Four years after the passage of the Sarbanes-Oxley Act, corporate managers are still seeking guidance on compliance with Section 404, the provision of the law that requires management and auditor assessments of the effectiveness of internal controls over financial reporting.
To be sure, the Securities and Exchange Commission’s final rules for the implementation of Section 404 and the Public Company Accounting Oversight Board’s Auditing Standard No. 2 (AS2) state that the 1992 Internal Control Integrated Framework, also known as COSO, provides enough guidance for managers and external auditors to assess a corporation’s internal controls. But most executives don’t believe COSO sheds enough light on how to comply with the rules, a new survey finds.
According to an Institute of Management Accountants (IMA) survey of 374 finance chiefs, controllers, internal auditors, and Sarbox compliance specialists at publicly traded companies, 57 percent of respondents don’t believe COSO alone supplies sufficient guidance. COSO was promulgated at a time when assessments of internal controls weren’t mandatory, the survey’s authors observe.
Only 38 percent of the respondents noted that they refer to COSO at all. In contrast, 62 percent mainly rely on AS2 in their efforts to comply with Sarbox’s internal-controls provision.
The results show that AS2, which provides guidance for auditors on how to conduct audits of internal controls over financial reporting, has become the de facto assessment standard for company management, according to the IMA.
In a recent CFO.com article, Thomas Ray, the PCAOB’s chief auditor, said that revising the auditing standard is the board’s highest priority in the next year. Many companies have cited AS2 as a driver of soaring Sarbox compliance costs, claiming that auditors have interpreted the standard conservatively and conducted more work than is needed.
Further, the survey respondents cited the lack of practical guidance from the SEC or professional organizations on how to decide what an effective internal-control system is as a factor in boosting Sarbox compliance costs. Another was redundant testing by auditors and inside Sarbox compliance staff.
The study’s results suggest that the 1992 COSO model offers a principles-based framework but “falls short of providing implementation guidance that would significantly help management conduct a top-down/risk-based integrated assessment of internal controls over financial reporting in a sustainable cost-effective manner,” Parveen Gupta, an accounting professor at Lehigh University who conducted the IMA study, said in the report.