Kalorama Partners :: Compliance Week Column

SOX 404 Redux: It’s Groundhog Day

By Harvey L. Pitt, Compliance Week Columnist—February 27, 2007

In the movie, “Groundhog Day,” Bill Murray plays Phil Connors, a self-absorbed, egotistical, and determinedly obnoxious Pittsburgh TV weatherman, who finds himself in Punxsutawney, Pa., to cover Groundhog Day. Phil doesn’t like this assignment, but his unwelcome endeavor turns into a spectacular nightmare, as he’s required to repeat Groundhog Day over and over again until he finally inculcates the true meaning of life and figures out the proper way to engage in human relations. Phil goes from anger, to frustration, to deception, to learning finally how to behave.

To a similar extent, American corporations have been forced into a time warp of their own. In 2002, Congress adopted Sarbanes-Oxley and, in particular, Section 404, which requires managements to report on the state of their internal controls, and auditors to report on managements’ assessments of their internal controls. It is, by now, commonly agreed that the initial guidance provided by the Public Company Accounting Oversight Board and the Securities and Exchange Commission was significantly at odds with reality, and produced costs and diversions of manpower that were wholly out of proportion to the presumptive benefits of the exercise. As costs mounted, and auditors became defensive in their audits of internal controls, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance, and to make the beneficial purposes of SOX 404 more obtainable, with lower costs and more focused efforts.

The recent SEC release on “Management’s Report on Internal Control over Financial Reporting” and the PCAOB’s re-write of Auditing Standard No. 2 are important steps in enabling companies to reduce the costs of complying with Section 404. Both releases endorse the use of a “top-down, risk-based evaluation of internal control over financial reporting.” The SEC provides a “safe harbor” for companies using this approach. The reports also separate the responsibilities of management and auditors for certifying a company’s internal controls. The PCAOB report allows auditors to rely upon the work of others to a greater degree than previously and, perhaps most importantly, outlines the PCAOB’s philosophical approach toward organizing and executing the internal control audit.

Taken together, these concessions represent an important first step in reducing the costs of 404 audits. Prospectively, to paraphrase Winston Churchill, they represent only the end of the beginning, not the beginning of the end. Successful implementation of these options will require management time and attention, and coordination with outside auditors. Fortunately, managements that invest this time and effort will reap the savings and certainties that these revisions were intended to effect.

The change to a “top-down, risk-based” approach toward evaluating financial controls should streamline the process for identifying and testing key controls and potentially reduce the required documentation. A “top-down, risk-based” approach allows management to use its expertise to identify the substantive risks in reporting on internal controls and the policies and procedures that prevent these risks from becoming material misstatements. Management can tailor its approach to include only the highest-level controls necessary to adequately contain the risk.

Once these controls have been identified, even if they are “entity-level” controls, the analysis can stop, provided those controls are sufficiently effective in controlling the risk. This approach eliminates the redundancy that a “bottom-up” approach entails, where all controls relevant to a particular risk are analyzed and evaluated even if one control is sufficient. In a risk-based approach the evaluation of the effectiveness of the control can be tailored to the risk of the misstatement.

The higher risk areas require more extensive testing of controls than controls over lower risk activities. This risk-based approach also impacts the level of documentation surrounding a particular control. As an example, daily interactions with particular controls require less formal documentation than quarterly reviews. Finally, the evidence supporting the effectiveness of the controls can also be tailored around the risk of the misstatement, the frequency with which employees and management interact with a control, and the evidence of the interaction in the way of emails, memos, and similar communications.

These releases have a considerably more principle-based tone than traditional SEC or PCAOB releases. They allow managements considerable flexibility in designing their own systems for meeting the spirit of the rule. This is useful for all companies, especially the small-to-mid-size and/or foreign companies that won’t have reported on internal controls prior to the effective date of the new guidance. The SEC and the PCAOB expect that this “top-down, risk-based” approach should save considerable time by eliminating many of the redundant evaluations that have previously occurred.

The designation of the SEC’s proposal as a safe-harbor for SOX 404 methodology should hasten its adoption. The SEC’s original release was silent about using any particular methodology. The new SEC release states that companies reporting under Exchange Act Rules 13a-15(c) and 15d-15(c) can satisfy the effectiveness of their internal controls by using this methodology. If companies use this approach, they can no longer be questioned about their method of certifying their internal controls—they can only be accused of failing to apply the methodology correctly. If, as expected, civil courts follow the SEC’s thought process and adopt a “top-down, risk-based” approach as the desired standard, this will remove one uncertainty that companies and auditors face in shareholder lawsuits. The widespread acceptance of this approach as the standard methodology for SOX 404 compliance will be a powerful incentive for companies to adopt it, and will remove a significant hurdle in the way of 404 compliance.

The SEC and the PCAOB decided to eliminate confusion by requiring a company’s management and its external auditors to certify independently the company’s internal controls over financial reporting. Previously, the external auditors certified management’s reports, which led to redundancy as auditors tested the controls themselves and then validated management’s testing. While it is now theoretically possible that a company’s management and the auditors independently reach the same conclusion while using different approaches, the SEC and the PCAOB expect that companies and auditors will continue to work closely so that their methodologies and procedures are consistent.

One of the most meaningful provisions in the PCAOB release concerns the ability of auditors to rely upon the work of others. The original PCAOB AS No. 2 required an auditor’s work to be “substantially” its own. In today’s litigious environment, auditors were compelled to accept the PCAOB’s literal interpretation of this requirement, which led to needless duplication of efforts with a concomitant increase in expenditures. The PCAOB’s new release enumerates procedures and standards that auditors must meet in order to justify their reliance upon the work of others. As the PCAOB relates, “the auditor should evaluate the nature of the subject matter tested by others, evaluate the competence and objectivity of the individuals who perform the work, and test some of the work performed by others to evaluate the quality and effectiveness of their work.” This should lead to a large reduction in SOX 404 certification costs for companies that have invested in a sound internal audit department—or its equivalent—and are qualified to assist external auditors.

The PCAOB statement’s most valuable contribution is its discussion of the concepts and philosophy behind a “top-down, risk-based” approach to auditing internal controls. In paragraphs 16-80, the PCAOB discusses Using a Top-Down Approach, Testing Controls and Evaluating Identified Deficiencies. These sections should be read by managements planning to adopt this new methodology, since they offer the regulator’s perspective on how to identify significant accounts, processes and controls, how to select controls to test, how to balance risk and reward in testing the effectiveness of controls, how to time the testing of controls, and how to identify and classify deficiencies, especially significant ones. Taken together, these sections provide a road map that will enable companies to implement a “top-down, risk-based” approach to the certification of internal controls efficiently, with greater certainty that their auditors will approve the process. Managements should save money and time in the implementation of this methodology, as well as saving money in subsequent SOX 404 audits.

The SEC and the PCAOB made other changes to the language and scope of 404 audits. They have revised the definitions of “significant deficiency” and “material weakness” to encompass higher probabilities of failure. The PCAOB in particular felt that some auditors were imputing too low a probability to the possible occurrence of these events—in statistical jargon, a 1 percent cumulative probability of a material event occurring is a much more stringent test than a 25 percent cumulative probability. These changes should help reduce some of the efforts made confirming the effectiveness of controls.

These changes form an excellent beginning for companies to reduce the time and the expense involved in SOX 404 certifications. There are now established roadmaps to follow to be in compliance, to reduce auditor involvement, and to use cheaper internal resources. Here are eight steps that managements should consider to implement these new procedures successfully:

  1. Manage your risks. This is an ideal opportunity to implement enterprise-wide risk management. Financial statement risk management is but a subset of enterprise-wide risk. If management implements a comprehensive company-wide risk-management approach, the danger of material errors in financial statements will be vastly reduced.

  2. Read, don’t skim, the guidance. The new rules are much better than the ones they replace, which were too specific; however, occasionally they’re vague. The COSO report supplies many of the missing parts, especially illustrating how to identify the probability of an event occurring and the severity of its occurrence, which leads to conclusions about materiality. This may not replace your favorite fiction writers, but it definitely is required reading.

  3. Coordinate with your auditors. The ability to take advantage of these changes, especially reliance on the work of others, is going to depend upon close coordination between management and the outside auditors. Pick their brains on approaches for designing a “top-down, risk-based approach” and for shoring up areas that might need reinforcing in order to assist your auditors in their certification process. Time spent at the outset may significantly reduce time and expenses when the actual audit occurs.

  4. Don’t discard your existing experiences. The results of the current Section 404 certification process are useful. You have taken the engine apart once, if not twice. Now you’re being asked to make improvements and re-assemble it. The prior certification audits provide a valuable road map to help determine what steps to avoid.

  5. Test early and often. The actual certifications under the new methodology won’t begin until September 2007, or later. You can use the results of this year’s certification to model on a small scale what a review would have looked like if your company had used a “top-down, risk-based approach.” By sharing these examples with your auditors, you can refine your approach.

  6. Don’t become frustrated. Having suffered through the Section 404 experience, some may not be anxious to try a new alternative process. The eventual goal of certainty and savings is, however, worth the cost. Innovations always take time and effort, but it is time and effort well spent.

  7. Tone at the top is critical. By definition, a “top-down” approach depends on senior management. Senior managers have to identify the appropriate risks and the relevant controls for these risks. After senior management has an opportunity to start the process, the process can be pushed down to lower levels in the organization for validation of the assumptions.

  8. Talk to the regulators. The SEC and the PCAOB have morphed radically from their “prescriptive rule” standards to principles-based standards. They need to know what works, what doesn’t, and where improvements can be made. Managements should send comment letters to the SEC and the PCAOB about their reactions to the new rules, and suggest changes or clarifications. Legislators gave little or no credence to the concerns and knowledge of businesses when they drafted Sarbanes-Oxley. This is an opportunity for business to evince that it can manage the process in a thoughtful manner that will achieve the desired result—investor confidence in financial statements—in a less costly manner.

The new SEC and PCAOB statements represent the end of the beginning of 404 certifications. SOX Section 404 certification has a worthwhile purpose to restore investor confidence in financial statements. This has been achieved at too high a cost to both companies and capitalism. These new pronouncements represent a blueprint that companies can use to obtain the same results. It is up to companies to use these blueprints to create a structure for the future. In SOX, we received more government than we ever imagined or were willing to pay for. This is our opportunity to reduce our bill.

Copyright © 2010 Kalorama Partners, LLC.