

Looking under the Hood

New attestation standards for internal controls put more power in the hands of auditors.

May 1, 2004

If you think audits are tough now, just wait. Section 404 of the Sarbanes-Oxley Act of 2002 requires auditors to certify not just financial results but also the processes by which they are determined. The law mandates a formal audit — including documentation, testing, and certification — of a company's internal controls. The new requirement will give auditors a real say in how CFOs run their operations.

Just how much of a say wasn't totally clear until March, when the Public Company Accounting Oversight Board (PCAOB) issued its final standards, which stipulate that auditors give either a thumbs-up or thumbs-down to a company's internal controls, starting with "accelerated filers" (market caps over $75 million) whose fiscal years end on or after November 15. (The standard was awaiting approval from the Securities and Exchange Commission as CFO went to press.)

Before this ruling, if the auditors identified any material weakness in internal controls, they would merely send a letter to the audit committee detailing the problem. Now, weaknesses such as neglecting to get a second signature on certain checks or failing to properly document legacy software systems could mean a failing grade on internal controls. True, the auditor may still approve a company's financial statements. But failing the controls testing in a formal audit will undoubtedly lead investors to question the validity of financial results. And given the pressures auditors face, rumors are rampant that audit firms will fail a significant portion — some observers say 10 percent — of the companies they audit.

The prospect of failing the controls audit puts finance executives, who must issue their own assessment of internal controls (which also is subject to an audit), in a precarious position. They will have to find and publicly disclose any inadequate controls lest the auditors reveal them instead and report the company to the PCAOB. Then they can just hope that any resulting damage to their stock price and reputation from the disclosure is mitigated by admiration for their candor.

On the other hand, finance executives who are up to this challenge may gain a lot more internal clout as a result. "I have a big interest in well-controlled financial reports anyway," notes Gary Perlin, CFO of Capital One Financial Corp. So if any employee objects to the process, says Perlin, "all I have to do is say, 'Excuse me, it's the law.'" In other words, he adds, "404 is a benefit, because it lets me get people's attention." Perlin isn't the only finance executive who sees the rule in these terms. "I think I'm better for it," insists Keith Sherin, CFO and senior vice president of General Electric Co. "It helps increase my confidence in our financial integrity."

GE has already seen its payments to its auditor KPMG LLP increase 40 percent in 2003 (from $38.7 million to $55.3 million), in large part because of work related to Sarbox and Section 404. And 404 alone is expected to cost the average large company $4.6 million this year (including both internal and external expenses), according to a recent Financial Executives International (FEI) study. But that survey was conducted before the audit firms learned the full extent of their responsibilities. Given the provisions of the final standards, in particular the extensive testing requirements, the bills could be much higher than previously thought (see "Paying the Piper," at the end of this article). The question is, will companies besides GE and Capital One find the money well spent?

Prove It
Requirements for adequate internal controls are not new. For the past 27 years, the SEC has demanded that public companies meet certain standards of control. As long ago as 1992, the Committee of Sponsoring Organizations of the Treadway Commission created a framework for evaluating them.

Just maintaining internal controls, however, is no longer good enough. Sarbox requires companies to analyze and document their internal-control processes, which means they must in effect create elaborate procedural manuals and update them whenever a process changes. And before controls can be certified, both the company and its auditors must test them for their "design and operating effectiveness," says Stephen Poss, senior partner and chair of the securities litigation and SEC enforcement practice area at law firm Goodwin Procter LLP.

To do that, the final PCAOB standard — known as "Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" — requires auditors to examine the controls themselves and even conduct "walk-throughs" of important stages. There are limits on how much an auditor can rely on the work of others, even though internal finance staffs may have already tested the same processes. And because the audit covers the entire year, there are also extensive interim testing requirements.

Moreover, because the auditors are required to test anything materially significant to a company's financial statements, they must look for weaknesses in everything from how entries are consolidated and adjusted to what security controls are in place for accessing corporate technology.

What's still uncertain is just how far auditors will go in applying the new PCAOB standards. Their tests will vary "company to company and auditor to CFO," notes George P. Herrmann, vice president and CFO of Jefferson Wells International, a Brookfield, Wisconsin-based consultancy that specializes in internal controls. But factors such as the nature of the control, its complexity, and its frequency of use will all determine the extent of the testing, says Steve Wagner, a partner with Deloitte & Touche LLP and co-chair of its Sarbanes-Oxley steering committee.

