|Alexander Steffan is an attorney at Robinson & Cole LLP. The views expressed in this article are his own and do not reflect those of Robinson & Cole or its clients.
When Congress adopted the Sarbanes-Oxley Act in July 2002, one of the less controversial provisions was section 404. In the statute it sounds fairly simple: Management must review its company's internal controls regularly for weaknesses that could lead to fraud. The auditor then attests to, and reports on, management's assessment. For lawyers, in particular, this seems innocent enough. It is accounting related and something for the auditors to deal with. However, with the final implementing rules due to go into effect at any time, section 404 is posed to be the most expensive of all the Sarbanes-Oxley reforms and, unfortunately, one that ultimately weakens public company audit committees and fails to address the problems at the heart of many of the recent corporate scandals.
A common theme links many of the stunning corporate collapses of the last four years: powerful upper-level management, despite detailed audit protocols and accounting rules, deceived their outside auditors and audit committees. Enron executives only opaquely disclosed off-balance-sheet liabilities. At Parmalat, management allegedly convinced the company's auditors that the company had billions in cash reserves that actually did not exist. Adelphia belatedly disclosed the fact the corporation was liable for billions of dollars of the controlling family's debts, despite alleged earlier knowledge by Adelphia's auditor. Also prevalent at Enron, Adelphia and Parmalat was the use of corporate assets by management, either with the board of directors' approval or without. In almost every instance, the audit committee and the auditors did not force greater disclosure.
Many commentators have concluded this was the result of an imbalance of power between management and those who oversaw it. Compared to audit committees, management had an advantage because they had vastly more information about the corporation's activities than the audit committee members. Many have concluded the auditors were in a weakened position because of lucrative, and carefully cultivated, relationships they were loath to ruin by challenging management. If there is a lesson, it is that rules are not enough. Checks and balances have to be built into the relationship between management and its overseers.
In response to these scandals, Congress passed the Sarbanes-Oxley Act. Many of the provisions and subsequent implementing rules directly address the imbalance of power that led to so many of these scandals: Enhanced disclosure on fees paid to auditors, higher standards for director independence, a new emphasis on audit committees, requirements that management be personally responsible for financial statements, better disclosure of off-balance-sheet liabilities and forced rotation of the people overseeing a corporation's audits.
Add to this mix section 404. This provision does not follow the same path. section 404 addresses "internal controls over financial reporting," i.e. the process designed to "provide reasonable assurance regarding the reliability of financial reporting," including procedures regarding the maintenance of records and the recording of transactions in a manner that permits the accurate preparation of financial statements, control over payments and the detection of unauthorized acquisition, use or disposition of assets. Section 404 requires management to review these processes to find weaknesses that would allow employees to distort results or misuse corporate assets. The auditors "attest" to management's review to ensure it has been through and complete. However, this ignores the central lesson: if there is an imbalance of power between management and the corporation's auditors, no amount of process oriented rules are going to even the balance.
Nevertheless, section 404 mandates the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board to issue the necessary implementing rules. The SEC has completed its rules, which go into effect later this year. See Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release Nos. 33-8238 and 34-47986. The PCAOB has finalized its rules, which as the Section Review went to press, only await final SEC approval.
The SEC rules, tracking section 404, require all corporations that report under section 13(a) or 15(d) of the Exchange Act (i.e., all "public" companies) to evaluate their internal controls over financial reporting annually, then have their auditors attest to this evaluation and, finally, report their findings in the corporation's annual report.
The first issue under section 404 is what standards management should use in evaluating its internal controls. This question may be easier than it first appears. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a long-standing private sector organization dedicated to reducing financial fraud, has developed a set of recommended practices they refer to as "Internal Control - Integrated Framework." The SEC has stated these guidelines "satisf(y)" its "criteria, and by doing so has essentially made them the standard against which companies should evaluate their system of internal controls.
However, addressing the second issue, how to implement those standards, quickly escalates costs. Once an external review of a process is put in place, the process must be documented with more care. This creates more work for a corporation's staff both initially, in setting up more formal systems, and in executing them in the future. In addition, the PCAOB has taken a strong position on the auditor's role that is contributing to higher expenses.
The PCAOB has concluded section 404 requires an auditor to attest management's assessment "that internal control is effective, not just to the adequacy of management's process for determining whether internal control is effective." Barring a highly unlikely eleventh hour intervention by the SEC, the auditor's review of internal controls will be integrated into the more general audit process.
This has important consequences. It means auditors need not only evaluate management's assessment, but also need to test the effectiveness of the internal controls. Such testing requires auditors to "walk through" how a corporation's routine and extraordinary transactions are processed from origination, into the accompanying paperwork (bills of lading, approval forms, etc.), through the corporation's accounting and information systems and, finally, to its internal and external financial reports. This is, by necessity, an expensive process.
Interestingly, the audit committee that oversees the company's financial statements has only a limited role in this process. As a sign of how little they are involved, PCAOB rules contemplate an evaluation of the audit committee's performance as part of the auditor's review. In fact, by the structure of the rules, management is wholly responsible for the internal financial controls.
In the end, management will do an evaluation and the auditor will attest to the report. The audit committee will only be tangentially involved. In essence, section 404 and it accompanying rules create the same dynamic as Enron or Adelphia in preparing financial statements: Management has control of the process, a well-compensated auditor is involved to make sure a detailed set of requirements are met, while the independent audit committee is left in the dark with only a limited role.
Costs and benefits
The costs are expected to be significant. A survey by Financial Executives International shows corporations expect to spend next year between $174,000, for corporations with less than $25 million in revenues, and $750,000, for corporations with more than $5 billion in revenues, on additional fees to auditors and consultants alone. A third of this money is expected to go to company auditors for the necessary additional audit work. This does not count the estimated 1,150 hours of additional staff time even the smallest public companies expect to spend. The benefits are likely to be incremental. Douglas Carmichael, the PCAOB's chief auditor, believes these rules will help smaller companies because fraud is more prevalent at smaller companies, which in turn hurts their access to capital. While laudable, Congress was not targeting these smaller companies. Congress aimed Sarbanes-Oxley at solving the problem of the largest and most scrutinized public companies deceiving their auditors and external analysts. While it seems the rules will help tighten internal controls and prevent embezzlement by lower level management and employees, the rules do not address the problem of senior management systematically deceiving their auditors and audit committee. While reducing fraud of all types clearly benefits investors, section 404 does not seem likely to prevent the large-scale fraud that Sarbanes-Oxley was designed to prevent because it does not address the risk that senior management is deeply involved.
Section 404 and its related rules seem to force the innocent to expend significant resources proving their innocence, while providing little protection to investors from the excesses of unchecked management.
It is hard to argue that stronger internal controls are an unworthy goal. However, in corporate governance, as in national governance, a system of checks and balances on power is the best method for reducing corruption. And it seems to me the audit committee of the board of directors is best positioned to provide the necessary oversight of the relationship between management and the auditors.
With new rules recently adopted by the New York Stock Exchange and NASDAQ specifically designed to strengthen the independence of audit committees, it might be better to make them a major player. Indeed, PCAOB has already made the argument for their involvement. Internal control is critical to supporting reliable financial reporting, the PCAOB has argued, therefore internal controls should be audited just like the balance sheet. It would seem the PCAOB should take the next logical step: if internal controls are integral to the production of reliable financial statements, audit committees should be at the center of the review. However, the PCAOB is stuck thinking of audit committees are part of the system instead of the auditor's ultimate boss. I believe if audit committees where asked to include a section on internal control in their annual report, and, given the resources and responsibility to hire their own experts, perhaps they would have the information and incentive to provide an independent perspective. A better use of the $50,000 smaller public companies expect to spend on additional audit fees might be for the audit committee to hire their own expert to do a truly independent review of the company internal controls. Investors could then be comforted that their representatives, the board of directors, were truly knowledgeable about the strengths and weakness of the corporation's internal controls and, hopefully, in a better position to challenge management when they need to.