Despite dire predictions last fall that 20% or more of
companies might flunk the first audits of internal controls under Section 404 of the Sarbanes-Oxley Act, it now appears that only 8% didn't clear the bar. And for the most part, even those that had to admit to material weaknesses in their systems did not find themselves severely punished by equity markets. Yet, the process was hardly painless and companies have been howling for months about the resources needed for the first year of compliance. In 2004, the costs for just the nation's largest companies have been estimated at $1.4 billion.
The hand-wringing may not have been in vain. Although no one at the Securities and Exchange Commission (SEC) or the Public Company Accounting Oversight Board (PCAOB) would characterize it as such, there is evidence that the two agencies primarily responsible for Section 404 compliance are backing off a bit from their take-no-prisoners stance of last year. In mid-May, for example, the two came out with guidance for external auditors that emphasized exercising good judgment and relying on the work of others when auditing internal controls. Auditors should integrate the audits of financial reporting and internal controls, the regulators say. They should work from the top down, rather than wasting time checking low-level controls that aren't that important, and they should rely on controls assessments performed by the company when that's appropriate. Regulators say the guidelines should help cut 404-related costs in the second year of compliance, and observers agree.
Other signs of a softer stance include the one-year extension on 404 requirements that the SEC gave to smaller public companies and foreign-based companies. "The SEC faced a lot of pressure on this," says Joseph Carcello, director of research at the University of Tennessee's Corporate Governance Center.
Despite the fact that the SEC has beefed up its staffing by 33% to a full complement of 4,000--the first time in years that the agency has been fully staffed--the SEC claims that it has no plans to do random audits of Section 404 compliance or special reviews of Section 404 filings. "Section 404 documents are filed as part of a company's 10-K," says SEC spokesman Matt Well, adding that they will be reviewed as part of "the usual process of 10-Ks." Nor are there any plans to crack down on companies that reported material weaknesses. "Basically our message is that we want to focus on the important things and not get bogged down in minutiae," says Well. Explaining that the SEC sees Section 404 compliance as a learning process, he says, "Experience comes through doing."
In part, the SEC may have decided to rely on the vigilance of external auditors and of the PCAOB, which is mandated to monitor them. The PCAOB has hired 150 crack inspectors and plans to add another 70 by yearend. It is midway through a review of all the accounting firms in the nation that audit public companies--a massive undertaking that includes sample reviews of 404 audits of clients' internal controls. Even here, however, tough-talking PCAOB chairman William McDonough told a gathering at Emory University's Goizueta Directors Institute in mid-May that his board's emphasis would be on providing "new tools to identify and resolve problems early in their development" and not on punishment, even when faced with "financial reporting and auditing failures."
"I think there is an element of truth to the idea that both the SEC and the PCAOB are going to be taking a more cooperative approach to regulating Section 404 compliance," says Dennis Beresford, former head of the Financial Accounting Standards Board and a member of the audit committees of Legg Mason Inc., Kimberly-Clark Corp. and MCI Inc. "But I don't view that as backing away from enforcement. It's more a recognition that it could take three to four years before everyone is settled in" with the new internal controls rules.
Dan Langer, director of the internal controls practice at Jefferson Wells International, says it's not surprising that regulators have shifted their position a bit. "There was so much devaluation in shareholder value from some of these events that [regulators] came out very conservatively initially," Langer says. "As we've gotten our sea legs a little bit, they're reinforcing some level of practicality around it all."
Surprisingly, investor groups seem comfortable with the SEC's approach. "There's an awful lot of gray area in the implementation of Section 404, and after talking with enforcement staff, I suspect that the SEC will be spending a lot of time on defining that gray," says Patrick McGurn, special counsel and executive vice president of Institutional Shareholder Services. "I'm guessing you'll see them take on a few companies that really didn't get what they wanted done with 404, but for the most part I think you'll see them trying to make things clearer."
Howard Sherman, COO of GovernanceMetrics International, agrees. "I think the SEC and PCAOB aren't backing off of enforcement as much as they're saying 'Let's see what the problems are and fix them,'" he says. "Institutional investors, too, are working with firms on fixing material weaknesses, not just jumping on them. That's why you haven't seen stock prices fall when Section 404 issues are reported."