What if there weren’t any auditors?
The question, asked by Scott Taub, the acting chief accountant of the Securities and Exchange Commission, might have been purely hypothetical. But participants at a May 10 panel on management’s role in assessing and evaluating internal controls seemed to warm to it as if Taub might seriously be mulling the ouster of external auditors from the Sarbox 404–compliance process.
“How would management’s process be different if audit wasn’t there?” Taub asked panelists at the roundtable on second-year 404 experiences, which was sponsored by the SEC and the Public Company Accounting Oversight Board.
Corporate executives on the panel seemed pleased to contemplate the prospect. Lee Level, a corporate vice president, board member, and former CFO of Computer Sciences Corp., said that if auditors were jettisoned from the compliance process, senior managers at CSC “would have committed more of our resources on the entity level” rather than being bogged down by the minutiae of meeting auditors’ expectations.
Like other panelists, Level seemed to favor a “risk-based” approach to 404 compliance in which corporatewide priorities are set first and only significant potential controls breeches are then addressed. As it happened at CSC, “our process was driven by auditors,” he said. “We also did what we felt we needed to do to make them comfortable with our assessments.”
Although CSC isn’t suggesting the total elimination of auditors from the internal-controls-compliance process, the company did propose that they should play less of a role in 404 adherence. Currently auditors must dole out three opinions: their take on the presentation of financial statements, their views on management’s assessment of internal controls, and their own attestation of those controls. “We recommend the auditor be required to form only two opinions, one on the financial statements and the other on the effectiveness of internal control over financial reporting. The auditors’ opinion on management’s assertion is redundant and does not provide further assurance,” the company said.
A number of panelists at the roundtable said the default template for corporate compliance with 404 has become Auditing Standard No. 2, the PCAOB’s guidance on internal-controls attestation for auditors. They suggested that if the SEC provided a parallel guidance to corporations, it might eliminate the need for auditor vetting of management’s opinions. Level, however, said “that we would have a whole new set of rules” if the commission were to hand out such guidance — indicating that he was content to continue complying with AS2.
Another panelist, however, seemed clear about the relative standing of auditors and her company. “I don’t think it would have been different if there were no auditors,” said Susan Gordon, corporate controller and chief accounting officer of CBS Corp. “Management has to say this assessment of risk is their assessment.”
It isn’t likely that auditors will decrease their presence in the 404-compliance picture, however. Acknowledging that he had “every confidence that CBS could have done it on their own,” James Turley, chairman and chief executive officer of Ernst & Young, declared that “on many occasions, if you will, we had to hold [clients’] feet to the fire” to get them to comply with the provision.