Risk & Compliance

The Second Time Around

Reported declines in compliance costs are likely to temper conflicts between companies and their auditors at this year's roundtable on Sarbox 404.
David KatzMay 4, 2006

The Securities and Exchange Commission and the Public Company Accounting Oversight Board have set the stage for another donnybrook between corporate executives and their independent auditors on matters concerning internal controls over financial reporting. The agenda for the regulators’ May 10 roundtable on second-year compliance experiences with Section 404 of the Sarbanes-Oxley Act certainly contains some points of contention. But don’t expect any knockouts: the punches are likely to be little more than love taps.

Like the 2005 roundtable covering first-year experiences with 404, the May panels are replete with Big Four executives and representatives of corporate giants. Friction lingers between them, of course, especially regarding what clients see as the accountants’ standoffishness and their rigid attitude toward testing internal controls.

But a lot of steam has seeped out of the debate. Costs have gone down—not down as much as expected by some, but down. In a poll of 238 public companies with a public float of more than $75 million and average revenues of $6 billion, Financial Executives International found that their total average cost of adhering to the internal-controls section had dropped 16.3 percent, to $3.8 million, in 2005. The previous year, however, respondents forecast that the costs would descend by 39 percent.

Wishful as that prediction now sounds, other studies have found even steeper expense drops. In a survey of 58 audit clients with market caps of over $700 million, three of the Big Four audit firms found that the clients’ total 404 compensation costs—including internal costs and fees paid to auditors and other third-party providers—fell a whopping 43.9 percent last year.

What’s more, 66 smaller companies (ones with market caps between $75 million and $700 million) enjoyed a 30.7 percent decrease, according to the survey by CRA International commissioned by Deloitte & Touche, Ernst & Young, and PricewaterhouseCoopers. The firms attributed the lessening expense at companies both large and small to three factors: efficiencies spawned as their clients scampered up the learning curve; reduced documentation; and cheaper consulting outlays.

Expect the accounting firms’ upbeat numbers to be disputed at the roundtable by those companies and industries that haven’t fared as well. One of the likely critics will be Bill Brunner, CFO of First Indiana Corporation, chairman of the American Bankers Association’s accounting committee, and a member of the event’s panel on management’s assessment and evaluation of internal controls. (The other four panels will take a broad look at 404’s second year and discuss the auditor’s role, the provision’s effect on the market, and possible next steps concerning the rule.)

A comment letter sent by ABA to the PCAOB says, in fact, that the bankers were “astonished” by CRA’s findings regarding audit fees, including those shelled out for internal-controls compliance. The bankers’ group took a swipe at the auditors’ numbers, contending that “this estimate does not come from the issuers, but from the accounting firms. Without input from the issuers, these estimates may not reflect all of the costs.”

The accounting firms’ study found that audit fees paid by large clients plummeted last year by 22.3 percent and that those paid by smaller ones decreased by 20.6 percent. “This is the exact opposite feedback that we are receiving from the banking industry. In fact, the feedback that we are receiving is that, generally, the costs are either the same or higher, the ABA wrote. “According to our members, the auditing firms are claiming that last year’s fees were insufficient to cover their costs and this year’s fees remain high in order to better cover this year’s costs.”

To be sure, the ABA is comparing apples to oranges: the banking business might well have had higher 404 audit fees than the broader sample the CRA study examines. But it’s easy to sense a vestigial—and perhaps more widespread—client hostility to auditors in the suggestion that the firms might be talking about fees out of two sides of their mouths.

Along with broadly reported cost cuts, however, a statement made by the PCAOB only nine days before the roundtable about the board’s approach to its 2006 inspections of controls audits is likely to calm the waters a tad. The timing of the announcement may well be intentional.

During their inspections, PCAOB inspectors will try to confirm whether the accounting firms are still taking a check-list, one-size-fits all approach to controls audits. In the wake of last year’s roundtable, the board warned the firms away from such practices after corporate panelists squawked that the approach had yanked up audit fees.

Even though the PCAOB’s announcement may render many companies’ objections to their auditors’ practices at least temporarily moot, corporate executives may still make a vigorous case for a more flexible, “risk-based” approach to 404 compliance at the roundtable.

Some finance executives have envisioned using the approach—which sets audit priorities by assessing which controls are most likely to cause crucial errors if they fail—in tandem with even broader “enterprise risk management” programs. Pitney Bowes, for instance, has launched an ERM effort that could be used as a model for Sarbox compliance overall, finance chief Bruce Nolop told CFO.com earlier this year. As part of the effort, managers gather information from all the corporation’s departments to help them make an assessment of which risks could have a material impact on the company.

Tamping down the Fires

In another seeming attempt to play down controversy, the regulators have structured the roundtable so that the issue sure to generate the most heat — the effects of 404 on small companies — isn’t likely to get much of an airing. Smaller companies have complained that the provision isn’t “scaled” to fit their specific needs and thus presents them with greater per-unit compliance costs than their bigger peers.

Because the roundtable’s purpose, however, “is to review second-year experiences, the discussion will not specifically focus on possible special accommodations or exemptions for companies that have not yet had to comply with the internal control reporting provisions,” the PCAOB and the SEC declared in a briefing paper. And since companies with a public float of $75 million or less, called “non-accelerated filers,” have until fiscal years ending after July 15, 2007 to start complying with 404, discussion of many small companies’ problems would seem to be off limits.

Nevertheless, at least some discussion of the plight of other small issuers is sure to emerge at the event. The regulators themselves seem to have assured that by suggesting this discussion question to participants in the management evaluation and assessment panel: “Are there issues or challenges that are specific to smaller accelerated filers in completing their assessments that might not apply to all accelerated filers?”

Perhaps sensing the possibility for new income streams stemming from a step-down regulatory system, some auditors are likely to champion small companies at the panel. In a comment letter addressed to the regulators, BDO Seidman LLP wrote: “we believe it is essential to develop a right-sized, scalable approach to internal controls that is better suited to the unique needs of the smaller companies while still providing investors with the protection intended by Section 404.”

For its part, Deloitte and Touche said in its letter that it also wants “to make compliance with Section 404 reporting requirements cost-effective for smaller businesses.” Yet the Big Four firm also said that it strongly opposes the recommendations of the SEC’s Advisory Committee on Smaller Public Companies for “broad, permanent” exemptions from 404 reporting for smaller companies or “the adoption of weakened standards requiring reporting only on the design and implementation” of the standard.

Instead, Deloitte suggests a plan to prepare and field test special guidance for smaller companies during 2006 and 2007. As a major auditor, the firm would be sure to have a hand in the project. No surprise: there’s gold in them thar hills.