Risk Management

CFOs: 404 Compliance Back at Square One

Finance chiefs think the revised SEC and PCAOB standards for internal controls won't change anything because they cancel each other out.
Sarah JohnsonMarch 9, 2007

Mismatches between the internal-controls proposals of the Securities and Exchange Commission and the Public Company Accounting Oversight Board will keep compliance with Section 404 of the Sarbanes-Oxley Act overly burdensome and costly, CFOs think.

In letters to the SEC and the PCAOB commenting on the regulators’ proposed revisions to their guidelines, senior finance executives say the tone and wording of the rules are too different to accomplish their main goal: to get senior top corporate management and audit firms on the same page in assessing and attesting to a company’s internal controls over financial reporting.

The SEC and PCAOB released their proposed standards for public comment on December 19 and December 20, respectively. Before the comment deadline of February 26 for both, the regulators had each received more than 150 letters. One-fifth of the responses for AS5 — as the PCAOB’s proposed new auditing standard for independent auditors is informally known — came from finance executives. The SEC and PCAOB have yet to say when they will announce the next steps for their proposals.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

CFOs used words like “disconnect” and “significant gap” to describe the relationship between the SEC’s proposed 404 corporate guidance and AS5. Because the suggested standards aren’t aligned, some executives predicted, auditors will ignore the regulators’ push to have them focus on the highest-risk areas.

Instead, some of the CFOs said that to meet the PCAOB’s requirements, audit firms will continue to take the overly conservative approach that has been widely blamed on the existing auditing standard, AS2. Many, however, had hoped the revisions would lead to cheaper auditing bills and more leeway for the use of professional judgment.

The comment letters made several suggestions for bridging what the finance chiefs see as a gap between senior management and their auditors that has widened since Sarbox was enacted five years ago. Some requests were minor, such as deciding whether to use the SEC’s term “entity-level controls” or the PCAOB’s “company-level controls” since the regulators seem to be referring to the same thing.

Other criticisms were broader. In particular, finance executives said, the tone of the new AS5 is overly prescriptive, while the SEC’s standard is too vague in comparison. The result: the detailed nature of AS5 likely will mean it will continue to be the de facto guideline for management.

That’s exactly what will happen at Pfizer, wrote vice president and controller Loretta Cangialosi. Her company will use AS5 because it won’t “incur incremental costs by doing management’s assessment one way and having the external auditors perform their assessment in another way,” she wrote.

Does that divergence leave the regulators, senior finance executives, and auditors back at square one? Until the SEC’s proposal, management had no principles for complying with 404 and turned to the auditing standard for help. The commission has acknowledged the mistake in not advising companies sooner — a mistake that exposed the most minor internal controls to auditor scrutiny, including some that seemed to have little connection to a financial report.

Some finance executives said one way to fix the disconnect between auditors and their clients is to eliminate the requirement that auditors must opine on a company’s internal controls themselves. Some unnecessary audit work would indeed decrease under AS5, they noted, since auditors would no longer need to assess management’s process for opining on internal controls.

Taken by itself, the revised Section 404 does let management conduct an efficient assessment of a company’s internal controls, wrote Thomas Fanning, executive vice president and CFO of Southern Co., in his comment letters to the PCAOB and SEC. But AS5 is “ultimately incompatible” with 404 and leaves CFOs without support in defending their staffs’ judgments to an accountant, he wrote. “When management alters their assessment to allow for utilization by the public accountant, the PCAOB guidance forces management to perform procedures and tests that exceed those levels suggested by the SEC’s guidance, thus contributing to inefficiency,” wrote Fanning.

Similarly, Valarie Sheppard, vice president and comptroller of Procter & Gamble, wrote that the differences between the two standards will result in external audits that are more conservative than management’s assessment of internal controls. Knowing this, companies will continue to “document and assess lower-risk controls, thereby continuing to incur unnecessary costs and failing to achieve the objective of more effective and efficient assessments,” she wrote.

If Sheppard’s prediction — which was echoed by other finance executives — is correct, then some of the changes made to AS2 could be moot. The main point of revising that standard was to keep auditors away from lower-risk controls, those areas that have little or no relation to a possible material misstatement of a company’s financial reports.

In fact, as CFOs noted approvingly, the new standards call for a “top-down, risk-based” approach that encourages auditors to concentrate on the most high-risk areas. The hope is that by doing so, companies — particularly the small-cap businesses that have yet to comply with Sarbox — would not be hit with overly high external auditing expenses.

But when — if ever — would a decrease in auditing costs be realized? It would probably take a couple of years if the regulators don’t act fast to implement the standards and if the PCAOB continues to heavily criticize audit firms in their inspection reports, finance executives say. The PCAOB auditors’ enforcement has led to a deeper level of documentation and testing, which has a ripple effect on companies, wrote Lee Matecko, vice president of operational finance for Whole Foods Market.

The first year Whole Foods complied with Sarbox, its audit firm said its internal controls were in the top 1 percent of other companies its size, according to Matecko. That high praise seemed to have no bearing on the following year, however, when the auditors wanted even more fine-tuning from the supermarket chain, forcing the company to focus on “insignificant details with limited internal control deficiencies,” wrote Matecko.

4 Powerful Communication Strategies for Your Next Board Meeting