
Moderator: Welcome to another edition of Deloitte Insights, a production of Deloitte & Touche USA LLP. Deloitte Insights is an audio news magazine that looks at important business issues. Today’s program: “Leveraging the New Sarbanes-Oxley 404 Guidance: A Refined Approach to SOX.”
You don’t want to travel to an unfamiliar destination without a map, but a map is only useful if you can figure out where you are and where you’re going. The same holds true for companies as they try to figure out where they are on the road to Sarbanes-Oxley (SOX) 404 compliance, and they have good reason to get it right.
In fact, many organizations have reaped significant benefits by following new guidance from the Securities and Exchange Commission (SEC), as well as the revised auditing standard issued by the PCAOB, the Public Company Accounting Oversight Board.
By getting a handle on their internal controls, companies can reduce the risk of making material misstatements in financial reports and minimize the possibility of fraud. And by anticipating what can go wrong and marshaling resources such as IT (information technology), global companies and small companies alike can bolster their efficiency while safeguarding the interests of investors. For those companies that are at the start of their journeys, it’s time to get out the maps and find out where they are with SOX 404 compliance.
Here today to act as our guides and explain what the SEC recommendations and revised PCAOB auditing standard mean for both accelerated filers and smaller reporting companies are Nick Tommasino and Steve Wagner.
Nick Tommasino is chairman and CEO of Deloitte & Touche LLP. Steve Wagner is the managing partner for the Deloitte & Touche USA LLP Center for Corporate Governance.
Welcome to Deloitte Insights.
Steve Wagner: Thank you very much.
Nick Tommasino: Thank you.
Moderator: Why did the SEC issue additional guidance around Sarbanes 404 at this time, and basically what does the guidance say?
Nick Tommasino: Well when Section 404 was initially adopted there was actually very little guidance issued to management around what management needed to do. Management tended to default to what the auditors were required to do. They relied on outside consultants in terms of readiness and at the end of the day that proved to be pretty much an inefficient and very costly process. Management and corporate America, of course, over the past few years have talked about the need for additional guidance to really streamline the efforts and to make sure that at the end of the day the process was cost effective and that they could play an important role in also reducing the amount of work that auditors would need to ultimately perform.
Steve Wagner: One of the things that I think is appropriate to comment on is the fact that over the past several years the SEC has attempted to open the doors and really encourage as much input as they could possibly get from registrants from both large and small companies and particularly from audit practitioners who were involved in actually executing the internal control audit assessment. And essentially on the basis of all of that feedback, I think they concluded clearly that we really couldn’t get by without having the benefit of some reasonably precise guidance from the SEC to help companies to determine exactly how they should approach their assessment of internal control over financial reporting because, as you mentioned, this defaulting to AS2 (Auditing Standard No. 2) created a cumbersome and overly complicated methodology for companies to follow, which resulted in very, very high costs, which were frankly, I think, determined to be unacceptable and so this new path was provided.
Nick Tommasino: That’s right, and I think one thing that’s also important to note is that right now where we are there’s probably a very significant difference between the accelerated filers and small reporting companies in terms of what needs to be done. For example, the larger accelerated filers have had the benefit of a couple of years of implementation, have drawn on some of the recommendations that the PCAOB issued back in May of 2005 relative to some efficiencies and important recommendations, and at the end of the day they’ve taken a journey that is focused on basically rationalizing controls, using technology, their technology platform, as a way of being more efficient in their testing and testing the appropriate controls. On the other hand, for many of the smaller reporting companies, that journey is just beginning. So, they will have the advantage of taking many of the learnings, but at the end of the day I think we’re at a point now where we really do need to step back and look hard at what management is doing and the interaction and communication that they’re having with their auditors.
Steve Wagner: Good point, and it might be worth just commenting on some of the maybe the specifics of what this SEC guidance contains. You know, one of the things that we talk about frequently in our discussions with clients is this top-down risk-based approach, and the fact that we’re moving towards a principles-based concept. Both of those things I think are key to effectively understanding the direction that the SEC was headed in when they introduced these new guidelines. And I think essentially the concepts of top-down and principles-based are intended to empower registrants with more judgment and more ability to customize their approach without this reliance on the way the auditors execute their responsibilities. So, it’s essentially giving them the freedom to choose the path that they want to go on to perform their assessment of the effectiveness of internal controls over financial reporting and starting with those big risks that affect the quality of financial reporting and then moving down as opposed to starting in the opposite direction, which is really what happened in the first round of compliance. They started at the bottom with the detailed process level and transaction level controls and worked their way up and that proved to be inordinately inefficient.
Nick Tommasino: Well that’s right, and I think companies did initially start with a bottom-up approach and certainly learnings over the years have really mandated that they take more of a top-down risk-based approach. And one of the more significant changes that has also occurred over the years is a reliance on entity level controls. You know, companies have internal control structures established where there might be a whole series, 10, 15, 20 controls in place around a particular area, but at the end of the day there could be an entity level control. That one control might be sufficient in performing the testing that will give management the coverage that they need in order to be satisfied that they are appropriately managing the risk in that particular area.
Steve Wagner: Of course it’s also appropriate to point out that not everything was thrown out, right? I mean, you can still, companies are still encouraged to use COSO (Committee of Sponsoring Organizations of the Treadway Commission) as the framework that they rely on as the basis of their evaluation of internal controls. And much of the work that has previously been done can continue to be utilized. It’s not as if companies need to start all over again and completely reengineer their whole approach. They really have the option, right? They can stay on the path that they were on previously or they can embrace this new top-down risk-based approach.
Nick Tommasino: That’s exactly right. One of the other benefits that’s probably worth mentioning is under this new guidance, you know, clearly management does need to look at the organization, the different subsidiaries, locations and make assessments as to where the testing is actually required. Early on when AS2 was in place and companies looked to the auditors in terms of guidance and outside consultants for guidance, it was very apparent that they were looking to get a certain level of coverage as opposed to covering specific risks at certain entities abroad. And I think management now has the opportunity to rethink that entire process and truly focus on where the risks are. Where the risks for material misstatement might lie in each of its foreign entities as opposed to simply trying to get coverage across the board.
Moderator: How well do you think companies are doing in understanding the new guidance, and how well do you think they’re doing implementing its recommendations?
Steve Wagner: Good question. Well, I’ll tell you. I think it’s sort of all over the place. We’ve done some recent surveying using our communications and Dbriefs for financial reporting, and we’ve covered the topic of the new guidance over a series that we’ve done. We’ve also asked for input from our listeners, and the audiences tend to be quite large, well in excess of 2,000 attendees at each of those presentations. And we asked them how they were doing. Whether they understood the new guidance, how they were feeling about their confidence level in applying it and so forth. I think we found that about 25 percent of our listeners really did not have a grasp of the new guidance and how to implement it. About 50 percent felt somewhat comfortable and then the balance of 25 percent felt more confident in their abilities to handle the new guidance.
Now, what that means is simply that any time something new rolls down the pike it takes time to actually absorb the new guidance and figure out how it applies to your particular situation and then to customize it. There’s still a lot of work to do. And I know that there are a number of companies who are in situations where there’s a lot of, for example, they’re in a state of flux, lots of change, embracing perhaps implementation of new complex IT systems or other things that may cause them to defer from embracing the new guidance holistically and immediately because they have so much other change to manage. There’s only so much capacity within an organization to manage change. Having said that, I think those are a relatively small percentage of the population of companies, and I think once we get beyond this kind of initial year, both for the smaller reporting companies and for those accelerated filers that have been doing this already before, I think the comfort level is going to increase quite a bit.
Nick Tommasino: Yeah Steve, I think in particular for some of the smaller reporting companies it is a bit more challenging. They’ve never gone through this process. They’ve certainly heard a lot about it. They’ve been following it, but if I were to just look at our own clients as a basis, we have several hundred smaller reporting companies, and I will tell you it isn’t until just recently that we’ve really seen our clients begin to get engaged, or the vast majority of our clients getting engaged, in this process and starting to communicate with the auditors. And one of the really important things about this new guidance is that it really does require constant communication with the external auditors to ensure that what management is doing is acceptable from the auditor’s perspective, certainly following the SEC guidance, but at the end of the day some of the biggest impact and most significant efficiencies will come from the auditor’s ability to rely on what management has done in order to come to its own assessment of and report on the internal controls processes.
And to the extent that they’re not communicating with auditors early on, I think a lot of that benefit will be lost, but we are now seeing companies realizing that that is an important part of the process and we’re seeing much more communication. So, maybe they didn’t get it at first, but we’re seeing many more companies stepping up and reaching out and wanting to make sure that they understand what needs to be done.
Steve Wagner: I think if we were to assemble all the lessons learned from that first round of compliance activity that occurred actually over a three year period, I think there is quite an assemblage of things we wouldn’t do again, both on the auditor’s side and on the company’s side, and we’d certainly engage executive sponsorship much earlier. I think companies would try and make sure they had a more clearly defined role for their internal auditors in relation to what the external auditors would be doing. I think there would be an earlier plan developed to address and correct deficiencies that were identified. Not just those material weaknesses, but all deficiencies. I think there would be much better cooperation or communication with the audit committee and bringing them on board much sooner. There are lots of lessons learned that I think will be beneficial to companies going forward and will help those smaller reporting companies if they avail themselves of those learnings, to set themselves up well for success during this first year of their implementation effort.
Moderator: The new SEC guidelines and revised auditing standard can help management and auditors in several important ways. Could you discuss these benefits in more detail?
Nick Tommasino: With respect to management, there are a couple important things that the new guidelines should accomplish. First of all, we’ve already talked about how it focuses on the most important risk. I mean, when you have a top-down risk-based approach, you really are going to focus on those areas that represent potential for material misstatement in the financial statements. And you really need to focus on the financial statements. We should not go much beyond that. What we’re talking about are, you know, the internal controls over financial reporting and ultimately the end product is the financial statements that are issued by management. So, certainly focusing on the important risks, clearly important.
Reducing the cost of compliance in a number of ways. First of all, by using this more efficient method, focusing on the controls internally, management should be able to realize significant savings. If there is appropriate communication with the external auditors around what management is doing, the auditors can actually plan upfront what type of work they would like to rely on that management is doing, because one of the important changes in the new SEC guidance is it does allow auditors to place reliance on work in certain areas that management has performed in order to complete its own assessment. So, clearly there can be some significant savings there.
The other thing, which we alluded to before, is reliance on entity level controls. I think in the past as Steve described before, many companies were taking this bottom-up approach and really starting with the controls at the lowest level and then ultimately working their way up. With this top-down approach you can really look at whether or not entity level controls will be satisfactory in addressing and eliminating or preventing many of the potential material misstatements. And I think companies need to avail themselves of many of those controls, especially those that are automated controls.
Steve Wagner: One other, I think, really profound improvement that will occur as a result of this new guidance is a greater sense of being imputed to the auditors that they can have a much more meaningful dialogue with their clients. You know, we went through a period of time as auditors when we were confused as to the degree to which we could engage in discussions and provide advice to our clients. That was as a result of some very strict interpretations of independence rules, which were being discussed by the PCAOB and frankly being relayed to us. And I think what we’re seeing now is a much more balanced perspective. I think our clients understand and rightfully expect us to be able to provide them with help even though we can’t do their work for them, we can’t design their controls, we can’t execute their controls and we can’t evaluate their controls for them. We have to do our own independent assessment. At the same time, however, we can help them with an outline of a successful program, we can help them understand the steps they need to take, you know, we can help them benefit from the experience that we have had in doing literally hundreds and hundreds and hundreds of these internal control audits, which we’ve done now over the past several years, and they can benefit tremendously from that. So, that’s really I think one of the profound shifts that is occurring as a result of this new guidance, in this new era that I’ll say we’re moving into.
Nick Tommasino: Yeah, and I think Steve, we shouldn’t lose sight of the fact that a lot of progress had actually been made even prior to the new guidance coming out, but I think the new guidance really does make it very clear as to where some of the further efficiencies can be achieved. I mean, clearly when you look at year one, we talked about the lack of guidance, reliance on consultants and what the auditors were doing, but over the years companies have really worked with their auditors. As you said, once we kind of cleared up what it is that we could and could not do relative to communications, advice, etcetera, we’ve realized a lot of savings and efficiencies, but the new guidance with the concepts of a top-down risk-based approach, entity level controls, auditors relying on what management is doing in terms of assessment, I think takes that now to another level, and a lot of the savings clearly are going to be internal type savings because management really will be looking at internal controls over financial reporting and the assessment that they make from a different perspective than perhaps they had been in the past. And the auditors will still need to do what they do, but I think they too under the new guidance under AS5 have significant opportunities for efficiencies.
Moderator: Can you describe the relationship between management and auditors, both internal and independent, and their individual roles in addressing the new guidance?
Steve Wagner: You know, management and auditors have a similar set of responsibilities although they need to be executed separately. I mean, each of us needs to do a risk assessment, each of us needs to devise a methodology for assessing the effectiveness of internal control over financial reporting. The auditor’s set of responsibilities is dictated by AS5, Auditing Standard 5, issued by the PCAOB. Auditing Standard 5 has taken some major changes and shifts from what was previously required by AS2. It’s far less prescriptive. We’re not required to do the level of detail activities that we were required to do under AS2. We ourselves are given more opportunity to exercise judgment in the exercise of our responsibilities similarly to management. Management no longer has to follow the path that the auditors had to chart. We didn’t have guidance for companies, so they were defaulting to this AS2, which Nick referred to in his comments earlier.
So, you know, I think the relationship between the company and management and the auditors really is far more healthy under this current set of guidance. And I think we’re finding that using a principles-based approach, which I mentioned in my initial comments, is really vital to what I’ll characterize as a healthy effort that’s positive and that really results in very positive observations and things that can help a company improve the overall quality of its financial reporting, because we can never forget what the objective is of all of this effort.
At the end of the day, it’s to assure investors that the information that they are getting and that they are relying on to make investment decisions is appropriately communicated and that it's based on an effective, well-controlled system that gives rise to that information.
Nick Tommasino: Steve, I think part of what this SEC guidance has accomplished is it has made it a little bit clearer as to, you know, what management’s responsibilities are and what the auditors’ responsibilities are. Prior to that, there really was no guidance and I think there was some confusion as to who was responsible for what. Certainly under the SEC guidance it’s very clear that management has responsibility for designing an effective system of internal control. They also are responsible for assessing it. They’re responsible for making sure that they are addressing the significant risks and addressing those areas where there’s potential for material misstatement. The auditors, on the other side, of course are charged with evaluating management’s assessment and doing the work around understanding what management has done, what the controls are, and ultimately getting to the point where they will be issuing an opinion on management’s controls.
So, while there’s a lot of working together, clearly there are very distinct differences in what the responsibilities are, and I think they’re more clearly defined now as a result of the SEC guidance.
Steve Wagner: Good point.
Moderator: A top-down risk-based approach to compliance consists of two basic components: identifying scope and identifying relevant financial reporting risks. First, could you tell us what’s involved in identifying scope and then what companies have to do to identify risk?
Steve Wagner: Well, scoping really involves figuring out what’s significant. What are the things that can have a significant impact on your company’s financial reporting? And when you look at kind of the major areas on the balance sheet it gives you a clue. It helps to kind of set your mind on concepts like materiality and what can really go wrong in that process.
One of the interesting things that occurred in the first round of SOX 404 activities that companies felt victimized by was that when the laws first came out, when the rules first came out, companies kind of rushed to their compliance activities. And I would characterize it as a ready, shoot, aim concept. And what I mean by that is companies were so eager to get on with their internal control activities and their projects that they really didn’t set their sights well on what the target was, what they were actually trying to achieve. And so they ran out and documented everything they could find. Every control they could find they tested, vastly more controls than were necessary to test. They included controls from an operations perspective and perhaps even from a strategic perspective; strategic controls were identified, documented and tested.
And as a result, there was an enormous amount of work that was undertaken which was not required for the mission. And I think one of the things that we’re seeing now is that we’re taking much more of a ready, aim, shoot perspective than was the case in the first round.
Nick Tommasino: Well, that’s right, Steve. I think as companies look at what they want to do, first companies are much more focused on the financial statements and the risks associated with material misstatements in the financial statements and really moving away from many of the other areas as you just referred to that they were looking at testing and assessing controls, which were not really relevant to the financial statements.
In terms of scoping I think management today has a much better understanding of what it is that they need to focus on. I mean, clearly anything that involves significant judgment could be susceptible to a potential misstatement. So, they are certainly focused on areas where judgment is involved. Anything where the risk of fraud is significant is something that they need to be considering. Something with complex accounting requirements, like, for example, hedging transactions, financial instruments, all of these areas would represent a much higher degree of risk because the competencies required are much greater, the technical requirements are very complex, and the potential risk for misstatement and material misstatement is usually greatest in those areas. So, these are the areas that I think management needs to focus much more on today and as we go forward, and I think that message certainly came out loud and clear in the SEC guidance.
Moderator: Let’s turn to controls. How does a company decide which controls should be implemented, and how do they decide which ones take precedence?
Steve Wagner: Well, I’ll refer back to some comments which Nick has made several times during our conversation here relating to entity level controls. I mean, Nick had emphasized the fact that entity level controls play a very big part in creating an efficient program around your assessment, and they do because they cover large territory, large turf. And the more you can concentrate on effective entity level controls it helps you to be able to kind of trade off those activities in that assessment process against testing far more controls at a lower level within the organization. So, ELCs (entity level controls) are one great option to concentrate on.
The second relates to automated controls, and if you think about what automated controls are, they are essentially controls that operate within the IT system. Why would we want to prefer those over manual controls? Well, it’s pretty easy, I mean, we use the analogy that automated controls never call in sick. And what we mean by that is simply that manual controls are done by human beings. Human beings only have so much reliability. You know, things happen with people, they get distracted, or they don’t come to work, or they don’t feel well, or something may occur that influences their ability to operate at 100 percent effectiveness. Whereas IT controls operate at 100 percent effectiveness and they can be easily tested throughout the year using monitoring techniques that can actually test the effectiveness of those controls on a constant basis. Whereas it’s not so easy to do that when you’re dealing with controls executed by individual human beings.
Nick Tommasino: Right. In fact Steve, the one point I would like to make here is that both of these concepts around automated controls and entity level controls are extremely important, in particular with the non-accelerated filers or small reporting companies. Many of these companies are not going to have the resources necessarily, the technical capabilities, segregation of duties, so it becomes much more important to really begin looking at how smaller companies, smaller reporting companies, can rely on these types of controls in order to effectively establish an internal control over financial reporting process. Very important because some of the smaller companies just will be strapped for resources and won’t necessarily have the competent resources to do what some of the larger entities are doing.
Steve Wagner: It also might be worth spending a minute just talking about preventive controls versus detective controls. When I was raised, my mother always reminded me that an ounce of prevention is worth a pound of cure. And what that simply meant was, you know, preventive measures from a health point of view are good things to do, and similarly with controls. If you think about controls that prevent bad things from happening, those controls are probably preferential to those controls that detect a bad thing once it's happened. It’s better to avoid it if you can or prevent it. And so the concentration on preventive controls is a preferred method. However, they do operate in a kind of symbiotic manner. I mean, you know, you can’t operate exclusively with preventive controls without having detective controls within your system, so it’s worth spending some time thinking about the character of controls. Are they preventive or detective? Preferential to preventive, but without throwing out the detective controls entirely as well.
Moderator: What are the major challenges that smaller companies face in assessing their internal controls?
Nick Tommasino: I actually started to allude to some of those just previously. Our smaller reporting companies face a whole host of challenges around compliance under 404. First of all, smaller companies clearly need to continue to focus on running their business, and certainly this can be viewed as a distraction by a lot of companies, and in fact it has been a point of contention for many smaller reporting companies that 404 will be a distraction.
The purpose of this guidance and the purpose of the revised standard under AS5 is really to make sure that it does not become a distraction, but management needs to make sure that they have the right processes in place, the right communications with their auditors, so that it is not a distraction.
We talked about limited resources at smaller companies. Limited resources in terms of the amount of resources and sometimes also in terms of the technical competency of those resources, so there will be some challenges in that arena. And of course, as we just talked about, you know, the automated controls, entity level controls, will play a much more important role in terms of getting satisfaction around the assessment that management needs to perform.
Also, some smaller companies may not have the requisite expertise at the board level to truly understand what needs to be done, how the board should oversee the process, what their roles and responsibilities are, and that could lead to some inefficiency because some board members that are “green” may look to overreach and do too much in terms of protecting themselves, protecting the shareholders, and not be as efficient as in fact they could otherwise be.
Steve Wagner: There are probably a couple of other things too that may be worth mentioning. One is segregation of duties. That’s always going to be a challenge in a small company because they just don’t have the breadth of resources that the larger organizations have. Nick referred to that in his comment around limited resources, but the whole notion of segregation of duties can become troubling because it can trigger some control deficiencies that you might not be anticipating.
And of course the last thing is, management’s got to be in the game. You know, I think that with smaller companies management tends to be more passionate and deeply involved in the operations of the business and it may be that management is actually in the way or finds themselves in the way if they don’t understand the appropriateness of their role in this whole process.
Moderator: What lessons can small companies learn from large accelerated filers?
Nick Tommasino: Well, I think one of the first things some of the smaller reporting companies should do is certainly reach out to some of the accelerated filers to understand the experiences that they’ve had. I also believe that right at the very start they really need to reach out to their auditors and have open and frequent communication around expectations, around what needs to be done. The auditors have a great deal of experience now, not only using the new standard with some of the accelerated filers, but certainly in the four years that we’ve been doing this I think we can provide a wealth of information, a lot of anecdotal information around how to get things done, some things to be concerned about. Open communication with the auditors, frequent communication, I think will lead to a more efficient and more effective process.
Steve Wagner: The list goes on and on actually. There are a lot of lessons that we can learn here. You know, again, I’ll reinforce Nick’s point about the use of ELCs, entity level controls, and how important the role they play is. In the first round of compliance ELCs were really kind of underutilized and many companies didn’t even understand the role that ELCs play in the internal control process, so I’d emphasize that. I’d say, you know, some of the basics are, well, make sure you focus on the financial reporting risks and not on operational risks or strategic risks or reputational risks. Stay narrowly focused. You know, it gets to that ready, aim, shoot. Well, make sure you take a good sight on the target and know what it is that you're trying to accomplish and don’t go beyond that.
Make sure you get executive sponsorship involved immediately. I mean, there have to be people within the organization who are extremely senior who embrace and adopt this responsibility as their own and that they make sure that the organization understands how important this is to the organization's reputation, to the veracity of its financial reporting, to the relationship that this activity has to stakeholders and shareholders. There’s a whole lot of stuff involved here which only senior executive sponsorship can actually kind of drive through the organization.
Nick Tommasino: The only other one I would add, and we touched on this before, is the importance of automated controls and therefore getting your IT departments involved very early on at the smaller reporting company level. I do believe that there's significant opportunity for efficiency if you have your IT people involved, if you've designed a platform that incorporates many of the control features that would otherwise be done manually. As Steve referred to before, the great thing about IT controls is that they don’t get tired, they don’t call in sick, they don’t get distracted, they’re reliable and certainly much easier to test.
Steve Wagner: You know, we’ve covered some of the other challenges and lessons previously in the conversation, so things like: making sure that the audit committee is involved and that they understand what their role is in this process; making sure that you identify those most effective controls and most efficient controls and start there in the process; make sure that you address those deficiencies early on and remediate them as quickly as possible; have a plan to make sure that they get remediated. And we talked about the allocation of resource challenge.
When you break it all down, you know, the simple and elegant kind of road map to compliance is very easy and very straightforward if you just organize it in five simple steps. The first is organize and launch your program; the second is identify your financial reporting risks; the third is identify those controls that address those financial reporting risks, recognizing you’re going to start with the most severe risks first; the fourth is evaluate the evidence of effectiveness of those controls; and the fifth is conclude and report. And if you break it down into those five simple kind of processes it helps to keep control of what you’re doing and helps you to avoid getting inefficient and ineffective in what you’re executing.
Nick Tommasino: Agree.
Moderator: Thank you both for joining us today on Deloitte Insights.
Steve Wagner: It was a pleasure.
Nick Tommasino: Thank you.
Moderator: Visit Deloitte.com to find “SOX Optimization: Improving Compliance, Efficiency and Effectiveness,” which served as the basis for today’s discussion, as well as articles, newsletters and other information of interest.
You’ve been listening to Deloitte & Touche USA LLP’s production of Deloitte Insights, the program that looks at today’s important business issues. We want to hear from you. Contact us with your feedback or suggestions for future podcast topics and find Deloitte Insights at Deloitte.com/US/podcasts. This has been a production of Deloitte & Touche USA LLP. Thanks for listening, and bye for now.