Stated goal is to ease compliance burdens, particularly on smaller public companies, but questions remain if the revisions go far enough.
In the closing days of 2006, the Securities and Exchange Commission ("SEC" or "Commission"), along with the Public Company Accounting Oversight Board ("PCAOB" or "Board"), released proposed new guidance and standards to assist public companies in complying with the requirements of Section 404 of the Sarbanes Oxley Act of 2002 ("Sarbanes-Oxley" or "Act")1. The long-awaited revisions were praised by SEC Chairman, Christopher Cox, as an "exceptionally positive step for both investors and for America's capital markets." It remains to be seen, however, whether the much anticipated reforms will be sufficient to appease the criticism of some business leaders, particularly those of smaller public companies, who have grappled with what they perceive to be burdensome and in some cases duplicative processes required for compliance with the Act.
The crux of the new revisions entail two main areas. The SEC is proposing interpretive guidance for management regarding its evaluation of "internal control over financial reporting (ICFR)," a term created with the SEC's adoption of rules implementing Section 404 of the Act. The PCAOB is proposing a new auditing standard titled An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements that would supersede existing Auditing Standard No. 2 (AS2). Both proposals are intended to address the dissatisfaction many business leaders have expressed over the extensive costs in terms of both money and manpower that are currently required to comply with existing regulations.
In an issued statement concerning the PCAOB's proposal to replace AS2, Cox commented that the "PCAOB's proposal to repeal the unduly expensive and inefficient auditing standard under section 404 of Sarbanes-Oxley - and to replace that standard with one that strengthens investor protection by refocusing resources on what truly matters to the integrity of financial statements" along with the SEC's new interpretive guidance for ICFR "should significantly improve the implementation of Section 404." Casting a similar statement, the PCAOB issued a statement announcing that the new auditing standard to replace AS2 would be "principles-based" and was "designed to focus the auditor on the most important matters, increasing the likelihood that material weaknesses will be found before they cause material misstatement of the financial statements." Thus, in the press releases accompanying these new proposals, both the SEC and the PCAOB have made clear that the new proposals are intended to be "mutually reinforcing" and together will assist companies' compliance with Section 404, thereby making Sarbanes-Oxley more effective and efficient. Notwithstanding the comments of the SEC and PCAOB and the new interpretive guidance and the proposed auditing standard, some opponents of Section 404 have continued to raise concerns with the compliance requirements that have been implemented by the PCAOB.
Congress enacted Sarbanes-Oxley in the wake of the corporate accounting and disclosure scandals that plagued the country's financial markets in the beginning of this decade. Repeated corporate scandals involving inaccurate financial reporting, malfeasance by corporate officers and directors and a perceived, if not actual, lack of fundamental safeguards to ensure the accurate reporting of financial information resulted in a perilous condition that threatened the public's confidence in the nation's financial markets. Sarbanes-Oxley was intended to institute a uniform system of corporate accountability and disclosure for all public companies in order to shore up the public's confidence. The creation of the PCAOB with its stated goal to "oversee the audit of public companiesin order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports" for public companies was one of the most significant provisions of Sarbanes-Oxley.
Since its implementation, Sarbanes-Oxley has met with some criticism from the corporate community due to the cost burdens imposed in order to ensure compliance. One of the main areas of corporate disapproval has been Section 404 of the Act and the PCAOB's AS2, which was designed to implement Section 404.
Section 404 of the Act requires, among other things, that a corporation's annual report include a certified statement that the corporation's management is responsible for ensuring adequate internal control structures and procedures for financial reporting. AS2 requires that this annual certification must be attested to by the corporation's external auditor, thus requiring an "external audit" of management's assessment of the company's ICFR. The "external audit" requirement has resulted in significant financial as well as manpower costs to public companies' compliance with the Act and imposes particularly negative consequences on small businesses.
AS2 has also had an apparent effect on the role of outside auditors performing the "external audit." In testimony in June 2005 before the Senate Committee on Banking Housing and Urban Affairs, The Financial Services Roundtable, an organization representing 100 of the nation's largest integrated financial services companies, noted that implementation of Section 404 has "made auditors hesitant to provide advice to clients, caused auditors to impose excessive testing and documentation requirements on clients, and significantly increased the costs of outside audits."
As both the SEC and PCAOB noted in their proposals, two annual financial reporting cycles have been completed since outside auditors began applying AS2 to audits of the largest public companies. During this time, the PCAOB oversaw implementation of AS2 and the efforts made by auditors to ensure company compliance and gathered information from a variety of sources. In assessing the information obtained, the PCAOB concluded that "two basic propositions have emerged." One, the external audit of ICFR has "produced significant benefits," including a greater focus on corporate governance that had not existed in the past. Two, the PCAOB recognized that these benefits have come with "significant cost," recognizing the "consistent message" that compliance with ICFR under the Act "has required greater effort and resulted in higher costs than expected."
Recognizing that external auditors should perform ICFR audits as efficiently as possible, the PCAOB evaluated "every significant aspect of the audit of internal control to determine whether existing standards encouraged auditors to perform procedures that are not necessary in order to achieve the intended benefits." As a result of the PCAOB review, the new auditing standard to replace AS2 was created.
The new auditing standard is designed primarily to: 1) focus the audit on the matters most important to internal control; 2) eliminate unnecessary procedures; 3) scale the audit for smaller companies; and 4) simplify the requirements of the audit by, among other things, reducing detail and specificity.
Significantly, the PCAOB stressed that it "continues to believe that the overall scope of the audit described by AS No. 2 is correct" i.e . to attest to and report on management's assessment, the auditor must test controls directly to determine whether they are effective." However, the PCAOB recognized that the auditor could still perform an effective audit of internal control without carrying out a comprehensive review of the sufficiency of corporate management's evaluation process. Thus, the new auditing standard eliminates the requirement of AS2 to evaluate management's annual evaluation process.
The remaining highlights of the PCAOB's proposed new accounting standard are a scaling of the external control audit for smaller companies and a simplification of the requirements in general, both of which are geared towards alleviating the impact of Section 404 compliance on smaller companies who tend to have fairly simple internal control structures. The PCAOB recognized that smaller companies often present "different financial reporting risks than larger and more complex ones and that their internal control systems often appropriately address those risks in different ways." In essence, the new auditing standard would require auditors to perform tasks that are dependent upon where in the "size and complexity continuum" the company falls.
As a corollary to the PCAOB's new auditing standard, the SEC's new interpretive guidance on ICFR is "intended to assist companies of all sizes to complete their annual evaluation in an effective and efficient manner." Significantly, the SEC stated that proposed amendments to its rules that require management's annual evaluation of ICFR will make it clear that an evaluation that complies with the interpretive guidance is "one way to satisfy those rules."
Critics of the external audit requirements of Sarbanes-Oxley are not satisfied with the PCAOB's new audit standard, primarily because the PCAOB continues to insist on an external audit. Opponents have indicated that the external audit requirement has been the largest factor in the greater than expected effort required and costs incurred in compliance with the Act. Significantly, they point out that the actual language of Section 404 does not require an external audit of ICFR and it was not a requirement until the PCAOB issued AS2 in June 2004. According to the critics, nothing in the new auditing standard will actually eliminate an external auditor from performing a full-blown audit in order to protect themselves from the possibility of litigation if a problem is later uncovered.
The proposals are currently subject to public comment until the end of February, at which point the SEC and PCAOB will consider making the new provisions permanent and supersede present requirements.
1 Sarbanes-Oxley is officially known as the "Public Company Accounting Reform and Corporate Responsibility Act," 15 U.S.C. 7201 et. seq.
Stephen V. Falanga is a Partner in the Corporate Department of Connell Foley LLP. John P. Lacey is a Partner in the Business Litigation Department of the firm.