Implementing Sarbanes-Oxley Act Section 404
Lessons Learned from the Front Lines

By David K. Owens

APRIL 2006 - In the first year of compliance with section 404 of the Sarbanes-Oxley Act (SOX), affected companies produced a volume of opinion on how the process could be improved. Following the SEC’s call for suggestions on the topic, Edison Electric Institute (EEI) collected the views and experiences of the electric utilities industry. The participants’ thoughts and ideas are summarized below.

Overall, the electric utility industry believes that SOX section 404 compels a company to take a hard look at its business processes and systems, which is good. To achieve its full promise, however, the compliance process must focus on lowering costs, reduce the level of ambiguity surrounding compliance, and expand a too-narrow interpretation of the compliance requirements for outside auditors.

Rely on internal audit activity to a greater extent. To avoid the duplication of effort during audits, EEI’s members believe that the Public Company Accounting Oversight Board (PCAOB) should modify its requirement that independent auditors perform more than 50% of the total procedures upon which they base their opinion. The 50% threshold is artificial, and also requires the independent auditor to duplicate work that already has been done by in-house auditors, thereby increasing the cost of the audit.

Many internal auditors report to their company’s audit committee directly, just like the independent auditors do, and thus are sufficiently independent to merit direct reliance on their work product. But even if an internal auditor does not report directly to the audit committee or the board of directors, if the independent auditor is satisfied that the work meets certain indications of reliability, then the independent auditor should be able to rely on the internal auditor’s work. This can be done by reviewing and agreeing with the internal auditor’s testing approach (e.g., scope, timing, sample size), reviewing and signing off on the internal auditor’s documentation, and assessing and concurring with the qualifications and objectivity of those performing the work. If these requirements are met, the independent auditor should be permitted and encouraged to use the internal auditor’s work as his own. Internal audit work has properly been relied on for financial statement purposes; it should equally be relied on for SOX section 404 purposes.

Depend more on work performed in prior periods, and allow more testing prior to year-end. Performing some level of testing of all key controls on an annual basis is both appropriate and necessary. However, management and auditors should be permitted to target their testing based on relative risks, and to consider the results of prior years’ tests in determining the nature and extent of testing in the current year.

For example, transactions and processes such as payroll or expense processing are static from period to period, barring some significant change. If a company’s controls in an area have worked effectively for several years without exception, and there have been no significant changes in those controls during the year, then limiting the sample tested in the current year, or performing such testing earlier in the year, would seem appropriate.

EEI’s members also believe that requiring all testing to take place in the latter half of an entity’s fiscal year is counterproductive to the objective of having internal controls operate effectively throughout the year. Rather than extensively retesting controls at year-end, where the process does not change, greater reliance should be placed on interim testing.

This approach would have numerous benefits:

  • Bringing deficiencies to light in a timelier manner;
  • Facilitating SOX section 302 confirmations;
  • Supporting consistent performance of controls throughout the year due to the possibility of testing at any time; and
  • Reducing costs by allowing both management and auditors to spread their evaluation of internal controls throughout the year rather than clustering such work during the same time the financial statement audit, of necessity, must be

Allow independent auditors to discuss proper accounting treatment of business transactions. Prohibiting independent auditors from giving input until management provides a white paper or other formal assessment of a complex rule or transaction is inefficient and conflicts with the objective of section 404: maintaining controls that ensure that the financial statements are materially correct.

The EEI agreed with the PCAOB’s 2005 Policy Statement, which recognized that independent auditors should be encouraged to discuss the proper accounting treatment of complex business transactions with management without jeopardizing their independence with respect to the audit of internal controls over financial reporting. Likewise, the EEI agreed with the PCAOB position that company management and staff should be able to seek advice from independent auditors without fear of triggering a “significant deficiency” or “material weakness” finding by the auditor or otherwise running afoul of section 404.

Allow companies to comply on behalf of their subsidiaries. Companies with a number of subsidiary registrants face an unnecessary burden in having each of their subsidiaries comply with SOX section 404. Recognizing that parent companies can fully oversee the operations of their subsidiaries, the SEC already has granted them an exemption from the requirement that each subsidiary have its own audit committee. As such, EEI’s members recommend that subsidiary registrants which meet all of the following criteria should be exempt from the requirements of section 404:

  • The parent company has successfully complied with the requirements of sections 404 and 302;
  • The subsidiary is a wholly owned subsidiary of the parent;
  • The subsidiary meets the SEC audit committee exemption; and
  • The parent company has included in its management assessment those corporate allocation processes, systems, and controls that significantly impact the subsidiary filers.

General Suggestions

In addition to the key recommendations outlined above, EEI’s members presented a few general suggestions that could ensure compliance with SOX section 404 while also reducing the expense of compliance to companies.

Clarify that management, not the independent auditor, makes the ultimate decisions regarding implementation. Little guidance exists from either the SEC or the PCAOB to help management structure its approach to documenting, testing, and evaluating internal controls under SOX section 404. The limited guidance provided is tailored to what procedures the independent auditor must perform to render an opinion.

The result is that the independent auditor has effectively become the sole and final judge of the sufficiency of documentation and testing according to a particular audit firm’s standards. This infringes on a company’s responsibility to implement and document its own internal controls over financial reporting. It also creates an inconsistency in the evaluation of those controls when there is no objective standard for making such judgments.

EEI has encouraged the SEC and the PCAOB to balance the independent auditors’ judgments by clarifying that company management, not the independent auditor, is principally responsible for developing, evaluating, and approving the internal controls reviewed under section 404. EEI has also encouraged the SEC and the PCAOB to ensure that any guidance they provide is developed through an open process, with opportunity for input by affected companies and the public, and provided in a timely fashion, allowing companies adequate lead time to adopt the guidance.

Clarify that company management should evaluate and address only truly consequential deficiencies in control systems. The PCAOB Auditing Standard 2 (AS 2) definition of a “significant deficiency” is appropriate. The EEI was glad to see the SEC clarify whether an internal control deficiency is “inconsequential” under the provisions of AS 2. In EEI’s view, too many trivial deficiencies are being sent to company management for further evaluation. The goal should be to identify pervasive internal control failures, not to focus so heavily on minor, immaterial, or technical deficiencies.

For example, during the first round of section 404 audits of internal controls, independent auditors interpreted the term “inconsequential” almost exclusively using quantitative thresholds, with little or no consideration of qualitative factors. The SEC’s guidance on assessing materiality, Staff Accounting Bulletin (SAB) 99, clearly requires consideration of both qualitative and quantitative factors. But this is not being applied in the context of SOX section 404, resulting in inappropriate classification of control deficiencies as significant when, in fact, they are inconsequential. Furthermore, many deficiencies are so trivial that few reviewers would pay attention were it not for the requirement that all deficiencies be communicated to management and considered for aggregation.

Although PCAOB Release 2004-001 (March 9, 2004), “Concept of Reasonable Assurance,” suggests that the PCAOB is looking for reasonable rather than absolute assurance, this has not been sufficiently adopted by independent auditors in practice. EEI believes that better guidance should be provided as soon as possible, especially for accelerated filers who are currently facing the consequences of having to address all deficiencies rather than only those that are truly significant.

Require documentation for only key controls. Appropriate, verifiable documentation of all key controls should be the standard to which management aspires in performing internal controls over financial reporting. Of course, many controls are performed by individuals and thus are susceptible to error, either in performance of the control itself or in the documentation of performance. Although an error in performance of the control may indicate that the control is not operating effectively, an error in, or absence of, certain documentation does not necessarily indicate that the operation of the control is deficient.

AS 2 recognizes and allows for this in the auditor’s testing of controls. Specifically, paragraph 97 of AS 2 states that “the quality of the evidence regarding the effective operation of the control might not be sufficiently persuasive. If that is the case, the auditor should re-perform the control … as part of the test of the control.” Consequently, a control may be deemed to exist and be operating effectively, even in the absence of sufficient documentation of its performance, if the auditor is able to test its effectiveness through re-performance.

In EEI members’ experience, however, independent auditors have applied a more stringent threshold for documentation of performance of controls than that required by AS 2. They have effectively enforced a standard that the “absence of evidence [i.e., inadequate documentation] is evidence of absence.”

As a result, controls that are being performed effectively may be deemed to be deficient solely due to an absence of certain evidence, some of which may be trivial (such as signatures in specific locations, etc.). It would be helpful—and it would promote the objectives of section 404—if the SEC or the PCAOB were to provide additional clarification regarding this aspect of the testing of internal controls over financial reporting.

Looking ahead, EEI encourages the SEC and the PCAOB to consider its insights, and those of others, as they seek to improve the SOX section 404 compliance process. By doing so, EEI believes the result will be more accurate, reliable, and transparent financial information about a company—the true goal.

David K. Owens is executive vice president of Edison Electric Institute, an association of United States investor-owned electric companies, international affiliates, and industry associates worldwide. Its U.S. members generate more than 70% of the electricity produced in the United States.