New guidance for interpreting the 2002 Sarbanes-Oxley Act could bring a return to value-added audits and help further cut related compliance costs, according to one expert.

Section 404 of the law (SOX 404), which requires senior management at public companies to document, test and monitor the effectiveness of internal financial reporting controls, has been particularly burdensome. Some companies have been paying millions of dollars each year in audit and related expenses, yet they haven't been receiving much consultative value from their auditors due to the law's focus on greater auditing independence.

However, new SOX 404 guidance approved by the Securities and Exchange Commission (SEC), including release of a new Public Company Accounting Oversight Board (PCAOB) auditing standard earlier this year, is expected to reduce SOX-related audit costs. The new guidance could also turn back the clock to the days when auditors were able to provide valuable advice and recommendations to clients, says Claudia Volk, principal at CJVolk Associates, an Arlington, VA, treasury and cash management consulting firm, and a former auditor.

"SOX 404 created a very adversarial relationship between auditors and their clients," says Volk, who spoke on the new SOX 404 compliance guidance at the recent Association for Financial Professionals (AFP) Annual Conference in Boston. "Under the new guidance, auditing may once again become a value-added process."

Impact on Compliance Costs
SOX 404 compliance has been extremely costly for corporations. "Every auditing practice developed its own interpretations and audit methods, and there was a lot of audit overkill," Volk explains. "For all practical purposes, companies had to pay two accounting firms to do a lot of redundant work. Auditors focused on management's internal control evaluation process, resulting in 'pre-auditing' work to develop documentation of processes."

The cost picture today is mixed, according to Financial Executives International (FEI), which has been conducting annual SOX compliance surveys. The bad news is that SOX 404 compliance costs are still exorbitant: FEI's most recent survey revealed that in 2006 the total average cost of compliance for respondents — who averaged $6.8 billion in annual revenues — was $2.9 million. Furthermore, respondents said their auditor attestation fees remained essentially unchanged from the previous year.

The good news is that there is a continuing trend of declining overall SOX compliance costs due to companies introducing efficiencies that reduce both internal and external (non auditor) people hours spent on compliance. Total compliance costs reported for 2006 represent a 35% decrease since SOX's first year, FEI says.

This year's SOX 404 compliance guidance is expected to allow companies to reduce auditor fees and further support this cost reduction trend, Volk says.

Key Points of the New Guidance
Here are the four major points that Volk says treasury managers need to know about the SEC's new guidance document and the PCAOB's new Auditing Standard No. 5 (AS5):

• They both promote top-down, risk-based assessments. Auditors have been testing all underlying systems and processes. But under the new guidance, companies and their auditors only need to focus on the areas of risk that directly impact internal control over financial reporting.
   
• "Materiality" has returned as an important concept. Companies and their auditors only need to test and document controls that would have a "material" or significant impact on financial statements if they were weak. So, once again, you don't have to test everything.
   
• A company can integrate internal control and financial statement audits. A major factor resulting in hefty compliance costs has been that many companies have been paying for two separate audit processes, a pre-audit of internal controls and the actual financial statement audit. The new guidance says that much of that redundant audit work is unnecessary.
   
• Auditors are now permitted to rely, to an extent, on the testing of others. External auditors don't necessarily have to repeat tests that have already been conducted by your company's internal auditors.
  
  Registered audit firms are required to use the new AS5 standard for all audits of internal control no later than for fiscal years ending on or after Nov. 15, 2007.

Less Adversarial, More Advisory
By heeding the new guidance, companies should be able to lower their SOX-related audit costs. In addition, Volk says, the guidance should allow auditors to resume their historical advisory role.

When SOX became law, auditors stopped making the type of recommendations about internal controls that they previously offered in management comment letters, she says. "They were just providing testing. It was costing you money but offered very little value," she says. "But under the new guidance, your auditors can again offer value-added advice on best internal-control practices."

COSO Weighs In
Another important development, in September, was the release of additional SOX 404 compliance guidance in the form of a "discussion document" from The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the private-sector standards setter. Companies need to be as familiar with the COSO guidelines as they are with the new SEC and PCAOB guidance. Volk explains why:

"The SEC has established the requirements for interpreting the SOX legislation. The PCAOB provides the guidance to help you determine what you have to do. And the COSO standards are complementary in that they tell you what techniques you can use to get it done."

View other articles in this edition
With Just a Few Months to Go, Are You Ready for SEPA?
Supply Chain Finance Unlocks Working Capital
Banks to Play Key Role in Next-Generation Shared Service Centers