When the U.S. Securities and Exchange Commission moved last week to relax a provision of the Sarbanes-Oxley Act, it signalled the end to what could be called the Great Audit War.
Ever since U.S. lawmakers passed the corporate reforms in 2002, legal and financial executives have been waging a behind-the-scenes war with external auditors over the staggering costs and management burden stemming from what surely has been the largest corporate list-making exercise in history.
The culprit is a four-paragraph passage in the now-infamous Section 404 of Sarbanes-Oxley, which requires thousands of U.S. and about 200 Canadian companies listed on American stock exchanges to "review and assess" the controls they have in place to detect financial reporting errors or fraud. The kicker is a requirement that outside auditors test and deliver an annual opinion about the effectiveness of the corporate safeguards.
With no guidance from the SEC about how to arrive at the annual opinion, the accounting police went, well, berserk demanding exhaustive tests and reports so auditors wouldn't be liable if financial shenanigans were exposed.
The idea behind Section 404 was to build better warning systems to prevent an Enron-style accounting fraud meltdown. The result, however, is a classic tale of how well-intentioned lawmakers can gum up the business machinery by failing to properly draft the language or assess the economic impact of new rules.
"Section 404 was an overreaction to the failures of Enron, WorldCom and other corporate frauds," said Kevin Cramer, a New York-based securities lawyer with Osler Hoskin & Harcourt LLP.
Initially, the SEC estimated public companies would spend an average of only $90,000 annually to comply with Section 404. In reality, however, business experts say it has cost companies an average of $1-million in additional annual auditing fees.
Money isn't the only cost. According to a recent Ernst & Young survey, the majority of companies with revenues between $5-billion and $20-billion invested more than 25,000 employee hours to meet the internal control and testing requirements. A majority of companies with more than $20-billion of revenue devoted more than 100,000 hours.
What were they all doing? Making lists and flow charts. A lot of lists and flow charts. If a new employee was hired, for example, a company had to document that it checked the employee's signature and had a designated supervisor to oversee the person who made the hire; outline how it traced and supervised the entry onto the payroll; and reconcile salary payments with bank transactions, and so on and so on. When that was done, the auditors moved in to conduct spot tests on the accuracy of these and thousands of other safeguards at each corporate division.
Not surprisingly, the result has been a tense standoff between auditors and corporate lawyers and financial executives. The strain is so bad that now even the accounting firms who saw their practices and revenues explode in recent years are happy to wave goodbye to the auditing motherlode.
"It is time," said Massimo Marinelli, a Section 404 specialist and accounting partner in Toronto with Ernst & Young, which credits the rule as a key factor behind the 70-per-cent growth in its Canadian practice since 2003.
"There has been a lot of friction … Clients thought we were being too inflexible and too strict. Their people were worn out and we were telling them they had to do more to comply with the rules," Mr. Marinelli said.
Responding to the audit battles, Canadian securities regulators have backed away from a proposal requiring auditors to attest to the effectiveness of internal financial controls. Instead the provinces' new so-called 52-109 rule, which takes effect next year, leaves it up to chief executives and financial officers to evaluate and describe their internal safeguards.
Some critics argue the U.S. requirement for broad audit tests of financial controls has damaged financial accountability because corporate executives fear the consequences of communicating with auditors.
"Many company officials are reluctant to seek guidance from their auditors lest their internal controls be found deficient," said Osler's Mr. Cramer.
Better times are around the corner. Last week the SEC issued for the first time guidance as to how companies should monitor the adequacy of their financial controls. The new language, which will take effect shortly, requires public companies to only identify and test the biggest potential risks to their companies' books. The approach gives managers more discretion to decide for themselves what the financial reporting hot spots are and eliminates the need for extensive checks.
Falling in step with the SEC, a U.S. accounting regulator last week voted to pare back the number of tests it requires auditors to conduct to check the effectiveness of corporate controls. The new auditing standard by the Public Company Accounting Oversight Board is expected to be approved by the SEC later this year.
Ernst & Young's Mr. Marinelli estimates the easier regime will eliminate 20 to 30 per cent of the work involved in annual audit inspections of financial reporting controls. It should also thaw the chilly state of management and auditing relations.
"Companies can now focus more of their energies on major financial risks," he said.
© The Globe and Mail
