Magazine article The CPA Journal

Implementing Sarbanes-Oxley Act Section 404

Magazine article The CPA Journal

Implementing Sarbanes-Oxley Act Section 404

Article excerpt

Lessons Learned from the Front Lines

In the first year of compliance with section 404 of the Sarbanes-Oxley Act (SOX), affected companies produced a volume of opinion on how the process could be improved. Following the sec's call for suggestions on the topic, Edison Electric Institute (EEI) collected the views and experiences of the electric utilities industry. The participants' thoughts and ideas presented are summarized below.

Overall, the electric utility industry believes that SOX section 404 compels a company to take a hard look at its business processes and systems, which is good. To achieve its full promise, however, the compliance process must focus on lowering costs, reduce the level of ambiguity surrounding compliance, and expand a too-narrow interpretation of the compliance requirements for outside auditors.

Rely on internal audit activity to a greater extent. To avoid the duplication of effort during audits, EEI's members believe that the Public Company Accounting Oversight Board (PCAOB) should modify its requirement that independent auditors perform more than 50% of the total procedures upon which they base their opinion. The 50% threshold is artificial, and also requires the independent auditor to duplicate work that already has been done by in-house auditors, thereby increasing the cost of the audit.

Many internal auditors report to their company's audit committee directly, just like the independent auditors do, and thus are sufficiently independent to merit direct reliance on their work product But even if an internal auditor does not report directly to the audit committee or the board of directors, if the independent auditor is satisfied that the work meets certain indications of reliability, then the independent auditor should be able to rely on the internal auditor's work. This can be done by reviewing and agreeing with the internal auditor's testing approach (e.g., scope, timing, sample size), reviewing and signing off on the internal auditor's documentation, and assessing and concurring with the qualifications and objectivity of those performing the work. If these requirements are met, the independent auditor should be permitted and encouraged to use the internal auditor's work as his own. Internal audit work has properly been relied on for financial statement purposes; it should equally be relied on for SOX section 404 purposes.

Depend more on work performed in prior periods, and allow more testing prior to year-end. Performing some level of testing of all key controls on an annual basis is both appropriate and necessary. However, management and auditors should be permitted to target their testing based on relative risks, and to consider the results of prior years' tests in determining the nature and extent of testing in the current year.

For example, transactions and processes such as payroll or expense processing are static from period to period, barring some significant change. If a company's controls in an area have worked effectively for several years without exception, and there have been no significant changes in those controls during the year, then to limit the sample tested in the current year, or to perform such testing earlier in the year, would seem appropriate.

EEI's members also believe that requiring all testing to take place in the latter half of an entity's fiscal year is counterproductive to the objective of having internal controls operate effectively throughout the year. Rather than extensively retesting controls at year-end, where the process does not change, greater reliance should be placed on interim testing.

This approach would have numerous benefits:

* Bringing deficiencies to light in a time-lier manner;

* Facilitating SOX section 302 confirmations;

* Supporting consistent performance of controls throughout the year due to the possibility of testing at any time; and

* Reducing costs by allowing both management and auditors to spread their evaluation of internal controls throughout the year rather than clustering such work during the same time the financial statement audit, of necessity, must be performed. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.