United States: Roundtable Discussion on Implementation of Internal Control Reporting Provisions (Section 404 of the Sarbanes-Oxley Act of 2002) The U.S. Securities and Exchange Commission

On April 13, 2005, the Securities and Exchange Commission hosted an all-day roundtable discussion about the implementation of Section 404 of the Sarbanes-Oxley Act of 2002 ("SOX 404"). The roundtable took the form of six panels composed of invited representatives of public companies (CEOs, CFOs and audit committee members), independent accountants, lawyers, and interested persons.

The SEC commissioners, along with representatives of the Public Company Accounting Oversight Board ("PCAOB"), attended all of the panel discussions as observers. The stated purpose of the roundtable was to allow the SEC and the PCAOB to obtain feedback from participants in the first SOX 404 process about the benefits, difficulties, and issues raised during the process.

SOX 404 requires public companies to (i) establish, maintain, and assess their internal control over financial reporting and (ii) obtain an opinion of their independent auditors as to the effectiveness of their internal control.¹ Since the enactment of the Foreign Corrupt Practices Act in 1977, public companies have been required to maintain a system of internal accounting controls. The requirements of SOX 404, however, require public companies and their auditors to focus additional attention on the effectiveness of internal controls and report publicly on such internal accounting controls.

There were a number of common themes expressed during the roundtable discussions.

• Much time and energy spent on SOX 404 implementation. The amount of time required to implement SOX 404 was very high and required significant contributions of time from all personnel, particularly accounting personnel, management and the audit committee.

• High cost of SOX 404 implementation. The cost to implement SOX 404 was very high, even when measured solely in terms of fees paid to internal and external auditors (without including management and personnel time expended), and was much higher than anticipated.

• SOX 404 benefits perhaps outweighed by implementation costs. Having strong controls is important to companies and investors because our economy runs on good financial information. It was not clear, however, that the benefits of the SOX 404 process were sufficient to justify the time and costs required for its implementation.

• A risk-based approach is needed. Too much time was spent on unimportant control weaknesses and deficiencies, with little to no consideration given to the significance of the risk likely to arise from any particular weakness or deficiency. Auditors were very conservative in their judgments about significance and materiality, were reluctant to make judgment decisions and often re-tested internal controls that the company had already tested. A "risk-based" approach needs to be established.

• Additional PCAOB and SEC guidance needed. Additional guidance is needed from the PCAOB and the SEC regarding materiality, the level of testing required, what management needs to do to reach its assessment of the effectiveness of its internal controls, and the level of public disclosure that is appropriate.

• SOX 404 will not prevent fraud. Even the effective implementation of SOX 404 will not prevent collusive fraud in financial reporting, although the consistent application of SOX 404 standards should result in earlier detection of fraud.

PCAOB Chairman William McDonough announced that the PCAOB will publish additional guidance to clarify some aspects of SOX 404 on May 16, 2005. SEC Chairman William Donaldson instructed the staff of the SEC to provide additional guidance on the implementation of SOX 404 and the disclosure requirements associated with SOX 404 as soon as possible and well in advance of the end of 2005, which will be the next time that most domestic public companies must engage in the complete SOX 404 review.

• About 8% of companies have reported material weaknesses

• Many of the companies that have gone through the SOX 404 process have identified and remedied many deficiencies

• Audit committee agendas have been taken over in the past year by SOX 404

• $35 billion spent on SOX 404 compliance by companies, approximately $15 billion of which was spent on IT controls

• The average per company cost of SOX 404 implementation was $4.3 million for smaller companies and $15.0 million for larger companies

• Cost for larger companies (over $5 billion in yearly revenue) was .05% of revenue, but for smaller companies was 2.5% of revenue

• An average of 275 deficiencies had to be fixed per company

• A decrease in SOX 404 costs of 40-46% is expected in year 2

Public Company Accounting Oversight Board Chairman William J. McDonough

• There are obvious competing interests (reassuring investors as to the accuracy of the financial statements vs. labor and cost of SOX 404 implementation)

• Going forward, auditors will conduct an integrated audit of the financial statements and internal controls, which will be a good thing

• If there is a material weakness that has been solved during the year, perhaps PCAOB will propose a new standard for such situations

• PCAOB inspection process is supposed to be even-handed and could reveal that what the accountants did was excessive

• Small companies, especially technology companies, need a sophisticated and highly experienced audit partner as the engagement partner, but how this is done is a question to be resolved as the most experienced audit partners usually work on the bigger clients

• Auditors must show judgment and used a risk-based approach

• PCAOB will work with auditors to improve their work in the inspections

• PCAOB will develop best practices to provide to audit firms

• PCAOB will put out guidance on May 16, 2005

Securities and Exchange Commission Chairman William H. Donaldson

• Having strong controls is important because our economy runs on good financial statements

• Instructed the staff of the SEC to provide guidance to issuers as soon as possible in preparation for the next SOX 404 season

Securities and Exchange Commission Division of Corporation Finance Director Alan L. Beller

• SOX 404 does not change the 1977 standard of having internal controls over financial reporting, it just deals with the disclosure of such controls

• There is no rule that prevents companies from describing the importance of the material deficiency. Therefore, companies may differentiate between the real important deficiencies and the less important ones. The level of magnitude of each material deficiency can be disclosed, for example, by the company stating that some deficiency is not so important because of XYZ reasons

• The SEC has heard the calls from issuers for guidance on SOX 404. SOX 404 rules were written to be principles-based. Mr. Beller wants to know what could help issuers in doing their own review of internal controls and figuring out what is enough

Securities and Exchange Commission Commissioner Harvey J. Goldschmid

• The idea regarding disclosure of material weaknesses was to give companies a lot of room to explain each material weakness. "This one is a small one and this one is a bigger one."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.