Will external SOX audits reflect kinder, gentler control assessments? Recent SEC guidance stresses "reasonable" vigilance. But the PCAOB response to last year's audits might leave companies toeing a harder line.
Too much or not enough? The message sent by the Public Company Accounting Oversight Board (PCAOB) in its latest round of inspection reports—including criticism of auditing work by each of the Big Four accounting firms—seems in contrast to an overall tone lately suggesting that firms need to back off on the level of detail they are examining.
Paul Atkins, commissioner with the Securities and Exchange Commission (SEC), said in January that both the SEC and PCAOB need to give corporations and auditors “more leeway.” “Despite our attempt to emphasize reasonableness [in application of SOX 404], people in the trenches are taking an excessive granular approach.” Atkins emphasized that he spoke only for himself, not for his fellow commissioners or the SEC, while speaking in San Diego at the Securities Regulation Institute.
Atkins's statement echoes corporate criticism that auditors have been performing overly aggressive assessments, often of immaterial controls. This view crystallized at a March 2005 roundtable with business representatives and auditors, during which feedback from public companies was clear: SOX compliance was costing too much, and inappropriate auditing of internal controls was largely to blame. Auditors were criticized for taking advantage of ambiguities inherent in SOX to charge exorbitant fees for largely unnecessary work.
An SEC statement issued on May 17, 2005, in response to the roundtable feedback notes in part:
"...in many cases [of audits] neither a top-down nor a risk-based approach was effectively used. Rather, the assessment became a mechanistic, check-the-box exercise. This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies. Indeed, an assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements."
Concurrently, the PCAOB issued new guidance on implementation of its Auditing Standard 2 (AS-2), under which SOX audits were being conducted. That guidance also urges auditors to exercise restraint in control assessment, reasserting that "...the auditor may eliminate from further consideration...those accounts and disclosures that have only a remote likelihood of containing misstatements that could cause the financial statements to be materially misstated."
Although the new guidance was initially seen as a penalty call against overly zealous auditing, any corporate sense of relief might have been premature. By stressing reasonableness and judgment, the recent guidance appears to limit audit scope. But it still largely requires auditors and corporate leaders to second-guess how regulators define their terms.
Will the coming year's audits demonstrate a kinder, gentler approach to control assessments? The answer depends on two critical factors; namely, auditors' definition of "reasonable" vigilance and, most importantly, the PCAOB response to past years' audits.
Good-cop Messaging, Hard-line Enforcement
Although the SEC sets regulatory tone in regard to public company reporting, auditors actually report to the PCAOB—a legally independent entity. And therein lies potential conflict. If the SEC seems to be playing good-cop to business interests, the PCAOB's latest round of audit reviews is more critical, particularly of the Big Four accountancies: Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers. Despite the board's recent statements encouraging public-company auditors to focus less on transactional details and more on a top-down, risk-based approach, its audit reviews provide little evidence of this direction.
The PCAOB began in mid-2005 to release its second year of inspection reports on the public-company accounting firms that collectively audit some 10,000 publicly traded companies. The level of detailed criticism in these reports indicates that the PCAOB sets a high standard of behavior for accounting firms, observes Gartner analyst French Caldwell.
PCAOB officials are “sending two conflicting messages,” says Caldwell. “They're saying firms are spending too much time and effort, but then [they release] a list of deficiencies a mile long. It's very difficult for audit firms to square those two statements.”
Many auditors agree. There's a disconnect between PCAOB inspection teams and those setting policy in Washington, states Michael Ramos, a practicing CPA who specializes in SOX compliance. Ramos is the author of two books on SOX, including The Sarbanes-Oxley Section 404 Implementation Toolkit, published in 2005.
Among its reviews of 2004 audits, the PCAOB says of several firms, including Ernst & Young and KPMG, "In some cases, the deficiencies identified were of such significance that it appeared to the inspection team that the firm had not, at the time it issued its audit report, obtained sufficient competent evidential matter to support its opinion on the issuer's financial statements. In some of those audits, that conclusion followed from the omission, or insufficient performance, of a single procedure, while other audits included more than one such failure."
In other criticism of Ernst & Young, the PCAOB cites two cases in which it says the accountancy failed to identify departures from generally accepted accounting practices. The reports also observe four separate deficiencies in testing of loan losses.
PricewaterhouseCoopers is also heavily criticized in the reviews, which enumerate more than 30 cases in which the PCAOB states the accountancy had insufficient evidence to support its auditors' opinions. Other criticisms include a failure by Deloitte & Touche to properly apply lease accounting standards in one audit. In another case, Deloitte & Touche purportedly made an inadequate evaluation of its client's ability to continue as a going concern.
The PCAOB's reports are critical of audit practices at smaller firms as well as the largest. For example, a recent review of Grant Thornton International, a top second-tier accounting and consulting firm, contains a lengthy list of problems regulators claim to have found.
A Law Divided
Omissions and oversights are recurring themes in PCAOB audit reports. That could be bad news for companies in the short run, if auditors choose to use the reports to rationalize more granular and conservative assessments.
In the big picture, however, it's also a problem for the PCAOB itself. Regulators still face intense industry pressure to eviscerate SOX requirements, and legislators seem increasingly sympathetic to their demands. To support the law, the PCAOB must be able to show a reasonable relationship between the law's compliance costs and its overall benefits (read: effectiveness). This means finding a way to make SOX more palatable to industry without stripping its regulatory purpose.
The success of the endeavor rides on communication; specifically, whether the PCAOB can demonstrate that it trusts auditor judgment while simultaneously communicating how it wants that judgment process to change.
“Auditors have gone into too much detail, but internal auditors are also going too far," Ramos says. "I've seen it go both ways.” Ramos emphasizes the communication challenges aren't limited to PCAOB and its inspection teams: “It's everyone. Communication can be improved between audit firms and clients, the PCAOB and clients, everyone.”
Unfortunately, from the corporate perspective, much of what the PCAOB communicates to auditors will be under wraps. Under SOX, the PCAOB may withhold some portions of its inspection reports from the public—instead, giving audit firms a year to correct cited deficiencies. Unpublicized portions include inspection procedures and some observations, an overview of the inspection process, and any response from the inspected firm.
Still, according to Gartner's Caldwell, companies that feel they're being too aggressively audited should push back, limiting outside auditors to key risk areas that the firm itself has identified. Companies can help control audit costs by doing their own risk assessments and identifying key risk areas and key controls themselves. A company can then say to an outside audit firm, “Everything else is outside the purview of a Sarbanes-Oxley audit,” Caldwell states. But firms that do that, he emphasizes, need plenty of good documentation of processes and risk assessments, and proof that key controls are aligned to risk management.
Ramos strikes a hopeful note, suggesting that, as communication about SOX and the requirements of Section 404 improves, the effectiveness and efficiency of audits will improve as well. In the meantime, he says, companies should communicate with their auditors in meaningful discussions and take their guidance, but “try not to get too rigid in your approach. It's still a very fluid environment.... Be patient with it. It is getting better.”
Source: IT Compliance Institute