| |
||
| August 1, 2005 | The
Newspaper of the NYSSCPA |
Vol.
8, No.14 |
Section 404: Lessons Learned in 2004
To say that 2004 was one of the most exciting and challenging years for auditors of public companies would be an understatement. Through Section 404 of the Sarbanes-Oxley Act of 2002, which requires public companies to annually provide the investing public with an assessment of the company’s internal control over financial reporting, the profession has seen a shift in how audits of these companies are performed.
For a number of us, the last 12 months have looked something like this: repeatedly reading the Public Company Accounting Oversight Board’s Auditing Standard No. 2, advising clients of this new and, at times, vague standard, coordinating walkthroughs, debating internal control deficiencies, performing testing, more debates over deficiencies, more testing, reporting, and, finally, getting some badly needed rest. But now that this first year with the standard and Section 404 is almost over (at least for those who have accelerated filers with years ending before July 15), we thought it would be a good idea to share some of our firm’s experiences and help others draw from our lessons learned.
Preparation
Regardless of how many walkthroughs we have attended or volumes of documentation we have pored over, nothing has prepared us as well as having repeatedly read through and thoroughly studied Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements.” We found the related FAQs published by the PCAOB helpful as well. This preparation has enabled us to answer countless questions from the partners we work for, the clients we serve and the colleagues from other firms with whom we network.
At times, we found ourselves debating the finer points of Section 404 with clients and coworkers alike. These debates typically revolved around the requirements under 404. As might be expected, the position we took often was more conservative than that of our clients. In the early weeks after Audit Standard No. 2 was published, matters subject to interpretation and judgment were given more leniency. However, as the PCAOB and the Securities and Exchange Commission provided additional guidance during the remainder of the year, arguments could no longer be summed up with a “this is okay for year one” response.
Finding the time to study up on the standard is challenging. Breaks that we used to enjoy following year-end, in between quarterly reviews and during the summer have grown smaller. Nevertheless, to be successful in the world of servicing public company audits, in-depth familiarization with standards is a necessity. Anything related to Section 404 is no different. Conflicts with clients regarding Section 404’s requirements most often can be resolved by referencing the section of the standard, or other subsequent guidance, accordingly.
Lessons Learned: Big Client
One of the former clients of the author happens to be one of the largest financial-services companies in the world. Beginning in 2002, management took the effort of complying with Section 404 seriously and communicated this attitude throughout the organization. The company was composed of four separate and significant business units, at least six significant locations (two of which were international) and more than 50 systems that had some role in the direct or indirect process of financial reporting.
The CFO was the executive sponsor and the controller was the project leader for the 404 compliance. The company established a project management office and hired a national accounting firm to serve as the company’s Section 404 advisors and to assist with the scoping, risk assessment, documentation and testing processes. We, the independent accountants, coordinated with our client and their advisors every step of the way. The parties did not always agree on everything and debated on matters such as the scoping of entities, the composition of auditable documentation, and findings that may or may not constitute a deficiency in controls design. Accordingly, representatives from the client, the advisors and our firm used weekly conference calls to address and resolve any differences that we had on these issues.
In the end, the client’s implementation project and our firm’s audit finished on time. We identified five important lessons from the experience:
-
Open communication between management, consultants and independent accountants ensures efficient coordination and resolves issues timely.
-
All parties should agree on scope and approach up front.
-
Documentation should be straightforward. Flowcharts and narratives can be a wonderful aid in understanding how processes operate, but, in the end, the impact that key controls can have on financial reporting must be clear, based upon the review of management’s internal control documentation.
-
Deficiencies or perceived deficiencies should be communicated to appropriate parties as soon as possible.
-
Although participation from management and line employees is necessary, they also have normal daily responsibilities to fulfill. Their schedules and commitments must be respected.
Lessons Learned: Small Client
Public-company management from numerous non-accelerated filers, along with a few accelerated filers, has commented on the feasibility and practicality of applying Section 404 to their companies. Their concerns range from costs associated with compliance to strains the Act puts on their employees. After having participated in the audit of a company with fewer than 50 employees, we now have an appreciation for the challenges that compliance with the Act places upon smaller public companies.
We were pleased to see that senior management made compliance with Section 404 a priority for 2004. Before we, the audit team, had an opportunity to investigate the client’s efforts, on the surface the company appeared to be moving along with its implementation nicely. The company had carried out the following steps:
-
A scoping of areas that would be documented and tested had been performed. These included significant locations, business processes and accounts.
-
The client had obtained the services of a consultant to assist them with the documentation and testing processes on behalf of management.
-
Management had reported that all known deficiencies had been remediated.
Unfortunately for all interested parties, the road to full compliance had its share of bumps and pitfalls, as noted below:
-
It was determined that much of the documentation of key processes and controls was inaccurate and difficult to audit.
-
The consultants who were hired proved unqualified for performing the work that they did on behalf of management.
-
There were a number of gaps in the design of controls that later became an ongoing discussion topic between management and the audit team.
There were times when our firm wished it could serve as the company’s decision maker, primarily to streamline and help reduce the cost of the implementation effort. One of the biggest frustrations for management and auditors alike was taking the requirements of Section 404 and trying to apply them to a company operating at a much smaller scale than perhaps Congress envisioned when it created the law. Although concerns surrounding documentation and the hiring of qualified consultants can be resolved easily enough, debates between management and auditors over perceived control gaps are harder to work through.
Given that the potential effect that control design can have on the financial statements is difficult to quantify, it seems likely that such debates will continue. Although the PCAOB has attempted to provide management and auditors with guidance in this area, applying their recommendations to real life remains challenging.
For this non-accelerated client, we learned several lessons:
-
A company’s management and board should be diligent in gaining an understanding of the qualifications and experience of consultants for Section 404 implementation projects. It’s helpful to check with your auditors on this as well.
-
Education on Section 404 requirements is paramount to getting management teams to “buy in” to concerns communicated by the auditor.
-
Additional guidance from the PCAOB on how small public companies can comply with Section 404 is needed. (Such guidance is expected to be released this summer.)
Looking Ahead
For accelerated filers, we expect compliance with Section 404 to become fairly routine somewhere between the second and third year of implementation. Similarly, we anticipate more guidance to auditors as a result of public-company criticism that auditors have taken an overly conservative approach to Standard No. 2.
Making predictions about non-accelerated filers, however, is more difficult. As previously mentioned, more guidance is needed on Standard No. 2’s application in order to ensure that Section 404 does not become a barrier to the capital markets for small and growing enterprises. Given the SEC’s decision to move the deadline for compliance with Section 404 to July 15, 2006, for non-accelerated filers, we believe such guidance is not only forthcoming, but will also be scrutinized heavily by auditors and public company management.
Editor’s Note: Written by fellow practitioners, Notes from the Firm provides a first-person account of the decision making and steps taken by CPA firms to address professional issues and concerns commonly encountered.
Matthew A. Snyder, CPA, is a manager with Marcum & Kliegman LLP in Manhattan and a member of the NYSSCPA’s SEC Practice Committee. He can be reached at msnyder@mkllp.com.
