Compliance with Section 404 of the Sarbanes-Oxley Act (SOX) is required in 2006. A report by the Public Company Accounting Oversight Board (PCAOB) states that both accounting firms and the public companies they audit will face “enormous challenges” this year as reported in CFO.com. This section of SOX requires that companies document their internal controls.
“It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting. At the same time, it is clear to us that the first round of internal control audits cost too much,” PCAOB chairman William J. McDonough told CFO.com.
At the time of this writing, McDonough has stepped down as chairman and the Securities and Exchange Commission (SEC) is in the process of finding a replacement with national stature and accounting industry experience according to the Washington Post.
Staff with prior training and experience in designing, evaluating, and testing internal controls will be a challenge especially with the short time companies have to implement Section 404. CFO.com reported that, “These challenges were compounded in cases in which companies needed to make significant improvements in their internal control systems to make up for the deferred maintenance of those systems,” as stated by the PCAOB.
The report was issued by the PCAOB in the course of covering the implementation of Auditing Standard No. 2. This SOX requirement states external auditors must certify and report on clients’ estimation of their own internal controls.
CFO.com reports, PCAOB chairman William J. McDonough said, “While our inspections identified several opportunities for auditors to improve audit quality and efficiency, the board remains confident that auditors will be able to perform more effective and efficient audits in future years. These improvements are already appearing as auditors and their clients gain experience and as challenges that were unique to the first year’s implementation abate.”
Several strategies have been recommended by the PCAOB. One suggestion is integrating financial statement audits with internal control audits in order to contribute to the completion of both audits. Also judgment should be used in implementing audit plans to client risks. Pre-existing or standardized checklists may not identify clients’ particular high-risk areas, allow misallocation of resources, and may cause potential material restatements.
The SEC stated in its report, “A one-size fits all, bottoms up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good-faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.”
After the April 13 roundtable discussion of the Section 404 requirement with the PCAOB attending, the SEC released a report titled “Staff Statement on Management’s Report on Internal Control Over Financial Reporting.” The report stated, “While a portion of the costs likely reflect start-up expenses from this new requirement, it also appears that non-trivial costs may have been unnecessary, due to excessive, duplicative, or poorly focused efforts.