Silvers.
15 MR. SILVERS: Thank you. I apologize. The air
16 conditioning system.
17 It seems to me that you've got to begin here. I
18 think the panelists that have come before me have spoken --
19 given very reasonable suggestions to the Commission and the
20 Board. But in light of the larger dialogue that went on
21 today, I think it's important that we start with some first
22 principles.
23 We have a statute here, and the statute requires a
24 group of -- a set of things to be done. All right. First,
25 that management assess their internal controls. All
1 managements. Of all public companies. Somehow, I don't know
2 -- the advisory group somehow misplaced their statute book.
3 But it does require all management of all public companies to
4 do so.
5 And on behalf of the individual members of my -- of
6 the AFL-CIO's unions, we would not want any of them to be
7 subject to a pitch by any stock of any company whose
8 management couldn't do so.
9 Secondly, that the statute requires that those
10 assessments then be attested to. And Black's Law Dictionary
11 says that attestation is essentially the same thing as an
12 audit by an outside auditor. There isn't any flexibility on
13 those requirements in the statute nor should there be.
14 Thirdly, it requires that it be so annually. And
15 "annual," again, is a word that has a simple, plain language
16 meaning. Annual. Every year. To the extent that there have
17 been suggestions here today that we not do any of those three
18 things, I think those suggestions are beyond the power of
19 anyone in this room to implement and are profoundly unwise.
20 Now. What are the implications of those three
21 principles? First, you cannot comply with the statute and do
22 so merely by having the auditor rely on management's
23 representations. That's not an audit. That's not an
24 attestation. That's not consistent with the statute.
25 Secondly, despite what some of the previous
1 panelists said, you cannot do this merely at the entity
2 level. It's a little unclear to me what people mean when
3 they said "auditing at the entity level" for the assessment.
4 But one thing is clear. That an audit of internal
5 controls cannot be simply an examination of whether or not
6 the board or the CEO seem like smart people or dedicated
7 people. It has to be an actual look at the controls. And,
8 to give an example of what I mean. If somebody can start
9 moving money around at an account level, or without anybody
10 else watching, without anybody being able to grab onto it,
11 what is to prevent a senior manager whose ethics or brains or
12 degrees have been "audited"? From asking someone more junior
13 in the company to do things down in the interests of the
14 company where there are no controls that would end up
15 bouncing right at the integrity of the financial statement as
16 a whole?
17 And thirdly, we cannot have merely a management --
18 an auditor's assessment of management's process. Nor can we
19 have simply a reliance upon management's internal control
20 staff or management's saying it's so. None of those things
21 are an audit of internal controls.
22 Now, saying all those things, though, does not mean
23 that you -- that things ought not to be done by both the
24 Commission and PCAOB. None of the principles I just
25 articulated means or should imply that the costs of 404 ought
1 to be as high as they are. Nor does it imply that
2 essentially management ought to assess whether or not there
3 are spoons in the coffee room. Or that auditors ought to
4 audit that.
5 And to the extent that there have been absurdities
6 that have gone on in the implementation of 404, or confusion,
7 or lack of clarity, those things need to be dealt with.
8 Investors, I think, uniformly agree on these
9 points. And it is unfortunate that a debate about doing
10 things that are patently illegal has blocked a real
11 consideration of the common ground that exists between
12 investors and companies about how to do this in a rational
13 and cost-effective way.
14 And I will just suggest four things that the
15 Commission and Board ought to consider.
16 First, as many people have said today, there is
17 really a need for some guidance to management. Guidance to
18 issuers. Guidance that only the Commission can properly
19 issue. Guidance beyond COSO. I think everybody who
20 participates -- who has an interest in this process believes
21 that that's a good idea. And a good starting point are the
22 principles outlined last year in the Joint PCAOB release.
23 Secondly, there needs to be some clarity on issues
24 of risk. A lot of people believe that AS-2 has a risk
25 standard that is impossible to meet. I think in some ways
1 that's an artifact of the language. That there is a three-
2 part division of risk levels in that language. What those
3 risk levels mean needs some clarification, because they could
4 be interpreted as meaning a standard higher than the criminal
5 standard. I don't think that's what they actually mean, but
6 there is some confusion about that.
7 Thirdly, there needs to be some guidance to smaller
8 issuers about where there is an issue of overlapping duties
9 of personnel. An org chart model of a large company -- a GE,
10 for example, does not apply to a small biotech company.
11 On the other hand, though, that does not mean that
12 a small biotech company ought to be allowed to have a payroll
13 system where one person cuts checks and nobody checks on what
14 checks they are cutting.
15 Finally, I think it's very clear that there has
16 been a failure to approach the 404 process as part of an
17 integrated audit. And both the PCAOB and the SEC need to
18 think about ways in which that can be encouraged. There is a
19 great deal of both cost savings and rationality to be had in
20 pursuing things in that direction.
21 I hope these things can be pursued without an
22 attack on the fundamental investor protections that 404
23 embodies.
24 And I'll close by saying this. The concern that
25 Bob Kueppers raised about opening AS-2 and the mischief that
1 might follow. I am inclined to the hope that the PCAOB and
2 staff are tough enough folks to resist that. And that we can
3 have a rational process here. But some of what has gone on
4 in the last few months around attempts to basically gut
5 Sarbanes-Oxley, has impinged upon my natural hopefulness.
6 And I would hope that we could quickly shift this dialogue in
7 a direction in which it is clear that people who opened up
8 this rule -- the AS-2 to a rational corrective process, are
9 not slitting investors' throats by doing so, and that they
10 could do so in the confidence that that gesture of good faith
11 would be met equally with good faith on the part of those who
12 sought to undermine Sarbanes-Oxley to this point.
13 Thank you.
14 MR. RAY: Thanks. As future panelists add
15 additional comments, I would encourage you to comment on your
16 view on whether we should be changing AS-2 as well. It's an
17 interesting question to us.
18 Mike Cook?
19 MR. COOK: Tom, I don't get into the details of
20 these things from the perspective of an audit committee
21 chairman to have a lot to say about what should or shouldn't
22 be amended.
23 I would just suggest to you that in that regard, I
24 would change as little as you possibly can. We are once
25 again in the middle of a year. We are looking for
1 consistency. We are looking for consistency of performance.
2 From an audit committee perspective, I recognize that if you
3 put out more guidance, they are going to put out more
4 guidance, there are going to be 10,000 or 15,000 people -- a
5 large number of people are going to have to be trained in it,
6 they would have to figure out what it means, they are going
7 to tell the audit committees, we'll get back to you later
8 with implications of this for our audit plan.
9 And everything will be in limbo again. I don't see
10 the need for that. And I would suggest to you that if you do
11 issue guidance or change standards at this stage, be
12 satisfied that it's really necessary to do that.
13 I said last year, please do issue more guidance,
14 because I was convinced it was necessary. I am not at all
15 convinced that that's the case this year.
16 One other quick comment. Then I have something I
17 would like to talk about as a more important next step. I
18 called the question on the issue of whether or not these
19 rules apply to smaller businesses. I am not sure they are
20 small businesses by my standards, but smaller businesses.
21 This contentious discussion is calling so much
22 attention to this issue in so many places. It is important.
23 I understand the concerns of these businesses and the cost
24 effectiveness questions that they have. But call the
25 question as soon as you can reasonably do so because it needs
1 to come off the front page. And it leads to what I would
2 like to hear a little bit more about, and that is my hope
3 that we could do some things in "Next Steps" that would put
4 404 in perspective.
5 And what I mean by that is I think 404 is
6 important. But 404 is not the be-all, end-all of financial
7 reporting that it is portrayed to be. And the time and
8 attention that we are spending, all of us who are in this
9 process, on 404 is obscuring and taking time away from other
10 things that I think are much more important to be addressed
11 in terms of enhancing financial reporting, and let me
12 elaborate just a little bit.
13 Last year at this roundtable, as all accountants
14 are required to do, I pledged allegiance to good internal
15 control. I pledged allegiance to 404. And I do so again. I
16 am absolutely convinced it is the right thing. I observed
17 last year that the costs in year one would exceed the
18 benefits, but that was okay. There was a cost to restoring
19 public confidence, so let's get over it and move on.
20 My view is, in year two, the costs have gone down.
21 The benefits may have gone down even more. Now, in terms of
22 relative benefit, it was true what people said on these
23 panels a year ago. That we have a lot of deferred
24 maintenance. We've got catch-up work to do. And that is
25 going to make it cost a lot more. But once the deferred
1 maintenance has been completed, the benefits the second time
2 around are substantially less than they were the first time
3 around, and I would suggest it's certainly possible that the
4 gap between cost and benefit may be greater in the second
5 year than it was the first year.
6 But I don't have any definitive information to
7 support. But everybody says that the costs are going down
8 and the benefits are going up. I am not completely convinced
9 that those statements are accurate.
10 What I would like to see us put 404 in perspective
11 is, 404 has an important role to play in the overall scheme
12 of financial reporting.
13 But 404, like virtually everything in the Sarbanes-
14 Oxley legislation, is defensive. It is about prevention. It
15 is about preventing bad behavior. It is about preventing
16 people who would go over the line from going over the line.
17 It has the positive impact, also, of improving the
18 quality of financial reporting, the reliability of it, by
19 finding errors and correcting them on a more timely basis,
20 but I don't think we would be here or we would be investing
21 what we are investing in 404 if it were not for its fraud
22 detection objectives, as opposed to just correcting errors in
23 financial statements.
24 I am glad that companies are not getting their
25 taxes right and their lease accounting right. But I doubt
1 that we could justify the cost of 404 by those outcomes.
2 But it is part of a group of things that we have
3 done, which is about all we have done in the area of
4 financial reporting in the last four or five years, all of
5 which are almost entirely defensive. They deal with
6 auditing. Auditing is defensive. Keep people from doing the
7 wrong things. Internal control. Whistle-blowing. Etc.,
8 etc.
9 All of these things are good. They are important.
10 They fit into the overall scheme, but they do nothing to
11 enhance the quality of the basic financial reporting product.
12 They protect its reliability. They protect its integrity.
13 But they have done nothing to improve it.
14 And I would suggest to you, as a sports analogy,
15 while we have done a very good job on defense, we prevented a
16 lot of scoring against us, we haven't scored any points on
17 offense, in terms of improving financial reporting in a
18 meaningful way, in a long, long time.
19 And it is time for us to get to that. Somebody
20 said, okay, what do you have in mind? I could list 10 or 15
21 things, but I'll pick three or four.
22 Global. Comparability of financial reporting on a
23 global basis, through attention to the convergence of
24 international standards.
25 Complexity. We all know the issues of complexity.
1 Reporting on nontraditional financial information.
2 We have been talking about this for so long. We have had so
3 many groups study this for so long it makes my head hurt to
4 remember them all, and yet nothing has come out of it. And
5 there continues to be a great investor need for information
6 about things that are not being delivered to them in
7 traditional financial statements.
8 Information about human capital. Information about
9 intellectual capital. Information about research and
10 development. And things of that kind, and they are not
11 getting any of that information and there are no meaningful
12 initiatives that I am aware of -- and I don't claim to be
13 aware of all these things -- that are going to deliver that
14 information to them.
15 And I would go on and on, but I would just add one
16 more that I would like to mention, because a number of items
17 fall under this caption, and this has to do with forward-
18 looking information. People I talk to, and maybe I have been
19 talking to the wrong ones -- keep talking about the need for
20 more information that will help them predict the future of
21 the companies. The future success. What are the critical
22 success factors to the future of the company. And while we
23 tried to get at that through MDNA and other mechanisms, we
24 are far short of where we could be, and often what we have
25 done is to restrict the flow of information, rather than to
1 encourage it or enhance it. Things such as Regulation FD,
2 Regulation G and so forth are restricting, if anything, the
3 flow of information or have that implication.
4 Now people are talking about we need to do away
5 with earnings guidance. Even people are going to the extreme
6 of saying we need to do away with quarterly earnings. That's
7 too much of a short term focus. And my suggestion would be
8 that these initiatives, taken together, which are reducing
9 the amount of information that is going to the marketplace,
10 particularly forward-looking information that the marketplace
11 really needs, would be well served to be replaced by a
12 thoughtful approach to providing more information, with
13 appropriate safe harbors and restrictions and things of that
14 kind.
15 Recap what I would like to say -- 404 is a very
16 good and valuable part of the defensive side of financial
17 reporting. It is necessary. But we have to have an
18 offensive game plan at the same time. And we really need to
19 have the time and energy to step back and talk about what we
20 an do to enhance financial reporting, not protect financial
21 reporting from bad behavior by bad people, imposing costs on
22 lots and lots of people who have no ill intentions and would
23 never be engaged in that type of conduct to begin with.
24 So, we paid a very high price for the misdeeds of a
25 few people from a cost standpoint. But I am also concerned
1 we are paying a very high price in terms of the time and
2 attention that continues to go into this subject.
3 MR. RAY: Let me just ask you a follow-up question
4 on that. I apologize if you covered this already. How do we
5 get to those next steps?
6 There are still a lot of people who are concerned
7 about 404 and how it is being applied. Do we stop doing 404?
8 Or what is it we do to get beyond it so that we can then
9 focus our energy on these next important things?
10 MR. COOK: Well, Tom, my opinion is, we have got to
11 get the issue resolved of to whom does 404 apply. I mean,
12 that is a lingering issue which is creating a great deal of
13 heat, friction and probably lots of other things that I don't
14 even know about. We've got to get that resolved, because
15 that is bringing so much attention to this subject. Out of
16 proportion to the overall significance of 404 for the vast
17 majority of the large companies in the United States.
18 After that, I think I would just suggest we have a
19 little bit of a cooling-off period here. And not race to
20 identify every problem and issue guidance to solve -- and let
21 people of good intentions and reasonable judgment work with
22 this for awhile.
23 But every time we put in a new solution, we just
24 create all sorts of issues, and from my perspective, again,
25 as an audit committee chairman, half a dozen companies or so,
1 working with large companies and very good audit firms. They
2 can handle this. Let them go at it for awhile without more
3 guidance and more issuances, unless it is very minor or
4 absolutely necessary. But let it work for awhile.
5 And I am not advocating that they disband it by any
6 means. I think it is absolutely necessary.
7 MR. RAY: Thanks. Alex Davern.
8 MR. DAVERN: Thank you. We are all -- Mr. Silvers
9 and I were on the same panel last year, and we disagreed
10 then, so I am not tremendously surprised that we will
11 disagree on some topics again today. And certainly I respect
12 his comments and thoughts.
13 I wanted to make a few comments about the tenor of
14 the discussion today. I frankly, to be honest with you, have
15 been quite disappointed with the tenor of the discussion.
16 There has been a tremendous amount of polite
17 discussion, and we have all been patting ourselves on the
18 back that in year two things got a little bit better, and
19 things didn't get a lot worse in year two.
20 And while that's great, I would like to step out a
21 little bit further, and I would like to offer a grade to the
22 Commission on the implementation of Section 404.
23 I would like to step people back to June of 2003,
24 when the Commission published its rule. And the Commission
25 set an expectation of the cost of implementing 404 would be
1 about $90,000. The Commission set an expectation that the
2 cost of implementing 404 would be relatively the same for
3 companies of different sizes.
4 Now, as a member of the Commission's Advisory
5 Commission on Smaller Public Companies, I want to assure Mr.
6 Silvers, first off, we did have a dictionary in, and we did
7 understand the definition of "annual." So, let me put that
8 to rest.
9 My perspective is that the Commission deserves a
10 failing grade, frankly, for the implementation of Section
11 404. And, having worked on this issue passionately for the
12 last two years, I feel a little frustrated with the lack of
13 forward action and the lack of realistic, commonsense
14 thinking being applied to the problem.
15 I sat here last year and listened to promises from
16 the audit firms that we would see costs drop by 40 percent,
17 when I came back today. I am here today. And external audit
18 fees -- it's clear from the proxies -- these are just as high
19 now as they were a year ago. They haven't come down at all.
20 And so I hope that we'll see some more forward
21 progress on this than we did in the last 12 months. I think
22 investors also recognize this. I want to echo the comments
23 made by other people earlier on. As a CFO of a public
24 company, I have never once been asked by an investor about
25 Section 404 other than how much is it going to cost and will
1 it come down. That is the only question I have ever gotten.
2 I have never been pushed or asked about the adequacy of our
3 controls and is it inputting benefits. Not once in the last
4 three years.
5 I'm also part of a NASDAQ committee, and we
6 recently surveyed institutional investors. And this survey
7 will be released in the next couple of weeks. We
8 deliberately went out to the investing public to reach bi-
9 side institutional investors to get their views on this.
10 Eighty-six percent of the institutional investors believe
11 that costs of Section 404 exceed the benefits -- I'm
12 personally in favor of 404, I'd just like it to cost $93,000,
13 like we were said to expect in the beginning.
14 Eighty percent of institutional investors clearly
15 support the recommendations of the Smaller Public Companies
16 Advisory Committee, that there be scaled regulation, and that
17 we practically recognize the realities of the world. That
18 1 percent of the total market value of all U.S. public
19 companies is captured in microcap companies. They are
20 fundamentally different.
21 And the conclusion of the Advisory Committee, after
22 a lot of hard work by a lot of smart people, was that it was
23 very difficult to believe that a regulatory format like 404,
24 which requires an external audit attestation, would ever be
25 cost-effective for the shareholders of smaller public
1 companies, especially microcap companies.
2 The reasons, in my view, as to why we are in this
3 situation -- I was taught by my dad, if you admit things
4 wrong by a factor of 20, it's probably a good idea to sit
5 back and really reconsider your fundamental assumptions. And
6 I think that applies today. I think the reasons for it are
7 pretty simple. There's three main reasons.
8 Number one is the elephant in the room that is not
9 being discussed at all at this meeting today. And that is
10 that the GAO has concluded that the Big Four are an
11 oligopoly, with a significant amount of anti-competitive
12 market power. That is a fact that the government has
13 determined.
14 My members of the American Electronics Association
15 believe that is a significant contributing factor to the
16 significant excessive costs of this regulation.
17 Number two is materiality. This has been hit on by
18 many people. And I am going to recommend some changes that I
19 -- in just a second.
20 And then number three is scaling. We are
21 continuing to struggle with the issue, and I agree that we
22 should call the ball on what we are going to do. But I think
23 that the consequences of applying the current regime, which
24 clearly does not deliver benefit over cost to the
25 shareholders to the massive amount of smaller public
1 companies in this country will be very significantly
2 negative. It will be very bad for the U.S. capital markets.
3 They will be very bad for innovation in the United States.
4 And they will create a very strong political backlash.
5 I think the pressure that has happened publicly so
6 far as a result of the big companies having to comply with
7 404 is nothing compared to thousands of small companies,
8 which will create a severe backlash if they are forced to
9 comply with what is not a practical solution for their
10 shareholders.
11 My recommendations, to get to your earlier
12 question, are threefold.
13 One, we need to amend AS-2. I would agree with the
14 comment that it shouldn't be amended for application in 2006.
15 It should be amended for application in 2007. I don't think
16 mid-year we should make changes. But we should be thinking
17 now and publishing now proposed regulations to amend AS-2 for
18 next year.
19 Earlier, AS-2 was compared in an earlier panel to
20 the Constitution. I don't know if anybody remembers that. I
21 would like to also reference -- although I am a recent
22 American citizen -- the American public had the courage to
23 amend the Constitution. If we had the courage to amend the
24 Constitution, I hope we will have the courage to amend AS-2.
25 The changes I would recommend are threefold.
1 Number one, change the definition of "material weakness." It
2 is core to the problem. The SAB 99 rules apply qualitative
3 and quantitative assessment. To what are you going to do a
4 restatement? Will the restatement affect the mosaic or the
5 entirety of information available to investors in deciding on
6 the value of a stock?
7 We need to get a qualitative assessment into the
8 assessment of material weakness so we don't have hundreds and
9 thousands of material weaknesses that are being disclosed,
10 which investors have clearly indicated they don't care about.
11 We need to change the assessment of a material
12 weakness from assessing against the quarterly financial
13 statements of a company to against the annual financial
14 statements of a company. This quarterly application
15 assessment of material weakness is way too tight a standard
16 and results in the minutia that Professor Grundfest so
17 eloquently explained this morning.
18 And thirdly, we need to allow rotation. I would
19 echo the comment made by the GAO. It is a practical,
20 commonsense audit tool that has been used for many decades.
21 The second recommendation I have is adopt the
22 recommendations of the Small Public Company Advisory
23 Committee. Although there are many who fervently disagree
24 with this, the reality is that those are the best, in my
25 view, practical solutions to the main problem. They will
1 deal with the 6 percent of companies for which this is
2 horribly painful, and we can get on with the business of
3 ensuring that the 94 percent of the capital markets, and the
4 100 percent of the capital markets we're moving forward with
5 positive recommendations.
6 I would also say that Chairman Oxley has made it
7 very clear that the SEC, in his belief, has the authority to
8 provide exemptive relief, if it is in the public interest,
9 and if the costs of regulation exceed the benefits. I
10 believe those who voted for Sarbanes-Oxley 404 did it in the
11 framework and the knowledge that the SEC had an obligation to
12 apply it in a manner where the benefits exceeded the costs.
13 And thirdly, we need to restore competition, and I
14 hope the PCAOB takes very seriously the lack of competition
15 in the public company audit market, with four companies
16 auditing 98 percent of the revenue of public companies in
17 America.
18 Without significant change there, which I believe
19 is an exposed risk to the U.S. capital markets to have that
20 concentration, it will be very difficult to get the type of
21 competition we need in order to have cost-effective
22 implementation.
23 Now, I'll listen to the many and various rebuttals.
24 MR. RAY: Thank you. Nick Cyprus. And Nick, when
25 you're finished, I know John White has another question he
1 would like to direct to you.
2 MR. CYPRUS: Okay. Well, first, let me thank you
3 for inviting me here today to speak. I feel privileged.
4 I believe that Section 404 and AS-2 have gone a
5 long way. And I have worked with two Fortune 500 companies
6 as the Chief Accounting Officer in improving the quality of
7 financial reporting. And I would say I would be extremely
8 cautious about making changes to Auditing Standard 2, because
9 I believe that the audit firms and, by the way, management,
10 understand the guidance that is out there.
11 And I believe like anything that we will drive
12 those costs down. Every year, because it is about improving
13 the bottom line. So, we will figure that out. And we will
14 be driving those costs down. And when there is a
15 disagreement between us and our auditors as to how to get
16 those costs down, there is a process that we can go through.
17 You created that process today. I know how to meet with the
18 chairman of my audit committee, and my company, and in
19 essence, my audit firm, and I know where to find the members
20 of the PCAOB, who could help us.
21 And, by the way, if something relevant comes out of
22 there, because we think one thing and the PCAOB comes up with
23 something that none of us knew about, that's the time to
24 issue additional guidance that says, you guys didn't know
25 this but here is how we felt.
1 But to just make wholesale changes is going to take
2 us off the experience curves that we are already under.
3 Because I perceive that I know how to get at this, and I am
4 worried about change that I may not know how to get at.
5 So, I am not necessarily positive that I think
6 change is necessary until we have very specific issues that
7 we know how to change.
8 Okay. With that said, I do want to just make
9 certain comments that I think are important. I really do
10 believe that all public companies should comply with Section
11 404. Being a public company subjects you, I believe, to a
12 set of standards. A set of rules that are out there to
13 protect the public. And to just go out there and say, I
14 can't afford, can't afford, to comply with those set of rules
15 is an interesting proposition but then you can't afford to
16 use public capital.
17 So, I think that we have an obligation to help
18 people understand the rules, practically comply with the
19 rules, but not play the game. I just don't think that is a
20 good answer. I don't care how small you are or where you are
21 in the public.
22 I think everybody has to be a part of that game if
23 you want to be a public company.
24 So -- and I feel pretty strongly about that.
25 There's processes in place that are meant to protect the
1 public. I think we can come up with those things.
2 By the way,, not having the financial skill sets to
3 understand what those rules are, or saying well, we'll
4 certify the financial statement ourselves and we don't need
5 the auditors to look at them.
6 My statement would be, well, then, how do you
7 know -- even though you truly believe in your heart what you
8 did was right -- how do you know it's right? If someone with
9 the right skill sets hasn't come and looked at what you did
10 and says, we agree it's right.
11 So, we could figure out a process that works on
12 that cost. Because I absolutely believe that those costs can
13 come down from where they are today. And I believe that they
14 will come down from where they are.
15 We can talk about it all we want, but I've got to
16 tell you, every CFO in the country and every controller in
17 the country is focused on how to get those costs down, okay?
18 While maintaining the benefits.
19 I'll limit my comments to that for now. I have
20 specific suggestions we can get on, when we get in more
21 detail.
22 MR. WHITE: I want to go back to the Advisory
23 Report from -- the Small Public Company Committee. The
24 Commission and the staff obviously have that report, and we
25 are looking very carefully at the recommendations,
1 particularly those that relate to 404.
2 And, as I read them, and as -- I was particularly
3 emphasized [sic] by the two chairs of that committee, they
4 say that "unless and until." And I underlined those words
5 "unless and until" a suitable framework is developed for
6 smaller public companies to apply 404, that 404 should not
7 apply to smaller public companies.
8 And I know that you are really here as the "COSO
9 spokesperson," so I will look to you, Mr. Cyprus. At the
10 request of the Commission, COSO has in fact been working on a
11 framework to assist smaller public companies, and I know you
12 have been -- you've had that put out -- you put the proposal
13 out last October, it's been -- you have gotten comments on
14 it, and I guess I would like you to expand a little bit on
15 where we are with that proposal because if -- does that
16 proposal go in the direction of this "unless and until"
17 because that's really the recommendation -- say, if we have a
18 framework, then it should apply to the smaller companies.
19 So, if you could give us a report on the
20 framework -- the COSO work, I would appreciate that.
21 MR. CYPRUS: I'd be happy to. The COSO board is
22 still working on it. I would not expect that you are going
23 to see a brand new COSO framework from the framework that's
24 out there today.
25 What you will see is a lot of thought process on
1 how to apply that framework in more practical -- so, we will
2 be talking about principles. We'll be talking about --
3 you'll be seeing some attributes, and we'll be giving
4 guidance as to how to apply the framework that's out there.
5 But there is nobody within the COSO group today that is
6 actually working on a different, new framework. So, I hope
7 those expectations are set. But we are working hard to try
8 to come up with practical guidance and thoughts that would
9 help those people who don't necessarily have all the skill
10 sets of the members that sit on the COSO board or who are
11 internal control experts.
12 So, it would simplify that. But I don't see a
13 different framework coming out.
14 MR. RAY: Thank you. Ann Yerger. I believe you
15 have your card up. It's hard to tell with the air
16 conditioning situation over there. And then when you are
17 finished, I'll recognize Commissioner Atkins.
18 MS. YERGER: I did. I was the one blowing on
19 Damon's card so I could beat him to the punch.
20 I just want to share the Council's perspective. We
21 have long been very supportive of Section 404. We believe
22 solid internal controls are the backbone of high quality
23 financial statements. And, as a result, they are relevant to
24 any company, large or small, tapping the public markets.
25 The Council's perspective is one of an organization
1 representing large term investors who are very broadly and
2 deeply invested in our U.S. capital markets. The average
3 Council fund has about 45 percent of its portfolio in U.S.
4 stocks, about half of that is passively managed. And
5 passively managed, in a very broad way, in an index such as
6 the Russell 3000, which, I might add, has about 40-
7 plus percent of its companies that would fall under the large
8 company level recommended by the Small Business Advisory
9 Committee, and I can tell you our members are not comfortable
10 thinking that such a significant portion of their long term
11 core portfolio would not have to be in compliance with this.
12 I will comment we don't support 404 at any and all
13 costs. Shareholders ultimately shoulder these compliance
14 costs, and we want to be certain that they are cost-effective
15 and efficient. And we obviously believe that 404
16 implementation be risk-based and right-sized to best suit
17 companies' size and complexity.
18 We share the business community's concerns over the
19 implementation costs of 404, but we believe that these
20 problems can and should be addressed by the SEC and the
21 PCAOB. We think there is quite a gulf between the status quo
22 and the recommendations of the Small Business Advisory
23 Report. And we think that you can deal with this with
24 guidance.
25 We agree that time is of the essence. Not simply
1 because I think we have all been spending probably too much
2 time on 404, and it's enough time. We need to move forward.
3 But also because I am very concerned that if the
4 SEC and PCAOB don't act, that Congress will, which we think
5 would be a very suboptimal response at this point.
6 Let me just make a few comments on some of the
7 recommendations that were noted. I, of course, second
8 everyone's comments about the need -- and I think the
9 incredible need -- for practical, plain English guidance to
10 the companies, particularly small companies, on how to
11 evaluate and set up and effective internal control framework.
12 We would also very much support a pilot program, to
13 test the effectiveness of the guidance at issue. And that
14 could be done, giving you plenty of time to refine the
15 guidance and enhance the implementation for small companies.
16 I would like to commend on -- about deadlines.
17 Deadlines have been extended several times. I think the
18 Council could very reluctantly live with one additional
19 modest but final extension. However, we would very much
20 oppose any multi-stage, phase-in process. I think
21 implementation here has taken long enough. It's time for the
22 entire business community, small and large, to get over it
23 and get on with it.
24 To the PCAOB. There is certainly anecdotal
25 evidence to suggest that auditors haven't fully embraced or
1 perhaps understood the guidance issue last year and I don't
2 think maybe it's at the national level, but certainly down at
3 the field, there is evidence that it's not working correctly.
4 In terms of integrated audits, etc., we do
5 recommend that you consider expanding or clarifying the
6 guidance, where appropriate, and I think it is very
7 appropriate to embed some of this into AS-2.
8 We would support clarifications to AS-2, provided
9 the changes do not materially impact the underlying intent of
10 AS-2.
11 Finally, we would very much support issuance of
12 guidance to small company auditors so that they can do a
13 better job on their side.
14 And finally, we would urge both the SEC and the
15 PCAOB to work together, and to work with COSO to ensure that
16 the 404 framework is respaced and the right size and that
17 your guidance is coordinated and complementary.
18 Thanks.
19 MR. RAY: Thank you. Commissioner Atkins?
20 MR. ATKINS: Thank you. I just wanted to follow up
21 on a couple of the points and ask a question here. I think
22 it's clear, at least to me, from what we have heard today
23 that application of 404 and AS-2 sort of veered off -- at
24 least in answer to the failing grade that you have given us -
25 - veered off from at least what I was voting for at the
1 beginning, which was the COSO-based, top-down approach.
2 So I thank you all for your suggestions on that.
3 But I was wondering. At least we have two decision-makers
4 here on the panel as far as dealing with, as you termed the
5 oligopoly out there, we all know that if you have a reduced
6 supply of folks out there because of all the new requirements
7 for auditors that the price goes up.
8 How easy is it for you to actually negotiate the
9 scope and/or the fees of these projects, as members of the
10 audit committee? And others maybe hear from your clients.
11 Is it a take it or leave it proposition that is presented to
12 you? Is there flexibility in there where you can have
13 influence?
14 MR. COOK: Well, I would answer first,
15 Commissioner. I am only involved with pretty good sized
16 companies. This is not a big issue for those companies. As
17 somebody said one time, how many accounting firms do we need.
18 I said, one more than the one I have. And I can handle the
19 issue.
20 And, as a practical matter, this -- the costs are
21 there. They are being incurred. The difficulty with this is
22 that the firms are incurring very substantial costs. And
23 from my perspective as chairman of the audit committee, I
24 don't think I'm really doing the best for everyone. I'm just
25 hammering down the costs by delivering ultimatums that says,
1 if you don't do it for half that, we are going to go get
2 somebody else to do it.
3 What I really what is for them to learn how to do
4 it and have people help them do it in a way that will bring
5 down their costs rather than just hammering it down through
6 the issues of supply and demand.
7 So we are trying to work with firms. Trying to
8 work with the financial management. It takes a lot of
9 effort. And we are quite satisfied that the hours are being
10 put in and that the costs are not unreasonable on an hourly
11 basis. But it just takes an awful lot to get this done.
12 MR. DAVERN: I would also address Mr. Atkins'
13 question. I would agree with Michael that certainly we want
14 to focus on balance between both sides to try to reduce the
15 cost. However, the objective reality is that audit fees and
16 total external audit fees did not come down at all in here,
17 too, and the objective fact on the table.
18 The other point I would make is that this issue is
19 directly related to size. If you are a very large company, a
20 Fortune 500 company, you are very attractive client, a
21 premier client, you have a significant amount of negotiating
22 room, then it's normal and natural. That is the benefit of
23 scale.
24 If you are a very, very small company, the
25 situation is the reverse. And it is basically a take it or
1 leave it for most of our small company members. And that's
2 the feedback that we get repeatedly.
3 I would like to also make one other comment, as,
4 again, the only member of the Advisory Committee that has
5 appeared today. And Daniel, hopefully, back me up on this
6 when we talked about it -- but when you go to your question
7 of COSO, and Melissa addressed the question for smaller
8 public companies -- we actually had the Chairman of the Task
9 Force of that Framework as part of our 404 Subcommittee on
10 the Advisory Committee.
11 And she and we all concluded that the new COSO
12 guidance would not significantly change the cost equation for
13 small public companies. And so that was considered very
14 carefully before we reached our conclusions.
15 Thank you.
16 MR. RAY: Thanks. I know that John Huber has some
17 specific suggestions for us. We talked briefly before the
18 meeting. And I would like to recognize John, and then I
19 believe Chairman Cox would like to have the floor.
20 MR. COX: Actually, I just wanted to find out the
21 answer to John's earlier question. And I just got it, so, I
22 haven't a question.
23 MR. RAY: John Huber.
24 MR. HUBER: Before I go into my suggestions, I
25 really want to address the cost question.
1 I'm a securities lawyer. I do restatement work and
2 -- what is euphemistically called "irregularity" work all the
3 time. There were 1260 restatements last year from public
4 companies. We're very busy.
5 And I can tell you that the concept of cost for a
6 404 audit is nothing compared to what happens when you face a
7 restatement in terms of delisting from NASDAQ, litigation,
8 people coming and saying, gee, you know, your indenture is
9 now in default. We would like you to pay up.
10 All of those concepts start to come in, and the
11 concept of the cost of an audit, from an auditor, has got to
12 be weighed in terms of what is out there if you don't do it
13 right in the current regulatory environment.
14 So, I am not going to get involved in dollars, but
15 I am going to say, every CFO I work with comes to a very
16 simple conclusion, that being penny-wise and pound-foolish
17 with respect to the costs of the audit really was a stupid
18 thing to do.
19 And, with that, I would like to thank the Board. I
20 would like to thank the Commission. I would like to thank
21 the staff for inviting me back for the second time. I don't
22 know why you did it, but thanks, anyway.
23 The fact of the matter is, I've got four points in
24 terms of things that the SEC and the Board can do. Two of
25 them apply to all registrants. One of them applies to
1 smaller business. And one applies to foreign private
2 issuers.
3 And I'm really building on my experience in private
4 practice for 20 years, and 11 years at the SEC, in terms of
5 these suggestions. Because I was a young attorney when the
6 Foreign Corrupt Practices Act was passed in 1978, and guess
7 what? It was an empty box. There wasn't anything there, and
8 everybody just went blithely down the road with respect to
9 13(b). We are now filling the box.
10 The first recommendation really deals with a very
11 simple concept that I was the voice in the wilderness on last
12 year concerning material weakness. I was on the panel, and I
13 was the only person saying, hey. There is an issue with
14 respect to material weakness. But I really do think that
15 with two years' experience, that AS-2 and the SEC's role
16 should be looked at with respect to the benefit of that two
17 years' experience.
18 You can look at a lot of different things. I think
19 the structures of these rules are sound, but I think we need
20 to go to the next level with respect to what these
21 definitions in particular, but the way that the process works
22 in specific really should be examined.
23 The one that everybody is talking about is material
24 weakness. I am going to talk about it too, but I am going to
25 give you a little bit more that just, it's broken. Okay?
1 Material weakness is a probability magnitude test.
2 Okay? The probability and magnitude. More than remote is
3 probability. Material is the magnitude. We need to increase
4 the probability factor. It has to be something like likely.
5 Okay. I hate to say that is what really is important, but
6 you are going to see why I mean it in a minute.
7 And the concept of materiality is not a PCAOB
8 point. It's an SEC point. And that comes straight out of
9 SAB 99. And there were those of us in private practice who
10 really did think it was a new standard in 1999. And really
11 did think that it lowered the bar of materiality. Far lower
12 than what Bob Pozen was talking about with respect to a
13 significant impact on the entity level.
14 But the fact of the matter is, my whole point with
15 respect to this is that the definition should be like the
16 canary in the mine shaft with respect to financial
17 statements. Everybody was expecting that, so I delivered
18 that to you. Okay?
19 The fact of the matter is, it means something. The
20 point that was made that you get a material weakness with a
21 restatement -- that's a day late and a dollar short. The
22 material weakness should be the precursor of what is coming
23 down the pike. So that two things happen. First, the
24 ordinary American investor reacts to it. It may sound crazy,
25 but that's what this is all about. It's about protecting
1 investors, and therefore, material weakness should be defined
2 in a way that he or she understands. When it's disclosed
3 there should be an impact on the marketplace.
4 I do this disclosure all the time. I am
5 continually shocked that they say all of these terrible
6 things and nobody understands what we are saying in terms of
7 the marketplace because (a) everyone has it, and it is in the
8 realm of probably that it's not going to happen because the
9 threshold is too low.
10 And second, and this goes to Commissioner
11 Glassman's point, management has got to really understand
12 that this is important. One of the reasons why you are
13 getting all this cost stuff is that CFOs, CEOs, companies
14 don't think it's important because they don't worry about it.
15 They've got to worry about the definition of material
16 weakness in terms of the effect on them, and particularly the
17 302 certification for the CEO and CFO.
18 So that should occur in terms of the amendment. The
19 guidance from May should be included in the AS-2 standard. I
20 would say more importantly, the nine firm framework, which is
21 a great way of understanding how you go from significant
22 deficiency to material weakness should also be included.
23 Part and parcel of these is the second suggestion
24 that I have. The May guidance talked about the zone of
25 reasonableness. Now, the zone of reasonableness is a lot
1 like the twilight zone. A lot of people don't go in there.
2 Okay?
3 MR. HUBER: And the fact of the matter is once you
4 are there, it becomes something that is problematic. We need
5 guidance on the question of the zone of reasonableness
6 because judgment is critical. It is a critical underpinning
7 to getting this entire system to work efficiently from a
8 management standpoint as well as an auditor standpoint.
9 An auditor's reasonably based judgment should not
10 be penalized. We can all say that philosophically, but the
11 fact of the matter is AS-2 should build it into the standard
12 so that engagement partners -- and that's usually as far up
13 as I go in the pecking order with respect to accounting
14 firms. I never get beyond engagement partner.
15 Engagement partners are the people that I deal with
16 and so they don't twitter. And the fact of the matter is,
17 this point is really something that I would analogize to
18 Delaware corporation law, with respect to the business
19 judgment standard. Loyalty. Good faith. Being informed.
20 Okay?
21 If management and the auditor do that, and they
22 reach the wrong answer, they should not be penalized. And
23 putting something like that into AS-2 is something that I
24 would recommend. People should not be afraid of the PCAOB
25 inspector. The PCAOB inspector should not be a career-ending
1 experience for an auditor. The fact of the matter is, they
2 are all trying to do the same thing in terms of protecting
3 investors and inspiring investor confidence.
4 Third, I agree with --
5 MR. RAY: Say, John. I hate to interrupt you. We
6 are running out of time. If we could get your last two
7 points very quickly, that would be great.
8 MR. HUBER: Two points. I agree with the Small
9 Business standard that was talked about. Mr. Turley's
10 standard. I would make it real in terms of the SEC and the
11 PCAOB should form and EITF to get guidance out for smaller
12 businesses quick. And the fact of the matter is about
13 calling the question is very important. The COSO for smaller
14 businesses has got to come in.
15 Fourth and finally, but this goes to the Chairman's
16 point, it is imperative that we, the United States, talk to
17 the European Union and get an international internal control
18 role of financial reporting. As an SEC person, I used to be
19 sent by the Chairman to Europe to talk to them. They thought
20 I was Fort Apache the Bronx. They thought I would burn their
21 houses down because I was from the United States. The SEC --
22 we need to make absolutely sure that they understand what
23 this is about and bring convergence into the mix with respect
24 to coming up with something because our markets used to be
25 the gold standard of the world. The person from the New York
1 Stock Exchange talked about it. We are losing that gold
2 standard. And I don't know whether it's just money traveling
3 or money being someplace else, but 404 should not be the
4 factor.
5 MR. RAY: Thanks, John. Dave Walker, I think I saw
6 your name go up earlier? Did you want to make a remark? And
7 if so, I believe you are going to have the last --
8 MR. WALKER: It actually didn't go up, but somebody
9 mentioned something about GAO studies. I think we have to
10 keep in mind from eight major international accounting and
11 consulting firms down to four. And there's a lot of reasons
12 for that. Part of that is the responsibility of the
13 government. The government opposed going from six to five,
14 and the government caused the going from five to four.
15 Because the government indicted the firm rather than the
16 responsible individuals.
17 And there is an issue here because with new
18 independence rules, with concerns with regard to industry
19 expertise and a variety of other factors, you really don't
20 have four choices for auditors today.
21 But that's probably beyond the scope of this panel.
22 MR. RAY: Okay. Well, with that, that brings us to
23 the end of the panel. And almost the end of the day. So, on
24 behalf of all the moderators, I would like to thank all of
25 the panelists. I would like to thank the SEC Commissioners,
1 and the PCAOB Board Members for their attendance, attention
2 and participation. And the audience here in Washington, and
3 those listening in on the web.
4 With that, I am going to turn the floor over to SEC
5 Chairman Chris Cox.
6 MR. WHITE: Actually, John, I would also like to
7 put on the record our thanks for the tremendous efforts of
8 the staff of the PCAOB and the staff of the Office of Chief
9 Accountant, the Division of Corporation Finance. They have
10 put in countless hours putting today's program together and I
11 really want to make sure that was on the record as well.
12 MR. COX: Well, John, that's a nice segue into my
13 valediction, which is going to be exceptionally brief.
14 Before we adjourn, I would like to thank everyone.
15 Certainly all of our staff for their participation and
16 willingness to share their experiences that that goes first
17 to all of our panelists, this panel and all the preceding
18 panels. The information that you provided at this roundtable
19 and through y our written comments has been extremely
20 valuable.
21 I would also like to once again thank my fellow
22 Commissioners, and Acting Chairman Gradison and the Members
23 of the PCAOB Board for their participation.
24 We have heard today that 404 has produced
25 significant benefits and costs. We have heard a range of
1 views about relative importance of each. We also have heard
2 specific feedback about issues that remain to be addressed,
3 and actions that the SEC and the PCAOB could take to make the
4 internal controls investment in auditing more efficient and
5 more effective.
6 The SEC and the PCAOB will evaluate the comments
7 that we have received as we consider what next steps we will
8 take to improve the efficiency and effectiveness of the
9 process.
10 Finally, while our focus today has been on those
11 companies that have gone through two years of implementation
12 of the internal control requirements, we have also heard of
13 special challenges faced by companies that have not yet
14 undertaken the process. We are sensitive to these concerns,
15 and we will consider information that we have received here
16 today in light of those important issues.
17 We will also consider the important work of the
18 Advisory Committee on Smaller Public Companies, which just
19 had their first meeting at our roundtable last year and has
20 now provided us with a Final Report.
21 That sums it all up. I want to thank everyone for
22 being here. Our meeting is adjourned.
23 (Whereupon, at 5:33 p.m., the meeting was
24 concluded.)
25