The following is a written comment submitted to the Securities and Exchange Commission in connection with its proposed rule modifying the standards for internal controls under Section 404 of Sarbanes-Oxley.
It is of course commendable that the Commission is attempting now to ease the burden of Section 404 of the Sarbanes-Oxley Act. However, given the incentives of the parties involved, this effort is unlikely to be successful in significantly reducing the costs of this unnecessary and burdensome statutory provision.
Under the litigation system that prevails in the United States today, auditors and managements have a strong incentive to require and accede to excessively detailed internal controls. Auditors have incentives to require detailed internal controls because they are required to certify the adequacy of controls, and after a fraud or other loss occurs their failure to require a particular control that might have prevented the loss could well be a source of liability. Management’s incentives are somewhat more complex, since the additional costs adversely affect the company’s results, but management also receives a certain degree of protection if the absence of a control is not the reason for a financial restatement and a loss of share values for which they are sued in a class action. Together, these incentives are strongly analogous to defensive medicine--where doctors order too many tests and procedures to protect themselves against liability.
Accordingly, if the Commission sincerely wishes to reduce the burden of Section 404, it should consider the removal of a provision in its 404 regulations that goes beyond what Congress required in the Sarbanes-Oxley Act. The act required the Commission to prescribe rules that would
"(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
It is important to note that both requirements specified by Congress in section 404 refer to and are directed at controls for "financial reporting." However, the SEC’s regulation (RELEASE NOS. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03, the "404 Release") specifies that the issuer’s internal controls must also include controls for the "safeguarding of assets." The safeguarding of assets is certainly important for companies, but only under the rarest of circumstances would the theft or other loss of assets have such a material impact on a company that it rises to the level of financial reporting. Accordingly, the Commission’s initial regulation requires more than Congress sought in Section 404.
The Commission’s reasons for requiring the inclusion of the safeguarding of assets were explained in several virtually impenetrable paragraphs in the 404 Release. There, attempting to explain why safeguarding of assets was included among the internal controls required for financial reporting, the Commission stated:
Our definition also includes, in clause (3), explicit reference to assurances regarding use or disposition of the company's assets. This provision is specifically included to make clear that, for purposes of our definition, the safeguarding of assets is one of the elements of internal control over financial reporting and it addresses the supplementation of the COSO Framework after it was originally promulgated. In the absence of our change to the definition, the determination of whether control regarding the safeguarding of assets falls within a company's internal control over financial reporting currently could be subject to varying interpretation.
Safeguarding of assets had been a primary objective of internal accounting control in SAS No. 1. In 1988, the ASB issued Statement of Auditing Standards No. 55 (codified as AU §319 in the Codification of Statements on Auditing Standards), which replaced AU §320. SAS No. 55 revised the definition of "internal control" and expanded auditors' responsibilities for considering internal control in a financial statement audit. The prior classification of internal control into the two categories of "internal accounting control" and "administrative control" was replaced with the single term "internal control structure," which consisted of three interrelated components--control environment, the accounting system and control procedures. Under this new definition, the safeguarding of assets was no longer a primary objective, but a subset of the control procedures component. The COSO Report followed this shift in the iteration of safeguarding of assets. The COSO Report states that operations objectives "pertain to effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss." However, the report also clarifies that safeguarding of assets can fall within other categories of internal control.
In 1994, COSO published an addendum to the Reporting to External Parties volume of the COSO Report. The addendum was issued in response to a concern expressed by some parties, including the U.S. General Accounting Office, that the management reports contemplated by the COSO Report did not adequately address controls relating to safeguarding of assets and therefore would not fully respond to the requirements of the FCPA. In the addendum, COSO concluded that while it believed its definition of internal control in its 1992 report remained appropriate, it recognized that the FCPA encompasses certain controls related to safeguarding of assets and that there is a reasonable expectation on the part of some readers of management's internal control reports that the reports will cover such controls. The addendum therefore sets forth the following definition of the term "internal control over safeguarding of assets against unauthorized acquisition, use or disposition":
Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements.
As indicated above, to achieve the desired result and to provide consistency with COSO's 1994 addendum, we have incorporated this definition into our definition of "internal control over financial reporting." We are persuaded that this is appropriate given the fact that our definition will be used for purposes of public management reporting, and that the companies that will be subject to the Section 404 requirements also are subject to the FCPA requirements. So, under the final rules, safeguarding of assets as provided is specifically included in our definition of "internal control over financial reporting."
What one gets out of this discussion is that the safeguarding of assets was included in the 404 Release because internal controls relating to the unauthorized use or disposition of assets were included in the controls required under the Foreign Corrupt Practices Act. This is an inadequate rationale for including safeguarding of assets in the SEC’s regulations under Section 404. The FCPA is a statute that attempts to control, among other things, the paying of bribes. Obviously, a set of controls intended to address the use of assets for bribes would include provisions for the safeguarding of assets.
The point in the Release that all companies subject to Section 404 would also be subject to the FCPA is inapposite, because the internal controls under the FCPA did not have to be certified by the issuer’s auditor. Including the safeguarding of assets in the 404 Release, and subjecting these controls to an auditor’s scrutiny and certification, has probably added significant costs that Congress never intended.
Accordingly, one step that the Commission can take now that will have the immediate and certain effect of reducing the burden of Section 404 would be to withdraw that portion of its own Section 404 regulation that addresses the safeguarding of assets, and clearly goes beyond what Congress required in the Sarbanes-Oxley Act. Since the loss of assets is only in the rarest of cases a significant matter for financial statement purposes, the elimination of this requirement will immediately reduce the burden of companies and auditors, both of whom will recognize this as an area where they do not need protection against subsequent litigation.