Peeling away financial reporting issues one layer at a time

AS 5: The Latest Chapter in the SOX 404 Saga

Following an extended comment period, Auditing Standard No. 5, which supersedes AS 2, was approved by the SEC on July 25, 2007.  Now that another chapter in the regulatory saga of SOX 404 is complete, it is time once again to take stock of what has (and not) been accomplished by Congress, the SEC and the PCAOB.

Frederick Lipman, founder and president of the Association of Audit Committee Members, Inc. (AACMI) trenchantly observed as follows in a recent communication to its members (Fred is also the leader of the securities law practice at Blank Rome LLP):

“The corporate corruption scandals which motivated the Sarbanes-Oxley Act of 2002 were the result of fraud by CEOs and CFOs and it is unclear how Section 404 mitigates this risk, since internal controls can be overridden by the CEO or the CFO.  The SEC has conceded as much in  SEC Release No. 33-8810 (June 27, 2007) which contains the following revealing comment: 

‘ICFR cannot provide absolute assurance due to its inherent limitations; it is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures.  ICFR also can be circumvented by collusion or improper management override.  Because of such limitations, ICFR cannot prevent or detect all misstatements, whether unintentional errors or fraud.  However, these inherent limitations are known features of the financial reporting process, therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk.’ [Emphasis supplied by Lipman] 

It therefore remains questionable whether any of the corporate corruption scandals would have been avoided by the costly internal controls mandated by the regulators.  The regulators are to be congratulated, however, for at least attempting to mitigate some of these costs by adopting Auditing Standard No. 5.”

I have long argued that SOX 404 was flawed, and that investors would have been better served by requirements for mandatory audit firm (as opposed to partner as provided in SOX).  I’ll explain why I feel that way in a subsequent post.  I’ll also be commenting on the new definitions of ‘material weakness’ and ‘significant deficiency’ as used in both AS 5 and SEC rules.

Other Things You Were Dying to Know about AS 5

The new standard is effective for audits of internal control over financial reporting (ICFR) required by Section 404(b) of SOX for fiscal years ending on or after November 15, 2007.  Earlier adoption is permitted, but auditors who elect to comply with AS 5 before its effective date must also comply at the same time with PCAOB Rule 3525, and other PCAOB standards as amended by Auditing Standard No. 5.  Auditors who do not elect to comply with AS 5 before its effective date must nonetheless use the kinder and gentler definition of "material weakness" contained in AS 5.

PCAOB Rule 3525, relating to auditor independence, requires auditors to comply with specific documentation and other procedures when requesting audit committee pre-approval of internal control-related services.  Similar requirements were contained in AS 2, and they parallel the auditor’s responsibilities in seeking pre-approval to perform tax services for an audit client under PCAOB Rule 3524.

1 Comment

  1. Reply Rick Julien August 6, 2007

    Tom
    I only have time for a quick reply
    You and I have discussed this before during some presentations…..I respectfully disagree with you and Fred on this. The effectiveness of SOx 404 if effectively implemented and audited will work in most cases. It is not about any specific requirement but the interrelated nature of the entity level controls that will created an environment that there will need to be substantial collusion for financial fraud to continue for any amount of time. An active, knowledgeable audit committee, an effective hot line , ethics training, sub certifications, qualified financial reporting staff, a thoughtful 302 disclosure committee, a strong internal audit function etc etc
    This really requires a strong active audit committee that believes in good corporate governance ………
    SOx has been a good thing for our capital markets
    Rick

Leave a Comment