Accounting Ethics

ACCOUNTING & AUDITING

financial reporting

Six Years of the Sarbanes-Oxley Act: Are We Better Off?

By William J. Dodwell

More than six years have passed since Congress enacted the Sarbanes-Oxley Act (SOX) in the wake of the Enron collapse and other corporate debacles that shook the investor community and the general public. Facing political pressure to act, the U.S. House of Representatives and the Senate quickly passed a package of reforms by near-unanimous approval. But complaints from many companies about the implementation burden have challenged the value of SOX and raised the question, "Are we better off?"

Accounting Scandals

Reining in corporate financial reporting was justifiable. Beginning in late 2001, allegations of fraud and other improprieties by companies including Enron, Adelphia, WorldCom, Cendant, and Tyco seriously undermined investor confidence and contributed to stock market malaise. Concerns included concealing debt through unconsolidated off-balance sheet entities; manipulating revenue through creative application of derivative accounting rules; burying expenses in the balance sheet; and hiding bad receivables—all despite the scrutiny of management, public auditors, securities analysts, rating agencies, and investment bankers.

Although frauds have been in the spotlight, some problems arose instead from the interpretation of complex accounting rules. In some instances, management and auditor agreed on the accounting for certain transactions, only to be challenged in a politicized environment of prosecutors, regulators, and media. For example, hedge accounting, governed by SFAS 133, Accounting for Derivative Instruments and Hedging Activities, loomed large in some major restatements. But SFAS 133 is so cumbersome that the FASB is considering simplifying the standard. Other contentious issues are founded on subjective estimates of such things as loss and contingency provisions and amortization rates. To be sure, material financial misstatement was problematic, but because well-intended interpretations were sometimes second-guessed, it was not always malicious. Of course, any manipulation of those estimates to distort earnings and bonus calculations was reprehensible.

Accounting scandals have prompted the FASB to reevaluate certain inadequate standards. For example, it amended its consolidation rules under FIN 46(R) in a reaction to Enron's machinations involving off-balance sheet special-purpose entities (SPE). And, as mentioned, the FASB is reassessing SFAS 133's complex hedge accounting requirements.

Passage of SOX

As part of implementing SOX, the SEC created the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of publicly held companies, replacing the system of self-regulation through the AICPA. (The AICPA continues to set standards for accounting firms serving nonpublic companies.) Not meaning to reinvent the wheel, the SEC and PCAOB built on the internal controls framework established in 1992 by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting—more commonly called the Treadway Commission (after its chairman, James C. Treadway, Jr., a former SEC commissioner). In its effort to improve the accountability and effectiveness of the public audit, the PCAOB created Auditing Standard 2 (AS2), which was specifically designed to guide auditors in the evaluation of internal controls (AS5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, which superseded AS2, is discussed further below). In addition, the PCAOB made accounting firms subject to annual inspection to verify that their SOX certifications are supported by sufficient evidence.

38 AUGUST 2008 / THE CPA JOURNAL

At the enterprise level, SOX requires organizational assessments focusing on corporate governance over broad systemic firm-wide checks and balances, including risk management, communications, the whistleblower provision, and conflict-of-interest issues. Additionally, SOX requires the CEO and CFO to bear personal responsibility for the effectiveness of internal controls by signing off on the financial statements. Violations are subject to criminal penalty.

To redress the root causes of management accounting abuses at the transaction level, section 404 of SOX requires public companies to annually document and test internal controls and their associated business processes, remediate deficiencies, and assert the controls' effectiveness in ensuring the accuracy of financial reporting. The outside auditor is then required to opine on that assertion as well as form an independent opinion on control effectiveness. Both management's assessment and the auditor's judgments are disclosed in the company's annual 10-K report. (The SEC has repeatedly delayed the implementation date for nonaccelerated filers—companies whose market capitalization is under $75 million.)

Whereas SOX engendered some beneficial change, section 404 created a backlash, with corporate accounting departments across America challenging the excessive cost of compliance. Indeed, the very competitiveness of American business has been called into question because of SOX's documentation and testing requirements. In six years of experience, representing for most companies two years of startup implementation and four years of certified audits, does SOX pass a cost-benefit analysis? Have the improprieties that prompted the legislation been substantially redressed? Can SOX's requirements be mitigated to exempt the many innocent companies and identify the relative handful of guilty parties?

Backlash

The reaction against SOX's section 404 requirement to document internal controls and test them annually came from far and wide. First, companies smarted from having to incur massive preparatory costs associated with hiring employees and consultants, and installing new computer systems. Then they bristled at the perceived excessive implementation requirements and ambiguous SEC and PCAOB guidance. The question became, "How much documentation and testing is necessary?" The following addresses this question and constitutes a framework for evaluating the time and cost burdens of documentation and testing eventually broached by AS5:

• Duplication of a SOX audit of internal controls and a traditional audit of financial statements. What is the difference, and is there too much overlap? One might argue that a SOX audit focuses on processes and structures that govern the effectiveness of internal controls over the financial reporting process. By contrast, a financial audit focuses on assessing the fairness of the actual financial statements. Of course, auditors have always considered internal controls in designing their financial statement auditing procedures. But now SOX requires auditors to consider them as a separate objective in its own right. Question: Would further integrating SOX audit and financial statement audit procedures be more efficient?

• Redundancy of both management and SOX testing of internal controls. Auditors thought that AS2 limited how much they can rely on a company's own SOX testing. Therefore, they must conduct considerable testing of their own selected samples, and must also verify a sampling of management's tests, to provide an adequate basis for their opinions. That limited ability to rely on management's work results in higher costs. Question: Should auditors rely more on management's test results?

• Disagreement between management and the external auditor over risk-assessment and testing methodologies. Although the regulatory guidance acknowledges the role of management's judgment in assessing risk, judgment is subjective and sometimes does not reconcile with an auditor's independent assessment. The scope of SOX work depends on risk assessment and the definition of an internal control. For example, some companies do not distinguish controls from procedures. Furthermore, SOX applies only to key controls, but the distinction from non-key controls is not codified and is therefore entirely a matter of judgment. Depending on how key controls are defined, they may be significantly more numerous than necessary, rendering individual documentation and testing overly burdensome. Other subjective scope parameters, such as business process taxonomies and materiality thresholds, also influence the workload. Because internal controls and test methodologies are not definitively codified in the SOX guidance, management and the auditor may differ in their risk assessments and in the relative scope and extent of documentation and testing.

Because the outside auditor is the final arbiter of the scope needed to support an opinion, management may invest substantial time and money in work that it considers unnecessary based on its intuitive knowledge of the day-to-day operation of internal controls. Question: How extensively must internal controls be tested to establish reasonable effectiveness?

Cost-Benefit Analysis

The ultimate assessment of SOX centers on a cost-benefit analysis that takes into account the relative significance of each positive and negative item. The following are the tradeoffs, some of which are more definitive than others.

Costs.

• Smaller profit margins and retarded economic growth from management compliance costs, higher audit fees, and the opportunity costs of forgoing more productive activities.

• Certain redundancy between the work of management and the outside auditor.

• A stressful scramble for new auditors as accounting firms drop certain clients when reevaluating their acceptance and retention policies. Smaller companies are particularly vulnerable.

• Diminished competitiveness in capital raising and business investment as newly public companies list their shares on foreign exchanges and foreign companies expand overseas instead of investing in the United States in order to avoid the SOX burden.

The competitiveness issue prompted several studies on the effect of regulation, litigation, and ambiguous accounting rules, including those commissioned by the Treasury Department and one by U.S. Senator Charles Schumer of New York and New York City Mayor Michael Bloomberg. Those studies were predicated on the supposition that excessive regulation, including SOX, adversely affects the U.S. financial markets and New York City's status as financial capital of the world.

Opponents of this view, including former SEC Chairman Arthur Levitt, claim this "capital crisis" is unfounded. And Treasury Undersecretary Robert Steel pointed out that a highly disproportionate share of global mutual fund and hedge fund assets resides in the United States. In addition, he said futures contracts traded on U.S. exchanges and dollar-denominated foreign-exchange derivatives also predominate.

• Reduced domestic capital spending as companies compensate for SOX compliance costs.

• Concentrated stock ownership as companies avoid SOX by taking themselves private through stock repurchase or through sale to private-equity firms. Other companies exempted themselves by issuing stock on a 144A private placement basis to a few large institutions rather than the general public.

Ownership concentration is not necessarily bad. Typically, private-equity portfolio companies, unfettered by pressure to produce short-term results, take on greater risk to produce better returns than public companies. However, some bemoan the inequity of those outsized gains devolving only to the few rather than the larger investor community.

• SOX work conducted after the initial implementation tends to yield diminishing returns in succeeding years after control weaknesses are corrected.

Benefits.

• SOX audits promote transparency and ensure reliable financial reports. They have uncovered many material weaknesses in internal controls that have contributed to a dramatic rise in the number of financial restatements. SOX-driven correctives and disclosures inspire greater investor confidence and ultimately support a more efficient capital allocation process.

• The potential consequences of a failed SOX audit motivate companies to maintain higher quality transaction controls and corporate governance that might not otherwise exist. Those consequences apply particularly to the cost of capital, because failure to comply with SOX potentially affects stock prices, borrowing rates, and bond ratings. Thus, the fear of failure results in extra assurance for investors.

• The SOX review forces companies and auditors to place greater emphasis on the control environment and its ongoing continuity. Section 404 adds process evaluation to traditional account validation, and holds both management and its public auditors more accountable.

• The exercise of maintaining extensive documentation of internal controls required by SOX section 404 potentially fosters a better control mindset among accounting staff. This mindset can sometimes lead to control process rationalization and streamlining.

• SOX documentation is a good tool for training new personnel. It also serves as disaster recovery backup and a means of communicating internal control information to those responsible for its execution.

Regulatory Relief

In response to widespread criticism, the PCAOB issued AS5 in 2007 to replace AS2 as guidance for independent auditors in the interest of a more practical evaluation of controls over financial reporting. This standard, in combination with the SEC's concurrent guidance for management evaluation of internal controls, Interpretive Guidance for Management, established a better principles-based framework for aligning the views of management and the outside auditor. In view of the speed with which SOX was assembled, regulators knew from the beginning that it was a work in progress that would require refinements over time. The following describes the current incarnation.

Auditors. AS5 recommends that auditors adopt a top-down, risk-based approach to evaluating internal controls that focuses on the most likely sources of risk; that is, scalable to the size and complexity of the organization, and integrated with the audit of financial statements. This is in contrast to the bottom-up, prescriptive approach to assessing risk and identifying internal controls under AS2, which started at micro-level exposures and inductively established overarching controls at the financial statement level. AS5 requires less documentation and testing in a more cost-effective assessment that eliminates excessive scrutiny while retaining focus on the serious financial reporting risks posed by weak internal controls.

AS5 emphasizes materiality in assessing misstatement risk and greater attention to entity-level and fraud controls. In addition, AS5 recognizes that some companies need strict SOX standards while others need less stringent standards. Thus, auditors may now acknowledge this distinction and make SOX standards commensurate with a company's risk to achieve reasonable assurance at less cost. Previously, a one-size-fits-all approach applied to all public companies, with some preliminary accommodation for smaller companies.

Other efficiencies envisioned by AS5 include:

• Designing testing to more fully encompass the objectives of both the audit of internal control and the audit of financial statements simultaneously, where each audit informs the other;

• Relying more on the work performed by others for the purpose of management's assessment of internal controls; and

• More selectively conducting walkthroughs as a means of understanding the nature of misstatement risk.

For smaller companies (i.e., nonaccelerated filers), the SEC recently provided further relief by deferring the independent auditor's attestation of management's report on the effectiveness of internal controls over financial reporting for fiscal years ending on or after December 15, 2009.

Management. At the same time AS5 was released, the SEC provided parallel advice for management in its Interpretive Guidance for Management, which codifies a more efficient approach to evaluating the effectiveness of internal controls in detecting and preventing material financial misstatement. The guidance centers on a top-down, risk-based approach to first identifying risk and then evaluating the design and operating effectiveness of the transaction- and entity-level controls. This specific guidance enables management to adopt a more efficient and independent evaluation of the effectiveness of internal controls rather than just deferring to AS5 details for fear of not satisfying the auditor.

Management is permitted to exercise greater judgment in deciding on appropriate methods and procedures that address the likelihood and potential magnitude of financial misstatement. This streamlined assessment eliminates the redundant review of multiple controls over a particular reporting risk. This means more flexible documentation and testing standards in the production of adequate evidentiary matter keyed to the degree of perceived misstatement risk posed by error or fraud. Furthermore, management's procedures may differ from those adopted by the independent auditor. Further efficiency is achieved in subsequent years because management now evaluates only changes in risks and controls in an updated assessment, rather than recreating the entire process.

Smaller Public Companies

In April 2006 the SEC issued its Final Report of the Advisory Committee on Smaller Public Companies. This issuance established risk-based, scaled securities regulation for companies in the lowest 6% of market capitalization, which represent the majority of public companies. One accommodation was a temporary exemption from SOX section 404. In its place, these companies became subject to new guidance on internal controls over financial reporting issued by COSO. This document was a guide on how small companies should apply the 1992 COSO framework pending the development of a SOX internal control framework specifically designed for smaller companies.

The 2006 report recommended that the PCAOB amend AS2 to provide cost-effective relief for small companies, to include testing to find only material weaknesses, and to integrate internal control and financial statement audits. The SEC also urged the PCAOB to ensure that public audit firms incorporate this relief in the internal control reviews of client companies.

In June 2007 the SEC released its SOX interpretive guidance on management's evaluation of internal controls for smaller companies in conjunction with the release of AS5 by the PCAOB. The SEC did not exempt small companies from SOX compliance as some had hoped. Rather, sympathetic AS5 management guidance formally acknowledged that all companies with less than $75 million of public equity can independently scale their SOX assessments to the circumstances of their business without having to mime the auditing standard as before. Additionally, the SEC will monitor implementation of AS5 in the PCAOB's inspections of audit firms.

To ensure that smaller companies no longer bear a disproportionate burden, the SEC was expected to conduct a cost-benefit study of the new standards. But is the new guidance definitive enough to avoid disagreements with auditors?

Best Practices

AS5 and the accompanying management guidance establish a framework for evaluating internal controls more efficiently through a top-down, risk-based approach. The guidance emphasizes a holistic view of risk that identifies enterprise-wide vulnerabilities and gives greater consideration to fraud controls. The current approach comprises the following modalities:

• Risk assessment. Focus on exposures to material financial misstatements that take into account their probability through error or fraud, especially management override. Consider the complexity of processes and dependence on judgment. Evaluate entity-level and IT controls. Consider the vulnerability of manual operations, including spreadsheet applications, which are pervasive in smaller companies. Under AS5, the auditor's independent risk assessment, established through appropriate inquiry, observation, document inspections, and walkthroughs, should align with management's self-assessment founded on daily operations.

• Controls identification. Identify only key controls that address material exposures consistent with the company's size, complexity, and operating structure. Document the design of those controls.

• Controls effectiveness. Test both design and operating effectiveness. Focus on the most operative control that addresses particular material exposures consistent with the risk assessment, not all such controls. AS5 emphasizes broader, higher-level controls that might warrant 100% testing over lower-level controls that would involve sampling methodologies. Document test procedures and findings to produce evidence that is consistent with the nature, timing, and extent of those controls.

• Remediation. Resolve and retest significantly deficient controls.

• Reporting. Communicate findings to the board of directors, and report deficiencies to the parties responsible. Distinguish design deficiencies from operating deficiencies. Assess the relative seriousness of deficiencies in terms of the impact on the financial statements and classify them as a significant deficiency or a material weakness.

As a means of applying these concepts efficiently, AS5 cites a risk-assessment methodology that had already been in practice for several years. This approach involves assigning taxonomies to particular processes and controls to establish an overall risk profile in a risk-control matrix format. Specifically, risk assessment starts with identifying significant accounts and disclosures, and then mapping them to business processes that are classified by degree of risk and complexity. Associated controls are characterized by relevant assertions, such as valuation, existence or occurrence, and presentation and disclosure. Controls are also evaluated by posing "What could go wrong?" questions that contemplate possible financial misstatement and fraud scenarios.

In the past, some risk-averse auditors might have dismissed this model, favoring more-traditional benchmarks of risk exposure, such as a financial statement category's percentage of total assets or revenues. But now that the methodology has the PCAOB's imprimatur, all auditors can rely on it as a means of streamlining the SOX process in a top-down assessment. Or not. A certain dissonance between management and auditors concerning respective risk assessments may be inevitable, especially in manually intensive operating environments common to smaller companies.

PCAOB Oversight

No review of SOX would be complete without addressing the public audits that failed to detect many of the problems that led to the well-chronicled scandals. Through its inspection program, the PCAOB seeks to evaluate the quality of the auditing process, thereby holding firms accountable for correcting their mistakes and upgrading their methodologies in future audits. In particular, the PCAOB cites significant failures to properly apply AS2 in evaluating management assertions and the effectiveness of internal controls. Its reports will also call out improperly applied Generally Accepted Accounting Principles (GAAP), a failing that affects the financial statement audit as well.

Limitations

Regulators—the Treasury Department, the SEC, the PCAOB, and the FASB—strive to balance management cost, auditor liability, and investor protection to achieve effective and efficient prevention and detection of material accounting fraud and error. Can SOX accomplish this? Refco's misstatement, for example, occurred some years after SOX was enacted. And the existence of SOX arguably did not directly help expose stock option backdating. In the effort to balance effectiveness and efficiency, only time will tell whether AS5 has succeeded.

Six Years and Counting

Considering the number of financial restatements of the last several years, the traditional financial statement audit alone is not enough to assure the investor community. A separate SOX examination of internal controls helps fill the gap by providing additional assurance where controls are strong and raising awareness of the potential for future problems where controls are lacking.

Are we better off after six years of Sarbanes-Oxley guidance? To some extent, implementation has prevented and detected more of the problems that gave rise to SOX. AS5 and the companion SEC management guidance codify the integration of the SOX examination with the annual financial statement audit, and promulgate a risk-based tailored approach to SOX documentation and testing requirements. Theoretically, both the PCAOB and the SEC documents mitigate previous excesses and balance the guidance for management and auditor—with a special accommodation to the plight of smaller companies. The practical implementation, however, is a continuing question mark. In any case, prospective compliance that relies on a SOX infrastructure already in place is much less onerous than the initial implementation.

Notwithstanding the new latitude afforded management in making more independent assessments of its internal controls, companies may still have to present evidence to convince professionally skeptical auditors. On the other hand, do the new rules dilute the SOX process to the extent that auditors defer to management's self-assessment, and curtail scrutiny as they depart from certain benign redundancies of AS2 standards? Have the concessions made in the name of cost compromised the benefits? Does the narrower scope encompassing fewer controls and abbreviated tests founded on subjective materiality have a limited effectiveness? Future PCAOB inspections and media reports of new or nonexistent scandals and ineffective audits will be the final proof.

Some people, of course, will disingenuously ascribe the next business calamity to ineffective SOX implementation, perhaps expecting a panacea. A case in point is the fallout from the ongoing subprime credit crisis. While the recent spate of massive portfolio write-downs might seem to indicate failed risk-management controls, the problem is largely founded on illiquidity and the inability to establish fair value in the absence of willing buyers and available funding. The valuation of impaired mortgage securities is an accounting issue made problematic by anomalous market conditions plagued by uncertainty. The writedowns are not generally the result of failed internal controls, but rather a wholesale market repricing.

In the final analysis, truly cost-effective SOX examinations will better protect investors and contribute to better-functioning capital markets that will benefit the economy at large. But the optimal balance between the costs and the benefits may always be elusive.

William J. Dodwell, CPA, led several SOX section 404 implementations and performed numerous other financial control assessments as a management consultant to financial services companies.
