March 28, 2006
I am submitting my comments in connection with the SEC Advisory Committee's Release No. 33-8866. I have assisted over 10 SEC registrants in various ways with regard to implementing SOX Section 404. I have worked with most of the US National Audit firms and several of the regional PCAOB registered audit firms. My consulting firm has served as a total implementation agent with assisting management from planning SOX engagements carried through the testing phase to simply helping with entity level controls. I have read numerous comments posted to this Release and still do not really believe one critical issue has been fully addressed at this time.
I believe that one of the most important flaws currently with implementing Section 404 is that a vicious circle exists between the auditor, the PCAOB, and management. Principally, that a significant factor why management incurs such excessive fees is that the auditor is convinced that the PCAOB field auditors are so aggressive in their examinations that they must 'overtest' and 'overdocument' to be prepared to 'pass' their examinations. These field audit objectives seem to be in stark contrast to the message being communicated by the PCAOB and the SEC communication in May 2005 (Question 49)where management does not have to succumb to the rigors of AS 2 and that a COSO assessment does not have to be on a control by control matching process with the auditor. The effect of this 'fear effect' is that management is largely still being told by the auditor that they must conform to their methodology and thus AS 2 to take advantage of testing under the principle of reliance on management's testing. Thus, management is coaxed into a belief that without this conformance, that the auditor 'could' attest that management's assessment is ineffective and possibly issue an adverse opinion as such.
I believe the PCAOB must take the lead in correcting this by 1) working with their field staff to conform to the May 2005 guidance and to recommend audit firms not 'push' their clients to an assessment beyond what management feels is appropriate for complying with COSO and 2) Issue further AS 2 staff QA to explicitly articulate that management may take exception to auditor recommended guidance through a written communication process that shows their assumption where different from the auditor and that as long as authoritative guidance allows such practice, that an adverse opinion would not be issued. I realize 2 is an aggressive recommendation but would solve a number of filer frustrations on obscure Audit firm National Office interpretations that do not seem rooted in black and white GAAP or other authoritative guidance.
Thanks for the opportunity to comment.