Compliance Week has a new survey (available for free, although the site is well worth a paid subscription) which confirms what I said several months ago – It’s up to the auditors whether to allow Auditing Standard 5 to be implemented and in many cases they are saying “No way!”
This survey of nearly 300 publicly held companies finds that more than 80 percent of companies responding said they expected no better than a 20 percent reduction in key controls going forward – with more than half of respondents expecting only a 10 percent drop in key controls going forward.
The results suggest:
1) Companies are likely to initially reduce their number of key controls after their first year of meeting SOx requirements, but such efficiency improvements don’t continue over time.
2) Auditing Standard No 5 – the more relaxed standard approved last year by the Securities and Exchange Commission to help drive greater SOx financial reporting efficiency — apparently isn’t helping to streamline key controls as hoped
3) Lowering SOx compliance costs is much more about iterative refinement than any dramatic shift that new rules like AS5 were supposed to deliver. Just because the PCAOB and others say you should be getting more efficient and your costs will be going down, doesn’t make it true.
Is this reluctance because the auditors want to continue to reap the revenues associated with staff heavy, long, and detailed reviews? Or is it because companies are still inherently risky , especially when it comes to their Information Technology controls? I will be writing later this week about the forgotten step-child of SOx, IT General Controls. Many companies still have significant work to do there and, perhaps, additional significant deficiencies and material weaknesses to come.
“One of the most pressing questions in the financial reporting community right now is whether Auditing Standard No. 5 and accompanying Section 404 guidance from the Securities and Exchange Commission will be of any practical help to companies. Many suspect not; they fear their auditors will continue to force their own interpretations of key controls and SOX compliance onto the company, regardless what Auditing Standard 5 theoretically allows a company to do.”