As expected, there has been a lot of talk about the Wall Street Reform Act and what companies may do/not do if the permanent reprieve is granted. This is a very interesting topic for us since we understand the need to lessen the financial burden of an audit, but we often find it ironic that, even though our clients have been subjected to SOX 404(a) since 2007, they are still debating changing up their 404 activities if the reprieve is granted. To that end, I have to ask the question, what do you expect to change for your company if the reprieve were to happen (given that most of the companies debating this issue have never been subjected to a 404(b) audit – I’m missing the trigger that would cause the need for this debate…could it be that most of them were only doing Sarbanes-Oxley work because of the fear of review by their external auditor and now that they may never be subjected to a full-blown 404(b) audit they may decide to do nothing?!?!?… (which would be fraud by the way per the 302/906 certifications and 10Q Item 4’s and 10K Item 9’s but that is beside the point))?
The biggest debate point we hear about is the desire to bring testing "in-house."
This can be a good option for some companies, but some of the pitfalls we see when companies try to do this are that they get busy and do not allocate enough time to the testing effort. Then, come audit time, because 404(b) isn’t in effect, there is an assumption that the external auditors will not ask for any documentation, which isn’t a safe assumption. I was at Windes & McClaughry in Irvine, CA on Friday and Partner Vernon Moore said if 404(b) gets pulled, they will start reviewing their clients’ claims about 404(a) compliance before they sign off on the 10K’s, which could include testing, etc. This makes sense to me considering they have liability associated with their audits and if they believe a company isn’t necessarily doing everything needed to warrant their clean 404(a) claim then they could be on the hook if a shareholder lawsuit were to happen because of fraud (think Koss).
To this extent, they are planning to travel to China to test controls that support the 404(a) claims in-person for a non-accelerated filer this year, regardless of the vote outcome. I expect this to be the norm if the 404(b) reprieve is handed down.
Another thing to consider is that 404(b) isn’t the only requirement for external auditors to review internal controls as part of their audit. The AICPA handed down the mandate that all external auditors must review internal controls as part of their audit. This has been in place since 2006. If you are a non-accelerated filer and your external auditors asked you for internal controls documentation then this is probably why. At one of our clients last year, their external auditors tested their controls for the entire year and only relied on our testing for the time frame that was within the remediation period (so, yes, they were testing controls for a non-accelerated filer during Q1 who had claimed the control had only started working in Q2). Luckily, we were able to save them 50% on their audit fees associated with their control testing since their auditors understand our documentation and appreciate our independence, and that allows them to rely on our testing more so than when this client was doing it in-house. This could be a good measure for anyone considering taking testing in-house; if you are able to decipher how much of your audit fee is related to control testing, then a good calculation would be to double that figure to see if it would be worthwhile to bring it in-house.
Another thing to be cautious of is who you would allocate for the controls testing job. Often, this job falls to a more junior person who, in most cases, will not catch issues or in the past has been the reason deficiencies were found. Long story short, it is our experience that companies who bring it in-house experience more costs due to lack of independence, deficiencies not being found, and external audit dissatisfaction, which ultimately leads them to taking it back out-of-house. It is often a situation of penny wise and pound foolish.
Final note – it is VERY easy to assume compliance. Of the 366 companies who received a qualified opinion through May 2, 2005 (the first year of 404(b) for accelerated filers), 94% of these companies said they were clean in the previous quarter’s 302/906 certifications (from Compliance Week, "SOX 404 Deficiencies Preceded By 'Effective' 302 Reports" by Melissa Klein Aguilar — July 26, 2005). So, 94% of them assumed wrong. This always leads me to question, was it fraud for the CEO/CFO to sign off on the 302/906? I am certain in some cases, if the argument was made, it could be shown that there was some previous knowledge of lack of controls or that there was not enough diligence made by management to ensure the controls were in place, properly tested, and functioning, etc. So, if this were to be brought to court and proven, remember, if fraud is found, your D&O insurance will NOT cover you. What is your peace of mind and freedom worth? Penny wise and pound foolish… saving the company a few thousand dollars will prove to be cheap if you are found negligent by your shareholders.