SRC Insights, Third Quarter 2006
The feedback from public companies, including many financial institutions, on the first year of implementation for section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) was that the requirements were unexpectedly laborious and costly. Now that the second year of SOX 404 implementation is behind most financial institutions, several questions need to be asked. Did the lessons learned from year one of SOX 404 compliance help to create a more efficient and effective compliance process in year two? Overall, are internal controls over financial reporting generally better? This article intends to address these two questions, and it will also briefly discuss the regulatory response to feedback received from the first two years of SOX 404 compliance.
Year One: Lessons Learned
During the first year of the SOX 404 compliance process, many financial institutions may have underestimated how arduous the implementation process would be. It was especially difficult for those institutions that were already filers under section 36 of the FDI Act, because they envisioned that only minor to moderate changes would be necessary to their internal control assessment processes to satisfy SOX 404 requirements.
Consequently, some institutions encountered challenges with their compliance process, including a lack of ongoing communication with their board of directors and independent auditors, inadequate documentation and testing of controls, and insufficient allocation of resources. These challenges produced the following negative results:
Year Two: Slow Improvement
The results from year two of SOX 404 compliance were mixed. While the cost of compliance was reduced as anticipated by the Securities and Exchange Commission (SEC) and others, the decline was not as significant as anticipated. In addition, because the audit of internal controls is slowly becoming more integrated into the financial statement audit, it is often difficult to differentiate the costs of the two audits. Overall, year two did produce some improvements, but challenges remain.
Improved communication. Learning from the mistakes made during year one, many institutions communicated with their independent auditors early and often. Proactive discussions with their auditors provided a mutual understanding of the identified key controls, risks, and testing scope. Ongoing communication helped ensure continued agreement with regard to the sufficiency of required testing and the adequacy of remedial actions. As mentioned previously, during year one of SOX 404 compliance, some institutions incurred additional costs related to the need for additional resources to ensure compliance by the reporting deadline. Often, this was a result of the lack of early and ongoing communication with the auditors.
Cost reduction. As anticipated, the costs incurred for SOX 404 compliance declined in year two. A survey conducted by CRA International, Inc. reflected that smaller companies (i.e., with market capitalization between $75 million and $700 million) achieved a cost savings of approximately 31 percent, and large companies (i.e., with market capitalization over $700 million) benefited from a cost reduction of 44 percent.1
Financial institutions have indicated that they were able to achieve cost savings in year two primarily due to efficiencies gained from learning curve improvements. During year one, a considerable amount of time and effort was spent in establishing a framework to develop policies and procedures, identify controls, determine the key controls to be tested, and ascertain the adequacy of the documentation. The resources used to choose the method of identification, the mapping of controls, and the testing of procedures were greatly reduced in year two.
An analysis of some Third District institutions indicates cost savings resulting from a reduction in professional fees paid. In year one of SOX 404 compliance, many institutions engaged consulting firms or CPA firms to assist them at various stages of the SOX 404 implementation process. These institutions were generally able to continue utilizing and enhancing existing processes in year two without employing external resources.
Ongoing challenges. The independent auditors' lack of reliance on testing and other work performed by internal staff was one of the major complaints received by the SEC after year one of SOX 404 compliance. After the year two compliance process was complete, some financial institutions commented that, while their auditors did place more reliance on the work performed by internal staff, they also required management to conduct more transactional tests in order for the auditors to obtain a comfort level. As a result of this additional testing, some potential cost savings were lost.
Integrating the audit of internal control effectiveness over financial reporting with the financial statement audit continues to be a challenge. More progress is needed in this area in order to achieve efficiencies and to reduce audit costs. Currently, the Public Company Accounting Oversight Board (PCAOB) is considering amendments to Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2), which would reinforce the PCAOB's expectation that audits must be integrated and conducted in the most efficient manner while still achieving the objectives of the standard.
Another area that remains challenging is the role of the internal audit function in the SOX 404 compliance process. During the initial implementation of SOX 404, it was not uncommon for the regular audit program to be delayed or incomplete, as resources were diverted. In year two, there is still some evidence that internal audit's role remains significant, and as a result, there is the potential for independence to be compromised. In directing the resources to be used for the SOX 404 compliance process, management must accept and maintain the responsibility for internal controls over financial reporting.
Are Controls Generally Better?
Internal controls over financial reporting appear to have improved in 2005 based on a reduced number of institutions reporting material weaknesses in their annual reports. A review of more than 30 financial institutions' 2005 annual reports and 10-Ks in the Third District revealed that only two institutions had disclosed material weaknesses in internal controls over financial reporting. The disclosed material weaknesses pertained to misreporting or misclassification of items on the statement of cash flows.
In the prior year, nine institutions had received an adverse opinion on the effectiveness of internal controls over financial reporting due to material weaknesses uncovered either by bank management or independent auditors. The primary sources of the material weaknesses disclosed last year were related to a lack of segregation of duties affecting financial reporting controls, the ineffectiveness of controls over certain GAAP applications, and inadequate controls for and testing of information technology-related functions. One other positive sign after year two of the compliance process is that none of the nine institutions reported material weaknesses in their 2005 reports.
Potential Regulatory Changes
Both the SEC and the PCAOB continue to take action to address the ongoing feedback from public companies related to the cost of and the difficulty with implementing SOX 404. Additional guidance was issued after year one in an effort to reduce misconceptions surrounding compliance requirements and to clarify the regulators' expectations of the implementation process.
Recently, the SEC announced a three-part plan for issuing SOX 404 guidance for management. The guidance is intended to assist management in performing a top-down, risk-based assessment of internal controls over financial reporting. Part one of the plan, the release of a concept statement for public comment, was completed on July 11, 2006. Also as part of its plan, the SEC intends to address specific SOX 404 compliance concerns related to smaller public companies.
As mentioned previously, the PCAOB is currently considering amendments to AS 2. These amendments are part of a four-point plan announced on May 17, 2006, to improve implementation of internal control reporting requirements. The four points in the plan are listed below:
Conclusion
Financial institutions and their registered public accounting firms used the lessons learned from year one of the SOX 404 compliance process and were able to gain some efficiencies and improved effectiveness in year two. Overall, however, while some financial institutions have indicated that SOX 404 compliance costs have declined, many institutions still have reservations about the benefits of implementing SOX 404 versus the costs incurred to implement the compliance process.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.