Speech by SEC Staff:
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication, or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the Staff.
On the other hand, it has been great fun to follow SC events from afar, and I can assure you that the Trojan family is alive and well in Washington, D.C. Indeed, it is alive and well at the SEC. Not only is Chairman Cox a USC grad, but Conrad Hewitt, the Chief Accountant, took MBA classes at USC, and Joe Ucuzoglu, who serves as the Chief Accountant's senior advisor, is a graduate of the Leventhal School of Accounting. In fact, Joe U. is one of my former students, and he is someone who really knows how to think and talk about accounting with great clarity. While I cannot take any credit, it is a special pleasure to watch him shine.
As a professor, in addition to teaching, I spent more than two decades thinking and writing about the quality of financial reporting and auditing. Generally, I had the luxury of considering the issues from afar - as my time and inclination permitted. In the Office of the Chief Accountant, we work day-in and day-out to maintain and improve the quality of financial reporting and auditing. As Deputy Chief Accountant for Professional Practice, the issues have taken on a new sense of importance and urgency for me. This very much applies to moving forward with Sarbanes-Oxley (SOX), which has occupied a major portion of the Professional Practice Group's time and energy since I arrived at the SEC.
The Professional Practice Group has the lead in developing the Commission's proposed guidance to help management comply with SOX Section 404(a). Further, the Group has a significant role in leading and coordinating the Commission's oversight of all the PCAOB's activities, including auditing standard-setting, as well as the Commission's work with respect to auditor independence.
Given these activities, my remarks this afternoon will first focus on Section 404. Then I will comment on a few other corporate governance aspects of SOX that relate to auditing and auditor independence. And I do plan to leave time for your questions at the end of the session.
However, before saying anything more, I do need to pause and remind you that the views I express here today are solely my own. They do not necessarily reflect the views of the Securities and Exchange Commission, the Commissioners, or of any other members of the Commission's staff.
That said, now let's consider SOX.
As Chairman Cox emphasized last week in a speech at the U.S. Chamber of Commerce's First Annual Capital Markets Summit on Securing America's Competitiveness, it is not SOX, but the implementation of it that is the problem. To quote the Chairman:
"It is wrong to conflate the implementation problems of 404 with the entirety of the Sarbanes-Oxley Act. While it is a handy whipping boy, overall the law has had important positive effects. It may fairly be credited with correcting the most serious problems that beset our markets just a few years ago. It has played a significant and valuable role in restoring integrity to our markets."
So let's focus on Section 404, the infamous internal control over financial reporting (or ICFR) section. Where, to add a bit more context to the Chairman's remarks, let me begin by making the point that the importance of having adequate internal controls, which provide reasonable assurance regarding the reliability of financial reporting, is long-recognized and actually was reinforced back in 1977, under the Foreign Corrupt Practices Act, for companies of all sizes. SOX Section 404(a) essentially adds a requirement for annual disclosures to investors about the effectiveness of a company's internal controls.
Under the SEC's 404 implementation rules, management discloses its assessment, which is its conclusion on whether the company's internal control over financial reporting is effective, at fiscal year end. Management cannot disclose that ICFR is effective when material weaknesses exist, and the nature and extent of such material weaknesses then must be disclosed, too. Management needs to have a reasonable basis for its ICFR disclosure.
Early on, the Commission made the decision not to issue any overall guidance to assist management in implementing and conducting an evaluation process to provide it with this basis. At the time, for a variety of reasons, this decision seemed to make sense. Unfortunately, in retrospect, what frequently happened was that auditors ended up driving the 404 process.
The PCAOB issued Auditing Standard No. 2 (AS 2), that included what many refer to as the 40's paragraphs, which created expectations for management's evaluations, albeit indirectly. Without SEC guidance, AS 2 became the de facto guidance for managements' evaluations. The result has been the auditing literature, as interpreted by the PCAOB and audit firms, has been used as the basis to judge the adequacy of evaluations of ICFR. Essentially, AS 2 largely dictated how much control is enough for a reasonable assurance system. As such, companies tended not to need to consider the guidance in their control framework, which defines what an effective system of controls consists of.
But much has been learned - by both the SEC and the PCAOB - through feedback, including roundtables and the SEC's concept release, as accelerated filers essentially "pilot-tested" the implementation of 404. Last December, the Commission proposed rules and interpretive guidance to help management with its ICFR evaluation process. Likewise, in December, the PCAOB issued, among other items, an exposure draft of a proposed standard that would replace AS 2, as the standard for auditors in conducting integrated audits of ICFR (under SOX Sections 404(b) and 103).
The comment period for both the SEC's and PCAOB's proposals ended February 26th. I will talk about what we are hearing from the comment letters, but first, to provide some context for this discussion, I would like to overview the SEC's guidance as proposed in December.
An overarching objective of the SEC's proposed guidance is to rationalize the planning and conduct of the ICFR evaluation process for all companies, regardless of size. Assessing the effectiveness of internal control over financial reporting is all about risk and materiality. Our proposed guidance allows companies to focus their efforts on those areas that management has identified as posing the greatest risks of material misstatements in the financial statements, not being prevented or detected on a timely basis. This is what investors care about and what is important for achieving reliable financial reporting.
Still, the tough challenge is to get the right balance between reliable financial reporting and efficiency in achieving it. We developed the guidance with this important balance in mind, and offered an approach that allows companies of all sizes and complexities to efficiently and effectively complete their annual evaluations.
However, the guidance as proposed did not provide detailed instructions to management on how to approach their evaluation. In other words, it is not prescriptive. Judgments about risk and materiality are not always simple. But, an overly prescriptive standard has contributed to the struggles many have experience in implementing 404, and it is one reason that both the SEC and PCAOB are now looking to issue new and revised guidance, respectively. In addition, if the guidance were to prescribe something more detailed, we very likely could end up with evaluations more concerned with form than substance and which are inefficient to implement, ineffective at detecting material weaknesses, or both.
Instead, we proposed guidance that allows management to exercise significant and appropriate judgment in designing and conducting an evaluation that is tailored to its company's individual facts and circumstances. Unlike an external auditor, management is responsible for and involved with the company's ICFR on an ongoing basis, and thus has a good deal of knowledge about it. As such, our proposed guidance reflects the view that the details of the particular approach as to how companies go about their evaluation can appropriately be left to management and to the requirements of the control framework they use - while importantly, still maintaining the ability for an efficient audit.
Let me pause here to emphasize that reliable financial statements come from control systems that provide reasonable assurance. Control frameworks (such as COSO) explain what is required of a system to achieve this. The SEC's management evaluation requirement and auditing standards do not. From an investor protection perspective, an important implication of this is that spending inordinate amounts on audits is not the basis for an effective and sustainable system of controls. We can only expect the ICFR audit to let investors know when management's disclosures are not materially correct.
In that regard, in addition to the proposed interpretive release on management guidance, in December the Commission also proposed rules that provide for a single audit opinion on ICFR, consistent with the PCAOB's exposure draft for its new standard to supersede AS 2. These proposed revisions further clarify that auditors are not opining on the efficacy of the methods and procedures management uses to evaluate its internal controls.
This revision reinforces what we believe will be one of the beneficial effects of our proposed guidance, namely shifting discussions betweens auditors and management away from a focus on management's process to what matters most - risk and materiality in terms of potential misstatements. Discussions of this nature are the real key to facilitating more effective integrated audits and efficiencies in planning and performing them, rather than discussions of process and documentation (although these need to occur, too, in the context of the integrated audit, just like they have always done in the context of the financial statement audit).
Our proposed guidance recognized that accelerated filers have invested considerable effort and resources in their existing evaluation processes. And, believe it or not, many of these companies are now happy with the results.
We are very mindful of this. As such, we did not want any SEC guidance to disrupt or require unnecessary changes to the evaluation processes that accelerated filers have already implemented, and are working well. Still, we expected that a number of accelerated filers would find that the proposed guidance offers ways for overall improvements in the effectiveness and efficiency of their existing evaluation processes.
The proposed guidance provides one (but not the only) method to comply with the requirement for an annual evaluation of ICFR. Management can certainly follow other reasonable approaches. However, a proposed amendment to our rules does provide a (non-exclusive) safe harbor, in that if management follows the SEC guidance, then it has satisfied the requirement in the rules to annually evaluate ICFR.
Our proposed guidance is organized around what I characterize as a three-phase framework.
|Phase 1||Involves identifying the financial reporting risks and then the controls that adequately address these risks.|
|Phase 2||Involves evaluating the operating effectiveness of the controls identified in Phase 1, and determining the evidence needed to support the assessment, using evaluation procedures tailored to the risk assessment.|
|Phase 3||Involves reporting on the effectiveness of ICFR, including disclosing any material weaknesses identified during the evaluation process.|
Let me provide a few specifics on Phases 1 and 2.
In Phase 1, management uses its knowledge and understanding of the business and how generally accepted accounting principles (GAAP) applies to the business, to consider the sources and potential likelihood of material misstatements in the financial statements. Here, management considers what could go wrong.
Then, management identifies the controls that adequately address these financial reporting risks. Controls adequately address financial reporting risks, if their design is such, that there is not a reasonable possibility that a misstatement, which could result in a material misstatement in the financial statements, will not be prevented or detected on a timely basis.
Importantly, there is no requirement to identify all controls within a process for inclusion in management's evaluation or the documentation of that evaluation. Before proposing the guidance, we received significant feedback that companies, for various reasons, may have gotten carried away with this aspect of the evaluation, which resulted in an excessive number of controls being identified for testing (in Phase 2) that were not important to achieving the objective of ICFR. Much of the discussion around "key controls" and the need to rationalize the number of controls being included in the assessments were due to inefficient approaches in this area.
In Phase 2, management evaluates the operating effectiveness of the controls identified in Phase 1. Here, the determination of the nature and type of evidence needed to support an assessment of operating effectiveness should consider the materiality of the financial reporting element, its inherent risk of misstatement, and the risk that controls identified in Phase 1 related to that element would fail to operate effectively to prevent or detect a material misstatement.
Since the nature and type of evidence needed to support an evaluation of operating effectiveness varies based on these risk and materiality considerations, the proposed guidance also provides some discussion of how evidence might differ with materiality and with the degree of risk. For example, in lower risk areas, on-going monitoring may provide sufficient evidence for the ICFR evaluation (and direct testing might not be necessary). However, we would expect in higher risk areas, that the evidence gathered would include some amount of direct testing, and cover a reasonable period of time, including the fiscal year-end.
This illustrates that the proposed guidance is not a free pass for management to sit on its hands and do nothing, so companies should not misread our intentions. General guidelines are provided about what evaluation procedures would ordinarily involve in those areas that management has assessed as higher risk. Further, the guidance highlights areas of ICFR that ordinarily would be considered higher risk, including significant accounting estimates, critical accounting policies, related party transactions, fraud risks, and the like.
The proposed guidance also provides some discussion of documentation considerations. While the guidance as proposed gives management significant flexibility in determining the nature and extent of documentation needed to support its assessment, the guidance also intends to ensure that evaluations are conducted with appropriate discipline and rigor.
The proposed guidance is scalable in that smaller, less complex companies can adjust the procedures they use and the documentation they keep. For example, for smaller companies that have less complex internal control systems, the guidance recognizes circumstances where management may be able to rely on its daily interactions, and may need to create only limited documentation specifically for the evaluation.
Even so, we realize that non-accelerated filers who have not yet complied with our rules implementing SOX Section 404, feel a good deal of anxiety. They're overwhelmed by the stories of how burdensome the implementation of 404 has been for others. And unfortunately, there are groups with catchy 404 sound-bites (which help mask their motives), as well as articles in the press (some of which report the catchy sound-bites) that continue to play on these fears.
But a careful reading of our proposed guidance should help alleviate these fears and anxieties. Meeting the requirements under Section 404 need not be burdensome. It is very doable for companies of all sizes. Remember, the objective of the ICFR evaluation is to provide a basis for reliable and meaningful disclosures to investors about the control systems companies are currently required to have - not create unnecessary overhead burdens or waste shareholder resources.
Further, the Commission has tried to help non-accelerated filers by delaying implementation of 404 until guidance has achieved the right balance between reliability and efficiency. In this regard, in December 2006, the Commission finalized a rule extending the compliance date for non-accelerated filers for furnishing management's assessments to require them for fiscal years ending on or after December 15, 2007.
The Commission's December rule also bi-furcated the reports by management and auditors. That is, it delayed the requirement for auditor's attestations under 404(b) for non-accelerated filers until the filing of annual reports for fiscal years ending on or after December 15, 2008. In addition, the Commission has said that it would continue to be sensitive to the timing issue, as we go forward and turn the proposed guidance into final form.
Finally, I'd like to note that COSO issued its ICFR guidance for smaller companies in July 2006. Frankly, all companies that choose COSO as the framework for their assessments should find this guidance helpful. The July COSO guidance is in three volumes. Volume 3 is a set of tools to assist management in evaluating the design and operating effectiveness of ICFR. So companies that want more details on "what exactly to do" can consider these tools. By the way, the first two volumes (an executive summary and an overview of ICFR in smaller businesses) are intended to be read by executives, boards of directors, and audit committees (which means they are written in plain English, not audit-speak).
With this background, let me spend a few minutes on what we are hearing from the comment process. As I mentioned, the comment period on the Commission's proposed rules and guidance for management ended on February 26, as did the PCAOB's comment period on their exposure drafts. We've received over 200 comment letters; and the PCAOB has received over 170.
While the fact that the comment periods ended on the same day was coincidental, we did intend them to overlap because we recognized that the SEC's and PCAOB's 404-related proposals would need to be considered together. The letters clearly reflect this; indeed, a number of commenters sent the same letter to both the SEC and the PCAOB.
The SEC's comment letters reflect a broad cross-section of constituencies. These include: accelerated and non-accelerated filers, both domestic and foreign, and associations that represent them or their various constituent groups; investors and groups representing investor interests; audit firms, accounting and auditing groups and associations, and individual auditors; consulting firms; law firms and their associations; regulatory-related groups (such as the GAO), and the academic community (both faculty and students).
While we are only in the preliminary stages of analyzing the comment letters, and neither the Commission nor the staff has formed any conclusions yet, let me touch on a few high level themes that can be gleaned from a general reading of the letters.
First, many commenters support our guidance. The good news is that overall we are hearing that many think we struck the right balance and that most commenters believe the guidance will enable them to conduct significantly more efficient and effective evaluations. Most commenters appear to be giving us a thumb's-up for our risk and principles-based approach. This theme certainly is one that is loud and clear from accelerated filers who commented. So, while there is not unanimity, those that express concerns tend to be from non-accelerated filers (or groups that represent them), who then generally go on to ask us to exempt them from 404, extend their deferral, or provide more specifics.
Commenters, while generally expressing overall support for the PCAOB's proposed changes from AS 2, and see the proposed guidance as less prescriptive than AS 2, nonetheless commented that the proposed guidance for auditors appears more prescriptive than the SEC's proposed guidance for management. According to a number of commenters, the PCAOB's proposed standard may end up driving the process, and may undermine the ability to achieve the improvements in effectiveness and efficiency being sought by both the SEC and the PCAOB in the implementation of Section 404.
One theme is that the level of prescriptiveness within the PCAOB's proposed audit standard, unnecessarily requires the performance of more testing and preparation of more documentation by auditors (as compared to the SEC's guidance for management). To elaborate, several letters point out that the PCAOB's proposed audit standard contains over 250 "must's" and "should's." This matters because the PCAOB also has a rule, "Certain Terms" Rule 3101 that defines what "must" and "should" mean. "Must's" are mandatory and "should's" are presumptively mandatory performance requirements for auditors. Moreover, another PCAOB audit standard (AS 3) likewise carries audit documentation requirements for each "must" and "should." Further, auditor compliance with these performance and documentation requirements then become the subject of PCAOB inspections, which I will touch on shortly.
Anyway, commenters express concerns that the result of all this is that a more prescriptive auditing standard will drive management to perform unnecessary work for the sole purpose of helping to enable their auditors to fulfill their responsibilities under the PCAOB's audit standard. Essentially, these commenters argue that a more prescriptive auditing standard will force management to either pay the auditor to test and document or do it themselves.
To avoid these "unintended consequences," a number of letters call for the SEC's and PCAOB's guidance to be better aligned. Commenters make a number of suggestions for doing so. These suggestions include having the audit standard allow for more auditor judgment. Only a few commenters suggest compelling alignment of management and auditors by making the SEC's guidance more prescriptive.
A second aspect of the alignment issue relates to terminology. Not all terms in the SEC's and PCAOB's proposals have the exact same words in their definitions. Commenters are asking for all definitions to coincide. Moreover, the letters contain other suggestions for improvements in terminology.
We are also seeing some comments related to the audit opinion. Recall, both the SEC's and PCAOB's proposals call for just one audit opinion on management's disclosure on the effectiveness of ICFR. A number of commenters, of all sizes and shapes, support this decision and the reasons for it. However, others express the view that we kept the wrong opinion. One common rationale for this view is that more cost-savings would be achieved from dropping the audit opinion on the effectiveness of controls. Most who suggest that the wrong opinion was eliminated do not make investor protection arguments, although a few investor advocates say that both audit opinions should continue to be required. Another rationale for the view that we kept the wrong opinion, quite frankly involves confusion over exactly what the eliminated opinion was all about to begin with. Essentially, some commenters think that auditors should be opining on the efficacy of management's process (which was not the intent of the opinion eliminated, as clarified by the PCAOB last June).
Otherwise, some letters to the SEC identify areas where additional clarification is needed or would be useful (e.g., entity-level controls), and suggest aspects of management's annual evaluation process that we should consider addressing (e.g., rotational testing).
As I said, we are in the process of analyzing all the comments, and we are deliberating on how to revise the proposed guidance in response to them. We are also reviewing the comments related to the PCAOB's guidance and will work with them as they complete their standard.
In this regard, it is important to note that PCAOB Board approval is not the last step in the audit standard-setting process. In accordance with SOX, the Commission must vote whether or not to approve a standard, and so PCAOB standards do not become final until the SEC has approved them. The Commission takes this responsibility very seriously, and this is one reason that the staff works closely and diligently with the PCAOB during their standard-setting process.
Now, to transition from 404 to other issues related to moving forward with SOX, I would like to say a bit more about PCAOB inspections. We are also hearing worries from various commenters that the PCAOB's inspection process will likely continue to contribute to an overly conservative implementation under any proposed auditing standard. For example, one worry related to 404 is that an overly prescriptive standard can result in a PCAOB inspection process that promotes inefficiency by focusing on technical compliance with prescribed requirements rather than on achievement of overall audit objectives. Generally, the concern is that unnecessary audit work will continue, irrespective of any revised guidance, and that the auditing standard will continue to drive management's evaluation process because of the PCAOB's inspection process.
On the other hand, regulators and others have placed great emphasis on using the PCAOB's inspection process to inspect for inefficiencies on 404 audits, or so called overauditing on ICFR audits. So, let's explore these tensions.
In establishing the PCAOB, SOX made inspections a key element of the audit regulatory oversight process. SOX intended inspections to assess the degree of compliance of each registered public accounting firm and associated persons of that firm with SOX, PCAOB and SEC rules, and professional standards in connection with performing audits (Section 104).
Now we need to look at standards for a moment. Standards - whether auditing, quality control, or independence - provide a floor for auditor performance. Importantly, audit firms should have incentives to go beyond the floor and compete on the basis of quality. This occurs not only from enlightened self-interest, but when, for example, audit quality carries a premium and clients are willing to pay more for higher quality services.
Bringing these concepts together, one can say that SOX envisioned using inspections to assess compliance with a floor (which means assessing audit effectiveness) not a ceiling (which is assessing audit efficiency). Everyone wants "just right auditing" (we likewise want "just right accounting"), but inspectors are not like Goldilocks and audits are not like porridge, where you can come in after the fact, taste them, and tell whether they are too hot, too cold, or just right. Arguably, we can come closest to our goal of providing investors high quality audits by empowering audit professionals to make sound and reasonable judgments in an environment where all participants approach the process with intellectual honesty, and where disagreements are not viewed to be second-guessing, during the inspection process.
Anyway, while some view inspecting for efficiency as something worthwhile, I happen to believe that investors, in the long run, are best served if regulators concentrate on audit effectiveness. Solving the 404 problem, by rationalizing ICFR assessments and attestations, will thus enable regulators to regain their focus on audit effectiveness. In the meantime, it is important for all of us to recognize the idiosyncratic nature of this temporary inspection assignment.
And perhaps, rather than having efficiency inspections that focus on individual audit firm inefficiencies in the conduct of their ICFR audits (in other words, focusing on efficiency deficiencies), we could reframe the task to use the inspection process as a mechanism to better inform both audit standard-setting and auditor performance. Regarding the former, inspections, for example, can help alert standard-setters to particular areas in an audit standard that need to be clarified or revised, as well as areas that might call for new guidance. In regard to auditor performance, inspections, for example, can be used to identify best practices and communicate these practices to all firms. This is quite different than using inspections to identify for, and communicate to, an individual audit firm any deficiencies in the efficiency (or effectiveness) with which they conducted selected ICFR audits.
Having touched on auditing standards, I would like to say a few more words about them consistent with our overarching theme of moving forward with SOX. The PCAOB made the decision, in implementing SOX, to set auditing standards in-house; that is the PCAOB decided not to delegate audit standard-setting to one or more outside professional groups of accountants as allowed by SOX. I believe this implementation decision has a number of implications.
For example, this decision largely relegates the current, relevant audit experience and expertise found within audit firms to a constituency, which then becomes just one constituency among many that provide input into the PCAOB's standard-setting process. Moreover, because currently practicing auditors are not an integral part of the standard-setting process, it means an increase in the likelihood for ambiguity, misinterpretation, misunderstanding, and uncertainty in the implementation of PCAOB standards.
Another implication is that we now have two audit standard-setting groups working within the U.S., the PCAOB (for SEC registrants and others that voluntarily adopt PCAOB standards) and the Auditing Standards Board for all others. Plus, we have the International Auditing Standards Board working in the international arena. And the EU has expressed special interest in considering the adoption of these standards for use in their member countries.
While there is a good deal of talk about international convergence of accounting standards, I would suggest that we need to add auditing standards to this discussion. Frankly, it seems, at least to me, that there may be fewer compelling arguments for divergences in auditing standards, than accounting standards.
Finally, since we are talking about convergence, it seems worthwhile to consider auditor independence standards, too. SOX places responsibility for oversight of auditor independence on audit committees, and while auditors (and audit firm quality control systems) can help facilitate this process, it is one that is complicated by the myriad laws, rules, and professional standards around the globe. The lack of convergence for independence standards creates compliance challenges for audit firms and their multi-national clients. Different models of auditor independence have evolved.
In OCA, we recognize that the current disparity in independence rules can be burdensome for all. So, in conjunction with other securities regulators in IOSCO, the staff at the Commission is beginning to survey the landscape, in an effort to compare and contrast the auditor independence requirements in various jurisdictions throughout the world. In discussions among regulators, we are working on understanding current similarities and differences to engage in constructive dialogue going forward.
In the meantime, the staff has also been considering how to facilitate communication of the Commission's existing (and the PCAOB's recent) independence rules to audit committee members to help them fulfill their responsibilities under SOX. We hope to be able have some materials available soon.
On that note, I would like to end my prepared remarks to leave time for any questions that you might like to ask. So let me conclude by saying that although we face a number of audit-related public policy challenges as we go forward with SOX, facing these challenges involves cooperation among regulators, investors, issuers, auditors, and others - which importantly includes academics. If we recognize that the goal for all of us is simply improving the quality of financial reporting and auditing, we can get there.
Thank you very much.
|Home | Previous Page||