Unit I Homework Assignment
Weight: 6% of course grade
Grading Rubric
Instructions
The purpose of this homework assignment is to allow you to research the Enron fraud case and the
compliance requirements of the Sarbanes-Oxley Act. You are to complete the following components:
Provide researched information and references documenting your findings. Identify elements of fraud
and compliance laws that have been drafted as a result of Enron and other industries.
Write an executive summary describing the Enron fraud case’s impact and the U.S. government’s
reaction to it.
Complete each section of the lab by following the instructions for the exercises in each section.
You will use a text document to develop your homework assignment by completing the sections listed
below:
Lab 1.1a
From your computer workstation, create a new document called SOX Lab 1. Once you have created the
document, complete the following exercises, and save your responses as the SOX homework assignment
#1.
1. On your local computer, create the lab deliverable files.
o Review the following information about the Enron Corporation:
Enron Corporation was an energy company that, at one point, was the seventh largest company in the
United States and the largest trader of natural gas and electricity in the country. Enron started in the mid
‘80s and, by the ‘90s, the company was involved with trading and ownership in electric, coal, steel,
paper, water, and broadband capacity. In 2001, Enron filed for bankruptcy, making it the largest
bankruptcy in history at the time. An accounting scandal caused the company’s collapse. Thousands of
Enron’s employees were laid off. Employees lost their life savings because of the loss of the company’s
stock. Shareholders lost $11 billion.
On your local computer, open a new Internet browser window.
Using your favorite search engine, search for more information on the following topics regarding the
Enron fraud case:
o early history of the investigation,
o misleading financial accounts,
o accounting scandal of 2001, and
o California’s deregulation and subsequent energy crisis.
In your homework assignment, summarize your findings and the differences between governance and
compliance connected to the Enron case.
Lab 1.1b
1. Using your favorite search engine, search for more information on the following topics regarding the
requirements of Sarbanes-Oxley:
o Incidents that led to passage of SOX
o Chronology of SOX passage from bill proposal through signing into law
o Pros and cons of Sarbanes-Oxley
o Sarbanes-Oxley Section 302
o Sarbanes-Oxley Section 401
o Sarbanes-Oxley Section 404
o Section 404’s consequences for small businesses
o Sarbanes-Oxley Section 802
o Sarbanes-Oxley Section 1107
In your homework assignment, describe the elements of the fraud Enron committed that led to the
creation of SOX.
In your homework assignment, identify the other U.S. compliance laws that have been drafted as a result
of the Enron case.
Lab 1.2
In your homework assignment, write an executive summary describing the impact of Enron’s fraud case, the
components of IT assessments and IT audits, and the U.S. government’s reaction to the case and to other
industry compliance needs.
NOTE: When you submit your homework assignment, you should combine the assignments into one
document for grading. Please clearly mark the answers for Lab 1.1a, Lab 1.1b, and Lab 1.2 within your
submission by labeling those sections within your assignment.
Your homework assignment should be a minimum of two pages in APA format. Include a minimum of
two sources with at least one source from the CSU Online Library in addition to your textbook.
Please use any of the websites below for your research. Feel free to use any of your own. You may also
use more than four references.
Enron Corp: Retrieved via Google search
Lab 1.1a
https://www.britannica.com/event/Enron-scandal
https://www.journalofaccountancy.com/issues/2002/apr/theriseandfallofenron.html
https://www.cnn.com/2013/07/02/us/enron-fast-facts/index.html
https://www.wsws.org/en/articles/2002/05/enro-m10.html
Sarbanes-Oxley/SOX PDF (choose at least one):
Lab 1.1b
I have attached 3 PDF articles from CSU’s library. Please use at least one of these as a reference. The PDFs
are named:
Fixing 404
SOX Five Years Later
Enron and SOX
Sarbanes-Oxley: Retrieved via Google Search
https://www.sarbanes-oxley-101.com/
https://connectusfund.org/4-serious-pros-and-cons-of-the-sarbanes-oxley-act
https://www.corporatecompliancepartners.com/klmbill4.html
http://dodd-frank.com/2010/08/05/whistleblowers-dodd-frank-and-sarbanes-oxley/
https://www.chicagotribune.com/news/ct-xpm-2002-10-31-0210310266-story.html
UNIT I STUDY GUIDE
Introduction to Information Systems Security Compliance
Course Learning Outcomes for Unit I
Upon completion of this unit, students should be able to:
1. Examine procedural issues for securing infrastructure.
1.1 Describe the components of IT assessments and IT audits.
1.2 Summarize the differences between governance and compliance.
Course/Unit Learning Outcomes    Learning Activity
1.1                              Unit I Lesson; Chapter 1; Unit I Homework Assignment
1.2                              Unit I Lesson; Chapter 1; Unit I Homework Assignment
Reading Assignment
Chapter 1: The Need for Information Systems Security Compliance
Unit Lesson
Security Compliance and Why it is Needed
External regulations generally refer to governmental regulations and laws. Industry standards refer to
industry regulations such as Payment Card Industry (PCI) compliance for credit card use. Failure to adhere
to these regulations and standards can result in various consequences. In the case of regulation violations,
chief executive officers (CEOs) or other leaders of the organization may face fines or even imprisonment.
Image: Credit cards (MacEntee, 2014)
Origins of the Need for Information Technology (IT) Security Compliance
One notable example of the need for security compliance stems from the Enron scandal. Investors rely on
good information in the form of financials from organizations in order to make decisions regarding how to
invest their money. Investors will choose organizations using this information. If those financials are falsified,
investors may invest money they normally would not have had they been given an accurate picture of the
financial health of the company.
The Enron Corporation was once the seventh-largest energy company in the United States. Enron falsified
financial records and filed for bankruptcy in 2001. Thousands of employees lost their jobs and retirement
accounts. Shareholders (investors) lost approximately $11 billion (Weiss & Solomon, 2016). The unethical
practices performed by Enron and the auditing firm Arthur Andersen led investigators to discover other major
organizations with discrepancies. The resulting legislation was the Sarbanes-Oxley Act (SOX).
SEC 4302, Planning and Audits
Image: Parking kiosk retrofitted with a credit card scanner, simple user interface (UI), and solar panel (Hritz, 2011)
The most important outcome of SOX was to require adherence to standard accounting practices and sign-off
of the financials by the CEO. If fraud is found in an organization’s financials, there will be fines at the very
least, and the CEO may face jail time. SOX also calls for procedures in organizations to protect data and to
account for any data changes in any financial database. For example, if your organization has software
created in-house, then one of the SOX rules might be that someone other than the software developer has to
bring the software program into production. Why? This is because the scripts that alter a procedure or create
a new procedure must include statements granting permissions to access the objects. Usually, you grant
permission to execute the procedure based on an application role or database role. However, a developer
could potentially add statements to the code granting themselves sysadmin permissions on the server.
Having another person review and implement the code prevents this from happening. Part of doing this
requires a workflow of changes to software programs and management approvals. Just like with financial
payouts, organizations should have levels of approvals for software development work and data changes.
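The following Python script is an added example, not part of this study guide or of the Weiss and Solomon textbook. It models the review-before-deploy control just described: a change request carries the script's author, a separate reviewer who moves it into production, and a recorded management approval; the reviewer's check flags any GRANT to a principal that is not an approved application or database role and any server-role membership change, and the decision is written to an audit trail of the kind the auditing section below expects for data changes. The request fields, the role names app_role and reporting_role, the login jdoe, and the SQL Server-style sample scripts are all constructed assumptions for the illustration; the pattern matching is a review aid and does not replace a human reading the script.

```python
import re
from dataclasses import dataclass, field

# Assumed policy for this example: deployment scripts may grant object
# permissions only to these application/database roles, never to logins.
APPROVED_GRANTEES = {"app_role", "reporting_role"}

# GRANT <perm> ON <object> TO <principal>  (SQL Server style, constructed here)
GRANT_PATTERN = re.compile(
    r"^\s*GRANT\s+[\w\s,]+?\s+ON\s+(?P<obj>[\w.\[\]]+)\s+TO\s+(?P<grantee>[\w\[\]]+)",
    re.IGNORECASE | re.MULTILINE,
)
# ALTER [SERVER] ROLE <role> ADD MEMBER <principal>  (role membership changes)
ROLE_MEMBER_PATTERN = re.compile(
    r"\bALTER\s+(?:SERVER\s+)?ROLE\s+(?P<role>\w+)\s+ADD\s+MEMBER\s+(?P<member>\w+)",
    re.IGNORECASE,
)


@dataclass
class ChangeRequest:
    ticket: str
    author: str       # developer who wrote the script
    reviewer: str     # person who reviews it and moves it to production
    approved_by: str  # management approval recorded on the request ("" if none)
    script: str


@dataclass
class ReviewResult:
    findings: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return not self.findings


def review_change(req: ChangeRequest) -> ReviewResult:
    """Apply the separation-of-duties and privilege checks to one request."""
    result = ReviewResult()
    if req.author == req.reviewer:
        result.findings.append("separation of duties: author may not deploy their own change")
    if not req.approved_by:
        result.findings.append("no management approval recorded on the request")
    for m in GRANT_PATTERN.finditer(req.script):
        grantee = m.group("grantee").strip("[]")
        if grantee not in APPROVED_GRANTEES:
            result.findings.append(
                f"GRANT on {m.group('obj')} to non-role principal {grantee!r}")
    for m in ROLE_MEMBER_PATTERN.finditer(req.script):
        result.findings.append(
            f"role membership change: {m.group('member')} added to {m.group('role')}")
    return result


def log_review(req: ChangeRequest, result: ReviewResult, audit_log: list) -> dict:
    """Append the decision to an audit trail and return the record written."""
    record = {
        "ticket": req.ticket,
        "author": req.author,
        "reviewer": req.reviewer,
        "approved_by": req.approved_by,
        "decision": "approved" if result.approved else "rejected",
        "findings": list(result.findings),
    }
    audit_log.append(record)
    return record


# Constructed sample scripts (not taken from any real system).
CLEAN_SCRIPT = """
CREATE PROCEDURE dbo.usp_post_invoice @invoice_id INT AS
BEGIN
    UPDATE dbo.invoice SET posted = 1 WHERE invoice_id = @invoice_id;
END;
GO
GRANT EXECUTE ON dbo.usp_post_invoice TO app_role;
"""

# The same change with two extra lines that give one login server-wide rights.
SUSPICIOUS_SCRIPT = CLEAN_SCRIPT + """
GRANT EXECUTE ON dbo.usp_post_invoice TO jdoe;
ALTER SERVER ROLE sysadmin ADD MEMBER jdoe;
"""

CLEAN_REQUEST = ChangeRequest("CHG-1001", "jdoe", "asmith", "mgr_lee", CLEAN_SCRIPT)
SUSPICIOUS_REQUEST = ChangeRequest("CHG-1002", "jdoe", "jdoe", "", SUSPICIOUS_SCRIPT)

if __name__ == "__main__":
    audit_log = []
    for req in (CLEAN_REQUEST, SUSPICIOUS_REQUEST):
        rec = log_review(req, review_change(req), audit_log)
        print(rec["ticket"], rec["decision"], *rec["findings"], sep="\n  ")
```

Running the script approves CHG-1001 and rejects CHG-1002 with four findings: the author is also the deployer, no approval is recorded, a permission is granted directly to a login rather than a role, and that login is added to the sysadmin server role. The audit record keeps who requested, who reviewed, and who approved each change, which is what an auditor asks to see.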
PCI Compliance
Failure to meet payment card industry (PCI) compliance can have serious consequences such as preventing a
business from using credit card machines. People expect a certain level of security when they shop and use
credit cards. In addition, the credit card banks have rules that require any merchant who processes or stores
data belonging to cardholders to comply with all PCI requirements. On the Internet, websites should use
Hypertext Transfer Protocol Secure (HTTPS). HTTPS encrypts the connection so that no one monitoring the
traffic can see credit card numbers, and the web server proves its identity with a certificate issued by a trusted
certificate authority such as VeriSign.
When people refer to PCI, they are referring to the Payment Card Industry Security Standards Council (PCI
SSC), which creates and maintains the most important standard, the PCI Data Security Standard (PCI DSS).
PCI DSS is the foremost data security standard required by banks in order to accept credit cards. It was
developed to protect credit card information during and after a transaction. The theory is that if a company is
fully compliant, then that company cannot suffer a credit card breach.
Most of the time, an IT security audit of IT controls is performed to make sure that an organization is
compliant with external regulations and industry standards. An IT security audit is an independent
assessment of an organization’s internal policies, controls, and activities (Weiss & Solomon, 2016). The
auditors perform the audit and provide the organization with a report. When an organization does not pass
an audit, it is at risk of fines from the credit card company or, in extreme cases, loss of the use of
payment-reading devices. Nowadays, organizations can buy insurance and insure themselves against a data
breach. One of the requirements is PCI compliance.
Image: Types of assessment (Weiss & Solomon, 2016)
Difference Between an Assessment and an Audit
Understanding the difference between what constitutes an assessment versus an audit can be confusing. An
IT security assessment is part of an organization’s security framework and involves managing risk. Within this
process, security controls are implemented, managed, and assessed for effectiveness. More specifically,
assessing IT security involves identifying and categorizing the information within the organization and the
information systems that control the information.
Some potential types of assessment include the following actions:
ensuring that correct or appropriate security controls are implemented and applied to the system,
assessing the controls for their effectiveness,
authorizing systems by accepting risks based upon the selected security controls, and
monitoring the security controls on a continual basis (Weiss & Solomon, 2016).
Most people think auditing is part of the accounting realm, but that is not completely true. Auditing can occur
in many areas of a business. For example, you can have operational audits. An operational audit will usually
involve a systematic review of an organization’s operations to appraise its effectiveness and identify
opportunities for improvement. Another area subject to audit involves financials. However, financial
information can be found in many areas of an organization. IT usually has domain over databases that house
the data. Therefore, practices for securing financial data are subject to auditing. This will involve showing
auditors the policies and procedures around requesting a data edit change. Any time an employee has to edit
data, especially financial data, a record needs to be logged and some level of approval needs to be obtained.
For simple changes, there may be a form that the employee can use to change something that is related to
his or her job. For example, the employee may have realized they misspelled a name during data entry and
need to correct it. For larger changes, the database administrator may have to run a script to do a mass
update. Either way, there should be records kept of the changes made in case of an audit. In addition, the
database administrator will show the auditor how database backups are taken and maintained. In most larger
organizations, there are both internal and external auditors. It is better for your internal auditors to find issues
well before the external auditors do. Many times, the external auditors are hired from larger accounting and
auditing firms. The scope of an IT audit usually involves the following categories:
1. Organizational: involves the management control over IT and related programs, policies, and
processes. An example of this would include the management approval process for requesting data
edit changes.
2. Compliance: ensures that specific guidelines, laws, or requirements have been met in reference to
the information and information systems.
3. Application: involves the applications that are strategic—those that involve finance and operations
within the organization. For example, ensuring that the applications perform the tasks they are
supposed to do and no more.
4. Technical: examines the IT infrastructure and data communications internal and external to the
organization (Weiss & Solomon, 2016).
It is important to note that publicly traded companies must adhere to SOX guidelines. This is not optional,
although some industry standards might be. Failure to comply with PCI may cost the organization money,
especially if there is a data breach, and a non-compliant organization is taking on that risk. Failure to comply
with SOX may mean large fines and jail time for the neglectful CEO.
Another important concept is IT governance. IT governance is a framework that helps ensure that
management understands the business strategy and how to align the organization’s technology strategy with
that business strategy. IT governance is the effective use of IT in enabling organizations to meet their goals. It
involves the processes, procedures, policies, practices, and information needed to accomplish the
organization’s objectives. Compliance helps governance by ensuring information and controls also satisfy
applicable standards or regulations (Weiss & Solomon, 2016). Thus, IT is needed to ensure that the
infrastructure meets the needs of the business and stays compliant with external regulations such as SOX
and industry standards such as PCI.
See Chapter 1 of your textbook for more information about these concepts. In addition, there are case studies
in your textbook that outline what happened to Enron, WorldCom, and TJX Companies, Inc.
References
Hritz, J. (2011, March). Ann Arbor went through this big effort to remove all the parking meters and put in
kiosks. These look like a retrofit that kept the coin-op base and added a credit card scanner, simple
UI and a solar panel [Image]. Retrieved from
https://www.flickr.com/photos/jhritz/5572908198/in/photolist-ntQ1N8-qU8iCD-qGK3vy-ncBYc4qGR2br-qZdMMq-qZdu4E-pXh9Jm-oMdwgZ-qX11CN-qX1jAG-oMcX6d-qGK3v3-5uyzDq-pYeSueqUcHWb-nwPENa-nwPF5n-nQEdeb-nSvuJa-nDniQD-nyeyeo-oURzNz-nSxdap-nwKkZR-nwshHFnxmMYk-oVgNK
MacEntee, S. (2014, February). Credit cards [Image]. Retrieved from
https://www.flickr.com/photos/smemon/12696032183/in/photolist-kkUu3B-7dfoH9-ayZf5K-aFDofKbu6uz5-4LMc7W-4LMcLE-4LMaCo-4LMcfj-4LGZTF-4LGY52-4LMaqQ-4LMc3J-4LH1oR-4LMcTW9WQDyw-4LH1Lv-4LGZZt-4LH1za-n5ofth-4LH1DV-4zonm6-f2YHgE-4LMagm-pbDFWd-7PyxhUb6MFfg-bqpM
Weiss, M. M., & Solomon, M. G. (2016). Auditing IT infrastructures for compliance (2nd ed.). Burlington,
MA: Jones & Bartlett Learning.
Suggested Reading
To access the following resource, click the link below:
The following article from the CSU Online Library (Business Source Complete database) provides a refresher
on the objectives of Sarbanes-Oxley Act and the criticisms of the Act as well. Regardless of the positive
outcomes, there are still issues that need to be addressed.
Willits, S. D., & Nicholls, C. (2014). Is Sarbanes-Oxley Act working? CPA Journal, 84(4), 38–43. Retrieved from
https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=95569700&site=ehost-live&scope=site
Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.
The Chapter 1 PowerPoint linked below provides a quick overview of the information provided concerning the
need for ISS compliance. Click here to access the Chapter 1 PowerPoint presentation. Click here to access a
PDF version of the presentation.
It’s a Puzzle!
To work the crossword puzzle, use the definitions of key terms from this unit. How well do you know your
terms and definitions? Click here to print the puzzle and see how quickly you can complete it. Answers are
provided here. How did you do?
Apply What You Have Learned
The following questions relate to your reading in Chapter 1. What do you recall from your study of this unit?
Answer each question as completely as you can.
1. What section of the SOX compliance law requires proper controls and, hence, security controls to
ensure the confidentiality and integrity of financial information and recordkeeping within an IT
infrastructure?
2. Who is Richard Scrushy and why is he relevant to SOX?
3. What are some of the criminal penalties for falsifying documents or covering up information related to
financial matters and SOX?
4. Explain how the sections within SOX compliance law require proper security controls as they relate to
having internal controls.
After you complete this activity, you can click here to check the answers to the above questions.
FIXING 404
Joseph A. Grundfest*
Steven E. Bochner**
Although debate persists as to whether the costs of Sarbanes-Oxley's Section 404 regulations exceed their benefits, there is broad consensus that the rules have been inefficiently implemented. Substantive and procedural factors contribute to the rules' inefficiency.

From a substantive perspective, the terms "material weakness" and "significant deficiency" are central to the implementing regulations and are easily interpreted to legitimize audits of controls that have only a remote probability of causing an inconsequential effect on the issuer's financial statements. As a quantitative matter, the literature suggests that a control with a remote probability of causing an inconsequential effect has an expected value of only five one-hundredths of one percent of a firm's net income.

Procedurally, the Section 404 rules are implemented in an economic and political environment that generates a powerful tropism for inefficient hyperenforcement. Auditors have been broadly criticized for a rash of audit failures and restatements. They do not want to be further criticized for implementing Section 404 with insufficient vigor. Auditors are also subject to significant uninsurable litigation risk. That provides an incentive to externalize risk by forcing clients to absorb greater precautionary costs that benefit auditors by reducing the probability of an audit failure. Auditors also make money selling Section 404 services to audit and nonaudit clients alike. These three forces combine to create powerful incentives for the audit industry, incentives that contribute to inefficient expenditures on Section 404 procedures much like the forces that drive inefficient expenditures on defensive medical procedures.

To address these concerns, the Securities and Exchange Commission ("Commission" or "SEC") and the Public Company Accounting Oversight Board ("PCAOB") should aggressively redraft the rules implementing Section 404 to eliminate the need to examine controls that are unlikely to have a material effect. At the same time, the PCAOB should monitor audit firms' Section 404 practices and discipline auditors who promote or engage in cost-inefficient procedures.
* William A. Franke Professor of Law and Business, Stanford Law School; Co-Director, Rock Center on Corporate Governance, Stanford University. The author is a former commissioner of the United States Securities and Exchange Commission (1985-1990).
** Partner, Wilson Sonsini Goodrich & Rosati, Palo Alto, California; Lecturer, Boalt Hall School of Law, University of California at Berkeley; Co-Chair, NASDAQ Listing and Hearing Review Council. The author is a former member of the United States Securities and Exchange Commission Advisory Committee on Smaller Public Companies (2005-2006).
The authors gratefully acknowledge the contributions of Bryan Ketroser, an associate at Wilson Sonsini Goodrich & Rosati.
Michigan Law Review [Vol. 105:1643
We are not confident that these or any other reforms will be sufficient to remedy the problems already created by Section 404. The audit profession has incorporated inefficient Section 404 procedures into its integrated audit framework, and experience suggests that auditors are loath to weaken processes already in place. While the Commission and the PCAOB should act aggressively to rationalize Section 404 costs, Section 404 as implemented under the current rules may have established an irreversible process that will continue to impose inefficient costs on publicly traded firms for years to come.
TABLE OF CONTENTS
INTRODUCTION ... 1644
I. THE HISTORY AND EVOLUTION OF SECTION 404 ... 1649
II. BASIC COST-BENEFIT ANALYSIS ... 1657
III. THE SUBSTANTIVE FIX ... 1660
    A. A Precise Definition of the Problem ... 1660
    B. A Proposed Solution ... 1666
IV. THE PROCEDURAL FIX ... 1667
    A. A Precise Definition of the Problem ... 1667
    B. A Proposed Solution ... 1668
V. THE SMALL COMPANY PROBLEM ... 1669
CONCLUSION ... 1672
POSTSCRIPT ... 1673
INTRODUCTION

It's time to fix the rules that implement Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley Act" or "Sarbanes-Oxley").[1] Section 404 is a delegation of authority to the Securities and Exchange Commission ("Commission" or "SEC") to "prescribe rules" governing management's internal control reports, and to the Public Company Accounting Oversight Board ("PCAOB") to "set standards for attestation engagements" relating to management's reports.[2] The difficulties arise not in the text of Section 404 but in the structure of the rules adopted by the PCAOB, and approved by the SEC, implementing Section 404. The specific language of Auditing Standard No. 2 ("AS2"),[3] which defines the standards for attestation referenced in the statutory text, was a product of these rules.

1. 15 U.S.C. § 7262 (Supp. IV 2004).
2. Id.
3. AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS, Auditing Standard No. 2 (Pub. Co. Accounting Oversight Bd. 2004) [hereinafter AS2], effective pursuant to Order Approving Proposed Auditing Standard No. 2, Exchange Act Release No. 49,884, 69 Fed. Reg. 35,083 (June 17, 2004).

June 2007] Fixing 404 1645

An important political point deserves emphasis at the outset. There is nothing inherently wrong with the language of Section 404 as enacted by Congress. It is entirely possible for strong supporters of Sarbanes-Oxley to be vigorous opponents of Section 404 as implemented by the PCAOB and the SEC through AS2. This Article's critique is directed entirely at AS2. Resolution of these problems will not require Congressional action because the PCAOB and the Commission can implement all necessary and appropriate amendments at the administrative level.
While there is substantial debate over the costs and benefits of Section 404 as implemented by AS2, there is far greater consensus that the PCAOB's rules are not cost effective in the sense that a very large portion of Section 404's benefits can be generated while imposing substantially lower costs on the economy.[4] Consistent with this view, the head of the PCAOB has stated that "it is . . . clear to us that the first round of internal control audits cost too much."[5]

The cost of Section 404 compliance seems to have surprised the very regulators who put the rules in place. A recent study found that the direct cost of implementing Section 404 in its first year averaged about $7.3 million for companies with market capitalizations in excess of $700 million and about $1.5 million for issuers with market capitalizations of $75 million to $700 million.[6] The SEC initially estimated the average cost of complying with Section 404 at approximately $91,000.[7] First-year implementation costs for larger companies were thus eighty times greater than the SEC had estimated, and sixteen times greater than estimated for smaller companies.

4. For a recent summary of the argument that the Sarbanes-Oxley Act of 2002 in general, and Section 404 in particular, have imposed heavy burdens on the economy, see, for example, HENRY N. BUTLER & LARRY E. RIBSTEIN, THE SARBANES-OXLEY DEBACLE: WHAT WE'VE LEARNED: HOW TO FIX IT (2006). For a strong assertion that the Sarbanes-Oxley Act in general, and Section 404 in particular, are "the principal factor[s] in increased costs" faced by publicly traded firms and generate a situation in which the "costs of regulation clearly exceed its benefits for many corporations," see William J. Carney, The Costs of Being Public After Sarbanes-Oxley: The Irony of "Going Private," 55 EMORY L.J. 141, 141-42 (2006). For an argument that the implementation of Section 404 has created harmful unintended consequences, see Alex J. Pollock, Undoing SOX's Unintended Consequences, TCS DAILY, May 23, 2006, http://www.tcsdaily.com/article.aspx?id=052506D. See also Donna Block, Agency attempts to clarify SOX burdens, THE DEAL, July 13, 2006 (quoting Representative Tom Feeney as stating that "[t]he high burden of regulation and compliance is outsourcing America's lead in world capital markets," and "[t]he London Stock Exchange is going around the country advertising itself as a 'SOX-free zone'"). For an example of the opposing view, suggesting that "Sarbanes-Oxley, for all its reputation as a hard-hitting law, fails to correct a crucial accounting system weakness: the potential for . . . 'moral seduction' of outside auditors," see Don A. Moore, SarbOx Doesn't Go Far Enough: Further rules are needed to counter auditors' natural bias in favor of their clients, BUS. WK., Apr. 17, 2006, at 112. See also Don A. Moore et al., Conflicts of Interest and the Case of Auditor Independence: Moral Seduction and Strategic Issue Cycling (Harvard Bus. Sch., Working Paper No. 03115, 2005).
5. PCAOB, PCAOB Issues Guidance on Audits of Internal Control, May 16, 2005, http://www.pcaobus.org/news_and_events/news/2005/05-16.aspx (quoting Chairman William J. McDonough). As a technical matter, the optimal implementation of Section 404 regulations would equate the rules' marginal social benefit of compliance with their marginal social cost. It is therefore entirely possible for one to believe that Section 404 rules generate aggregate benefits in excess of their costs but that the Section 404 rules are nonetheless socially wasteful because they force expenditures beyond the level at which marginal benefits equal marginal costs. The proposal described in this paper presents just such a set of recommendations. For a more complete treatment of this subject, see Section III, infra.
6. CRA INT'L, SARBANES-OXLEY SECTION 404 COSTS AND IMPLEMENTATION ISSUES: SURVEY UPDATE 5-6 (2005) [hereinafter SARBANES-OXLEY SECTION 404 COSTS AND IMPLEMENTATION ISSUES].
7. Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Securities Act Release No. 8238, 68 Fed. Reg. 36,636, 36,637 (June 18, 2003) [hereinafter Management's Reports] ("Using our PRA [Paperwork Reduction Act] burden estimates, we estimate the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act to be around $1.24 billion (or $91,000 per company)."). To be sure, this estimate relates only to Section 404(a) and not to Section 404(b), but it is hard to conceive that the stand alone costs of Section 404(b) compliance would dramatically change the Commission's cost analysis.

This observation raises additional questions about the fundamental cost-benefit calculus underlying Section 404's implementing regulations. If, at the time of the rules' adoption, regulators believed that AS2 would generate benefits in excess of projected costs, by how much did they expect benefits to exceed costs? Did they believe that benefits would exceed costs by some modest amount, or did they actually believe that AS2's benefits would range from sixteen to eighty times greater than its expected costs? It follows that, unless regulators believed that AS2 would generate benefits enormously in excess of its projected costs—a proposition entirely unsupported by the record—the standard has sorely disappointed its drafters. AS2 may stand as one of the greatest failures of cost-benefit analysis in the history of the Securities and Exchange Commission.

The debate over Section 404's cost effectiveness is not limited to its first-year implementation costs.[8] While Section 404 start-up costs were quite high and second-year compliance costs appear to be lower, there is significant dispute over the magnitude of second-year cost declines. Data generated in a study supported by the audit industry suggest that average second-year Section 404 compliance costs for smaller companies were $900,000, or 39% less than first-year costs, and that second-year compliance costs for larger companies averaged $4.3 million, or 42% less than first-year implementation costs.[9] In contrast, a study by Financial Executives International found that "total average cost for Section 404 compliance . . . during fiscal year 2005 [was] down 16.3 percent from 2004," and suggests that these reductions were only "about half of what were anticipated"[10] and about half of the magnitude of the cost declines reported by the audit industry's sponsored study.

8. The actual cost-benefit calculus as it relates to Section 404 is more complicated than this simple ratio test suggests. Section 404 compliance involves large start-up costs and lower subsequent maintenance costs. Similarly, first-year benefits of Section 404 should also be greater than benefits generated in subsequent years. A complete cost-benefit analysis would consider the full lifecycle costs and benefits of the Section 404 rules and would discount those costs and benefits accordingly.
9. SARBANES-OXLEY SECTION 404 COSTS AND IMPLEMENTATION ISSUES, supra note 6, at 6-7.
10. FEI Survey: Sarbanes-Oxley Compliance Costs are Dropping: Average Compliance Costs are $3.8 Million, Down 16% from Prior Year; Reductions About Half of What Were Anticipated, PR NEWSWIRE ASS'N, Apr. 6, 2006, http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/04-06-2006/0004335523&EDATE=.

While news of reduced Section 404 compliance costs was no doubt welcome, the simple observation that costs have declined addresses neither the core cost-benefit question nor the cost-efficiency concerns raised by the Section 404 rules. In particular, just as first-year implementation costs would reasonably be expected to exceed second-year costs, first-year implementation benefits would also be expected to exceed second-year benefits.[11] The available surveys do not, however, quantify first- or second-year benefits in a form that supports any clear inference as to whether Section 404 is more or less cost effective in its second year than it was in its first.
Further, assuming that the audit industry's more aggressive estimates of
cost declines are correct, these declines are from a very high base. The audit
industry's estimate of second-year compliance costs for the average firm
still runs about 9.5 times greater than the Commission's initial estimate for
first-year costs. For larger firms, second-year compliance costs now run
about fifty-two times the Commission's initial expectations. These data suggest that Section 404's second-year implementation costs remain quite inefficient in comparison with the SEC's initial expectations. Just as it is widely appreciated that "the first round of internal control audits cost too much,"[12] there is a high likelihood that the second round of internal control audits also cost too much. Absent fundamental reform, the third, fourth, and fifth rounds are also likely to cost too much, ad infinitum.[13]
How and why did such a gap arise between expected and actual costs?
What, if anything, can be done to bring Section 404 costs more in line with
the regulators' own initial expectations? Responding to both questions calls
for a detailed examination of the substantive definitions of two terms at the
core of the Section 404 rules—"significant deficiency" and "material weakness"—as well as a nuanced appreciation of the procedural environment in
which these rules were initially adopted and the litigation environment in
which they continue to be enforced.
From a substantive perspective, the root cause of Section 404's cost inefficiency resides in the PCAOB's definitions of the terms "significant deficiency" and "material weakness" combined with the pre-existing definition of the term "remote likelihood" as applied to the Section 404 process. As explained in detail below, these definitions force auditors and registrants to expend a great deal of effort worrying about issues that are highly unlikely ever to cause a material misstatement. More precisely, AS2 creates
11. The rationale underlying this proposition is straightforward. In the first year of Section 404 implementation, registrants would likely encounter and rectify their most serious control issues. The control deficiencies identified in subsequent years would be, in all likelihood, the more modest sorts of deficiencies that were not identified in earlier implementation cycles, and would likely generate lesser benefits. Thus, if costs in Section 404's second year of implementation were only half of first-year costs, but if benefits were only a quarter of first-year benefits, then Section 404's cost-benefit ratio for its second year of implementation could actually be twice as bad as it was in Section 404's first year of implementation.
12. PCAOB, supra note 5.
13. Although both the SEC and PCAOB rules are technically concerned with the defined term "internal control over financial reporting," for the sake of brevity this Article refers simply to "internal controls." As a technical matter, "internal control over financial reporting" comprises only that subset of internal controls addressed in the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") report which relates to financial reporting objectives. See Management's Reports, supra note 7, at 36,638-41.
1648 Michigan Law Review [Vol. 105:1643
an incentive for auditors to examine processes that arise at the borderline of
the remote and the inconsequential, processes that have an expected value
impact as low as five one-hundredths of one percent of an issuer's net income. Indeed, the technical definitions of "significant deficiency" and
"material weakness" produce a rather clear roadmap of how and why Section 404 compliance costs have mushroomed out of control, far beyond the
Commission's initial aggregate $1.2 billion estimate.[14] Until these core definitions are amended to draw auditors' and registrants' attention out of the weeds and to force a focus on processes that are likely to have a material effect on a registrant's financial statements, the Section 404 process will continue to be unnecessarily wasteful.[15]
From a procedural perspective, the audit industry is subject to three distinct incentives to push Section 404 compliance to a point of socially inefficient hypervigilance. First, the audit industry has been broadly criticized for a rash of audit failures and restatements[16] and does not want to be further criticized for failing to implement Section 404 with sufficient vigor.
As a result, auditors are encouraged to interpret the rules' ambiguities in an
expansive manner so as to require more heightened vigilance. Second, the
litigation environment has a significant in terrorem effect, and auditors are
subject to significant uninsurable litigation risk. Section 404 provides auditors the opportunity to externalize a portion of that risk by forcing audit
clients to absorb greater precautionary costs that redound to the auditors'
benefit by reducing the probability of an audit failure. Put another way, by
forcing clients to spend more money on Section 404 compliance, auditors
can reduce the risk that they will be sued because of an audit failure. Third,
auditors make money providing Section 404 audits to audit clients and selling Section 404 services to nonaudit clients. All else being equal, the more
onerous the Section 404 compliance efforts, the more money the audit profession can earn.
None of this is intended to criticize the audit profession as being unique
in any material respect. Indeed, the profession's conduct can be viewed as a
rational response to the environment in which it operates, and many professions can be criticized on quite similar grounds. Physicians, for example, are
often accused of practicing unnecessarily expensive defensive medicine because of the litigation environment in which they operate,[17] and the audit profession's reaction to the Section 404 rules can be analogized to a financial form of defensive medicine. The natural "defensive medicine" forces set in place by Section 404 cannot, however, be constrained unless the PCAOB follows through with its recent public statements and restrains audit firms from pursuing overly aggressive Section 404 implementations, just as it penalizes them for inadequate attention to Section 404.
14. See id. at 36,657.
15. The history of the terms "significant deficiency" and "material weakness" is worthy of consideration. As discussed in greater detail below, both terms were contained in generally accepted auditing standards as they existed prior to enactment of the Sarbanes-Oxley Act, and nothing in the Act required the PCAOB to redefine those concepts. The PCAOB, however, decided that the two concepts should be revised to "promote increased consistency in evaluations." AS2, supra note 3, ¶ E78. In light of subsequent experience with the impact of the newly-adopted definitions, the PCAOB may determine that the usage of these terms should once again be modified in order to avoid undue cost and inappropriate attention to immaterial matters.
16. See, e.g., Floyd Norris, Big Auditing Firm Gets 6-Month Ban on New Business, N.Y. TIMES, Apr. 17, 2004, at A1; Larry Dignan, After Andersen, accounting worries stick, CNET NEWS.COM, June 17, 2002, http://news.com.com/After+Andersen%2C+accounting+worries+stick/2100-1017_3-936813.html; Enron: Lessons from the External Auditors, CAE BULL., Dec. 7, 2001, http://www.theiia.org/CAE/index.cfm?iid=211.
The SEC and PCAOB can best reduce the cost inefficiency currently
embedded in the Section 404 compliance process through a fundamental
redefinition of the key terms that are at the core of AS2 combined with a
vigorous procedural inspection program designed to deter hypercompliance.
This Article develops the argument as follows. Part I summarizes the short but complex historical evolution of Section 404 and its implementing regulations. Part II reviews a set of basic economic concepts relating to cost-benefit analysis that help explain how and why Section 404 has been pushed
far beyond the point of economic rationality. Part III describes the issues
raised by the core definitional provisions of AS2—"material weakness" and
"significant deficiency"—and offers a "substantive fix" for these problems.
Part IV describes the issues raised by audit firm incentives in implementing
AS2 and offers a "procedural fix" for these problems. Part V expands on the
particular problem faced by smaller issuers confronting the relatively high
fixed costs imposed by Section 404. We conclude by offering observations
about the viability of reforming AS2, including the possibility that it may be
impossible to turn back the sands of time and refashion AS2 so that it generates benefits in excess of its costs. While regulators should do all they can in
an effort to regain that balance, there is room for skepticism as to whether it
can be achieved. If this skepticism proves correct, then Section 404 will be a
permanent and unjustified burden on the capital formation process in the
United States, and it will continue to impose unnecessary costs on issuers
and shareholders alike.
Early versions of this Article were circulated broadly at the SEC and
PCAOB. Subsequently, the SEC and PCAOB announced proposed amendments to AS2 that would implement all of this Article's central
recommendations. We provide a postscript that describes these more recent
developments and briefly discusses the extent to which these developments
may in fact help resolve the inefficiencies generated by AS2.
I. THE HISTORY AND EVOLUTION OF SECTION 404
Section 404(a) of the Sarbanes-Oxley Act directed the SEC to promulgate rules requiring companies reporting under the Securities Exchange Act
of 1934, as amended (the "Exchange Act"), other than registered investment
companies, to include in their annual reports
17. See, e.g., Daniel Kessler & Mark McClellan, Do Doctors Practice Defensive Medicine?, 111 Q.J. ECON. 353 (1996); David M. Studdert et al., Defensive Medicine Among High-Risk Specialist Physicians in a Volatile Malpractice Environment, 293 J. AM. MED. ASS'N 2609 (2005).
an internal control report, which shall—(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.[18]
Section 404(b) further required the company's independent auditors to attest
to and report on this management assessment. Under this directive, on June
5, 2003, the SEC adopted the basic rules implementing Section 404. These
rules were designed to be phased in over several years based predominantly
on the size of the issuer. Today, all but nonaccelerated filers are obliged to
comply with the requirements of Section 404.[19]
On June 17, 2004, the SEC issued an order approving the PCAOB's
AS2.[20] This standard, titled "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of the Financial Statements," established the requirements that apply to an independent auditor when performing an audit of a company's internal controls.[21] The rules
adopted by the SEC require management to base its evaluation of the effectiveness of internal controls on a suitable, recognized control framework
established by a body that has followed certain procedures, including distribution of the framework for public comment. While no particular
framework is mandated, the SEC and PCAOB have specifically identified
the internal control framework published by the Committee of Sponsoring
Organizations of the Treadway Commission ("COSO") as suitable,[22] and
this framework has emerged as the dominant one applied by U.S. companies. The COSO framework identifies the components and objectives of
internal control audits, but it does not contain general guidance as to the
steps management must follow in assessing the effectiveness of such controls.
Since its well-intended adoption, the actual implementation of Section
404 by companies and their auditors has been characterized by significant
cost overruns and intense criticism. For example, on July 6, 2006, SEC
Commissioner Paul S. Atkins observed that Section 404 can serve to improve the quality of financial information, but acknowledged that it is also
"cited as the law's most costly provision because of the excessive way in
18. 15 U.S.C. § 7262 (Supp. IV 2004).
19. Nonaccelerated filers are generally defined to mean reporting issuers with an aggregate market value of common equity held by nonaffiliates of less than $75 million. Cf. 17 C.F.R. § 240.12b-2 (2006).
20. Order Approving Proposed Auditing Standard No. 2, Exchange Act Release No. 49,884, 69 Fed. Reg. 35,083 (June 17, 2004).
21. Id.
22. AS2, supra note 3, ¶ 14.
which accountants and management have implemented it."[23] And while the
actual costs incurred far exceeded those anticipated for companies of all
sizes, costs in relation to revenue have been disproportionately borne by
smaller public companies.
The SEC took a number of preliminary steps designed to address the
problems encountered during the first year of Section 404's implementation. On March 23, 2005, the SEC chartered an Advisory Committee on Smaller Public Companies (the "Advisory Committee")[24] to assess the current regulatory system for such companies under the securities laws and to make recommendations for changes in a number of areas, including internal control assessments and audits.[25] On April 13, 2005, the SEC held a roundtable discussion concerning the implementation problems under Section 404. It responded to the feedback received from the roundtable by offering guidance in the form of a policy statement.[26] The policy statement included the following observations:
Although it is not surprising that first-year implementation of Section 404 was challenging, almost all of the significant complaints we heard related not to the Sarbanes-Oxley Act or to the rules and auditing standards implementing Section 404, but rather to a mechanical, and even overly cautious, way in which those rules and standards apparently have been applied in many cases. Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.[27]
In a parallel statement issued on the same day. the PCAOB urged
auditors to
• exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized "checklists" that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas);
23. Paul S. Atkins, Commissioner, SEC, Remarks Before the International Corporate Governance Network 11th Annual Conference (July 6, 2006), http://www.sec.gov/news/speech/2006/spch070606psa.htm.
24. ADVISORY COMM. ON SMALLER PUB. COS., SEC, FINAL REPORT OF THE ADVISORY COMMITTEE ON SMALLER PUBLIC COMPANIES TO THE UNITED STATES SECURITIES AND EXCHANGE COMMISSION 32-34 (2006), http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf [hereinafter FINAL REPORT].
25. See Notice of establishment of the Advisory Committee on Smaller Public Companies, Securities Act Release No. 8514, Exchange Act Release No. 50,864, 69 Fed. Reg. 79,498 (Dec. 16, 2004); Notice of first meeting of SEC Advisory Committee on Smaller Public Companies, Securities Act Release No. 8560, Exchange Act Release No. 51,417, 70 Fed. Reg. 15,699 (Mar. 23, 2005).
26. Press Release, SEC, Commission Statement on Implementation of Internal Control Reporting Requirements (May 16, 2005), available at http://www.sec.gov/news/press/2005-74.htm.
27. Id.
• use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement; [and]
• take advantage of the significant flexibility that the standard allows to use the work of others.[28]
Subsequently, in its "Report on the Initial Implementation of Auditing
Standard No. 2," issued on November 30, 2005, the PCAOB found that
"both firms and issuers faced enormous challenges in the first year of implementation, arising from the limited timeframe that issuers and auditors
had to implement Section 404; a shortage of staff with prior training and
experience in designing, evaluating, and testing controls; and related strains
on available resources."[29] Accordingly, "audits performed under these difficult circumstances were often not as effective or efficient as Auditing Standard No. 2 intends."[30] Among the "most common reasons why audits were not as efficient as the Board expects them to be" were the findings that "[s]ome auditors did not effectively apply a top-down approach [and] . . . did not alter the nature, timing, and extent of their testing to reflect the level of risk[;] [a]s a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas."[31]
The November 30 report also attempted to clarify and reinforce the meaning of some of the text of AS2 by observing that
[t]he objective of an audit of internal control is to obtain reasonable assurance as to whether any material weaknesses exist. An important corollary to this fundamental principle is that the standard does not require auditors to search for deficiencies other than material weaknesses. Further, the standard does not re-define materiality for the purposes of auditing internal control. . . . This means that the auditor should plan and perform the audit of internal control using the same materiality measures as the auditor uses to plan and perform the annual audit of the financial statements.[32]
Notwithstanding these observations, the November 30 report recognized that "[a]necdotal claims have suggested that some auditors applied a more stringent threshold to the evaluation of control deficiencies than the definitions in Auditing Standard No. 2 require."[33] More fundamentally, however,
28. PCAOB, supra note 5.
29. PCAOB, RELEASE NO. 2005-023, REPORT ON THE INITIAL IMPLEMENTATION OF AUDITING STANDARD NO. 2, AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS 1 (2005), available at http://www.pcaobus.org/Rules/Docket_014/2005-11-30_Release_2005-023.pdf [hereinafter PCAOB RELEASE NO. 2005-023].
30. Id.
31. Id. at 2-3.
32. Id. at 15-16 (citations omitted).
33. Id. at 16.
the November 30 report failed to confront the reality that AS2 states that a material weakness can arise as the consequence of the cumulative effect of a set of less significant deficiencies[34] and that the text of the standard itself therefore compels a search for control deficiencies that are, in and of themselves, submaterial.
The difference between the policy statements and reports issued by the
SEC and PCAOB and the text of AS2 is quite striking in many respects.
These statements and reports suggest a sensible approach to the audit of
control systems in which auditors avoid processes that are unlikely to be
material. In contrast, the text of AS2 is rife with language that, as a practical
matter, requires audit procedures that test the boundaries of the inconsequential and remote.
Thus far, the additional regulatory guidance has appeared to do little to
address the inefficiencies of a Section 404 audit. The perception that the
initial regulatory releases and public statements have failed to improve the
efficiency of Section 404 audits sets the stage for the later consideration of
more significant measures, including the amendment of AS2 itself, as discussed below.
The Advisory Committee issued its Final Report to the SEC in April
2006 after thirteen months of fact finding and deliberation, including oral
testimony from a wide variety of market participants and evaluation of hundreds of written comments. The Final Report contained thirty-three
recommendations in the areas of capital formation, accounting, corporate
governance, disclosure, and internal controls.[35] In its discussion of Section 404, the Advisory Committee highlighted the disproportionate costs imposed by AS2 on smaller public companies.[36] The Final Report recommended partial or complete exemptions from Section 404 requirements for smaller public companies under specified conditions, including enhanced corporate governance standards, "[u]nless and until a framework for assessing internal control over financial reporting for such companies is developed that recognizes their characteristics and needs."[37]
In April 2006, the Government Accountability Office issued a Report to the Senate Committee on Small Business and Entrepreneurship.[38] The Report recommended that in considering the concerns of the Advisory Committee, the SEC should assess the available guidance to determine if additional action was needed, noting that implementation and assessment efforts were largely driven by AS2.[39] The following month, in testimony
34. See AS2, supra note 3, ¶ 10.
35. For a discussion of the definition of smaller public company recommended by the Advisory Committee, see FINAL REPORT, supra note 24, at 14-19.
36. Id. at 32-35.
37. Id. at 43, 48.
38. U.S. GOV'T ACCOUNTABILITY OFFICE, SARBANES-OXLEY ACT: CONSIDERATION OF KEY PRINCIPLES NEEDED IN ADDRESSING IMPLEMENTATION FOR SMALLER PUBLIC COMPANIES 52-53 (2006).
39. Id.
before the House Committee on Small Business, Representative Nydia M. Velazquez highlighted the disproportionate burden of Section 404 on small firms, noting that compliance costs approach three percent of revenue for some companies and urging Section 404 relief for small companies.[40] In May 2006, Congressman Tom Feeney introduced the Compete Act to reduce the burdens associated with the implementation of Section 404.[41] If adopted, the Compete Act would provide an exemption from auditors' internal control assessment requirements for smaller public companies along the lines
recommended by the Advisory Committee. The Act would alter the standard
for review in internal control audits from a remote likelihood standard to an
objective de minimis standard of five percent of net profits. And the Act
would direct the Commission and the PCAOB to promulgate specific guidelines for measuring the terms "reasonable," "significant," and "sufficient" in
the context of internal control audits.
More recently, there has been a flurry of regulatory and other developments intended to address continued criticism regarding the inefficient
implementation of Section 404. On May 1, 2006, the PCAOB released a
statement announcing that a key area of emphasis in their 2006 inspections
of accounting firms' internal control audits would be the efficiency of such
audits, defined as whether the objectives of AS2 were being achieved with
the least expenditure of effort and resources.[42] Areas of focus include, among other matters, the degree to which internal control and financial statement audits were performed as a single, integrated process and whether a risk-based approach was used in formulating the audit.[43] A few weeks later, the PCAOB announced a four-point plan to improve the internal control audit process that, significantly, included possible amendments to AS2.[44] One amendment under consideration would "clarif[y] the definitions of significant deficiency and material weakness in internal control."[45] These new
developments are steps in the right direction. However, if, as we contend,
key definitions in AS2 are so flawed as to make the pursuit of the objectives
of the standard inherently inefficient, then the SEC and PCAOB must substantively amend these definitions, rather than merely clarify them, in order
to achieve their policy objectives. More specifically, the contemplated
amendments must change the fundamental definitions in a way that eliminates the perceived need to test near the levels of remoteness and inconsequentiality.[46]
40. Sarbanes-Oxley Section 404: What is the Proper Balance Between Investor Protection and Capital Formation for Small Public Companies?: Hearing Before the H. Comm. on Small Bus. Democrats, 109th Cong. (2006), http://www.house.gov/smbiz/democrats/Statements/2006/st050306.htm (last visited Feb. 10, 2007) (statement of Rep. Nydia M. Velazquez, Ranking Democratic Member, House Comm. on Small Bus.).
41. Compete Act, H.R. 5405, 109th Cong. (2d Sess. 2006).
42. Press Release, PCAOB, Board Issues Statement Regarding 2006 Inspections (May 1, 2006), available at http://www.pcaobus.org/News_and_Events/News/2006/05-01a.aspx.
43. Id.
44. Press Release, PCAOB, Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements (May 17, 2006), available at http://www.pcaobus.org/News_and_Events/News/2006/05-17.aspx.
45. Id. (emphasis added).
Also in May 2006, the SEC announced further steps designed to improve the implementation of Section 404. These steps included the issuing
of a concept release, discussed below, offering guidance concerning internal
control assessments. To ensure that its guidance is helpful to smaller public
companies, the Commission intends to make its guidance scalable, as recommended by the Advisory Committee.[47]
The May 2006 announcement and other recent statements by SEC officials make clear that the Commission intends to address the Advisory Committee's recommendation by promulgating a more cost-effective standard rather than through an exemption for smaller public companies. While noting the forthcoming guidance from the SEC, the PCAOB, and COSO concerning Section 404, John White, director of the SEC's Division of Corporation Finance, stated in a speech on May 25, 2006, "that it looks as if the 'unless and until' condition suggested by the Advisory Committee [as an alternative to an exemption] will be met, and the Commission has indicated that it does not intend at this time to extend a permanent exemption to smaller companies."[48] Mr. White also commented on the need to amend AS2: "After the second [Section 404] Roundtable earlier this month, and consideration of extensive public comments, the Commission and the PCAOB now agree that the PCAOB should amend AS 2 [sic], in part to fully reflect the earlier guidance in the standard itself."[49]
On May 16, 2006, COSO released a response to the recommendations of the SEC Advisory Committee suggesting that forthcoming guidance would address the Committee's concerns regarding the inefficiency and lack of scalability of current guidance.[50] The additional COSO guidance was issued
46. For an argument supporting a change in definitions such as that suggested in the Compete Act, see Pollock, supra note 4 ("In an essential reform, the Compete Act would direct the SEC and PCAOB to change the audit review standard from 'other than a remote likelihood,' which has caused Sarbanes-Oxley to be everywhere associated with nitpicking and trivial paperwork, to a reasonable 'material weakness' criterion.").
47. Press Release, SEC, SEC Announces Next Steps for Sarbanes-Oxley Implementation (May 17, 2006), available at http://www.sec.gov/news/press/2006/2006-75.htm. As foretold by that announcement, the SEC recently postponed Section 404 implementation again for nonaccelerated filers from fiscal years ending on or after July 15, 2007, to fiscal years ending on or after December 15, 2007, with respect to the management assessment; and to fiscal years ending on or after December 15, 2008, with respect to the outside auditor attestation. Press Release, SEC, Further Relief from the Section 404 Requirements for Smaller Companies and Newly Public Companies (Dec. 15, 2006), available at http://www.iasplus.com/usa/0612sox404sme.pdf.
48. John W. White, Dir., Div. of Corp. Fin., SEC, Remarks Before the SEC Institute 21st Annual Mid-Year SEC Reporting Forum: Section 404: The Need for Input (May 25, 2006), http://www.sec.gov/news/speech/2006/spch052506jww.htm.
49. Id.
50. See Letter from Larry E. Rittenberg, Chairman, Comm. of Sponsoring Org. of the Treadway Comm'n, to Christopher Cox, Chairman, SEC, & John White, Dir., Div. of Corp. Fin., SEC (May 16, 2006).
in June 2006.[51] While the COSO response is helpful in providing general guidance for smaller public companies in applying the COSO framework, it does not address the root cause of the inefficiencies experienced in implementing Section 404.
The SEC issued its Section 404 concept release on July 11, 2006.[52] The concept release was intended as a prelude to forthcoming guidance designed to improve the implementation of Section 404[53] and defined the general areas likely to be addressed in the course of Section 404 reform, including the use of company-level controls to address risk within an organization, improvement of evaluation procedures, and clarification of documentation requirements. In the press release accompanying the concept release, the SEC's then-acting Chief Accountant, Scott Taub, noted: "The guidance we issue should help companies further improve and streamline their processes for assessing the effectiveness of internal controls. We intend for the guidance to be flexible and scalable, such that it will assist companies of all sizes."[54] The press release also reiterated the SEC's intention to work with the PCAOB to amend AS2. The concept release discussed this intention further: "[B]ased on feedback received, a number of the implementation issues arose from an overly conservative application of the Commission rules and AS No [sic] 2, and the requirements of AS No. 2 itself, as well as questions regarding the appropriate role of the auditor."[55]
In the concept release, the SEC further expressed the belief that additional guidance following the comment period and revisions to AS2 "may help reduce or eliminate the excessive testing of internal controls by improving the focus on risk and better use of entity-level controls."[56] Although the concept release did not provide detail on how AS2 might be amended, Question 25 requested public comment on whether guidance would be helpful regarding the definitions of the terms "material weakness" and "significant deficiency."[57] This Article answers that question in the affirmative but argues
that mere guidance will not resolve the inherent inefficiencies resident in the
core definitions themselves. More serious surgery is required to accomplish
the objective of improving the implementation of Section 404, and the terms
"material weakness" and "significant deficiency" must be dramatically redefined if the Section 404 process is to have any chance of being reengineered
to strike a reasonable cost-benefit balance.
51. COMM. OF SPONSORING ORG. OF THE TREADWAY COMM'N, INTERNAL CONTROL OVER FINANCIAL REPORTING—GUIDANCE FOR SMALLER PUBLIC COMPANIES (2006).
52. Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting, Exchange Act Release No. 54,122, 71 Fed. Reg. 40,866 (July 11, 2006) [hereinafter Concept Release].
53. Press Release, SEC, SEC Moves Forward on Sarbanes-Oxley 404 Improvements (July 11, 2006), available at http://www.sec.gov/news/press/2006/2006-112.htm.
54. Id.
55. See Concept Release, supra note 52, at 9.
56. Id. at 22.
57. Id. at 23.
June 2007] Fixing 404 1657
The nation's two major trading markets have also commented on the harm caused by an overly conservative implementation of Section 404. Robert Greifeld, president and CEO of NASDAQ, has written that the "constant refrain I hear [from international entrepreneurs] is that when it comes time to do an IPO, they will be reluctant to list on American markets," due in large part to Sarbanes-Oxley.[58] Greifeld has also noted that "[o]ur research has shown that the burden on small companies [from Sarbanes-Oxley], on a percentage of revenue basis, is 11 times that of large companies."[59] According to a New York Stock Exchange working group, "[c]urrent implementation of SOX 404 is putting the US capital markets at a competitive disadvantage as the largest capital raising activities are taking place outside the United States due to cumbersome and costly regulations."[60] The working group identified the definitions in AS2 as one of the culprits: "The current definition regarding 'reasonable assurance' in Accounting Standard No. 2 with the focus on 'remote likelihood' is causing auditors to test controls at the lowest of levels with no real benefit being derived."[61]
II. BASIC COST-BENEFIT ANALYSIS
The problems generated by AS2 are readily illustrated by reference to classic cost-benefit analysis. Assume that it is possible to rank order all audit control procedures from most valuable to least valuable—where value is measured in terms of the marginal benefit generated by that control process—and that controls are in fact implemented in sequence from most valuable to least valuable.[62] "Top-down" planning for control audits, a process that is now strongly advocated by the Commission and the PCAOB, should naturally generate sequences of this sort.[63] Assume also that the costs of each of these audit processes can be normalized so that each control is composed of a certain number of "control equivalents," each of which has a constant dollar cost.[64] The costs generated by the 404 process would then be linear in the number of "control equivalents" implemented through an audit process. By construction, it follows that a graph describing the total benefits generated by the Section 404 process, where controls are implemented in a sequence of declining marginal returns, will show diminishing marginal returns to the number of controls implemented because the control with the greatest marginal benefits will be the first to be implemented. It also follows that a graph describing the costs generated by the Section 404 process will be linear in the number of control equivalents because the total cost of implementing any number of "control equivalents" is a constant multiple of the number of "control equivalents" being implemented.

58. Bob Greifeld, It's Time To Pull Up Our SOX, WALL ST. J., Mar. 6, 2006, at A14.
59. Id.
60. NYSE Working Group, Observations and Recommendations to Improve SOX 404, http://www.nyse.com/fxlfs/RecommendationstoImproveSOX404.pdf.
61. Id.
62. Marginal costs and benefits are measured here from a social perspective, that is, the extent to which the control generates costs and benefits to shareholders and all other stakeholders in the process. By defining costs and benefits in terms of social cost and benefit, the analysis includes effects on constituencies other than the corporation and its shareholders, such as employees who might become unemployed or auditors who might suffer financial losses in the event of a controls-related financial failure.
63. See, e.g., Press Release, SEC, Commission Statement on Implementation of Internal Control Reporting Requirements (May 16, 2005), available at http://www.sec.gov/news/press/2005-74.htm; PCAOB, RELEASE NO. 2005-009, POLICY STATEMENT REGARDING IMPLEMENTATION OF AUDITING STANDARD NO. 2, AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS, 2, 8-9 (2005), available at http://www.pcaob.com/Rules/Docket_008/2005-05-16_Release_2005-009.pdf.
Figure 1 describes just such a set of hypothetical costs and benefits for Section 404 and AS2.[65] Basic economics teaches that the auditors and the registrant should only implement controls that fall to the left of the point n* in Figure 1, that is, the point at which the marginal benefit of implementing a control equals its marginal cost.[66] By construction, every control to the left of this point generates marginal benefits greater than the marginal cost of implementing that control, and every control to the right of this point generates marginal costs that exceed the marginal benefits of implementing that control. The optimal implementation of a Section 404 process would cause controls to be implemented to the point n*, but no further. Total social benefits of the Section 404 process at the point n* are represented by the distance B in Figure 1.
FIGURE 1. ILLUSTRATIVE COST-BENEFIT PROFILE FOR SECTION 404 CONTROLS [graph not reproduced; horizontal axis: Number of Sequenced and Normalized Controls]
64. For example, if the most valuable control is five times more expensive than the average control, then that control could be described as generating costs equal to five "control equivalents." A control that is only a tenth as expensive to implement would then be described as generating a tenth of an average "control equivalent."
65. For a similar graph see W. KIP VISCUSI, JOHN M. VERNON & JOSEPH E. HARRINGTON, JR., ECONOMICS OF REGULATION AND ANTITRUST 30 (3d ed. 2000).
66. See id. at 29.
If the audit process continues to force controls beyond the point n*, then the marginal cost of implementing each of those controls is, by construction, larger than the marginal benefit generated by those controls. As a consequence, the total social benefit generated by the process will gradually diminish until the number of controls implemented equals the point n**, where the aggregate benefits generated by the Section 404 process will equal its costs. While many commentators argue over whether Section 404 costs exceed benefits, Figure 1 makes clear that if society actually implements Section 404 regulations to the point where the regulations' total costs equal their total benefits, then society will have already overinvested in the control process by adopting controls that exceed the optimal arrangement at the point n*. Simply phrasing the debate over Section 404 in terms of whether its aggregate costs exceed its aggregate benefits biases the outcome toward overinvestment in the Section 404 process.

If auditors have an incentive to force clients to adopt control processes that generate very low levels of marginal benefit, then they may force clients to adopt controls to a point such as n***, where the marginal benefit of the control to the auditor is close to zero. It is only at the point n*** that the Section 404 process ceases to generate additional benefits for auditors in terms of potential litigation risk reduction in a manner arguably consistent with the text of AS2. But at that point, the total cost of the Section 404 process exceeds its benefits by the amount C, and society would be involved in a massive overinvestment in internal control processes.
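The Figure 1 argument can be stated as equations. This formalization is an editor's addition and not part of the original article; the labels n*, n**, n***, B and C are the article's, while the control count k, the benefit function V(k) and the unit cost c are assumed notation introduced here.

$$
\begin{aligned}
&\text{Let } k \text{ be the number of control equivalents, } V(k) \text{ the total social benefit of the first } k \text{ controls, and } C(k) = c\,k \text{ the total cost.}\\
&\text{Sequencing controls from most to least valuable makes } V \text{ concave, so } V'(k) \text{ is decreasing.}\\[4pt]
n^{*}:&\quad V'(n^{*}) = c &&\text{marginal benefit equals marginal cost; } V(n^{*}) - c\,n^{*} \text{ is maximal (the distance labelled } B \text{ in Figure 1)}\\
n^{**}:&\quad V(n^{**}) = c\,n^{**} &&\text{total benefit equals total cost; net benefit is zero}\\
n^{***}:&\quad V'(n^{***}) = 0 &&\text{no further benefit to the auditor; } c\,n^{***} - V(n^{***}) = C > 0\\[4pt]
&\text{Because } V(k) - c\,k \text{ is strictly decreasing for } k > n^{*},\ \text{ it is } B > 0 \text{ at } n^{*},\ 0 \text{ at } n^{**} \text{ and } -C < 0 \text{ at } n^{***}, \text{ hence } n^{*} < n^{**} < n^{***}.
\end{aligned}
$$

A process that stops only where total costs equal total benefits has therefore already overshot the optimum by n** − n* control equivalents, which is the overinvestment the text describes.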
Figure 1 helps illustrate and explain four basic points about the Section 404 debate. First, Figure 1 focuses on a simple economic rule that has been all but forgotten in the Sturm und Drang over implementing Section 404. The Commission and the PCAOB should focus on ensuring that the Section 404 process only implements controls up to the point n*. However, as we are about to demonstrate, the wording of AS2 and the incentives built into the audit process effectively guarantee that the process will be pushed beyond this point of optimality, possibly even toward a point approaching n***.

Second, while it is entirely understandable that much of the debate has been framed in terms of the total costs and benefits generated by Section 404 and AS2, to conduct the debate on these terms is essentially to concede that the process is already suboptimal because total costs may not equal total benefits until the number of controls implemented exceeds the point at which marginal cost equals marginal benefit.

Third, because the audit profession largely decides the number of controls to be audited, and because the audit profession can apply its own private calculus to the computation of marginal costs and benefits, the audit profession has the ability to drive the number of controls to a point where the private marginal benefits to the profession equal the private marginal costs to the profession. This point can be far beyond the point at which social marginal costs equal social marginal benefits, or even the point at which total social costs equal total social benefits.

Fourth, as the Commission's chairman has recently noted, there is much room for improvement at the Commission in the application of cost-benefit analysis to the rulemaking process.[67] The challenges encountered with Section 404 may serve as an excellent starting point for self-analysis by the Commission and by the PCAOB as to how both agencies might improve their application of cost-benefit principles to the audit process.
III. THE SUBSTANTIVE FIX
While the goal of the Section 404 process is to obtain reasonable assurance that no material weaknesses exist as of the date of management's assessment, the definitions applied by AS2 require, as a practical matter, that auditors also assess the presence of "significant deficiencies." AS2 asserts that a combination of significant deficiencies can constitute a material weakness. An auditor therefore cannot reasonably conclude that no material weaknesses are present unless the auditor has also searched for significant deficiencies and evaluated those significant deficiencies to determine whether, when aggregated, they constitute a material weakness. Identifying and assessing significant deficiencies, in turn, requires that auditors identify and assess myriad control deficiencies that do not individually constitute significant deficiencies. The result is a cascade downward from the material, through matters that are merely "more than inconsequential," to matters that do not even reach the threshold of inconsequentiality, all in an overzealous effort to identify controls that might, in fact, be material.

The rules thus have an embedded incentive that drives the search not only for material weaknesses but also for less important "significant deficiencies," notwithstanding exhortations by the PCAOB that auditors should focus on material weaknesses.[68] Further, given the standards that are commonly applied by the audit profession, it is not unreasonable to approximate the lower limit of a "significant deficiency" as being triggered by a value that can be measured as five one-hundredths of one percent of a company's net profits (or of any other quantitative performance measure). We do not suggest that every Section 404 audit has actually pursued the search for significant deficiencies that reside at these extreme borders of remoteness and inconsequentiality. We merely observe that this incentive is deeply embedded in the very definitions at the core of AS2. Unless and until these definitions are changed or AS2 is otherwise amended or superseded, the root problem that drives and legitimizes the process' inefficiencies is not likely to be fixed.
A. A Precise Definition of the Problem
Auditors must issue adverse opinions if they identify material weaknesses. AS2 requires auditors to search for material weaknesses, which, as a practical matter, requires that they search for significant deficiencies and, below that threshold, control deficiencies generally.[69]

67. See Christopher Cox, Chairman, SEC, Remarks Before the Securities Industry Association (Nov. 11, 2005), http://www.sec.gov/news/speech/spch111105cc.htm.
68. See supra notes 26-31 and accompanying text.
69. See AS2, supra note 3, ¶ 18.
A significant deficiency is defined as

a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.[70]

The definition includes a note clarifying that "[a] misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements."[71] The import of this language is difficult to overstate. The note expressly explains that unless the auditor can reasonably reach the affirmative conclusion that the potentially aggregated misstatements, including the possibility of further undetected misstatements, would clearly be immaterial, then a significant deficiency must be found whenever the likelihood is greater than remote. This is, of course, in many instances a difficult conclusion to reach, and experience has shown that this standard can lead to the identification of vast numbers of significant deficiencies.

A material weakness is defined as "a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected."[72] Here again, because material weaknesses can arise through the aggregation of significant deficiencies, auditors must inquire not only at the high level of presumptive materiality but well down into the weeds to ascertain which combination of significant deficiencies might aggregate to have a material effect.

The usage of these terms in the promulgation of AS2 is striking when compared with their usage in generally accepted auditing standards as they existed prior to enactment of the Sarbanes-Oxley Act. AU Section 325 of the American Institute of Certified Public Accountants' Professional Standards ("AU 325"), "Communication of Internal Control Related Matters Noted in an Audit," provided guidance in identifying and reporting conditions relating to an entity's internal controls observed during an audit of financial statements.[73] AU 325 employed the concepts of "reportable conditions" and "material weaknesses." Reportable conditions were broadly defined as

matters coming to the auditor's attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.[74]

A material weakness was defined as

a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.[75]

70. Id. ¶ 9.
71. Id.
72. Id. ¶ 10.
73. AM. INST. OF CERTIFIED PUB. ACCOUNTANTS, CODIFICATION OF STATEMENTS ON AUDITING STANDARDS (INCLUDING STATEMENTS ON STANDARDS FOR ATTESTATION ENGAGEMENTS) AU § 325 (2001).
Under the preexisting standards, "reportable conditions" were deficiencies judged by the auditor, in its experience and discretion, to be worthy of reporting to the audit committee, rather than deficiencies that cross the hair-trigger threshold of "more than remote and . . . more than inconsequential," as per the new AS2 concept. Likewise, the preexisting standards set the likelihood threshold for the presence of a material weakness at a "relatively low level," rather than at the more stringent AS2 threshold of "more than remote." AS2 thus introduced a major innovation through its definitional shift away from preexisting auditing standards. Congress did not require this innovation in the Sarbanes-Oxley Act.
The quantitative implications of these definitions also bear close consideration. The audit profession has further clarified the term "inconsequential" as used in AS2's definition of significant deficiency as relating to "[p]otential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality," subject to the proviso that even smaller amounts can be considered as more than inconsequential "as a result of the consideration of qualitative factors, as required by AS 2."[76]

Therefore, if one begins with the common assumption that a 5% change in net income or in some other quantifiable accounting measure is material,[77] then the audit industry's definition of "inconsequential" suggests that a 1% change (which amounts to 20% of 5%) in an annual or interim financial statement line item may be the dividing line between consequential and inconsequential—subject, of course, to the proviso that items can certainly be material at levels lower than 5% and that items can also be consequential at levels lower than 1%. Accordingly, the 1% test would seem to define the upper bound of inconsequentiality.

74. Id. AU § 325.02 (emphasis added).
75. Id. AU § 325.15 (emphasis added).
76. A FRAMEWORK FOR EVALUATING CONTROL EXCEPTIONS AND DEFICIENCIES 15 (2004), available at http://www.deloitte.com/dtt/cda/doc/content/us_assur_Framework-Version3%281%29.pdf (version 3).
77. Studies suggest "widespread use of a 'rule of thumb' of five to ten percent of net income" as an objective measure of materiality. SEC Staff Accounting Bulletin No. 99, 64 Fed. Reg. 45,150, 45,152 (1999), available at http://www.sec.gov/interps/account/sab99.htm (citing FIN. ACCOUNTING STANDARDS BD., STATEMENT OF FINANCIAL ACCOUNTING CONCEPTS NO. 2: QUALITATIVE CHARACTERISTICS OF ACCOUNTING INFORMATION ¶ 167 (1980), available at http://www.fasb.org/pdf/con2.pdf). However, SAB 99 rejects exclusive reliance on a quantitative test for determining materiality.
The term "remote likelihood" is defined to have "the same meaning as the term 'remote' as used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ('FAS No. 5')."[78] Paragraph 3 of FAS No. 5 explains:

When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:

a. Probable. The future event or events are likely to occur.
b. Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
c. Remote. The chance of the future events [sic] or events occurring is slight.[79]

An event is therefore "'more than remote' when it is either reasonably possible or probable."[80]

The PCAOB has expressly stated that:

the terms "probable," "reasonably possible," and "remote," should not be understood to provide for specific quantitative thresholds. Proper application of these terms involves a qualitative assessment of probability. Therefore, the evaluation of whether a control deficiency presents a "more than remote" likelihood of misstatement can be made without quantifying the probability of occurrence as a specific percentage.[81]
We put aside for the moment the unassailable fact that probabilities are mathematical constructs and must therefore correspond to some quantitative value or range of values. Due to the absence of quantitative guidance, people will implicitly assign different quantitative values to the phrases "reasonably possible" or "remote" or, alternatively, reduce the analysis to the vagaries of subjective feelings. This variability adds to the difficulties generated by the definitions at the core of AS2.
These definitions inescapably imply that, in order to determine whether a company's controls suffer from significant deficiencies, auditors are required as a practical matter to evaluate a broad spectrum of controls, all the way down to the border between those that (a) raise a more than remote likelihood of an immaterial—but more than inconsequential—misstatement of the company's financial statement, and (b) raise a less than remote likelihood of an inconsequential misstatement. Because it will often be impossible for auditors to know, ex ante, on which side of that border any particular control or combination of controls might fall, this process can easily require the evaluation of many controls that are ultimately determined to fall below either the remoteness or inconsequentiality thresholds. If we then import into this analysis the prior observation that the borderline between consequentiality and inconsequentiality is no more than 1% of net profit (or of any other objective accounting measure), then auditors must search for controls near the border between (a) those that raise a more than remote likelihood of an immaterial—but more than 1%—misstatement of the company's financial statements, and (b) those that raise a less than remote likelihood of a 1% misstatement.

78. AS2, supra note 3, ¶ 9.
79. Id. (quoting ACCOUNTING FOR CONTINGENCIES, Statement of Financial Accounting Standards No. 5, ¶ 3 (Fin. Accounting Standards Bd. 1975)).
80. Id.
81. PCAOB RELEASE NO. 2005-023, supra note 29.
Further, if we assume for sake of argument only, and clearly against the PCAOB's direct instructions, that a probability of 5% or less would constitute a less than remote probability, then the preceding articulation of the definition of significant deficiencies implies that auditors have cause to search for any audit control processes with a 5% probability of a 1% implication for a firm's financial statements. The expected value of a 5% probability of a 1% impact is only five-hundredths of 1% of net profits, or of any other objective line-item accounting standard that might be selected. This is, by any standard, a low threshold of sensitivity for triggering an audit requirement.

At this point, the game is immediately lost and massive inefficiencies become hard-wired into the system. It is impossible for an auditor to determine whether the probability of an event is more or less than remote (say 5%), or whether the consequence of any failure would be more or less than inconsequential (say 1%), unless the auditor dives deeply into the weeds in search of the elusive border that distinguishes "more than remote events with sub-material but more than inconsequential implications" from events that are too remote or inconsequential to be categorized as a significant deficiency.
Unless and until these definitions are amended, the prospects for meaningful and efficient reform are quite limited because all other modifications or interpretations of AS2 will relate to a process by which auditors are either obligated or encouraged to search for low-probability, low-magnitude events with which they probably should not be concerned in the first instance. Absent such reform, it becomes inevitable that the Section 404 audit exercise will generate exceptionally large costs as it addresses a wide range of processes that will never have a material effect on the company's financial statements. As former SEC Commissioner Glassman observed, the idea of a company having 40,000 "key controls" is an oxymoron, and a "check the box" exercise for Section 404 compliance is "inefficient and ineffective."[82] Yet that result appears to be an inescapable consequence of the definitions inherent in AS2.

82. Glassman Says 404 Rules Aimed at Holding Management Accountable, 37 Sec. Reg. & L. Rep. (BNA) No. 41, at 1738 (Oct. 17, 2005).
Several additional features of the rule compound the problems caused by AS2's approach to materiality. Bob Pozen underscored three of these features in a Wall Street Journal article.[83] First, Pozen observed that the Commission has defined internal structures and procedures for financial reporting to include "more items of information with more details than those ordinarily included in the financial reports of public companies."[84] Internal controls must therefore provide assurances that "receipts and expenditures of the company are being made only in accordance with authorization of management and directors of the company."[85] The result, as Pozen observes, is that "[b]y unlinking 'internal controls' from 'financial reporting' in Section 404, the SEC encourages management and auditors to scrutinize detailed procedures for controlling ordinary expenditures . . . even in cases where they are clearly immaterial to the company's financial reports."[86]

Pozen also observes that AS2 states that an auditor must apply materiality "in an audit of internal controls over financial reporting at both the financial-statement level and at the individual-balance level."[87] This "tends to lead management and auditors to incur tremendous expense by examining controls over balances that are not financially significant for the company as a whole—for example, reserve balances in a minor subsidiary, or inventory balances in a small factory."[88]

Finally, Pozen observes that AS2 states that "'[t]here is no difference in the level of work performed' by the auditors when attesting to management's assessment of the company's internal controls, versus when the auditors express an opinion directly on the effectiveness of the company's internal controls."[89] This aspect of AS2 forces redundancy in the testing process because "[m]anagement must test all of the company's internal controls" but the auditors can rely on management's testing "only for less important areas of internal controls."[90]

Taken together, Pozen's observations suggest that the text of AS2 contains provisions that amplify the rules' tendency to force a focus on obscure and immaterial process controls and provide a rationale for applying insufficient processes to audit those controls. This is hardly a recipe for a cost-efficient regulatory process.
83. Robert C. Pozen, Why Sweat the Small Stuff?, WALL ST. J., Apr. 5, 2006, at A20.
84. Id.
85. Id.
86. Id.
87. Id.
88. Id.
89. Id.
90. Id.
B. A Proposed Solution
The problem generated by the rules' incentive to search for low-probability/low-magnitude events can be addressed by amending AS2 so that auditors are required to test only for material weaknesses and not for significant deficiencies. The definition of a "material weakness" should be restated as a weakness that creates a likelihood that a material misstatement will not be prevented or detected at a probability threshold that is meaningfully greater than "remote"—for example, to return to the terminology of AU 325, where there is more than a relatively low level of risk of material misstatement of the financial statements. If, and to the extent that, AS2 maintains the concept that the aggregation of significant deficiencies can lead to the existence of a material weakness, then a revision to the likelihood threshold for material weaknesses should also be combined with a restatement of the definition of the term "significant deficiency." A significant deficiency should then be understood as a control deficiency that creates a likelihood that a misstatement will not be prevented or detected at a probability threshold that is meaningfully more than "remote" and with a magnitude meaningfully greater than inconsequentiality. The various policy statements and other exhortations by the Commission and PCAOB are insufficient as long as the rules themselves are hard-wired with definitions that can easily be used to rationalize processes that test the fringe of remoteness and inconsequentiality.

This proposed standard would raise the probability threshold above the level of remoteness and the materiality level above the level of inconsequentiality that now triggers the search for significant deficiencies while still pursuing inquiries that would catch reasonably possible material failures. This is an entirely rational point at which to begin the inquiry into the adequacy of controls.

The controls that would no longer be subject to audit under this modified standard are those where the risk of a material misstatement falls beneath a relatively low level. Expenditures on these low-likelihood, sub-material controls can be a significant contributing factor to Section 404 compliance costs. By eliminating the need to address these controls, compliance costs can be reduced while focusing auditor attention on the reasonable risk of a material misstatement—which is where the auditors' attention belongs in the first instance. Such a redefinition would also be consistent with the PCAOB's own repeated exhortations that the purpose of the audit is only to obtain a reasonable assurance that no material weaknesses exist as of the date specified in management's assessment.[91]
91. See supra note 32 and accompanying text.
IV. THE PROCEDURAL FIX
A. A Precise Definition of the Problem
Whatever the substantive definition ofthe requirements imposed by Section 404, simple economic analysis suggests that the audit industry, acting
rationally and in a manner similar to that which would be followed by other
professions subject to analogous economic and social forces, has a powerful
incentive to force their clients to overinvest in Section 404 compliance.
Three distinct factors contribute to this powerful tendency.
First, the audit profession has been thrashed before Congress, in the media, and in the courts for a range of accounting frauds and restatements.
Section 404 requirements create a new set of audit-related demands that can
form the basis for further criticism and additional liability if the audit industry proves too lax in compliance. The easiest way for the industry to avoid
such criticism and liability is to be quite demanding when it comes to Section 404 compliance and to interpret any atnbiguity in the rules as requiring
the investment of additional resources by audit clients.
Second, the new federal enforcement climate and the threat of class action securities fraud litigation create great personal and financial risk for the
profession. A large portion of this financial risk is uninsurable. It is reasonable for auditors to calculate that requiring clients to purchase additional
Section 404 control processes can reduce the probability that an audit will
result in a litigation claim. Auditors therefore have an incentive to require
that clients continue to spend on Section 404 compliance up until the point
where the marginal benefit to the auditor (not to the client or to society) equals
the marginal cost to the auditor, which could well be zero. The net result is a
surfeit of detailed compliance processes that auditors can point to as consistent with Section 4O4's ambiguous requiretnents. These processes can reduce
auditors' litigation exposure but can be hugely wasteful to society.
Third, Section 404 can act as a profit center for the audit industry. Section 404 has significantly increased the number of hours billed by the audit profession, and reports suggest that the first full year of Section 404 compliance was highly profitable for auditors as well as for other providers of Section 404 services. To the extent that the audit profession can also increase its profitability by adopting an expansive view of Section 404's requirements, it would ignore human nature to suggest that these incentives are irrelevant to the profession's actual conduct.
In addition to these three incentives, a fourth factor must also be considered in crafting an effective solution to the Section 404 implementation problem: the inertia of established practices and policies that have evolved as part of the integrated audit. AS2 encourages integration of the financial
92. See supra note 16 and accompanying text.
93. See, e.g., Amy Gunderson, Can't Find an Accountant?, INC., Aug. 2005, at 19; Mark Jaffe, Sarbanes-Oxley a Boon for Auditors, N.Y. Sun, Nov. 5, 2004, available at http://www.nysun.com/anicie/4372; Thomas E. Hartman, The Cost of Being Public in the Era of Sarbanes-Oxley (June 16, 2005), http://www.fei.org/download/foley_6_16_2005.pdf.
1668 Michigan Law Review [Vol. 105:1643
statement audit and the internal control audit. In an integrated audit, the auditor designs and executes procedures that accomplish the objectives of both audits. According to the PCAOB, most auditors were unable to integrate their first-year audits under AS2, due largely to timing constraints. Because of the PCAOB inspection process and client pressure to reduce costs, the trend towards the integrated audit has continued to gain momentum, and there is evidence to suggest that such integration may be partially responsible for the decline in second-year costs. Although integration of the two audits is intended to enhance process efficiency, integration also raises the possibility that the level of review currently required under AS2 has been "hard-wired" into existing processes. If so, it may be very difficult to reduce Section 404 compliance costs through amendments to AS2 because AS2 will no longer apply to a discrete component of the audit process and the entire integrated audit process will have to be reworked in order to achieve the necessary efficiencies. The inefficiencies propounded by Section 404's early implementation may already be so well entrenched in the integrated audit process that there is little meaningful hope that an amendment of AS2, no matter how well crafted, can return the system to a point where the marginal costs of compliance equal the marginal benefits.
B. A Proposed Solution
The PCAOB is the only organization reasonably positioned to constrain the audit profession's natural and unavoidable tendency to push clients to overinvest in Section 404 compliance efforts. The PCAOB should not only inspect firms for the possibility that they have failed to be sufficiently diligent in reviewing Section 404 compliance, but it should also investigate whether the firms, in their dealings with audit and nonaudit clients, have recommended procedures that were not reasonably necessary to comply with Section 404. As noted earlier, the PCAOB has recently stated that it will emphasize efficiency in connection with its 2006 inspections. However, the PCAOB's ability to deter inefficient Section 404 audits will be constrained until the core definitions that shape Section 404 audits are substantively amended. Under the current scheme, which rationalizes the search for processes at the edge that might have a remote possibility of having an inconsequen...