Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting
Comments from ACCA
September 2006
We support the intention behind Sarbanes-Oxley Rule 404 and the SEC rules to implement it. We are concerned, however, that, in practice, the internal control evaluation process has become dominated by PCAOB Auditing Standard No. 2 and the way the audit standard has been applied. This has caused two problems:
- control evaluation has become over-focussed on documenting and evidencing key controls at the expense of a proper evaluation of the control environment
- the process has become more expensive than was necessary.
The control environment (as articulated in COSO and other frameworks) is the foundation of all other aspects of control; it was weakness in the control environments at Enron and WorldCom that was their undoing and which brought about the need for the Sarbanes-Oxley Act. Because the control environment includes people factors such as culture and ethics, much of its assessment has to be subjective. It is therefore something that cannot reasonably be comprehensively and totally documented. Nor can such subjective assessment be satisfactorily verified solely by traditional audit methods.
There is a danger with the present practice that the over-reliance on documentation will mean that fundamental weaknesses in the control environment are missed. Further, anecdotal evidence suggests that some companies which have found it necessary to document thousands of controls are experiencing an adverse reaction from staff who resent burdensome controls: this weakens the control environment.
If guidance on assessing internal control is to be issued, it should be brief and keep to high-level principles to avoid any risk of it becoming another set of rules.
In summary, such principle-based guidance should emphasise the importance of assessing the control environment and recognise that certain aspects of the control environment, such as culture and ethics, cannot be fully assessed by objective means alone and require subjective, but structured and rigorous, assessment by management. The following considerations are particularly relevant:
- The purpose of internal control is to enable the organisation to operate effectively and have reasonable assurance that significant risks to achieving objectives are identified and managed.
- It follows that internal control should be owned by managers and staff throughout the organisation at all levels rather than by internal or external auditors.
- Too much focus on documentation of, and compliance with, procedures can have unintended consequences and potentially create a culture which is risk averse and/or inclined to circumvent written rules.
- A structured and facilitated 'self-assessment' approach should be used as part of the evaluation process. Such an approach can be particularly effective in providing assurance on the control environment. It works best when initiated as a top-down approach involving managers and staff in constructive face-to-face communication; it can also lead to improved team working, improved control culture and better operational effectiveness.
Finally, we suggest that the PCAOB Auditing Standard No. 2 should be realigned to become consistent with any revised SEC guidance, thereby allowing both management and external auditors to apply reasoned judgement. It should be the SEC guidance, rather than any PCAOB auditing standard, which determines the approach that management follows in order to comply with s404; we are not convinced that this has been so, to date.


