SOX Compliance Full of Holes

PUBLIC COMPANIES seeking to report their assessment of the effectiveness of internal controls, as required by Sarbanes-Oxley and the auditing standard that implements it, may deserve an "A" for effort, but not for execution.

Last year was the first year in which public companies had to comply with this requirement, and they made diligent efforts. However, results were spotty at best, according to a report by the Public Company Accounting Oversight Board (PCAOB).

"It would be difficult to overstate the efforts expended by both corporate managements and auditors to comply" with the new requirements, the report states, "especially given the short deadline for compliance that many of the largest companies confronted."

But based on its own inspections of a sampling of public companies' compliance efforts, the PCAOB found that in their auditing processes, many companies failed to take a top-down or risk-based approach, perform adequate "walkthroughs," use proper judgment, or otherwise approach the auditing task as judiciously as necessary.

For example, the PCAOB had issued guidance recommending that auditors assess controls by starting with company-level controls, then moving to significant accounts at the financial level, eventually making their way down to individual controls at the "process, transaction, or application levels"—a top-down approach.

This is an efficient method, the report states, because "the auditor is able to tailor the remainder of his or her testing of controls over significant accounts to reflect the conclusions reached while evaluating company-level controls."

Instead, many companies wasted time, money, and effort by taking a bottom-up tack, starting at individual controls and making their way to company-level controls. In addition, much of the auditors' activity didn't factor risk into the equation, so a good deal of their time was wasted on low-risk concerns. This approach led to the high compliance costs that companies then lamented.

Another common mistake was the failure to perform complete walkthroughs of each major class of transactions. In a walkthrough, the auditor follows a transaction from its origin through its appearance in company financial reports, so as to understand the process flow of transactions and identify where misstatements could occur. But many auditors didn't perform walkthroughs or abandoned individual walkthroughs before completing them.

Also, in the quest for consistent benchmarks, some auditors seemed to mechanically apply quantitative rules in areas where judgment was called for, the report notes. Consequently, this may have driven "auditors' decisionmaking processes unduly toward simplistic quantitative thresholds and away from the qualitative evaluation that may have been necessary in the circumstances."

Despite these issues, the PCAOB expressed confidence that auditors would be more effective and efficient as they gain experience with the requirements and continue to adapt their practices.