After much anticipation and a lot of management angst, public companies have filed the first assessments of internal control effectiveness required by Section 404 of the Sarbanes-Oxley Act (SOx 404). And what are the results of these reports? Through May 24, 2005, approximately 10% of all companies reporting under SOx 404 have identified some material weakness, meaning their internal control was found not to be effective overall.¹ So after year one, we now have the opportunity to consider what apparently worked well in nine out of ten of these companies, and what caused the remaining companies to fail. Understanding what has happened so far can only help as we move forward.
The road to SOx 404 began with the passage of the Sarbanes-Oxley Act of 2002 in August of that year. This Act did not mandate the dates by which companies had to comply (that was left to the SEC), nor did it set standards for the auditors (that was left to the PCAOB). All that the Act essentially said, under Section 404, was that management must assess the effectiveness of their internal control over financial reporting, and that the company's independent auditor will audit and report on management's assessment. So some companies began their assessment in 2002, relying on their own interpretations, or those of their auditors or consultants. The first formal guidance came when the SEC adopted its rules under SOx 404 in August 2003, and then when the PCAOB formalized standards for the auditors in March 2004. Over time, there have been a couple of delays in the effective dates, dozens of FAQs issued by the SEC and PCAOB intended to explain their requirements further, and a highly publicized release of statements by both organizations on May 16 of this year to address the public's critical feedback on the requirements. So it is fair to say that SOx 404 requirements have been evolving, and continue to do so.
So what was learned in year one, and how should management consider SOx 404 moving forward? Probably the most important lesson is to use prudent judgment throughout the process. Both the SEC and PCAOB have made it clear that this is not a "one-size fits all, bottom-up, check-the-box approach that treats all controls equally."² Many companies and their auditors in year one believed the rules implied a strict set of requirements for internal control to be effective. While there are certainly some specific criteria to be met in the assessment, it is clear that every company is different. And while process remediation will most likely be necessary to correct internal control weaknesses in some areas, it is also true that most good companies already have effective internal controls in most areas, which have evolved over time.
That brings us to the next consideration. Using prudent judgment during the process requires some subjective reasoning. Of course, one person's subjective belief is not necessarily the same as another's. The point is that management must continually communicate to and with their auditors the decisions and findings made during their assessments. Certainly some of the companies that either passed or failed in their year one reports were surprised by their auditors when their assessments were audited. Each of the myriad considerations and decisions made during the assessment should be discussed in a timely manner to assure a meeting of the minds in the end.
So how does management determine the approach that is appropriate for their unique organization? Again, the SEC and PCAOB are in agreement that the process should be a "top-down approach," considering risks within the internal control over financial reporting. Such an approach starts with the financial reports and identifies the company-level and individual process, transaction and application controls over significant financial statement accounts and processes. In a way, the financial statements are reverse-engineered to expose those points where a material misstatement could occur, and the internal controls are assessed at those points. Management makes a risk assessment during the scoping process, which of course should be discussed with the auditors. If management takes the time to scope the process appropriately at its inception, and also considers findings throughout the assessment, it will have an effective and efficient project.
Companies that have already reported in year one should continue to revisit scoping in subsequent years. A monitoring mechanism needs to be in place to support management's continued understanding of their internal control structures and reporting in subsequent annual periods. Some of the controls evaluated in year one may not make sense in subsequent years, as the company and its systems evolve. Also, there are likely to be opportunities for standardization of internal controls over time. As always, management should perform a risk assessment of internal control throughout each period.
Some of the biggest concerns come from those companies that have yet to complete their initial assessment. The SEC provided its latest relief to smaller companies when, in March 2005, it delayed the reporting requirement for "non-accelerated filer" companies and foreign private issuers from years ending after July 15, 2005 to years ending after July 15, 2006. Since this was not the first time that the reporting timelines were delayed, some believe that the requirements for smaller companies will be further reduced or eliminated altogether. While there is no certainty, there is currently no basis to believe that the requirements for small companies will be reduced, since the current requirements are based on the Act. In fact, the SEC has provided this relief knowing that smaller companies do not have extensive resources and need more time. Therefore, it only makes sense that these companies do not ignore the assessment process, but rather utilize the time appropriately.
Also relating to smaller companies, there will be further guidance coming later in 2005 from COSO (the Committee of Sponsoring Organizations, the organization recognized as providing a standard framework of internal control) to assist these companies in implementing internal controls within the COSO framework. Since smaller companies typically do not have extensive accounting and reporting personnel, it may prove inherently more difficult for them to design an effective internal control structure. It should be noted that COSO will not be altering its overall design framework with this guidance (which some call "COSO Lite"), but its implementation guidance should prove very valuable, as there have been few such authoritative examples to follow so far.
Year one of SOx 404 proved exceedingly daunting to many companies. As should be expected, there is much to learn from the experience. Companies should step back and make sure they apply that knowledge as best they can when moving forward.
¹ Compliance Weekly, May 24, 2005
² SEC Statement on Implementation of Internal Control Reporting Requirements, May 16, 2005