Business Technology
Justice, SEC actions backpedal a bit on post-scandal rules
December 18, 2006 from Associated Press – “They were two early Christmas gifts for corporate America -- with potentially far-reaching effects for investors and the financial landscape. At the Justice Department and the Securities and Exchange Commission, separate actions last week both had the effect of easing landmark rules laid down in response to the 2002 crisis of corporate malfeasance.
Culminating an intense months-long lobbying campaign by an array of companies, the five SEC commissioners voted at a public meeting Wednesday to propose a plan giving corporate managers more flexibility in assessing the strength of internal financial controls. It would especially benefit smaller companies.
The sweeping anti-fraud law known as Sarbanes-Oxley was enacted in 2002 amid the wave of scandals that engulfed Enron Corp., WorldCom Inc. and other big corporations. The law contains a key section requiring public companies to assess the strength of their internal safeguards to ensure that their financial statements are accurate. Companies have complained to the SEC that those rules are overly burdensome and costly, especially for smaller businesses…
Some business-friendly Democrats who are assuming power positions in January have expressed support for Sarbanes-Oxley relief for companies -- and their preference for the SEC to wield its regulatory scalpel as opposed to Congress' heavier hand of legislation.
The SEC move was a "reasonable approach" in light of the disproportionate burden of the financial-control rules on small companies, said James Cox, a professor at Duke University who also is a securities-law specialist.
Still, he said, with more leeway under the SEC plan -- allowing, for example, less stringent testing of internal controls for some companies, "Those (financial) numbers are going to be less trustworthy than they would be otherwise. ... Investor protection's going to suffer."
SEC officials insisted that would not happen. Agency Chairman Christopher Cox called the new plan "making Sarbanes-Oxley work for investors at the right price"…
180 View – We thought that the article was vague so we went to the source at http://www.sec.gov/rules/proposed/2006/33-8762.pdf released by the SEC on December 20, 2006. We have highlighted what we believe are the key points.
“The proposed guidance is organized around two broad principles. The first principle is that management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner. The guidance describes a top-down, risk-based approach to this principle, including the role of entity-level controls in assessing financial reporting risks and the adequacy of controls. The proposed guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement in its financial statements. There is no requirement in our guidance to identify every control in a process or document the business processes impacting ICFR. Rather, under the approach described herein, management focuses its evaluation process and the documentation supporting the assessment on those controls that it believes adequately address the risk of a material misstatement in the financial statements. For example, if management determines that the risks for a particular financial reporting element are adequately addressed by an entity-level control, no further evaluation of other controls is required.
The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The proposed guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting (i.e., whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas.
By following these two principles, we believe companies of all sizes and complexities will be able to implement our rules effectively and efficiently. As smaller public companies generally have less complex internal control systems than larger public companies, this top-down, risk-based approach should enable smaller public companies in particular to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies to take advantage of the flexibility and scalability of this approach to conduct an efficient evaluation of internal control over financial reporting. Further, we believe the proposed guidance will assist companies of all sizes in completing the annual evaluation of ICFR in an effective and efficient manner by addressing a number of the common areas of concern that have been identified over the past two years.”
Labels: SOX
The Unexpected Benefits of Sarbanes-Oxley
April 2006 from Harvard Business Review courtesy of Approva Corporation – This article is about:
- Control environment (attitude, values, transparency…) is the 1st line of control defense
- Reducing control testing based on risk of a particular process leading to material errors
- Avoiding duplication of work when it comes to documenting business process. In one example, a company’s processes were being reviewed for Sarbanes-Oxley and for ISO 9000. There were 2 different teams documenting the identical business process
- Standardization improves data consistency which reduces the potential for error. Another standardization benefit is that it can lead to efficiencies by streamlining processes. And the auditors only need to review one process rather than multiple processes
- Manual controls are not as good as automated controls
- Few companies have used Sarbanes-Oxley as a way to improve business process
180 View – It’s about time that the auditors provided more real value in their review of internal controls by identifying weaknesses in efficiency and effectiveness of business process.
Labels: SOX
IMA Releases Landmark Study Revealing Sarbanes-Oxley Compliance Issues
October 12, 2006 from Business Wire – “A lack of practical management implementation guidance and the incomplete nature of the COSO (Committee of Sponsoring Organizations) 1992 framework in assessing effectiveness of internal controls over financial reporting (ICoFR) are two of the key cost drivers for public companies complying with Sarbanes Oxley Section 404 (SOX) requirements, says a landmark research study released by the Institute of Management Accountants (IMA®). The research study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, was released today.
Conducted by Professor Parveen P. Gupta of Lehigh University, the study assessed the views of nearly 400 experienced CFOs, controllers, internal auditors, and SOX compliance specialists at publicly traded companies. The study was designed to determine the extent to which companies are using COSO’s 1992 internal controls framework and identify the factors which inhibit a successful and cost-effective SOX compliance outcome, including high-cost compliance activities, definition and use of “risk based” models, application of risk assessments (fraud, plausible, and inherent risk), integrated audits, IT controls assessments, skills gap issues, and other practical areas.
“IMA’s study is the first comprehensive study of its kind that goes beyond estimating the cost of compliance. This study helps to identify the real drivers of cost and provides actionable insights for policy makers, regulators and professional associations,” said Paul A. Sharman, president and CEO, IMA. “We have hypothesized for some time that current controls frameworks are inadequate, as they do not allow management practitioners to conduct cost-effective, risk-based assessments covering internal controls over financial reporting, fraud risk, general IT controls, and other areas.”
A sampling of key findings from the IMA research study includes:
- Approximately two-thirds of the total respondents attributed two key factors as major cost drivers:
  1. A lack of practical guidance from the SEC or other professional organizations on how to decide what constitutes an effective (or ineffective) internal control system
  2. Redundant testing (between auditors and inside SOX compliance resources) due to a lack of collaboration to reduce the sample size. The data suggests that the original goal of achieving efficiencies via an integrated audit of internal control incremental to (not duplicative of) the traditional financial statement audit is still not a reality
- More than half of respondents acknowledged that they did not use COSO 1992 to assess IT control effectiveness, in spite of indicating their control assessment was done in accordance with COSO 1992. Almost 52 percent of respondents used COBIT for this critical aspect of their ICoFR assessment
- Forty-five percent of smaller public companies and 35 percent of larger public companies are using a “bottom-up” approach to internal controls, rather than a “risk-based” point-of-view. The higher percentage for smaller companies could suggest a skills gap issue in applying robust risk assessment methods
- Only 38 percent of respondents indicated that the COSO 1992 controls framework, the predominant framework in use, was guiding their internal control assessments, while 62 percent primarily rely on Accounting Standard 2 (AS2). Due to the lack of practical guidance, AS2 has become the de facto assessment standard for company management
- Fifty-seven percent of respondents did not believe that the COSO 1992 framework alone was sufficient guidance for determining the effectiveness of internal controls, strongly suggesting that practical assessment methodologies linked to the framework are necessary to assert to the SEC that an organization has an effective system of internal controls.
“These results suggest that our hypotheses have been proven to a reasonable degree. Now it is time to develop the long awaited assessment guidance so desperately needed by American businesses to cost-effectively comply with SOX while protecting shareholder interests,” added Sharman.
The study, COSO 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices, includes an Executive Summary that is available free of charge. The full study is available for purchase from IMA. Please visit https://www.imanet.org/research_sox_study.asp for complete details.”
180 View – We think there's no excuse for not providing an efficient SOX compliance review.
Labels: SOX
Greenspan: Dump SarbOx
September 26, 2006 from eWeek.com – “The Sarbanes-Oxley Act is doing more harm than good and must be overhauled, Alan Greenspan told a technology audience here. "One good thing: Sarbox requires the CEO to certify the financial statement. That's new and that's helpful. Having said that, the rest we could do without. Section 404 is a nightmare." Greenspan's remarks came at a meeting of the Massachusetts Technology Leadership Council here on Sept. 25. Greenspan was Chairman of the Federal Reserve board for 18 years, having retired in early 2006. He said the evidence is clear that Sarbanes-Oxley strictures are driving initial public stock offerings away from the New York Stock Exchange and to the London Stock Exchange. Increasingly, he said, people recognize that Sarbanes-Oxley must be changed. "The pressure on getting 404 significantly altered is rising and is taking on a critical mass." But he added, "You do not get a bill altered when the two names [Sarbanes and Oxley] are in the process of retiring. People are waiting until they are gone. Then, hopefully, changes will be made. Any bill that passes both houses almost unanimously, cannot be a good piece of legislation."
180 View – We think it’s time Sarbox (or the equivalent) reviews include efficiency (achieve the desired result with the minimum use of resources) and effectiveness (achieve the desired result). Then we are talking about value for the money.
Labels: SOX
Internal Controls — A Review of Current Developments
August 2006 from International Federation of Accountants – This review summarizes key internal control frameworks, highlights recent legislation, and discusses the role of internal control in enhancing corporate governance. It is a 19-page document and we will just quote some of the more interesting paragraphs: “… As the severity of high-profile corporate accounting failures has increased steadily over the last decade, there has been a corresponding increase in the development of new legislation, standards, codes and guidelines to assist organizations in improving their corporate governance. While these standards and guidelines originated from a variety of sources, they share a core principle: that good governance, by its nature, demands effective systems of internal control. Recognition of the critical importance of internal control is evident in the key frameworks and guidelines on the subject. In the 1990s internal control frameworks such as the COSO (USA), Turnbull (UK) and CoCo (Canada) emerged, some of which have recently been reviewed and updated or supplemented. In addition, there are many other publications on the theory and benefits of internal control… As internal control frameworks, COSO, Turnbull and CoCo complement each other. They each see internal control as a process/set of processes designed to facilitate and support the achievement of business objectives. Each of the frameworks takes the wider approach to internal control covering consideration of significant risks in operations, compliance and financial reporting. Objectives such as improving business effectiveness are included, as are compliance and reporting objectives.
The narrow approach to internal control is usually restricted to internal control over financial reporting… SOX focuses on one specific aspect of internal control, that related to internal control over financial reporting whereas, as has been previously noted, the key internal control frameworks such as COSO, Turnbull and CoCo take a wider business-led approach and cover all controls. Assessments of internal control using the SOX definition are less likely to focus on the business benefits that can result from a review of the wider aspects of internal control and the related processes for risk management… By covering all material controls and linking internal control to risk management, it allowed companies to focus on the most significant risks facing them. By setting out high-level principles rather than detailed processes, it required boards to think broadly about their company’s risks and enabled them to apply the guidance in a way that suited the circumstances of their company.”
180 View – We believe that internal control should consider business effectiveness. In this way, the control review will provide more value. As well, there should not be a significant increase in time spent as long as the reviewer has the expertise in compliance as well as efficiency and effectiveness.
Labels: SOX
S.E.C. looks to cut costs of meeting audit rules and new guidance for smaller public companies
July 12, 2006 from The New York Times - "The Securities and Exchange Commission, scrambling to find ways to cut the costs of complying with the Sarbanes-Oxley Act without gutting the act, said yesterday that it expected to propose a rule aimed at curbing costs. The commission published a "concept release," setting forth numerous questions regarding both how the carrying out of the law had proceeded and what should be done now. It asked for comments on those questions over the next two months. At issue is Section 404 of the law, which requires public companies to assess the adequacy of their internal financial controls and to have that assessment reviewed by external auditors. That provision of the law was based on a law passed in 1991 requiring banks to certify their internal controls and was expected to add little in the way of costs. But there have been widespread complaints that the cost has been excessive. An S.E.C. advisory committee recommended that smaller companies, which have not yet been required to comply with the section of the law, be exempt. A bill introduced in Congress proposed going further and exempting the vast majority of companies. "Our goal is to develop practical guidance for companies to help improve the reliability of financial reporting and to make Section 404 implementation more efficient and cost effective for investors," said the commission's chairman, Christopher Cox. The commission gave little firm indication of what a new rule would say, but in numerous sections it indicated impatience and concern that the process had proved so costly and expensive.
It noted that some companies had complained of excessive documentation being required by auditors and added, "We have anecdotally heard that this documentation, in many cases, substantially exceeded that normally produced by financial institutions," even though the Sarbanes-Oxley Act and the 1991 law were similarly worded. The commission indicated that it suspected that audit firms had done too much work, saying it was "skeptical of the large number of internal controls that some companies have identified, documented and tested." It said it thought one cause of problems might have been an "overly conservative" interpretation of the rules by auditors. The commission pointed to a document issued yesterday by a group of accounting organizations, known as the Council of Sponsoring Organizations, aimed at providing a simplified framework for smaller companies to assess their financial controls. "What we are saying is no company is exempted from good internal controls," said David Richards, the president of the Institute of Internal Auditors, one organization in the group. "It does not matter what your size is." He said the document was aimed in part at helping companies identify a relatively small number of controls that needed to be carefully checked because of their importance to accurate financial reporting. Despite widespread complaints about cost, Section 404 does appear to have had some benefits. In the first year, about one of six companies reported material weaknesses in their controls, while that figure was down to about one in 15 during the second year. A report by Grant Thornton, an accounting firm, noted that about 10 percent of banks had such problems, even though they had been complying with the 1991 law, which did not require external auditors to monitor the assessment. It said that indicated that auditor review was critical to assuring adequate controls. The S.E.C. said earlier this year that it was beginning to consider how to modify the carrying out of Section 404. Yesterday's announcement may have been most significant in that it indicated that the commission thought a new rule, rather than increased guidance, would probably be necessary. Also significant, however, was the renewed endorsement of Section 404 itself. "Quality financial reporting is a critical cornerstone to our capital markets, and investors are entitled to rely upon it," said John W. White, director of the commission's Division of Corporation Finance, in announcing the new action. "Section 404 has a key role to play in enhancing the reliability of public companies' financial statements."
180 View - Every problem is an opportunity for someone. Y2K was a huge opportunity for ERP software developers such as SAP and Oracle. Sarbanes-Oxley has been a huge opportunity for auditors. It seems that some have been overzealous in their work as they rack up their fees. It seems to us that fees would go down dramatically if the auditors applied more common sense. If the absence of a control does not cause material risk, why document and test it? As well, there may be a myriad of controls that contribute to a particular business process. However if one of the controls is sufficient, why bother documenting and testing all the secondary controls? The article makes reference to the Council of Sponsoring Organizations (COSO) providing a simplified framework for smaller companies to assess their financial controls. The American Institute of Certified Public Accountants (AICPA) and the Institute of Management Accountants have both affirmed support for new guidance for smaller public companies released during a webcast on July 11 by COSO. Click here for the webcast.
Labels: SOX
Sarbanes-Oxley - A Tough Act to Follow
March 15, 2006 from CFO Magazine - "The costs are indeed substantial. AMR Research estimates that, by year-end, U.S. businesses will have spent $20 billion on Sarbox compliance since the law was enacted. On average, AMR estimates that companies are laying out about $1 million on Sarbox compliance for every $1 billion in revenues. CFO's survey shows an even greater hit to income. Finance managers at companies with annual revenues of $500 million or more indicated that Sarbox compliance had taken an average yearly earnings bite of more than 2 percent. Smaller companies were worse off. Respondents at businesses with sales of under $500 million said Sarbox compliance was devouring 4.5 percent of their earnings each year... The major flashpoint of the argument is the way auditors attack 404. Some finance chiefs feel that the Public Company Accounting Oversight Board (PCAOB) has taken a heavy-handed approach to Auditing Standard No. 2, which instructs engagement partners on how to check their clients' internal-controls reviews. As a result, CFOs say auditors test and retest internal controls to ensure their sign-offs are beyond question. Finance managers contend the prospect of auditor nit-picking forces clients into indiscriminate documentation of internal controls. The PCAOB appears to be aware of the situation. In a November 2005 report on the initial implementation of AS2, the board criticized auditors who "did not alter the nature, timing, and extent of their testing to reflect the level of risk." By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles of individual companies. "As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas," the board stated, noting that "in some cases, a higher-risk area should have received more audit attention than it did."
180 View - Not only should accountants consider the risks, but they should also not waste time on non-critical controls. Certain controls over completeness or accuracy can be marginally helpful - what's the point of testing them?
Labels: SOX