Sarbanes-Oxley Section 404: What's on the agenda?

Tensions are running high in the world of Sarbanes-Oxley Section 404, with a flurry of activity in the last couple of months, spurring lots of lively discussion and debate amongst the many interested parties. Comments have come from a variety of sources, including the landmark May 10th SEC/ PCAOB roundtable on second-year experiences and various government and independent research reports. Furthermore May 17th saw the announcement by the PCAOB and SEC separately of a series of actions to address issues raised. The tricky cost/benefit equation remains firmly centre stage. A further source of stress is the question of clarity versus subjectivity or regulation versus judgment i.e. how much more regulation should the SEC and PCAOB provide? The latitude of judgment currently required to implement the legislation is proving problematical. This is not surprising given the prescriptive rules-based regulatory environment to which the US is accustomed.

My aim in writing this article is to cut through the volume of material that has emerged over recent months and distil the key high level themes which are dominating the Section 404 agenda. The table at the end of the article provides a summary of what I believe to be the main events and research reports that have been issued in April and May of this year. Each adds new information and different perspectives, the majority of which were brought together at the May 10th SEC/PCAOB eight hour roundtable discussion. In what follows I provide a discussion of the key high level themes identified under 3 broad headings:

  • Benefits of S404 - including the market perspective
  • Costs, costs, costs' and efficiencies?
  • Next Steps

Benefits of S404 - including the market perspective
There appears to be general agreement that S404 has improved the quality of financial reporting and has even involved a ‘cultural change’of embedding control into the fabric of the organisation. Benefits cited include:

  • Better and more transparent disclosure
  • Increased awareness and ownership of controls
  • More engaged audit committees and boards
  • Positive effect on US capital markets
Whilst increased ‘control consciousness’ has been recognised, the benefits to companies in the broader area of risk management are discussed less. Perhaps this is a subject for Year 3 and beyond as companies increasingly focus on increased efficiencies and the added value aspect of S404 as opposed to mere compliance. The danger here of course is that companies do not go far enough early enough in re-assessing existing structures. Instead they may just add another expensive layer of compliance to the already over encumbered and often uncoordinated risk management and compliance programme. Indeed we already see top companies in the US moving to bring their entire governance functions under one umbrella, with a scorecard of all risk perspectives neatly on one page.

With regard to the effect on the markets, the prevailing view is that Sarbanes-Oxley has made a significant contribution to restoring investor confidence. Panelists at the May 10th Roundtable (‘panelists’) cited lower cost of capital and higher stock price multiples as tangible proof of the benefits afforded to issuers and their shareholders - of course there are many factors that affect the price of stocks, and cause and effect questions remain. There is, however, some concern about the long term effect on the US capital markets of the new requirements, with recent studies indicating that foreign companies are choosing to access the U.S capital market through secondary, private placements offerings.

Is the market using S404 data?
If S404 is really of benefit to investors then we should see the information that is disclosed in S404 reports being used by the investment community.

In terms of market reaction to individual S404 disclosures, investment analysts have been pretty silent. However their view should ultimately be reflected in the share price and Lord & Benoit have conducted some interesting research on the share price performance of nearly 2,481 S404 filers. The study compared the average share price performance for three categories of filers during the first two years of implementation with the following results:

The Lord & Benoit Report: Do the Benefits of 404 Exceed the Cost?

* Clean S404 assessment = "effective controls"; Adverse 404 assessment = "ineffective controls"

Whilst there are the usual cause and effect questions, the results show that average stock prices increased at a higher rate for companies that has consistently reported good internal controls compared to those that either corrected their internal controls or remain unimproved. The results also indicate that lost confidence can be recovered quickly. This is consistent with Moody’s approach (discussed below), which is concerned with pervasive and ongoing problems when considering company downgrades.

In contrast to our ‘silent’ analysts, rating agencies are overtly using S404 disclosures in their rating decisions. In the first year of S404 reporting, Moody’s took rating action in roughly 20% of the companies that reported control problems. Moody’s May report ‘The Second Year of Section 404 Reporting on Internal Control’ provides good insight into how it is using S404 data in its rating decisions. In general, it is taking negative rating action when all of the following factors are present:

  • Material weakness considered ‘pervasive’
  • Ongoing and uncertain problems with the company’s reporting
  • The current rating does not yet fully reflect the uncertainty of possibly misleading financial reporting

Moody’s treats ‘delinquent’ (i.e. late) filers as if they had reported a material weakness and generally finds that these companies meet all three of the above rating action criteria.

But Moody’s raises a fundamental point regarding the usefulness of disclosures and the S404 process in general, expressing concern that too many material weakness disclosures were being made at the same time that errors or restatements were being announced, thus acting as lagging rather than leading indicators and undermining their usefulness to users of financial statements. Moody’s reports that out of 74 companies reporting material weaknesses in the current year, only 4 companies did not experience a prior reporting error (note figures relate to companies that Moody’s rates as opposed to all filers).

‘We can only hope that underneath the radar screen of public reporting is genuine improvement in controls that will prevent future errors from occurring’, (Moody’s, May 2006)

Costs, costs, costs'.and efficiencies?
When it comes to compliance, costs tend to make it to the top of the agenda, not surprising given that they tend to be immediate and quantifiable in contrast to the benefits, which are more long term and intangible. S404 is no exception and whilst few argue that there are significant benefits to S404, there appears to be consensus that costs are still too high. But we are only at the beginning of the S404 era and certainly there are many efficiencies still to be gained. These will be achieved through savings in both direct costs of compliance and also from streamlining the controls and processes within an organisation as a result of knowledge gained during the S404 process.

Experience to date and opportunities for further efficiencies
There are a number of studies which look at the S404 cost experience, each reporting somewhat differing estimates but all showing significant declines in Year 2 versus Year l. Perhaps the most compelling data comes from the CRA International survey which reported an average reduction in Year 2 compliance costs of c.30%-40% over Year 1, including up to 50% reductions in external support fees and over 20% in external audit fees.

Savings have come from a variety of sources, including elimination of one time start-up costs (e.g. lower costs to document controls and less effort to remediate controls), learning curve effects and additional regulatory guidance. Companies and auditors are now acutely aware that the scope of controls identified for testing as well as the testing approach taken are key drivers of the ongoing cost of compliance.

Everyone seems to have found the May 2005 guidance issued by the PCAOB very helpful in this regard (top down risk-based approach) and companies reported testing a significantly lower number of key controls in Year 2, with further room for rationalisation. The CRA Survey reports a c.20% reduction in key controls tested by auditors in Year 2 versus Year 1. Requests for further guidance in this area have been heard by the PCAOB and the SEC and both have included same in their respective action plans.

In addition panelists at the Roundtable strongly expressed the view that a key benefit of the May guidance was the clarification that auditors can provide advice and assistance to management regarding accounting, financial reporting and internal control matter, allowing for much greater efficiency in the process. Another cited benefit was the recognition of the flexibility in management’s approach to its assessment.

The common themes emerging with respect to opportunities for efficiencies are:

  • Entity level controls - there has been too much testing of lower level controls by companies and auditors; but both are now beginning to recognise the efficiency in evaluating and testing the company’s monitoring controls.
  • Use of the work of others by auditors - there has been much frustration with duplication of effort due to auditors not relying on the work of management. There has been an increase in the use of work of others by auditors - the latest CRA Survey indicates that reliance increased to 25% of audit evidence, up from 15% in Year 1 for larger companies (corresponding figures for smaller companies are 22% and 11%). However, the problem here is two-fold: uncertainty amongst auditors as to the extent of reliance permissible and also limitations due to issues relating to testing efforts at the company e.g. lack of independence. The PCAOB and SEC will address this area in the new guidance they plan to issue.

  • Leveraging IT controls - Testing of IT and application controls has been a difficult area for many companies but significant progress is reported (indeed the process has facilitated many companies in identifying opportunities to improve their IT controls). Overall people feel that major opportunities still exist to leverage such controls.

Results of cost surveys and panelists views clearly indicate that the burden of compliance is proportionately greater for smaller companies. There is some support for providing smaller companies broad exemption from the internal control reporting requirements (Ernst & Young disagrees), however the SEC’s 17th release makes clear that there will be no exemption forthcoming (‘ultimately all public companies will be required to comply’, - SEC, 17th May) . Additional guidance is clearly needed for smaller public companies and both the PCAOB and SEC have indicated that they will provide guidance to management/auditors of smaller companies (the SEC will assess the need following a review of the guidance being developed by COSO in this regard).

Next steps
I have identified throughout this article some of the issues which the SEC and PCAOB plan to address in their upcoming guidance i.e. smaller company guidance; top down risk-based approach and auditor versus management assessment (note on the latter the SEC will issue a concept release for comment). Other issues on the agenda include Material Weaknesses (MW) and Significant Deficiencies (PCAOB clarification of definitions and consideration of the ‘strong indicators of a MW’ to allow for more judgment); and lots of inspections (both PCAOB of auditor and SEC of the PCAOB). The next date in the diary is Monday, June 12th, when the PCAOB will hold a Standard Advisory Board meeting to discuss its activities in this arena.

‘Careful what you ask for!’ is a phrase now commonly used in the context of S404 guidance/regulation, so it will be interesting to see the form and nature of the new guidance (the PCAOB is planning to revise Auditing Standard No. 2 as well as issue additional guidance). But in the meantime, at this side of the Atlantic, Foreign Private Issuers are focused on getting through Year 1. If it is any comfort, the three words I have heard used repeatedly in connection with Year 1 efforts are ‘difficult’, ‘challenging’ and ‘struggle’, so if that is how you are feeling, you are not alone!

The world of S404 is moving at rapid pace, with benefits being realised and cost efficiencies being achieved. But I believe that to truly bring the cost/ benefit equation into balance companies need to move beyond the compliance model and move to an integrated governance model, using S404 and other initiatives to truly manage risk from a single consistent view.

For key s404 events and releases in April and May 2006, click here

Elaine Brownlee is a manager in Ernst & Young’s Business Risk Services practice.

The material in this article is provided for general information purposes only and does not constitute professional advice. It is necessarily in a condensed form. Readers are advised to seek professional advice with regard to their particular factual situation before taking any decision or course of action.

© Copyright 2006 Ernst & Young