WEBMASTER NOTE: This is the unedited transcript of the Roundtable Discussion on Implementation of Internal Control Reporting Provisions held on May 10, 2006 which we received directly from the court reporter. We are posting the transcript in this form to make it available as soon as possible. 1 THE UNITED STATES SECURITIES AND EXCHANGE COMMISSION 2 3 4 5 6 ROUNDTABLE DISCUSSION ON 7 SECOND-YEAR EXPERIENCES WITH INTERNAL CONTROL 8 REPORTING AND AUDITING PROVISIONS 9 10 11 12 Wednesday, May 10, 2006 13 9:00 a.m. 14 15 16 17 18 SEC Headquarters 19 100 F Street, N.E. 20 Washington, D.C. 20549 21 22 23 24 Diversified Reporting Services, Inc. 25 (202) 467-9200 1 C O N T E N T S 2 PAGE 3 Opening Remarks 4 4 Chairman Christopher Cox, U.S. 5 Securities and Exchange Commission 6 7 Acting Chairman Bill Gradison, 8 Public Company Accounting Oversight Board 9 10 Introduction and Panel One - Overview of the Second Year 16 11 Moderators: 12 Thomas Ray, Office of the Chief Auditor, PCAOB 13 Nancy L. Salisbury, Office of the Chief Accountant, SEC 14 John W. White, Division of Corporation Finance, SEC 15 16 Panel Two - Management's Evaluation and Assessment 59 17 Moderators: 18 Laura J. Phillips, Office of the Chief Auditor, PCAOB 19 Scott A. Taub, Office of the Chief Accountant, SEC 20 John W. White, Division of Corporation Finance, SEC 21 22 Lunch Break 23 24 25 1 C O N T E N T S (CONTINUED) 2 PAGE 3 Panel Three - The Audit of Internal Control Over Financial 4 Reporting 118 5 Moderators: 6 Laura J. Phillips, Office of the Chief Auditor, PCAOB 7 Thomas Ray, Office of the Chief Auditor, PCAOB 8 Nancy L. Salisbury, Office of the Chief Accountant, SEC 9 10 Panel Four - The Effect on the Market 176 11 Moderators: 12 Thomas Ray, Office of the Chief Auditor, PCAOB 13 Carol A. Stacey, Division of Corporation Finance, SEC 14 John W. White, Division of Corporation Finance, SEC 15 16 Panel Five - Next Steps 220 17 Moderators: 18 Thomas Ray, Office of the Chief Auditor, PCAOB 19 Scott A. Taub, Office of the Chief Accountant, SEC 20 John W. White, Division of Corporation Finance, SEC 21 22 Closing Remarks 23 24 25 1 P R O C E E D I N G S 2 MR. WHITE: I'm John White, the Director of the 3 Division of Corporation Finance at the SEC, and I want to 4 welcome you to today's Roundtable on Second-Year Experiences 5 with Internal Control Reporting and Auditing Provisions. 6 The roundtable is being hosted, as you know, by the 7 Securities and Exchange Commission and the Public Company 8 Accounting Oversight Board. We have a full agenda today that 9 I'm sure you will find very informative and a very 10 interesting program. We're going to start this morning with 11 brief statements from Chairman Christopher Cox of the SEC and 12 Acting Chairman Bill Gradison of the PCAOB. 13 It's my pleasure now to turn the podium over to 14 Chairman Cox to start the roundtable. Chairman Cox? 15 CHAIRMAN COX: Thank you very much, John. Thank 16 you to all of you. Welcome. This is a beautiful spring day. 17 We're going to spend it indoors with no windows. 18 But I know that it's going to be a vigorous and 19 substantive discussion. I'm very much looking forward to it 20 myself. I'd like to thank each of our panelists, many of 21 whom were kind enough to join us last year as well, for their 22 willingness to come to Washington today and to devote their 23 energy and constructive thinking to a topic of great 24 importance to the nation's public companies. 25 I would also like to extend a particular welcome to 1 Acting Chairman of the Public Company Accounting Oversight 2 Board, Bill Gradison, and the PCAOB Board members who are 3 holding this roundtable with us as well. 4 The Sarbanes-Oxley Act was a critical step in 5 addressing an unprecedented string of corporate scandals that 6 were rooted in very serious governance, accounting and audit 7 failures. The Act, and in particular its internal control 8 requirements embedded in Section 404, has great potential to 9 improve the accuracy and reliability of financial reporting, 10 and it's already done so in many ways. 11 That potential, however, can only be realized if we 12 implement the statute properly, and in the manner that 13 Congress intended it when it passed the Act in 2002. In 14 practice, it hasn't always worked out that way. But we at 15 the SEC are committed to making sure that the provisions of 16 the Act work for public companies and for investors for whom 17 this is all designed. And I have no doubt that the PCAOB 18 shares this commitment. 19 Strong internal control over financial reporting 20 has long been recognized to be important to the reliability 21 of financial information. For that reason, companies have 22 been required to have such controls since the Foreign Corrupt 23 Practices Act was passed in 1977. The requirement to assess 24 and report on these controls, however, is new. It began with 25 Sarbanes-Oxley. Our accelerated filers have now been 1 required to comply with the internal control reporting 2 requirements for two years. 3 During the initial year of reporting, approximately 4 3,900 companies reported on the effectiveness of their 5 internal controls over financial reporting, with almost 16 6 percent of those companies concluding that their internal 7 control over financial reporting was not effective. A total 8 of approximately 1,500 material weaknesses were reported. 9 These reported weaknesses reflected a variety of control- 10 related topics. 11 During the second year of reporting, through April 12 25th, 2006, approximately 3,000 companies have reported, with 13 7 percent of those companies concluding that their internal 14 control over financial reporting was not effective. A total 15 of approximately 400 material weaknesses were reported, again 16 reflecting a variety of control-related topics. 17 At the roundtable that we sponsored last year, we 18 heard about the time, energy and resources that went into 19 implementing the internal control requirements in the first 20 year. We also heard a great deal about first year 21 inefficiencies in the process. We and the PCAOB took this 22 input and issued additional guidance shortly following that 23 roundtable. 24 The purpose of today's discussion is to hear 25 directly from those who have experienced now two years of 1 compliance with the internal control reporting requirements. 2 We hope to hear very specific feedback that will allow the 3 Commission and the Board to further assess the implementation 4 of the internal control requirements and to find out whether 5 impediments remain to reaching a sustainable process that is 6 both efficient and effective. 7 We are particularly eager to hear whether there are 8 actions that we can take to improve the internal control 9 documentation, assessment, reporting and auditing processes. 10 For example, the PCAOB's Auditing Standard Number 2 gives 11 guidance to independent external auditors tasked with 12 determining whether a company's internal controls are 13 effective. 14 No similar guide, however, exists for companies and 15 for their management. And in the absence of direction from 16 us, companies have been basing the assessment of their 17 controls on AS-2. Management and auditors clearly have 18 different duties and responsibilities. Wouldn't management 19 benefit from having guidance from the Securities and Exchange 20 Commission on what constitutes adequate controls? 21 The ultimate goal, of course, is to have good 22 controls and complete disclosure so that investors can make 23 informed decisions without unduly impacting a company's day- 24 to-day business. I'm certain that the distinguished and 25 diverse group of panelists that we've assembled will let us 1 know how the process has really worked for issuers in general 2 in year two. 3 As we did last year, the SEC and the PCAOB 4 solicited written feedback in connection with this 5 roundtable. In addition to what we hear today, therefore, we 6 will be considering the written submissions that we've 7 received. Those submissions are available to the public on 8 the SEC's and the PCAOB's web sites. 9 Today's proceedings come on top of reports from the 10 Government Accountability Office and the SEC's own Advisory 11 Committee that we set up last year to report on the problems 12 peculiar to small business. I hope and expect that today's 13 roundtable will bring us much closer to the finish line, and 14 we have every intention at the SEC and the PCAOB of getting 15 404 right sooner rather than later. 16 As compared to the importance of our topic, we have 17 a limited amount of time today. So I'm going to keep my 18 remarks brief. Our moderators will be going through the 19 rules of the road for the panel discussions in more detail, 20 but I hope that we can engage in a focused and useful 21 discussion, just as we did last year. 22 Again, let me express my thanks to all the panelist 23 who have agreed to be here today. We appreciate the time 24 that specific you're taking out of your very busy schedules 25 in order to share your views with us. We'll be listening 1 carefully. And I can assure you that we intend to consider 2 all of the different views expressed today. 3 Now I'd like to give Bill Gradison, the Acting 4 Chairman of the PCAOB an opportunity also to say a few words 5 of welcome. Bill? 6 MR. GRADISON: Thank you, Chairman Cox. On behalf 7 of the Public Company Accounting Oversight Board, welcome to 8 today's roundtable. 9 The Board and staff of PCAOB have been actively 10 monitoring the implementation of the internal control 11 reporting requirements of Sarbanes-Oxley, and this roundtable 12 is an important aspect of our information gathering. 13 We expect the panelists will share their 14 experiences with the internal control requirements, the nitty 15 gritty that doesn't always come across in the surveys that 16 we've seen. In that sense, this roundtable is much like the 17 congressional testimony that Chairman Cox and I are familiar 18 with from our days -- our years, actually -- in the House of 19 Representatives. Like the testimony that we heard from 20 congressional witnesses, what we hear today will give us 21 guidance for adjusting and improving the rules that govern 22 the assessment of internal control by auditors and 23 management. 24 After last year's roundtable, the SEC and PCAOB 25 both made mid-course corrections with respect to reporting on 1 and the auditing of internal controls. Without prejudging 2 anything we'll hear today, based on the information we 3 already have, it would seem that some further changes may be 4 in order. 5 The SEC, of course, writes the rules and oversees 6 the implementation of companies' responsibilities for 7 assessing and reporting on internal control. PCAOB writes 8 the standards for and oversees the implementation of the 9 auditors' responsibilities with regard to internal control. 10 Section 404, along with the SEC's implementing 11 rules, and the PCAOB auditing standard, Auditing Standard 12 Number 2, or AS-2, as it's affectionately known, won't by 13 themselves drive all the necessary improvements in financial 14 reporting. 15 It is important to keep in mind that public 16 companies by their very nature have special responsibilities 17 to their owner investors. Indeed, the Sarbanes-Oxley Act 18 recognizes by stating in the preamble that it is, quote, "an 19 Act to protect investors by improving the accuracy and 20 reliability of corporate disclosures." Close quote. 21 In furtherance of this goal, Congress was quite 22 explicit when it mandated in Section 404 of the Act specific 23 requirements for companies and their external auditors with 24 respect to internal control over financial reporting. 25 Yet at the same time, Congress gave PCAOB and the 1 SEC considerable flexibility in determining how to implement 2 these requirements. Indeed, both Senator Sarbanes and 3 Chairman Oxley have stressed this flexibility repeatedly. My 4 Board colleagues and I have always had flexibility in mind 5 when dealing with AS-2. 6 From the time we voted to adopt it, we've 7 emphasized that the application of significant auditor 8 professional judgment is an essential part of the standard. 9 My sense is that auditors as well as management of public 10 companies should exercise even more judgment as they look to 11 the third year of implementing the internal control 12 requirements. 13 My fellow Board members and I at PCAOB are 14 particularly concerned about small audit firms that have yet 15 to perform internal control audits. We hope to encourage 16 these firms to continue auditing public companies by helping 17 them prepare to implement AS-2. I believe we will succeed if 18 we can communicate to them that AS-2 is not only flexible but 19 scalable. And a standard can only be properly implemented by 20 exercising good, sound professional judgment. 21 A key part of any action we take must address 22 implementation of AS-2 in the internal control audits of 23 smaller public companies. PCAOB is uniquely positioned to 24 understand how well auditors are fulfilling their 25 responsibilities through our inspections of registered public 1 accounting firms. We've heard some say that our inspections 2 have driven auditors to do more work under AS-2 than is 3 necessary. 4 In this regard, the Board last week announced that 5 our inspectors will focus on audit efficiency, that is 6 whether auditors meet the -- whether audits meet the 7 objectives of AS-2 with the least expenditure of efforts and 8 resources. 9 In addition, our inspections, that actually began 10 last week, will combine our inspections of internal control 11 audits with our inspections of financial statement audits, 12 much as auditors are expected to integrate their audits of 13 internal control with the audits of financial statements. 14 Consistent with past guidance, our inspectors will 15 also be looking for top-down approaches to audits, whether 16 auditors properly assess and respond to risk, and whether 17 auditors use the work of others to the greatest extent that 18 is appropriate. 19 We believe that focusing our inspections in this 20 manner will be a significant step towards preserving the 21 parts of the auditors' work that are truly necessary and 22 essential while cutting out unnecessary costs. Because of 23 the importance of our inspections, some of the questions for 24 panelists will focus specifically on our inspections program. 25 We look forward to hearing panelists' reactions to our 2006 1 inspections approach. 2 As our monitoring of the reporting requirements 3 continues, the Board welcomes ideas about how the 4 implementation of Section 404 can be made scalable to 5 companies of all size. 6 I was a general partner of a New York Stock 7 Exchange firm that built its business around the needs of 8 smaller businesses and investors of modest means. From that 9 experience, I firmly believe there is significant public 10 interest in providing investors in all companies with the 11 same level of assurance as to the accuracy and reliability of 12 financial reporting, which of course is what Sarbanes-Oxley 13 is all about. 14 Addressing the various implementation issues in a 15 constructive manner will require action by PCAOB, the SEC, 16 issuers and auditors, which must of course be geared toward 17 investor protection. Whatever actions are taken, we'll 18 certainly be informed by today's roundtable. 19 With that, let me turn the floor back to John 20 White. 21 MR. WHITE: Thank you, Chairman Cox and Acting 22 Chairman Gradison. We have a very full day ahead of us with 23 five terrific panels to walk us through a range of issues 24 that people have faced as accelerated filers have completed 25 their second year of compliance with Section 404's 1 requirements. 2 Before we get to the roundtable itself, however, I 3 need to make a few introductory points and lay out the rules 4 of the road, as Chairman Cox described. First, we are very 5 fortunate to have here today all of the members of the two 6 hosts of the roundtable, the SEC and the PCAOB. Seated at 7 the table to my left starting nearest to the audience we have 8 the five SEC Commissioners, Chairman Chris Cox, whom you have 9 met, Commissioner Cynthia Glassman, Commissioner Paul Atkins, 10 Commissioner Roel Campos, and Commissioner Annette Nazareth. 11 Sitting at the table to my right we have the four 12 current members of the PCAOB. Again starting at the end 13 closest to the Audience, Acting Chairman Bill Gradison, who 14 just spoke, Charles Niemeier, Kayla Gillen and Dan Goelzer. 15 The Commissioners and the Board members will be here 16 throughout the day for all five panels, and for that I say in 17 advance they have my gratitude and admiration, because it 18 will be a long day. The rest of us get to come and go up 19 here. 20 The rules of the road for today's program are I 21 think actually fairly simple. The lead moderator on each 22 panel will introduce the panelists, and the other moderators 23 for that panel, and I'll do that in just a moment for the 24 first panel. But I want to cover a few other things firs. 25 As Chairman Cox said, we have asked each of the 1 panelists to submit written comments if they choose to, and 2 many have done that. And their submissions, along with the 3 other submissions received from the public, are all available 4 on the Commission's web site. The PCAOB also has public 5 comments posted on its web site. 6 And finally, a transcript of today's program will 7 posted on the Commission's web site once it's been prepared. 8 In the interest of time and so we can move quickly 9 through the proceedings today, we have asked the panelists 10 not to make opening statements so that we can start questions 11 right away with each panel. The moderators will take the 12 liberty of directing certain questions to certain panelists, 13 and in some cases follow-up questions to panelists. But at 14 the same time, we do encourage the participation of all the 15 panelists when you have something to say and would like to 16 make a comment. 17 But there is one very important rule for all that, 18 and that is, so that we can maintain order, if you would like 19 to speak, you need to take your tent card like this and set 20 it up like that, and then we will know that you wish to be 21 called on. 22 The Commissioners and the PCAOB Board members have 23 also agreed to follow the same tent card rules to the extent 24 that they have questions, or at least I hope so. 25 With that, I'm going to introduce the first panel, 1 and we're going to get started. So, the first panel. 2 PANEL ONE - OVERVIEW OF THE SECOND YEAR 3 This panel has been set up to look at the 4 experiences people have had specifically with their second 5 year of compliance with 404. And we are especially 6 interested in changes in the second year as companies and 7 their auditors have gained more experiences, whether 8 resources have been allocated efficiently and effectively in 9 the second year, and whether progress has been made towards 10 the goal of improving the reliability of financial reporting 11 in the second year. 12 To work through those issues, we've assembled a 13 very impressive panel, and I will go through and introduce 14 each of the panel members. Starting on the left, we have 15 Philip Ameen, the Vice President and Controller of GE. 16 Next we have Mary Bush, the president of Bush 17 International. Ms. Bush is also a member of several boards 18 of directors of public companies, including one in which she 19 serves as the chair of the audit committee. Rodg Cohen, who 20 is the chairman of the law firm of Sullivan & Cromwell. 21 Colleen Cunningham, President and CEO of Financial Executives 22 International, or as I think many of us know it, FEI. Bob 23 Davis, Chief Financial Officer of CA, Inc. Mr. Davis is also 24 here representing the U.S. Chamber of Commerce at today's 25 roundtable. 1 Next, Samuel DiPiazza, Global Chief Executive 2 Officer of PricewaterhouseCoopers International, if I got all 3 that right. Barbara Hackman Franklin, President and CEO of 4 Barbara Franklin Enterprises and a former U.S. Secretary of 5 Commerce. Ms. Franklin is also the director of several 6 public companies, including one of which she serves as the 7 chair of the audit committee. 8 Next, Joe Grundfest, who is a professor at Stanford 9 Law School. Professor Grundfest is also a former SEC 10 commissioner, although I bet he was not in such a nice room 11 as this. And he is a director and audit committee member of 12 two public companies. 13 Seated next to Professor Grundfest is Dennis 14 Johnson, who is the Senior Portfolio Manager, Corporate 15 Governance Office of CALPERS, the California Public Employee 16 Retirement System. 17 And finally, Ed Nusbaum the CEO and Executive 18 Partner at the accounting firm of Grant Thornton. 19 The moderators for Panel One are myself, John 20 White, to my right, Nancy Salisbury, the Senior Associate 21 Chief Accountant in the Commission's Office of the Chief 22 Accountant, and to my left, Tom Ray, the Chief Auditor at the 23 PCAOB. 24 So, that's I think all the introductions, so let's 25 turn to the substance of the first panel. And we'd like to 1 organize this first panel along the lines of five topics with 2 roughly equal time for each one. The first topic will be the 3 benefits and costs of 404, speaking broadly. 4 The second is the specifics of second year 5 compliance compared to first year compliance for accelerated 6 filers. Third, we want to talk about costs and a couple of 7 studies that have been done on costs. And then we want to 8 move to experiences with the management's assessment and then 9 close with experiences with the audit. 10 So those are basically our five topics to get to 11 our first topic. We want to hear about the second year 12 compliance and whether the panelists believe that the 13 requirements of 404 have helped improve the quality and 14 reliability of companies' financial statements. 15 And I guess I'd like to actually call on three 16 panelists to get a variety of perspectives. So I'd like to 17 pose these questions in that area first to Barbara Franklin, 18 then Rodg Cohen, and then Dennis Johnson. And those are, 19 what are the improvements we've seen in 404? What are the 20 source of those improvements? What are the countervailing 21 costs? How do you see the balance of the benefits and the 22 cost? 23 We start with you, Ms. Franklin. You need to turn 24 your mic on. 25 MS. FRANKLIN: Thank you. I would like to first 1 thank the SEC and the PCAOB for holding this roundtable again 2 this year. Last year's was very productive, and so was the 3 guidance that emanated from it, and I assume that will happen 4 this time, too. 5 To answer your question, to begin to answer, of 6 course I speak as an audit committee chairman and member. I 7 think the second year implementation of AS-2 has been 8 smoother and in general, control systems are more effective. 9 Fewer material weaknesses have been noted. And presumably, 10 that does mean stronger reliability of financial statements. 11 But there are ongoing costs, and the balance 12 between costs and benefits has improved, but it still isn't 13 quite right. On the benefits side, hard to quantify, but 14 what I've noted about management is, that there's been a 15 change in mindset from a semi-crisis to a more steady state 16 ongoing effort. There's more understanding of the function 17 and importance of controls, more ownership of them throughout 18 management, not just the financial side. 19 There have been some efficiencies. Deferred 20 maintenance has been taken care of. One caveat, though, is 21 small companies. I think there's some guidance that is 22 really needed there. 23 With respect to auditors on the benefit side, I 24 think they have done better with respect to risk, risk-based 25 approach, more reliance on the work of others and just a 1 little less nervous. But I still think that there is still a 2 lot of sticking to the literal wording of the standard with 3 good reason, fear of litigation, of the memory of Arthur 4 Andersen, what the PCAOB inspections might turn up, all of 5 that. 6 And then with respect to audit committees, I think 7 audit committees now are more engaged. From the beginning, 8 the planning of the scoping of the process to the final 9 opinions and the oversight that has to go on in between. 10 On the cost side, there are these surveys that 11 we'll I'm sure hear about later. And in every one of them, 12 the cost has gone down. There is not agreement about how 13 much the cost has gone down, and generally I think there's 14 still the view that the costs are still a little bit too out 15 of line. 16 I think with respect to management on the cost 17 side, it was very hard to predict what the second year was 18 going to be like. So maybe the estimates early on were not 19 quite accurate, and there is an ongoing cost to maintaining 20 and testing controls. 21 With respect to auditors, I've said I think there 22 is an issue there about the overdoing some kinds of testing 23 because of the literal interpretation of the standards, and 24 about audit committees, we spend more time on this, but, hey, 25 that goes with the territory. 1 So I think there's still more work to be done to 2 balance the costs and the benefits, and it's really important 3 to get this right, because you don't want to create an undue 4 regulatory burden. You don't want to discourage companies 5 from our capital markets, and you don't want to do anything 6 to diminish the entrepreneurial risk-based culture that has 7 made this U.S. economy what it is today. 8 I've got two quick comments to throw in, and then I 9 will stop. I think it's now time to amend the standard. And 10 literally take the guidance that you put forth last year and 11 put it into the wording of the standard, and that will 12 empower auditors in a way that they don't feel empowered to 13 make judgment right now. 14 Second thing would be to give -- SEC would have to 15 do this -- give guidance to managements about their role 16 here, and particularly to small companies. 17 MR. WHITE: Thank you. Mr. Cohen, do you want to 18 give us your insights? 19 MR. COHEN: Thank you very much. And again, I 20 would echo Barbara's comments, how positive it is that the 21 Commission and the PCAOB are doing this. 22 At the risk of apostasy, I really do believe that 23 there are significant benefits from 404. You have it at the 24 individual company level where companies have discovered 25 problems before they became far more serious. You have it in 1 the capital markets because there is greater confidence in 2 the capital markets. And something I spend a lot of time 3 doing, which is consolidation, you have a major benefit, 4 because there is greater reliability. 5 So the effort really needs to be on balancing the 6 burdens, the costs, against those benefits to make the 7 equation work. 8 I do think it's fair to say that the burdens have 9 declined in the second year based on what we are hearing from 10 clients. To some extent, that is a function of experience. 11 I think to an extent maybe not fully realized, it is a 12 function of the guidance which the Commission did provide 13 last year. 14 But I think when you try and measure the benefits 15 and the burdens, in addition to the costs, which presumably 16 can be quantifiable, there is a more qualitative cost, and 17 that remains the continuing very conservative environment in 18 the accounting profession with respect to the internal 19 controls procedure. 20 We are seeing and continue to see almost a direct 21 correlation between a failure to apply a complex accounting 22 standard, FAS-133 is probably the best example, to a 23 restatement to a material weakness. That line seems to be 24 almost inevitable. Likewise, error seems to correlate 25 directly to a significant deficiency. 1 Further guidance from the Commission would be very 2 helpful in trying to lighten that environment, and if the 3 environment is made easier, then costs will go down. 4 Thank you. 5 MR. WHITE: Thank you. Mr. Johnson, can you give 6 us your perspective, I guess I would say an investor 7 perspective, from CALPERS? 8 MR. JOHNSON: Yes, from CALPERS' perspective, we 9 believe the second year has been a positive. The benefits 10 are several. Number one, there's been improvements in 11 disclosure, and we believe that's very positive for 12 investors. 13 Secondly, you may be familiar with our focus list 14 initiative at CALPERS. And as we have engaged companies 15 through this initiative, focusing specifically on the audit 16 committee, we have determined that the members of the audit 17 committee are of better quality, they're far more engaged, 18 and there's better planning that seems to be taking place at 19 the board level. 20 Also as a result of our focus list initiative, 21 there have been fewer concerns around internal control 22 weaknesses in the last 12 months versus previous periods. 23 And then last, I would just point to a study that 24 was published recently by Lord and Benoit that talked about 25 companies without internal control problems outperforming 1 companies with internal control problems since the 2 implementation of SOX 404. So we look at these as being 3 examples of the benefits of the second year of 4 implementation. 5 In terms of cost, we would note two. Number one 6 being the increase in audit expenses. And then secondly, we 7 note a Wall Street Journal article that was published 8 recently that talked about the perceived cost related to 90 9 percent of the non-U.S. IPOs occurring outside of the United 10 States, and so therefore a perception of market opportunity 11 or investment opportunity being lost. 12 But in summary, we view the benefits as being 13 positive. We believe as a result of the second year of 14 implementation here, market integrity continues to improve. 15 Investor confidence continues to rise, and these two 16 characteristics are very vital for an institution like 17 CALPERS in order for us to be fiduciaries and make the 18 benefit payments to our 1.4 million members. 19 Thank you. 20 MR. WHITE: Thank you. I guess I'd like actually 21 to move to our second topic, which is to try to get an 22 understanding of the second year experience under 404 23 compared to the first year experience. And I guess I'd like 24 to approach that from -- hear from that from the perspective 25 of management, the independent auditor and the board of 1 directors. 2 So I'm going to pose -- at least start my questions 3 with Phil Ameen, Ed Nusbaum and Mary Bush. And the questions 4 really are, how did the second year of assessing, reporting 5 and auditing differ from the first? Were there changes? Are 6 there other changes that you would like to see? And I guess 7 if possible, I'd particularly like you to address whether 8 companies and auditors were successful in your view in 9 implementing the guidance that the SEC and the PCAOB issued 10 last May right after the first roundtable. 11 So, Mr. Ameen, can you give us the GE perspective? 12 MR. AMEEN: I'm not sure I'm speaking for all of 13 GE, but I'll be happy to share what I can on that from that 14 angle. First of all, thank you for the opportunity to be 15 here today and to share the views. 16 We were not at GE actually in our second year in 17 2005. We started implementation and documentation in 2003, 18 and therefore, when we went into the 2004 period with which 19 I'm going to give you the comparisons, we already had a 20 pretty good set of documentation. So our cost and hours data 21 are probably not typical of what you'd see. But I'd say they 22 are typical of implementation of a complex undertaking, which 23 this certainly was. 24 We said last year that our total costs of 404 25 approximated $33 million, and they ran about the same in 1 2005. We did in probably acknowledgement of Commissioner 2 Glassman's observation that no company should have 40,000 3 significant controls, we managed to restrict that number to 4 38,000 that were tested. 5 And I think in sort of sitting back and looking at 6 the overall conclusions that we can reach, one, we're 7 certainly more focused on controls, both in our underlying 8 operations and in operations that we're assessing for 9 acquisition. 10 Two, we are more sophisticated in those 11 assessments, and we're more targeted in analyzing and 12 assessing the controls that are important to our reporting 13 process. 14 And thirdly, we have a common vocabulary for 15 talking about the controls. So, overall, on balance, I think 16 the management team, the board of directors and people down 17 in the trenches actually doing the testing are favorably 18 impressed with the progress that's been made in the second 19 year of 404. 20 MR. WHITE: Okay. Mr. Nusbaum? From the auditor 21 perspective. 22 MR. NUSBAUM: Thank you. Well, first of all, the 23 first observation from an auditor perspective is that the -- 24 in the second year, management's documentation was much 25 better. It had already existed. It was refined and 1 improved. Some of the bugs in the software were gotten out, 2 and companies did a much better job in the second year, a 3 much more efficient job in documenting their controls. 4 From our perspective as auditors at Grant Thornton, 5 I think at all the firms, we truly embraced some of the 6 concepts that came out of last May's discussion. We 7 conducted integrated audits where we combined the testing for 8 internal controls with the substantive testing, which made us 9 more efficient, certainly reduced redundancies, duplicative 10 questions and processes and testing, which made our clients 11 happier. 12 It also allowed us to place reliance on those 13 controls, which made us more efficient. And we took a risk- 14 based approach, a very top-down approach to make our audits 15 effective and efficient. 16 So I believe one of your specific questions was, 17 was the guidance last year helpful, and did we succeed in 18 implementing it? I think as a profession and certainly our 19 firm found the guidance extremely helpful, and I believe we 20 did succeed in implementing it in many different ways. 21 The principles of AS-2, which some have suggested 22 mending, I think Barbara mentioned that, clearly the 23 underlying principles of AS-2 I believe work. And while one 24 could debate some of the specifics, the principles should be 25 kept. 1 Having said that, I think we do need more guidance 2 on internal controls, whether it comes from the SEC or 3 whoever it comes from, it should be in my view very 4 principle-based guidance, principle-based standards, and then 5 specific guidance should come from a panel or a consortium of 6 relevant interests, including corporations, preparers, 7 preferably from the FEI or other groups, from investor 8 groups, whether it's CALPERS or others, and from of course 9 the auditors. And then also with strong representation from 10 the SEC, the PCAOB and maybe any other regulators. 11 That kind of real, practical guidance that would be 12 based on examples and case studies would allow us to use 13 judgment, and allow companies to use judgment, but provide 14 better guidance on the definition of material weaknesses, 15 significant deficiencies, which I think would make us more 16 efficient going forward, particularly benefit smaller 17 companies, as Chairman Gradison talked about, which we're 18 particularly concerned about and making it as easy as 19 possible for those companies to be able to enact the rules. 20 I think that Chairman Cox and Mr. Johnson have 21 talked about the benefits to the investors and so forth, but 22 we could continue to make the process better from an 23 auditor's standpoint by looking at best practices in the 24 audits of 404 going forward. 25 MR. RAY: Excuse me, Ed. I have a short follow-up 1 question on a remark you made just a moment ago. You gave a 2 very positive report on your implementation of the May 16th 3 guidance from last year. Do you think you fully implemented 4 that guidance, or if not, how many more -- how much more time 5 do you think it will be for auditors to really get most of 6 the, or all of the efficiencies that the Board had intended 7 when issuing that May 16th guidance? 8 MR. NUSBAUM: Thank you, Tom. It's an excellent 9 question because -- and I know you were once an auditor -- 10 the process for the audit really evolves over time. And as 11 with all the big firms, it takes us time to modify our 12 approaches, modify our software, and it's really an 13 evolution. There's no finish line on any of these endeavors. 14 As soon as the May rules and May guidance came out, 15 we embarked on a process and issued guidance by August, 16 revising our computerized audit tools, our software, and 17 providing guidance to all of our people in August of 2005. 18 Having said that, I think that further 19 modifications in our case and in all the firms can be made to 20 implement that guidance, and particularly by looking at best 21 practices. The PCAOB can identify, and I know through the 22 inspection process this year will look at further 23 efficiencies we can adopt, because they see all the reports, 24 and they see the underbellies of every firm. So they can 25 help us provide best practices. 1 And I think the accounting firms have already begun 2 discussing how we can work together better, and we need to 3 work together better to identify best practices and figure 4 out how we can further implement this guidance. 5 I don't think we're complete on this at all. I 6 think it is a multiyear. I think we've accomplished it. 7 Some will happen next year, and some will even happen in 8 future years. 9 MR. WHITE: Okay. Ms. Bush, can we get the board 10 of directors' perspective? 11 MS. BUSH: Yes, certainly. 12 MR. WHITE: You need to turn your mic on. 13 MS. BUSH: Yes. Thank you. I think there were 14 changes from year one to year two, in many ways some internal 15 to the companies, some from the outside auditors, and some in 16 the ways in which those bodies interact with each other. 17 I think that managements overall are taking more 18 responsibility, more personal responsibility for controls, 19 rather than simply leaving it to the internal auditors. 20 Internal auditors are in many cases I think pushing 21 managements to take more responsibility. 22 Managements are beginning to integrate the control 23 process into their everyday operations, into the work 24 processes. And this in many ways can be a benefit to the 25 company to its operations. So, in some ways, what one might 1 say is that we're experiencing sort of a cultural change 2 within companies in terms of the emphasis that they're 3 placing on controls. 4 Secondly, I think that -- or certainly the internal 5 audit departments with which I deal, are placing much more 6 emphasis on designing controls as a method of prevention of 7 problems as opposed to detecting problems after the fact. 8 This is also a good thing when it comes to financial 9 reporting and when it comes to safeguarding shareholder 10 assets. 11 Also, independence was an issue with the outside 12 auditors. In many cases in year one, many firms felt that 13 they could not engage with the company or advise them, shall 14 we say, on finding the best approach to financial reporting 15 on whatever the specific accounting matter might have been. 16 I find a mix of experiences there. I find that 17 some outside audit firms are engaging more if they do not 18 feel that they are sacrificing their independence by advising 19 companies when they're trying to choose the best method for 20 accounting for transactions or whatever. I find, on the 21 other hand, I hear comments that some still refuse to engage 22 in talking with the auditors with the financial management 23 early on regarding methodologies. And that I think is a 24 problem. 25 I believe that in the guidance last year, which I 1 also compliment both bodies on, that outside auditors were 2 encouraged to engage more with financial management on how 3 they would account for certain transactions and the like 4 early on rather than after the fact. 5 The checklist approach is still an issue, I think. 6 And what I mean by that is that there still seems to be as 7 much emphasis placed on low level controls, low level process 8 controls, as there in on controls that really have a risk for 9 incorrect financial reporting. That is an issue that I think 10 needs additional attention. 11 And as for guidance, I think there is still room 12 very definitely for guidance, and that that guidance, one of 13 the areas on which I would focus if I were doing it, is on 14 giving guidance with regard to what is truly important in 15 terms of misreporting on financial statements, and this goes 16 back to the issue of that there are areas where there is 17 extraordinary risk for accurate financial reporting, and that 18 there are areas where there is almost no risk at all. And if 19 some guidance could be given to managements as well as to the 20 accounting profession with regard to that issue, I think that 21 it would be very helpful. 22 MR. WHITE: Okay. Thank you. Before we move to 23 the cost issue, Mr. DiPiazza, you have another comment on the 24 first year versus the second year from the auditor 25 perspective? 1 MR. DiPIAZZA: Thank you, John. I just thought it 2 would be helpful to maybe put a few more facts out there that 3 -- and I agree with the comments that Dennis, Mary and Ed 4 have all made. 5 The chairman said that -- he said that we were down 6 from 16 percent material weaknesses, adverse opinions a year 7 ago, now to 7 percent. Over 75 percent of the companies that 8 had material weaknesses a year ago have found those 9 remediated and are not repeating. 10 When you begin to look inside the control 11 atmosphere and the activity inside companies, there's some 12 very clear things that have happened, and we like to think 13 that they are the result of 404 focus. Standardizing 14 processes, eliminating redundant controls, integrating far- 15 flung activities around the world. Bringing new employees 16 quickly into the control environment versus not doing that. 17 A lot of these things were things that were pointed 18 out in the first time through in 404 and clearly have 19 affected the way companies are behaving. And we think the 20 regime of management certification and auditor testing has 21 created that. 22 A couple of more facts. The key controls and all 23 the surveys we're going to talk about, we'll probably talk 24 about cost. But those surveys also did some other things, 25 and I'm not sure which one, whether it was the FEI or the 1 Internal Auditor Survey, but it said that key controls are 2 now down 20, 25 percent from where they were a year ago. So 3 there clearly has been a change in the way key controls are 4 being looked at. 5 So what you are seeing are some pretty clear 6 changes in behavior. The May 16th guidance has clearly had 7 an impact in the way we behave, and I think the way the 8 companies, the standards in which they're holding their 9 auditors, but there's more to come, especially along the 10 lines of reliance. 11 As management and companies become more confident 12 and more independence in their testing, we'll be able to test 13 fewer controls as well. 14 MR. WHITE: Okay. Thank you. So I would like now 15 to turn to cost, which we have heard a lot about. And when 16 I'm talking about costs, I mean costs incurred by companies 17 in complying with 404. 18 There are two studies out there, and I would like 19 Ms. Cunningham and Mr. DiPiazza to talk about the two 20 studies. And then I guess I would like then to go to Mr. 21 Davis to give us the Chamber of Commerce's view on costs, but 22 why don't we start with Ms. Cunningham and the FEI study? 23 MS. CUNNINGHAM: Thank you. And thank you for 24 having us again this year. 25 A little bit about our study. We've done them 1 since 2003. Our last survey that we've done was in March of 2 2005. We did do a survey recently in March 2006 where we 3 asked our members' registrants to answer questions regarding 4 404 and their year two implementation efforts. 5 We had 274 companies respond, of which 238 were 6 accelerated filers. I think before I get into the specifics 7 of the results of our survey, I think, you know, it's 8 important to state that all of the surveys that have been 9 done recently note some -- there are a lot of similarities. 10 They all note similar benefits. 11 For example, in our survey, 56 percent of the 12 respondents stated that there's greater investor confidence 13 in the financial reporting. Forty-four percent felt that the 14 financial reports were more reliable. Thirty-eight percent 15 felt that they were more accurate, and 33 percent felt that 16 404 helped prevent or detect fraud. 17 And as one of the sponsoring organizations of COSO, 18 we've long supported the position that effective internal 19 controls are vital to the integrity of financial reporting. 20 That said, on the cost side, we still hear from our 21 members, and it's evidenced in the survey results, that the 22 costs still far outweigh the benefits. In fact, in our 23 survey, 85 percent of the respondents believe that the cost 24 outweigh the benefits. And this compares to 94 percent who 25 responded that way last year. 1 So it has come down a bit, and I will say we did 2 bifurcate our results based on size of companies. And I 3 think the large companies view it more favorably than the 4 smaller companies for good reason. 5 On the cost side, the respondents in our March '06 6 survey reported that their costs have come down about 16.3 7 percent compared with last year. The bulk of that was 8 internal time that they spent -- I'm sorry, it was the use of 9 external consultants and audit fees. the internal time that 10 staff spent did not go down as much as companies anticipated. 11 I think part of that is the consultant work moved to internal 12 resources. 13 On the audit fee side, our members responded that 14 audit fees declined about 13 percent, not as much as we 15 anticipated, but I think a piece of that relates to the 16 supply and demand issue associated with the resources needed 17 in the audit firms and the salaries that are now required to 18 be paid to maintain those resources. And clearly, 404 added 19 a lot of work to the auditors' staff. So, therefore, they 20 needed to make sure they retained staff. And also I think 21 the practice protection costs have also gone up, which caused 22 the audit fees to go up. 23 I think, you know, there has been discrepancies, a 24 lot of discussion about the discrepancy and the amount of 25 decline between the various surveys, and I think the point 1 here is that they did go down. Most surveys' respondents 2 state that they just didn't go down as much as we 3 anticipated, but I think that can be kind of explained. 4 Also, I should point out that because it's an 5 integrated audit, it might have been difficult for the 6 respondents to identify the pieces that relate to 404 versus 7 the financial statement audit. So studies that have been 8 done related to the overall audit fees based on proxies will 9 note that they've stayed relatively flat when you include 10 both the financial statements and the 404 audits. 11 MR. WHITE: Okay. I guess the other survey, Mr. 12 DiPiazza, is the one that was done, I guess commissioned by 13 the Big Four. And if you could comment on that one, that 14 would be useful. 15 MR. DiPIAZZA: I'm very happy to. And I agree with 16 Colleen. The surveys are all taking sort of a different 17 direction in terms of methodology and where they're coming 18 from. I mean, NASDAQ did a survey. The Institute of 19 Internal Auditors did a survey. And I think it's fair to say 20 that the averages are coming out where costs are down 21 somewhere between 15 and 25 percent. 22 Our survey, we looked at both small companies, 23 large companies. We looked at -- and it was done by CRA. It 24 was an independent survey. We basically gave them access to 25 information and let them accumulate it. The total cost for 1 large companies were down in the 40 percent range, and that 2 included external use of consultants and costing of internal 3 resources and auditor costs as well. And the specific 4 auditor cost for large companies went down about 20 percent. 5 Small companies, the cost went down a bit less, 30 percent in 6 total and 20 percent from the auditor's side. 7 So there is in fact, as I think everyone will say, 8 a scalability issue a bit with the smaller companies. The 9 reasons, and we probed to find out where is coming down, 10 where are we seeing the differences, and they're the obvious 11 ones. 12 Documentation, big savings in documentation. I do 13 think the risk-based approach and the reliance on management 14 testing had a big impact. Integrating the audit does provide 15 advantages, but it makes it a little more difficult, as 16 Colleen said, to figure out what really is the long-term 17 effect. 18 There's a learning curve going on. We don't think 19 in the profession that we're done yet by any means in 20 becoming more efficient. But I do think we would say that 21 the curve is not going to stay at the current rate, because 22 we are now reaching, over the next year or two, we will be 23 reaching what we hope a more steady state as we look at this. 24 MR. WHITE: Mr. Davis from the Chamber of Commerce 25 perspective. 1 MR. DAVIS: In a nutshell, the costs are too high. 2 But -- 3 MR. WHITE: How did I know that was coming? 4 MR. DAVIS: I'll be happy to elaborate a little 5 bit. I think the -- I think it's been a very healthy 6 dialogue. I appreciate the SEC and the PCAOB having us here 7 again this year. I do think the guidance that came out a 8 year ago as a result of that roundtable was helpful. Cost 9 improvements have been made. I do think shareholder 10 confidence is up. So, a lot of the original intents of 11 Sarbanes-Oxley have been achieved. 12 But the cost improvements that have been made to 13 date, particularly around 404, are nowhere near dramatic 14 enough. And I would tend to agree with Barbara's comments 15 about the only way that you could really propel that is to 16 amend or revise AS-2 and potentially have some guidance from 17 the SEC come out to management. 18 Because I think one of the things you're seeing 19 right now, too, is there's a lot of variance in practice. So 20 even if the Big Four may have, you know, one set of practices 21 they're trying to proliferate a lot of times I think -- at 22 least I hear anecdotally, there will be variances by local 23 offices. 24 And it's just that despite Ed's comment about 25 everybody wants to be principle-based and rule-based, until 1 AS-2 is revised, you keep going back to AS-2, and management 2 doesn't really have their version of AS-2, as the chairman 3 said. 4 So I think in this risk-adverse environment, as 5 Mary said, we're just continuing to test too many lower level 6 controls that are really to some degree missing the forest 7 for the trees. 8 And I think the only thing that the Chamber 9 specifically highlighted, which hasn't been addressed here, 10 is that I do also think there are a lot of soft costs 11 involved. There's a lot of time being spent by boards and 12 senior management, which I would probably argue, you know, 13 the audit committees, that's their job. That's the CFO's job 14 and the controller's job, but are we spending a 15 disproportionate amount of time having management so focused 16 on value protection that they're not creating value? I mean, 17 clearly, a few years ago the pendulum was way too far toward 18 value creation. It's now potentially, you know, in the other 19 direction. 20 And then the final thing that I will mention of the 21 Chamber that we brought up in the letter is that one of the 22 other things, too, I think in the risk-adverse environment is 23 there's been a big increase in restatements, that I think 24 most of the time if you actually look at what's driving the 25 restatements, most investors are, I think to some degree, 1 mystified as to the rationale or the reason for doing it. 2 And I tend to think that could be, while we're 3 trying to increase investor confidence with these control 4 opinions, having less judgment than you would expect by 5 auditors and management and being risk-adverse and doing 6 restatements, I think has a countervailing impact which is 7 not positive. 8 MR. WHITE: You had another question, Tom? 9 MR. RAY: Yes. I have a short follow-up question 10 for Mr. DiPiazza, and I think perhaps Mr. Nusbaum and maybe 11 others also might have a view on this point. In the CRA 12 survey, it does show a fairly substantial reduction in the 13 audit fees associated with 404. But on the other hand, other 14 increases in audit fees pretty much make up the difference, 15 so we had a fairly steady overall audit fee cost from year to 16 year. I wonder if you could comment on the reasons for those 17 other audit fee increases? 18 MR. DiPIAZZA: Happy to, Tom. There's no question 19 that the integrated audit, the financial audit, has a scope 20 increase going on. That's coming from demands from audit 21 committees and boards, and frankly, from our own sense of 22 responsibility of what proper coverage is for auditing. 23 So there's clearly scope that has been increased in 24 the pure financial audit. But there are other things. 25 They're the incorporation of new standards, changed standards 1 that we are having to deal with. There's more focus on the 2 detection of fraud, more involvement of forensics that we 3 three years ago didn't have as much as we have today. 4 There are changes going on inside the systems of 5 company, frankly, in part because of 404, where there's more 6 integration happening. There's the systems adjustments or 7 process adjustments as a result of 404, which means the basic 8 audit process is adapting to those things. 9 Over time, that ought to mitigate or reduce the 10 audit fee, but in a year of change, you've got to deal with 11 it. Transactions, a pick up in the transaction environment 12 over the last year, clearly meant that there were more audit 13 fees going on. 14 So, you know, from our perspective, it's a 15 balancing factor. Now we do think that after this year you 16 will see that mitigated as well. But this was another year 17 of change for increase in scope in the audit process. 18 MR. WHITE: Ms. Bush? 19 MS. BUSH: Yes. Thank you. I of course haven't 20 done surveys on costs. My information is anecdotal from the 21 companies where I serve on the boards and from others from 22 whom I talk who are on boards or who are on audit staffs. 23 But from that anecdotal evidence, there seems to be 24 a good deal of differentiation with regard to the cost 25 reductions that we have experienced, and that a lot more, 1 significantly more, of those cost reductions are coming from 2 inside the companies because there is less need for 3 documentation because a lot of what is needed was put in 4 place in the first year. 5 But that the cost reductions in terms of the 6 outside auditors are much, much lower. 7 MR. WHITE: Mr. Cohen? 8 MR. COHEN: Thank you, John. Chairman Cox I 9 thought raised a key question which has been commented on 10 briefly by several panelists and then made a key statement, 11 and I'd like to be presumptuous to try and bring those two 12 together. 13 The question was whether there should be some form 14 of standards or additional guidance for management. And the 15 statement was the distinction which needs to be drawn between 16 the role of management and the role of the outside auditors. 17 At the beginning, it was inevitable that the 18 process would involve duplication, that the outside auditors 19 would almost necessarily have to be highly intrusive and very 20 comprehensive. 21 One great virtue of having standards or guidance 22 for management would be to be able to draw that distinction 23 between the role management in the process and the role of 24 the outside accountants. And I think the bottom line of that 25 would be, once everybody recognizes the respective roles, 1 would be a reduction in costs. 2 MR. WHITE: Well, I guess that will actually leads 3 into our fourth topic, which is management assessment. I 4 think my principal question here was to get a view on the 5 need for guidance or not the need for guidance in the 6 management assessment area. 7 I think we've heard that expressed by several of 8 the panelists already. I don't know, does anyone else -- 9 would anyone else like to comment on the need for management 10 guidance? Mr. Nusbaum? 11 MR. NUSBAUM: Thank you. There were some comments 12 earlier about the need for guidance for management, but I 13 just want to caution that -- and I believe that that's 14 necessary, but that guidance, just to clarify my point about 15 principle-based, the overall guidance and standards should be 16 principle-based, whether they come from the SEC or others. 17 But the implementation really needs real life 18 examples and practical guidance that can be used on a day-to- 19 day basis by management and also used by the auditors and the 20 audit committee as they deal with real life situations. 21 And whether it's through a panel, as I mentioned 22 earlier, or through some other means, what we need is, is not 23 just a set of rules issued, but some examples and practical 24 guidance with real life examples that will make life easier 25 for management, and frankly, easier for the auditors as well. 1 MR. WHITE: Ms. Cunningham? 2 MS. CUNNINGHAM: Yeah. I know you said not to echo 3 would previous speakers said, but I think Ed's right. I 4 guess when I hear guidance, I get worried that we're going to 5 get another standard that will, you know, box management in 6 to some degree. 7 And I think it's very, very important. Every 8 company is run differently. Every company gets comfortable 9 with their internal controls perhaps in a different way. And 10 I think we need to make sure that it is principles-based and 11 the guidance focuses on, you know, the clarification of maybe 12 key terms and definitions, and clarify that management is not 13 expected to follow the same rules that the auditors are 14 required to do. 15 MR. WHITE: Boy, I'm almost afraid I asked this 16 question. 17 MR. DiPIAZZA: Actually, John, I wanted to be sure 18 that -- we are talking about management guidance, but there's 19 guidance that we need in the profession as well in AS-2. 20 And, frankly, that's what I wanted to make a comment on. 21 There's several areas, and I think someone earlier 22 actually made the reference to it. Restatements are a 23 problem. When a deficiency, first evaluating a deficiency 24 and the extent of a deficiency is hard enough. But then when 25 you have a situation where deficiencies are a strong 1 indicator, restatement is a strong indicator of a material 2 weakness and vice versa, then you've got very serious issues 3 about how a restatement, when a restatement leads to a 4 material weakness and an adverse opinion. And if there is 5 anything that's creating enormous stress in the system, it's 6 sitting right there. 7 You know, from the profession's viewpoint, every 8 restatement doesn't mean you have a material weakness. But 9 there is a default assumption that that's what you've got. 10 So we're going to need some help there. 11 We probably also need help with materiality. The 12 interim materiality, how it's judged, what are the impacts on 13 known errors, known misstatements on the interim basis versus 14 something that's not a known misstatement but a problem on an 15 interim basis. Those are things that we need some help with 16 in AS-2. I don't think you have to reopen AS-2 to do it, and 17 we can talk -- I know you'll get to that in a second. 18 We actually think that AS-2, the May 16th guidance 19 of last year has already been incorporated in our policies 20 and procedures. You're not going to get a big bang by 21 incorporating them into AS-2, because we're already treating 22 them as if they're part of the standard. 23 But I do think there are some things we need to -- 24 we need some help with. 25 MR. WHITE: Ms. Franklin? 1 MS. FRANKLIN: A footnote. I was going to raise 2 what Sam did about the materiality definition and those -- 3 I've had a bee in my bonnet about the definitions of 4 significant deficiency and material weakness for a long time 5 in the standard, that there ought to be some better way to 6 articulate what we're trying to do and to bring materiality 7 back. 8 With respect to the management guidance, where I 9 was really going with that is to emphasize that this would be 10 a way for the SEC to help with the small company dilemma 11 rather than granting a blanket exemption of some kind that 12 would hit 70 or 80 percent of micro small cap companies. I 13 think that's the way to handle that particular problem. 14 But the SEC I believe is the only one who can do 15 that. The Board cannot. 16 MR. WHITE: Okay. We're going to move in a moment 17 here to the audit experience side of this, but, Mr. Ameen, do 18 you have one more comment on the management side? 19 MR. AMEEN: Just a couple of observations. First 20 on the relationship between a restatement and a material 21 weakness. It seemed to us when we ran into our FAS-133 22 circumstance that the relationship between the two is almost 23 axiomatic and very difficult to escape, that having a 24 material error in financial statements that needed to be 25 corrected was evidence, prima facie, and almost irrefutable, 1 that there was a material weakness. 2 In fact, by the time we reported the restatement, 3 we had corrected the weakness, although it was nine months 4 later before our auditors could acknowledge that fact, itself 5 a problem. 6 But it doesn't seem to be a problem to me to relate 7 the two so long as -- and I think that ought to be 8 acknowledged. 9 Secondly, I have some concerns about standard 10 setting through examples, if case studies become the way that 11 we communicate the interpretations. The internal control 12 environments and the decisions that are made about what are 13 significant controls and significant weaknesses are very 14 complex and very specific to individual companies. I would 15 be concerned that we'd be able to capture that complexity in 16 a case study environment, and therefore I'd caution against 17 that approach. 18 MR. WHITE: Okay. So why don't we move to the 19 audit experience in the second year. Professor Grundfest, 20 you have been extraordinarily patient. So I think I'm going 21 to ask you a few questions. 22 MR. GRUNDFEST: It's early in the morning 23 California time. 24 MR. WHITE: Ah. I knew there was something. I'd 25 actually like to ask you about the PCAOB inspection process 1 and its effect on the audits of internal control. And there 2 have been a number of comments about that in different 3 places, and there was certainly the recent statement I guess 4 on May 1st that the PCAOB put out on how the inspection 5 process was going to be conducted in 2006. And I know you 6 have some thoughts on this, so I'll -- 7 MR. GRUNDFEST: Thank you very much, John. And I 8 think the inspection process is really going to be central to 9 the future of the operation of 404 because it is through the 10 inspection process that the audit firms are going to get very 11 clear messages from their proximate supervising body as to 12 whether they've gone too far in terms of the procedures that 13 they're following, whether they haven't gone far enough, and 14 too sloppy on the 404 front, or whether, in Goldilocks' 15 terms, you've got it just about right. All right. 16 For perfectly understandable reasons, society and 17 regulators don't have the greatest credibility when the 18 companies being audited complain about the audit process. 19 The greatest credibility in terms of being able to signal 20 that the process has gone too far will likely come from the 21 PCAOB and the inspections there. 22 Now, in that context, I think it's very important 23 for the PCAOB and the profession to understand that there are 24 some structural features of this process that push it towards 25 hyper aggressive enforcement of the 404 standards. And it 1 may be useful to take a step back and to understand that the 2 audit profession is not unique in this regard. 3 The phenomenon of defensive medicine is something 4 that all of us are aware of. We all know that the medical 5 profession is subject to great litigation pressure, and if, 6 for example, you're an oncologist, one of your great fears is 7 being sued because of the failure to diagnose lawsuit, a 8 diagnose situation. 9 So it is a natural tendency in the medical 10 profession to prescribe tests that you typically would not 11 prescribe but for the possibility of litigation. And then 12 there's some other incentives around the testing environment. 13 For example, the cost of the test is not borne by the 14 physician that prescribes the test. 15 Prescribing the test gives a benefit to the 16 physician because it reduces the probability that there will 17 be litigation against them. And in many situations, the 18 physician makes more money because they're also applying the 19 test. 20 If we have a look at the predicament that the audit 21 profession has been subject to, it's almost a direct parallel 22 to the situation we find in the medical profession where the 23 same natural economic forces push people with good intentions 24 to engage in hyper aggressive enforcement, and in the medical 25 context, to start applying controls that really are 1 suboptimal because of external social pressures. 2 We've got exactly the same situation at work here, 3 and in order to solve that situation, I really do think we 4 need, you know, a two-bullet approach. Number one, we've 5 been talking about strong improvement of the inspection 6 process. But I also think we need to change the substance of 7 what it is that's being inspected against. 8 Several of my colleagues have already mentioned the 9 importance of the term "materiality" and the role that the 10 phrase "significant deficiency" plays in the analysis of the 11 process. 12 Yes, we're all supposed to look for material 13 weaknesses, but the standard also cautions us that an 14 accumulation of a sufficient number of significant 15 deficiencies can itself constitute a material weakness. So 16 let's, as one of my colleagues likes to say, dilate on the 17 definition of the term "significant deficiency." 18 If you stop and think about it for a moment, it 19 makes your head spin, all right, because go back, read AS-2, 20 and it says that a significant deficiency will kick in -- and 21 here I paraphrase -- where you have more than a remote 22 probability of a more than inconsequential misstatement. 23 All right. Grab your breath and let's try to 24 quantify what these words mean, okay? Rough rule of thumb, 25 all right. And I know SAB-99, there's all sorts of other 1 literature that says, Joe, you can't make it this simple, but 2 let's make it real simple. 3 Materiality. If you've got a number that's at 5 4 percent of the revenues, you're at materiality, okay. That's 5 a common rule of thumb, okay. All right. I've even got the 6 auditors shaking their head, I'm with you. 7 MR. GRUNDFEST: You've got literature generated by 8 the audit profession itself saying that you are not 9 inconsequential if you are at less than 20 percent of the 10 materiality standard. Right, guys? Okay. Twenty percent of 11 5 percent. If somebody will correct my math, that's 1 12 percent, okay? 13 Then we're talking about a more than remote 14 probability of a more than inconsequential misstatement. 15 What does the word "remote" mean? Now the profession and the 16 PCAOB have been orthodox in taking the position that we're 17 not going to put a number to the word "remote." 18 Allow me to be unorthodox. Let's assume that the 19 probability is 5 percent or 10 percent. It really doesn't 20 make much of a difference. Let's say it's 5 percent. So, 21 what's the expected value of a -- of 20 percent of 5 percent 22 multiplied by 5 percent? That's five one-hundredths of one 23 percent. That's five basis points. So a very natural 24 quantification of the language contained in AS-2 drives you 25 to look at processes that have an effect of five basis 1 points. And we wonder why people are complaining about low 2 level process controls, because the very language is -- thank 3 you! 4 MR. GRUNDFEST: I was surprised it took that 5 long, Sam! 6 MR. DiPIAZZA: I really tried, Joe! 7 MR. GRUNDFEST: And you know, sure, the audit 8 standard is not supposed to look only for significant 9 deficiencies, but it's hard to ignore the language in the 10 rule itself that gives so much importance to that term. 11 MR. WHITE: I think we have to give Mr. DiPiazza a 12 response here. 13 MR. DiPIAZZA: I'm not going to go through the 14 standard because, Joe, I don't understand exactly what it 15 says, either, sometimes. But I will say, you can't do it the 16 way you just did it. 17 You can't take the multiplication of those two 18 numbers and say that is what we're measuring, because when it 19 hits, it's not five basis points. Okay? It's not. 20 That may be how you view the probability of remote. 21 But, in fact, if you have an event on a weakness in a 22 control, you are going to get bigger than that issue. 23 And so what we are looking for are places where 24 that might occur. So I just -- math is great. And I know at 25 Stanford you do a great job with it. But that's not the way 1 it actually works in the real world. 2 MR. WHITE: Mr. Nussbaum. You going to echo the 3 same thing? There are a lot of auditor comments going on up 4 here? 5 MR. NUSSBAUM: I agree, of course, with Sam. But I 6 do think we need to look at materiality. But it's not just 7 materiality over material weaknesses, as you point out, 8 Professor Grundfest. I think all of our heads are spinning 9 as a result of, not just the standard, but the various 10 interpretations of it. 11 But what we need to do is look at financial 12 statement materiality as well. Because that, as you 13 mentioned, SAM 99, does cause us to result in a significant 14 number of restatements that maybe don't need to be made, as 15 someone talked about earlier. 16 My being concerned about a financial statement 17 materiality issue when you are looking at it from a top-down, 18 risk-based approach, could result in a lot more testing than 19 needs to really be done. 20 But we are sort of stuck with that -- those 21 standards on financial statement materiality, both in the 22 guidance and SAM 99. But more importantly, in the way it is 23 being interpreted. So, I do think that there is some 24 validity to looking at materiality, but I would extend that 25 look to financial statements beyond. 1 And if I could just comment on another thing you 2 said, Professor Grundfest, and that is that the PCAOB 3 inspection process should make sure that we should do enough 4 auditing to ensure that there is good quality. And also make 5 sure that we don't over-audit so that we don't charge too 6 much. And I agree with that. And I think the inspection 7 processes here will clearly do that. 8 But I want to acknowledge that this perfect, just 9 about right, really probably is a fairy tale from Goldilocks. 10 There is so much judgment involved here in the course of an 11 audit, whether it's Grant Thornton or any other firm, that we 12 have to acknowledge that there is a range of acceptable 13 answers, and there's no single perfect answer, both in 14 management's documentation and the definition of material 15 weakness, or what the internal controls are, financial 16 statement materiality or what are the appropriate audit 17 procedures. 18 And we have to be willing to accept that auditor's 19 judgment and management's judgment in that process. 20 MR. WHITE: I see we have a few more cards up, but 21 actually, we only have about two minutes left. And I did 22 have one question that I wanted to put to Professor 23 Grundfest, on restatements. But you only have two minutes. 24 MR. GRUNDFEST: I'll take 30 seconds. On 25 restatements, there are two -- 1 MR. WHITE: Well, let me ask the question because - 2 - I told you I was going to need -- 3 MR. GRUNDFEST: You are going to get what I want to 4 say, anyway. So -- 5 MR. WHITE: The restatements went up a lot last 6 year, from 600 to 1200. And there are a lot of comments 7 about whether that was -- how that relates to 404. 8 Now say whatever you wanted to say. 9 MR. GRUNDFEST: There are two things. First, 10 let's -- so the question is, restatements, 404, what's the 11 connection. Does it prove that 404 is really working. Let's 12 divide the proposition into two parts. 13 First, let's assume that restatements are related 14 to 404. And then we are going to challenge that assumption, 15 because it's really incorrect. 16 The vast majority of restatements have no material 17 effect, if you measure materiality by stock price response. 18 This is going in, looking at a bunch of accounting issues, 19 cleaning up a bunch of accounting issues, and disclosing the 20 information to the stock market. 21 What did investors say? We could care less. 22 Well, if that's right, then what that suggests at 23 one level is that all the expenses that went into the 24 restatement process didn't lead to a restatement that was 25 material in the sense the stock market cared about. And that 1 would be consistent with the hypothesis that 404 is causing a 2 lot of wasteful expenditure that investors themselves do not 3 value, once the information is actually presented to them. 4 So, what is interesting about that argument is, if 5 you add the fact relating to stock market price response, it 6 actually is consistent with the hypothesis that 404 has gone 7 too far, and is imposing inefficient costs. 8 Now, take a step back, and say, well, gee, has 404 9 really led to all these restatements? The short answer to 10 that is, only a minority of them, if at all. 11 And there, I think Commissioner Glassman's recent 12 speech has a one-liner in it that explains -- wait a minute, 13 about half of these restatements came from companies that 14 were weren't subject to 404 requirements, anyway. So, 15 therefore, how could you say that 404 caused that? I think 16 that analysis is entirely correct. And you add that with the 17 observation that restatements have no material effect. And 18 then you get an entirely different picture of the situation. 19 MR. WHITE: It is 10:30, but the moderators have 20 made the executive decision to steal five minutes from the 21 next panel, so, Mr. Ameen? 22 MR. AMEEN: I just wanted to point out that five 23 basis points on my revenues is $75 million, about which I do 24 care. 25 MR. WHITE: Ms. Bush? 1 MS. BUSH: I would just say that the complexity of 2 the measuring or defining or figuring out significant 3 deficiencies, material weaknesses, what is really material, 4 what should cause a restatement. It's all shown up, shall we 5 say, by the conversation between Mr. Grundfest and Mr. 6 DiPiazza. 7 That, in my mind, also points out the costs, 8 because these kinds of conversations go on with companies, in 9 companies as well. Those costs also, I think, can lead to 10 less focus on the strategic and operational audits that 11 companies should be engaging in. Also, just in terms of the 12 business itself, the strategy, the operations, the business 13 to create value, as Mr. Davis alluded to earlier. 14 MR. WHITE: Okay. So, Ms. Franklin, you opened 15 this panel. We'll let you close it. 16 MS. FRANKLIN: With just a comment about 17 inspections. I think to really get the most out of the 18 inspection process, and to give feedback and guidance to the 19 auditors, they have got to be more timely. 20 I think you are all aware of the fact that there 21 were delays in when the auditors got the reports the last 22 time. And maybe that was a start-up issue, with respect to 23 the newness of the board, but I really think that that 24 process needs to be accelerated. 25 The substance of it needs to be right, but the 1 timeliness of it does, too. 2 MR. WHITE: Well, I would like to thank our 3 10 panelists. We very much appreciate your being here. We 4 are going to adjourn this panel, and the next one, which will 5 be on Management's Assessment, will resume at 10:45. 6 Thank you. 7 (A brief recess was taken.) 8 PANEL TWO - MANAGEMENT'S EVALUATION AND ASSESSMENT 9 MR. TAUB: Our first panel was very successful. We 10 certainly hope to continue the very high level of discussion 11 and discourse throughout the day. 12 This second panel is intended to focus in on 13 management's assessment process, and the evaluation work that 14 management does under 404 in order to render its opinion on 15 the effectiveness of internal controls. 16 My name is Scott Taub. I am the Acting Chief 17 Accountant at the Commission, and I will be the lead 18 moderator for this panel. 19 To my left is Laura Phillips, Deputy Chief Auditor 20 at the PCAOB. To my right is Carol Stacey. She is the Chief 21 Accountant in the Division of Corporation Finance, Office of 22 the Chief Accountant. We will be moderating this second 23 panel. 24 We have an excellent panel assembled in order to 25 have this discussion. 1 From my left to right, we have Bill Brunner, CFO, 2 Vice President and Treasurer of First Indiana Corporation, 3 and the Chairman of the ABA -- American Bankers Association, 4 have to specify which ABA -- Accounting Committee. 5 Then, Kimberly Parker Gavaletz, the Vice President 6 and Deputy of Global Sustainment at Lockheed Martin. Did I 7 get the title right? Okay. 8 Sue Gordon, Senior Vice President, 9 Corporate Controller and Chief Accounting Officer at CBS 10 Corporation, having survived the spin-off from Viacom. 11 Moving on. Keith Holmberg is the Vice President of 12 Finance and Control Processes at British Petroleum. 13 Lee Level, Corporate Vice President and Board 14 Member at Computer Sciences Corporation. He also serves on 15 several other boards of directors, and indeed, chairs audit 16 committees at some of those other boards. 17 Peter Minan, National Managing Partner of Audit at 18 KPMG, one of the Big Four firms. 19 Stephen Sherwin, is a doctor and the Chairman and 20 CEO of Cell Genesys, Inc. He also represents to some extent 21 the Biotechnology Industry Group. 22 Moving on. Dr. Albert Teplin, Audit Committee 23 Chair at Viad Corporation, and also an Audit Committee on 24 other boards of directors. 25 And, finally, Jim Turley, the Chairman and CEO of 1 Ernst & Young. 2 Thanks to all of our panelists for agreeing to be 3 here today. We look forward to a good conversation. I am not 4 going to repeat all of the rules of the road that John White 5 gave us this morning. 6 We will remind panelists, as well as commissioners 7 and board members, please turn up your tent cards and, as an 8 added reminder, once your turned-up tent card has worked, and 9 we have called on you, please turn down the tent card while 10 you speak. I understand that CNBC and MSNBC would like to 11 see everybody's faces clearly as you speak. 12 The Commission's rules require that management 13 assess, at the end of each fiscal year, the company's 14 internal controls over financial reporting and report on its 15 assessment of the effectiveness of those internal controls. 16 At last year's roundtable, several commenters 17 questioned whether management's approach to completing its 18 assessment of internal control over financial reporting was 19 appropriately top-down out, risk-based and focused. 20 Moreover, several commenters suggested that too 21 many controls and processes were documented and tested. 22 Feedback from some commenters indicated that they expected 23 that some of the cost and effort involved in documenting 24 internal controls over financial reporting did represent one- 25 time start-up costs that might not be repeated in subsequent 1 years. 2 The Commission and Board are now seeking input on 3 whether and how companies have improved the efficiency and 4 effectiveness of the process for assessing internal control 5 over financial report in the second year of compliance. 6 The Commission and Board are also soliciting views 7 about the challenges in designing a sustainable assessment 8 process that is both effective and efficient. 9 The first question I am going to first direct it at 10 Ms. Gavaletz, and then to Dr. Teplin. 11 The question is whether the guidance that the SEC 12 and PCAOB issued last May has been helpful in improving 13 management's assessment process, whether indeed the 14 management assessment was more risk-based and more focused in 15 the current year, and then perhaps a discussion of any 16 remaining challenges that you are aware of in management's 17 assessment process. 18 Ms. Gavaletz? 19 MS. GAVALETZ: Thank you for the opportunity to be 20 here today, and to be able to comment both to the PCAOB and 21 the SEC and to engage with the other panelists here. 22 I do want to say that yes, the guidance last year 23 from the May Roundtable was helpful to management but, I 24 believe, to everybody involved. I think it depended on where 25 you were in the maturation of your own internal control 1 environment, and how that was helpful to you. 2 First, for those that were very mature, I think it 3 reaffirmed the use of that top-down approach, and that risk- 4 based approach. For those that might have been just 5 inventing, it really helped them. It affected them and 6 changed them mid-course to make any corrections, maybe, to 7 further go that way. 8 And for those that were just starting, it certainly 9 helped them with a basis of how to start and get started. So 10 I think it was timely for that. 11 I think, as far as its overall effect, though, in 12 the first year, that after that guidance, it was probably 13 still just getting started being effective, because actually 14 the time of that to affect last year's activity, was probably 15 just at the tip of the iceberg as far as seeing the 16 effectiveness of that. 17 I think we'll see continued effectiveness this year 18 and as we go forward and as people mature across the curve 19 that guidance will be reaffirming. I think that was 20 illustrated by a lot of the surveys that have been commented 21 on in the first panel. 22 The Institute of Internal Auditors' survey said 23 that, in the first year, 42 percent of the chief auditor 24 surveyed believed the top-down approach was used, but in the 25 second year, 75 percent believed it. So I think that is 1 significant in itself. And so I think there is more to come. 2 The second part of the question, or processes for 3 evaluating control more risk-focused, I believe they were. 4 But of that 75 percent that said they had used more of a top- 5 down approach, there still was a perception by 58 percent of 6 that 75 percent that they saw the external auditors testing 7 things that were not, in their view -- and again I am not 8 sure how much of that was confirmed with the external 9 auditors -- based on a risk-based approach or that could 10 affect the company materially. 11 So I think some of that is some understanding, some 12 communication -- there was a lot of improvement in 13 communication across this last year, but I think there's 14 still some coming together on what is the risk-based 15 approached and top-down that needs to happen. 16 As far as what's left, I think part of our 17 challenge is staying course and keeping the faith. I look 18 back on this country, and any significant legislation, and 19 you go back all the way to the founding of the country on our 20 Constitution, our Declaration of Independence, some really 21 sound things in that first body. I think there are some very 22 sound things in the 404 on AS-2 that are there. 23 I think the other guidance and things coming out 24 are important, but I believe -- I would caution on 25 legislating, regulating too much there. I think we need to 1 really look at what are the questions being asked and satisfy 2 those questions. 3 And when people ask for guidance really understand 4 what they are asking for guidance about. In talking to 5 people getting ready for this panel, I have heard that. And 6 I have seen that in the comment letters. And I have surveyed 7 others. And what I have been hearing more, and I would like 8 to make sure we hit that a little bit, that the small company 9 side of it is definitely there. 10 But I hear some cry for relief, but I think there 11 is a lot more of a cry for how-to. And an easy way to 12 implement, which I am not sure is what the SEC and PCAOB is 13 supposed to necessarily be telling. 14 I think there are other providers for that. I think 15 they can utilize the COSO framework and hopefully the small 16 business framework that's coming out. And other providers 17 will be there to help them with some how-to's. I think that 18 is more what's being asked there. 19 I would welcome input from others. I know relief 20 would always want to be there, but I think the principles are 21 still there, and if you want to change something for the 22 small businesses, large businesses here would like to hear 23 about it as well, because I think, again, the soundness of 24 our internal controls apply to both. And I think investors 25 in small or large businesses are equally -- that's equally 1 important to both of them. So understanding and satisfying 2 the need. 3 I think the other thing that's out there for this 4 risk-based, top-down in other areas if really from the 5 management versus the external auditors. And it's kind of -- 6 well, the external auditors have this, and so it's driving 7 management. 8 I am not sure that something that is a competing or 9 leading effort won't cause us -- well, my books says this, 10 your book says that. I would rather foster the relationships 11 between the two to talk through these and work through the 12 issues than necessarily competing standards as we are going 13 forward. 14 And I do hear some standards versus informal 15 guidance. I would, again, just say go slowly in converting 16 things into standards. I think guidance -- as people have 17 said, the guidance that was issued last year has been hugely 18 helpful, as evidenced by people and their proceeding forward. 19 If we get too voluminous, if we do each year, and 20 add -- ten years from now where would we be from this. 21 I think it was important last year. I think it 22 will be important this year. And, again, I thank you for the 23 opportunity to be here. 24 MR. TAUB: Okay. Thank you. Dr. Teplin, do you 25 have anything to add on these questions? 1 DR. TEPLIN: Well, I don't know if I have something 2 entirely new to add, but I do have a different perspective. 3 I thought, first of all, to answer the question very 4 directly, the guidance last year was very helpful, 5 particularly, I believe, in reestablishing the useful 6 cooperative communication between management and the external 7 auditor. 8 There had been substantial confusion in that. And, 9 as an audit chair and audit committee member myself, I found 10 myself very much in the middle of that. And I think that the 11 guidance that was issued last year, there were a few 12 sentences in there that were extremely helpful in 13 reestablishing what has been, as we move through this 14 process, a much more efficient and better way of doing 15 things. 16 As far as going to more of a top-down, risk 17 assessment, in scoping the assessment and improving it, I 18 think that what is happening is a clear winnowing down 19 towards that. I am seeing now at least that -- I would argue 20 that 2006 is going to be the year that you are going to see 21 significant improvements. 22 Two thousand and four, we got through it. And 23 there was a lot of discomfort though the entire process. 24 Two thousand and five, at least we knew what to do. 25 Since we had already attained an assessment. And cost didn't 1 come down, as we had hoped, and so on. 2 But I think in 2006, management, the audit firms, 3 and the audit committee indirectly, are working towards 4 becoming much more efficient in this process. That's not to 5 say that things can't be improved more. I think that there 6 needs to be more clarity in what guidance that there is on 7 the use of the internal auditor in the firms. 8 You know, where management takes ownership and is 9 doing their job, and the internal auditor is doing their job 10 in testing and so on, and then you've got another auditor 11 coming in, if everybody is cooperating, and there is 12 oversight by the audit committee, and so on, I think that 13 tremendous efficiencies can be attained by using the internal 14 auditor. 15 I am not at all worried that corporations will find 16 -- will take out the inefficiencies. They have the 17 incentives to do so. But as we scope a project such as this, 18 and so on, there are different incentives for the public 19 auditor and the corporation. And they audit committee has to 20 make sure those are balanced correctly. 21 I think I'll leave it at that. 22 MR. TAUB: Mr. Brunner, the banking sector has long 23 had some reporting on internal controls under fiducia. 24 Nonetheless, I am aware of comments that the 404 process was 25 certainly different, or additive to, what had been happening 1 under fiducia. 2 Can you tell me, from your point of view, was the 3 guidance that we provided last year helpful in the process? 4 And are the audits of internal control becoming more risk- 5 focused? 6 MS. BRUNNER: First of all, I agree. It was very 7 helpful. But I would underscore that the largest portion of 8 the help was opening the gates to the more cooperative 9 relationship with the auditor. I just can't underscore that, 10 given that, given the working relationship, that positive 11 things will come out from all avenues. 12 Yes, there are a lot of tactical things. In 13 looking and comparing to how the banking industry has been, 14 which not only had fiducia, but by the sheer nature of the 15 industry, it has always been a very control-based 16 environment. Our products and services lend themselves to a 17 very, very strict control. We have always had a very risk- 18 sensitive model in the first place. 19 I think the difference between what we see in 404 20 and what we have seen in the past was the prescriptive nature 21 and the degree of focus on things that can be tested and 22 measured. 23 Now, maybe that's a hazard of our professions in 24 that we like things that we can see, observe, test and 25 measure. But one of the things that -- and it varied from 1 company to company -- but certainly we see that some 2 improvement can be made, and that opportunity exists. 3 We largely saw that entity-level controls were done 4 in one silo. And activity-level controls were done in 5 another silo. And, of course, we think a lot of energy went 6 into testing and pounding out and measuring and documenting 7 things with lots and lots of paper of doing it. 8 But I think the real lift is yet to come, because 9 when you get to the point you can step back and look at the 10 risks of your business, look at the tone at the top. Look at 11 the environment you are in, and be able to really integrate 12 the -- call it tone at the top, call it entity level, 13 whatever it might be -- and you can integrate that with how 14 much mathematical testing do I need to do. We can start 15 taking some of the burden. 16 Because certainly from the banking industry the 17 difference largely was the amount of documentation and way of 18 going about it. 19 MR. TAUB: Thank you. Move on to another set of 20 questions and start directing this set to Mr. Level and to 21 Ms. Gordon. 22 How would management's process have been different 23 if the auditors were not also going to be involved in 24 assessing internal controls? 25 Were there instances where management believed that 1 it had found and implemented an effective way to test 2 controls but the auditors made suggestions for additional 3 testing that management didn't necessarily think was 4 necessary? And, if so, in the end was that helpful to 5 management's assessment process, or did it merely add to the 6 burden? 7 Mr. Level? I'll start with you. 8 MR. LEVEL: Thank you. And we appreciate the 9 invitation to be back. And the interest of the Commission 10 and the PCAOB in considering again this year the 11 possibilities to make what we are doing better, quicker and 12 faster. And cheaper. 13 We would have, as you have already heard from the 14 first panel and a couple of the comments already from this 15 panel -- we would have committed more of our resources and 16 spent more time on the entity level tone at the top-type 17 controls if we had no audit of the management's assessment. 18 But the reality is, frankly, that our process in 19 the end was driven by the auditors' opinion of internal 20 controls and so we went about determining what they needed to 21 derive and to reach their conclusions and for their opinion, 22 and went down that path. 23 We also did what we felt we needed to do to make 24 them comfortable, of course, with our assessments supporting 25 our opinion. You all know about the typical differences 1 between COSO and AS-2, around an issue that I think is quite 2 important, and that is the ability to recognize that some 3 controls exist, even if they are not documented. 4 We spent a lot of time, frankly, in the last two 5 years, documenting controls that already existed in order to 6 support both the auditor's opinion and our opinion and their 7 own. 8 As you all know, we have been pen pals with the 9 Commission and have submitted comments for the last several 10 years about this topic. And we did again in connection with 11 this panel and this roundtable. And I would urge you to 12 refer back to that as to more specifics we have in that area. 13 But I would -- in thinking about -- on the way from 14 California out here, about this matter again, I feel that we 15 really need to deal with the three-opinion opinions. And we 16 need to integrate the auditor's opinion and make it one 17 opinion, both on internal controls and on fairness of 18 financial presentation. Remove them from the management's 19 opinion of controls and management should, of course, 20 continue doing that. 21 We would support some guidance from the Commission 22 around management's assessment. But we are fearful, frankly, 23 that we would end up with a whole new set of rules and an 24 approach to management's assessment, and we would have to go 25 ahead and expand on what we already do there. 1 And we would find, frankly, that we would have to 2 continue to do everything that we have done, including -- 3 unless you deal with AS-2 -- dealing with making our auditors 4 comfortable in the way in which their -- the standards that 5 apply to their opinion would mandate that they behave. 6 Now, having said all of that, I do want to close in 7 saying that your guidance last spring was quite helpful. It 8 was a little late, but helpful. 9 And I want to echo what I heard from both of the 10 previous panelists here, that the tone between the auditors 11 and management was probably the single most important result 12 of that guidance. 13 Thank you. 14 MR. TAUB: Thank you. Ms. Gordon, if you could 15 comment on how your auditors affected management's process. 16 MS. GORDON: Well, thank you. And once again thank 17 you for letting me come and speak in front of the group again 18 this year. What a difference a year makes. It's true for 19 the success of 404, in my mind. And also true in splitting a 20 company into two media companies now. 21 So, I have a lot to say also on the small. We were 22 large, and now we are two moderate size. So, I found that 23 question very interesting. 24 But first, to speak to what the guidance did for 25 us. The guidance was extremely helpful, echoing what the 1 people have said on the panel. But also it confirmed our 2 approach, that management is responsible for assessing risk. 3 And then we then take that risk assessment and coordinate it 4 with our internal audit, and then coordinate it with our 5 external auditors. So that is the approach that we had taken 6 from the beginning with this, the guidance confirmed that. 7 To the question of what would have -- how our 8 assessment would have been different had we not had an 9 independent audit, I have to truthfully say that I don't 10 think there would have been a difference. 11 And that maybe seems strange in some way, but I 12 think by taking the approach that management owns the 13 certification, and management is responsible for the 14 controls. The CFO, the controllers at the divisional level 15 and at the corporate level, have to say that this assessment 16 for risk is their assessment. 17 Now, the discussion comes in once management has 18 sat down and the financial groups at all the locations 19 throughout the world for us, sit down and look at it. We 20 then have the challenge of working with internal audit and 21 the independent auditor and saying is this sufficient? Is 22 this enough? 23 And throughout the course of the first year, it was 24 certainly much more debate than there was the second year. 25 The second year, we got down to talking about issues where we 1 may have had a different point of view on the auditor's 2 position on re-performance of controls versus our position 3 where we thought it was sufficient to verify evidence that 4 control had been performed. 5 So that we had to work with the independent audit 6 team and we had to go back and forth and debate what is 7 sufficient. 8 Also, the issue where I think we still continue to 9 debate, something as challenging or un-challenging as 10 spreadsheet controls. The auditors will come in and say that 11 this is the most important control that you have to have. 12 You have to go and recalculate and re-add and check all the 13 spreadsheets that you have that are in key processes, and you 14 have to find a team of people that are going to do this. 15 This tends to be a very interesting battle. 16 Because I can remember the computer came out many, many years 17 ago. You didn't have to re-check or re-add them up, but we 18 find that there's a healthy tension between us, as far as we 19 are going to go. So, as far as guidance on that, if we were 20 to look at what we need to do, maybe that's something that 21 information to the external auditors or to internal auditors 22 might be helpful, from that standpoint. 23 So, those were some of the issues that we still 24 continue to debate, but I still think minor compared to what 25 the issues were in the first year. 1 As I said, it's been an unbelievable year. I 2 applaud Phil from GE, who said that controls are in the 3 vocabulary. And speaking from a media company, we have a 4 year where controls are so embedded in the minds of both 5 business operations people, financial people and top 6 management. It's a success to what Sarbanes-Oxley really did 7 for us. So, I applaud it. And any other questions? 8 MS. PHILLIPS: In terms of auditor involvement, 9 changing what management otherwise would have done, Pete 10 Minan, you have some firsthand experience implementing AS-2 11 and working with companies. Can I get your perspective on 12 that? 13 MR. MINAN: Certainly. First of all, let me thank 14 the Commission and the Board for inviting me back to speak 15 again. I am happy to be here as well. 16 In year one, clearly the auditors had a significant 17 amount of input in management's assessment process. The 18 standards were new. The concept was new. And at the time 19 there was no guidance for issuers really as to what to 20 follow. Some of the issuers, of course, looked to their 21 auditors for guidance. The auditors in turn looked to AS-2 22 for guidance, and basically almost held AS-2 as the default, 23 the de facto standard for management's assessment. 24 The May 2005 guidance was particularly helpful in 25 dealing with that and in a particular area. One area that 1 the May 2005 guidance did was clarify the recognition that 2 management has a broader array of procedures that they can 3 use to test their assertion -- basically their assertion did 4 not have to look -- their test of their assertion does not 5 have to look like what we as auditors are used to seeing. 6 And that really opened the door. I think that went a long 7 way to reducing if not eliminating some of the duplication of 8 efforts. It certainly improved efficiencies in many 9 respects, and took a lot of stress out of the system. 10 Now, are we there yet? No. Clearly, as both 11 issuers and auditors gain more experience, I think we are 12 going to move further down the learning curve on that. As we 13 get more experience as to how managements document their 14 assessment, I think we are going to get better at auditing 15 that assessment and reaching our conclusions. 16 Particularly in the area of risk assessment -- I 17 mean, we talk about risk assessment, risk-based auditing, but 18 the concept is -- the hard part of risk assessment is the 19 qualitative aspects of risk assessment. And we as external 20 auditors have been doing risk-based auditing of financial 21 statements for years. We've got an accumulated knowledge 22 over the years auditing financial statements that help us 23 make those decisions and evaluating risk. 24 With respect to internal controls, the mind set is 25 a little different. We don't have the years of experience. 1 We don't have the accumulation of data. And certainly 2 management and issuers do not have the data as well. So, 3 it's a little harder. So we need to gain more experience to 4 help us evaluate the risk there. 5 Particularly in the area we heard mentioned 6 earlier, and that's linking the company-wide controls to the 7 financial statement assertions. That's an area where I think 8 we are going to gain more experience and become better at, 9 and I think you are going to see some efficiencies come out 10 of that particular area. 11 MS. PHILLIPS: Jim Turley. In your firm's comment 12 letter, you suggested that AS-2 shouldn't be amended because 13 its sound and scalable as it is. We have seen in comment 14 letters and heard a number of folks talk today already about 15 the May 16th guidance being helpful, additional benefits 16 still to come, and that we are not going to see the full 17 benefits, in terms of changing audit behavior, unless the 18 standard is amended. To change the rule text itself to 19 articulate those same concepts as in the May 16th guidance. 20 Would you be supportive of that type of amendment 21 of AS-2? 22 MR. TURLEY: Yes. Let me make a couple of comments 23 first. You asked a very interesting question about how 404 24 would have been done differently by management if it wasn't 25 audited and you asked Peter the same question. 1 I have every confidence that CBS would have done 2 exactly as was said. Sadly, I don't think that's the case 3 for every company in the country. 4 Our experience has been that there were many 5 occasions where we had to, sadly, hold some feet to the fire, 6 if you will. And some of those companies -- in fact, if 7 companies weren't committed to doing what CBS was committed 8 to doing, they were not clients of ours, and the other firms 9 had the same reaction. There are a lot of companies who 10 don't serve anymore. 11 So I think that at some level what you measure does 12 get improved. I think the investor community sees the value 13 of independent auditing, and so I wish, deeply in my heart, 14 that all companies had the kind of commitment that CBS has 15 articulated. 16 To the issue of amending AS-2. The May 16th 17 guidance was extremely helpful. As some of my colleagues in 18 the previous panel talked about, that guidance has been 19 already implemented in every one of our processes and 20 methodologies in communications to our partners and our 21 staff. And we have been very transparent with the PCAOB, as 22 you know, about how we have communicated not just the May 23 16th guidance, but all the Qs and As that have also talked 24 about 404. 25 So to that end, I don't think amending AS-2 to 1 include the May 16th guidance would have any substantive 2 impact on the performance of the profession. 3 Having said that, I think we are in a dilemma as a 4 collective group. We are hearing some great companies say 5 that additional guidance for issuers may not be needed 6 because it might change what is now beginning to work very 7 effectively, and increasingly very effectively. 8 But we have a number of companies that have not 9 implemented 404 yet. So I actually believe that having 10 issuer guidance for smaller companies is really important as 11 we move forward. What evidence is needed for management to 12 make its assessment. How should they think through the 13 intersection of work required versus risk. What level of 14 documentation is needed. How should they think through the 15 comments that Lee had about entity level controls. 16 I think those things are subject to some guidance 17 for those issuer communities -- the issuer community that has 18 yet to implement 404. 19 And then I think making sure that AS-2 is aligned 20 with that guidance would be very, very important so we don't 21 have competing standards. To the extent that PCAOB wants 22 to -- if there is back-door issuer guidance in AS-2, to take 23 that out. But merge together the guidance that's out there 24 on the street today because it has been very effective. 25 And I think that we wouldn't object to that. But I 1 think that having wholesale change to AS-2 is not necessary 2 because, as our letter said, it is scalable and it is being 3 effective. 1 MR. TAUB: Thank you. We've heard a little bit I 2 think in these last few minutes some perhaps differing views 3 about whether guidance is needed for management. And perhaps 4 I can just pose the question first to Mr. Holmberg from a 5 large company environment and then to Dr. Sherwin whose 6 coming from a smaller company environment. 7 Is there sufficient information available to 8 management regarding internal control frameworks and 9 regarding how to assess the effectiveness of an internal 10 control system at a company? Start with Mr. Holmberg. 11 MR. HOLMBERG: Thank you. Again, thank you for 12 this invitation. I know I also somewhat representative a 13 number of foreign filers today, and I can tell you from my 14 interactions with them that they spent 2003 and 2004 in some 15 bemusement about what was going on with their American 16 counterparts and 2005 with some trepidation, and this year 17 you see the fear in their eyes. 18 So, fortunately for BP, we've essentially finished 19 our first-year assessment based on last year's results, and 20 so are kind of starting our second year. 21 I'd have to say that when I saw the corp's finance, 22 we wrestled with it because we have not from a large company 1 perspective spent a lot of time saying we don't have enough 2 guidance as to what management's assessment should be. 3 I would actually say we've probably felt like we've 4 benefitted from the fact that we didn't have as much 5 guidance, and therefore were not constrained and bound as our 6 external auditors were by the degree of rigor and precision 7 which AS-2 provided them with. And I think we somewhat 8 benefitted from therefore being able to use judgment where 9 appropriate. 10 Going into our second year, we have, much I guess 11 like many U.S. companies, have significantly changed what we 12 believe to be materiality levels for what we've looked at, 13 and we've gotten in fact very, very quick agreement with our 14 external auditors on some of those changes; so quick that I 15 wonder if we didn't push far enough on that, but I won't say 16 too much because I share the dais today with the chairman of 17 our audit firm, so -- 18 And so we feel pretty comfortable about what it 19 takes to do management assessment. I think what we've -- 20 anytime you have compliance you're better off within a 21 company if you can get business management to buy into it 22 because it's a good idea, and not because you're doing it for 23 compliance sake. 24 And I think we've been -- I feel like we've been 25 relatively successful with business management in saying it's 1 useful to identify which controls you should have for your 2 major processes; they buy into that. You should determine if 3 those controls are good enough or if they need to be 4 remediated; they can buy into that. So we should test 5 controls on an -- basis; they'll buy into that. 6 Where I lose them is when they say, we also need to 7 -- in order to assess those each year, we need to test those 8 internally with the people who perform the controls; we need 9 to test them with the internal auditors; we need to test them 10 with our external auditors; all of this testing activity in 11 order to get to that assessment. And that's when from a 12 business management perspective they kind of say that's 13 sounds more like compliance than it does good business 14 practice. 15 And so for us that's probably been the biggest area 16 of frustration that, not only were we doing a lot of work 17 internally, but also the auditors following the AS-2 needed 18 to do a fair amount of their own. And so that's the one 19 thing from a foreign filer perspective that's been in our 20 minds. 21 MR. TAUB: Dr. Sherwin, I know you come from a 22 smaller company environment, so perhaps some thoughts from 23 that end of things. 24 DR. SHERWIN: Well, thank you. And I'd also like 25 to thank the Commission and the Board for an opportunity to 1 speak today. 2 I noted that I am the only physician on any of the 3 five panels; I'm not sure that's a good advertisement 4 considering the wealth and widely held views about how we 5 deal with money in my profession. 6 But I'm also here as CEO of a smaller public 7 company, as you all know. And I note that I'm also the only 8 officer of a small public company on any of the five panels, 9 and so I feel a particular responsibility to speak on behalf 10 of the hundreds and hundreds of small public companies that 11 are under the burden of Section 404. 12 As a representative of the Biotechnology Industry 13 Organization, I have particular knowledge of how that 14 regulation is playing our in our industry. Remember that we 15 are largely small and emerging companies working in important 16 areas of health care, food supply, improving sources of 17 energy and alternative fuels. 18 We are also part of an industry in which the U.S. 19 still maintains a global position, and we don't want to lose 20 that; we don't want our global leadership to fall prey to the 21 burden of this regulation as well as the convergent 22 regulations that you're all aware of with respect to FAS 23 123R. 24 So I could spend a couple of minutes, but I won't, 25 talking about the real costs in terms of dollars and 1 personnel that are devoted to the implementation of this 2 regulation. We've surveyed our members; we have the date 3 from our own industry survey. 4 I really don't follow the surveys from the 5 accounting firms: at least a half a million to a million of 6 added expense; over 1,000 hours of personnel time -- these 7 are real numbers to small and emerging companies -- a greater 8 than 250 percent increase in internal controls in the 9 accounting departments. 10 And we don't see any prospects for any change, 11 because to your question about guidance and feedback, we're 12 forced to go to other audit firms in order to get the 13 information we need to address the questions of the primary 14 audit firm. 15 But you know what's more important -- and bear with 16 me -- I think in talking about the real dollar and personnel 17 cost is talking about the opportunity costs in small 18 companies, and this would be true in any of the industries 19 where there are smaller public companies. 20 But in Biotech, which I know well, and as a 21 physician, I can tell you what it means to spend a million 22 dollars on an implementation of these regulations and not on 23 research and development for the new cancer treatments that 24 we're working on at Cell Genesys and that many other 25 companies are working on. 1 So I would urge you all to think about opportunity 2 costs -- obviously much harder to survey and measure -- and 3 the effect on our business model. I happen to have the 4 privilege of having been involved in starting three 5 companies, one of which is still private. 6 And when I sit on the board of that company and 7 listen to venture capital investors wonder whether that 8 company should go public at any point because of the costs of 9 these regulations, or whether in fact they should list 10 overseas, I'm terribly concerned as a 25-year veteran of the 11 Biotech industry that we not step on our own toes and imperil 12 the business model that has created the great companies that 13 you know about today. 14 I'll stop now. I'm not sure I even really directly 15 answered your question. But I appreciate an opportunity to 16 speak, and I felt I needed to do that, given that I am the 17 only small company officer who had that chance today. Thank 18 you. 19 MR. TAUB: Thank you. 20 We have a couple of cards up. First Kayla Gillen, 21 and then we'll go to Bill Brunner. 22 GILLEN: Thank you. I wanted to sort of follow up 23 on the question that -- 24 MR. TAUB: If you could put your card down, Kayla, 25 so they can see you on TV. 1 GILLEN: Oh, that's my goal. 2 I'd like to follow up on the question that Ms. 3 Phillips asked Mr. Turley regarding amendments to AS-2. Now 4 I understood from your comments that you can see a need for 5 possible amendments that would make sure that AS-2 is aligned 6 with whatever management guidance the SEC might issue, but 7 that you were concerned about, for example, incorporating the 8 May 16th guidance principles into the standard itself. 9 And what I understood you to say is that your 10 reason for concern is that you didn't think it would be 11 necessary because your firm has fully embraced the guidance. 12 Yet we continue -- we at the Board, and I believe the 13 Commissioner has experienced this as well -- continue to hear 14 anecdotally, from your clients as well as the other firm's 15 clients, that the May 16th guidance has not been fully 16 incorporated into what is actually happening on the ground. 17 And so I wondered if we could have a little bit 18 about what harm would happen versus what benefit some of us 19 think might happen if we amended the May -- AS-2 to 20 incorporate May 16th guidance. 21 MR. TURLEY: Kayla, thank you for asking that. I 22 must -- I may not have been clear in my remarks. I don't 23 have any concern about incorporating the May 16th guidance 24 into AS-2 as long as AS-2 is in -- consistent with whatever 25 management guidance, initial guidance would be, and including 1 even the Qs and As would not be a problem. 2 On the comment that the clients on the ground 3 aren't always feeling, you know, the exact perfect execution 4 of the May 16th guidance, you know, I an my colleagues, would 5 probably plead guilty. I think each of the firms made very 6 sure, very quickly, to bake in the May 16th guidance to all 7 of our methodology and processes in everything we've said and 8 everything we did and all the education we delivered. 9 Having said that, we deliver service through 10 thousands and thousands of people all around the country and 11 all around the world. And I'll be the first to admit that 12 on-the-ground execution has not been 100 percent consistent 13 with what was then new guidance, and I think we are, you 14 know, making every effort to continue to improve that day by 15 day by day. 16 And I think, as one of the other commentators said, 17 I think '06 will be better than '05, and I think we'll 18 continue to improve from there on out, because it's a focus 19 of our firm and all of the firms. 20 MR. TAUB: Mr. Brunner. 21 MR. BRUNNER: Thank you. 22 This question that we were working on around, is 23 there enough information out there, we have a lot of debate 24 amongst our members. The American Banker's Association 25 represents some of the largest companies in the work -- in 1 the United States down to some of the smallest public files 2 in the United States. 3 And what we find is the larger the company, do they 4 need more guidance, more tools? Not necessary. There's a 5 lot of depth of resources within those companies that, you 6 know, they, so to speak, can figure it out themselves and 7 work on it. 8 But as we get down to the membership and you wind 9 up with organizations that are smaller and don't have a lot 10 of redundancy of professional talent in accounting or 11 control, that search -- that field thins out. 12 And so potentially. some additional guidance for 13 that group would be helpful. But, back to a little bit of a 14 question, maybe I'm bleeding into the next question in this 15 whole area is: You get to those smaller organizations and yo 16 start to run out of the ability to take the current model and 17 apply it to them. 18 I sometimes use the example: You have the doer; 19 you have the checker; and you have the checker of the 20 checker." In many cases, there is a more than -- more than 21 one -- certainly, sometimes more than two, and definitely not 22 three qualified personnel present to do that kind of work. 23 Earlier, I had mentioned the concept of trying to 24 pull up to taking more of any entity view, more of some other 25 way other than the documentation frenzy around really trying 1 to do it that way, and take more of a risk approach on it. 2 Potentially, you take more of a view of more 3 observation and inquiry rather than going through several 4 layers where you may end up having engaged outside experts 5 that are experienced in a given field, putting them to work 6 on the clock, for a cost, to go in and check the work that's 7 already been done; just sort through your document trail. 8 So I think the long answer to the short question 9 of, "Is more guidance needed," I think different guidance is 10 needed as you go down the scale of the companies; the big 11 folks can handle it. Don't mean to speak for them, given I'm 12 in a small company myself -- had more resources to be able to 13 do so. 14 MR. TAUB: Thank you very much. We've got a couple 15 of more cards up. Acting Chairman Gradison, and then Ms. 16 Gordon. 17 MR. GRADISON: Dr. Sherwin, you have indicated the 18 -- and pointed out quite properly the opportunity costs 19 involved in public companies as a result of what we're 20 talking about today and that you have experience on non- 21 public company or more as well. 22 Is it your judgment that operating nowadays in the 23 private forum with whatever private capital might be 24 available today or not available today impairs the ability of 25 the private company to innovate to the extent that the public 1 company can do because of its access to public funds? 2 In other words, is the public suffering, in your 3 judgment, in your field, in the areas that are important to 4 all of us, innovation, job creation, competitiveness and so 5 forth, because the cost of being a public company has been 6 rising? 7 MR. SHERWIN: I think the short answer is yes. I 8 think there is no question that the venture capital 9 financiers of small emerging companies are taking a very hard 10 look at the value equation and taking those companies public 11 and are beginning to consider alternative liquidity events, 12 acquisition and the like in greater frequency. 13 And the concern I have about this is what it will 14 do to the start-up opportunities, particularly in my 15 industry, because it all works backwards from the liquidity 16 event, as we all know. 17 So I think I've heard enough conversations myself 18 at board meetings where venture capitalists are beginning to 19 question the public offering liquidity event and thinking of 20 alternatives and then wondering, frankly, whether they want 21 to continue to invest in this area. 22 It's hard to measure. Opportunity cost is always 23 much harder to measure, but I believe it's a real phenomenon. 24 And that's why Bio supports, as I think you all know, the 25 Small Business Advisory Committee recommendations to the 1 Commission in terms of scaling the implementation of 404. 2 MR. GRADISON: Thank you. 3 MR. SHERWIN: You're very welcome. 4 MR. TAUB: Okay. 5 Ms. Gordon. 6 MS. GORDON: I just wanted to say a few words about 7 echoing the belief that larger filers don't really need 8 additional guidance on what is needed; okay. And I believe, 9 Bill, you kind of nailed it on the head -- we have all of the 10 resources internally. 11 When you look at it, we have business unit managers 12 at each location; we have comptrollers; we have a corporate 13 staff that is experienced in internal audit controls as well 14 as external audit controls. So providing additional guidance 15 for large filers, I would echo that point of view. 16 One of the interesting things that we always face, 17 we have acquisitions throughout a year. And we always go out 18 -- and we're looking -- we acquire a small, little company 19 that has not had any of these controls. So they're coming in 20 -- it's a small radio station, small television station, 21 maybe a small new up-and-coming new media. 22 And we kind of go in and say, here is this large 23 behemoth company coming in and trying to put controls in. 24 And we kind of get an experience on how different that is for 25 a small filer to come into and fall into our ranks. 1 If you look at it, you see the challenges that they 2 have, but you also see the resources that we automatically 3 have available to give them. It's very interesting when we 4 look at this to see how helpful you can be as a large filer 5 and the struggles that you have as a small entity coming in. 6 So I would go on the side of less guidance for 7 large issuers, but some relief for the small companies coming 8 in. 9 MR. TAUB: Okay. Kimberly Gavaletz, you've got 10 your card up, and then I'm going to move on to some questions 11 that get at some more specific aspects of the assessments. 12 MS. GAVALETZ: Thank you. 13 I'd like to comment a little further on this 14 opportunity costs that's lost, but also on maybe some other 15 unintended consequences that we sometimes see as negative but 16 that might actually be positive here from as the companies 17 are getting that venture capitalist interest and then 18 proceeding on to being a public company to the point where 19 they might be interested in being acquired. 20 To your point, Susan, we, when we're looking at 21 companies, it is part of our -- we're bigger, and can bring 22 them in. But we're finding it's very beneficial if they've 23 already started some of this effort. 24 One of the things that got addressed in the first 25 panel is the vocabulary or vernacular of controls is being 1 very helpful if nothing else for when you are incorporating 2 and acquiring and then integrating and then getting the true 3 value out of that company as quickly as possible. 4 So I can almost see a continuum as companies go 5 public that they might need to be on -- in a maturity curve 6 that needs to happen as they mature in that effort, and it 7 might be very different to do that, but as, if nothing else, 8 this discussion is helpful in the control environment for the 9 people being acquired, if that's their ultimate goal or for 10 those that are acquiring them. 11 And also just as the company grows, you'll hear 12 controls -- even some of the earlier Microsoft stories of 13 when they were very small the level of controls they needed - 14 - then as they grew the level of controls -- and this was 15 more in the engineering realm, but it still applies, I think 16 equally as well here, to be able to control the company, they 17 had to get configuration management. They had to do all of 18 the other things; put the internal controls in place. 19 And I think it is that maturation that we're 20 talking about there. So I think there are some saving that 21 occur in the long-run, but how that works into not de- 22 incentivizing the entrepreneurial spirit of this country and 23 our inventive spirit, but at the same time positioning such 24 that the investment community is equally served as well as 25 them having the opportunity to grow and to be just viable 1 citizens in the acquisitions side of things is very important 2 as well. 3 So I think we're really planting some seeds, if 4 nothing else, like I said, in the vocabulary side, but in the 5 long-run, I think some of these become more common practice, 6 and won't be as hard to do, because people will have known 7 how to do them. 8 And the people that the small companies hire might 9 be some folks that know how to do it, and it becomes more 10 common practice; whereas right now you kind of got what you 11 got. 12 MR. TAUB: I'm going to move on to some questions 13 that get a little more specific on certain areas. We've 14 heard a couple of people suggest that the consideration of 15 company-level controls is very important and that effective 16 company-level controls ought to be able to reduce perhaps the 17 amount of work that's done on lower-level or processing 18 controls. 19 I'd like to ask the question first to Mr. Brunner 20 and then Mr. Holmbery as well as others who would like to 21 chime in. What types of company-level controls really do 22 have the greatest impact or should have the greatest impact 23 on the scope and extent of additional testing? 24 MR. BRUNNER: Well, I would first off -- and you 25 have to step back just a bit even from the control that's in 1 place -- is a recognition of the business model that you're 2 in. What are the controls, and what are the environment that 3 you exist in on a daily basis? 4 But stepping down into the entity-level controls, 5 it would be -- I think you cannot escape things such as 6 very top level processes, the involvement of management, the 7 involvement of the business leaders in the finance reporting 8 and the amount of review and the kind of work that goes on at 9 that level, the processes at entity-level that I've done, so 10 to speak, to close and analyze and look at the business. 11 I get that in one sense it's a process but another 12 sense it's clearly a tone at the top of the engagement of 13 understanding, the depth of understanding that goes on within 14 a company. 15 The focus on ethics and approach that the people 16 take to the business, those are the type of things that can 17 be very, very helpful. For example, just by how a company 18 analyses and understands their business, they may know -- 19 even though they may be smaller -- good, solid information 20 about what drives the business, what drives the revenue, what 21 are the metrics of performance. 22 I think those are higher level controls that need 23 to be given a lot of weight in finding and discovering 24 discrepancies versus going down and saying, "I'm going to 25 check five of these and document them down and put them in a 1 file." 2 There are certain ways that that mitigating control 3 is going to catch things at a much higher level. I hope that 4 answers your question. 5 MR. TAUB: Thank you. 6 Mr. Holmberg, you could address the same topic. 7 MR. HOLMBERG: I think, obviously, a lot of 8 companies have tone-at-the-top-type company controls that 9 have been in place, but I think your question is more 10 specific to other kinds of controls that we've looked at. 11 And, as we go into our second year, we are really 12 focussing that in two areas: One, BP, like many companies, 13 has a significant profitable, profitability forecasting 14 process that it uses. Maybe ours is more significant than 15 others, but the very fact that you can compare actual results 16 with forecasted results and find discrepancies there provides 17 a lot more comfort than we realize. 18 But the process always worked; we didn't rely on it 19 as much as possible. But I think the biggest area that we're 20 focussing on is in IT where we are trying to put in place 21 more what we'd call IT operating standards. 22 And if such standards are working effectively, then 23 we are essentially moving away from IT testing at the 24 application level for every application that's considered 25 significant. And that's a -- quite a big philosophical 1 change, but one that we believe is justified, and one that we 2 so far our external auditors' supported. 3 MR. TAUB: I'd like to actually roll with that. 4 You mentioned IT, and IT controls are another area where 5 we've received a lot of comments, heard a lot of discussion 6 that the level of working being done related to IT controls 7 was perhaps not optimal. 8 In fact, let's start with Mr. Level. 9 Your thoughts on whether the evacuation of 10 information technology controls is being done in the most 11 effective way and whether -- if you believe improvement is 12 needed there, or whether we have started moving in the right 13 direction? 14 MR. LEVEL: We've been pretty direct in our 15 comments. It is very important that baselining, benchmarking 16 be allowed and that the current guidance around what the 17 criteria that are necessary to be achieved before one can use 18 this approach are frankly more expensive than starting all 19 over. 20 And so -- and we think we know something about 21 information technology. And, by the way, in that regard, 22 there was a comment earlier about using registrant 23 experiences in and advisory way. And we would certainly 24 volunteer to participate. 25 And I know there are any number of information 1 technology companies in the country; if there's anything that 2 we have a strength in, it's that -- who would be happy to 3 help you deal with that issue. 4 And frankly, we've found that this is an area where 5 maybe we've spent too much time on application controls based 6 on the way in which the guidance evolved and not enough time 7 on other controls around information technology, physical 8 controls, network controls and so on. 9 And I think you would find that you have a more 10 constructive and a more appropriate conclusion to support 11 your assessment of information technology controls if we 12 could benchmarking, baseline and spend equal amounts of 13 resources over areas. 14 MR. TAUB: I've seen a number of people nodding as 15 we've gone in the IT discussion. 16 And, Ms. Gordon, I believe you were one. 17 MS. GORDON: My response to -- ISNT moved in the 18 right direction, but we still have a very long way to go. 19 And I think that kind of, we just all reconvened the group 20 for the company on 404. And I think we -- our takeaway was 21 that, you know, for the business processes, we're where we 22 want to be; want to keep going. 23 But ISNT, we've got to get there, to a place where 24 right now I think from an -- audit firms are still taking the 25 approach of a control questionnaire approach, so they're 1 coming in and giving us canned questions, so it hasn't really 2 been tailorized. They're not maybe looking at a risk-based 3 approach for the IST review. 4 In addition, companies are finding I think that all 5 of our controls are manual, so that we are faced with maybe 6 90 percent or greater of our control and how to instruct to 7 automate these control so that we can make the control 8 process and the evacuation from the company's standpoint more 9 effective, quicker, as well as kind of work with the outside 10 auditors not to have this group of ISNT experts come in and 11 evaluate us and be basing their information off of a 12 questionnaire. 13 So the goal this year is to move from more then 90 14 percent of our controls are manual to maybe 80 percent. And 15 ISNT is on board with this. And I think they see this as a 16 great opportunity. 17 So as you're going in and building a new system, 18 take the initiative from day one to actually go in and 19 building those controls; embed them in the system so that you 20 have that. 21 But I think that that was the greatest 22 disappointment. If I had any disappointment for '04 and 2005 23 it was that we didn't move ahead on ISNT as much as I wanted. 24 MR. TAUB: There are a few cards up. Ms. Gavaletz, 25 Dr. Sherwin, and, Jim, did you have your card up and it fell? 1 MR. TURLEY: It keeps falling off. 2 MR. TAUB: All right. Well, why don't we turn to 3 Jim Turley first, and then we'll go back to Kim Gavaletz. 4 MR. TURLEY: Yeah. Real quickly, Scott. I think 5 these last two questions on both the company-wide or entity 6 controls and the IT controls are all linked. You know, when 7 I look at companies, I think there needs to be a balance of 8 prevent controls, detect controls and entity-level controls; 9 some automated; some not. 10 And I think that balance changes depending upon 11 whether you're a small company or a large company. And if 12 you think about prevent-, detect-, entity-level controls, I 13 think actually the nature of some of the company-wide or 14 entity-level controls is actually different at bigger 15 companies than at smaller companies; much more focus around a 16 monitoring of whether other controls are effective; whereas 17 in some smaller companies, it's a monitoring of operations 18 themselves. 19 And so I -- this is one of the reasons why I think 20 it's really important that we get more focussed guidance for 21 smaller companies because there is difference between the 22 control environments. And so I, you know, encourage, you 23 know, Coastal to complete their efforts and the SEC to 24 consider smaller company internal control guidance. And I 25 think that will help balance, keep that balance appropriate. 1 MR. TAUB: Thank you. 2 Ms. Gaveletz? 3 MS. GAVELETZ: In the IT area, I believe we really 4 have been going through some evolution. As was mentioned 5 earlier with 404 we really went into the external auditors 6 having to, not only look at the integrity of the financial 7 reports themselves, but the controls backing them up. 8 I think the next step really was the IT that backed 9 up -- that was really doing the controls. And I think we 10 brought a whole lot of folks into doing that IT work that 11 might have been on the fringes. 12 One of the -- another unintended consequence that's 13 been great has been the integration of our IT work with the 14 actual applications that they're serving. They did them, but 15 there hadn't been that ongoing relationship, and the control 16 environment had really -- the focus on that has really caused 17 that, and so that learning has happened. 18 But what I think it's resulted in is to date we've 19 seen more bottoms up risk assessment. Because, to be honest, 20 a lot of people that did a lot of that high-level risk 21 assessment before may or may not have had the IT knowledge, 22 or they brought in the IT specialist into an investment that 23 they hadn't previously been in. 24 So I think some of that's going to correct itself 25 as the people are in the same rooms having the same 1 conversations. And I think as internal auditors, external 2 auditors and the colleges graduate more folks that have the 3 IT background that's part of their normal curriculum that 4 they're going through, we'll also start providing that as 5 part of the work force. 6 But right now, we're having to blend some 7 communities together that quite honestly weren't always in 8 the same room in those conversations; they might have existed 9 in the same corporations, the same firms, but not necessarily 10 together, so I think that's got to happen. 11 But there really is that integration going on. I 12 think there is lots of things going on right now. The 13 Institute of Internal Auditors is working on some guidance in 14 this area at a more top level. The IT governance institute 15 that does covers also working that. So I think there is 16 guidance coming out on that. 17 The thing I would be most concerned is making sure 18 that we get it into more of a top down, because I think we 19 have done a lot more actually looking at it in detailed level 20 work that may not be as efficient and effective as it could 21 be to really answer the question on the effectiveness of 22 internal controls relative to financial reporting. 23 MR. TAUB: Thank you. If I can turn to Dr. 24 Sherwin. 25 DR. SHERWIN: Thanks. I just wanted to make a 1 brief comment about how 404 oversight in the IT area is 2 particularly onerous to smaller companies, because I think it 3 illustrates the general points I was making earlier. And I 4 could just as well comment on the application in accounting 5 areas or human resources. 6 And, in a nutshell, the problem is that the lack of 7 adequate staff and infrastructure forces the hand of the 8 smaller public company to seek outside consultative support 9 to carry out the necessary testing, and usually that means a 10 second audit firm. 11 And therein lies the catch 22 in terms of our never 12 having any confidence that the cost requirements of 13 implementing these regulations as they're now defined will go 14 down over time. So, again, the need for scaled reform. I 15 want to emphasize how important it is and how the IT area 16 illustrates this. 17 MR. TAUB: Thank you. 18 We've got a couple more tent cards on this one, and 19 then we'll move on to a couple of more subjects in the 20 remaining 15 minutes or so. 21 Mr. Minan? 22 MR. MINAN: Thank you. 23 First, with respect to IT, generally speaking, my 24 experience is probably the IT area more than any others that 25 benefitted a lot from the 404 experience. I think both the 1 company's assessment process and the external auditor's 2 review of the IT area, I think shined a light on the IT area, 3 generally speaking, and identified some areas that probably 4 hadn't gotten some attention in the past. 5 Opportunities to improve both financial controls 6 and operational controls, I think we saw some deficiencies 7 that hadn't previously been focused on, and I think we saw 8 some opportunities for companies to migrate from detective 9 manual controls to preventative systems-based controls. So I 10 think that areas gained a lot of benefit just as a result of 11 the 404 process, and I think it's important to not lose sight 12 of that. 13 I think in year 2 and year 3, we'll continue to get 14 benefits and improvements, at least from an external audit's 15 perspective as well as management's assessment perspective 16 relative to benchmarking. This is an example where the May 17 guidance came out; was very, very helpful; and was embraced, 18 but not all of the benefits are necessarily realized. 19 With respect to benchmarking, as companies continue 20 the migrating towards preventative systems-based controls and 21 continue to get comfortable with documenting the controls 22 over changes to systems, I think you'll see more and more 23 benefits reflected in lower audits -- narrower audit scope 24 and less audit hours; I think that's pretty important. 25 I also think it was point out earlier that the 1 integration of the audit, which we did much better this year 2 than we did in year one -- again, we did that early in the 3 year this year. And I think in some degrees the integration 4 didn't occur in light of the May guidance. We started the 5 integration process in April and March and kind of did the 6 lessons learned at the end of year one. 7 And I think it was in some respects that it went a 8 little bit too far down the road to change things for scale 9 as it relates to the full benefits that come out of the May 10 guidance relative to IT. 11 So I think -- I'm very, very optimistic that in 12 year 3 this is an area where I continue to see -- continue to 13 expect to see benefits and efficiencies both on the 14 management's assessment side as well as the external audit 15 side. 16 MR. LEVEL: Well, it depends on which side of the 17 glass you're looking. Thank you, Peter. I just wanted to 18 point out that one of the consequences of the increased 19 interest in IT is increased cost around IT. 20 Our SAS 70 cost is up about three times year over 21 year as a result of the increased focus in this area. So 22 there is a cost to go with the benefit of the focus, but we 23 love it. 24 MR. TAUB: Commissioner Atkins, I see that you have 25 a question. 1 COMMISSIONER ATKINS: Yes. Before we leave this 2 topic of company-level controls as well, because from my 3 perspective that's what this is all about, and where things 4 sort of veered off course, and you all have brought up some 5 of the more picayune aspects, I guess, of the process where 6 you're asked to recalculate spreadsheet calculations and 7 things like that. 8 I'm curious, because I do think, you know, we 9 probably do have to change the definitions that was heard 10 from the first panel. But I was wondering how could we arm 11 you all, as management, in order to be able to push back on 12 some of the more, you know, picayune granular demands and 13 keep things at really the entity-level, which is what this 14 process was meant to do in the first place? 15 MS. GAVALETZ: I would just comment your comment 16 right there helped. Okay. Just staying at -- to stay at the 17 entity control level, raise it up, you know, apply the same 18 top-down approach, which I think will cause companies to look 19 at themselves and see what is their governance structure 20 around their IT environments. 21 How does that affect their financial reporting, and 22 actually ask those questions and make sure that the top level 23 is there, which I think will have the overall consequence of 24 working throughout the system. 25 So I think your comment right there was very 1 helpful. 2 MR. TAUB: Mr. Level, your response. 3 MR. LEVEL: I agree with Kimberly, and keep it up. 4 I think we would most appreciate increased focus on the fact 5 that COSO agrees that documentation is not necessary to have 6 good control. 7 The whole distrust, if you will, of the fact that 8 management represents a particular control takes place, and 9 the auditor knows it does but they have forced issues like 10 minutes of meetings. They walk by the same conference room, 11 you know, with class and see that people are holding the 12 meeting every time. But it's just a -- it's a major, major 13 issue, and it isn't picayune. 14 MR. TAUB: Okay. Ms. Gordon, did you have another 15 response to Commissioner Atkins? 16 COMMISSIONER GLASSMAN: I was just going to echo 17 that, that relief on the documentation for the auditor would 18 be of great help, and also continuing the emphasis on the 19 entity-level controls, which I think the company as a whole 20 makes that decision. 21 When we look at it and we say, you know, the most 22 important thing for us is that we have effective business 23 code of conduct that we have employees sign; that we have an 24 internal audit recommendation process, where every point's 25 going to be addressed, or where we have strong analytics on a 1 monthly or quarterly or annual basis. 2 If that's management's view, and management's 3 position on how they get comfortable, then it should be 4 sufficient to say that that's the tone at the top. That's 5 the direction we're moving in, and the auditor should take 6 some solace in that, we would hope. 7 MR. TAUB: Okay. A couple of more cards went up. 8 Mr. Holmberg and then Mr. Brunner. 9 MR. HOLMBERG: Well, just to be somewhat 10 responsive, I do think that's why you hear some people 11 pushing back, that we do need to modify AS-2, because even 12 though the guidance last year was helpful, at least in our 13 particular concern we still have auditors feeling compelled 14 to say the guidance is useful, but we're still bound by AS-2. 15 So the comments about having to walk throughs and 16 not rely on the work of others. The guidance is helpful, but 17 we're still bound by AS-2. I think modifying AS-2 to be a 18 little less prescriptive and a little bit more judgment on 19 the behalf of auditors, would actually be very helpful. 20 MR. BRUNNER: This might be a little more of a 21 philosophical answer to your question. But when I look back 22 and you say what is driving this documentation, what is 23 driving a lot of this detail thing rather than stepping up or 24 taking more observation views. 25 Some of it, I think, is just a recognition of 1 environment. I'm not quite sure how we fix all of it, is 2 being cognizant that issuers, auditors, everyone, and it's 3 been mentioned particularly in the first panel, are so 4 sensitive to risk, and risk of 20-20 hindsight, and being 5 called on the carpet, so to speak, for whatever they have. 6 It is certainly a wind or a trend that we're having 7 to fight against. What is a common answer to that? Paper it 8 up. Document it up. So whatever we can do in that vein that 9 try to reduce some of the fear, if one might say, of doing 10 that would be very helpful. 11 MS. STACEY: I'm wondering if we can wander down a 12 slightly different path. This has been very helpful, but I 13 wanted to explore a little bit on some additional guidance 14 that people thought might be helpful. 15 We've heard about entity-level controls and how 16 that impacts the scope of the remainder of the testing. One 17 of the things that we really haven't explored yet is exactly 18 how that testing actually happens. 19 Is it ongoing monitoring? Is it testing at points 20 in time and rolling forward to the end of the year? I 21 haven't heard a lot about any problems in that area, or 22 whether additional guidance is needed on exactly how you 23 actually perform the assessment. I'm wondering if anyone 24 would care to comment on that. Yes, Kimberly. 25 MS. GAVALETZ: As I kind of made statements 1 earlier, I'm not a huge extra guidance. You know, keep it as 2 simple as you can. But I think relative to going forward, 3 there could be some additional, you know, emphasis on the 4 entity controls, and kind of turning the equation back the 5 way I think actually the standard is written. 6 But we've gone, you know, in our rush to having to 7 be compliant in the early years, we've really gone all the 8 way down to the full end of the spectrum. You had to solve 9 the whole equation, so you did everything. 10 But I think we've still -- if we could get back to 11 those entity controls and reinforce that level of it, because 12 that is really where you get the tone of the top. It is 13 really where you get the overriding controls that make 14 everything happen. 15 When you're -- I used to like to look across all 16 the businesses in my internal audit role, to be able to see 17 what was going on across all of them, versus having to audit 18 at each place. 19 If I didn't have the appropriate organizational 20 structure, the appropriate policies and procedures in place, 21 you can't audit it in. So the importance is there in the 22 entity controls. 23 I think also in doing the risk-based approach on 24 things, I think people are struggling a little bit. I think 25 I would intuitively agree. But implementing risk-base when - 1 - we haven't really hit it on the panel today, but in the 2 past, last year we did on all the work you have to have 3 looked at, you know, in that year. 4 I didn't have the phrasing quite right there. But 5 I think people haven't quite figured out all the ways that 6 they can really look at something and do the work in that 7 year, but the work might have been from prior years. 8 But they would do either minimal testing or assert 9 that they don't need to do any testing, because they tested 10 it two years ago and they've checked the change logs and 11 change records and there weren't any changes. They don't 12 have to do anything. 13 Some areas are getting that into their -- some 14 companies I talked to are getting that into their processes. 15 Others, you know, it's a significant area. We've got to do 16 it every year. 17 So I think some things there. Also once something 18 gets scoped into the risk environment, getting it off the 19 list is very difficult. So being able to be flexible and 20 really "Okay, that risk went away," or we need to maybe 21 monitor that. How are you monitoring that?" 22 Checking how we're monitoring it, just really more 23 of a dialogue on the whole thing at the top level, I think 24 will help really make the environments that we're trying to 25 create get there a lot faster, versus just the individual 1 more robotic sort of testing. 2 MR. TAUB: Dr. Teplin, did you have something to 3 add here? 4 DR. TEPLIN: Yes. When I thought about the whole 5 list of questions and so on that we were reflecting on, this 6 whole idea of each year stands on its own has bothered me a 7 good deal over time. 8 As the panelists indicated, testing done this year 9 for a medium risk or a near-high risk may not need to be done 10 each year. 11 I think that this type of -- by the statement "each 12 year has to stand on its own" has forced companies and forced 13 the external auditors, the independent auditor, to feel that 14 every year we're going to do all these tests again. 15 I think that that has prevented some of the cost 16 efficiencies that we could use. So I would ask that this be 17 reconsidered, or at least modified in a way that makes -- 18 perhaps makes it clear that you didn't mean that every 19 control has to be tested every year and so on. 20 I think that that's somewhat of a confusion in 21 there. 22 MR. TAUB: Mr. Level. 23 MR. LEVEL: Carol, your question reminded me -- 24 sorry. Your question reminded me of a comment that we've 25 included in all of our letters during the last couple of 1 years, and I would just like to reiterate it, that we think 2 there should be some focus on the 302-404 interrelationship. 3 We've gone from annual reporting or quarterly 4 reporting and annual audits to continuous auditing, and that 5 has gone into, obviously into the control areas in space. It 6 would help if we could moderate the representation to a 7 knowledge and belief, for example, or take some other 8 approach. 9 MR. TAUB: Okay. We've got about three or four 10 minutes left. Throughout this panel, we've heard a number of 11 people suggest that to the extent more guidance from 12 management is needed, it is needed more and more as the 13 company gets smaller and smaller, and that perhaps the size 14 of the company indeed does impact what kind of additional 15 work is needed on management's assessment process. 16 If I could ask, what are the particular challenges 17 that small companies face, and how could they be addressed in 18 terms of making the assessment process more effective and 19 efficient, and if I could start with Dr. Sherwin. 20 DR. SHERWIN: Thank you. As I stated earlier, it's 21 hard for me to see how the circumstances with smaller 22 companies in Section 404 can be addressed by way of guidance, 23 because of the lack of infrastructure and inadequate 24 personnel to make the process more efficient. 25 The subsequent requirement to have secondary 1 outside firms performing the internal testing is going to fix 2 the cost at a certain level, and I frankly don't see how it's 3 going to be diminished. 4 That's why Bio supports the recommendations of the 5 Small Business Advisory Committee with respect to a scaled 6 application of 404 reflecting, as you well know, market 7 capitalization and level of revenues. 8 MR. TAUB: Kimberly. 9 MS. GAVALETZ: That's a test for all of our 10 speakers. I think that it almost makes me want to go start a 11 small business, to address the concern of the small 12 businesses, because I do see the concern that's being 13 addressed. 14 Because you don't have the staffs that larger firms 15 have, that they utilize. You know, they don't have -- if 16 their businesses were -- if our businesses were all broken up 17 into small components, we wouldn't have the ability either. 18 But because we have the economy of scale, we have the folks 19 there. 20 But I'm thinking that some of the things, that the 21 small businesses need our resources. They're also needing 22 some more "how to" and some more almost start-up kits that 23 would allow them to know, you know, here is what -- and I 24 don't like hugely checklists and things. 25 But I think in some of these areas, if you're 1 coming from just starting a company, something that would be 2 just very useful. But again, I don't know, kind of back to 3 your question of guidances, is what's needed there or 4 service, some service that needs to be provided to be able to 5 assist the small businesses. 6 I don't know if that needs to be looked at from a 7 government perspective. I think again as an entrepreneurial 8 company and country, there ought to be something there to 9 help serve in a cost-effective manner, the need that's out 10 there, because I do believe the need is there. 11 MR. TAUB: We are running quite short on time, but 12 I see Commissioner Glassman wanting to either ask a question 13 or make a comment here. 14 COMMISSIONER GLASSMAN: It's a question, thank you, 15 and it's related to the small businesses. Thanks. Given 16 that you have to do 906 and 302 certifications, how much of a 17 problem would it be to do at least the management assessment 18 part of 404, without the auditors being involved? 19 DR. SHERWIN: I think that's an important question, 20 because with the requirements for certification, we take 21 things very seriously. I believe that that is an element of 22 oversight that has been overlooked inc considering the 23 additional burden of 404. 24 So that would be helpful. Now there certainly is 25 an added component, with the external out of station, and it 1 would be better with respect to just having the focus on the 2 internal certification. 3 But even so, the scaled approach remains our 4 primary focus in terms of our viewpoint as defined by the 5 Small Business Advisory Committee. Thank you. 6 MR. TAUB: And we've got time for one more comment, 7 and we've got coincidentally one tent card up. So Mr. 8 Brunner, you get the last word. 9 MR. BRUNNER: To continue on your question a little 10 bit, because it kind of jumps into where I wanted to go, was 11 what do I think would make a difference? I think it would 12 assist in companies being able to do exactly what I was 13 talking about earlier, of looking at a risk-based approach to 14 it. 15 You'd have yet another avenue that isn't in your 16 way or another view or that, you know, quite honestly likes 17 to build a documentation base. You'd be able to give them a 18 little more freedom to take on a risk-based approach. 19 I can't underscore -- I'm not sure giving small 20 companies tactical things to do is an answer. It's giving 21 guidance and understanding of risk, and the guidance and 22 understanding of how to think about risk can be very helpful. 23 We as well, you know, support the proposals out 24 there for the small companies. Thank you. 25 MR. TAUB: Okay. With that, we've come to the 1 close of our panel on Management's Evaluation and Assessment. 2 I'd like to thank the panelists for your contributions. 3 Thank the Commissioners and the Board Members as well for 4 their attendance and their contributions. 5 We now have a break until 1:15, when we will return 6 with our third panel. Thank you everybody. 7 (Whereupon, a luncheon recess was taken.) 8 PANEL THREE 9 THE AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING 10 MR. RAY: Good afternoon and welcome back to the 11 roundtable on internal control reporting and auditing 12 provisions. I'd like to just briefly summarize the rules of 13 the road since we've all had a lunch break now and perhaps 14 some of you arrived over the lunch break for this roundtable. 15 We don't have a whole lot of time as you've probably noticed 16 from the schedule to cover a lot of ground and hear from a 17 fairly large number of panelists, and we want to hear from as 18 many of you as possible on each question that we're about to 19 pose to you. There are no opening statements. We want you to 20 focus on the questions that the moderators will be posing to 21 you. So also please keep your comments as brief as possible 22 while clearly making your points, again so that we can hear 23 from as many of you as possible on each of the questions. I 24 do plan to direct some of the questions to specific members 25 of the panel, to get the discussion rolling. But after that, 1 I certainly do hope that each of you will volunteer by 2 placing your name tents up, to also participate in the 3 discussion of each of the questions. 4 If I don't see many name tents up, I probably will 5 call on one of you. Of course, because of time, I can't 6 necessarily guarantee that I will be able to call on 7 everybody for every question. 8 But I certainly anticipate that we will call on 9 everyone at some point during this panel. So let me 10 introduce the panelists. Beginning on my left, we have Frank 11 Brod. He is Corporate Vice President of Finance and 12 Administration, and Chief Accounting Officer at Microsoft 13 Corporation. 14 Next to Frank is Lisa Flavin. She is Vice 15 President, Audit at Emerson Electric Company. 16 Next to Lisa is Tim Flynn. Tim is Chairman and 17 Chief Executive of KPMG, LLP. 18 Next to Tim is Jay Howell. Jay is Associate 19 Director of Assurance for the Northwest Region of BDO 20 Seidman, LLP. 21 Next to Jay is Leo Kessel. Leo is Senior Client 22 Partner, Deloitte and Touche, LLP. 23 Next is to Leo is Bruce Renihan. Bruce is 24 Executive Vice President and Controller, Canadian Imperial 25 Bank of Commerce. 1 Next is Gary Stauffer. He's a senior partner, 2 National Risk and Quality Practice at PriceWaterhouseCoopers, 3 LLP. 4 Next we have Shelly Stein. Shelly is Chief 5 Operating Officer of Grant Thornton, LLP. 6 Next is Tom Szlosek. Tom is Vice President and 7 Controller, Honeywell International, Inc. 8 And finally Rick Veltschy. Rick is Executive in 9 Charge of Financial Institution Audit Practice at Crowe 10 Chisick and Company, LLP. 11 Now let me introduce the moderators. My name is 12 Tom Ray. Of course, we've all been introduced this morning. 13 Accompanying me on this panel are Laura Phillips with the 14 PCAOB and Nancy Salisbury, from the SEC staff. 15 This panel will address the auditor's role in the 16 internal control process. The objective of this panel is to 17 discuss how the auditor's process for evaluating internal 18 control over financial reporting changed in the second year, 19 and how the audit process may be further improved to achieve 20 greater efficiency and effectiveness. 21 There will be five areas that I wish to cover over 22 the next hour and a half. The first is a response to risk 23 and complexity of the organization. The second relates to 24 the identification and testing of internal controls. 25 The third relates to the effect of company level 1 controls on the audit process. The fourth deals with using 2 the work of others, including internal auditors. Finally, we 3 will discuss the effect of the PCAOB inspections process on 4 the audit of internal control. 5 Now I know we've covered a couple of these subjects 6 already this morning, but they're very important subjects, 7 and I think it's important that this panel, which is composed 8 of different people and a different mix of people, also 9 address those questions. 10 So I feel like I've already spoken too much. So 11 let me go ahead and get started with the first question, 12 which I am going to direct to Gary Stauffer, to get us 13 started in the discussion. 14 So Gary, first question here is how well did 15 auditors vary the nature, timing and extent of their internal 16 control work, based on the assessment of risk of material 17 misstatement, and what sort of strategies we'll employ to 18 make sure that this happened? 19 MR. STAUFFER: First of all, let me thank you for 20 inviting me to participate today. It's good to be here. 21 From an overall perspective, I think companies and auditors 22 modified and significantly changed their audit approach to 23 improve the efficiencies in evaluating internal controls over 24 financial reporting in Year 2. 25 They moved clearly to a more risk-based approach. 1 That allowed them to change the scope of their work, and it 2 also allowed them to vary the nature, timing and extent of 3 their testing. 4 We made significant changes in our approach. We 5 embedded the risk-based approach into our core methodologies, 6 and all our Year 2 training. That includes incorporating in 7 that process the assessment of risk and how it plays on the 8 nature, timing and extent of testing; the use of the work of 9 others and how important that is; how to evaluate and test 10 only key controls. 11 We've heard a lot about the fact that people have 12 tested way too many controls. Finally, we've incorporated 13 into that process a theme on integrating the two audits, to 14 ensure that we get the most beneficial economies out of the 15 audit process. 16 Now in doing that, we issued a briefing paper 17 called "Achieving the Right Balance in the Integrated Audit," 18 and we've issued that to all our audit personnel around the 19 world, to make sure that they have a good understanding of 20 those four areas. 21 As it relates to your question on nature, timing 22 and extent, that paper goes into fairly detail around how one 23 needs to assess risk, and apply that risk assessment to the 24 nature of the testing, the extent of the testing that one 25 does. 1 It's clear from the discussions this morning that 2 people keep speaking about too many people are testing lower 3 level transactional controls, and not looking at the risk 4 effect. 5 I think the May 16th guidance clearly brought that 6 forward, and I think most of us in the profession have 7 clearly driven that home, that the nature of the test, the 8 timing of the testing and the extent of testing should vary 9 greatly, depending on if you're looking at a routine control, 10 or a control that has substantial impacts and complexities to 11 the financial statements as a whole. 12 Now these changes were considered not only to 13 consider effectiveness, but also to make sure that from an 14 audit perspective, we still gain the right amount of audit 15 evidence, to make sure that we're achieving a quality and 16 effective audit. 17 Now all that being said, as you've heard this 18 morning, we did not achieve the full benefits of what I would 19 call the May 16th guidance and the issues that I just listed. 20 We went a long way to get there, but we still have more 21 benefits to be gained, and we clearly are pushing forward 22 that in our current audit training processes and guidance 23 that we're putting out to our practices, and would hope to 24 achieve that as we move forward. 25 MR. RAY: Thanks, Gary. I noticed there are some 1 tent cards up, but I'm looking over to Lisa Flavin, because I 2 think that as an internal audit executive, you might have 3 some perspective you might share with us. 4 MS. FLAVIN: I think overall, our audit team did a 5 very good job of looking at the nature and complexity of our 6 organization, and determining where they were going to test, 7 especially given the multi-location nature of Emerson. 8 But just like everything else, there are -- and we 9 primarily agree with the scoping and the testing that they're 10 doing. But there are some areas that still need to be 11 tweaked, and I'm going to give you an example of that, 12 because I think it's an example that brings home many of the 13 points that were talked about earlier in the first two 14 panels. We have an account that management has determined is 15 not a significant account due to a number of qualitative 16 factors. That account is accrued vacation, and our external 17 auditors agree with that assessment except for the fact that 18 it exceeds a quantitative threshold that their firm has 19 mandated, that causes it to be scoped in as a significant 20 account in any event. Now they've done a good job of varying 21 the nature, timing and extent of their testing given these 22 qualitative factors, and their external audit time and cost 23 is very minimal. 24 But what that fails to incorporate is the time that 25 the entity takes as a result of that being a significant 1 account. What I mean by that is now we are also considering 2 it a significant account. We don't want to have a 3 deficiency in our assessment process. 4 We're also testing the controls over that account 5 because we want to maximize reliance. That involves testing 6 the controls at all the end scope locations. It involves 7 management document controls, pulling documentation so that 8 we can test. 9 It involves tracking deficiencies, although they 10 are very insignificant, to see if they're remediated and 11 documenting the ultimate conclusion. All of that takes, you 12 know, 500 to 1,000 hours of our Company time with very little 13 value add. 14 So there's an example I think of where the cost- 15 benefit equation doesn't make sense. In addition, I think 16 it's an example of what, you know, one of the earlier panels 17 said of this fear of litigation, and maybe fear of the 18 unknown in the inspection process, that the firms, you know, 19 have to institute these minimum thresholds, that they don't 20 want -- they want to make sure they're covering all the bases 21 even though there may be qualitative factors that make that 22 not make sense. 23 It's also a good example of if we are going to test 24 in that area, a monitoring control would be much more 25 efficient in covering off the risk of the material weakness. 1 So I think that's another example that we need to -- I think 2 we need more guidance on where or examples of where 3 qualitative factors may override a quantitative threshold. 4 MR. RAY: Thank you. Bruce Renihan. 5 MR. RENIHAN: Thank you. I'd certainly agree with 6 many of the statements that were just made. My starting 7 point would be that in Year 2, I think it was more about 8 increasing the effectiveness of the SOX work, including the 9 SOX audit work. 10 I think Year 1 was pretty much of a scramble, and 11 it was done reasonably well, but just to use some indicative 12 metrics, we probably ended up the year with a order of 13 magnitude a few hundred small deficiencies, you know, some 14 aggregated up to a significant deficiency, but in the 15 aggregate just a range of areas that we needed to make modest 16 improvements in our control environment. 17 Over the course of year 2, we remediated 90 percent 18 of those. In spite of which, we managed to find probably 19 close on 200 other deficiencies in Year 2 that really clearly 20 existed in the prior year. So I think Year 2 for us was 21 about getting better at understanding what the key controls 22 are, testing them, just generally getting smarter. I think 23 that was a journey for management and for the auditors. 24 Now we're getting to the efficiency aspects in Year 25 3, and certainly the issue, for example, of scope of 1 coverage, in our view being somewhat inconsistent, to say you 2 must, you know, cover 70 percent of the financial statement 3 dollars. 4 For example, in your coverage, without regards to 5 the risk of those individual accounts, that drives the range 6 of work and you were provided an example of that. 7 So the thing certainly that we would find very 8 useful would be to be able to reduce the amount of low level 9 testing, to be able to leverage off the company level 10 controls and including, very importantly, the very 11 significant SOX compliance processes that we have, and that 12 are subject to audit, and that our auditors make use of, as a 13 basis to meaningfully reduce the amount of work. 14 MR. RAY: Thank you. Frank Brod. 15 MR. BROD: Well, thank you Tom, and thanks for 16 having me amongst all of you today. I did want to make a 17 comment on the guidance that was issued last year. I think 18 it was extremely helpful, and it really brought a bit of a 19 change, more of a sea change, in the way auditors and their 20 clients acted together in a much more collaborative fashion. 21 The guidance came out in May, though, and many of 22 these internal control audits for the calendar year 2005 were 23 already underway and already been scoped and all. So it 24 wasn't -- it wasn't fully implemented in 2005. So we'd 25 expect some additional benefit. 1 The organizations that I'm familiar with actually 2 worked with the auditors through an enterprise risk model, 3 looking at those things that impact financial reporting, and 4 by way of that together reduce the number of critical 5 controls that have identified from very large numbers. 6 There was a reduction at both Dow and at Microsoft 7 in the 30 percent range in the second year, and then probably 8 a very similar amount in the next year, to test those things 9 that really matter and not every supplementary and 10 complementary control, during walk-throughs have been done 11 between internal audit and the auditors. So that's also been 12 helpful in terms of disruption to the organization. 13 The guidance, though, still is in conflict, though, 14 with AS-2, and that you know, I would urge the PCAOB and the 15 SEC to address, because it does push you down to a very low 16 level of detail on a transaction basis. 17 This more than a remote possibility of more than 18 inconsequential drives you down to the transaction levels, 19 and that goes against this looking at the high level of risk. 20 You also -- this every year should stand on its 21 own. You know, we wouldn't be here talking about Year 2 if 22 these years are on a continuum. You know, what you learn in 23 a previous year is very important, as to how management 24 behaves, but also how the auditor should go through things. 25 I would very much urge you to look at that, to find 1 a way that the knowledge gained in one year can be used to 2 benchmark and be part of that risk analysis and the testing 3 in the years to come. 4 Because if you have a stable process, whether it be 5 an IT control or a management control, if it hasn't been 6 altered, it continues to operate. You know, there's not -- 7 you know, you can do some sampling testing. 8 You don't have to go through a whole walk-through 9 again to tell yourself that everything's fine, either from 10 management's side or the auditor. 11 So those were some of the things that I would want 12 to add. When we get into the inspections later, I think that 13 -- the fact that those reports are not out in any sort of a 14 timely fashion. You know, here we're two and a half years 15 into this, and as a registrant, I have no idea of what they 16 found in any, you know, the PCAOB inspectors had found on an 17 internal control audit. 18 You know, this cloud that hangs over this process 19 does impact people's behavior, because no one wants to get on 20 the wrong side of the inspector, whether you're the auditor 21 or the registrant. We need to find a way to accelerate that 22 information, make it useable and put it in a format that is 23 helpful to the overall process. 24 MR. RAY: Thanks. I'm going to call on Jay Howell, 25 and then we're going to pose a follow-up question in this 1 same area. Go ahead, Jay. 2 MR. HOWELL: Thanks, Tom. At BDO, we also found 3 the May 16th guidance to be very helpful, and we don't -- 4 we've integrated it into our policies, in our tools. We've 5 trained our people on that guidance. 6 We don't feel strongly about integrating the May 7 16th guidance into the existing standard or not either way, 8 from our perspective. 9 What we really think is needed for us in Year 3 is 10 just the additional experience and judgment going forward. 11 As we proceed, we've gained the benefits now in Year 2. We 12 have a tremendous amount of additional experience and 13 judgment, and that's what we're focusing on within our 14 training, and in our people is the education and judgment 15 factor. 16 Judgment is crucial. It takes time to develop, and 17 my biggest concern with respect to judgment is that we're not 18 being consistent, one within BDO but then two, out within the 19 profession. So I think that the consistency factor is 20 important for the PCAOB in particular to focus on in the 21 inspections. 22 We're really hoping to get additional insight from 23 the inspection process as to what we're doing, and ways we 24 can do it better, and being consistent with the marketplace 25 as well. Thanks. 1 MS. PHILLIPS: So far the discussion really has 2 covered responding to risk and complexity broadly. I would 3 like to focus the discussion now on the types of adjustments 4 that auditors have made to their audit approaches for less 5 complex and smaller accelerated filers. 6 How have auditors scaled their work to these types 7 of entities, and is there a need for additional guidance or 8 changes to the rules or standards in this regard? 9 MR. RAY: Yes, go ahead Leo. You had your card up 10 earlier. 11 MR. KESSEL: Yes. First, I appreciate the 12 opportunity to be here. I do want to just echo that I think 13 there have been measurable benefits that came out of this 14 process, and I think the May guidance was particularly 15 helpful. 16 But clearly companies and auditors did sit down 17 before the May guidance. We did a post-mortem when we 18 completed them. I'm actually a partner who has signed 19 internal controls reports. So I've been through the process. 20 We sat down with management through the CFO level 21 and we discussed what are the opportunities to improve the 22 efficiency and maintain the effectiveness. 23 One of the key things that I think many companies 24 wrestled with is how do you make Year 1, which was a project, 25 into a sustainable process? So we spent time thinking about 1 that. 2 I think in the areas where the guidance was helpful 3 is improving, you know, the way we looked at multi-locations. 4 We placed greater reliance on internal audit. The company I 5 was responsible for has many, many small manufacturing 6 plants, and the level of work that internal audit had done at 7 that allowed us to leverage a lot of that work. 8 Certainly, and also just as an example, they had 9 many legacy systems. They're not on common systems and 10 processes. So I think the company learned something through 11 this process as well, the importance of moving to common 12 systems and processes. 13 But in Year 2, we didn't feel the need to test all 14 of those legacy systems. We did enough work to satisfy 15 ourselves that there hadn't been changes, substantive changes 16 in the systems or processes. So we took advantage of that. 17 Then also, you know, just in terms of defining the 18 classes of transactions, we looked at that at a higher level, 19 to again make sure we were focused on the highest risk areas. 20 I think as the companies, not only the auditors, 21 get more experience in dealing with the risk assessment 22 process, I think you're going to see improvement in Year 3 in 23 that arena as well. 24 MR. RAY: Rick Veltschy. 25 MR. VELTSCHY: Directly to Laura's point of 1 scalability or reaction for smaller companies, I think that 2 the key thought process needs to be that smaller companies 3 are not all about the technical compliance with the standard 4 and with the SEC rule. 5 The challenges with the smaller companies also 6 often surrounds simply the organization of the process, to 7 get an internal control assessment done. Our experience was 8 that in Year 1, many of those companies struggled with those 9 project management aspects of this new challenge. 10 If you recall, the Commission and the PCAOB 11 provided an extended time period for companies to file their 12 initial internal control reports. 13 More than two-thirds of our accelerated filer 14 clients took advantage of that accelerated time frame, which 15 speaks to the fact that perhaps things were not as well 16 organized as they could have been, or as timely and so forth. 17 So really one of the strategies, I think, that 18 public accounting firms had to employ in working with those 19 companies was simply focusing on logical work flow sequences 20 that could make an integrated audit take place. 21 The good news is that in Year 2, if you look at 22 just that project management aspect of things, I think all 23 but one of our clients were able to timely file, and it 24 allows -- and now that the project management aspects have 25 been taken care of, you now can begin to focus on the 1 technical issues associated with an integrated audit, and 2 look at the opportunities for efficiency that would derive 3 from better reliance on the work of others and so forth. 4 I think this project management mind set and factor 5 is a very important issue, as it relates to again the smaller 6 end of the accelerated filer group. It will be an even more 7 important factor to the extent that those companies that have 8 not yet implemented the internal control requirements do have 9 to come on stream. 10 MR. RAY: Gary Stauffer. 11 MR. STAUFFER: Directly to your question, Laura, we 12 do believe that AS-2 is scalable. We would agree, as many 13 have said this morning, that additional guidance, 14 particularly practical guidance on how to scale it to smaller 15 companies, is important. 16 We would not believe that AS-2 needs to be 17 fundamentally changed. In fact, we think the fundamentals of 18 AS-2 around reasonable assurance, materiality, principle 19 level of evidence and integrated audit, are clearly 20 fundamentals that need to stay and apply to both large and 21 small companies. 22 I'd like to just address one point that was 23 mentioned earlier, and also Frank mentioned it. It goes to 24 this issue around significant deficiencies, and the point 25 that Professor Grundfest made this morning. 1 The idea that the auditor is in some way setting 2 their scope on the basis of materiality at an inconsequential 3 level. That's not what AS-2 would provide for, nor do I 4 believe the profession is doing. 5 I think scope is set at materiality levels, 6 equivalent to how the auditor has historically judged the 7 financial statements, and that's just used as a benchmark, 8 five percent of pre-tax income. 9 So when you speak about inconsequential and the 10 size of that number being so small, that's not where the 11 scope of the audit is being set, and therefore is not 12 affecting the level of work that's being done. 13 Now once an exception or a deficiency is found, 14 there is an effort to try to evaluate that deficiency, into 15 whether it's a significant deficiency or a material weakness. 16 That's where the process comes in of using the 17 words "inconsequential." So there's not an effort to do that 18 from a scoping perspective in setting the work. One final 19 comment on the materiality, quantitative materiality. 20 It's difficult to walk away from an account that's 21 15 percent of your overall pre-tax income, and could result 22 in a material misstatement to the financial statements, just 23 because it's qualitatively immaterial. 24 From a qualitative perspective, people wouldn't 25 look at it as qualitatively immaterial. It can result in a 1 material misstatement to the financial statements, and I 2 think you only need to look at Worldcom and the issues around 3 fixed assets there. 4 Most people would say fixed assets is a very low 5 risk control. In fact, many of the problems at Worldcom were 6 caused by lack of controls over capitalization in the fixed 7 asset area. So absolutely you shouldn't spend a lot of time 8 on it. Neither management or the auditors need to spend a 9 lot of time on it. 10 We can vary the nature, time and extent of the 11 testing to a relatively low level. But some level of effort 12 needs to be put on that account, because in fact it is 13 material to the financial statements and could cause a 14 material misstatement. 15 I agree wholeheartedly with a comment made earlier, 16 that monitoring controls could be just that control that 17 could be looked at, so you don't have to go down into the so- 18 called weeds to test transactional controls in the account 19 that qualitatively isn't viewed as material, but 20 quantitatively is. You can use that monitoring control to 21 achieve the same objectives. 22 MR. RAY: Thank you. Commissioner Glassman? 23 COMMISSIONER GLASSMAN: Thank you. I have a 24 question that I guess goes to all of you, although I would 25 especially appreciate the feedback from the businesses that 1 are represented. 2 Can you conceive of a different role for the 3 auditors, rather than having the auditors test the controls 4 themselves, which seems to be what's happening? Have the 5 auditors reviewed your process and your implementation of 6 that process to determine whether your assertion seems 7 reasonable? 8 MR. RAY: Go ahead Tom Szlosek. 9 MR. SZLOSEK: Yes. I'll try that one. Yeah, 10 actually you know, we've given that one a lot of thought. 11 Maybe in the first year I would have said that it's 12 inconceivable that you could move int hat direction. 13 But as the guidance came out, and as the clarity 14 and the consensus and the collaboration between the auditors 15 and management have improved in Year 2, and I think in Year 3 16 even more so, you know, I start to see a blurring of the 17 lines between, you know, the management testing on controls 18 and the auditor's testing of controls. 19 You know, we agree in almost all aspects of scope. 20 We agree on locations. We agree on key controls to tests. 21 We agree on how to evaluate findings. So you know, we're 22 working hand in hand, and to think that they're two separate 23 processes. 24 At this point, as I said, the distinctions between 25 the two of them are blurred. So I really think, and I'm not 1 sure whether it's a legislative relief or whether, you know, 2 it's within the scope of PCAOB, but to look it as yes, you 3 need a report on internal control, but that report comes from 4 management. 5 You know, the role of the auditor could be what it 6 is in the first part, which is to issue a report on 7 management's report, and you know, not to have that second 8 report. 9 MR. RAY: Would others like to comment on that? 10 Oh, I'm sorry. Frank. 11 MR. BROD: No, that's fine Tom. I was just going 12 to concur with what our friends from Honeywell said. This 13 process has moved sufficiently or significantly from the 14 first year to the second and now the third, where there is a 15 level of redundancy. 16 But both the auditor and the registrant are very 17 much tied together from a process standpoint, and have the 18 same understanding of what needs to be tested and all. So 19 there could be some efficiencies in that without having any 20 negative impact on the quality that results. 21 The auditor still needs to do some level of 22 internal testing as part of their scoping, which has been the 23 traditional internal control they did prior to SOX. 24 MR. RAY: Shelly Stein. 25 MS. STEIN: I think Frank hit on some of the points 1 that I wanted to make in response to that. But it's 2 important to recognize that if the auditors are going to do 3 some testing, they actually have to be able to test 4 management's assertions on these things. 5 You can go back to the days of when FIDICIA was 6 implemented, whereas we relied on what management said. Yet 7 we have found through the testing, as it related to SOX, that 8 there have been a number of issues where we found material 9 weaknesses. 10 So there's got to be an appropriate balance here, 11 and it can't be all one way or another, and I think we've got 12 work at it in terms of determining what the appropriate 13 balance is. 14 MR. RAY: Okay. I'd like to hear from Bruce 15 Renihan, and then I'm going to move onto the next question. 16 Thank you. 17 MR. RENIHAN: I think that the owner's involvement 18 within our firm in respect of our overall SOX compliance 19 process is very significant, and it's highly transparent. 20 So I think the end result of a range of work that 21 is done by the external auditor is not so much driven by 22 whether they, and this is obviously my assessment, whether 23 they believe that they will find a control issue or 24 deficiency, but it's driven by documentation requirements, 25 because there's enough interaction for them to have a sense 1 of comfort with respect to the controls. 2 When you get therefore to a situation where now 3 there's a sample size that has to be addressed, indeed I 4 think what we're seeing is kind of a hard stop at the level 5 of 50 percent of whatever that sample is, you know, equals 6 principle evidence that the auditor will -- the external 7 auditor will identify the transaction and do the testing, and 8 obviously we're scrambling around to try to provide all of 9 that information. 10 Now that's down from close to 100 percent in Year 11 1, where all of the testing was selected by the external 12 auditor. So there is some leveraging off the work of 13 management and internal audit. 14 But it's still very quantitatively driven, in my 15 experience. 16 MR. RAY: Okay. I'd like to move on to more 17 specifically to question directed to the identification and 18 testing of controls, and I'm going to ask Lisa Flavin to 19 comment and get us rolling on this subject first. 20 The question is, did management and the auditors do 21 a better or worse job at identifying significant accounts, 22 significant processes and major classes of transactions this 23 year, and how did that affect the number of controls tested 24 by management and tested by the auditors? Lisa Flavin. 25 MS. FLAVIN: We certainly did a much better job in 1 Year 2. I think we scoped out roughly 20 to 25 percent of 2 the controls that were tested in Year 1. We also got 3 agreement on those controls, between management and the 4 external auditors. So I feel very confident that we're 5 headed in the right direction in that respect. 6 As I said before, the only issue we have and the 7 only tweaking is with respect to significant accounts, and we 8 still have a couple of discrepancies in that area. 9 MR. RAY: I'd like to go ahead and add a follow-up 10 question, and if you want to comment on that one, the 11 previous question, please feel free to do so. 12 Perhaps a little bit more pointed question here. 13 Would it be appropriate to allow some kind of rotation of 14 testing from year to year, and how would that work while 15 still providing the auditor with sufficient evidence to 16 support his or her opinion on internal control. 17 I think I saw Frank's card go up first. 18 MR. BROD: Well thank you. As the former chair of 19 the Committee on Corporate Reporting at FEI, we have 20 suggested that very topic in each of the comment letters 21 prior to AS-2 being developed, at last year's roundtable and 22 again in our comment letter this time. 23 It is an area where I think this concept of 24 learning as you go through this audit, that you should 25 -- just as you do in all other aspects of life, learn from 1 what you have, and you know, spend your time on those things 2 that need the attention. 3 Part of that assessment is just how good things 4 were in the past, and whether anything has changed at all in 5 their effectiveness in time. It shouldn't have to call for a 6 complete retest on everything every year. 7 So this -- you know, I know the word "rotation" 8 doesn't set well with a lot of people, but maybe the word 9 "benchmarking of controls" may be a better term for that. 10 But to set what the acceptable level is and test to 11 see if there's been change, you know, on a limited basis and 12 where they find there's some variability, then you go in and 13 do a much more detailed test. 14 But that is something we have advocated, I think 15 would cut down on the cost. You touched on cost earlier, you 16 know, and everybody's happy that the cost of compliance has 17 gone down in Year 2. But remember, if you just look at audit 18 fees, they went up 50 percent the first year. They've gone 19 down about 20. 20 There is an embedded permanent 30 percent increase 21 in audit fees that's going to go on forever, and with 22 integrated audits, we'll never be able to separate the two 23 again. 24 MR. RAY: So Mr. Brod would you envision that there 25 could be some accounts where neither management nor the 1 auditors tested them specifically in a particular year. 2 MR. BROD: When you use the word "account," I would 3 say "yes, there are," because you should be queuing on those 4 critical accounts, and if you do a good job of identifying 5 those, you know, you will have some -- you know the auditor 6 may not test every account every year, just as they don't 7 test every transaction now. But they're looking for relative 8 assurance, not absolutely assurance. 9 But you would look at your -- management is going 10 to have people looking at all accounts. That's part of the 11 whole financial reporting process. So I wouldn't give the 12 impression that they're untouched or unlooked at in that 13 process. 14 But the auditor may not look at all internal audit 15 does in our companies, but do a rotation of tests based on 16 risk and geographic complexity as well. 17 MR. RAY: Lisa Flavin. 18 MS. FLAVIN: Tom, I think this one relates directly 19 to a conversation we had earlier on one of the panels about 20 the fundamental improvement, I think, that we can make, is 21 finding that right balance between company level and 22 monitoring controls, and the process transactional controls. 23 In some cases, we had deficiencies at the processor 24 transaction level, that are not going to rise to the level of 25 material weakness because of these overall company level and 1 monitoring controls. 2 However, we don't want to totally ignore those 3 detailed transaction controls either, because they are 4 important. But maybe the equation of finding the right 5 balance is focusing on company level monitoring controls on 6 an annual basis, and rotating those more detailed transaction 7 process level controls. 8 MR. RAY: Jay Howell. 9 MR. HOWELL: My view is that the auditor is going 10 to issue an opinion on the effectiveness of controls each 11 year, and that should be based on testing of significant 12 accounts in each year, by either the auditor and/or the 13 company. 14 I think that you can have some degree of rotation 15 of that testing, and that the standard currently permits 16 that. Paragraph 126 indicates in the use of the work of 17 others, that the auditor can in certain instances for a low 18 risk account, fixed assets, payroll accrual for instance, 19 rely entirely on the work of others in a given year. 20 You might not choose to do that every year, but I 21 think that there should be some testing by either management 22 or the auditor, of that account. I think every account 23 that's significant will probably have some degree of risks 24 that should be looked at each year and say, you know, is 25 there something new; are we really addressing this account 1 effectively. 2 There's new accounting standards that come out 3 periodically; with respect to even vacation accruals there's 4 a new accounting standard that is going to probably trip some 5 companies up and have restatements as a result in that 6 account. 7 So I think most accounts that are materially 8 significant, say the five percent level, should be scoped in 9 each year. 10 MR. RAY: Tom Szlosek. 11 MR. SZLOSEK: Yes, Tom. Not that I like it, but I 12 think the quantitative approach for risk assessment that was 13 kind of alluded to, you know, earlier in this panel and other 14 panels, I think that kind of inhibits rotation, in the sense 15 that if you're looking at the number of locations that you 16 want to test to get your coverage, whether it's 60 percent or 17 70 percent. 18 I mean somebody at lunch said you needed to get 80 19 percent, but I chose to ignore that. But you know, you're 20 going to do what you would expect. You'd go from the 8020 21 rule and pick, you know, all the big sites until you got, you 22 know, close your coverage. 23 Well you know, every year, you know in a reasonably 24 stable company, those sites are going to be the same. You 25 know, you're leaving out 40 percent or 30 percent of the 1 other sites where, you know, arguably there was more risk, 2 because they're remote sites, they're smaller, they're in you 3 know, emerging markets or whatever, and they have a greater 4 chance of having a misstatement. 5 So I think if we're again being more conscientious 6 about qualitative as much as quantitative risk that you 7 referred to. 8 MR. RAY: Okay. We'll hear from Rick Veltschy and 9 Gary Stauffer on this question, and then we have another 10 follow-up question in this area we would like to pose. 11 MR. VELTSCHY: Tom, I think that, I guess to answer 12 your question most directly, I think that it would be 13 possible to have that type of rotation in some fashion. I 14 really think this question drives to the concept that was 15 alluded to on an earlier panel, that we really need to see 16 more and more, I believe, divergence between how management 17 conducts its assessment and how the auditor conducts their 18 assessment. 19 I believe that management has a great deal more 20 information available to them on a day-to-day basis, because 21 of the operation of their company, in terms of opportunities 22 to detect control weaknesses. Production people see changes 23 in volumes. Things happen because, you know, Betty and Steve 24 were talking over the water cooler and notice a behavioural 25 change. 1 Companies gather and have available to them much 2 more than the auditor, and I don't think that that 3 distinctiveness of knowledge has been taken into account very 4 well because of the lack of company guidance and some what I 5 like to call is an auditor-centric approach. So I think as we 6 see the company assessments evolve and mature, particularly 7 in the smaller companies. I think that we'll be able to see 8 auditors taking different approaches to getting to their 9 level of comfort, perhaps relying in more imaginative ways on 10 management's assessment process. 11 So I really do think that the concept of being able 12 to say I'm going to perhaps not test a particular area in a 13 particular year, I think you may be able to get there as you 14 learn more about how companies do their own assessments. 15 MR. STAUFFER: I think in general the concepts of 16 rotation are clearly achieved in just a pure concept of 17 varying the nature, timing and extent of work, and changing 18 predictability in the audit process, and using the work of 19 others. 20 I think all the firms have a concept that in low, 21 routine controls, the auditor can rely 100 percent on the 22 work of others. So if there are those areas that are less 23 risky, have low inherent risk, low complexity, non-pervasive, 24 no history of errors, that work can be limited dramatically, 25 just by varying the nature, timing and extent of the testing, 1 and still gain enough evidence to be able to draw the 2 conclusion on internal controls over financial reporting as a 3 whole. 4 I would just want to make one follow-up comment to 5 Commissioner Glassman's comment about just auditing the 6 assessment. In my view, the audit clearly -- the internal 7 controls over financial reporting clearly adds value, just as 8 an audit of the financial statements adds value to the 9 reliability of those financial statements and the public 10 trust in those. 11 By evaluating only the assessment, the auditor only 12 evaluating the assessment, you will not get that same 13 reliability and public confidence as you do by auditing the 14 internal controls, and be satisfied that they're 15 appropriately working. 16 MS. PHILLIPS: Before we leave the area of 17 identifying and testing controls, I want to be sure that we 18 focus at least briefly on testing IT controls, which got some 19 discussion this morning. 20 But I want to get some insight from you panelists 21 on the remaining challenges that face auditors as it relates 22 to identifying and testing IT controls. 23 MR. RAY: Lisa Flavin. 24 MS. FLAVIN: This is one area that we actually 25 scoped in more controls in Year 2 than in Year 1, in the IT 1 general control area. I think there's confusion in this 2 area, because of the term "pervasive," that there's a 3 tendency in the IT general control to put too much emphasis 4 on those controls. 5 If you take any, virtually any given single control 6 in the IT general control area, those controls -- that single 7 control doesn't necessarily have a pervasive effect 8 individually. 9 There needs to be more of the risk-based approach 10 in determining which controls we're going to test in that 11 area, and maybe we start out with looking at access controls 12 and program change controls, and if there's issues in those 13 areas, then expand. But not scope in every single IT/GC 14 control. 15 MR. RAY: If no one else would like to comment on 16 that, I'm going to move on to the next subject. Gary 17 Stauffer, did you want to comment? 18 MR. STAUFFER: Yes. I think general computer 19 controls are very important, and I think historically, many 20 companies have had a difficult time achieving those controls, 21 particularly in access controls and change control 22 procedures. 23 The benefits are huge, as it was discussed earlier. 24 If you can have IT general computer controls in place and 25 working, the level of testing on the automated application 1 controls will drop dramatically. 2 That in itself should change substantially the 3 level of work both management and the auditor can do, and 4 that's the benchmarking concepts that I think are well 5 brought-out in the May 16th guidance, and can be taken 6 advantage of. 7 So I think IT general computer controls are a very 8 important process and can be a major impact on the 9 efficiencies of the process. 10 MR. RAY: Frank Brod. 11 MR. BROD: Yes. Let me just echo Lisa's comment. 12 So that's very important. You need to test the IT general 13 computer controls, but you should do it on a risk basis, 14 because not every general control has an impact on financial 15 reporting. 16 I think that's been lost in some of the audits that 17 have been done on internal control, which has resulted in a 18 lot of extra work in a lot of companies. I know we heard 19 that quite a bit from our CCR member companies. 20 MR. RAY: Thank you. I'm going to move on now to 21 the next subtopic, which is the effect of company level 22 controls on the audit process, and I'm going to ask Jay 23 Howell to start us off in that discussion on this question, 24 which is how well do auditors understand the concept of 25 company level controls, and what effect does the testing of 1 those controls have on the auditor's work on other key 2 controls? Jay Howell. 3 MR. HOWELL: Thanks, Tom. First with respect to 4 company level controls, some companies also refer to them as 5 entity-level controls, and in general I think of them as 6 comprising the control environment, tone at the top, 7 monitoring controls, risk assessment, IT/GC. 8 They generally wouldn't include the control 9 activities component of the five components of COSO. I 10 believe the company level controls are an essential element 11 of an effective control environment, and they're very 12 essential in considering the risk down approach. 13 But I also believe that the control activities, the 14 more detailed controls are also an essential element of an 15 effective control environment, and that testing of both the 16 company level controls and the control activities needs to 17 occur. You can't just rely on testing of the company 18 controls. They're just one component of an effective 19 internal control environment. 20 Paragraph 54 of AS-2 indicates in fact the testing 21 of company level controls alone is not sufficient, and I 22 would agree with this. 23 When company level controls are strong or 24 effective, and I prefer to use the word "strong," because I 25 think of it as a continuum; it's not an on/off switch, an 1 auditor might choose to rely entirely on the work of internal 2 audit or others in some low risk areas, like we discussed 3 earlier. 4 So there's tremendous benefits to having a strong 5 control environment, company level controls with respect to 6 efficiency. You know, and the rotation concept or what Gary 7 described earlier, and varying the nature, timing and extent 8 of the auditor's testing, the auditor will have a lot more 9 flexibility with respect to their testing approaches, in a 10 strong control environment, and where strong company level 11 controls are established. 12 Where we fall short is that the company level 13 controls within AS-2 is probably the least described areas, 14 as far as how an auditor is going to go about testing that 15 controls. So I believe that additional guidance would be 16 useful in that area for the auditor, in testing company level 17 controls. 18 Then for companies, I also think that the guidance 19 is fairly minimal in what a company needs to do to document 20 and test their company level controls. I used to think that 21 this was limited primarily to the smaller companies, but I'm 22 now suspecting that all companies probably could use more 23 guidance in this area. 24 I noted the recent Institute of Internal Auditors 25 report that was published a few days ago, that's a management 1 guide on implementing Section 404. That guide talks about 2 the importance of company or entity-level controls, and that 3 failures in entity-level controls caused a number of the 4 major financial failures over the past few years. 5 However, when you go through the details of that 6 guide, there's really very little guidance in that guide for 7 management, on what they should do to document and test 8 company level controls. I think that for me highlighted the 9 need for that type of guidance. 10 MR. RAY: Bruce Renihan, and I think I also saw Tom 11 Szlosek raise his card. So as soon as Bruce is finished, 12 please go. 13 MR. RENIHAN: Yes. Our entity-level controls, in 14 our view, are critical, and we see those as something that 15 need to be looked at annually. We've found the process of 16 looking at those controls, all the way through, you know, 17 what's happening at the board level, all those 18 responsibilities, accountabilities, and you know, testing, 19 competency of staff. 20 Those range of issues are critical to the 21 management and in a continuing look at those reinforces their 22 importance, and also provides, I think, you know, a lot of 23 comfort to both management and auditors. We diligently 24 document that, and our auditors pay due attention to it. 25 I'm concerned that SOX processes and the work that 1 we've all gone through has diminishing value going forward, 2 relative to work effort, because in the first instance, it 3 was very important for many companies to actually come to 4 understand what their key controls were, and it wasn't 5 necessarily all that transparent. 6 It's been a significant learning effort, and it's 7 allowed a number of us to have a better understanding of 8 processes and consistency of processes and standardization of 9 key controls and the like. 10 I think that we built up a significant SOX 11 infrastructure to support the work that is going on. I'm 12 much more interested in leveraging that infrastructure 13 against issues of legislative compliance and operational 14 process controls, which in particularly the last is, you 15 know, where companies can most significantly benefit, I would 16 say. 17 So to fully implement COSO against, you know, the 18 infrastructure that we've in effect been forced to put in 19 place, but very valuably were forced to put in place, I am 20 concerned, though, to repeat on diminishing returns to that 21 initial value. 22 MR. RAY: Tom Szlosek. 23 MR. SZLOSEK: Yes. On company-level controls, I 24 hear what everybody's saying about the importance of them. I 25 mean AS-2 is clear that, you know, the whole sequence starts 1 with company level controls. The whole audit sequence starts 2 there. 3 I also agree with what Jay said, that you know, 4 after that there's not a lot of additional guidance. That's 5 maybe why what I've seen in practice, both you know, our own 6 management testing as well as, you know, our external 7 auditor's testing. 8 The company-level controls, you know, for the first 9 two years have been more of a check the box at the end of the 10 process kind of exercise, really. Or as a means of 11 mitigating or identifying compensating controls for, you 12 know, the detailed process controls that you've tested and 13 found deficiencies in. 14 So it's kind of unfortunate that, you know, it does 15 have the prominence in everybody's mind. But I think in 16 practice, you know, there is much more opportunity to use at 17 the front end to help with the risk-based audit approach. 18 So you know, in the third year, our Audit Committee 19 has actually picked up on this point. We spent 30 minutes in 20 our last meeting with them in the first quarter, just going 21 through our company level control framework, and what the 22 elements of it are and how we're testing it. 23 They're looking for us and for our auditors to 24 place a much bigger emphasis on that. So I think we've got 25 to keep going on that. 1 MS. SALISBURY: Just a quick follow-up on that. I 2 mean, do you have in mind what exact changes you might be 3 making, placing reliance on your company-level controls? I 4 mean, what are you guys thinking? 5 MR. SZLOSEK: Well, first we've defined our 6 framework. So for us, it starts with a baseline of all our 7 policies and procedures, like our code of ethics, our 8 controllers accounting policies, the company policies and 9 procedures. Then at the top is, you know, the oversight, you 10 know. 11 The Audit Committee, we have what we call a SOX 12 Committee, which is, you know, all the controllers and 13 control managers in the business, and we have internal audit 14 out there in the oversight. Between the two is, you know, 15 all of the execution of the different company-level controls. 16 So for example, you know, somebody alluded to a 17 monthly operating review, where you're comparing your actual 18 results to, you know, budget and looking at variances, to see 19 if there's not only an operational issue but, you know, 20 whether there's -- the actual numbers make sense. 21 So we've kind of defined that in a very 22 prescriptive framework, and have taken that out to our 23 controllers, and are taking it out to all of our reporting 24 locations, so that they can understand what we mean by every 25 element of the framework, and that they have to develop 1 specific test plans to ensure that those are in place and can 2 be relied on. 3 Then, you know, from that, we are changing our 4 scope of location, so that we can -- if the company-level 5 controls are in fact demonstrated to be in place. But we 6 want to go to other locations that we haven't hit in the last 7 couple of years, and make sure they're starting to get 8 rotated on the process. So it's an opportunity for us. 9 MR. RAY: Gary Stauffer. 10 MR. STAUFFER: Yes. It's interesting. Company- 11 level controls in Year 1 were left to last, weren't well- 12 understood, were referred to as "the softer components," and 13 didn't have a lot of guidance. 14 So I agree with many of the comments. They weren't 15 necessarily considered in Year 1. I think the guidance put 16 out on May 16th, with the top-down approach in mind, clearly 17 refocused that effort. 18 We spent a lot of time trying to put that in 19 perspective, to make sure our audit teams that into 20 consideration. Company-level controls become an important 21 element in determining the nature, level and extent. 22 If you have strong company-level controls, low 23 complexity, routine controls, low inherent risk, in an 24 account like accrued vacation that should have a substantial 25 impact on the level of testing you're going to do. So I 1 think company-level controls directly play into that. 2 If you have a company-level control that operates 3 at the level of precision that allows you to achieve the 4 objectives that you're trying to test for, you can eliminate 5 all the routine testing. 6 That gets back to the comment made earlier about 7 monitoring controls. Those monitoring controls many times 8 can achieve that level of effectiveness and precision. 9 So if it does, you can eliminate the process. So 10 we're gaining on company level controls. I don't think we 11 have it right yet. I think there's more benefits to be 12 gained, and we continue to push on that. But I think it's a 13 very important aspect of the overall audit process. 14 MR. RAY: Thanks, Gary. Let's move on to the next 15 subject here, which is using the work of others. I'm going 16 to ask Tom Szlosek to start us off on a discussion on that 17 point, and specifically did auditors increase or decrease the 18 degree to which the work of others, such as internal 19 auditors, was use din the second year? 20 Specifically, are there opportunities to increase 21 reliance on that work in the future? 22 MR. STAUFFER: Yes. Thanks, Tom. When I think of 23 work of others for auditors, I first think of our internal 24 group, and our group, our internal audit organization is 25 headed by a former Big Four partner. 1 They have been able to demonstrate competent 2 subjectivity, independence from management. In fact, they 3 don't participate in any of the management testing. You 4 know, our Audit Committee has kind of drawn that line that, 5 you know, they're going to be independent and not involved in 6 that. So there's a very clear opportunity that this is a 7 group that can be relied on. 8 Unfortunately in practice, we just haven't seen it. 9 We haven't seen anything beyond, you know, sharing of audit 10 reports maybe, and that tends to create more work as opposed 11 to less work, because you know, when the external auditors 12 see findings in the audit reports, in the internal audit 13 reports, they tend to want to spend more time in those areas 14 as opposed to trying to understand how we've rectified them. 15 So we've sat down with our external auditors this 16 year and we both have kind of seen that this is an 17 opportunity. We're looking at it to create efficiency, and 18 you know, we're now at the point of sharing risk assessment, 19 one another's risk assessment, and ensuring that instead of, 20 you know, a direct supervision kind of arrangement, that the 21 external auditors are actually spending time understanding 22 how and where our internal auditors are working, where they 23 see the risks and how that can contribute to the evidence 24 that they need to collect for the opinions they need to 25 issue. So it's an opportunity, and we're on it for Year 3. 1 MR. RAY: Rick Veltschy. 2 MR. VELTSCHY: I think our experience would mirror, 3 to some extent, what Tom's described. I earlier described 4 what I felt was a situation where in Year 1, it was very 5 difficult to integrate the audit due to project management 6 issues. 7 I think in Year 2, the audit got integrated in 8 terms of the auditors, control on substantive audits, as well 9 as good project management and logical time lines with the 10 registrant. 11 In our firm, we are working very hard to accomplish 12 what Tom just described, which is begin the audit planning 13 with the concept of maximization of reliance on the work of 14 others. 15 That's just very roll up your sleeves detail work, 16 and we're accomplishing that by simply sitting down with our 17 clients and going through every key control, asking the 18 questions jointly, does this control need to be tested to 19 achieve the objectives. Then asking the next question, which 20 is if it's tested sufficiently by others, do we as the 21 auditor need to test that particular control ourselves? 22 I think what we're finding is that we're trying to 23 change our mind set. AS-2 has a principle evidence standard. 24 That standard is that the auditor needs to -- you know, they 25 need to themselves gather the principle evidence from which 1 their report rests. 2 We think that when you work through the parts of 3 the audit where the auditor must, is compelled by AS-2 to do 4 the work themselves, that you may have come a long way 5 towards that principle evidence standard. 6 So we're beginning with the idea that if we think 7 management's assessment is good, we can rely on the work. As 8 we are going through this optimization process, I think we're 9 finding quite a few areas where in fact in Year 2 we did not 10 rely on management's work for our conclusions, where I think 11 we will in Year 3. 12 MR. RAY: Jay Howell. 13 MR. HOWELL: I'd like to point out that a lot of 14 companies don't have a dedicated internal audit function. So 15 the use of work of others can refer to where there is an 16 objective internal audit function that reports to the Audit 17 Committee. 18 But it can also refer to management's self- 19 assessment or companies that hire an outside firm to come in 20 and help it perform some of the testing. AS-2 provides some 21 guidance that indicates where the internal audit function 22 doesn't report to the Audit Committee, or is not as competent 23 and objective, that the auditor should use the work of others 24 to a much lesser extent. 25 So I wanted to focus on that language "much lesser 1 extent." Because that's the box that we find ourselves in 2 quite regularly with our clients, where they don't have a 3 dedicated internal audit function, and particularly where 4 they've hired outside help to come in and help with the 5 documentation and testing of controls. 6 Often that outside help reports primarily to 7 management instead of the Audit Committee, and the guidance 8 in AS-2 would tend to indicate that would be a factor we 9 would consider from an objectivity standpoint, and probably 10 use that work to a lesser extent. 11 So I just wanted to highlight that as one of the 12 barriers we perceive in the use of others. 13 MR. RAY: Thanks, Jay. You're great at quoting AS- 14 2. But that's an important point, and as others comment on 15 this, we'd be interested in hearing your further thoughts on 16 that as well. Lisa Flavin. 17 MS. FLAVIN: Most notably, we saw an increase in 18 reliance in Year 2 in the area of IT general controls. In 19 Year 1, there was no reliance. In Year 2, it was 50 percent, 20 which was the maximum allowed by the firm. 21 So I felt pretty confident that we're maximizing 22 reliance right now in accordance with what the standard will 23 allow and firm guidance. An area I'd like the PCAOB to 24 consider also allowing reliance is in the company-level 25 control process. 1 There are certain controls within company-level 2 controls that are very non-subjective, compliance-oriented 3 controls, such as employee background checks, code of conduct 4 acknowledgment forms and personnel files, ethics hotline 5 postings at certain locations. 6 I really think it would be helpful if we were 7 allowed to have reliance on the work of others in those 8 areas. Going along the lines with what Jay said a minute 9 ago, I think there is a wide discrepancy in what audit firms 10 will accept in terms of reliance. 11 I know some companies where the audit firms will 12 accept management's testing, where one process owner tests 13 another process owner and will rely on that work, where 14 there's other cases where audit firms will only rely on the 15 work of a corporate internal audit department. 16 So there seems to be within a wide degree of 17 discrepancy on what's acceptable and what's not, in terms of 18 reliance. 19 MR. RAY: Leo Kessel, you had your card up. Would 20 you still like to comment? 21 MR. KESSEL: Please. Just to build on a number of 22 comments that have been made, I think there is a significant 23 opportunity to work with internal audit and management in 24 terms of scoping, and the amount of reliance that should take 25 place on that scoping, particularly in multi-location 1 entities, where you've got hundreds of small entities. 2 I think you can help the company by having a joint 3 risk assessment, deciding which of those locations are going 4 to be important and who's going to provide that coverage for 5 the audit committee or for management. 6 So I think doing that in a multi-location, you 7 certainly have an opportunity to vary the timing, extend the 8 tests, and provide some broader coverage on an overall basis 9 as well. 10 MR. RAY: Thank you. So let me move into the last 11 subsection here on this panel, which is talk about the effect 12 of PCAOB inspections on the audit of internal control. 13 I'm going to ask Tim Flynn to get our remarks 14 started in that area, and specifically it's a very general 15 question, Tim, but how are the PCAOB's inspections affecting 16 the implementation of Auditing Standard No. 2? 17 MR. FLYNN: Thanks, Tom. First, let me say that 18 there's no doubt in my mind that the PCAOB inspections the 19 last three years have really helped improve financial 20 reporting and audit quality. 21 So if you look at the integrative audit moving into 22 Year 2 of 404 inspections -- you're heading for the second 23 year -- what are some of the challenges? 24 When you look at what's happened so far in the 25 inspection, as to improve the audit quality, what are some of 1 the attributes of that? It's really improved the rigor that 2 auditors are applying to their work. 3 In my view, it's also improved the documentation of 4 judgments being made across the audit spectrum, and 5 conclusions being reached. 6 Now there's many factors that have contributed to 7 this change, sense of our responsibility as professionals, 8 focusing back on our core being the audit, and more engaged 9 board members and audit committee members. 10 But I think what's central to it and what's driven 11 the most change has been the PCAOB inspection process. Now 12 if you look at specifically the inspection process to the 13 integrated audit, in the first year last year, it was 14 relatively limited in scope from my point of view. 15 The PCAOB inspection process was really to gain an 16 understanding, kind of a baseline of how do the firms really 17 go about implementing AS-2. Also take a look at some of the 18 key things coming out of the May 16th guidance, official 19 guidance, around integrated audit, top-down approach, risk- 20 based assessment. 21 How would things have looked differently in '04 had 22 that guidance been in existence at that point in time, and 23 came out with some additional information on that in November 24 of last year. 25 As we moved through the inspection process for 1 2005, that was a real opportunity to gain some additional 2 insights into how we're applying 404 across the profession. 3 As I look at it, as we move into this process for 4 next year, we talked about a lot of attributes here today 5 about entity-level controls. We talked about sample sizes. 6 We talked about significant accounts. 7 This is complicated stuff, and there's a lot of 8 judgment that comes into play. We're new at this. This is 9 the only second year and we're in the third year of this 10 process. 11 To me what would really help in the inspection 12 process is to engage in a really meaningful debate, and 13 really understand what were the judgments being made? What 14 were thought processes gone through by the auditors in 15 selected accrued vacation? What drove them to that decision? 16 Because these are people, professionals applying 17 judgment, doing the best they can to apply AS-2. What drove 18 the judgments around those areas, and then have the PCAOB 19 look at that as well and say what might have been some of the 20 things that they would look at to say maybe those judgments 21 weren't what they should have been. What drove us there, 22 what should we do differently, how should we have looked at 23 that? 24 I'm encouraged by some of the early discussions 25 about the inspection process for next year. We're going to 1 focus on the quality of AS-2, but also focus on the 2 efficiency components of it, and take a look at the guidance 3 that came out on May 16th of last year. How was that 4 guidance really implemented, and look at that through the 5 inspection process? 6 I hope coming out of that we can look at best 7 practices as well, kind of the best practices, and then sit 8 back and have a meaningful debate around what were the 9 judgments made and why. 10 I'm also encouraged by talking to the PCAOB 11 recently, that they're going to include individuals from the 12 Standards Group into the inspection process more this year. 13 So I think we can get a view of what was intended? What was 14 the picture that when we set the standard, we thought 404 15 would look like? 16 What does it look like today, as it's really been 17 implemented? How big is the gap, and how do we work together 18 to close that gap, between the regulators, the issuers and 19 the public accountants, trying to preform that work? 20 So I think it's a critical year in the inspection 21 process. I think it gives great opportunity to ensure that 22 404 is moving toward the picture intended, as it was 23 originally designed. 24 We all know and we all have a line interest here to 25 make sure that the benefits, the protection from the investor 1 perspective around 404, doesn't get lost in this debate of 2 how to paint that picture as it was originally designed, and 3 move forward in the right direction. 4 MR. RAY: Thanks, Tim. Frank Brod? 5 MR. BROD: Yes. As the SOX legislation was being 6 or as the Senate bill was being put together, our FEI group 7 spoke at length with Senator Sarbanes' staff, you know, to 8 get an independent review of the auditors. We thought this 9 was a very important part, and in the peer reviews it more 10 like the cat guarding the henhouse. 11 I don't know that you ever got a truly objective 12 review. So when the PCAOB came into being, with the 13 inspection process, it was really the first time that the 14 public accounting industry was subject to any sort of 15 internal scrutiny. 16 That's good, and it's also bad, because it placed a 17 cloud over them. I think it actually altered the behavior of 18 the audit firms from the national office down to the client 19 service partners, of freezing in quite a conservative risk- 20 averse notions of this. 21 We thought that would be temporary, I think, as we 22 were observing what was going on. But the inspection process 23 itself has been very, to me very disappointedly slow. You 24 know the 2003 audit years' reports were reviewed in 2004. 25 Those reports were issued late in 2005. 1 That's two years passes. That's not really helpful 2 to what's happened, you know, if things have been going on 3 that weren't quite right, you know, they probably continued. 4 If things were good, we hadn't -- you know, there 5 wasn't a process to really convey these best practices 6 throughout the industry, both to the audit firms and to the 7 clients of the auditors. 8 So this process has to be sped up. It needs to be 9 a little bit more out in the open. You know, we'd even -- 10 you know, I hear a lot of anecdotal things from companies 11 that are being part of an inspection. You know, even to the 12 extent where, you know, I heard the comment that, you know, 13 they push integrated audits, but when the PCAOB inspectors 14 come in, they come with two teams, one to do the SOX 404 15 work, one to do the financial statements work. 16 So then, you know, if you're dealing with an 17 integrated audit in those cases, you have the same group of 18 people trying to deal with two different inspection crowds. 19 I don't know if that's still the case, but those are the 20 types of things that just don't seem to fit in this overall 21 deal. 22 We ought to be getting the information out in a 23 useful fashion to the auditors, so that they can enhance 24 their process and continue their improvement, but also to the 25 companies who are, you know, are hiring the audits, to make 1 sure that they keep their processes as best in line as well. 2 MR. RAY: Shelly Stein. 3 MS. STEIN: I'd like to echo the comments made by 4 Tim, because I think they're right on with respect to a 5 number of the things that we're talking about. He ended his 6 comments reminding us about the investor, and we haven't 7 heard a lot of that today. 8 I think we need to talk about the opportunity cost 9 for investors if we make sweeping changes, that take away 10 their ability to be able to make decisions about financial 11 statements and the information that they receive. 12 I'd also like to take some of the information I've 13 heard on all the panels, and just paint a little bit of a 14 picture and see if I can bring it back to the PCAOB 15 inspection process. 16 If you go back a few years, the marketplace was 17 saying "Auditors, you audit too much." Now we're hearing 18 some people -- excuse me, "You don't audit enough." Let's 19 see if I can get that right. Now we're hearing some people 20 say "Now you're auditing too much." 21 In between, what came along was 404. I think 404 22 laid out some very clear things, that said that every company 23 ought to have good internal controls. It said that 24 management should be in a position to be able to tell their 25 investors at least annually that they have good internal 1 controls. 2 It said that there should be a reasonable and 3 efficient way for auditors to perform appropriate procedures, 4 to say that they agree with management's assessment. I think 5 those things make sense. 6 But what we've heard today is "Well gosh, you know, 7 the auditors and the company quite aren't in sync with what 8 those are, how to go about it," and we've heard a lot of 9 people talk about the need for guidance. Not changing the 10 rules, but giving more practice guidance, bringing together 11 the auditors, the regulators, the investors, the issuers, the 12 academics and saying together "What are some real-life 13 examples so we know what right looks like?" 14 I think that that's something that we've heard from 15 a lot of people today that's important. But now we have to 16 take that forward, too, to the PCAOB inspection process. I 17 have to tell you that I think the PCAOB inspectors have done 18 a fabulous job, and they've given us a lot of good 19 information. 20 But there's still a piece that's missing here that 21 I think is a disconnect, and I think about it in terms of the 22 standard-setters saying "You know, you need to use your 23 auditor's judgment and do the right things here." 24 But when the inspectors come in, what are they 25 questioning because they're auditors? Did you do the right 1 things? How's your judgment? I don't have a problem with 2 that. In fact, I value that opinion, and even value the fact 3 that we're going to focus on efficiency in this year to come. 4 But what still bothers me a little bit is that we 5 look at it as auditors with the best judgment that we 6 possibly can, and the inspectors are looking at it with the 7 best judgment that they possibly can. 8 But I can tell you that 100 percent of the time, if 9 we don't convince them, the auditor are wrong. If I look at 10 a baseball analogy, you know, tie goes to the runner. We 11 don't get that opportunity. You've got two teams playing but 12 one of the teams is also the umpire. 13 So there's an issue here when it comes back to the 14 conversations of talking with the client, and everybody says 15 "Well, the auditor is so conservative." "Yeah, it's our 16 license on the line." 17 So I think we've got to put this on the table as 18 something else to address too, because again, I value their 19 judgment, I value their opinion. But I think this circles 20 around the cogs in the wheel to address a number of the 21 things that we've been talking about today. 22 I very much look forward to the efficiency comments 23 coming forward in the next year, and the sharing of those 24 best practices without sacrificing the quality of what we do 25 and what the inspectors are looking for. 1 MR. RAY: Bruce Renihan. 2 MR. RENIHAN: Thanks. I mean my perspectives on 3 this subject are really just borne out of day-to-day 4 interaction with our auditors, and there are hundreds of 5 decisions that are made over the course of the year, that 6 impact on the amount of work and effort that you expend. 7 Inevitably, the musing arises as to how things 8 would look in the working papers if we made Decision A as 9 opposed to Decision B, from which I really just infer that 10 those decisions inevitably are on the side of caution, and I 11 think we all understand why that's the case. But it 12 translates into more work. 13 So the challenge, as I see it, for the PCAOB is 14 really how to structure some balance into the equation. 15 Clearly, the down sides are severe for auditors being judged 16 to have not done their work adequately. 17 It's not clear to me what the carrot or the stick 18 is associated with, you know, going overboard in terms of the 19 work challenging question, for which I have no answer. 20 MR. RAY: Thank you. We've heard from the panels 21 today and elsewhere that the inspections process could be 22 having an effect on the auditor's willingness to exercise 23 their judgment. Are there other things the PCAOB, SEC or 24 others could do to encourage auditors to exercise their 25 judgment? Jay Howell? 1 MR. HOWELL: I think to follow up on an earlier 2 point about timely feedback, I know and we're all learning in 3 this together, and I think within the auditing profession 4 I've seen a tremendous amount of improvement. I'm seeing 5 tremendous improvement in the inspections process too. 6 I think last year at BDO, we did get fairly timely 7 feedback. We were one of the fortunate firms to have our 8 inspections early in the process. The PCAOB did meet with us 9 in person, to discuss some of the 404 findings with us, so 10 that we could learn from that experience. 11 So I commend your efforts at providing us with the 12 timely feedback, and I think that going forward into this 13 upcoming year, one of the important things you can do is to 14 continue that process. 15 As you're out in the fields conducting inspections, 16 I think that there is interaction and feedback occurring at 17 that process, and that the firms by and large don't need to 18 wait until the final reports come out, to start adjusting 19 behaviors, if that's needed, that the inspection process 20 itself out in the field should be a starting point for that. 21 MR. RAY: Leo Kessel. 22 MR. KESSEL: Yes. I would just like to build on 23 some of the points that are made, because I think in the 24 inspection process, and all I have is anecdotal evidence up 25 until this point; one of my clients has been selected for 1 review this year, so I will have practical experience here in 2 the near future, is that there isn't a lot about you've done 3 this right. 4 The partner I spoke with that was reviewed last 5 year indicated that, you know, he was told numerous times 6 we're not here to tell you what a good job you've done; we're 7 here to challenge the work you've done, and make sure that 8 the appropriate judgments have been made. 9 I think challenging our work is very appropriate. 10 But I do think if we don't take the opportunity to capture 11 best practices, and we don't capture the opportunity to tell 12 the firms what they're doing well and do it more at other 13 clients, I do think we lose an opportunity. 14 MR. RAY: Thanks. I think we have just enough time 15 to hear from Tim Flynn before we have to shut this one down. 16 Tim? 17 MR. FLYNN: Tom, to the point just raised and some 18 of the comments. I think the challenge here is to build a 19 reservoir of knowledge, you know, of what good looks like, 20 like Shelly said. What is the picture of 404 as they put it 21 together? 22 From my standpoint, there's a great reservoir of 23 knowledge coming out of the inspection process, and the 24 challenge is how we communicate that knowledge out to the 25 profession and issuers. 1 Maybe we need to form a group of -- from the firms, 2 as well as from the PCAOB, to look at how can we format some 3 of that knowledge and get it back out in the hands, and be 4 the foundation from the guidance we're trying to put forth? 5 MR. RAY: Well, I'd just like to thank the 6 panelists today and my co-moderators. We are going to break 7 now and start promptly at 3:00. 8 (Whereupon, a short recess was taken.) 9 PANEL 4 - THE EFFECT ON THE MARKET 10 MR. WHITE: I'm going to start with the fourth 11 panel. We've been through a lot of detail on the last two 12 panels on management assessment and AS-2. On this panel, 13 we're going to move back a little bit to the bigger picture 14 and talk about the effect of 404 on the markets. 15 And I guess we're interested in -- particularly in 16 hearing your thoughts on two questions: One is whether 17 management's and auditors' reports and all of the related 18 disclosures have been useful to investors and other market 19 participants. And second, are there ways to improve that 20 usefulness of 404 reporting? 21 I'll get into obviously the details in a moment. 22 But I first want to now go through and introduce the 23 panelists. As we have three times earlier today, we have a 24 very impressive group of individuals as our panelists. And 25 I'll start on the far left. Charles Bowsher is the Former 1 Comptroller General of the United States. Noreen Culhane is 2 the Executive Vice President, Global Corporate Client Group 3 at the New York Stock Exchange. She is a last minute 4 substitution for John Thane. 5 And we certainly appreciate your appearing on such 6 short notice. You will still get called on just as often as 7 Mr. Thane. I hope you can cover all of the spots. 8 We have Greg Jonas, the Managing Director of the 9 Accounting Specialists Group at Moody's Investors; Peter 10 Lyons, a partner at the law firm of Shearman & Sterling; Mike 11 McConnell, Managing Director of Shamrock Capital Advisors; 12 Bob Pozen, who is currently Chairman of MS Investment 13 Management -- He is also a director and Audit Committee 14 member for two public companies; Monty Redman, who is Chief 15 Financial Officer of Astoria Corporation, and he is also 16 speaking for America's Community Bankers. 17 We have Kurt Schact, Managing Director of the 18 Centre for Financial Market Integrity of the CFA Institute. 19 Some of you who have been listening to these -- proceedings 20 like these recently, Mr. Schact is also one of the members of 21 the Commission's Advisory Committee On Smaller Public 22 Companies, which issued its report last month. 23 So we're very pleased to have you on both of these. 24 David Warren is the CFO of Nasdaq Stock Market, and 25 Karen Hastie Williams, who serves as a director on a number 1 of public companies and is the chair of the Audit Committee 2 on two of them; I guess. 3 The moderators: I'm John White; to my right is 4 Carol Stacey, the Chief Account in the Division of 5 Corporation Finance at the SEC; she was with us this morning; 6 and Tom Ray, the Chief Auditor at the PCAOB, who you've also 7 met on prior panels. 8 The way I'd like to organize the fourth panel is 9 similar to the way we've done the other panels, and that is 10 to break this up into five, I guess I will call them, 11 discrete topics, and try to spend more or less equal time on 12 each of those topics. So as the panelists make their remarks 13 just if you can jot down the -- the kind of the general 14 topics, and hopefully we can stay on them as we work our way 15 through. 16 The first one is Section 404 and its effect on the 17 U.S. capital markets and investor confidence. The second 18 would be the benefits and costs to investors of 404; 19 previously we've talked about costs to the companies, but now 20 we're talking about the benefits and costs to investors. 21 Third would be to focus on disclosures and really 22 the usefulness and understandability of the Section 404 23 disclosures. That's where we're going to talk about material 24 weakness definitions and things like that. Fourth is a topic 25 that has received a lot of press, which is the 1 competitiveness of the U.S. capital markets with foreign 2 markets and the impact of 404 on that process. 3 And then finally, we'd like to step back a little 4 bit and ask if there are alternative reporting and assessment 5 options that the Board and the Commission should consider for 6 the benefit of investors in the markets. 7 So with that, we'll go to topic one, which is -- 8 I'd actually like to ask four of the panelists to respond to 9 topic one. I'm going to start with Chuck Bowsher, then 10 Noreen Culhane, Karen Williams and Mike McConnell. 11 The questions are: Has 404 helped to restore 12 investor confidence, and if so how? And what has the effect 13 of 404 been on the U.S. capital markets? 14 Mr. Bowsher. 15 MR. BOWSHER: Well, I think it's had a big effect 16 and a very positive effect. In other words, I think we had a 17 real crisis here. We had a big drop off in the tech world 18 and in the small companies out in the Silicone Valley; that 19 was one crisis. But we had a corporate governance crisis too 20 and accounting frauds of magnitudes we had not seen in years. 21 And so we had to do something. And I think the 22 Sarbanes legislation is really first rate legislation as far 23 as the accounting and the auditing provisions. And I think 24 Section 404 is very key to that. And I think we've really 25 made great strides here in the last 2 or 3 years, especially 1 on the front corridor which I call paragraph one; that's 2 where the management was responsible to document their 3 systems, to get them in good shape, to have the internal 4 audit functions become much more useful in this area than 5 maybe they have been in the past. 6 And so I think that now we're seeing the real 7 payoff there, because we're seeing a lot of the companies not 8 reporting material weaknesses. That's coming down. We're 9 not seeing the restatements of any significant issues except 10 in a few cases. And the stock market is going up big time, 11 and not only just for this, but I think this is a factor. 12 And it's kind of like when we had the banking and 13 the S&L crisis and some of the other crisis we've had in the 14 past. In America we have problems but we do react to them, 15 and we really do get on top of them, and it isn't like what 16 happened to poor old Japan there when it went for 10 to 15 17 years to bail out their banking system because they weren't 18 willing to deal with some of the real issues. So I think 19 it's been a big benefit. 20 The one problem I think is still left is with the 21 big auditing firms and how much duplication is being done. I 22 know some of the spokesmen for them today have said 23 everything is working quite well, and we're making great 24 progress based on last year's guidance. 25 But at the Audit Committee -- I serve on a lot of 1 audit committees and boards -- we don't see that. And, in 2 other words, we see some improvement, but we really truly see 3 now still a lot of duplication. So I think it, in paragraph 4 2, we still haven't got it right as to how much work has to 5 be done and to avoid duplication, to rely more on the 6 internal auditors and things like that. But I think that's 7 doable; I think it's very doable. And I hope we could get it 8 done in the third year here. 9 MR. WHITE: Thank you. 10 Ms. Culhane, can you give us the perspective from 11 the New York Stock Exchange of whether we've restored 12 investor confidence -- 13 MS. CULHANE: Well -- 14 MR. WHITE: -- or where we're going on that front? 15 MS. CULHANE: Huh-huh. I would say clearly 16 investor confidence is the key underpinning to the capital 17 markets; clearly. It is investor confidence that incends 18 obviously investors to feel comfortable investing in the 19 markets. That begets liquidity which is essentially the 20 underpinning of what makes the markets work. 21 So clearly, ensuring that investors feel that 22 there's proper disclosure, that there is transparency, that 23 there is meaningful information that's disclosed in a timely 24 way is key to our markets working efficiently. Sarbanes- 25 Oxley certainly has been an important component of this; it's 1 not the only component of it. 2 And we've clearly not reached an endpoint; we're on 3 a journey, and the journey continues, and there will be other 4 things in the future for sure. But yes, I think that as a 5 principle matter from a policy perspective, Sarbanes-Oxley 6 and 404 have been helpful. I think what we have seen -- to 7 build on what Chuck just said -- is that about 15.8 percent 8 of the 2,900 reporting companies did disclose weaknesses in 9 year one; that dropped more than by 50 percent; it dropped to 10 about 6.2 percent in the second year. 11 At the Exchange, we have 189 companies that have 12 reported a weakness, about 6 percent of the reporting 13 companies cumatively over the time that we've been reporting. 14 And we have monitored the reaction of the market to those 15 disclosures, which has been extremely calm. 16 We would put that down to the fact that certainly 17 the definition of materiality is something that in prior 18 panels -- and I'm sure in this one will get some focus -- in 19 that everything that's being disclosed, given that the market 20 reaction is very calm, one would question whether or not they 21 really are that material. 22 I think the market is a pretty good arbiter of 23 materiality as a general matter. But fundamentally at the 24 end of the day, I think part of the reason that there has 25 been not too too much reaction in the market has been because 1 disclosure has been timely; it's been complete, and the 2 remediation has been included, and so the market has reacted 3 with great calm. 4 All of that said, we have to continue to focus with 5 great I think rigor and discipline on the fact that investor 6 confidence if the key component to the markets, and anything 7 that we can do to incent that is an important step. 8 MR. WHITE: Thank you. 9 Ms. Williams, you are on a lot of boards. What is 10 your perspective on where we are with investment -- investor 11 confidence? 12 MS. WILLIAMS: I think investor confidence is 13 certainly at a much higher level today than it was 3 years 14 ago. My sense is that the investors see that both the 15 management and the audit community, the external auditors 16 have taken the legislation very seriously. 17 I think everybody had a fairly steep learning curve 18 in year 1, and there was a lot of expenditure focussed on 19 getting systems in place that could monitor effectively the 20 work of the -- both the internal auditors and management as 21 well as giving the tools that the external auditors needed. 22 In all of my companies I'm very fortunate to have a 23 very strong internal audit team. And that's one of the 24 reasons I've been looking at and agreed with the earlier 25 speaker about the importance of being able to rely on the 1 work of others in this process. 2 And I think that the -- going forward, investors 3 will see that this has really become institutionalized. It's 4 not just simply something that we're doing for a short period 5 of time and then go back to the way things were. This is now 6 part of permanent law, and I believe that the management has 7 also been very serious about bringing the company into 8 compliance. 9 And I think in year 2, we will see, or we have seen 10 a reduction in the costs, both with respect to the external 11 auditor costs as well as to the internal compliance costs. 12 MR. WHITE: Thank you. 13 Commissioner Glassman, we'll go to you in just 14 moment. Let me just finish with Mr. McConnell on this same 15 question. You are obviously an investor, and I guess we 16 would like to hear the investor perspective on investor 17 confidence. 18 MR. MCCONNELL: Sure. Thank you, Mr. White. 19 We believe Section 404 is working, and it is early 20 days. Context is important. We were at a time in America 21 where we required heightened attention to the 22 responsibilities of the agents and the agency relationships 23 in our capital markets. 24 Some of the preliminary benefits that we're seeing: 25 enhanced transparency, higher quality financial reporting, 1 improved governance, fairly broadly defined, improved 2 business processes anecdotally in some of our investee 3 companies, improved management information that allows him to 4 possibly make better decisions. And all of this is 5 contributing to the investing public regaining confidence in 6 the U.S. capital markets. How do we know that? 7 A couple data points that sort of are helpful: 8 Clearly, market multiples have increased in the last 3 or 4 9 years which indicate a lower or lowering of equity cost of 10 capital. Stock price performance -- I think all of us may 11 have seen their earlier work by Lord and Benoint in the Wall 12 Street Journal this week, which is some fairly compelling 13 data that stock price performance of those companies that are 14 complying with Section 404 are significantly higher than 15 those that don't. 16 We've seen an increase in M&A activity and IPOs 17 since 2001, 2002. And Lynn Turner and his team at Glass 18 Lewis have done a good job of summarizing that in some recent 19 reports. 20 And then lastly, there's been some academic 21 research 2 years into the implementation of SOX 404 that can 22 in fact point to some data -- for issuers is decreasing. 23 MR. WHITE: Thank you. 24 Commissioner Glassman? 25 COMMISSIONER GLASSMAN: Thank you. 1 This is just a question to add to the other 2 questions as you're thinking about your answers. To the 3 extent that there are benefits and improved internal 4 controls, which I think there are, as you answer the 5 questions, can you differentiate if you can the extent to 6 which they're coming form the overall environment from 302 -- 7 302906 certifications for management's assessments or the 8 auditors at this station or some combination? I'd appreciate 9 that. Thanks. 10 MR. WHITE: Okay. Well, why don't we move to the 11 second topic which is very closely related actually to the 12 first, which is really, how have investors benefitted from 13 404. I'd like to direct that to three more of our panelists, 14 Greg Jonas, Kurt Schact and David Warren. And how have 15 investors benefitted, and have those benefits come at an 16 acceptable cost? 17 Mr. Jonas. 18 MR. JONAS: Thank you. Appreciate the opportunity 19 to share some thoughts with you today. Let me address the 20 question first in terms of confidence and then address the 21 question directly in terms of specific benefits that 22 investors, creditors, in my case, enjoy from 404. 23 A number of people have addressed themselves to the 24 confidence question; let me do so through a creditor's lens. 25 If you go back to the dark days when the market was most 1 nervous about the quality of financial reporting, which I put 2 at October of 2002, credit spreads for investment-grade 3 companies were 2.5 percentage points over the Treasury rate. 4 And for corporate high-yield companies, they were a 5 whopping 10 percent over the Treasury rate. And those were 6 for companies who could get capital. The market shut, as you 7 recall, a lot of companies out of the capital markets in 8 those days. 9 In contrast, the credit spreads today are .85 10 percent points for corporate investment-grade credit and 2.8 11 percent points over the Treasury rate for a corporate high- 12 yield credit. 13 Now, clearly, that dramatic reduction between the 14 dark days of October and today we cannot all attribute to 15 404. But if only 10 percent of that reduction is due to 404, 16 put those numbers in your calculator, and you get a benefit 17 that is absolutely enormous. 18 So it is our believe that there are significant 19 benefits. We cannot exactly quantify them. And this is 20 unfortunate, but we can't, but that there are significant 21 benefits overall. We perceive it in our own practices; we 22 rate companies, and we certainly perceive it in the market 23 overall. 24 And with regard to specific benefits for investors, 25 we see that investors -- we think we see incremental 1 information from internal control reports relevant to the 2 risk assessment. And this helps investors price and allocate 3 capital. 4 It's our view that we see the market behaving quite 5 rationally to internal control information. We see that the 6 market in certain cases does react, and in some cases react 7 quite negatively to the news; whereas, in other cases, it's a 8 big non-event. That to me is a sign that the market is 9 different between troublesome times and not, and is a healthy 10 sign. 11 The second benefit is that -- and more direct 12 benefit -- is that investors enjoyed lower risk of a bad 13 investment that might result from bad numbers. Now there 14 surely is continuing risk of a bad investment because of bad 15 business risk, but there shouldn't be bad investments because 16 of bad numbers, unreliable numbers. 17 And it's our perception that investors are enjoying 18 the fact that the numbers are of higher quality today than 19 they were a few years ago, and we attribute some of that to 20 404. 21 The third benefit that we see -- and this is 22 anecdotal; whereas the first two I mentioned we have direct 23 experience with at Moody's. The third one comes indirectly 24 through comments that we're receiving from management of the 25 companies that we rate. 1 But managements are telling us that they are 2 learning some things about business risk management from 3 their improvement in financial control systems. If that's 4 true, then investors enjoy higher returns as management is 5 able to better manage their business risk. 6 MR. WHITE: Mr. Schact? 7 MR. SCHACT: Thank you, John. Nice to be back 8 here. Thank you for including us. 9 Obviously, we think the effect on the marketplace 10 has been very constructive. And I would point to a number of 11 different benefits. I'll give you my list in addition to 12 obviously to greater investor confidence which I think you've 13 heard many of year panelists talk about today. 14 But I think probably one of the most important 15 things that is it has changed behavior. It's sort of 16 embedded in the psyche all stakeholders in this debate the 17 notion of financial reporting and controls over financial 18 reporting, and that's a very serious and very significant 19 benefit to investors. 20 It's served as an important check on the competence 21 of financial reporting staff at the issuer. It has served I 22 think very well as a tool for detection and repair of 23 material weaknesses at companies. And I think it's served 24 its purpose as a deterrent to larger-scale accounting frauds 25 at a number of firms. So we see a number of important 1 benefits. 2 With respect to this notion of -- I think this 3 notion of competition and its effect on the markets in terms 4 of competition and costs, are the costs worth it? We've 5 talked about whether listings are falling behind. We've 6 talked about whether we're dampening entrepreneurial spirits 7 and innovation and job creation; is the cost of 404 too high? 8 And we would say that in the context of 404 that 9 it's not even a close call that 404 has served its purpose in 10 terms of detecting and fixing the holes and internal control 11 structures. It has solidly focussed the management staff, as 12 I've mentioned, on financial reporting. And the cost byte is 13 declining, and we think that trend is still lower. 14 MR. WHITE: Mr. Warren. 15 MR. WARREN: Yes. Thank you, John. 16 I just -- I think from my perspective as the CFO of 17 Nasdaq, I really do wear two hats in thinking about my 18 response to your question. One, as the CFO of Nasdaq, I 19 certainly have, pursuant to our charter, a responsibility to 20 the investor and for our 3,200 companies. 21 But I'm also the CFO of a public company that lists 22 -- and not surprisingly on the Nasdaq stock market -- but has 23 to comply with Sarbanes 404. So I've been through this now 24 for the third year. So when I talk to CFOs and CEOs, I have 25 sort of first-hand experience to relate to what I'm hearing. 1 And I also frequently talk to investors as well. 2 So what I think I can generally share with you in terms of 3 benefits and costs to the investors, yes; I would agree with 4 all of the statements that have been made. I think investors 5 general feel that Sarbanes has been worth it. We had better 6 financial statements; we have increased transparency; we have 7 increased investor confidence. I would not say anymore than 8 just sort of to agree and support those statements. 9 But I also feel that while the marketplace views 10 its importance I don't get any real evidence -- and a lot of 11 this is anecdotal, but certainly from my own experience -- 12 that the market is necessarily rewarding or penalizing 13 companies for their work in Sarbanes. 14 I mean, they take comfort in knowing that the 15 financials are better, but if a company is a later filer and 16 they correct a deficiency or it they're gotten -- you know, 17 you can't tell if a company has gotten a real stellar opinion 18 on Sarbanes. They make the bar or they don't. So I think in 19 that regard, I think the investor community takes some 20 comfortable in the overall package of Sarbanes. 21 And I think to some degree the management 22 certifications and the processes that have been put in place 23 in sections outside of 404 are actually I think a much sort 24 of we don't focus enough on that. But I think there's a lot 25 of work that happened before 404 that added a lot of benefit 1 to financial disclosures. 2 And on 404, I think the part that investors sort of 3 least understand is the arider attestation process. They 4 don't quite see sort of how that works and how that's worth 5 the cost. 6 I'll just add two final points: And I do think 7 that they view generally that the costs outweigh the 8 benefits, and I think they understand that they fall 9 disproportionately on the smaller companies. And at Nasdaq, 10 we definitely, you know, talk to a range of smaller 11 companies. 12 I would also say that as CFO, in the last 16 months 13 or so, I have been out in the capital markets selling Nasdaq 14 stock on three different occasions. I have probably talked 15 to 150 investors in one-on-one meetings, small group 16 meetings, conference calls, large group meetings, and I have 17 never once been asked a question about Sarbanes-Oxley, you 18 know, good, bad or indifferent. It just simply does not come 19 up as a point of discussion as investors are talking to the 20 company and to management about our performance and about our 21 plans. 22 MR. WHITE: I see we have a couple of cards up, but 23 I -- just to get you thinking about a more drilling down 24 question here, and it really comes off of what Mr. Glassman 25 asked, and that is -- because the question is coming up a lot 1 for us -- is are the benefits that are coming from -- the 2 benefits that are coming to the markets -- are they coming 3 from the 302, 906 certifications? Are they coming from 4 management's assessment, or are they coming from the AS-2 5 audit? 6 And I realize the easy answer to that is some of 7 all of those. But if we could -- after we do the two cards 8 that are up, if we could, I'd like to come back and see if 9 anybody wants to weigh in on where those benefits are coming 10 from in terms of those three different areas. 11 Mr. Redman. 12 MR. REDMAN: Okay. I don't have the full 13 perspective of the entire market that some of the other 14 panelists do have. But from a banking industry, which is 15 highly regulated, I can say then when 404 was starting to be 16 implemented -- we do about six investor conferences and road 17 shows around the entire country, and probably close to 100 18 different investors and small groups and large groups, and 19 the only questions we got were, how much is it going to cost 20 you, and will you complete it on time. 21 And not if the internal controls are okay, just, 22 will you complete the documentation on time. And that's 23 where the questions. And since then in 2005, the other -- 24 the only questions were, "Are you going to save any money 25 from the prior year?" 1 I can't remember any questions regard -- in terms 2 of internal control. And I think that may be directly 3 related to the banking industry which has had FIDUSHA since 4 1993. And for us there's a lot of duplication in that 5 regard. So from a personal perspective, we just have not 6 seen the interest in the investor community. 7 MR. WHITE: Mr. Pozen. 8 MR. POZEN: Thank you. 9 Before I came here yesterday, I went and talked to 10 the analyst at MFS to get a sense of what they thought. And 11 on the cost side, they're totally hard costs which include 12 the auditors' fees and other things. But they emphasize that 13 to them the two costs that they were concerned about more 14 were management time that's put into the process and impacts 15 or potential impacts on corporate restructurings. 16 I think one of the Q&As deals with mergers and 17 allows a delay. But if you had an IPO tomorrow and you were 18 on a calendar-year basis, you would still have to file with 19 your first 10K which would mean in, you know, February and 20 March of 2007, your internal controls report, and that's very 21 different for companies that are going through an IPO. 22 Or if you had a spinoff or various restructurings 23 where companies had to restructure their internal controls, 24 there isn't a deal, and so that's a particular cost that the 25 Commission could deal with in the way they're dealt with 1 mergers by allowing some delay in that case. 2 As to the benefits, I think it's hard to say -- I 3 mean, I guess I'm a little skeptical that we're sort of that 4 multiples and all IPOs and all are result of 404. We have 5 had the best corporate earnings growth we've ever had in the 6 last few years, so that obviously helped stock prices. We 7 came out of a business cycle. We had 9/11. I mean, there 8 are lots of factors, so I would be very hesitant to attribute 9 all of these good things to 404. 10 I think if we want to see what 404 does, it's 11 mainly in the reporting. The only way the analysts see 404 12 if when there is a material weakness that's reported. So 13 from their point of view it's the statute says, "Adequate 14 internal control structure and procedure for financial 15 reporting." And for them it's all in the financial 16 reporting. And when they define materiality, they mean it in 17 the traditional sense of a significant impact on the entity 18 level. 19 The problem I think that we have is that when 20 various things have come out from the audit board there have 21 been I guess two different perspectives on materiality. One 22 is at the entity level; the other is at the individual 23 account balance level. 24 From the point of view of analysts, it's irrelevant 25 what happens at the individual account balance level because 1 it doesn't show up in terms of the financial reporting. It 2 may have to do with the infrastructure and that it can build 3 up. But what they're mostly interested in is traditional 4 financial materiality on the whole entity level. 5 And if there is a report of material weakness, I 6 think the reason why we're seeing a difference in market 7 reaction is because some reports of material weakness, 8 especially those accompanied by financial restatements are 9 materiality in the traditional financial sense, and the 10 market reacts to that. 11 But to the extent that it's more in the details, 12 more in the individual account balance, this may be an 13 infrastructure issue. It could ultimately lead to some 14 problems. But from an analyst's point of view it's not going 15 to the financial reporting, so it doesn't go to the stock 16 price ultimately. 17 And I think that you could say the same thing about 18 significant deficiencies. Significant deficiency may occur 19 in the company, but the analyst never, you know, hears that, 20 so the analyst isn't being reported that, so that's something 21 the company has to deal with. 22 But the analyst impact -- the analyst perspective 23 is all on material impact on the financial basis, and so I 24 think we have to say that the benefits of this -- of 404 in 25 particular -- are on the general confidence, but on the 1 particular reporting of material weakness and what 2 information is contained in that report. 3 MR. WHITE: Okay. Just one clarification: I think 4 the way, if you parse it through a calendar year 2006 IPO 5 doesn't have to do 404 until 2008. But also a calendar year 6 2007 IPO has to do it in 2008. So you're right, there's a 7 problem, but it doesn't kick in for another year. 8 MR. POZEN: I'm sorry. Okay. You're correct on 9 that. But you would have an accelerated filer that did a 10 spin-out in 2006. 11 MR. WHITE: You still wouldn't get picked up. 12 MR. POZEN: You wouldn't get picked up until 2007, 13 until 2008? 14 MR. WHITE: Correct. 15 MR. POZEN: Even if it was an accelerated filer who 16 was already filing 404 reports? 17 MR. WHITE: I -- 18 MR. POZEN: Anyway. It's a technical question. 19 MR. WHITE: But anyway, before we get on to the 20 material weakness discussion and the disclosure discussion, 21 let's go back to the question I asked a moment ago, because I 22 know that is a matter that a number of us we really like to 23 hear about of whether you think the benefit comes from the 24 certification, the management assessment, the audit or just 25 some of all of them. 1 Mr. Lyons. 2 MR. LYONS: Yes. Thanks, John. 3 The answer is, we don't know, because all of these 4 factors kicked in at roughly the same time. There clearly 5 seems to be much better investor confidence, and they're all 6 affected it. And I don't have any question that 404 has had 7 a positive impact on investor confidence. 8 And I've looked at the econometric studies. None 9 of them really convince me that they demonstrate the positive 10 benefits of 404, and it's not because people aren't trying. 11 I think it's just very hard to construct and appropriate 12 econometric model that really kilters out all of the things 13 that are going on in the marketplace. I applaud the people 14 who are trying, but it's very tough stuff on limited info. 15 I would just say that from our perspective in terms 16 of dealing with our clients, the question I would say is 17 what's had the most impact on client behavior and clients 18 having the right tone at the top and being rigorous about 19 financial reporting. 20 And I would submit based anecdotally on the 21 evidence that my partners and I see that the two things that 22 have driven most of the behavioral change, largely positive, 23 have been 302, 906, which I have to say really focussed 24 people's minds. 25 I mean, CEOs and CFOs were very focussed on that, 1 and that filtered through the organization because they 2 wanted to make sure their people were supporting what they 3 were saying. 4 I'd also say that we've seen very positive 5 developments in the way boards are behaving and the way audit 6 committees are behaving, and that's been happening at the 7 same time. And I would submit that that has had -- I've seen 8 that in Audit Committee meetings I attend. And the way CFOs 9 and chief accounting officers interact with their audit 10 committees, I would say anecdotally I've seen that affect 11 behavior within companies, within issuers, far more 12 substantially than 404. 13 That doesn't mean 404 hasn't been positive, but our 14 anecdotal evidence would say that it's really the first two 15 factors more than 404 that has had a more salutary effect; 16 all positive, but that's more bang for our buck there I would 17 argue. 18 MR. WHITE: Mr. Jonas. 19 MR. JONAS: Our take is that 302 was a home run for 20 all the reasons that Peter just mentioned. So what I'm about 21 to say sounds like I'm slamming 302, and I'm not. 22 We did three tests to see to what degree 302 could 23 stand on its own as a solo act or whether we need auditor 24 involvement with 404 to supplement it. The three tests were, 25 first, we looked at how many 302 material weaknesses did we 1 see before 404 became effective. And the answer is, not many 2 relative to the number that surfaced under 404. 3 A second test was, for all companies that report 4 404 weaknesses, how much before that did a 302 disclosure of 5 that weakness get reported. And the answer is not much 6 before. 7 And then the third test related to smaller 8 companies. We compared the number of material weaknesses 9 flagged in 302 disclosures by small companies not yet subject 10 to 404 versus those for small companies that are subject to 11 404. And guess what? A whole lot more are surfaced in the 12 404 process than in 302 in that test as well. 13 What this tells us is it is not the 302 is bad and 14 not working. Instead it tells us that problems surface when 15 auditors are involved. I think we should view this as 16 healthy. This is not a bad sign; it's a good sign. It's 17 just that we think that auditor involvement adds essential 18 discipline, skepticism, inconsistency to the process. 19 MR. WHITE: Anyone else want to weigh in on the 20 question? 21 Mr. Bowsher. 22 MR. BOWSHER: I think they really fit together. In 23 other words, I think if you have 302 without 404, you are 24 asking people to sign certificates where they -- especially 25 in large organizations, they don't have the foggiest idea 1 whether they got problems down there in the organization. 2 I remember discussing this with Paul O'Neal, when 3 he was Secretary Treasury, when the law was being passed and 4 signed. And I said, "Both you and I have been served as CFO 5 and CEO of very large organizations, and until we got the 6 controls in place and got them checked out, we didn't know at 7 the top whether we were in good shape or we weren't in good 8 shape. And the idea that you'd have to sign a certificate -- 9 " 10 So I think you really have to look upon this as a 11 package deal. And I think the only problem, as I said 12 earlier, is I think we've gotta get -- and I was even saying 13 to Mr. Glassman that I think it's important to have the audit 14 piece in there, but you've gotta get it more effective, 15 especially cost effective than it is today. But I truly 16 think any idea of dropping the audit or the 404 and keeping 17 302 would get you back into what Greg was just saying, and 18 you're going to see a lot of problems come up eventually. 19 MS. STACEY: Could I just follow up with what Greg 20 had talked about a minute ago on the 302s certification and 21 the lack of disclosure on material weaknesses? We had issued 22 some guidance fairly early on that told companies as they 23 were going through the process the first year of doing 404 24 assessment that they needed to think about whether they 25 should be providing disclosure if they come upon material 1 weaknesses. 2 And the reason being that they may be remediating, 3 them by the time that they actually have to report. So we 4 put it back to them in the guidance and said, "If you believe 5 it would be a material omission not to provide that 6 disclosure then you need to provide it. Otherwise it's your 7 judgment." Do you think that that contributed to a lack of 8 disclosure in the 302 certifications, or do you really think 9 that they just should have been disclosing them and they 10 weren't? 11 MR. JONAS: No. I was not trying to make the 12 impression that no one -- that people are not complying with 13 the rules and that 302 isn't working. That wasn't my point 14 at all. It's just that the discipline of 404 is at a 15 different level. And that discipline seems to be helpful 16 because it's that discipline that's surfacing a bunch of 17 incremental issues that at least we in our shop have found to 18 be useful information in the rating process. 19 MR. WHITE: Mr. Bowsher. 20 MR. BOWSHER: I was just at an Audit Committee 21 meeting this morning at a very large nonprofit, and they were 22 doing 404 and 302 for the first time. And one more time, one 23 of the big things that comes out is if you have a delegation 24 of certification within a large organization so that not only 25 are the CFO and CEO certifying but the heads of the key units 1 of your organization and that, so you've really pushed this 2 whole system down and make it a part. 3 And I remember serving on the American Express Bank 4 when they had just a fiduciary in there. And when we got 5 that working properly on a worldwide basis, we really got rid 6 of some of the problems that we had been living with. 7 So I think it's the way that it's actually 8 implemented as a total package really works well. And so 9 this idea that you could do away with some of the parts of it 10 that maybe are costly, but actually I think if you get it 11 efficient they're not very costly. And it's important to 12 keep it all together. 13 MR. WHITE: Okay. I'll move to the next topic 14 which is the -- I guess I will call it the disclosure topic. 15 And I'll start the question with Mr. McConnell and then I 16 guess back to Mr. Pozen and to Mr. Jonas, if I can. 17 When I say the disclosure question, I'm focussing 18 now on the actual disclosures that are made about the result 19 results of the 404 work, which is basically a disclosure that 20 you have ineffective internal controls. And then usually 21 there's a lot of surrounding disclosure disclosing the 22 material weaknesses, and sometimes the remediation and what 23 caused it. 24 And so I guess my question really is, do investors 25 understand what a material weakness is? Is the disclosure 1 that's there, the kind of disclosure that is useful, should 2 there be more disclosure, less disclosure, but just focussing 3 on the kinds of disclosure that are being made about what 4 comes out of the 404 process? 5 Mr. Jonas, do you want to start? 6 MR. JONAS: First, we do try to distinguish between 7 problems that we should -- that are rating relevant versus 8 problems that we feel are not. So it is important in helping 9 us distinguish that the disclosure be adequate for us to 10 apply our criteria. 11 And we put controls into two broad buckets; A for 12 acceptable; B for bothersome. And what we're finding is 13 having -- we have no problem based on the current disclosure 14 in bucketizing these control problems into categories that we 15 think are rating relevant. 16 So from that standpoint that I think it is very 17 positive. We have taken rating action in the last year on 29 18 companies because of control issues. And the rating action 19 wasn't solely because of control issues. In each case there 20 were other factors involved as well. But control factors 21 definitely played a part in the decision. 22 Today, we're publishing research that outlines in 23 more detail than anybody cares to see about exactly what we 24 did and why. So I -- my overall perspective is that the 25 control disclosures are good to help us supply the 1 methodology that we're trying to imply. My impression also 2 is that the market does understand generally enough about 3 what a material weakness is. 4 Let me though move to two criticisms that I have, 5 despite having enthusiasm for the overall quality of 6 disclosure. These criticisms are, to us anyway, are 7 important. The first is I really think we need to turn up 8 the noise on controls that prevent and detect fraudulent 9 financial reporting. 10 We're here today because a relative handful of 11 large public companies, managements, decided a few years ago 12 to cook the books; that's why we're here. And making sure 13 that that never repeats in anywhere near the volume and 14 magnitude that had occurred it has got to be job one of the 15 whole package of Sarbanes-Oxley reforms, and in particular 16 the 404 area. 17 And when we look at the amount of noise we see in 18 the public disclosure about fraud-related controls it's rare; 19 it's very rare. And only -- of the companies we rate, in 20 only four cases do we see controls that are directly related 21 to fraudulent reporting. 22 And in all four cases, the companies had a 23 fraudulent reporting event that had occurred in the previous 24 year. So obviously, you know, this is a decritical area. 25 And it would just give us more comfort to know that folks are 1 really working at these fraud-related controls. And it's 2 just a little different to believe that apart from these four 3 companies in our rating universe that nobody else had, you 4 know, bad tone and the other mission critical aspects of 5 fraud-related controls. 6 The second criticism that I would offer is, I think 7 our disclosures about material weaknesses have become, maybe 8 inadvertently, backward looking rather than forward looking. 9 Our original notion on 404 was that they're kind of leading 10 indicators of companies that are at risk of financial 11 reporting problems. 12 So it's kind of like, you know, you're telling the 13 patient, "Well, we see some high blood pressure here, and 14 that could lead to a heart attack, so let's get after some 15 remediation before we have a heart attack." 16 But if you look at what is being disclosed about 17 material weaknesses, in all but a handful of companies, there 18 has been a train wreck in financial reporting that has 19 occurred, either a restatement for errors or material audit 20 adjustments that arose in the audit process. There's been 21 this train wreck prior to reporting a material weakness, 22 which means that the disclosures are backward looking. 23 We're saying, you know, the patient had a heart 24 attack, and by the way, the patient had some high blood 25 pressure. Now we're hopeful that under this radar screen of 1 public reporting is the hard heavy lifting of forward looking 2 work on controls. 3 Tom, you called those significant deficiencies. 4 Hopefully, I guess, that work is the forward looking work. 5 But we're not seeing forward looking disclosures, and it is 6 making us a little nervous. I would hope that as time goes 7 on we could get increasingly focussed on the preventive 8 nature of controls and have some disclosures in the absence 9 of a train wreck in reporting. 10 MR. WHITE: Mr. McConnell, are you happy with the 11 disclosures, or do you have comments on the -- we're talking 12 about the actual content of disclosure now. 13 MR. MCCONNELL: I understand. It's actually a very 14 good question that's being asked for a good reason. And by 15 and large, people that sort of are at the -- of investing 16 such as ourselves or perhaps some people at Mr. Pozen's firm 17 or Fidelity or other mutual funds, we're certainly not all 18 trained in the technical aspects of accounting, and sometimes 19 these disclosures can be overwhelming for us. 20 Now, fortunately, I think we're economic creatures, 21 and we will seek third-party advice either our accounting 22 firms or some in-house expertise to answer that. However, 23 that should -- the fact that you're asking the question 24 should not suggest that we ought not try to provide better 25 guidance and better disclosure to more of those that are at 1 the -- of deciding the buyer/seller security tomorrow based 2 upon what was released last night to help us better 3 understand without seeking third-party advice. 4 Because by and large, I think most people that are 5 making those decisions aren't as trained in the technical 6 aspects of the types of issues we're discussing here. So any 7 help would be helpful. We'll still figure it out as best we 8 can on our own. But the mere fact that you're asking the 9 question in a forum like this would suggest that there's some 10 improvement that could be made. 11 MR. WHITE: Mr. Pozen, do you have more to say on 12 this, or is your earlier material weakness discussion already 13 it? 14 MR. POZEN: I'll say a few more words. I think 15 these disclosures could go a little further. I mean, what 16 the analyst is really trying to ascertain is whether this 17 disclosure is financial materially or whether there is more 18 or less a technical problem, and that's what I think you see 19 the markets reacting to. And to the extent that a disclosure 20 is accompanied by financial restatements then it's obvious. 21 But I think that there clearly are disclosures 22 being made of material weaknesses that are more technical in 23 nature. The companies will say that there are timing issues 24 or they're about to fix these things or these sorts of 25 things. So I think that it would be very useful to explain a 1 little more about whether this was in the nature of something 2 that was a technical accounting issue or whether it was 3 something that really went toward a financial restatement. 4 I also agree with the suggestion that there be more 5 remediation and more future looking information, because I 6 think that's what a lot of analysts want to know; is this 7 going to lead to a problem down the road. 8 And finally, the analysts tell me it's very 9 difficult when they approach the CFO and say, "Can you give 10 us a little more about this disclosure," that usually the CFO 11 is very reluctant to say anything, and usually says, "Well, 12 if I tell you, I have to tell the whole world. And I've told 13 the whole world exactly what I want in the disclosure." 14 So I think that that disclosure is pretty much all 15 the analyst ever gets. 16 MR. WHITE: Ms. Williams, you've been waiting very 17 patiently over there. 18 MS. WILLIAMS: I would add that the content of any 19 disclosure in this context very much will reflect the culture 20 of the company. I am very fortunate to sit on boards where 21 we have an open-door policy. And if I see something or if 22 the internal auditor or the external auditor comes to me with 23 an issue, we put it on the table and we discuss it. And in 24 making the disclosure, we provide as fulsome a description as 25 our lawyers will let us do, and that's another component of 1 it. 2 But I do think that 302 has helped companies, and 3 I've seen it, to really look at their operational 4 effectiveness. And much of the money and implementation of 5 404 has gone to creating a better operational environment so 6 that if a problem arises it's caught at an earlier stage. 7 And it may be a significant deficiency but it's not a 8 material weakness. 9 MR. WHITE: Chairman Cox. 10 CHAIRMAN COX: Thanks. 11 The focus and indeed the title of this panel is 12 "The Effect On the Market." And I think we've done a good 13 job of fleshing out many of the aspects of what that implies. 14 One of the things I'd like to hear a little bit more about is 15 the international context, and specifically how you all judge 16 the importance of harmonization of our 404 requirements with 17 the norms of other high standards countries, and what is the 18 consequence of not doing so? 19 MR. WHITE: Well, that actually was our next topic 20 to go to the international question. 21 CHAIRMAN COX: Oh, good. Great. 22 MR. WHITE: So I guess -- I think we should 23 probably start with the stock exchanges to comment first. I 24 don't think, would either one of you like to go first? 25 Mr. Warren. 1 MR. WARREN: I'll be happy to go first. 2 The question is it right on the money. I think we 3 all see the problem. We see certainly a number of, you know, 4 when I talk to my colleagues in London who are working to get 5 companies to list in the U.S., I think despite the benefits 6 of the U.S. capital markets, we see a number of them that are 7 not listing in the U.S. for all of the reasons we've 8 discussed. 9 I think, you know, we've seen various surveys on 10 this. I think that a couple of things I think need to and I 11 think can occur simultaneously. One is that I think our own 12 reforms of Sarbanes-Oxley will start to go a long way to 13 muting a lot of the criticism and a lot of, if you will, the 14 marketing appeal that is being used against our capital 15 markets to get people to not list in the U.S. 16 So I think the work that we do to reform that 17 certainly dulls the arguments that people are making to list 18 on foreign exchanges. 19 I think the second part -- the part of your 20 question in terms of how do we begin to sort of look at 21 harmonizing standards around the world is an important one. 22 And, you know, I think at this point I don't think any of us 23 have any foreign views on it, but it clearly the next step. 24 So without getting into a whole lot of specifics, I think 25 we've got to try to reform what we want to have happen and 1 then try to work to see if we can't make that more sort of 2 universally understood by other regulatory agencies around 3 the world. 4 MR. WHITE: Ms. Culhane. Let me just focus the 5 question a little bit more as well. Is 404 effecting the 6 competitiveness of U.S. markets? Is the cost of capital 7 going -- for U.S. companies going up compared to our foreign 8 counterparts? 9 MS. CULHANE: Well, let me just provide some data 10 points that I think will be illustrative in terms of the 11 capital markets over time and what we see as a matter of 12 capital raising as in the registered -- as a registered 13 issuer in the capital markets. 14 If you go back just a few years, back to 2000, and 15 you look at the 10 largest global IPOs, nine of them 16 registered in the U.S. capital markets and raised money here. 17 If you look last year at 2005 and you look at all 18 of the companies that raised over a billion dollars, there 19 were 24 of them; 23 of them did not register in the U.S. 20 capital markets, although most of them did do private 21 placements in the U.S. capital markets, so they're accessing 22 the U.S. investor but circumventing the requirement for 23 compliance with governance standards. And I think that's a 24 very serious thing that needs to be considered and dealt 25 with. 1 If you look at the capital raised, 224 2 international companies accessed the U.S. capital markets, 3 and they raised $89 billion; I believe the number was 89. 4 But 189 of them did not do so as a registered matter; they 5 did so in private placements. 6 So only 5.7 percent of the dollars raised were 7 raised through the capital markets as a matter of being a 8 registered, listed entity. The rest of it was all private 9 placement. So I think it's pretty irrefutable that there has 10 been a big sea-change here and that while the U.S. investor, 11 the breadth and depth and liquidity of the U.S. investing 12 pool, the 90 million investors in the United States remain a 13 very attractive target to global companies looking to raise 14 money. They are disinterested in doing so while complying 15 with the U.S. governance standards. 16 Now, at the same time I have to say, that when I 17 travel around -- we're talking not only to issuers in trying 18 to attract companies to our market, and of course, my 19 competitor is sitting at the other side of the table, but 20 we're very much joined at the hip in this regard in that -- I 21 think the real issue here is not within the U.S. markets but 22 the U.S. markets as an entity. 23 You can look at what's happening in London. There 24 are now 1,500 companies listed on AIM, and a third of those 25 that listed in 2005 were non-U.K. companies. You can look at 1 the U.S. companies and see that 30 of them are now listed on 2 AIM. There was another announcement yesterday of a company 3 that raised I think $80 million, a tech company, a U.S. 4 company that's listing on AIM. 5 And this is precisely because they wish not to have 6 to comply either as a matter of cost or as a matter of 7 resources, or if look to Asia increasingly is a matter of 8 concern with litigation and what they consider to be just too 9 much litigation in our country and within our markets, and 10 they find that to be problematic, not just as a matter of 11 cost but as a matter of loss of face and personal liability. 12 So I think the combination of these factors say 13 that the U.S. capital markets which have long held the 14 premium position of the number one markets in the world are 15 now being faced with something that we haven't faced before, 16 and money is obviously -- capital is global. 17 We can look at other issues that have pressed on 18 this, by the way. I mean, I think the combination of markets 19 in Europe, the introduction of the Euro as a currency, has 20 created a much deeper pool of liquidity there, so there are 21 other places: Hong Kong. I mean, we've seen places like 22 China Construction Bank raise $9 billion listing in Hong 23 Kong; that could have never happened 5 years ago; it just 24 would have never happened. 25 So to the first part of Chairman Cox's question, 1 yes, I think there has been an impact on the competitiveness 2 of the U.S. capital markets; that's not to say that we don't 3 support good governance; we think it's critical. It's not to 4 say we don't support 404, because we think that's critical as 5 well as 302 and 906 and other components. 6 But it is to say that there is a change under way 7 here. And to use the analogy that Greg used a minute ago, 8 you know, you want to sort of seek the signs and take action 9 before the patient's dead. This would probably be a good 10 place to use that analogy. 11 I will say however that there are very strong 12 benefits for coming to the U.S. capital markets as a 13 registered issuer and lister. And there are studies, a 14 recent one by Carolli that points to significant premium 15 invaluation by being registered in the U.S. 16 And this is a study that compares companies listed 17 in their home market who did private placements in the U.S. 18 versus companies listed in their home market who did 19 registered issuances in the U.S. And there's a significant 20 valuation premium for those that were registered. So there 21 are many benefits that can accrue to companies, but the cost 22 has to be better aligned with the benefit in order to 23 redirect that flow of registered capital back to the U.S. 24 capital markets. 25 MR. WHITE: That was the study that had the 30 pet 1 number in it? Is that the -- 2 MS. CULHANE: Yes. So the Carolli study looks at 3 about -- it's thousands, maybe 9,000 or so companies over a 4 several year span. And it does vary by geography. But it is 5 on average over 5 years, about a 31 percent valuation 6 premium; yes, that's the study. 7 MR. WHITE: Okay. 8 Mr. Pozen, on the international question. 9 MR. POZEN: Yes. I think it's that people ought to 10 think about a potential contradiction between the studies 11 that are showing that Section SOX and 404 reduced the cost of 12 capital to issuers and increase multiples and the fact that 13 these issuers are choosing not to list in the United States, 14 some of them even U.S. companies. 15 I guess it seems that it may be -- I guess you 16 Wednesday have to argue that there was some economic 17 rationality going on that companies wanted to avoid reducing 18 their cost and capital and their multiples. So I think the 19 question suggests that it's much more complicated this 20 relationship. 21 And the other thing is -- we see going on in Europe 22 and the U.K is we see more of a flexible approach and more of 23 a optional approach. You have guidelines that are put 24 together in which companies have some internal control 25 obligations, and their reporting obligations, their audit 1 attestation is more or less left up to a guideline. 2 So we actually have -- we're going to generate some 3 date, and that is if it turns out that there is an optimal 4 mix of internal controls and auditor review, then presumably 5 more and more companies in the U.K and Europe will go to that 6 model, so that will tend to tell us something. So I think we 7 ought to look carefully at those models and see where do, you 8 know, optimizing management tend to find that combination. 9 MR. WHITE: Mr. Lyons as a cross-border M&A lawyer. 10 MR. LYONS: Well, we have seen a precipitous drop 11 off in the interest of our OUS clients, and frankly, most of 12 the clients I work with are form outside the U.S. In our 13 firm, that's a great percent of what we do. And I think 14 that's directly related to 404. 15 To tie it back to what Commissioner Glassman said 16 before, when we started to see our clients' behavior change - 17 - they didn't like -- the OUS clients, they had -- they 18 didn't like 302; they didn't like some of the other parts of 19 Sarbanes-Oxley because it was a little inconsistent with what 20 they were doing. 21 But we didn't see them start to vote with their 22 feet until they had to stare down the barrel of 404. And 23 then we started to see exactly what Noreen was talking about. 24 We didn't see our clients registering in the U.S. for IPOs. 25 They were going to do -- they'll do a London listing and 144- 1 A or Hong Kong and 144-A. That became the overwhelming norm. 2 And that was a direct impact of 404. 3 Now these clients presumably, if they believe that 4 the U.S. capital market -- that the regulation under 404 5 provides them a higher multiple, then they ought to want to 6 list here, unless they conclude that the hit to EPS from the 7 incremental expenses is going to out weigh the improved 8 multiple, that is implicitly what they have concluded. 9 Otherwise to say what Mr. Pozen said, otherwise, 10 they'd be behaving irrationally. Now, whether that 11 conclusion is correct is not clear, but that's clearly the 12 conclusion that's been made in Europe. And it's been more 13 pronounced in Europe, somewhat less than some of the emerging 14 markets; perhaps because frankly the systems over there, 15 while they're not the same as ours, I don't think any of us 16 could argue that many of their systems are reasonably robust; 17 whereas in some of the other markets, they may perceive that 18 they get more uplift from coming into a U.S. registration in 19 some of the other markets gives a little bit more boost. 20 And so what we've seen anecdotally and I think is 21 consistent with the statistics is that in Europe very few of 22 them are going to list in the U.S. And, you know, I think 23 there's not as much of a clamor for deregistration as there 24 was, but there's still an undercurrent, and there still are 25 major European issuers who will look to deregister from the 1 U.S.; I think that's a bad thing. 2 But, you know, that will continue unless we can 3 demonstrate to them that the benefits to their stock price, 4 that their cost of capital from 404 outweigh the costs. And 5 the problem with that is that the costs are much easier for 6 them to quantify. You know what the -- you know, you don't 7 know it for sure, because some of it is ours, but they run 8 the numbers, and they'll know what those costs are. The 9 investor confidence, it's much harder to prove. And the fact 10 that they're not coming here demonstrates they don't believe 11 it. 12 MR. WHITE: Mr. Bowsher. 13 MR. BOWSHER: I've been working with foreign 14 companies for nearly 50 years. And I remember every time we 15 had a reform in this country that they thought we had gone 16 over board, and they were reluctant to bring it to them, but 17 most of the time eventually we did. I can't tell you how 18 many times I've heard over the years that "the wedding we 19 never wanted was an SEC in our country," you know. 20 But most of them have got something that looks 21 somewhat like an SEC today. And I think that's sort of 22 happened just as Peter I think was saying there. But I think 23 one of the other things that's going to happen too and that 24 is when the really big companies overseas. 25 I've been working with one of the big ones in Japan 1 -- when they finally do the Sarbanes reforms and the 404 and 2 the 302 and everything like that, and actually get it done 3 because they're been able to delay it here, that's going to 4 have a big impact on their business community when they see 5 the prominent companies of those countries complying, getting 6 it done and everything like that. It's always been a trend I 7 think overseas. And so I think we will definitely see a 8 period here. 9 I think also in the private equity world, there's 10 no question, there's huge amounts of money today going into 11 private equity. And they can enjoy not having to do 12 quarterly reporting and everything else that goes with being 13 a private company. 14 But a lot of those companies are going to come out 15 of private equity at some point; they're going to be sold 16 into the market. That's how those guys get their money back. 17 And so you're going to see a lot of them in the big capital 18 market arenas at Nasdaq and the New York Stock Exchange; it's 19 just a matter of time. 20 MR. WHITE: Thank you. 21 PANEL FIVE - NEXT STEPS 22 MR. WHITE: I guess I'd like to move to the fifth 23 topic that has been assigned to this panel from the agenda, 24 and that is alternative models or "Alternative Structures of 25 how we might achieve I guess the results of 404, but doing it 1 I guess different than it's now set up with the management 2 assessment and the AS-2 audit to go with it and how we can do 3 that and still achieve the goals of investor protection and 4 helping the markets. 5 Mr. Redman, do I turn to you first on that? 6 MR. REDMAN: Okay. 7 Again, I'm speaking on the perspective from the 8 banking industry and also from some of the smaller banking 9 institutions, but the ones that have still had to file with 10 Fidusha since 1993. And as required under that, we've been 11 doing annual management assessments of an internal controls 12 and had management and auditor attestations for over 10 13 years, and one of the suggestions would be that for highly 14 regulated companies, talking about amending AS-2. 15 And some of the prior panels today talked about 16 incorporating some of the guidance of last May into amending 17 AS-2. And if we were to do that possibly amending AS-2 for 18 highly regulated companies to remove the requirement of the 19 auditor's opinion on management assessment effectiveness of 20 internal control for those types of companies. 21 And with that, possibly instructing the external 22 auditors on how management reaches its conclusions on 23 internal control to audit that rather than the attestation 24 and other considerations: giving the external auditors more 25 latitude and direction in terms of the review of 404 1 documentation, including utilization of a company's internal 2 auditors who are not involved in a direct documentation of 3 the internal controls. 4 Another thing that was mentioned at a prior panel 5 was either lengthening or rotating the testing cycle of 6 noncritical controls as well as taking a look and giving the 7 auditors discretion in latitude when they are auditing an 8 entity that has demonstrated superior governance and risk 9 management over time, getting away from the 1-year everything 10 has to be done completely at that time. 11 MR. WHITE: Okay. 12 Did anyone else want to comment on alternative 13 models? 14 Ms. Williams. 15 MS. WILLIAMS: I would second Mr. Redman's 16 suggestion. I'm also involved with a financial services 17 company as well as a regulated utility. And I think that 18 there is room there for looking to the checks and balances 19 that already exist within those particular areas of the 20 economy to perhaps make some adjustment to the current SOX 21 requirements. 22 One of the things that I've found is that the 23 internal auditors -- if you've got a good internal auditor -- 24 they are in my case accountable to the Audit Committee. And 25 we get information from the internal auditors that I think is 1 very helpful in ferreting out problems at an early stage. 2 And I think to the extent that that could be used in other 3 companies, it's a way of achieving what you're trying to 4 achieve within 404 without having to add another layer of 5 review. 6 MR. WHITE: Thank you. 7 All right. Well, my clock tells me we have about 2 8 minutes, so, Mr. Pozen, I think you're going to get the 9 concluding remark, unless you do it faster than 2 minutes in 10 which case, we'll let someone else -- 11 MR. POZEN: I think what we've heard is from the 12 point of view investors the key question is what's the impact 13 on financial reporting, and that's mainly at the entity level 14 of controls and fraud controls, and it also relates to 15 material weaknesses as opposed to significant deficiencies. 16 So I support what Monty said is, if we could have a 17 cycle, a sense of a cycle where every year we focussed on 18 entity level controls that were directly related to financial 19 reporting and fraud issues and things that went more toward 20 individual bounds controls and significant deficiencies as 21 opposed to material changes in the financial statements, it 22 seems to me that's the way to get where you want to get to 23 and reduce some of the cost. 24 MR. WHITE: Something has happened here. Both of 25 the stock exchanges have got their tent cards up. 1 Mr. Warren. 2 MR. WARREN: Well, I'll be brief. I just would add 3 to what's been said today that I think that Nasdaq certainly 4 supports the work that was done by the Advisory Committee on 5 Small Public Companies. And I think there is movement now in 6 establishing a framework for smaller companies, and that will 7 be very, very productive work. And we would just encourage 8 that to go forward and to look at the breadth of those 9 recommendations and try to advance those in a way that, you 10 know, really makes sense for smaller companies. 11 MR. WHITE: Ms. Culhane, the last comment. 12 MS. CULHANE: Just one brief comment: And this 13 goes back to something Commissioner Glassman said earlier 14 when she encouraged us to think about the impacts of 302 and 15 906 and as it relates to 404. 16 And I would just make a comment on, all of the 17 commentary up here has been very interesting, and 18 particularly those very sophisticated investors seated at 19 this panel who have talked about going to subject matter 20 experts to get interpretations of what material weakness 21 disclosures really are and mean and how it might or might not 22 be impactful to the company. 23 And I think -- I can't help but think of the poor 24 retail investor out there who doesn't have a subject matter 25 expert at their elbow, who doesn't really have a place to go 1 to get real meaningful information that could be helpful to 2 them as they think about where they're going to invest their 3 hard-earned money. 4 So the comment I would make is that I think while 5 there's no quantitative way to say whether the attestation of 6 senior management is more or less important than the focus on 7 financial controls in 404, they're both clearly aligned; they 8 are complementary; and they're both important. 9 But at the end of the day, the retail investor 10 looks at, as Greg said, the reason we got here, the Enrons, 11 the WorldComs, the Adelphias. And really and truly it was at 12 the top of the company that those problems instigated from. 13 So I can't help but think that the retail investor is very 14 comforted by the fact that CEOs and CFOs have to attest now 15 to what it is that they are putting out there disclosing upon 16 which these people are making investment decisions. I just 17 didn't want the poor retail guy to get lost in this 18 discussion. 19 MR. WHITE: Okay. Well, thank you. 20 And I would like to thank all 10 of the panelists. 21 This was a very enlightening discussion. The planners for 22 this roundtable have allocated just a 5-minute break now, not 23 the usual 15. I don't know how to explain that, but we 24 should be back at 4:20 to continue with the "Next Steps" 25 panel. 1 Thank you. 2 MR. RAY: Good afternoon, once again. We have 3 finally the final panel of the day. Welcome, our final 4 panelists. So far, we have learned a lot about specific 5 experiences that people have had implementing Section 404 6 over the last two years, and learned a lot of insights coming 7 out of those experiences. And we have also heard a lot of 8 recommendations on what should be done going forward. 9 I am not going to try to summarize what we have 10 learned today. But nevertheless, let me just point out a few 11 things that I have heard. First off, there has been 12 recommendations for additional guidance that ought to come 13 out of the Securities and Exchange Commission and the PCAOB, 14 both for management and for auditors. 15 But there has been caution about how much guidance 16 ought to be given in the nature of that guidance and how it's 17 done. There has been recommendations that Auditing Standard 18 No. 2 ought to be amended, namely, to incorporate the May 19 16th guidance, but there is not unanimity on how it should be 20 done, or what types of amendments ought to be made. 21 And we are hearing that benefit to R&D coming out 22 of the 404 process, but there are questions about the costs 23 associated with those benefits, as well as how Section 404 24 ought to be done. 25 There does seem to be agreement, however, that the 1 process should and can become more efficient, and that leads 2 us to our final panel of the day. 3 In this panel, we are seeking feedback on any 4 significant remaining concerns on how the efficiency and 5 effectiveness of the internal control process done by 6 management and auditors should be improved, and 7 recommendations from you in that regard. 8 Let me introduce the panelists for this final 9 panel. 10 We have with us Mike Cook. Mike is the Audit 11 Committee Chairman and Board Member for numerous 12 organizations. 13 Nick Cyprus is the former Vice President and 14 Controller and Chief Accounting Officer for two very large 15 public companies and currently is a Member of the sponsoring 16 organizations of the Treadway Commission, also known as COSO, 17 which, as you know, is developing additional guidance for 18 smaller public companies. 19 Alex Davern is CFO and Senior Vice President of 20 Manufacturing and IT Operations, National Instruments. Alex 21 is also Chairman of the American Electronics Association 22 Committee on Reform of Sarbanes-Oxley 404. 23 Michele Hooper is Co-founder and Managing Partner 24 of the Director's Council and is Audit Committee Chair and 25 Board Member of numerous organizations. 1 John Huber is a partner with Latham & Watkins LLP. 2 Bob Kueppers is Deputy CEO of Deloitte & Touche 3 USA LLP. 4 Damon Silvers is Associate General Counsel, 5 American Federation of Labor and Congress of Industrial 6 Organizations (the AFL-CIO). 7 Dave Walker is Comptroller General of the United 8 States. 9 Ann Yerger is Executive Director of the Council of 10 Institutional Investors. 11 I'm Tom Ray. I'm with the PCAOB. I've been 12 introduced before. Also with me on the moderator's desk are 13 John White, with the SEC staff, and Scott Taub, with the SEC 14 staff. 15 Now, similar to the previous panels, we have 16 divided it up into broad areas. In this case, there are only 17 three broad areas that we are going to talk about. And I 18 promise you I will call on individuals to start the 19 discussion in each of those particular areas. 20 But I am hopeful that the panelists will exercise 21 their arms a lot in reaching for their name tags and placing 22 them up so that I may call on you in getting your views on 23 each of these three particular areas. 24 So, those three areas are: overall recommendations 25 on next steps. Then we are going to get into specific 1 recommendations on rules and guidance. And finally, we would 2 like your views on how other parties, other than PCAOB and 3 the SEC, for example, should be involved in improving the 404 4 process. 5 So, let's go to the first question. And for this 6 one, I am going to ask Dave Walker to comment. Dave, you and 7 your colleagues at the GAO spend a lot of time working on 8 internal controls and have been following the 404 9 implementation process. So, specifically going forward, 10 Dave, what are the major areas that need attention by 11 management, auditors, the PCAOB and the SEC? 12 MR. WALKER: Well, first let me say at the outset 13 that we at GAO strongly support Section 404. We believe that 14 it has great conceptual merit. And while there were a number 15 of first year implementation challenges and significant costs 16 associated with first-year implementation, that the costs are 17 already starting to come down significantly, and there are a 18 number of benefits associated with 404. 19 I would first say that the PCAOB needs to consider 20 how Auditing Standard No. 2 can be made more clear. And I do 21 believe it would be appropriate to consider integrating the 22 concepts and objectives that were emphasized in the PCAOB 23 subsequent guidance, as well as clarifying areas where there 24 have been practice difficulties. 25 As you know, you did issue some very important 1 guidance in the aftermath of a forum very similar to this 2 that took place last year, but it doesn't have the same 3 authoritative standing. And therefore, I think it is 4 important to recognize that reality and to consider 5 integrating that into an updated Standard No. 2. 6 We continue to believe that the PCAOB should 7 consider modifying its requirements for -- and to allow for 8 rotational testing based upon risk materiality and other 9 considerations. It's something that we have done for years 10 in the federal environment. We are not subject to Sarbanes- 11 Oxley, but we voluntarily comply with a number of the key 12 elements of 404, and have for years. And we believe that 13 there is some merit to risk-based and materiality-based 14 rotational testing. 15 We believe that the SEC obviously needs to consider 16 and resolve the 404 implementation issues with regard to 17 smaller public companies in compliance with the 404, and I'll 18 note that we have issued this report within the last couple 19 of weeks dealing with issues dealing with smaller companies. 20 And we have talked about the plusses and minuses and -- not 21 only considering cost/benefit, but also the fact that 22 investors -- investor confidence and investor considerations 23 obviously were one of the primary reasons that Sarbanes-Oxley 24 was passed. 25 With regard to COSO, we recommend that the SEC 1 continue to support the work of COSO and work with COSO. 2 We also believe that it's important that that 3 ultimate guidance be somewhat clearer, that it emphasize the 4 ability to use professional judgment and risk-based 5 approaches, which not only is appropriate overall, but 6 especially for smaller companies, which is what they are 7 trying to focus on now. 8 And last but not least, you now have the PCAOB 9 inspection program, which is something that did not exist 10 before. And that should be able to provide some very 11 valuable information with regard to actual implementation. 12 And one would hope and expect that the experiences that are 13 gained through that inspection program can be looped back 14 into areas where their additional guidance might be necessary 15 to be able to be provided. 16 And let me add one more thing. I think the 17 profession has a responsibility here, too. I think the 18 profession needs to be developing a best practices, and 19 sharing best practices, in order to try to help get the job 20 done in the most efficient and cost effective manner. And so 21 it's not just with regard to the SEC and the PCAOB, I think 22 the profession and other responsible parties have to be doing 23 their part, as well. 24 Those are my thoughts, Tom. 25 MR. RAY: Thank you. I know most of you, and I 1 know you are not bashful. Michelle Hooper. 2 MS. HOOPER: First, I would like to say that I am 3 very pleased to be asked again to participate in this 4 session. It's been a very good day, and I think a very 5 interesting day, because I think you are hearing very similar 6 messages from a number of different perspectives of people 7 with very different backgrounds. And I always find that 8 helpful. And you are probably going to hear a lot of 9 redundancy on this panel, as well. 10 And I am going to add to it, but I am also going to 11 bring up another area. 12 I think that in addition to everything that has 13 been said, which I totally agree with, I think the issue of 14 the inspections and the timeliness of those inspections and 15 the feedback back to the various audit firms is critical. 16 I think those inspections could be very helpful in 17 providing real world experiences and assessments as to the 18 effectiveness of what is being done out there. But if we end 19 up going through most of our six reviews without the benefit 20 of getting that timely information and being able to adjust 21 and make mid-course corrections, it's not going to do us a 22 whole lot of good, and we are going to be back here next 23 year, complaining about things that we could have perhaps 24 dealt with in a more timely basis. 25 So, that's one. 1 The second piece is -- it relates to the nature of 2 conservatism, I think, that we are finding. Not only on the 3 part of external auditors, although I am going to focus on 4 the external auditor function. But I think there is a degree 5 of conservatism, even within the management and the board 6 ranks. 7 And it -- quite frankly, it relates to liability 8 and the issue of people being concerned -- boards being 9 concerned, external audit firms being concerned, about the 10 liability that they would have based on either finding or not 11 finding a variety of things that could be going on within 12 companies. 13 I think that one is by making -- by giving people 14 more of an understanding of the issue as it relates 15 particularly to examples and case studies. You will not get 16 external audit firm pushing down or pushing up the level of 17 risk-based approaches and using more of management judgment 18 because they don't really know how that is going to be 19 interpreted once you get down to the actual individual that 20 is going to be doing the PCAOB inspection. 21 Are they hearing and adjudicating their reviews to 22 the same degree that we are talking about here in this room? 23 Or are they going to be taking it more on the letter of the 24 actual law that is being written? 25 On the case of the board and management, I think 1 there is a degree of conservatism, because again, we are not 2 sure where -- even though there is a safe harbor provision 3 placed in the Sarbanes-Oxley rules, it is a very vague, if 4 you will, approach to safe harbors. And I think clarifying 5 and providing more specificity on exactly what does that mean 6 and how -- again, how should we be executing our 7 responsibilities I think could be very helpful. 8 And I'll stop at that. 9 MR. RAY: Thank you. Bob Kueppers? 10 MR. KUEPPERS: Thanks, Tom. I've got a series of 11 observations. I think we have seen today -- at least my 12 observation -- we have seen some agreement that there are 13 benefits to 404. Clearly some agreement about costs coming 14 down, although we may disagree on the percentages. 15 One of the things when I talk to groups about 404 16 is, I suggest we have had somewhat of an inordinate focus on 17 the audit costs. And I have always said, maybe what we 18 should do is just not charge for 404 piece of the audit. 19 We'll just do it for free and that always gets a good laugh. 20 Except, not today. 21 MR. KUEPPERS: The point is that companies would 22 not be satisfied if their costs did not come down. And I 23 think what we haven't yet put together is the symbiotic 24 relationship between management's work and the auditors' 25 work. If we need to rely more -- and this year we found that 1 people were relying double the level they relied last year, 2 which is directionally good. But we had managements that 3 said we are going to do less, because we have to get costs 4 down. 5 Well, if management does less then auditors can't 6 rely. So I think management guidance that would help 7 management figure out what responsibility, if any, they have 8 for doing their own walk-through, so we might be able to 9 piggy-back off that. 10 The materiality issue that was mentioned earlier, 11 not the definitions within AS-2 so much, but just the overall 12 problem of trying to assess a deficiency in a context of 13 would it have a material impact on the financials when we 14 really don't have, I don't think, a good metric for quarters 15 versus years and segments versus quarters, and all those 16 kinds of things. 17 And with respect to AS-2, I am kind of ambivalent. 18 If the board determines to amend it to incorporate the May 19 16th guidance, that's find. I think there's always a certain 20 amount of risk when you open up a standard, because I think 21 its basic building blocks should not be fiddled with, but 22 that could be a helpful exercise, just to make it crystal 23 clear that that's part of the standard. 24 And then, the last thing, I guess, is there is the 25 whole issue of small business that somebody had to start, so 1 I thought I would. Wherein I really believe that we can take 2 the learnings that we have had in the first couple of years, 3 from the larger -- the accelerated filers, and work something 4 forward so we can figure out now whether to implement 404 in 5 the rest of the community. But how? And that's why I have 6 been very high on this notion of a pilot program where we 7 could develop some draft guidance for audit firms and for 8 management. Give it a try in '06, and figure out if there is 9 anything else we need to adjust further before the 10 Commission's rules require the rest of the companies to go 11 live in '07. 12 I think that's something that's worth studying and 13 considering. 14 MR. RAY: Thanks. Damon Silvers. 15 MR. SILVERS: Thank you. I apologize. The air 16 conditioning system. 17 It seems to me that you've got to begin here. I 18 think the panelists that have come before me have spoken -- 19 given very reasonable suggestions to the Commission and the 20 Board. But in light of the larger dialogue that went on 21 today, I think it's important that we start with some first 22 principles. 23 We have a statute here, and the statute requires a 24 group of -- a set of things to be done. All right. First, 25 that management assess their internal controls. All 1 managements. Of all public companies. Somehow, I don't know 2 -- the advisory group somehow misplaced their statute book. 3 But it does require all management of all public companies to 4 do so. 5 And on behalf of the individual members of my -- of 6 the AFL-CIO's unions, we would not want any of them to be 7 subject to a pitch by any stock of any company whose 8 management couldn't do so. 9 Secondly, that the statute requires that those 10 assessments then be attested to. And Black's Law Dictionary 11 says that attestation is essentially the same thing as an 12 audit by an outside auditor. There isn't any flexibility on 13 those requirements in the statute nor should there be. 14 Thirdly, it requires that it be so annually. And 15 "annual," again, is a word that has a simple, plain language 16 meaning. Annual. Every year. To the extent that there have 17 been suggestions here today that we not do any of those three 18 things, I think those suggestions are beyond the power of 19 anyone in this room to implement and are profoundly unwise. 20 Now. What are the implications of those three 21 principles? First, you cannot comply with the statute and do 22 so merely by having the auditor rely on management's 23 representations. That's not an audit. That's not an 24 attestation. That's not consistent with the statute. 25 Secondly, despite what some of the previous 1 panelists said, you cannot do this merely at the entity 2 level. It's a little unclear to me what people mean when 3 they said "auditing at the entity level" for the assessment. 4 But one thing is clear. That an audit of internal 5 controls cannot be simply an examination of whether or not 6 the board or the CEO seem like smart people or dedicated 7 people. It has to be an actual look at the controls. And, 8 to give an example of what I mean. If somebody can start 9 moving money around at an account level, or without anybody 10 else watching, without anybody being able to grab onto it, 11 what is to prevent a senior manager whose ethics or brains or 12 degrees have been "audited"? From asking someone more junior 13 in the company to do things down in the interests of the 14 company where there are no controls that would end up 15 bouncing right at the integrity of the financial statement as 16 a whole? 17 And thirdly, we cannot have merely a management -- 18 an auditor's assessment of management's process. Nor can we 19 have simply a reliance upon management's internal control 20 staff or management's saying it's so. None of those things 21 are an audit of internal controls. 22 Now, saying all those things, though, does not mean 23 that you -- that things ought not to be done by both the 24 Commission and PCAOB. None of the principles I just 25 articulated means or should imply that the costs of 404 ought 1 to be as high as they are. Nor does it imply that 2 essentially management ought to assess whether or not there 3 are spoons in the coffee room. Or that auditors ought to 4 audit that. 5 And to the extent that there have been absurdities 6 that have gone on in the implementation of 404, or confusion, 7 or lack of clarity, those things need to be dealt with. 8 Investors, I think, uniformly agree on these 9 points. And it is unfortunate that a debate about doing 10 things that are patently illegal has blocked a real 11 consideration of the common ground that exists between 12 investors and companies about how to do this in a rational 13 and cost-effective way. 14 And I will just suggest four things that the 15 Commission and Board ought to consider. 16 First, as many people have said today, there is 17 really a need for some guidance to management. Guidance to 18 issuers. Guidance that only the Commission can properly 19 issue. Guidance beyond COSO. I think everybody who 20 participates -- who has an interest in this process believes 21 that that's a good idea. And a good starting point are the 22 principles outlined last year in the Joint PCAOB release. 23 Secondly, there needs to be some clarity on issues 24 of risk. A lot of people believe that AS-2 has a risk 25 standard that is impossible to meet. I think in some ways 1 that's an artifact of the language. That there is a three- 2 part division of risk levels in that language. What those 3 risk levels mean needs some clarification, because they could 4 be interpreted as meaning a standard higher than the criminal 5 standard. I don't think that's what they actually mean, but 6 there is some confusion about that. 7 Thirdly, there needs to be some guidance to smaller 8 issuers about where there is an issue of overlapping duties 9 of personnel. An org chart model of a large company -- a GE, 10 for example, does not apply to a small biotech company. 11 On the other hand, though, that does not mean that 12 a small biotech company ought to be allowed to have a payroll 13 system where one person cuts checks and nobody checks on what 14 checks they are cutting. 15 Finally, I think it's very clear that there has 16 been a failure to approach the 404 process as part of an 17 integrated audit. And both the PCAOB and the SEC need to 18 think about ways in which that can be encouraged. There is a 19 great deal of both cost savings and rationality to be had in 20 pursuing things in that direction. 21 I hope these things can be pursued without an 22 attack on the fundamental investor protections that 404 23 embodies. 24 And I'll close by saying this. The concern that 25 Bob Kueppers raised about opening AS-2 and the mischief that 1 might follow. I am inclined to the hope that the PCAOB and 2 staff are tough enough folks to resist that. And that we can 3 have a rational process here. But some of what has gone on 4 in the last few months around attempts to basically gut 5 Sarbanes-Oxley, has impinged upon my natural hopefulness. 6 And I would hope that we could quickly shift this dialogue in 7 a direction in which it is clear that people who opened up 8 this rule -- the AS-2 to a rational corrective process, are 9 not slitting investors' throats by doing so, and that they 10 could do so in the confidence that that gesture of good faith 11 would be met equally with good faith on the part of those who 12 sought to undermine Sarbanes-Oxley to this point. 13 Thank you. 14 MR. RAY: Thanks. As future panelists add 15 additional comments, I would encourage you to comment on your 16 view on whether we should be changing AS-2 as well. It's an 17 interesting question to us. 18 Mike Cook? 19 MR. COOK: Tom, I don't get into the details of 20 these things from the perspective of an audit committee 21 chairman to have a lot to say about what should or shouldn't 22 be amended. 23 I would just suggest to you that in that regard, I 24 would change as little as you possibly can. We are once 25 again in the middle of a year. We are looking for 1 consistency. We are looking for consistency of performance. 2 From an audit committee perspective, I recognize that if you 3 put out more guidance, they are going to put out more 4 guidance, there are going to be 10,000 or 15,000 people -- a 5 large number of people are going to have to be trained in it, 6 they would have to figure out what it means, they are going 7 to tell the audit committees, we'll get back to you later 8 with implications of this for our audit plan. 9 And everything will be in limbo again. I don't see 10 the need for that. And I would suggest to you that if you do 11 issue guidance or change standards at this stage, be 12 satisfied that it's really necessary to do that. 13 I said last year, please do issue more guidance, 14 because I was convinced it was necessary. I am not at all 15 convinced that that's the case this year. 16 One other quick comment. Then I have something I 17 would like to talk about as a more important next step. I 18 called the question on the issue of whether or not these 19 rules apply to smaller businesses. I am not sure they are 20 small businesses by my standards, but smaller businesses. 21 This contentious discussion is calling so much 22 attention to this issue in so many places. It is important. 23 I understand the concerns of these businesses and the cost 24 effectiveness questions that they have. But call the 25 question as soon as you can reasonably do so because it needs 1 to come off the front page. And it leads to what I would 2 like to hear a little bit more about, and that is my hope 3 that we could do some things in "Next Steps" that would put 4 404 in perspective. 5 And what I mean by that is I think 404 is 6 important. But 404 is not the be-all, end-all of financial 7 reporting that it is portrayed to be. And the time and 8 attention that we are spending, all of us who are in this 9 process, on 404 is obscuring and taking time away from other 10 things that I think are much more important to be addressed 11 in terms of enhancing financial reporting, and let me 12 elaborate just a little bit. 13 Last year at this roundtable, as all accountants 14 are required to do, I pledged allegiance to good internal 15 control. I pledged allegiance to 404. And I do so again. I 16 am absolutely convinced it is the right thing. I observed 17 last year that the costs in year one would exceed the 18 benefits, but that was okay. There was a cost to restoring 19 public confidence, so let's get over it and move on. 20 My view is, in year two, the costs have gone down. 21 The benefits may have gone down even more. Now, in terms of 22 relative benefit, it was true what people said on these 23 panels a year ago. That we have a lot of deferred 24 maintenance. We've got catch-up work to do. And that is 25 going to make it cost a lot more. But once the deferred 1 maintenance has been completed, the benefits the second time 2 around are substantially less than they were the first time 3 around, and I would suggest it's certainly possible that the 4 gap between cost and benefit may be greater in the second 5 year than it was the first year. 6 But I don't have any definitive information to 7 support. But everybody says that the costs are going down 8 and the benefits are going up. I am not completely convinced 9 that those statements are accurate. 10 What I would like to see us put 404 in perspective 11 is, 404 has an important role to play in the overall scheme 12 of financial reporting. 13 But 404, like virtually everything in the Sarbanes- 14 Oxley legislation, is defensive. It is about prevention. It 15 is about preventing bad behavior. It is about preventing 16 people who would go over the line from going over the line. 17 It has the positive impact, also, of improving the 18 quality of financial reporting, the reliability of it, by 19 finding errors and correcting them on a more timely basis, 20 but I don't think we would be here or we would be investing 21 what we are investing in 404 if it were not for its fraud 22 detection objectives, as opposed to just correcting errors in 23 financial statements. 24 I am glad that companies are not getting their 25 taxes right and their lease accounting right. But I doubt 1 that we could justify the cost of 404 by those outcomes. 2 But it is part of a group of things that we have 3 done, which is about all we have done in the area of 4 financial reporting in the last four or five years, all of 5 which are almost entirely defensive. They deal with 6 auditing. Auditing is defensive. Keep people from doing the 7 wrong things. Internal control. Whistle-blowing. Etc., 8 etc. 9 All of these things are good. They are important. 10 They fit into the overall scheme, but they do nothing to 11 enhance the quality of the basic financial reporting product. 12 They protect its reliability. They protect its integrity. 13 But they have done nothing to improve it. 14 And I would suggest to you, as a sports analogy, 15 while we have done a very good job on defense, we prevented a 16 lot of scoring against us, we haven't scored any points on 17 offense, in terms of improving financial reporting in a 18 meaningful way, in a long, long time. 19 And it is time for us to get to that. Somebody 20 said, okay, what do you have in mind? I could list 10 or 15 21 things, but I'll pick three or four. 22 Global. Comparability of financial reporting on a 23 global basis, through attention to the convergence of 24 international standards. 25 Complexity. We all know the issues of complexity. 1 Reporting on nontraditional financial information. 2 We have been talking about this for so long. We have had so 3 many groups study this for so long it makes my head hurt to 4 remember them all, and yet nothing has come out of it. And 5 there continues to be a great investor need for information 6 about things that are not being delivered to them in 7 traditional financial statements. 8 Information about human capital. Information about 9 intellectual capital. Information about research and 10 development. And things of that kind, and they are not 11 getting any of that information and there are no meaningful 12 initiatives that I am aware of -- and I don't claim to be 13 aware of all these things -- that are going to deliver that 14 information to them. 15 And I would go on and on, but I would just add one 16 more that I would like to mention, because a number of items 17 fall under this caption, and this has to do with forward- 18 looking information. People I talk to, and maybe I have been 19 talking to the wrong ones -- keep talking about the need for 20 more information that will help them predict the future of 21 the companies. The future success. What are the critical 22 success factors to the future of the company. And while we 23 tried to get at that through MDNA and other mechanisms, we 24 are far short of where we could be, and often what we have 25 done is to restrict the flow of information, rather than to 1 encourage it or enhance it. Things such as Regulation FD, 2 Regulation G and so forth are restricting, if anything, the 3 flow of information or have that implication. 4 Now people are talking about we need to do away 5 with earnings guidance. Even people are going to the extreme 6 of saying we need to do away with quarterly earnings. That's 7 too much of a short term focus. And my suggestion would be 8 that these initiatives, taken together, which are reducing 9 the amount of information that is going to the marketplace, 10 particularly forward-looking information that the marketplace 11 really needs, would be well served to be replaced by a 12 thoughtful approach to providing more information, with 13 appropriate safe harbors and restrictions and things of that 14 kind. 15 Recap what I would like to say -- 404 is a very 16 good and valuable part of the defensive side of financial 17 reporting. It is necessary. But we have to have an 18 offensive game plan at the same time. And we really need to 19 have the time and energy to step back and talk about what we 20 an do to enhance financial reporting, not protect financial 21 reporting from bad behavior by bad people, imposing costs on 22 lots and lots of people who have no ill intentions and would 23 never be engaged in that type of conduct to begin with. 24 So, we paid a very high price for the misdeeds of a 25 few people from a cost standpoint. But I am also concerned 1 we are paying a very high price in terms of the time and 2 attention that continues to go into this subject. 3 MR. RAY: Let me just ask you a follow-up question 4 on that. I apologize if you covered this already. How do we 5 get to those next steps? 6 There are still a lot of people who are concerned 7 about 404 and how it is being applied. Do we stop doing 404? 8 Or what is it we do to get beyond it so that we can then 9 focus our energy on these next important things? 10 MR. COOK: Well, Tom, my opinion is, we have got to 11 get the issue resolved of to whom does 404 apply. I mean, 12 that is a lingering issue which is creating a great deal of 13 heat, friction and probably lots of other things that I don't 14 even know about. We've got to get that resolved, because 15 that is bringing so much attention to this subject. Out of 16 proportion to the overall significance of 404 for the vast 17 majority of the large companies in the United States. 18 After that, I think I would just suggest we have a 19 little bit of a cooling-off period here. And not race to 20 identify every problem and issue guidance to solve -- and let 21 people of good intentions and reasonable judgment work with 22 this for awhile. 23 But every time we put in a new solution, we just 24 create all sorts of issues, and from my perspective, again, 25 as an audit committee chairman, half a dozen companies or so, 1 working with large companies and very good audit firms. They 2 can handle this. Let them go at it for awhile without more 3 guidance and more issuances, unless it is very minor or 4 absolutely necessary. But let it work for awhile. 5 And I am not advocating that they disband it by any 6 means. I think it is absolutely necessary. 7 MR. RAY: Thanks. Alex Davern. 8 MR. DAVERN: Thank you. We are all -- Mr. Silvers 9 and I were on the same panel last year, and we disagreed 10 then, so I am not tremendously surprised that we will 11 disagree on some topics again today. And certainly I respect 12 his comments and thoughts. 13 I wanted to make a few comments about the tenor of 14 the discussion today. I frankly, to be honest with you, have 15 been quite disappointed with the tenor of the discussion. 16 There has been a tremendous amount of polite 17 discussion, and we have all been patting ourselves on the 18 back that in year two things got a little bit better, and 19 things didn't get a lot worse in year two. 20 And while that's great, I would like to step out a 21 little bit further, and I would like to offer a grade to the 22 Commission on the implementation of Section 404. 23 I would like to step people back to June of 2003, 24 when the Commission published its rule. And the Commission 25 set an expectation of the cost of implementing 404 would be 1 about $90,000. The Commission set an expectation that the 2 cost of implementing 404 would be relatively the same for 3 companies of different sizes. 4 Now, as a member of the Commission's Advisory 5 Commission on Smaller Public Companies, I want to assure Mr. 6 Silvers, first off, we did have a dictionary in, and we did 7 understand the definition of "annual." So, let me put that 8 to rest. 9 My perspective is that the Commission deserves a 10 failing grade, frankly, for the implementation of Section 11 404. And, having worked on this issue passionately for the 12 last two years, I feel a little frustrated with the lack of 13 forward action and the lack of realistic, commonsense 14 thinking being applied to the problem. 15 I sat here last year and listened to promises from 16 the audit firms that we would see costs drop by 40 percent, 17 when I came back today. I am here today. And external audit 18 fees -- it's clear from the proxies -- these are just as high 19 now as they were a year ago. They haven't come down at all. 20 And so I hope that we'll see some more forward 21 progress on this than we did in the last 12 months. I think 22 investors also recognize this. I want to echo the comments 23 made by other people earlier on. As a CFO of a public 24 company, I have never once been asked by an investor about 25 Section 404 other than how much is it going to cost and will 1 it come down. That is the only question I have ever gotten. 2 I have never been pushed or asked about the adequacy of our 3 controls and is it inputting benefits. Not once in the last 4 three years. 5 I'm also part of a NASDAQ committee, and we 6 recently surveyed institutional investors. And this survey 7 will be released in the next couple of weeks. We 8 deliberately went out to the investing public to reach bi- 9 side institutional investors to get their views on this. 10 Eighty-six percent of the institutional investors believe 11 that costs of Section 404 exceed the benefits -- I'm 12 personally in favor of 404, I'd just like it to cost $93,000, 13 like we were said to expect in the beginning. 14 Eighty percent of institutional investors clearly 15 support the recommendations of the Smaller Public Companies 16 Advisory Committee, that there be scaled regulation, and that 17 we practically recognize the realities of the world. That 18 1 percent of the total market value of all U.S. public 19 companies is captured in microcap companies. They are 20 fundamentally different. 21 And the conclusion of the Advisory Committee, after 22 a lot of hard work by a lot of smart people, was that it was 23 very difficult to believe that a regulatory format like 404, 24 which requires an external audit attestation, would ever be 25 cost-effective for the shareholders of smaller public 1 companies, especially microcap companies. 2 The reasons, in my view, as to why we are in this 3 situation -- I was taught by my dad, if you admit things 4 wrong by a factor of 20, it's probably a good idea to sit 5 back and really reconsider your fundamental assumptions. And 6 I think that applies today. I think the reasons for it are 7 pretty simple. There's three main reasons. 8 Number one is the elephant in the room that is not 9 being discussed at all at this meeting today. And that is 10 that the GAO has concluded that the Big Four are an 11 oligopoly, with a significant amount of anti-competitive 12 market power. That is a fact that the government has 13 determined. 14 My members of the American Electronics Association 15 believe that is a significant contributing factor to the 16 significant excessive costs of this regulation. 17 Number two is materiality. This has been hit on by 18 many people. And I am going to recommend some changes that I 19 -- in just a second. 20 And then number three is scaling. We are 21 continuing to struggle with the issue, and I agree that we 22 should call the ball on what we are going to do. But I think 23 that the consequences of applying the current regime, which 24 clearly does not deliver benefit over cost to the 25 shareholders to the massive amount of smaller public 1 companies in this country will be very significantly 2 negative. It will be very bad for the U.S. capital markets. 3 They will be very bad for innovation in the United States. 4 And they will create a very strong political backlash. 5 I think the pressure that has happened publicly so 6 far as a result of the big companies having to comply with 7 404 is nothing compared to thousands of small companies, 8 which will create a severe backlash if they are forced to 9 comply with what is not a practical solution for their 10 shareholders. 11 My recommendations, to get to your earlier 12 question, are threefold. 13 One, we need to amend AS-2. I would agree with the 14 comment that it shouldn't be amended for application in 2006. 15 It should be amended for application in 2007. I don't think 16 mid-year we should make changes. But we should be thinking 17 now and publishing now proposed regulations to amend AS-2 for 18 next year. 19 Earlier, AS-2 was compared in an earlier panel to 20 the Constitution. I don't know if anybody remembers that. I 21 would like to also reference -- although I am a recent 22 American citizen -- the American public had the courage to 23 amend the Constitution. If we had the courage to amend the 24 Constitution, I hope we will have the courage to amend AS-2. 25 The changes I would recommend are threefold. 1 Number one, change the definition of "material weakness." It 2 is core to the problem. The SAB 99 rules apply qualitative 3 and quantitative assessment. To what are you going to do a 4 restatement? Will the restatement affect the mosaic or the 5 entirety of information available to investors in deciding on 6 the value of a stock? 7 We need to get a qualitative assessment into the 8 assessment of material weakness so we don't have hundreds and 9 thousands of material weaknesses that are being disclosed, 10 which investors have clearly indicated they don't care about. 11 We need to change the assessment of a material 12 weakness from assessing against the quarterly financial 13 statements of a company to against the annual financial 14 statements of a company. This quarterly application 15 assessment of material weakness is way too tight a standard 16 and results in the minutia that Professor Grundfest so 17 eloquently explained this morning. 18 And thirdly, we need to allow rotation. I would 19 echo the comment made by the GAO. It is a practical, 20 commonsense audit tool that has been used for many decades. 21 The second recommendation I have is adopt the 22 recommendations of the Small Public Company Advisory 23 Committee. Although there are many who fervently disagree 24 with this, the reality is that those are the best, in my 25 view, practical solutions to the main problem. They will 1 deal with the 6 percent of companies for which this is 2 horribly painful, and we can get on with the business of 3 ensuring that the 94 percent of the capital markets, and the 4 100 percent of the capital markets we're moving forward with 5 positive recommendations. 6 I would also say that Chairman Oxley has made it 7 very clear that the SEC, in his belief, has the authority to 8 provide exemptive relief, if it is in the public interest, 9 and if the costs of regulation exceed the benefits. I 10 believe those who voted for Sarbanes-Oxley 404 did it in the 11 framework and the knowledge that the SEC had an obligation to 12 apply it in a manner where the benefits exceeded the costs. 13 And thirdly, we need to restore competition, and I 14 hope the PCAOB takes very seriously the lack of competition 15 in the public company audit market, with four companies 16 auditing 98 percent of the revenue of public companies in 17 America. 18 Without significant change there, which I believe 19 is an exposed risk to the U.S. capital markets to have that 20 concentration, it will be very difficult to get the type of 21 competition we need in order to have cost-effective 22 implementation. 23 Now, I'll listen to the many and various rebuttals. 24 MR. RAY: Thank you. Nick Cyprus. And Nick, when 25 you're finished, I know John White has another question he 1 would like to direct to you. 2 MR. CYPRUS: Okay. Well, first, let me thank you 3 for inviting me here today to speak. I feel privileged. 4 I believe that Section 404 and AS-2 have gone a 5 long way. And I have worked with two Fortune 500 companies 6 as the Chief Accounting Officer in improving the quality of 7 financial reporting. And I would say I would be extremely 8 cautious about making changes to Auditing Standard 2, because 9 I believe that the audit firms and, by the way, management, 10 understand the guidance that is out there. 11 And I believe like anything that we will drive 12 those costs down. Every year, because it is about improving 13 the bottom line. So, we will figure that out. And we will 14 be driving those costs down. And when there is a 15 disagreement between us and our auditors as to how to get 16 those costs down, there is a process that we can go through. 17 You created that process today. I know how to meet with the 18 chairman of my audit committee, and my company, and in 19 essence, my audit firm, and I know where to find the members 20 of the PCAOB, who could help us. 21 And, by the way, if something relevant comes out of 22 there, because we think one thing and the PCAOB comes up with 23 something that none of us knew about, that's the time to 24 issue additional guidance that says, you guys didn't know 25 this but here is how we felt. 1 But to just make wholesale changes is going to take 2 us off the experience curves that we are already under. 3 Because I perceive that I know how to get at this, and I am 4 worried about change that I may not know how to get at. 5 So, I am not necessarily positive that I think 6 change is necessary until we have very specific issues that 7 we know how to change. 8 Okay. With that said, I do want to just make 9 certain comments that I think are important. I really do 10 believe that all public companies should comply with Section 11 404. Being a public company subjects you, I believe, to a 12 set of standards. A set of rules that are out there to 13 protect the public. And to just go out there and say, I 14 can't afford, can't afford, to comply with those set of rules 15 is an interesting proposition but then you can't afford to 16 use public capital. 17 So, I think that we have an obligation to help 18 people understand the rules, practically comply with the 19 rules, but not play the game. I just don't think that is a 20 good answer. I don't care how small you are or where you are 21 in the public. 22 I think everybody has to be a part of that game if 23 you want to be a public company. 24 So -- and I feel pretty strongly about that. 25 There's processes in place that are meant to protect the 1 public. I think we can come up with those things. 2 By the way,, not having the financial skill sets to 3 understand what those rules are, or saying well, we'll 4 certify the financial statement ourselves and we don't need 5 the auditors to look at them. 6 My statement would be, well, then, how do you 7 know -- even though you truly believe in your heart what you 8 did was right -- how do you know it's right? If someone with 9 the right skill sets hasn't come and looked at what you did 10 and says, we agree it's right. 11 So, we could figure out a process that works on 12 that cost. Because I absolutely believe that those costs can 13 come down from where they are today. And I believe that they 14 will come down from where they are. 15 We can talk about it all we want, but I've got to 16 tell you, every CFO in the country and every controller in 17 the country is focused on how to get those costs down, okay? 18 While maintaining the benefits. 19 I'll limit my comments to that for now. I have 20 specific suggestions we can get on, when we get in more 21 detail. 22 MR. WHITE: I want to go back to the Advisory 23 Report from -- the Small Public Company Committee. The 24 Commission and the staff obviously have that report, and we 25 are looking very carefully at the recommendations, 1 particularly those that relate to 404. 2 And, as I read them, and as -- I was particularly 3 emphasized [sic] by the two chairs of that committee, they 4 say that "unless and until." And I underlined those words 5 "unless and until" a suitable framework is developed for 6 smaller public companies to apply 404, that 404 should not 7 apply to smaller public companies. 8 And I know that you are really here as the "COSO 9 spokesperson," so I will look to you, Mr. Cyprus. At the 10 request of the Commission, COSO has in fact been working on a 11 framework to assist smaller public companies, and I know you 12 have been -- you've had that put out -- you put the proposal 13 out last October, it's been -- you have gotten comments on 14 it, and I guess I would like you to expand a little bit on 15 where we are with that proposal because if -- does that 16 proposal go in the direction of this "unless and until" 17 because that's really the recommendation -- say, if we have a 18 framework, then it should apply to the smaller companies. 19 So, if you could give us a report on the 20 framework -- the COSO work, I would appreciate that. 21 MR. CYPRUS: I'd be happy to. The COSO board is 22 still working on it. I would not expect that you are going 23 to see a brand new COSO framework from the framework that's 24 out there today. 25 What you will see is a lot of thought process on 1 how to apply that framework in more practical -- so, we will 2 be talking about principles. We'll be talking about -- 3 you'll be seeing some attributes, and we'll be giving 4 guidance as to how to apply the framework that's out there. 5 But there is nobody within the COSO group today that is 6 actually working on a different, new framework. So, I hope 7 those expectations are set. But we are working hard to try 8 to come up with practical guidance and thoughts that would 9 help those people who don't necessarily have all the skill 10 sets of the members that sit on the COSO board or who are 11 internal control experts. 12 So, it would simplify that. But I don't see a 13 different framework coming out. 14 MR. RAY: Thank you. Ann Yerger. I believe you 15 have your card up. It's hard to tell with the air 16 conditioning situation over there. And then when you are 17 finished, I'll recognize Commissioner Atkins. 18 MS. YERGER: I did. I was the one blowing on 19 Damon's card so I could beat him to the punch. 20 I just want to share the Council's perspective. We 21 have long been very supportive of Section 404. We believe 22 solid internal controls are the backbone of high quality 23 financial statements. And, as a result, they are relevant to 24 any company, large or small, tapping the public markets. 25 The Council's perspective is one of an organization 1 representing large term investors who are very broadly and 2 deeply invested in our U.S. capital markets. The average 3 Council fund has about 45 percent of its portfolio in U.S. 4 stocks, about half of that is passively managed. And 5 passively managed, in a very broad way, in an index such as 6 the Russell 3000, which, I might add, has about 40- 7 plus percent of its companies that would fall under the large 8 company level recommended by the Small Business Advisory 9 Committee, and I can tell you our members are not comfortable 10 thinking that such a significant portion of their long term 11 core portfolio would not have to be in compliance with this. 12 I will comment we don't support 404 at any and all 13 costs. Shareholders ultimately shoulder these compliance 14 costs, and we want to be certain that they are cost-effective 15 and efficient. And we obviously believe that 404 16 implementation be risk-based and right-sized to best suit 17 companies' size and complexity. 18 We share the business community's concerns over the 19 implementation costs of 404, but we believe that these 20 problems can and should be addressed by the SEC and the 21 PCAOB. We think there is quite a gulf between the status quo 22 and the recommendations of the Small Business Advisory 23 Report. And we think that you can deal with this with 24 guidance. 25 We agree that time is of the essence. Not simply 1 because I think we have all been spending probably too much 2 time on 404, and it's enough time. We need to move forward. 3 But also because I am very concerned that if the 4 SEC and PCAOB don't act, that Congress will, which we think 5 would be a very suboptimal response at this point. 6 Let me just make a few comments on some of the 7 recommendations that were noted. I, of course, second 8 everyone's comments about the need -- and I think the 9 incredible need -- for practical, plain English guidance to 10 the companies, particularly small companies, on how to 11 evaluate and set up and effective internal control framework. 12 We would also very much support a pilot program, to 13 test the effectiveness of the guidance at issue. And that 14 could be done, giving you plenty of time to refine the 15 guidance and enhance the implementation for small companies. 16 I would like to commend on -- about deadlines. 17 Deadlines have been extended several times. I think the 18 Council could very reluctantly live with one additional 19 modest but final extension. However, we would very much 20 oppose any multi-stage, phase-in process. I think 21 implementation here has taken long enough. It's time for the 22 entire business community, small and large, to get over it 23 and get on with it. 24 To the PCAOB. There is certainly anecdotal 25 evidence to suggest that auditors haven't fully embraced or 1 perhaps understood the guidance issue last year and I don't 2 think maybe it's at the national level, but certainly down at 3 the field, there is evidence that it's not working correctly. 4 In terms of integrated audits, etc., we do 5 recommend that you consider expanding or clarifying the 6 guidance, where appropriate, and I think it is very 7 appropriate to embed some of this into AS-2. 8 We would support clarifications to AS-2, provided 9 the changes do not materially impact the underlying intent of 10 AS-2. 11 Finally, we would very much support issuance of 12 guidance to small company auditors so that they can do a 13 better job on their side. 14 And finally, we would urge both the SEC and the 15 PCAOB to work together, and to work with COSO to ensure that 16 the 404 framework is respaced and the right size and that 17 your guidance is coordinated and complementary. 18 Thanks. 19 MR. RAY: Thank you. Commissioner Atkins? 20 MR. ATKINS: Thank you. I just wanted to follow up 21 on a couple of the points and ask a question here. I think 22 it's clear, at least to me, from what we have heard today 23 that application of 404 and AS-2 sort of veered off -- at 24 least in answer to the failing grade that you have given us - 25 - veered off from at least what I was voting for at the 1 beginning, which was the COSO-based, top-down approach. 2 So I thank you all for your suggestions on that. 3 But I was wondering. At least we have two decision-makers 4 here on the panel as far as dealing with, as you termed the 5 oligopoly out there, we all know that if you have a reduced 6 supply of folks out there because of all the new requirements 7 for auditors that the price goes up. 8 How easy is it for you to actually negotiate the 9 scope and/or the fees of these projects, as members of the 10 audit committee? And others maybe hear from your clients. 11 Is it a take it or leave it proposition that is presented to 12 you? Is there flexibility in there where you can have 13 influence? 14 MR. COOK: Well, I would answer first, 15 Commissioner. I am only involved with pretty good sized 16 companies. This is not a big issue for those companies. As 17 somebody said one time, how many accounting firms do we need. 18 I said, one more than the one I have. And I can handle the 19 issue. 20 And, as a practical matter, this -- the costs are 21 there. They are being incurred. The difficulty with this is 22 that the firms are incurring very substantial costs. And 23 from my perspective as chairman of the audit committee, I 24 don't think I'm really doing the best for everyone. I'm just 25 hammering down the costs by delivering ultimatums that says, 1 if you don't do it for half that, we are going to go get 2 somebody else to do it. 3 What I really what is for them to learn how to do 4 it and have people help them do it in a way that will bring 5 down their costs rather than just hammering it down through 6 the issues of supply and demand. 7 So we are trying to work with firms. Trying to 8 work with the financial management. It takes a lot of 9 effort. And we are quite satisfied that the hours are being 10 put in and that the costs are not unreasonable on an hourly 11 basis. But it just takes an awful lot to get this done. 12 MR. DAVERN: I would also address Mr. Atkins' 13 question. I would agree with Michael that certainly we want 14 to focus on balance between both sides to try to reduce the 15 cost. However, the objective reality is that audit fees and 16 total external audit fees did not come down at all in here, 17 too, and the objective fact on the table. 18 The other point I would make is that this issue is 19 directly related to size. If you are a very large company, a 20 Fortune 500 company, you are very attractive client, a 21 premier client, you have a significant amount of negotiating 22 room, then it's normal and natural. That is the benefit of 23 scale. 24 If you are a very, very small company, the 25 situation is the reverse. And it is basically a take it or 1 leave it for most of our small company members. And that's 2 the feedback that we get repeatedly. 3 I would like to also make one other comment, as, 4 again, the only member of the Advisory Committee that has 5 appeared today. And Daniel, hopefully, back me up on this 6 when we talked about it -- but when you go to your question 7 of COSO, and Melissa addressed the question for smaller 8 public companies -- we actually had the Chairman of the Task 9 Force of that Framework as part of our 404 Subcommittee on 10 the Advisory Committee. 11 And she and we all concluded that the new COSO 12 guidance would not significantly change the cost equation for 13 small public companies. And so that was considered very 14 carefully before we reached our conclusions. 15 Thank you. 16 MR. RAY: Thanks. I know that John Huber has some 17 specific suggestions for us. We talked briefly before the 18 meeting. And I would like to recognize John, and then I 19 believe Chairman Cox would like to have the floor. 20 MR. COX: Actually, I just wanted to find out the 21 answer to John's earlier question. And I just got it, so, I 22 haven't a question. 23 MR. RAY: John Huber. 24 MR. HUBER: Before I go into my suggestions, I 25 really want to address the cost question. 1 I'm a securities lawyer. I do restatement work and 2 -- what is euphemistically called "irregularity" work all the 3 time. There were 1260 restatements last year from public 4 companies. We're very busy. 5 And I can tell you that the concept of cost for a 6 404 audit is nothing compared to what happens when you face a 7 restatement in terms of delisting from NASDAQ, litigation, 8 people coming and saying, gee, you know, your indenture is 9 now in default. We would like you to pay up. 10 All of those concepts start to come in, and the 11 concept of the cost of an audit, from an auditor, has got to 12 be weighed in terms of what is out there if you don't do it 13 right in the current regulatory environment. 14 So, I am not going to get involved in dollars, but 15 I am going to say, every CFO I work with comes to a very 16 simple conclusion, that being penny-wise and pound-foolish 17 with respect to the costs of the audit really was a stupid 18 thing to do. 19 And, with that, I would like to thank the Board. I 20 would like to thank the Commission. I would like to thank 21 the staff for inviting me back for the second time. I don't 22 know why you did it, but thanks, anyway. 23 The fact of the matter is, I've got four points in 24 terms of things that the SEC and the Board can do. Two of 25 them apply to all registrants. One of them applies to 1 smaller business. And one applies to foreign private 2 issuers. 3 And I'm really building on my experience in private 4 practice for 20 years, and 11 years at the SEC, in terms of 5 these suggestions. Because I was a young attorney when the 6 Foreign Corrupt Practices Act was passed in 1978, and guess 7 what? It was an empty box. There wasn't anything there, and 8 everybody just went blithely down the road with respect to 9 13(b). We are now filling the box. 10 The first recommendation really deals with a very 11 simple concept that I was the voice in the wilderness on last 12 year concerning material weakness. I was on the panel, and I 13 was the only person saying, hey. There is an issue with 14 respect to material weakness. But I really do think that 15 with two years' experience, that AS-2 and the SEC's role 16 should be looked at with respect to the benefit of that two 17 years' experience. 18 You can look at a lot of different things. I think 19 the structures of these rules are sound, but I think we need 20 to go to the next level with respect to what these 21 definitions in particular, but the way that the process works 22 in specific really should be examined. 23 The one that everybody is talking about is material 24 weakness. I am going to talk about it too, but I am going to 25 give you a little bit more that just, it's broken. Okay? 1 Material weakness is a probability magnitude test. 2 Okay? The probability and magnitude. More than remote is 3 probability. Material is the magnitude. We need to increase 4 the probability factor. It has to be something like likely. 5 Okay. I hate to say that is what really is important, but 6 you are going to see why I mean it in a minute. 7 And the concept of materiality is not a PCAOB 8 point. It's an SEC point. And that comes straight out of 9 SAB 99. And there were those of us in private practice who 10 really did think it was a new standard in 1999. And really 11 did think that it lowered the bar of materiality. Far lower 12 than what Bob Pozen was talking about with respect to a 13 significant impact on the entity level. 14 But the fact of the matter is, my whole point with 15 respect to this is that the definition should be like the 16 canary in the mine shaft with respect to financial 17 statements. Everybody was expecting that, so I delivered 18 that to you. Okay? 19 The fact of the matter is, it means something. The 20 point that was made that you get a material weakness with a 21 restatement -- that's a day late and a dollar short. The 22 material weakness should be the precursor of what is coming 23 down the pike. So that two things happen. First, the 24 ordinary American investor reacts to it. It may sound crazy, 25 but that's what this is all about. It's about protecting 1 investors, and therefore, material weakness should be defined 2 in a way that he or she understands. When it's disclosed 3 there should be an impact on the marketplace. 4 I do this disclosure all the time. I am 5 continually shocked that they say all of these terrible 6 things and nobody understands what we are saying in terms of 7 the marketplace because (a) everyone has it, and it is in the 8 realm of probably that it's not going to happen because the 9 threshold is too low. 10 And second, and this goes to Commissioner 11 Glassman's point, management has got to really understand 12 that this is important. One of the reasons why you are 13 getting all this cost stuff is that CFOs, CEOs, companies 14 don't think it's important because they don't worry about it. 15 They've got to worry about the definition of material 16 weakness in terms of the effect on them, and particularly the 17 302 certification for the CEO and CFO. 18 So that should occur in terms of the amendment. The 19 guidance from May should be included in the AS-2 standard. I 20 would say more importantly, the nine firm framework, which is 21 a great way of understanding how you go from significant 22 deficiency to material weakness should also be included. 23 Part and parcel of these is the second suggestion 24 that I have. The May guidance talked about the zone of 25 reasonableness. Now, the zone of reasonableness is a lot 1 like the twilight zone. A lot of people don't go in there. 2 Okay? 3 MR. HUBER: And the fact of the matter is once you 4 are there, it becomes something that is problematic. We need 5 guidance on the question of the zone of reasonableness 6 because judgment is critical. It is a critical underpinning 7 to getting this entire system to work efficiently from a 8 management standpoint as well as an auditor standpoint. 9 An auditor's reasonably based judgment should not 10 be penalized. We can all say that philosophically, but the 11 fact of the matter is AS-2 should build it into the standard 12 so that engagement partners -- and that's usually as far up 13 as I go in the pecking order with respect to accounting 14 firms. I never get beyond engagement partner. 15 Engagement partners are the people that I deal with 16 and so they don't twitter. And the fact of the matter is, 17 this point is really something that I would analogize to 18 Delaware corporation law, with respect to the business 19 judgment standard. Loyalty. Good faith. Being informed. 20 Okay? 21 If management and the auditor do that, and they 22 reach the wrong answer, they should not be penalized. And 23 putting something like that into AS-2 is something that I 24 would recommend. People should not be afraid of the PCAOB 25 inspector. The PCAOB inspector should not be a career-ending 1 experience for an auditor. The fact of the matter is, they 2 are all trying to do the same thing in terms of protecting 3 investors and inspiring investor confidence. 4 Third, I agree with -- 5 MR. RAY: Say, John. I hate to interrupt you. We 6 are running out of time. If we could get your last two 7 points very quickly, that would be great. 8 MR. HUBER: Two points. I agree with the Small 9 Business standard that was talked about. Mr. Turley's 10 standard. I would make it real in terms of the SEC and the 11 PCAOB should form and EITF to get guidance out for smaller 12 businesses quick. And the fact of the matter is about 13 calling the question is very important. The COSO for smaller 14 businesses has got to come in. 15 Fourth and finally, but this goes to the Chairman's 16 point, it is imperative that we, the United States, talk to 17 the European Union and get an international internal control 18 role of financial reporting. As an SEC person, I used to be 19 sent by the Chairman to Europe to talk to them. They thought 20 I was Fort Apache the Bronx. They thought I would burn their 21 houses down because I was from the United States. The SEC -- 22 we need to make absolutely sure that they understand what 23 this is about and bring convergence into the mix with respect 24 to coming up with something because our markets used to be 25 the gold standard of the world. The person from the New York 1 Stock Exchange talked about it. We are losing that gold 2 standard. And I don't know whether it's just money traveling 3 or money being someplace else, but 404 should not be the 4 factor. 5 MR. RAY: Thanks, John. Dave Walker, I think I saw 6 your name go up earlier? Did you want to make a remark? And 7 if so, I believe you are going to have the last -- 8 MR. WALKER: It actually didn't go up, but somebody 9 mentioned something about GAO studies. I think we have to 10 keep in mind from eight major international accounting and 11 consulting firms down to four. And there's a lot of reasons 12 for that. Part of that is the responsibility of the 13 government. The government opposed going from six to five, 14 and the government caused the going from five to four. 15 Because the government indicted the firm rather than the 16 responsible individuals. 17 And there is an issue here because with new 18 independence rules, with concerns with regard to industry 19 expertise and a variety of other factors, you really don't 20 have four choices for auditors today. 21 But that's probably beyond the scope of this panel. 22 MR. RAY: Okay. Well, with that, that brings us to 23 the end of the panel. And almost the end of the day. So, on 24 behalf of all the moderators, I would like to thank all of 25 the panelists. I would like to thank the SEC Commissioners, 1 and the PCAOB Board Members for their attendance, attention 2 and participation. And the audience here in Washington, and 3 those listening in on the web. 4 With that, I am going to turn the floor over to SEC 5 Chairman Chris Cox. 6 MR. WHITE: Actually, John, I would also like to 7 put on the record our thanks for the tremendous efforts of 8 the staff of the PCAOB and the staff of the Office of Chief 9 Accountant, the Division of Corporation Finance. They have 10 put in countless hours putting today's program together and I 11 really want to make sure that was on the record as well. 12 MR. COX: Well, John, that's a nice segue into my 13 valediction, which is going to be exceptionally brief. 14 Before we adjourn, I would like to thank everyone. 15 Certainly all of our staff for their participation and 16 willingness to share their experiences that that goes first 17 to all of our panelists, this panel and all the preceding 18 panels. The information that you provided at this roundtable 19 and through y our written comments has been extremely 20 valuable. 21 I would also like to once again thank my fellow 22 Commissioners, and Acting Chairman Gradison and the Members 23 of the PCAOB Board for their participation. 24 We have heard today that 404 has produced 25 significant benefits and costs. We have heard a range of 1 views about relative importance of each. We also have heard 2 specific feedback about issues that remain to be addressed, 3 and actions that the SEC and the PCAOB could take to make the 4 internal controls investment in auditing more efficient and 5 more effective. 6 The SEC and the PCAOB will evaluate the comments 7 that we have received as we consider what next steps we will 8 take to improve the efficiency and effectiveness of the 9 process. 10 Finally, while our focus today has been on those 11 companies that have gone through two years of implementation 12 of the internal control requirements, we have also heard of 13 special challenges faced by companies that have not yet 14 undertaken the process. We are sensitive to these concerns, 15 and we will consider information that we have received here 16 today in light of those important issues. 17 We will also consider the important work of the 18 Advisory Committee on Smaller Public Companies, which just 19 had their first meeting at our roundtable last year and has 20 now provided us with a Final Report. 21 That sums it all up. I want to thank everyone for 22 being here. Our meeting is adjourned. 23 (Whereupon, at 5:33 p.m., the meeting was 24 concluded.) 25