Reducing SOX Section 404 Compliance Costs
A Top-Down, Risk-Based Approach
By Patrick O’Brien
JULY 2006
The general opinion of many companies that have completed their first year of compliance with the Sarbanes-Oxley Act (SOX) is that the costs associated with complying with section 404 are too high. The Public Company Accounting Oversight Board (PCAOB) has determined that a large portion of these excessive costs can be attributed to compliance processes and audits that were not as effective or efficient as intended. In many cases, companies and auditors were documenting and testing too many financial reporting processes and related controls. In two published releases, the PCAOB summarized its findings and provided guidance on how to improve upon these inefficiencies. The board is encouraging auditors and issuers to use a top-down, risk-based approach instead of an overly detailed, bottom-up assessment. The PCAOB stated that the assessment of internal controls over financial reporting will be more effective if auditors and issuers focus on company-level controls and the significant accounts, processes, and controls that are most likely to have a material impact on the financial statements.
A top-down, risk-based approach is founded on the premise that not all accounts, transactions, and risks are equally important. Companies should not only consider the relative significance of these items, but also factor in a number of related concerns, including the nature of the business, the inherent risk level of processes and controls, and the effectiveness of technology and human resources.
This article, the first in a two-part series, describes a four-step process for implementing a top-down, risk-based approach to establishing scope and test strategies for internal controls. When combined with appropriate technology support and sound business acumen, it can significantly reduce the costs for SOX section 404 documentation and testing.
Introduction
On May 16, 2005, and November 30, 2005 (PCAOB Release Nos. 2005-009 and 2005-023, respectively), the PCAOB published additional guidance to auditors on how to implement Auditing Standard 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2). The guidance consisted of a Policy Statement regarding the implementation of AS 2, a series of staff questions and answers, and a report on the initial implementation of AS 2. Through these publications, the PCAOB is providing technical guidance to auditors and issuers on how to use the provisions and underlying principles of AS 2 to conduct effective and cost-efficient audits of internal controls over financial reporting.
While most issuers generally support the objectives of SOX section 404, many have expressed concerns about compliance costs and are examining how the implementation process can be improved. The general consensus is that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting, but that the first round of internal control audits cost too much. The goal is to implement AS 2 in a manner that captures the benefits of the process without unnecessary or unsustainable costs.
The PCAOB has identified the primary drivers of cost to be the scope of the internal control audit and the amount of management testing being performed. These factors should be addressed most urgently to affect audits for the second and third years of SOX compliance. The PCAOB recommends using a top-down approach that begins with company-level controls and proceeds to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting. Furthermore, companies should use the risk assessment required by AS 2 to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement.
After reviewing the guidance issued by the PCAOB, companies should consider refining their best practices to support a top-down, risk-based approach to testing the effectiveness of internal controls. Such a methodology incorporates the following four principles:
- Company-level controls: Use a top-down approach that begins with company-level controls to identify for further testing only those accounts and processes that are relevant to internal control over financial reporting.
- Material accounts: Identify the financial statement accounts that are material by selecting an appropriate number of locations to obtain adequate coverage (not too low or excessive).
- Risk-based selection of controls: Apply a risk-based approach that considers both quantitative and qualitative factors in identifying significant processes for the transaction-level testing of controls.
- Account assertions: Ensure that the controls selected for testing cover the significant account assertions.
The PCAOB guidance, when implemented appropriately, can greatly reduce the scope of controls identified for SOX section 404–related testing. In many cases, reductions of 25% to 45% can be achieved.
Background
Now that many companies have passed the milestone of Year 1 SOX compliance, they have an opportunity to take a look back to understand what actually occurred, and to see how the experiences and lessons of Year 1 can help form strategies and responses for Year 2 and beyond.
SOX section 404 implementation during Year 1 was a challenge for everyone involved; for many companies, the process was simply overwhelming. Fully understanding the task at hand, planning an initial approach, and ensuring the timely availability of the appropriate resources were just a few of the key challenges companies faced. In many cases, the process was burdensome because the required documenting, monitoring, verifying, and reporting were performed manually.
Another key problem was that many companies spent excessive amounts of time testing the design and operating effectiveness of every control, the validity of every assertion, and the accuracy of every account balance.
Year 2 of SOX compliance can be quite different from Year 1. Now that companies better understand what the law requires and where their process weaknesses lie, they should be focused on implementing a sustainable compliance process. One of the key components for a sustainable process is choosing the right compliance technology needed to make the second year’s filing less onerous than the first’s. See the Exhibit for a list of criteria for selecting a technology solution.
Beginning with Year 2, and certainly by Year 3, the focus should turn to cost reduction. In “Emerging Trends in Internal Controls: Fourth Survey and Industry Insights” (September 2005), Ernst & Young found a strong correlation between the number of controls identified for testing and the costs associated with compliance. For example:
- 85% of surveyed companies with annual revenues greater than $20 billion invested more than $10 million in initial SOX section 404 compliance.
- One-fourth of companies with annual revenues greater than $20 billion tested more than 10,000 controls, and some companies tested more than 50,000 controls.
- For companies with $5–$20 billion in annual revenues:
  - 60% invested more than $5 million in initial SOX section 404 compliance.
  - 24% tested more than 5,000 controls.
It is not surprising that the scope of controls identified for section 404–related tests is a primary cost driver.
The Ernst & Young survey also found that, for 63% of companies, less than 30% of the SOX section 404–related controls were IT-based, which means that the opportunity to realize long-term cost savings and to improve confidence through the automation of controls is significant. It will not, however, be enough to realize the cost savings that many companies seek.
Multi-location testing strategies can also have a pervasive impact on the overall scope and cost of SOX section 404 assessments, so determining the right multi-location testing approach is very important. In most cases, company size, complexity, and geographic scope will affect the number of locations identified for section 404 testing, but the selection criteria can also have a sizable impact on the number of locations. Beyond the location’s size, companies should consider other criteria, such as whether the site is potentially a significant financial-statement risk.
Reducing Compliance Costs
There are several ways to lower SOX compliance costs, including improving training, streamlining SOX processes, and automating controls; however, implementing a top-down, risk-based approach to establishing scope and testing strategies will have the largest impact on ROI.
Part 2 of this article will describe a four-step process for implementing a top-down, risk-based approach to establishing scope and test strategies for internal controls. It will also discuss how a technology solution can support this process and make it more efficient.
Patrick O’Brien, MBA, is OpenPages’ (www.openpages.com) director of product management and leads the product development process for the company’s line of governance, risk, and compliance management (GRCM) solutions.