March 4, 2005
During the past 15 months, I have assisted ten public companies with their SOX 404 compliance effort for 2004. Some of the challenges I've seen include:
- Delayed guidance in 2004 final PCAOB ruling provided in early March 2004
- Delayed reaction to the guidance by the public accounting firms - the Big 4 firms really didn't begin to address this internally via training or externally with their clients until May 2004
- Lack of very specific guidance from the PCAOB has left too much to interpretation. For example, the level of detail documentation required varied by partner and resulted in unnecessary costs as firms redirected their teams' approach toward documentation and testing.
- Expectations of documentation and testing efforts varied across firms and across the industry resulting in little or no consistency in identifying and evaluating deficiencies.
- Lack of standardization of the approach across the accounting firms has resulted in varying levels of scrutiny of controls, e.g., one partner in a Big 4 firm insisted the fact the same person could initiate and post a journal entry was a significant design deficiency, yet another partner in the same firm didn't recognize this as a deficiency at his respective client. Another example is one Big 4 firm emphasized the need to provide a detailed review documentation and testing of each of the control environment areas and provided many of their clients with a template to assist them in this effort where another Big 4 firm didn't require nearly as much documentation and testing of the control environment.
- Lack of knowledge and training in controls documentation and testing effort - External auditors were used to testing financial results through substantive testing and had little or no experience testing controls around financial reporting. Internal auditors were used to testing operational controls or investigating specific account balances and had little or no experience testing controls across the entity at a controls objective and risk level.
- Limited resources with the appropriate skill set led to poor documentation and testing efforts by management as they either outsourced the work to third parties who often provided little or no training to their contractors or they attempted the effort internally with limited knowledge of the expectations of their external auditor
- Excessive amount of judgement in determining the significance of a deficiency and mitigating controls in place has resulted in similar deficiencies at different entities being reported differently
- Focus of the effort should also be placed on the Board, i.e., they should be criminally and financially responsible for SOX violations. Boards of Directors generally reward their executives based on the company's performance which provides a strong incentive to manipulate the results temporarily with the thought they'll make it up in the next period - which generally never occurs
- At the end of the day, if the executives of a public company want to manipulate their financial results, they can still do it
These are just a few thoughts. I'm sure you'll hear several similar to these from others.