
Sunday, April 1, 2012

by Helvry Sinaga  |  in Sarbanes Oxley at  8:03 PM
The Nature and Disclosure of Fees Paid to Auditors
An Analysis Before and After the Sarbanes-Oxley Act

By Ariel Markelevich, Charles A. Barragato, and Rani Hoitash

NOVEMBER 2005, SPECIAL ISSUE - The issues surrounding auditor independence and investor confidence in the financial statements of public companies have been widely debated. Much of the discussion has been fueled by the dramatic changes in the accounting profession since the 1990s. Many accounting firms (including some of the largest in the world) merged and transformed themselves into multispecialty organizations.
In the wake of accounting firms’ transformation, regulators became increasingly concerned about the interplay between auditor independence and the provision of nonaudit services (NAS) to audit clients. In his highly publicized testimony before the U.S. Senate on September 28, 2000, then–SEC chairman Arthur Levitt expressed his concern that “as auditing becomes an ever-smaller portion of a firm’s business with an audit client, it becomes harder to assume that the auditor will challenge management when he or she should, if to do so might jeopardize a lucrative consulting contract for the auditor’s firm.” This view, coupled with Enron’s failure, WorldCom’s malfeasance, and the collapse of Arthur Andersen, led to the eventual passage of the Sarbanes-Oxley Act of 2002 (SOA).

The analysis that follows focuses on the market for audit and nonaudit services by examining fees paid to auditors during the period 2000 to 2003. This timeframe is of particular interest because this period saw sweeping changes in auditors’ business, regulatory, and professional environment.

Regulatory Background
In recent years, the SEC and Congress have promulgated a variety of rules that are grounded in the notion that auditor independence is vital to the production of high-quality audits and that fees paid to auditors for both audit and nonaudit services may impair such independence. In November 2000, the SEC issued a directive requiring public companies to disclose audit and audit-related fees paid to their outside auditors. These disclosure rules became effective for proxy statements filed after February 5, 2001 (SEC Final Rule S7-13-00). Following SOA, the SEC expanded (and in some instances redefined) these disclosure requirements, and now requires that fees paid to auditors be broken down into the following categories: 1) audit fees; 2) audit-related fees; 3) tax fees; and 4) all other fees. One of the more significant changes under the expanded guidelines is a change in how audit fees are defined. The initial rule adopted by the SEC (for proxies filed in 2000) required that companies disclose fees paid for audits and quarterly reviews in the “audit fees” category. The expanded rule requires companies to include any fees for services performed to fulfill the accountant’s responsibility under GAAS. Additionally, audit firms are now prohibited from providing such services as financial information system implementation and design, internal auditing, and a number of other services.

Data and Results
The study comprised a sample consisting of 2,507 public companies that have disclosed audit fee information from 2000 to 2003, as reported in the Standard & Poor’s Audit Fee Database. Starting in 2003, companies were required to report fees paid to their auditors under the new disclosure rule. The new rule also mandated that companies present their fiscal 2002 fees under the new rule for comparison purposes. Consequently, the sample consists of fees reported under the old rules for 2000 and 2001, and fees reported under the new rule for 2002 and 2003. The descriptive statistics for the additional fee categories are limited to 2002 and 2003.

Analysis
Exhibit 1 presents the full sample descriptive statistics for fees paid for audit and nonaudit services during the period under study. For ease of exposition, and to mitigate the impact of extreme observations, the discussion focuses on median fees (illustrated in Figure 1).
As noted in Exhibit 1, total fees increased from $602,369 in 2000 to $683,618 in 2003, an increase of roughly 13%. In contrast to the changes in the definition of audit fees and nonaudit fees (as described above), the definition of total fees remained consistent over time. Some critics contend that large fees paid to auditors make auditors more economically dependent on their clients, possibly creating a relationship in which the auditor becomes reluctant to make appropriate inquiries during the audit for fear of losing highly profitable fees. Overall, there has been a slight increase in total fees from 2000 to 2003. Such a modest change in total fees over the sample period makes it difficult to make reasonable inferences concerning the assertion that auditors can become economically dependent upon clients, or how SOA may have affected this.

Audit fees increased almost 80%, from $239,000 in 2000 to $430,000 in 2003. This increase is substantial and is likely attributable to a number of factors, including: 1) increased risk of litigation; 2) changes in the scope and complexity of audit engagements; 3) transition from the Big Five to the Big Four marketplace (the demise of Arthur Andersen); 4) reactions to new regulatory restrictions forbidding auditors from rendering certain nonaudit services; and 5) the changing definition of the audit fees category (the revised SEC disclosure requirement). Additional analyses address the potential impact of the new definition of audit fees; because fees paid by companies in 2002 were reported under both the old and new rules, there is a unique opportunity to study the effects of this reclassification. As a result of the reclassification, median audit fees increased by about 10%, while nonaudit fees decreased by a similar amount. This suggests that any change above 10% results from actual variations in the services provided by auditors (or the fees charged), rather than from the change in classification.

The median fees paid for nonaudit services declined from $312,741 in 2000 to $211,200 in 2003, a decline of 32%. In 2003, nonaudit services accounted for roughly 31% of total fees, compared to almost 52% in 2000. If the relation between auditor independence and the provision of nonaudit services to audit clients is problematic, as the SEC and Congress have argued, then the reduction in the ratio of nonaudit services to total fees should help limit auditor-independence violations.

Tax fees represent the largest category of the nonaudit fee composite. Median tax fees declined by 8%, from $102,000 in 2002 to $93,448 in 2003. Median audit-related fees increased 26% over the same period, from $40,140 in 2002 to $50,500 in 2003.

Analysis by Audit Firm Size
Category 1 includes only the Big Five (Arthur Andersen, Deloitte, Ernst & Young, KPMG, and PwC), category 2 consists of the two largest second-tier firms (BDO Seidman and Grant Thornton), and category 3 contains all other auditing firms.
Descriptive statistics for fees paid to the Big Five are presented in Exhibit 2A. Total fees behavior is similar to that in Exhibit 1 for the whole sample. Median total fees increased by 20%, from $678,000 to $812,000, during the same period. Median audit fees grew substantially, from $264,000 in 2000 to $503,000 in 2003, roughly 91%. Correspondingly, median nonaudit fees decreased approximately 27%, from $364,550 in 2000 to $266,348 in 2003.

Exhibit 2B presents the results for category 2, second-tier firms. The median total fees increased by 33%, from $218,713 in 2000 to $291,450 in 2003. Median audit fees increased from $138,950 in 2000 to $197,900 in 2003, roughly 42%. Median nonaudit fees decreased by 19%, from $80,674 in 2000 to $65,350 in 2003.

Results for the third group, small audit firms, are presented in Exhibit 2C. Median total fees increased from $298,207 in 2000 to $308,919 in 2003, an increase of 4%. Consistent with the trend in the previous two categories, median audit fees increased by roughly 40%, from $149,875 in 2000 to $210,488 in 2003, while median nonaudit fees decreased by 17%, from $114,000 in 2000 to $95,138 in 2003.

Changes in Market Share
Exhibit 3 presents market share data by audit firm category in terms of the total fees received by audit firms and the total number of clients they serve.
Although there is little change in the percentage of total fees received by each of the three auditor groups from 2000 to 2003, it is interesting that the Big Five collected just under 92% of the fees in both years. With respect to changes in the aggregated fees between 2000 and 2003, second-tier firms increased collections from their audit clients by just over 44%. Conversely, the Big Five firms and small firms experienced a decline in total collections of roughly 13%.

The Big Five lost 86 clients (a 4% decrease) to the second-tier (36 clients, a 58% increase) and small firm groups (50 clients, a 15% increase). These results suggest that although both the second-tier and small firms gained clients, the majority of Arthur Andersen’s clients were retained by the remaining Big Four.

Implications
Audit fees increased substantially between 2000 and 2003, with the Big Five experiencing the greatest percentage increase, accompanied by a large decline in nonaudit fees for firms of all sizes. These results are not caused by the changes in the definitions of audit and nonaudit fee classifications but rather by changes in the services provided by auditors, or the fees charged for those services. The net effect of these changes may appear relatively modest given that several of the Big Five spun off their consulting practices during or just prior to the period in question and that SOA now limits the types of consulting services that can be offered to audit clients.

Small audit firms appear to have been more negatively affected during the study period, as evidenced by their relatively flat total fees from 2000 to 2003, as compared to a 20% and 33% increase for Big Five and second-tier firms, respectively. Using total fees as a barometer, second-tier firms experienced a substantial increase in market share from 2000 to 2003, with both the Big Five and small firms giving up ground.

Although the full regulatory impact of SOA remains to be seen, to the extent that Congress and the SEC are correct that the relation between auditor independence and the provision of nonaudit services to audit clients is problematic, then the expanded fee disclosures and restrictions on consulting services should reduce auditor-independence violations. On the other hand, if auditor-independence violations stem more from auditors’ dependency on the total fees received from audit clients, then the relatively small reduction in total fees documented from 2000 to 2003 may require refocusing on other aspects of the auditor-independence issue.

Ariel Markelevich, PhD, is an assistant professor at Long Island University–C.W. Post Campus, Brookville, N.Y.
Charles A. Barragato, PhD, CPA, CFE, is a professor at Long Island University–C.W. Post Campus.
Rani Hoitash, PhD, is an assistant professor at the Sawyer School of Management, Suffolk University, Boston, Mass.





Saturday, May 7, 2011

by Helvry Sinaga  |  in Sarbanes Oxley at  8:02 PM
Revisiting the Ripple Effects of the Sarbanes-Oxley Act
By Jo Lynne Koehn and Stephen C. DelVecchio
MAY 2006 - Almost four years have passed since the Sarbanes-Oxley Act of 2002 (SOX) was legislated and implemented. In “Ripple Effects of the Sarbanes-Oxley Act” (February 2004 CPA Journal), the authors identified and discussed foreseen and unforeseen consequences of the Act. Now, with the benefit of hindsight, these previously identified effects will be revisited and their status updated. Several additional effects are noted that were not originally identified. (Note: This article presents the “ripple effects” in the same order as the original. The order does not signify the relative importance of the effects.)

Negative Influence on Corporate Mergers and Acquisitions
Merger and acquisition activity in the immediate wake of SOX did not show a decline. The number of deals consummated actually rose, from 7,702 in 2003 to 8,313 in 2004. The dollar value of those deals rose from $570 billion in 2003 to $833 billion in 2004. A portion of the increased activity is likely due to foreign buyers capitalizing on the weaker dollar (R. Weisman, “Merger Activity at Full Tilt, Even Before Gillette,” Boston Globe, February 7, 2005).

Some believe that the reason the M&A activity has been the opposite of expectations is that mergers can result in combined entities that can more easily absorb the significant compliance costs associated with SOX. And, while the number of deals after SOX has not declined, SOX has still affected M&A activity by impacting the due diligence required to support merger transactions. Acquiring companies must carefully review financial records, vendors, and key customers of target companies and assume accountability after the merger for those records and relationships. Such increased time and scope for due diligence has increased the transaction costs associated with mergers and acquisitions (R. Ouellette, “Sarbanes-Oxley Sure to Affect Variety of Transactions,” Due Diligence, September 26, 2005).


Increased Efforts by Audit Committees
In 1999, the New York Stock Exchange and the National Association of Securities Dealers created the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. The committee established recommendations that audit committee charters require meetings at least four times per year. A survey following the committee’s report (W. Read and K. Raghunandan, “The State of Audit Committees,” Journal of Accountancy, May 2001) found that, on average, audit committees met less than the recommended four times per year. Since SOX, as anticipated, audit committees are meeting more frequently. The annual Spencer Stuart Board Index study of corporate governance in S&P 500 corporations found that audit committees met, on average, five times per year in 2002. In 2003, the frequency of meetings increased to seven. An alternate survey of governance practices in 200 corporations by Pearl Meyer & Partners reported an average frequency of nine meetings for audit committees in 2005.


Contraction of the Audit Market/Decreased Competitiveness of the Audit Market
In July 2003, the General Accounting Office (GAO, which became the Government Accountability Office in 2004) published a report titled “Public Accounting Firms: Mandated Study on Consolidation and Competition.” The SOX-mandated report did not find impaired competition in the audit market for public companies, nor did it find the conditions favorable for any second-tier firms joining the Big Four. The GAO stated: “[L]ack of staff, industry and technical expertise, capital formation, global reach, and reputation” comprise some of the market forces that make it unlikely that any firms will be able to join the Big Four (S. Taub, “Too Few Auditors to Go Around?,” cfo.com, July 31, 2003). Size disparity between the top-tier and second-tier firms may just be too large to overcome. If all the revenues of the second-tier firms are added together, they fall short of the revenue of KPMG, the smallest of the top-tier firms (“Report from a General in the SEC’s War on Fraud,” BusinessWeek, September 26, 2005).
Even though the audit market has not expanded in the sense that second-tier firms have moved to the first tier, nonetheless shifts are occurring in the market. When hiring auditors, many public companies are now considering second-tier firms as viable options. Because the typical audit requires more hours to complete since SOX, the Big Four have shed some clients due to a lack of manpower. Other companies have switched to second-tier firms based on the service they expect to receive if they are among the second-tier firm’s highest-profile clients. In 2004, the second-tier firm of BDO Seidman, LLP, gained 109 clients and lost 38. Another firm in the second tier, Grant Thornton, LLP, gained 80 and lost 63 (N. Byrnes, “The Little Guys Doing Large Audits,” BusinessWeek Online, August 22, 2005). The next year, the 2005 revenues of BDO Seidman showed growth of 13% to $3.3 billion. Comparatively, Ernst & Young’s revenues increased 16% to $16.9 billion (J. Ciesielski, “Happy Holidays: Big Revenue Growth at Accounting Firms,” www.accountingobserver.com/blog/2005/12/bdo-revenues-up-13/, December 21, 2005).
One constraint to companies changing from the first-tier audit firms to the second tier is geographical dispersion of operations. The Big Four, with their worldwide coverage and other attributes noted above by the GAO, remain the best audit firm candidates for companies with significant size and global operations.
The audit market has changed since SOX, and the initial concerns regarding contraction and decreased competitiveness now seem less worrisome. The increased audit demands attributable to SOX have been satisfied by some shifts from first- to second-tier firms. However, the SEC remains mindful that some corporations can be viably served only by the Big Four, and the loss of another firm from the first tier could resurrect concerns of market contraction and decreased competitiveness.


Increase in Accounting Costs
A survey by Financial Executives International reported that small companies anticipate spending $824,000 to comply with SOX and that the average cost for all companies is $4.3 million (D. Solomon, “Small Firms to Get another Extension on Sarbanes Rule,” The Wall Street Journal, September 13, 2005). AMR Research in Boston estimates that, collectively, U.S. public companies will spend $6.1 billion in SOX-related compliance costs (D. Gullapalli, “Living with Sarbanes-Oxley,” The Wall Street Journal, October 17, 2005).
One component of compliance costs is related to corporate governance. Pearl Meyer & Partners’ 2005 Study of Director Compensation finds that median total board remuneration rose 10% in 2005, to $183,204. In 2004, the comparative increase was 13%.
These consultants maintain that three board committees—audit, compensation, and governance/nominating—are the committees that are generally most impacted by issues related to regulatory changes, shareholder activism, and the public’s scrutiny of financial controls, executive compensation, and board performance.
One way that companies are adapting board pay to the new governance environment is by differentiating committee chair pay by the effort demanded of the committee. Exhibit 1 shows the median combined meeting fees and retainers for audit, compensation, and governance/nominating chairs. The chairs’ combined compensation rose 22% to $22,500 for audit chairs, 12% to $14,000 for compensation chairs, and 14% to $12,000 for governance/nominating chairs. Audit committee members are paid 96% more than compensation members and 122% more than governance/nominating members. Interestingly, the pay for committee members on these committees was reported to be flat or down. The compensation report notes that corporations are relying less on meeting fees, in response to criticism that board members should not be rewarded for fulfilling a mandatory responsibility.


Increased Records-Management Requirements
SOX has focused increased attention on the records-management area. Since 2002, many companies have implemented e-mail archiving systems to allow efficient retrieval of e-mail in the event it is subpoenaed for cases related to regulatory or private litigation. The software systems archive e-mail, usually on backup servers, according to company-specified indexing systems. Key items, like the date and the name of the sender and the receiver, can be indexed. Later searches by the key items will allow the entire message to be retrieved for review (P. Loftus, “Send and Save,” The Wall Street Journal, August 19, 2005).


Salary Increases
The Lucas Group, a professional recruiting firm, in its 2005 report indicated strong hiring growth in positions needed to meet Sarbanes-Oxley compliance. This growth in demand has impacted salaries for accounting and finance professionals. Robert Half International’s 2005 Salary Guide forecasts that starting salaries for accounting and finance professionals will increase an average of 2.4% next year. However, the guide reported double-digit average increases for certain areas of accounting:
  • Internal auditors at large corporations: 12.5%
  • Internal auditors at mid-size corporations: 16.8%
  • Managers at large public accounting firms: 10.2%
  • Senior accountants at large public accounting firms: 11.7%
  • Entry-level professionals at small public accounting firms: 11.4%.

Increase in Audit Fees
Respondents to a survey by the Financial Executives Institute in 2003 anticipated audit fees increasing by 30%. In 2004, the FEI respondents anticipated fees would increase by 50%. The large increases correlate positively with the increased time that auditors report spending on audits. Deloitte & Touche, LLP, estimates spending 40% to 60% more time on audits since SOX’s implementation (“Online Extra: ‘Huge Progress’ in Auditing,” BusinessWeek Online, January 10, 2005).


Influence on SEC Sanctions
The SEC must be mindful of the oligopoly conditions among the Big Four in the audit market when deciding upon sanctions for accounting firms. In 2004, a court action by the SEC forbade one of the Big Four from accepting new public company audits for six months, due to the firm’s violations of audit independence rules (Initial Decision Release 249, April 6, 2004). The duration of the suspension period may stem from consideration of the limited competition currently existing in the audit industry. Each firm possesses various industry specializations, so there may be only one or two firms that offer expertise in a specific industry.


Impact on Private Companies
Private companies with no intention of going public, and those without pressure from outside parties, such as lenders or auditors, are not, by statute, impacted by SOX, but may choose to selectively comply with its provisions.
A recent PricewaterhouseCoopers survey of 340 CEOs of private companies found that slightly more than one quarter have adopted SOX “best practices.” Data shows that the companies most interested in adopting best practices tend to be larger private businesses (averaging $74.2 million in revenues) and that these companies choose to apply SOX provisions chiefly in the areas of governance and transparency (J. Jusko, “Sarbanes-Oxley: Private Opportunity in Public Regulation,” www.barometersurveys.com, February 1, 2006).
Phillip Toomey, the managing partner of the law firm Artiano, Guzman & Toomey, notes in “Advising Private Cos.: What You Need to Know About SOX” (Accounting Today, September 26–October 9, 2005) certain specific best practices that private companies have adopted:
  • CEO/CFO certifications of financial statements;
  • Developing an internal code of ethics;
  • Appointing independent board members and an audit committee;
  • Creating processes for reporting concerns; and
  • Splitting audit and nonaudit services between separate accounting firms.

Reluctance of Foreign Companies to Comply
Charlie McCreevey, the European Union’s internal-markets chief, has been working closely with the SEC to achieve accounting equivalence. In September 2005, top officials of the EU Commission and the SEC worked out a “roadmap” outlining steps that will eliminate the requirement that European companies using International Financial Reporting Standards (IFRS) reconcile their financial reports to U.S. Generally Accepted Accounting Principles (U.S. GAAP). The agreement may be effective as soon as 2007, but not later than 2009.
On December 1, 2005, in a speech to the Federation of European Accountants in Brussels, Ethiopis Tafara, director, office of international affairs at the SEC, stressed that a permanent elimination of the reconciliation requirement is highly dependent on the expectation that IFRS–U.S. GAAP convergence efforts will continue to make good progress.
The elimination of the reconciliation requirement will ease regulatory burdens for European companies that are publicly traded in the United States. However, many foreign companies may nonetheless still choose to delist from the U.S. stock exchanges rather than comply with SOX. Many foreign issuers not only see SOX’s new governance rules as too costly to implement but also view managers and directors as more vulnerable to personal liability (D. Hilken, “New York Shy,” Weekend Standard, April 30–May 1, 2005). Currently, McCreevey has also entered into discussions with SEC officials seeking easier delisting procedures from U.S. exchanges for foreign companies (“SOX and Stocks,” The Wall Street Journal, April 19, 2005).
For foreign companies, the London Stock Exchange, with fewer regulatory requirements, is an attractive alternative to U.S. exchanges. More foreign companies are listed on the London Stock Exchange than on any other exchange, including the New York Stock Exchange and NASDAQ combined (L. Jenkins, “The Ultimate City Take-Over,” Bruges Group International Conference, November 2, 2002).


Increased Volume of Corporate Disclosure
One of the primary goals of SOX is to increase investor confidence and the assurance of the integrity of the U.S. capital markets. To this end, SOX requires increased corporate disclosures to improve the quality of financial reporting. The SEC has recommended that companies consider the formation of disclosure committees to be charged with judging the materiality of information and disclosure obligations on a timely basis (L.J. Bevilacqua, “Disclosure Under Sarbanes Oxley: An Assessment and a Look Forward,” Directorship, December 2003). The volume of disclosure since SOX has increased, not only due to such increased corporate diligence with respect to disclosure, but also because actual additional reporting is required by SOX. New SOX disclosure requirements include the following:
  • Management certifications (section 302);
  • Reconciliations of publicly disclosed non-GAAP financial measures, such as pro forma measures with GAAP [section 401(b)];
  • Off–balance-sheet transactions, arrangements, and obligations in quarterly and annual reports filed with the SEC [section 401(c)]; and
  • The internal control report (section 404) stating management’s responsibility for establishing and maintaining internal controls, as well as management’s assessment of the effectiveness of controls, including any material weaknesses.

Trickle-down Accountability
SOX section 302 requires CEOs and CFOs to certify quarterly and annual filings with the SEC. A survey of company leaders conducted by PricewaterhouseCoopers (P. Collins, “Management Barometer,” July 23, 2003) shows that, on average, 22.5 executives, other than the CEO and CFO, will be required to submit subcertifications. This number is an increase from the 18.6 that was initially expected.
The AICPA reports hearing from its membership that many companies require subcertification statements from others within the finance division of the companies. Visit www.aicpa.org/sarbanes/ceo_cfo_sub-certifications.asp for the certification requirements and sample documents that various organizations are using to support subcertification at lower levels.


Trickle-down Power to Shareholders
Shareholders of some publicly traded companies have gained the right to nominate candidates to the board of directors that appear on proxy ballots alongside board-nominated candidates. Many companies, however, are reluctant to give shareholders this power. A rule has been proposed by the SEC to allow shareholders more power to nominate directors to corporate boards (E. Iwata, “Businesses Say Corporate Governance Can Go Too Far,” USA Today, October 4, 2005).
While awaiting a final rule from the SEC on this issue, it is interesting to note that some governance reforms are occurring as settlement terms in shareholder lawsuits. The following is a selection of governance changes (see P. Plitch, “Governance at Gunpoint,” The Wall Street Journal, October 17, 2005) specified as settlement terms in recent class-action shareholder lawsuits:
  • Term limits for directors
  • Shareholder nominations of directors
  • Required rotation of outside audit firm
  • Restrictions on insider sale of stock
  • Required independence of two-thirds of the board.

Impact on D&O Insurance
Directors and officers (D&O) insurance underwriting has been significantly impacted by SOX. Many D&O policy applications now consider any filings with the SEC to be part of the insurance application. If filings are later amended or restated, underwriters may attempt to rescind D&O policies. Some companies are finding that underwriters are not willing to insure at the same coverage levels as before SOX. Adequate D&O coverage can sometimes be obtained only by purchasing from several insurers. Directors are perhaps most troubled by policies’ narrower coverage. Formerly, most policies excluded coverage for fraudulent conduct only upon an ultimate finding of liability. Currently, some insurers are attempting to deny coverage for even alleged fraudulent acts (G.H. Weisdorn, L. McCord, and M.S. Williams, “D & O Policies: Greater Risks—Less Coverage,” Graziadio Business Report, 2005, Volume 8, Issue 3).
Companies considering going public must realize that underwriting for public-company D&O insurance is quite different from underwriting for private companies. D&O underwriters for public companies must assess SOX compliance in areas such as audit committee quality and composition, accounting controls, accounting policies, and the existence of a code of ethics (C. Waterfall, “Sarbanes-Oxley and the Private Company: D & O Insurance,” Mercator Monitor, September 20, 2003).
D&O policy premiums rose 11% in 2000, 29% in 2001 and 2002, and even more sharply, 33%, in 2003. In 2004, some leveling of premiums occurred as more insurers entered the market (Plitch, “Governance at Gunpoint”).


Consulting Is Booming
“The Global Consulting Marketplace 2005–2007,” a report published by Kennedy Information, Inc., projects growth rates for consulting sectors. In the operations management sector (where consultants suggest changes for efficiency, cost cutting, and business process improvement) mid to high single-digit growth is anticipated.
Many links to company news releases disclosing increased consulting and compliance costs related to SOX can easily be found through an Internet search. An excerpt from Inovio’s second-quarter 2005 news release (www.innovio.com) is fairly typical:
The increase in general and administrative expenses for the six months ended June 30, 2005, as compared to the same period in 2004, was mainly due to increased consulting and legal expenses and increased personnel costs to support our administrative infrastructure, which includes our finance, investor relations and information technology departments, and ongoing business development efforts. The increase in general and administrative expenses was also due to accounting-related expenses incurred during the six months ended June 30, 2005, related mainly to the implementation of and ongoing compliance with internal control over financial reporting requirements under Section 404 of the Sarbanes-Oxley Act of 2002 [emphasis added].


New Compliance-Software Production
Unquestionably, SOX has been a boon for software vendors. Large companies are spending at least $500,000 on compliance software. Such software must assist in the documentation and testing of internal controls, as well as adequately report compliance progress to executives. Software must also easily allow for auditor review. A company could meet SOX requirements without investing in new software; however, consultants acknowledge that attempting systematic documentation with spreadsheets and word-processing documentation would likely require considerable human resources.
Many software vendors have shifted business models to focus on the growing SOX-compliance software market. Certain packages focus on section 404 requirements, while others may be narrower. For example, software can now be purchased to comply with section 301, to allow employees to anonymously file complaints, or to allow section 409 reporting of 8-K events (P. Loftus, “Software for Sarbanes,” The Wall Street Journal, April 25, 2005).


More Work for Lawyers
Consultants and attorneys have found new opportunities working for companies that seek to comply with SOX. One likely unforeseen effect of SOX is that it has motivated certain companies to completely privatize. Another unforeseen effect is that of companies seeking to “go dark” to cut SOX compliance costs and required financial disclosures. Going dark entails deregistering company shares with the SEC, a step short of privatization in that shares can still be publicly traded via listings on “pink sheets” at the National Quotation Bureau. Assisting companies with deregistration has provided attorneys with sizable fees, as much as 10% to 25% of a company’s first-year savings on audit and compliance after delistment (J. Norman, “Companies ‘Go Dark’ to Cut Compliance Costs,” Orange County Register, April 10, 2005).


Educational Impact
SOX’s passage in 2002 is partially responsible for the increased demand for accounting graduates. Bea Sanders, the AICPA’s vice president of academic and career development, states that SOX has led private companies to increase their hiring of new accountants. Tom Rogowski, director of university recruiting for Grant Thornton LLP, concurs by noting that “Sarbanes-Oxley has created an additional layer of reporting or diligence required by certain companies and that has had an impact on the number of resources needed” (A. Giegerich, “Enron Gives Boost to Accounting Field,” Portland Business Journal, July 29, 2005). The economy’s overall health, in conjunction with the demands placed by SOX, has strengthened the demand for accountants.
The supply of accounting graduates is rising to meet this increased demand. The 2004 edition of the AICPA’s “The Supply of Accounting Graduates and the Demand for Public Accounting Recruits Survey” reported that in 2002/03, 37,000 students were awarded bachelor’s degrees in accounting and close to 13,000 were awarded master’s degrees. Compared to 2001/02, the number of bachelor’s degree recipients increased 6% and the number of master’s degrees awarded increased 30%. In the same year, the number of candidates for the CPA exam rose by 1%. Some students are likely entering accounting due to the notoriety caused by heightened media coverage of high-profile audit failures and fraud. Others are responding to the increased demand, and resulting job opportunities, caused by SOX.


Company Loans to Executives Prohibited
A key provision of SOX prohibits company loans to executives. Nonetheless, new strategies are evolving that allow companies to direct money to CEOs. Michelle Leder, in an article in Slate (“Outfoxing SOX,” January 24, 2005), identifies three of the more-popular strategies:
  • Special signing bonus: upfront money for joining a company
  • Retention bonus: money upon renewal of employment contracts
  • Death retention bonus: money payable to executive’s beneficiaries upon proof of death of the executive.


Change in the Audit Process
SOX, with its requirement that management and the external auditors attest to effective controls over financial reporting, has reshaped the audit processes used to evaluate internal control. The graphic in Exhibit 3, which the consulting firm Complyant labels a “SOX Wheel,” is a representation of the typical phases that a company and external auditors might use in evaluating internal controls.


Two Tiers of Compliance?
As initially passed, SOX made no distinction in regulation between large-capitalization and small-capitalization companies. As costs of compliance have been large and extremely burdensome for small companies, the SEC has revisited the requirements placed on small publicly traded companies.
After SOX became law, the SEC began a series of changes to the reporting deadlines for 10-K and 10-Q filings. In September 2002, the SEC established new periodic reporting rules that shortened the deadline for filing both the 10-K and the 10-Q reports; created a new class of reporting entities, known as accelerated filers; and allowed a three-year phase-in period. Accelerated filers are companies that—
  • have $75 million or more of public float (defined as an Exchange Act reporting company with aggregate market value of voting and nonvoting common equity held by nonaffiliates as of the last business day of the issuer’s most recently completed second fiscal quarter);
  • are subject to reporting rule 13(a) or 15(d) of the Exchange Act for a period of 12 calendar months; and
  • have filed at least one previous annual report, and are not eligible to use 10-KSB or 10-QSB.
The three-year phase-in period stipulated that for years ending on or after December 15, 2003, and before December 15, 2004, the deadlines were 75 days for the 10-K and 40 days for the 10-Q. Beginning with annual reports filed for fiscal years ending after December 15, 2004, the 10-K deadline became 60 days and the 10-Q deadline became 35 days. For companies not meeting the definition of an accelerated filer, the deadlines remained 90 days for the 10-K and 45 days for the 10-Q.
After receiving and considering the comments made by companies and their auditors concerning these deadline changes, the SEC in February 2004 extended the deadline for SOX section 404 reports, which accompany the 10-K filings, to the first fiscal year ending on or after November 15, 2004, from June 15, 2004.
In November 2004, the SEC postponed the final phase-in deadline for the accelerated filers to 2006. Then, in September 2005, the SEC proposed changes to both the reporting rules and the definition of accelerated filers. The SEC proposed a three-tier report-filing deadline for companies, and refined the definition of accelerated filers to include a new class of companies known as large accelerated filers. The large accelerated filers are companies with public float of $700 million or more. The SEC proposed that only the large accelerated filers would have a 60-day deadline for the 10-K and a 35-day deadline for the 10-Q.
After further consideration and deliberation, on December 27, 2005, the SEC issued Release 33-8644, which established the current version of the rules covering reporting deadlines and the classes of reporting filers. Release 33-8644 maintains the three tiers of reporting filers (large accelerated filers, accelerated filers, and nonaccelerated filers) and establishes the reporting deadlines for each class. Exhibit 2 provides a summary of the current rules.
Release 33-8644 also provides a mechanism for companies to move to a different filer class based on the value of the public float the company has as of the last business day of its most recently completed second quarter. The reporting guidelines established by Release 33-8644 are effective for fiscal years ending on or after December 15, 2005.
Neal L. Wolkoff, chairman and CEO of the American Stock Exchange, highlights several reasons different rules for different-size companies make sense (“Sarbanes-Oxley Is a Curse for Small-Cap Companies,” The Wall Street Journal, August 15, 2005). First, large companies often have more-complex business models and, hence, more-complex accounting. Small companies, with less-complicated financial transactions and statements, may require less-rigid internal controls. According to Wolkoff, small and mid-size companies in the early stages of growth merit different regulations, because it is hard for start-up companies to afford heavy compliance costs.


‘Auditing’ the Auditors
In May 2005, the Public Company Accounting Oversight Board (PCAOB) took its first disciplinary action. The PCAOB banned the managing partner of a small New York City CPA firm from auditing public companies and revoked the firm’s registration. The PCAOB administered the discipline upon finding that the firm concealed information from inspectors and submitted false documents related to the inspection (S. Hughes and D. Gullapalli, “U.S. Accounting-Oversight Board Takes First Disciplinary Action,” The Wall Street Journal, May 25, 2005).
The PCAOB inspects registered accounting firms to gauge their compliance with PCAOB rules, SEC regulations, professional standards, and the individual firm’s quality-control policies. Annual inspections are required for registered accounting firms that conduct more than 100 audits per year. Firms completing fewer audits must be inspected at least once every three years. Registered accounting firms are closely monitoring the PCAOB’s initial inspections for signals regarding how it will approach findings, deficiencies, and discipline.
The initial implementation of inspections has been challenging. In October 2005, the PCAOB issued reports to some of the Big Four firms citing deficiencies in obtaining sufficient and competent evidential matter to support opinions on several issuers’ financial statements (J. Weil, “Board Is Critical of Deloitte Audits,” The Wall Street Journal, October 7, 2005). The PCAOB and the SEC are also already on record rebuking auditors for being “overly cautious” and “mechanical” in their efforts to comply with SOX. Some corporations believe that SOX-related compliance costs are higher than necessary, while some auditors have been criticized for conducting large-scale reviews that are not tailored to a company’s specific risks (D. Solomon and D. Gullapalli, “Auditors Get Sarbanes-Oxley Rebuke,” The Wall Street Journal, May 27, 2005). The next few years will be instructive, as accounting firms become more familiar with the PCAOB’s expectations and work continuously to improve the quality of financial statement audits.


Changes in Attorneys’ Legal Conduct
SOX section 307 mandated that the SEC issue a rule to govern the conduct of attorneys representing public companies. SEC Rule 205 requires attorneys who become aware of material wrongdoing to report the incident “up the ladder” to the highest company authority (G.T. Stromberg and A. Popov, “Lawyer Conduct Rules Under Sarbanes-Oxley and State Bars: Conflicts to Navigate?” Critical Legal Issues: Working Paper Series, No. 132, July 2005).
The original Rule 205 included a provision that would require an attorney to make a “noisy withdrawal” (a written notification of withdrawal to the SEC) when the attorney had reported up the ladder and the board of directors had not provided an “appropriate response.” The SEC’s proposed noisy withdrawal has received much interest and critique from the legal profession. Attorneys have expressed concern regarding the rule’s possible impact on confidential attorney-client relationships. Given such concern, on January 29, 2003, the SEC withdrew the noisy withdrawal portion before finalizing Rule 205. The SEC also proposed a revision to the noisy withdrawal provision that would require the issuer, as opposed to the attorney, to report the attorney’s withdrawal to the SEC and would require additional reports by the issuer to the public via forms 8-K, 20-F, or 40-F. To date, no decision has been finalized by the SEC to require noisy withdrawal reports by attorneys or issuers.


New Metrics
The disclosure of more non-GAAP performance metrics to increase the transparency of companies’ reported results does not seem to be coming to pass in the SOX era. FASB has, however, proposed establishing an investors’ task force to facilitate input from the investment community on proposed changes to GAAP (D. Gullapalli, “FASB to Create Investor Task Force,” The Wall Street Journal, September 29, 2005). The input that FASB would receive from stock-research analysts and portfolio managers via this task force could provide better insight into what information.


New Effects: The Urge to Privatize
SOX compliance has made it more time-consuming and expensive to function as a public company. If one also factors in the personal risk to managers for failure to adequately comply, the idea of simply avoiding these costs and risks by going private is appealing to some. A main deterrent to operating as a private company is the difficulty of raising capital; however, if private equity firms show the ability to buy even the largest of companies, this deterrent to privatization may be less significant (S. Rosenbush, “The Allure of Going Private,” BusinessWeek Online, March 29, 2005).
Collins Industries Inc. is one small company where directors recently decided to take the company private. Director Don S. Peters estimated the cost of complying with Sarbanes-Oxley at $1 million. Peters questioned whether being publicly listed justified the cost, stating, “It’s a heck of a mess for companies our size” (M. Davis, “Vehicle Maker Restates Earnings,” The Kansas City Star, August 9, 2005).


Impact on Management Style
Dominic D’Alessandro, the Manulife CEO, told those in attendance at his company’s annual meeting that he worries that compliance with SOX section 404 may stifle managers’ creativity and entrepreneurship. Such curtailment of managers’ style could negatively impact company performance (M. Gutschi, “Manulife CEO: New Governance Rules May Stifle Creativity,” The Wall Street Journal, May 5, 2005).


Repeal or Rollback?
Several recent surveys of corporate executives provide some sense of CEOs’ perceptions of SOX. A 2005 Christian & Timbers survey of 186 U.S. executives reported that 34% thought SOX should be repealed. In Bain & Co.’s 2005 Management Tools & Trends survey, 63% of North American executives maintain that SOX raises costs without actually improving governance. International perception varied, as only 53% of Europeans and 42% of Asians and Latin American executives concurred.
On February 7, 2006, the Free Enterprise Fund, a pro-business conservative group, along with a small Nevada-based accounting firm, filed a suit in federal court against the PCAOB and its board. The plaintiffs are seeking to overturn SOX on grounds that the PCAOB violates the appointments clause and the Constitution’s separation of powers among the three branches of government (K. Scannel and B. Mullins, “Suit Seeks to Overturn Sarbanes-Oxley Law,” The Wall Street Journal, February 8, 2006).
Despite the negative opinions of SOX, the pending lawsuit, and the considerable costs to comply with the auditing-disclosure requirements, hundreds of companies say that accounting problems have been uncovered. Efficiencies gained by eliminating redundancies are a positive outcome of SOX (D. Henry, A. Borrus, L. Lavelle, D. Brady, M. Arndt, and J. Weber, “Death, Taxes and Sarbanes-Oxley?” BusinessWeek, January 17, 2005).
While many CEOs would undoubtedly support a rollback of SOX, if better audits and increased investor confidence prove to be continuing effects from SOX, fine-tuning, not wholesale repeal—barring a finding that the Act is unconstitutional—could be the more likely scenario going forward. As Federal Reserve Bank of Atlanta President Jack Guynn so aptly stated when commenting recently on the costs associated with laws aimed at improving corporate business practices: “I don’t think it’s possible to tally up the cost of not having credibility.”


Jo Lynne Koehn, PhD, CPA, is a professor of accounting, and Stephen C. DelVecchio, DBA, CPA, is an associate professor of accounting, both in the department of accounting at Central Missouri State University, Warrensburg, Mo.
The authors wish to thank two anonymous reviewers for their insightful comments and suggestions. They reference numerous reports and sources in this article. All sources for this article are available from the authors by contacting Jo Lynne Koehn at Koehn@cmsu.edu.

Wednesday, October 1, 2008

Six Years of the Sarbanes-Oxley Act

by Helvry Sinaga  |  in Sarbanes Oxley at  12:29 PM


By William J. Dodwell


AUGUST 2008 - More than six years have passed since Congress enacted the Sarbanes-Oxley Act (SOX) in the wake of the Enron collapse and other corporate debacles that shook the investor community and the general public. Facing political pressure to act, the U.S. House of Representatives and the Senate quickly passed a package of reforms by near-unanimous approval. But complaints from many companies about the implementation burden have challenged the value of SOX and raised the question, “Are we better off?”


Accounting Scandals

Reining in corporate financial reporting was justifiable. Beginning in late 2001, allegations of fraud and other improprieties by companies including Enron, Adelphia, WorldCom, Cendant, and Tyco seriously undermined investor confidence and contributed to stock market malaise. Concerns included concealing debt through unconsolidated off–balance sheet entities; manipulating revenue through creative application of derivative accounting rules; burying expenses in the balance sheet; and hiding bad receivables—all despite the scrutiny of management, public auditors, securities analysts, rating agencies, and investment bankers.


Although frauds have been in the spotlight, some problems arose instead from the interpretation of complex accounting rules. In some instances, management and auditor agreed on the accounting for certain transactions, only to be challenged in a politicized environment of prosecutors, regulators, and media. For example, hedge accounting, governed by SFAS 133, Accounting for Derivative Instruments and Hedging Activities, loomed large in some major restatements. But SFAS 133 is so cumbersome that the FASB is considering simplifying the standard. Other contentious issues are founded on subjective estimates of such things as loss and contingency provisions and amortization rates. To be sure, material financial misstatement was problematic, but because well-intended interpretations were sometimes second-guessed, it was not always malicious. Of course, any manipulation of those estimates to distort earnings and bonus calculations was reprehensible.


Accounting scandals have prompted the FASB to reevaluate certain inadequate standards. For example, it amended its consolidation rules under FIN 46(R) in a reaction to Enron’s machinations involving off–balance sheet special-purpose entities (SPE). And, as mentioned, the FASB is reassessing SFAS 133’s complex hedge accounting requirements.


Passage of SOX

As part of implementing SOX, the SEC created the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of publicly held companies, replacing the system of self-regulation through the AICPA. (The AICPA continues to set standards for accounting firms serving nonpublic companies.) Not meaning to reinvent the wheel, the SEC and PCAOB built on the internal controls framework established in 1992 by the Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting—more commonly called the Treadway Commission (after its chairman, James C. Treadway, Jr., a former SEC commissioner). In its effort to improve the accountability and effectiveness of the public audit, the PCAOB created Auditing Standard 2 (AS2), which was specifically designed to guide auditors in the evaluation of internal controls (AS5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, which superseded AS2, is discussed further below). In addition, the PCAOB made accounting firms subject to annual inspection to verify that their SOX certifications are supported by sufficient evidence.


At the enterprise level, SOX requires organizational assessments focusing on corporate governance over broad systemic firm-wide checks and balances, including risk management, communications, the whistleblower provision, and conflict-of-interest issues. Additionally, SOX requires the CEO and CFO to bear personal responsibility for the effectiveness of internal controls by signing off on the financial statements. Violations are subject to criminal penalty.


To redress the root causes of management accounting abuses at the transaction level, section 404 of SOX requires public companies to annually document and test internal controls and their associated business processes, remediate deficiencies, and assert the controls’ effectiveness in ensuring the accuracy of financial reporting. The outside auditor is then required to opine on that assertion as well as form an independent opinion on control effectiveness. Both management’s assessment and the auditor’s judgments are disclosed in the company’s annual 10-K report. (The SEC has repeatedly delayed the implementation date for nonaccelerated filers—companies whose market capitalization is under $75 million.)


Whereas SOX engendered some beneficial change, section 404 created a backlash, with corporate accounting departments across America challenging the excessive cost of compliance. Indeed, the very competitiveness of American business has been called into question because of SOX’s documentation and testing requirements. In six years of experience, representing for most companies two years of startup implementation and four years of certified audits, does SOX pass a cost-benefit analysis? Have the improprieties that prompted the legislation been substantially redressed? Can SOX’s requirements be mitigated to exempt the many innocent companies and identify the relative handful of guilty parties?


Backlash

The reaction against SOX’s section 404 requirement to document internal controls and test them annually came from far and wide. First, companies smarted from having to incur massive preparatory costs associated with hiring employees and consultants, and installing new computer systems. Then they bristled at the perceived excessive implementation requirements and ambiguous SEC and PCAOB guidance. The question became, “How much documentation and testing is necessary?” The following addresses this question and constitutes a framework for evaluating the time and cost burdens of documentation and testing eventually broached by AS5:

  • Duplication of a SOX audit of internal controls and a traditional audit of financial statements. What is the difference, and is there too much overlap? One might argue that a SOX audit focuses on processes and structures that govern the effectiveness of internal controls over the financial reporting process. By contrast, a financial audit focuses on assessing the fairness of the actual financial statements. Of course, auditors have always considered internal controls in designing their financial statement auditing procedures. But now SOX requires auditors to consider them as a separate objective in its own right. Question: Would further integrating SOX audit and financial statement audit procedures be more efficient?
  • Redundancy of both management and SOX testing of internal controls. Auditors thought that AS2 limited how much they can rely on a company’s own SOX testing. Therefore, they must conduct considerable testing of their own selected samples, and must also verify a sampling of management’s tests, to provide an adequate basis for their opinions. That limited ability to rely on management’s work results in higher costs. Question: Should auditors rely more on management’s test results?
  • Disagreement between management and the external auditor over risk-assessment and testing methodologies. Although the regulatory guidance acknowledges the role of management’s judgment in assessing risk, judgment is subjective and sometimes does not reconcile with an auditor’s independent assessment. The scope of SOX work depends on risk assessment and the definition of an internal control. For example, some companies do not distinguish controls from procedures. Furthermore, SOX applies only to key controls, but the distinction from non-key controls is not codified and is therefore entirely a matter of judgment. Depending on how key controls are defined, they may be significantly more numerous than necessary, rendering individual documentation and testing overly burdensome. Other subjective scope parameters, such as business process taxonomies and materiality thresholds, also influence the workload. Because internal controls and test methodologies are not definitively codified in the SOX guidance, management and the auditor may differ in their risk assessments and in the relative scope and extent of documentation and testing.

Because the outside auditor is the final arbiter of the scope needed to support an opinion, management may invest substantial time and money in work that it considers unnecessary based on its intuitive knowledge of the day-to-day operation of internal controls. Question: How extensively must internal controls be tested to establish reasonable effectiveness?


Cost-Benefit Analysis

The ultimate assessment of SOX centers on a cost-benefit analysis that takes into account the relative significance of each positive and negative item. The following are the tradeoffs, some of which are more definitive than others.


Costs.

  • Smaller profit margins and retarded economic growth from management compliance costs, higher audit fees, and the opportunity costs of forgoing more productive activities.
  • Certain redundancy between the work of management and the outside auditor.
  • A stressful scramble for new auditors as accounting firms drop certain clients when reevaluating their acceptance and retention policies. Smaller companies are particularly vulnerable.
  • Diminished competitiveness in capital raising and business investment as newly public companies list their shares on foreign exchanges and foreign companies expand overseas instead of investing in the United States in order to avoid the SOX burden.

The competitiveness issue prompted several studies on the effect of regulation, litigation, and ambiguous accounting rules, including those commissioned by the Treasury Department and one by U.S. Senator Charles Schumer of New York and New York City Mayor Michael Bloomberg. Those studies were predicated on the supposition that excessive regulation, including SOX, adversely affects the U.S. financial markets and New York City’s status as financial capital of the world.


Opponents of this view, including former SEC Chairman Arthur Levitt, claim this “capital crisis” is unfounded. And Treasury Undersecretary Robert Steel pointed out that a highly disproportionate share of global mutual fund and hedge fund assets resides in the United States. In addition, he said futures contracts traded on U.S. exchanges and dollar-denominated foreign-exchange derivatives also predominate.


  • Reduced domestic capital spending as companies compensate for SOX compliance costs.
  • Concentrated stock ownership as companies avoid SOX by taking themselves private through stock repurchase or through sale to private-equity firms. Other companies exempted themselves by issuing stock on a 144A private placement basis to a few large institutions rather than the general public.

Ownership concentration is not necessarily bad. Typically, private-equity portfolio companies, unfettered by pressure to produce short-term results, take on greater risk to produce better returns than public companies. However, some bemoan the inequity of those outsized gains devolving only to the few rather than the larger investor community.

  • SOX work conducted after the initial implementation tends to yield diminishing returns in succeeding years after control weaknesses are corrected.

Benefits.

  • SOX audits promote transparency and ensure reliable financial reports. They have uncovered many material weaknesses in internal controls that have contributed to a dramatic rise in the number of financial restatements. SOX-driven correctives and disclosures inspire greater investor confidence and ultimately support a more efficient capital allocation process.
  • The potential consequences of a failed SOX audit motivate companies to maintain higher quality transaction controls and corporate governance that might not otherwise exist. Those consequences apply particularly to the cost of capital, because failure to comply with SOX potentially affects stock prices, borrowing rates, and bond ratings. Thus, the fear of failure results in extra assurance for investors.
  • The SOX review forces companies and auditors to place greater emphasis on the control environment and its ongoing continuity. Section 404 adds process evaluation to traditional account validation, and holds both management and its public auditors more accountable.
  • The exercise of maintaining extensive documentation of internal controls required by SOX section 404 potentially fosters a better control mindset among accounting staff. This mindset can sometimes lead to control process rationalization and streamlining.
  • SOX documentation is a good tool for training new personnel. It also serves as disaster recovery backup and a means of communicating internal control information to those responsible for its execution.

Regulatory Relief

In response to widespread criticism, the PCAOB issued AS5 in 2007 to replace AS2 as guidance for independent auditors in the interest of a more practical evaluation of controls over financial reporting. This standard, in combination with the SEC’s concurrent guidance for management evaluation of internal controls, Interpretive Guidance for Management, established a better principles-based framework for aligning the views of management and the outside auditor. In view of the speed with which SOX was assembled, regulators knew from the beginning that it was a work in progress that would require refinements over time. The following describes the current incarnation.


Auditors. AS5 recommends that auditors adopt a top-down, risk-based approach to evaluating internal controls that focuses on the most likely sources of risk, is scalable to the size and complexity of the organization, and is integrated with the audit of financial statements. This is in contrast to the bottom-up, prescriptive approach to assessing risk and identifying internal controls under AS2, which started at micro-level exposures and inductively established overarching controls at the financial statement level. AS5 requires less documentation and testing in a more cost-effective assessment that eliminates excessive scrutiny while retaining focus on the serious financial reporting risks posed by weak internal controls.


AS5 emphasizes materiality in assessing misstatement risk and greater attention to entity-level and fraud controls. In addition, AS5 recognizes that some companies need strict SOX standards while others need less stringent standards. Thus, auditors may now acknowledge this distinction and make SOX standards commensurate with a company’s risk to achieve reasonable assurance at less cost. Previously, a one-size-fits-all approach applied to all public companies, with some preliminary accommodation for smaller companies.


Other efficiencies envisioned by AS5 include:

  • Designing testing to more fully encompass the objectives of both the audit of internal control and the audit of financial statements simultaneously, where each audit informs the other;
  • Relying more on the work performed by others for the purpose of management’s assessment of internal controls; and
  • More selectively conducting walkthroughs as a means of understanding the nature of misstatement risk.

For smaller companies (i.e., nonaccelerated filers), the SEC recently provided further relief by deferring the independent auditor’s attestation of management’s report on the effectiveness of internal controls over financial reporting for fiscal years ending on or after December 15, 2009.


Management. At the same time AS5 was released, the SEC provided parallel advice for management in its Interpretive Guidance for Management, which codifies a more efficient approach to evaluating the effectiveness of internal controls in detecting and preventing material financial misstatement. The guidance centers on a top-down, risk-based approach to first identifying risk and then evaluating the design and operating effectiveness of the transaction- and entity-level controls. This specific guidance enables management to adopt a more efficient and independent evaluation of the effectiveness of internal controls rather than just deferring to AS5 details for fear of not satisfying the auditor.


Management is permitted to exercise greater judgment in deciding on appropriate methods and procedures that address the likelihood and potential magnitude of financial misstatement. This streamlined assessment eliminates the redundant review of multiple controls over a particular reporting risk. This means more flexible documentation and testing standards in the production of adequate evidentiary matter keyed to the degree of perceived misstatement risk posed by error or fraud. Furthermore, management’s procedures may differ from those adopted by the independent auditor. Further efficiency is achieved in subsequent years because management now evaluates only changes in risks and controls in an updated assessment, rather than recreating the entire process.


Smaller Public Companies

In April 2006 the SEC issued its Final Report of the Advisory Committee on Smaller Public Companies. This issuance established risk-based, scaled securities regulation for companies in the lowest 6% of market capitalization, which represent the majority of public companies. One accommodation was a temporary exemption from SOX section 404. In its place, these companies became subject to new guidance on internal controls over financial reporting issued by COSO. This document was a guide on how small companies should apply the 1992 COSO framework pending the development of a SOX internal control framework specifically designed for smaller companies.


The 2006 report recommended that the PCAOB amend AS2 to provide cost-effective relief for small companies, to include testing to find only material weaknesses, and to integrate internal control and financial statement audits. The SEC also urged the PCAOB to ensure that public audit firms incorporate this relief in the internal control reviews of client companies.


In June 2007 the SEC released its SOX interpretive guidance on management’s evaluation of internal controls for smaller companies in conjunction with the release of AS5 by the PCAOB. The SEC did not exempt small companies from SOX compliance as some had hoped. Rather, sympathetic AS5 management guidance formally acknowledged that all companies with less than $75 million of public equity can independently scale their SOX assessments to the circumstances of their business without having to mime the auditing standard as before. Additionally, the SEC will monitor implementation of AS5 in the PCAOB’s inspections of audit firms. To ensure that smaller companies no longer bear a disproportionate burden, the SEC was expected to conduct a cost-benefit study of the new standards. But is the new guidance definitive enough to avoid disagreements with auditors?


Best Practices

AS5 and the accompanying management guidance establish a framework for evaluating internal controls more efficiently through a top-down, risk-based approach. The guidance emphasizes a holistic view of risk that identifies enterprise-wide vulnerabilities and gives greater consideration to fraud controls. The current approach comprises the following modalities:

  • Risk assessment. Focus on exposures to material financial misstatements that take into account their probability through error or fraud, especially management override. Consider the complexity of processes and dependence on judgment. Evaluate entity-level and IT controls. Consider the vulnerability of manual operations, including spreadsheet applications, which are pervasive in smaller companies. Under AS5, the auditor’s independent risk assessment, established through appropriate inquiry, observation, document inspections, and walkthroughs, should align with management’s self-assessment founded on daily operations.
  • Controls identification. Identify only key controls that address material exposures consistent with the company’s size, complexity, and operating structure. Document the design of those controls.
  • Controls effectiveness. Test both design and operating effectiveness. Focus on the most operative control that addresses particular material exposures consistent with the risk assessment, not all such controls. AS5 emphasizes broader, higher-level controls that might warrant 100% testing over lower-level controls that would involve sampling methodologies. Document test procedures and findings to produce evidence that is consistent with the nature, timing, and extent of those controls.
  • Remediation. Resolve and retest significantly deficient controls.
  • Reporting. Communicate findings to the board of directors, and report deficiencies to the parties responsible. Distinguish design deficiencies from operating deficiencies. Assess the relative seriousness of deficiencies in terms of the impact on the financial statements and classify them as a significant deficiency or a material weakness.

As a means of applying these concepts efficiently, AS5 cites a risk-assessment methodology that had already been in practice for several years. This approach involves assigning taxonomies to particular processes and controls to establish an overall risk profile in a risk-control matrix format. Specifically, risk assessment starts with identifying significant accounts and disclosures, and then mapping them to business processes that are classified by degree of risk and complexity. Associated controls are characterized by relevant assertions, such as valuation, existence or occurrence, and presentation and disclosure. Controls are also evaluated by posing “What could go wrong?” questions that contemplate possible financial misstatement and fraud scenarios.


In the past, some risk-averse auditors might have dismissed this model, favoring more-traditional benchmarks of risk exposure, such as a financial statement category’s percentage of total assets or revenues. But now that the methodology has the PCAOB’s imprimatur, all auditors can rely on it as a means of streamlining the SOX process in a top-down assessment. Or not. A certain dissonance between management and auditors concerning respective risk assessments may be inevitable, especially in manually intensive operating environments common to smaller companies.


PCAOB Oversight

No review of SOX would be complete without addressing the public audits that failed to detect many of the problems that led to the well-chronicled scandals. Through its inspection program, the PCAOB seeks to evaluate the quality of the auditing process, thereby holding firms accountable for correcting their mistakes and upgrading their methodologies in future audits. In particular, the PCAOB cites significant failures to properly apply AS2 in evaluating management assertions and the effectiveness of internal controls. Its reports will also call out improperly applied Generally Accepted Accounting Principles (GAAP), a failing that affects the financial statement audit as well.


Limitations

Regulators—the Treasury Department, the SEC, the PCAOB, and the FASB—strive to balance management cost, auditor liability, and investor protection to achieve effective and efficient prevention and detection of material accounting fraud and error. Can SOX accomplish this? Refco’s misstatement, for example, occurred some years after SOX was enacted. And the existence of SOX arguably did not directly help expose stock option backdating. In the effort to balance effectiveness and efficiency, only time will tell whether AS5 has succeeded.


Six Years and Counting

Considering the number of financial restatements of the last several years, the traditional financial statement audit alone is not enough to assure the investor community. A separate SOX examination of internal controls helps fill the gap by providing additional assurance where controls are strong and raising awareness of the potential for future problems where controls are lacking.


Are we better off after six years of Sarbanes-Oxley guidance? To some extent, implementation has prevented and detected more of the problems that gave rise to SOX. AS5 and the companion SEC management guidance codify the integration of the SOX examination with the annual financial statement audit, and promulgate a risk-based tailored approach to SOX documentation and testing requirements. Theoretically, both the PCAOB and the SEC documents mitigate previous excesses and balance the guidance for management and auditor—with a special accommodation to the plight of smaller companies. The practical implementation, however, is a continuing question mark. In any case, prospective compliance that relies on a SOX infrastructure already in place is much less onerous than the initial implementation.


Notwithstanding the new latitude afforded management in making more independent assessments of its internal controls, companies may still have to present evidence to convince professionally skeptical auditors.


On the other hand, do the new rules dilute the SOX process to the extent that auditors defer to management’s self-assessment, and curtail scrutiny as they depart from certain benign redundancies of AS2 standards? Have the concessions made in the name of cost compromised the benefits? Does the narrower scope encompassing fewer controls and abbreviated tests founded on subjective materiality have a limited effectiveness? Future PCAOB inspections and media reports of new or nonexistent scandals and ineffective audits will be the final proof.


Some people, of course, will disingenuously ascribe the next business calamity to ineffective SOX implementation, perhaps expecting a panacea. A case in point is the fallout from the ongoing subprime credit crisis. While the recent spate of massive portfolio write-downs might seem to indicate failed risk-management controls, the problem is largely founded on illiquidity and the inability to establish fair value in the absence of willing buyers and available funding. The valuation of impaired mortgage securities is an accounting issue made problematic by anomalous market conditions plagued by uncertainty. The writedowns are not generally the result of failed internal controls, but rather a wholesale market repricing.


In the final analysis, truly cost-effective SOX examinations will better protect investors and contribute to better-functioning capital markets that will benefit the economy at large. But the optimal balance between the costs and the benefits may always be elusive.


William J. Dodwell, CPA, led several SOX section 404 implementations and performed numerous other financial control assessments as a management consultant to financial services companies.
