Auditing the Big Picture - InformationWeek


Auditing the Big Picture

PCAOB shifts focus to top-down SOX audits.

VentanaView™

Summary
In response to criticism of excessive costs for complying with the Sarbanes-Oxley Act, the Public Company Accounting Oversight Board (PCAOB or "Peek-a-boo"), a private-sector nonprofit created by Sarbanes-Oxley to oversee the auditors of public companies, recently issued new guidelines on how auditors should approach these audits. The guidelines begin to address the complaint that auditors and audit firms have been overly expansive in their interpretations of "materiality" and "probability" when it comes to assessing the degree of risk of a lapse in audited companies' financial or reporting controls and the likelihood that such a lapse will occur. The Board's new guidelines under Auditing Standard No. 2 favor a top-down approach over the exhaustive detail that has characterized Sarbanes-Oxley audits and driven up costs. This is a major shift in its position. This change in "tone at the top" is likely to cut SOX compliance costs for companies that have reasonably good controls while forcing those with inherent problems to address them. Ventana Research thinks the move will defuse some of the pressure to scrap the law, as we believe that by now, a solid majority of companies has adequate control systems in place and the SEC's moves will cut their compliance costs. We continue to recommend that companies focus on eliminating manual processes and the use of spreadsheets by increasing finance process automation and designing processes to simplify control.

Assessment
Evidence is mounting that Sarbanes-Oxley is receding as a critical issue for finance organizations. That does not mean it is going away: The SEC just rejected a recommendation from an advisory board that would exempt companies with market valuations of less than $128 million from the Act. The legislation, passed hastily in the wake of the outsized financial scandals of the turn of the century, touched off a firestorm of activity as companies and their auditors raced to figure out what the law required, particularly in Sections 404 and 302, and then meet the deadline. The Act was supposed to prevent new scandals from occurring by forcing all public U.S. companies to review their financial control systems periodically and make changes if auditors reviewing them determined they posed a risk of financial fraud or misstatement with respect to their public financial statements. In effect, it forced companies to switch from informal control systems to an explicit approach that relied more on preventive controls and monitoring than after-the-fact audits.

There has been pressure to roll back SOX and ongoing criticism of its enforcement because compliance has been expensive in direct costs for auditors and consultants as well as time spent by employees. In our judgment, Sarbanes-Oxley could not have prevented an Enron or any other major financial fraud from occurring, and we fully expect there will be at least one other major case of malfeasance exposed sometime in the next five years. Our research suggests that the SOX exercise was a waste of time for about one-fifth of the accelerated filers (the largest publicly traded companies, which were the first group to have to comply), because they already had reasonably tight controls. Still, we do not believe the law was a complete waste of time. We estimate about one-fourth of the accelerated filers were far enough out of control to be major accidents waiting to happen. Sarbanes-Oxley was useful to the shareholders and management of those companies because it exposed major shortcomings in their systems. We also expect the law will prevent many minor frauds from occurring, but since many of these are never discovered and the benefit is an avoided cost, no one will be able to put a value on it. Moreover, we have asserted for the past three years that companies that implement Sarbanes-Oxley correctly will be able to reduce their finance department's operating costs by increasing automation and eliminating errors and other process defects.

Recognizing the merit in many of the criticisms of the Act, the PCAOB has provided formal guidance on the intent of the law that should cut compliance costs. Confirming what most observers have said for the past few years, the Board has noted that rather than focusing on the big picture, auditors have been demanding that companies document and test a plethora of financial reporting processes and related controls. The oversight board now has directed that this detailed, bottom-up approach be replaced by an exception-based, top-down methodology. The initial focus now will be on enterprise/entity-level controls and examination of only those accounts and processes relevant to controlling financial statements against material fraud and misstatement.

This "clarification" is likely to save companies a significant amount of money in audit costs and reduce pressure on PCAOB and the SEC to dilute or eliminate Sarbanes-Oxley. Audit firms will no longer feel compelled to be punctilious simply to demonstrate due diligence, and their clients will have standing to push back on activities that inflate the cost of the audit. Companies with real control issues will continue to experience higher-than-average compliance costs if they do not address the substantive causes, but the bad apples will no longer be in the barrel with companies that have decent controls.

View
It was inevitable that the path to implementation of this hastily drafted legislation would be rocky. In the wake of the spectacular series of financial frauds early in this decade and the collapse of Arthur Andersen, audit firms and the PCAOB were understandably cautious in their approach to effecting the law. Now this major shift in how audit firms approach Sarbanes-Oxley assessments is further evidence of a swing in the compliance pendulum from caution to cost-effectiveness. Ventana Research recommends companies take advantage of this shift by updating accounting and other business processes to reduce compliance costs. In some cases, compliance management software and better use of an existing ERP system can be helpful in catalyzing and supporting such process changes.

About Ventana Research
Ventana Research is the leading Performance Management research and advisory services firm. By providing expert insight and detailed guidance, Ventana Research helps clients operate their companies more efficiently and effectively. These business improvements are delivered through a top-down approach that connects people, process, information and technology. What makes Ventana Research different from other analyst firms is a focus on Performance Management for finance, operations and IT. This focus, plus research as a foundation and reach into a community of over two million corporate executives through extensive media partnerships, allows Ventana Research to deliver a high-value, low-risk method for achieving optimal business performance. To learn how Ventana Research Performance Management workshops, assessments and advisory services can impact your bottom line, visit www.ventanaresearch.com.
2006 Ventana Research
