From: Leigh Thompson
I am the Sarbanes Oxley Coordinator for a $1 billion bank holding company. We have been required to comply with the Sarbanes Oxley Act, Section 404 since 2004. While the Act’s intentions have considerable merit, I believe the requirements, as defined by the external auditors performing 404 attestations, have gone way beyond the “spirit” and intent of the Act. The considerable cost, time, and personnel allocated to this endeavor for a smaller public company take valuable resources away from day-to-day activities and oversight.
In our own experiences, we have been asked to provide documentation (flowcharts) of safeguarding of assets, defined by our external auditors, as documentation over the testing of fire extinguishers, burglar alarms, and sprinkler systems. While these safeguards of assets are important, I question how these items directly affect the internal controls over financial reporting. Additionally, our external auditors spent in excess of 1,000 hours on our engagement testing internal controls over information technology. The deficiencies noted included the number of “swipe access” cards the manager of a 3rd party data processor held. Again, I question the relationship to internal control over financial reporting. These are only two of countless examples of an audit focus that by the Act’s intent should begin with a “top-down” approach, but has evolved into a “bottom-up” focus on minor task-oriented controls that have less to do with financial reporting than, I believe, with the external auditors’ entry level staff’s inability to test highly complex or more “top down” controls.
In reading the Committee’s report, I began to note numerous examples and explanations provided which were all too similar to our experiences. It was somewhat comforting to see that all public accounting firms seemed to be taking the same approach. However, the approach seems to be a bottom-up, detail task-oriented control testing, with significant focus on information technology. This approach results in labor-intensive and costly audits. As a person working in this area on a daily basis, I feel that this approach does little to prevent errors in financial reporting.
The Committee’s recommendations included a tiered approach to Sarbanes Oxley, as well as a more defined interpretation of the COSO framework for smaller businesses and clearer interpretations by the PCAOB of auditing standards. I feel that all of these need to be addressed. The cost of implementing and maintaining a SOX program for a smaller public company far outweighs any benefit. As a highly regulated industry, we are accustomed to operating in an effective internal control environment. The merits of SOX and the benefits of a sound internal control structure, I believe, warrant continued compliance with the 404 program for all companies. However, I do not feel that the external auditor’s attestation provides any additional support to the control structure, while adding significant cost to the external audit. Our fees have increased over 200% since beginning compliance with Sarbanes Oxley’s 404 attestation requirement. The cost in our 2nd year has been more than the cost incurred in the 1st year.
I strongly support and encourage adoption of the changes proposed by the Committee.