Sarbanes-Oxley: Too much for too little?

Faced with a tidal wave of complaints about high costs and implementation difficulties, federal regulators say they will consider modifying rules and auditing standards related to the Sarbanes-Oxley Act.

Executives from companies including General Electric, Lockheed Martin and Emerson Electric spoke about the challenges of complying with the legislation during an all-day roundtable held last week in Washington, D.C. Most participants agreed that two years of SOX compliance has shored up corporate accounting practices - but at a cost that's lopsided compared with the benefits gained.

The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) arranged the roundtable to solicit feedback about SOX Section 404, which requires companies to attest to the effectiveness of internal controls put in place to protect financial reporting systems and processes. Representatives from these bodies said they're open to suggestions about how to relax the burden of Section 404 compliance.

"The Sarbanes-Oxley Act was a critical step in addressing an unprecedented string of corporate scandals that were rooted in very serious governance, accounting and audit failures," said SEC Chairman Christopher Cox in his opening remarks. Section 404 has the potential to improve the accuracy and reliability of financial reporting, but only if it's implemented properly, Cox said. "In practice, it hasn't always worked out that way."

Bill Gradison, acting chairman of the PCAOB, added that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. "Based on the information we already have, it would seem that some further changes may be in order," Gradison said.

Among the changes panelists advocate is greater latitude for auditors to use their judgment in determining which controls are most significant.

Mary Bush, president of consulting firm Bush International, said there's a need for guidance from the SEC and PCAOB around the areas that pose the greatest risk to accurate financial reporting: "There still seems to be as much emphasis placed on low-level process controls as there is on controls that really have a risk for incorrect financial reporting."

Several panelists agreed that companies and audit firms need to pare back the number of controls that are tested.

Business managers at British Petroleum find it's useful to identify, document and test the effectiveness of internal controls, but balk at the duplication of testing required by staff and internal and external auditors, said Keith Holmberg, vice president of financial control processes at the global energy company. All that testing starts to dilute the sense that it's good business practice, he said. "For us that's probably been the biggest area of frustration."

The evaluation of IT-related controls, in particular, leaves a lot to be desired, said Susan Gordon, corporate controller at CBS. Audit firms today tend to use canned control questionnaires, not tailored for specific situations, in evaluating controls rather than taking a more relevant, risk-based approach to reviewing IT controls, she said.

Adding to the burden at CBS is that more than 90% of its IT controls are manual. Looking ahead, Gordon hopes to see that drop to 80% in 2006. As new applications and systems are deployed, IT staff will design the necessary controls from the start, Gordon said. "IS and IT are onboard with this, and they see this as a great opportunity," she said.

Stephen Sherwin, chairman and CEO of biotech firm Cell Genesys, said the topic of IT controls illustrates the huge burden Section 404 places on smaller public companies - including his.

"404 oversight in the IT area is particularly onerous to smaller companies," Sherwin said. "The problem is that the lack of adequate staff and infrastructure forces the hand of the smaller public company to seek outside consultative support to carry out the necessary testing." That expense adds up to "our never having any confidence that the cost requirement of implementing these regulations as they are now defined will go down over time," he said.

Sherwin was the sole CEO of a small public company present at the roundtable, but he wasn't the only panelist to address the SOX burden on smaller public companies, which have to begin complying with Section 404 next year.

An SEC advisory committee in April recommended establishing a scaled-back regulation for smaller public companies that don't have the resources to comply with Section 404 requirements in their current form. But panelists pointed out that having sound internal controls is important to businesses of all sizes.

The legislation requires management at all public companies to assess their internal controls, and all public companies should be held up to that requirement, said Damon Silvers, associate general counsel of the AFL-CIO. "On behalf of the individuals, the members of the AFL-CIO's unions, we would not want any of them to be subject to a pitch to buy the stock of any company whose management could not do so," Silvers said.

In addition, large businesses are equally interested in guidance that might alleviate the burden of Section 404. "If you're going to change something for the small businesses, large businesses here would like to hear about it as well," said Kimberly Gavaletz, a vice president at Lockheed Martin.

Large public companies know all too well the cost of compliance. Financial Executives International (FEI) surveyed 274 public companies and found average compliance costs were about $3.8 million in fiscal year 2005. Companies spent an average of 22,786 staff hours internally to comply with Section 404 in 2005.

The good news is, companies with two years of compliance under their belts reported that costs dropped an average of 16%, said Colleen Cunningham, president and CEO of FEI.

But that's not always the case. GE spent about $33 million on Section 404 compliance in 2004, and costs ran about the same in 2005, said Philip Ameen, vice president and comptroller at GE.

While GE's tally didn't decline, there are positive outcomes from the legislation. Two years of Section 404 compliance has focused the company on the controls that are most important to its reporting processes, Ameen said. "Overall, on balance, I think the management team, the board of directors and people down in trenches doing the testing are favorably impressed with progress that has been made in the second year of 404."

FEI's survey tells a similar story. Among respondents, 44% said financial reports are more reliable, and 33% agreed that compliance with Section 404 has helped prevent or detect fraud.

But is that enough? No, according to the 85% of FEI survey respondents who believe the costs of SOX compliance still outweigh the benefits.

Despite the challenges, not everyone wants to see the rules or guidance related to Section 404 altered, given the disruption it would cause to ongoing audits.

J. Michael Cook recommended changing as little as possible and only that which is absolutely necessary. "I recognize that if you put out more guidance, there are going to be 10,000 or 15,000 people in a large number of firms that are going to have to be trained in it, figure out what it means," said Cook, who is audit committee chairman at companies including Burt's Bees, Comcast and Eli Lilly. "Everything will be in limbo again."

Copyright © 2006 IDG Communications, Inc.