The FEI survey found that companies between $500 million and $1 billion in revenues predict that they will dedicate more than 5,110 internal personnel hours, and 1,833 external people hours for Sarbanes-Oxley 404 compliance. External consulting, software, and other vendor charges (excluding audit fees for attestation) are projected as being just over $513,000 and audit fee estimates are shown as $272,000.
As the new mandated deadlines loom either in 2004 or 2005, many middle-market executives are faced with tough decisions regarding cost and compliance. My colleagues and I have found that compliance readiness is first and foremost on the minds of executives from mid-sized companies.
According to the FEI survey, 25 percent of respondents have already deployed their permanent solution for Section 404 compliance, while another 52 percent plan to do so in 2004. About 14 percent have no specific plans to implement a “solution tool” at this time. These companies are at risk of either not completing their 404 preparations or ending up with major deficiencies that could result in qualified attestation reports. Specific observations include:
At present, a majority of mid-size companies are either in the planning or control/process documentation stages and are scheduled to finish in the late spring or summer, not earlier.
Since the documentation phase is still in process, management is unclear as to the scope, effort and/or timetable for remediation and testing, along with any anticipated iterations of the process. In addition, the Public Company Accounting Oversight Board (PCAOB) is still sifting through more than 1,200 pages of comments on its proposed internal control audit standard. As a result, they are miles behind the originally expected fourth quarter 2003 issuance of a final standard, and auditors still cannot tell their clients exactly what procedures they as internal control auditors will have to perform to issue their own reports.
Company readiness, or the lack thereof, may conflict with the external audit firm’s need to begin its attest work during this spring or summer. There may be an insufficient passage of time between remediated controls and a suitable sample test period, thus preventing the external auditor from issuing a “clean” opinion on the internal control structure.
Internal Staffing is an Issue
Many mid-sized companies operate with a lean or downsized staff, and regulators haven’t sufficiently considered how the required segregation of duties necessary to achieve an effective internal control system can be accomplished in a mid-sized company environment. There is some concern within these companies about the cost of adding on supervisory or management layers that produce no incremental revenue.
Additionally, the expectations for increased senior management oversight, in some cases requiring management to sign off on all significant transactions, is also perceived as a burden that distracts them from other critical aspects of running the business such as sales, finance, or operations.
The question being raised in middle-market boardrooms across the country is, “When, if ever, is it acceptable to allow organizational structures to operate without optimal segregation of duties?”
Auditor Relationships May Be Impacted
Accounting firms’ expectations regarding 404 scope, format, content and depth of required documentation continues to evolve. Without final PCAOB rules for performing audits and internal control, auditors are faced with more questions than answers. For example:
What testing methods, sample sizes, and over what periods should companies test their controls?
Most of the historical guidance relates to external auditors performing tests of internal controls in a financial statement audit. The scope and purpose of management’s testing to support the 404 assertion is much different, and consequently, historical testing guidance isn’t always a good fit.
Expectations vary from office to office and among partners in the external audit firms. We have participated in many discussions with financial executives and their auditors, who are totally noncommittal, and effectively provided little or no guidance to their clients.
While larger companies may have the resources to re-deploy staff into the field when more process/system specifics are needed, mid-sized companies often do not have the people or cannot afford to hire new staff.
Few internal financial accounting resources are available to work on SOX projects in addition to their normal day-to-day functions such as closing the books or preparing materials for the disclosure and audit committees. Many companies lack fulltime SOX project managers to run a 404 project and may also lack sufficient internal audit resources to perform independent testing and documentation.
Ethics programs, management integrity, tone at the top, and other governance themes must also be implemented and operated effectively. But typically these areas are not exposed as control weaknesses or deficiencies until something goes wrong.
CFOs are frustrated that the initial estimate of the hours required to get ready was significantly short of the mark; yet their audit committees and CEOs have memorized and sometimes budgeted based on those estimates.
Outsourcing, Information Systems, and Fees Pose More Questions
Mid-sized companies outsource many functions to third parties, and it is often difficult to get SAS70 Type II reports, especially from small, third-party organizations where the customer has no contractual right to audit. Type II SAS 70 reports typically include the organization’s description of their internal controls and detailed testing performed for at least a period of six months. The problem is exacerbated if the CFO is being told to immediately upgrade to a new payroll package because the legacy version will no longer be covered within the scope of the SAS70.
Most businesses of this size depend on manual processes or legacy information systems that lack current, relevant, and complete documentation. MIS staffing can be lean, and there is often no in-house talent to close any discovered gaps in technology processes. Finally, audit firms are still awaiting the final rules for performing an audit of internal control and, as such, can only estimate the level of effort it is going to take to issue a 404 attest report.
Companies have typically relied on their external auditor for guidance and knowledge regarding the latest accounting pronouncements and their impact, providing internal control recommendations, and reviewing tax accruals. The constantly evolving standards and regulatory interpretations can lead to confusion on both sides of the table about who can help who do what.
Fortunately, the SEC pushed back the deadline for compliance with Section 404 to begin with accelerated filers with fiscal year-ends on or after Nov. 15. Additionally, the Public Company Accounting Oversight Board recently adopted a standard on internal control over financial reporting. This new standard will need the SEC’s final approval.
Given the unique challenges faced by mid-size companies in implementing those new requirements, an extension of the deadline for reporting under Section 404 and the requisite implementing of permanent governance and control improvements was needed. Now, it’s time to take advantage of this reprieve and get to work.
Larry Baye is a principal in Grant Thornton’s Business Risk and Management Advisory Services group. Having joined the firm more than 20 years ago, he serves a broad range of public and private companies, government agencies, and not-for-profit organizations. He can be reached at email@example.com or (212) 542-9750.