    We urge the Commission to consider these changes:
    A. Eliminate redundant assessments.
    The Congress passed an Act that requires in its Section 404 that “each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer” (emphasis added). The PCAOB then elected to require each firm to perform its own, independent assessment of internal control as a condition precedent to reporting on management’s assessment. By analogy, it is as if the Congress passed a law requiring all children to do their homework, and further requiring all parents to ensure that homework gets done. The PCAOB then suggested that no parent could determine if the homework was done unless the parents first did all the homework themselves. We believe requirements should be better aligned with Congressional intent by eliminating the need for each accounting firm to perform a second, independent, redundant assessment.
    B. Define broad “principle based” requirements for management’s assessment.
    At present there is very little guidance concerning what is required of management. Requirements are defined for the accounting firms and they in effect “back-door” management requirements. In the minds of some, restraint increases risk, and the resulting lack of restraint coupled with the redundant assessment referenced above has the unintended consequence of substantial over-auditing and increased expense.
    C. Define broad “principle based” guidance for a public accounting firm’s report on management’s assessment.
    The investing public needs assurance that management’s assessment was reasonably comprehensive and substantive. The accounting firms need guidance on how far they should reasonably be expected to go to make that determination. Present guidance suggesting they “do all the homework themselves” raises the bar too high.
    D. Focus on key controls.
    Problems at Enron, WorldCom, et al seem rooted in high-level ethical lapses, collusion and management override of existing control procedures. Very broad “general” controls like strong ethical standards, effective independent oversight and review, and appropriate and readily available lines of communication apply to these very broad problems. Severe punishment for those who fail to honor the public trust may provide a deterrent. The low-level, very detailed procedures addressed in the recent SOX 404 assessment are considerably less effective in preventing or detecting high-level problems.
    E. Permit testing over several years.
    While somewhat oversimplified, current requirements essentially require all testing to be reperformed every year, even though many if not most of the procedures may have been repeatedly tested and found effective. Such requirements increase cost with little or no benefit. Management, with approval from the Audit Committee of the Board, should be permitted to define a testing plan that addresses key controls more frequently than other procedures that involve less risk. Key controls for example might be tested annually, while other procedures might be retested over a two to five-year period.
    F. Focus on fundamental auditing.
    Problems at Enron, WorldCom, et al also seemed related to audit failures. “Where were the auditors” is a recurring theme, and further analysis of these problems will undoubtedly yield more insight. Until then however, there is the nagging suspicion that these audit failures, if any, were due in part to a trend that has been developing for many years. That trend is toward more and more highly detailed, complex rules of disclosure, which takes more and more time and attention from the more experienced members of every audit team. That fundamental part of a financial audit that goes to ensuring management’s information is representative of actual underlying economic activity is largely handled by less experienced auditors. Limited emphasis appears placed on understanding the flow of transactions and the basic structure of internal accounting control, in part perhaps due to accounting systems themselves being more technically challenging and less prone to analysis by less experienced auditors. More involvement of experienced personnel in fundamental financial auditing may be needed.
    We do not see a need to change the stated requirements of the actual Sarbanes-Oxley Act of 2002. In our view, what is needed is a substantial rethinking and revision of the related interpretations and requirements promulgated by the PCAOB.

  • Who is we?
    Anyway, my comments would be:
    A - Disagree. The Act was brought in because high-profile failures resulted from the behaviour of management. It was sensible to require that management’s assertion be audited. Your analogy is somewhat off - the PCAOB does not require that ‘the parents do the homework first’; they require that the parent checks that the child has actually done their homework and are not just saying that they have.
    B - Exists already - SOX 404 plus COSO
    C - Exists already - PCAOB Auditing Standard #2
    D - Exists already - you need to consider entity level controls (control environment) before process level controls. Within processes you may focus on key controls.
    E - Agree, a risk weighted rotational approach would be pragmatic and sensible.
    F - Your first sentence is false. Enron and Worldcom were, first and foremost, FRAUDS carried out by DIRECTORS, OFFICERS AND MANAGEMENT of the Company. The auditors could never have PREVENTED this but perhaps they could have DETECTED it earlier.
    To me a large part of the perceived problems come from management abrogating the responsibility for internal control to consultants and/or auditors. I’ve worked on 4 SOX projects and the more successful ones are where it is management that sets the agenda.
    That said the SOX arena could definitely use a healthy dose of pragmatism - especially when it comes to smaller companies.

