Implementing Sarbanes-Oxley: Learning From Past Mistakes

Cathy Criswell CIA, CPA
July 28, 2005 — 1,771 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

Sarbanes-Oxley Act, officially titled the Public Company Accounting Reform and Investor Protection Act of 2002, was signed into law on July 30, 2002.  The Act is considered the most significant change to federal securities laws in decades.  Infamous corporate financial scandals, including Enron, Arthur Andersen, and WorldCom, created the drive for reform.  The primary impact of the act on the accounting profession was the shift from self-regulation of auditing standards to rule-setting and review by the Public Company Accounting Oversight Board (PCAOB).

A key element of the Act, Section 404, requires assessment and reporting on internal control over financial reporting.  Publicly-traded companies must prepare an annual report on internal control signed by the Chief Executive Officer and Chief Financial Officer.  This report must include an overall opinion on internal control and a description of material weaknesses. 

The PCAOB has issued guidelines on how management should render their opinion.  The guidelines require management to use an internal control framework, such as the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations (COSO), to make their assessment.  PCAOB guidance also gives information on how to determine a material weakness.

Accelerated filers were required to implement reporting requirements of Section 404 for the first fiscal year ending on or after November 15, 2004.  (Accelerated filers are companies with common equity public float of $75 million or more as of the last business day of its most recently completed second fiscal quarter.)  The Securities and Exchange Commission (SEC) extended the compliance dates for all non-accelerated filers to the first fiscal year ending on or after July 15, 2006.  Therefore, the first filing under Section 404 has already been completed by large corporations, and smaller companies are gearing up to meet their first reporting date.

The first round of filing was enormously expensive for large corporations. According to the Financial Executives Institute (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The survey also indicated actual costs to be approximately 39% higher than companies expected to spend.  This information begs the question of why were the costs so much higher than expected.

On April 13, 2005, the SEC held a roundtable to discuss implementation of the internal control reporting requirements.  The PCAOB issued a policy statement on May 16 summarizing their response to the issues discussed at the roundtable.  Following are important points from the roundtable and the policy statement:

Integrate audits – Certified Public Accountants should integrate their audit of internal control with their audit of financial statements so that evidence gathered and tests conducted in either context contributes to both types of audit.  This will prevent duplication of effort.

Use a risk-based approach – Audit plans should be tailored to address higher risk areas, and time spent on audit activities should be proportionate to the associated risk.  The PCAOB criticized auditors for relying too much on standardized checklists that were executed the same way regardless of associated risk. 

Use a top-down approach – Start with an assessment of company-wide internal controls.  When problems are identified at this level, drill down to lower levels.  This approach can reduce the time spent on auditing areas where the likelihood of a material weakness is remote.

Take advantage of work done by others – Internal control evaluation may have been done by internal auditors or other designated company employees.  PCAOB standards describe when using the work of others is appropriate.

Communicate with clients – Many public accounting firms too strictly interpreted new independence rules and were reluctant to provide advice to their clients in how to evaluate internal control.  The PCAOB recommends public accounting firms to more fully communicate with their clients regarding their views on accounting and internal control issues.

The information generated from the roundtable discussion, and subsequent PCAOB guidance, should help large corporations in preparing for their second reporting, and smaller corporations in preparing for their first reports.  On the horizon is additional guidance from the SEC and COSO for smaller corporations to evaluate internal control.  Using these lessons learned from past experience will help all corporations reduce the costs of assessing internal control and enjoy more of the benefits.

Cathy Criswell, CIA, CPA is an internal audit manager for the city of Tulsa. She has worked there since 1988 when the Internal Auditing Department was first created. Ms. Criswell assisted with the creation of the department, developing new audit methodologies and the audit universe. Ms. Criswell prepares the annual audit plan using a risk assessment methodology she developed. She also created and implemented a staff scheduling methodology. Ms. Criswell received her B.S. degree in business administration, graduating with honors, from the University of Tulsa.

Cathy Criswell CIA, CPA