Leveraging Auditing Standard No.5 to Streamline SOX Compliance

If you think that a lot of your enterprise’s resources are being drained on Sarbanes-Oxley (SOX) compliance, you’re not alone. Despite three years of experience with Sarbanes-Oxley, auditors and enterprises still struggle to achieve a balance between effective compliance, and the high cost sustaining the SOX initiative. Kenneth Wilcox1, President and CEO of SVB Financial Group, alleges that his company paid over $20 million to the Big Four accounting firms in 2006 - an increase of more than five times what it paid in 2003. In particular, he says audits today are prolonged, require more personnel, and auditors have an overly broad definition of "materiality", than what is relevant to SOX.

The soaring SOX costs have not gone unnoticed by the Public Company Accounting Oversight Board (PCAOB). The PCAOB has seen how the accounting firms have run up huge fees, and forced clients to spend millions of dollars on redundant IT systems and unnecessary controls. In response, on May 24, 2007, the PCAOB adopted a new auditing standard - “An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements” (AS5) - that replaces the relevant guidance in Auditing Standard 2.

AS5 has added new dimensions to SOX 404 compliance - focusing audits on core matters, eliminating unnecessary procedures, scaling audits for smaller companies, and simplifying compliance requirements. As a result, many finance experts expect AS5 to trim down the costs for SOX 404 compliance. “With AS5, we now have clearer, more substantial support for a risk-based approach,” says GRC expert of a leading enterprise, "It will be a catalyst to help auditors rely more on their judgment and that will cut costs.” AS5’s Impact: Streamlined and Less Costly SOX Compliance
As corporations and auditors eagerly await the outcome of the new standards, the question on everyone’s mind is “Did the PCAOB and SEC (Securities and Exchange Commission) meet the goal of a streamlined and economical SOX compliance?” To evaluate this question, let’s breakdown the key elements of AS5 that affect SOX compliance procedures:

Top- Down and Risk- Based Approach: Focus on matters resulting in material weakness
AS5 promotes a top-down, risk-based approach while assessing internal controls of an enterprise - eliminating numerous prescriptive requirements in AS2 that drove overzealous auditing. Most financial executives see the new standard leading to fewer checklists and more work in identifying areas where a company’s risks of financial misstatement are greater. For example, for auditors and management it means moving away from documenting and testing almost all the controls and focusing instead on the risk -prone areas.

Entity Level Controls: Critical component and not after thoughts
Entity level controls are a critical component of internal controls, and not the after thoughts of a financial misstatement. This concept finds relevance in the AS5 guidelines, which defines the position of entity-level controls within COSO’s internal control framework, and includes measures like monitoring inherent risks in key accounts and operations, establishing an ethical code of conduct for all employees, maintaining an appropriate tone at the top, developing comprehensive risk management policies especially anti-fraud policies, performing a background check for all new accounting and financial positions, and having an appropriate whistleblower procedure in place.

Compliance Tied to Financial Reporting: Re-evaluating key controls based on financial statements
AS5 requires auditors to tie compliance directly to its impact on financial reporting and eliminate non-financial reporting related controls. As stated by one of the PCAOB’s technical policy implementation directors, “If you can’t link something to the financial statements, it’s out of scope. We used to hear people talk about the financial-transaction flows through the system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk.” Most enterprises believe that this will result in significant efficiency gains in SOX documentation and testing phases, and reduce overall compliance costs.

Flexibility in Using Work of Others and Walkthroughs: Eliminating unnecessary procedures
AS5 consistently emphasizes the need to eliminate unnecessary audit procedures and higher-than-expected SOX compliance costs. It endorses the use of work of company personnel, other than internal auditors and third parties working under the direction of management, by an external auditor. Recalibrating walkthrough requirements, AS5 gives the auditor flexibility to achieve the objectives of a walkthrough, or to use a client’s internal staff, or other outside resources under the auditor’s supervision to perform the walkthrough. Also, auditor can leverage results of the prior years in assessing risk.

Exercise Judgment, and Knowledge of Relative Risk in Designing Plan: Simplifying requirements
Previously companies were forced to react and align their approaches to those of their external auditors. Now, management can step back, think through the process, and use more judgment in designing and implementing SOX compliance program, focusing on efficiency in low-risk areas while performing more extensive testing in high-risk areas. There is no longer a ‘one-size-fits-all’ approach to SOX implementation.

Opportunities for the Management: Benefits Outweigh Cost of Compliance
AS5 allows management to take a fresh look at its organization’s compliance process - allowing the organization to focus on the issues likely to pose a greater risk to financial reporting, and reduce the number of controls to be actually tested in performing its evaluation- thus reducing effort and cost. Since AS5 is relevant to companies of all sizes, non-accelerated filers that did not previously comply with SOX Section 404 will now have to comply. Also, in the past organizations viewed SOX 404 as a huge compliance cost. The SEC and PCAOB, through the revised guidance, want to change this perspective. Arnold Hanish2, Executive Director, Finance, and CAO at Eli Lilly & Co. and Chairman of FEI’s Committee on Corporate Reporting (CCR), thinks AS5 will bring cost- relief for most multinationals because of reduced testing - based on its new “top-down, risk-based” ethic. He anticipates that the companies will narrow their focus to the high risk areas, achieving a better tradeoff between the quality of controls assurance and the cost of compliance.

Technology - Driven Solutions: Taking Control of SOX Compliance
Opportunities never come without a price. With Auditing Standard 5 come new compliance definitions, requirements and standards; forcing boards and managers to adopt an integrated approach to risk management as a business enabler and value driver. Amidst this dynamic environment, profitable companies are adopting various technology-driven solutions, like MetricStream, which leverage a variety of tools and strategies to ensure compliance in an efficient and cost-effective manner. These solutions employ tools, like materiality analyzer, risk calculator, central risk repository, reports and risk dashboards, which help companies to reduce risk and audit complexity, and alleviate the costs arising out of risk mismanagement. By leveraging risk-adjusted metrics and following processes like audit trails, control self assessments, entity- level controls’ documentation, and structured workflow for evaluating deficiencies, these solutions help enterprises follow the AS5’s guidelines diligently, and increase an enterprise's potential to drive growth and sustain value. As put by the CRO of a large enterprise, “We are much better poised to address ensuing audit and regulatory requirements while armed with an automated solution.”

(Please click on image for enhanced version)

Conclusion:
The PCAOB and the SEC have good intentions in developing AS5: more flexibility, more discretion, less cost and the ability for smaller public companies to develop their compliance structure. AS5, if implemented efficiently, should result in a more focused and efficient process. Now is the time for management and auditors to "re-vamp" their SOX 404 compliance framework, and continue to work together to determine if they can realize greater efficiencies and value from their compliance processes. Enterprises have the opportunity to employ automated tools like materiality analyzer, risk calculator, central risk repository, comprehensive reports, and risk dashboards, review and improve their entity-level controls and risk management processes, and reduce compliance costs. In addition, by working with the external audit firm to incorporate this guidance into the audit scope and implementing technology-driven solutions, companies can reap the business benefits that come with improved risk management, including loss reduction, improved credit ratings and enhanced overall organizational performance.