Indeed, observes the PCAOB's McDonough, "the reason this legislation is so tough is because the American people rose in fury. They believed corporate leadership in America had let them down, which I believe [is true]." Sarbox, he points out, passed the Senate unanimously, and missed unanimous House passage by just three votes.
It is those numbers that best explain the muted response of business groups and individual company executives. The Business Roundtable, observes Lehner, "knew investor confidence was shaken and a lot had to be done to restore it."
There is, however, a massive effort under way to convince rule makers that their interpretation of Section 404 has gone far beyond what is needed to restore investor confidence. "The SEC and the PCAOB get lobbied just as much as Congress these days," notes Lehner. In fact, he says, their narrow focus may be preferable to the reactionary tendencies of Congress. "Any time you open up a piece of legislation, you do run a risk. You could end up with something you didn't anticipate."
Congress devoted just 168 words to Section 404, notes the Chamber of Commerce's Chavern. "There are a lot of links in the chain between those 168 words and the $10 billion to $20 billion being spent to comply," he says. "They include SEC rulemaking, and most particularly PCAOB standard-setting and how audit firms are putting those standards in place."
Litany of Complaints
So exactly what changes would the business world like to see from the SEC, the PCAOB, and auditors? Perhaps the top complaint about 404 is that auditors must opine on management's own assessment of internal controls. Since auditors already issue their own opinion about internal controls, that second auditor's opinion is widely considered by business to be a duplicative and unnecessarily costly addition.
Not so, counters OPERS's Richson. "Investors think that extra step is very much an important piece of making sure there are no weaknesses in controls," she says, noting that investors have not forgotten the way auditors "rubber-stamped" management representations in the past. Indeed, former SEC chief accountant Lynn Turner noted during the roundtable that management at 87 percent of companies announcing material control weaknesses had previously certified the effectiveness of their controls.
All debate aside, the audit opinion on management's assessment is one of the very few requirements actually spelled out by Congress in the original legislation, making any change highly unlikely.
Beyond that, however, many of the concerns expressed by CFOs arise from PCAOB Auditing Standard No. 2 and the resulting behavior of auditors. As its name implies, AS2 was written for auditors. But with few other sources of guidance, auditing standards have become "'back-door' management requirements," as Alamo Group internal-audit director Dennis M. Stevens noted in his comment letter. Regulators have certainly indicated a willingness to consider changes to the standard if necessary. "The board's interest is not in preserving the very first version of this standard for all eternity," says PCAOB associate chief auditor Laura Phillips.
"Are things being done that are unnecessary? My guess is yes," said McDonough at a Harvard Law School panel on regulation on March 7. "It is insane for small companies to have the same internal controls as General Electric." The SEC roundtable, he says, is an opportunity to learn. "Then we — the SEC and the PCAOB — have to figure out how to do as much as we can administratively."
But before any changes take place, regulators will have to decide whether the fault lies with AS2, or with the auditors who apply it. Irritation with the auditors' indiscriminate approach to all controls regardless of risk ran high during the April 13 roundtable, a sentiment compounded by the auditors' refusal to provide any advice or counsel for fear of violating independence rules. AS2, notes the FEI's Cunningham, "states throughout the standard that the auditor needs to use judgment. But the auditors were terrified to use judgment."
That issue was high on the PCAOB's agenda for the roundtable, says Phillips, who wondered in advance whether auditors are "taking advantage of the flexibility the standard was designed to provide."
The answer, most CFOs would say, is no. The most mundane and frequently cited example is the emphasis on signing or initialing control documents as proof that a control actually worked. "We believe AS No. 2 properly outlines...appropriate tests of controls," Plum Creek Timber Co. CFO William R. Brown told the SEC. In practice, however, Brown and others say auditors focus largely on documentation, doling out deficiencies for missing paperwork or initials even if the control in question is working.
"Some of it is just silly," agrees Mike Coke, CFO of AMB Property Corp. "If you have proof the review happened, why do you need to keep a piece of paper?" Santa Fe, New Mexicobased Thornburg Mortgage told the SEC that auditors noted a deficiency because there was no record of the installation of the company's up-to-date antivirus software.
"We need to deal with the real possibilities of management override and financial-reporting risk," argues Computer Sciences Corp. (CSC) chief financial officer Leon J. Level, who put reducing unnecessary levels of documentation high on his list of recommendations to the SEC. "Making sure every piece of paper is initialed before handing it over to auditors doesn't change the likelihood that financials are fairly presented. Initials don't prove anything. If you have massive collusion, you can have fraud."
Reader Comments» Post a comment