March 15, 2006
1. Costly
The financial and morale costs are extremely high, on the order of a large system implementation. The question is, are investors getting a good return on this investment? Im not so sure.
2. Time Consuming
Other costs are time and focus, taking away from focusing on core business operations and reducing overall efficiency. Once again, are investors getting a decent ROI?
3. Not Specific Enough and Everyone Running Scared
The guidance is not specific enough to ensure consistency across audit firms. This, combined with the fact that everyone is running scared, has resulted in clients and especially audit firms to be ridiculously conservative instead of risk deficiencies.
4. Too Much Documentation and Not Enough Evaluation
The PCAOB has already addressed the issue of the sign and date mentality versus true assessment of controls. However, its QA docs do not seem to be effective in changing this mentality.
5. Clients Hiring People without the Appropriate Qualifications and Experience
Given the importance of 404, clients are dedicating individuals and organizations supposedly to manage internal controls. I wrote supposedly, because the focus is more on managing SOX documentation and testing than ensuring controls are in place to protect investors. Unfortunately, there is a very limited supply of the right people for these jobs, so clients are hiring people without sufficient 404 experience, or moving people from other groups within the organization. This will increase costs more than decrease risks.
6. ELCs and a Control Culture are the Most Important
The focus should be on ELCs and a culture of internal controls, with as much training as documentation and testing. This will allow business unit leaders to focus more on internal controls and less on over preparation for 404 audits.