April 12, 2005
April 11, 2005
Mr. Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549 0609
Re: File No. 4-497 - Internal Control Requirements under Section 404 of the Sarbanes-Oxley Act of 2002
Dear Mr. Katz:
Bausch & Lomb appreciates the opportunity to provide commentary pursuant to the Commissions request for feedback on the internal control requirements under Section 404 of the Sarbanes-Oxley Act of 2002 the Act. We believe such dialogue will be constructive in improving the implementation and interpretation of, and also the usefulness and effectiveness of, the internal control provisions of the Act.
We agree that the intent and spirit of the Act is appropriate and plays a significant role in the restoration of credibility to the financial reporting process, a process which is critical to the success of the U.S. capital markets and to the protection of the investor community. It is in support of such objectives that we provide the insights included in this letter.
Reasonable Assurance and Materiality
The COSO framework states, An internal control system, no matter how well conceived and operated, can provide only reasonable--not absolute--assurance to management and the board regarding achievement of an entitys objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.
We believe that this concept in the COSO framework is reasonable and recognizes that there are inherent limitations in any system of internal control, including mistakes and errors. However, the public accounting firms interpretation of Auditing Standard No. 2, including the definition of significant deficiency, creates a potential for conflict with the concept of reasonable assurance which management is required to assess under the framework in which it must use to evaluate the effectiveness of its internal controls over financial reporting and conclusions reached by the external auditor, which seem to be at times that only absolute assurance is acceptable.
We also believe the intersection of materiality, including interim materiality, in the current environment and the internal controls attestation requirements results in internal controls being perceived as and held to a level of precision for which such controls are not intended by definition in COSO. The AS No. 2 definition of Significant Deficiency, which includes the concepts of more than remote and more than inconsequential, creates an exceptionally low threshold for a control deficiency, or a combination of control deficiencies, to be considered a Significant Deficiency.
Level of Effort in Testing Routine Accounts and Transactions
The requirements to perform detailed testing of routine accounts and transactions at the transaction level are extremely onerous for many companies, including multi-national concerns with global operations. Management compliance and external auditor attestation over this portion of the Act produces much of the cost borne by companies in complying with the Act, largely due to duplication of efforts in testing controls over routine processes and transactions by management and the external auditor please see point below. Bausch & Lombs external auditor fees for audit services in 2004 were more than twice the 2003 amount.
We do not believe the amount of transactional testing required by both management and the external auditor is consistent with the recognition by COSO of resource constraints and the benefits of internal controls considered relative to their costs, nor does such detailed, transactional testing address the behaviors of executive management, the root cause of the urgency and enactment of the Act. We suggest that the PCAOB refine AS No. 2 to de-emphasize transaction level testing of controls over routine processes and accounts i.e., the Control Activities component of COSO and to provide further guidance and focus on testing of the foundation of any system of internal control over financial reporting, Control Environment, including management tone at the top and other COSO elements.
Reliance on Management Testing and Internal Audit
In recent years there has indeed been a focus and momentum to improve corporate governance, including the role of the Audit Committee and the internal audit function. In fact, under AS No. 2, the external auditor is required, as part of their attestation procedures, to evaluate the effectiveness of the audit committee and the internal audit function. However, AS No. 2 at the same time limits the amount of reliance the external auditor can place on management testing conducted by or reviewed and validated by the internal audit function. We believe that AS No. 2 should differentiate the amount of reliance an external auditor is able to place on internal audit related to controls over routine transactions and processes versus the amount of reliance to be placed on the work conducted by internal audit over areas that require significant management judgment, involve complex estimation processes and relate to anti-fraud programs and controls and the tone set by executive management. The benefit of this approach will be cost effectiveness without sacrificing the effectiveness of the audit and attestation process, which would still be risk-based and focused on those areas for which the Act was constructed.
Audit Process and Oversight
Audit and attestation approaches used by the Big Four firms appear to consider audit firm risk management considerations more than focusing on a client-specific risk-based audit approach. On the subject of audit quality and process, we are concerned that audit firms may be focusing more on the form of internal controls attestations rules-based versus the unique ability to use their experience and judgment to render an opinion on a companys system of internal controls principles-based. This paradigm at best may dilute the usefulness of such opinions to investors and at worst, mislead the investor with a potentially false sense of comfort, that being a level of absolute assurance.
Late Interpretive Guidance
In 2004, much significant interpretive guidance was issued extremely late in the year by experts in the field of accounting and auditing for example, frameworks for evaluating control exceptions and deficiencies. The practicality of implementing changes or new requirements related to such a complex set of rules with less than two months remaining in a companys fiscal year is a significant challenge and drain on resources. In the interest of keeping future changes to legislation and interpretation fair and manageable for implementation by management, we believe adequate time must be provided for management to address such changes and new requirements to complete its obligations under the Act.
Thank you again for the opportunity to present certain of our views on the internal control requirements under Section 404 of the Act. Please contact me at 585-338-8708 if you would like to discuss any comments included in this letter.
Very truly yours,
Jurij Z. Kushner
Vice President and Controller
Bausch & Lomb Incorporated