IMA pursues alternative to COSO guidance on SOX 404

Make no mistake about it: The Institute of Management Accountants supports the Sarbanes-Oxley Act. It has even said that the legislation was long overdue.But that doesn't mean that the IMA thinks SOX is working.

IMA president and chief executive officer Paul Sharman, ACMA, said that the intent of the act is not being realized, that the problem is in implementation, and that the solution is in better guidance.

"Small public companies are struggling with SOX compliance," Sharman said. "Oddly enough, the implementation guidance was written from an external point of view, when in fact internal accounting staff are the ones that have to implement it and make it work in their businesses."

The problem has become so serious, Sharman warned, that some small public companies are considering delisting themselves from stock markets as a viable alternative.

Sharman said that auditors are generally supportive of Sarbanes-Oxley and the stiff audit requirements issued by the Public Company Accounting Oversight Board simply because they mean more work - and more fees - for audit companies.

"It's all about the attestation that auditors are doing to test management assertion that their internal controls are effective," Sharman said. "Putting auditors in charge of determining whether internal controls are satisfactory is like putting the monkey in charge of the peanuts."

And it will only get worse in 2007, he said, when smaller companies - roughly 80 percent of corporations in the United States - have to start meeting the requirements of SOX Section 404.

The burden of compliance will be relatively heavier on these companies, because they lack the infrastructure, know-how and personnel to implement new controls.

Aware of the problem, the Securities and Exchange Commission's Advisory Committee on Smaller Public Companies has suggested exempting smaller companies from the need to comply with Section 404, but critics are warning that the Sarbanes-Oxley Act makes no such allowance for any companies, and those smaller companies are precisely the ones where fraud and inaccurate financial statements occur.

The IMA has fired off a comment letter on the exposure draft, questioning the legality and wisdom of creating a multi-tier or scaled system of control governance and audit opinion reliability. A more realistic, and legal, solution, the letter said, is to find cost-effective ways to help companies comply.

"We believe that ... the focus of corrective actions to the current SOX regime should be on addressing this core root cause 'head-on,'" the letter said. "The absence of practical 'top-down/risk-based' assessment guidance for management is the real root cause that is at the heart of the massive and unintended consequences currently impacting companies of all sizes."

Can COSO handle it?

COSO - the Committee of Sponsoring Organizations of the Treadway Commission - recently took up a project to write SOX compliance guidance for small companies. Big Four firm PricewaterhouseCoopers was hired to write the guidance, but the IMA, which is one of COSO's five sponsors, said that the guidance, which is expected to be issued in late spring, isn't getting down to the fundamental problem, let alone solving it.

"The new COSO guidance is being written by auditors," Sharman said. "And why would they want to do that? For auditors. The document is checklists, not guidance for companies about how to implement internal controls. It's guidance on what auditors will be looking for - the checklist that auditors would be using."

To enable effective Sarbanes-Oxley implementation, Sharman is dedicating the IMA to the development of a "management-centric" implementation framework for SOX Sections 302 and 404, one that is focused on the identification and mitigation of real and plausible risks underlying the various accounting processes within an organization. That includes anti-fraud controls and the processes used by management to produce financial statements.

The working title of this framework is "Collaborative Assurance and Risk Design - Management Edition." To establish a basis for its guidance, the IMA has joined with the Institute of Internal Auditors to sponsor an independent research study. Parveen Gupta, a professor of accountancy at Lehigh University and co-author of Sarbanes-Oxley: A Practical Guide to Implementation Challenges and Global Response, has just compiled the raw data from the research and hopes to issue a completed study in May.

Preliminary analysis, Gupta said, indicated that companies are not really using the COSO framework that was issued in 1992, and which was never intended to be used as guidance on complying with Sarbanes-Oxley. Instead, they are using the PCAOB's Auditing Standard No. 2 to guide them toward compliance, or at least toward passing their audits.

"Management should come to the table with a certain opinion on the effectiveness of their internal controls based on a management-centric framework, and the auditors should arrive at a certain conclusion based on their auditing of the management process," Gupta said. "I, personally, am of the opinion that faulty implementation of the intent of Sections 302 and 404 is not a ground for absolving companies of any size of their responsibilities under that law. Rather, the right thing to do is to fix the implementation of this important law by taking a more management-centric, risk-focused approach."

Management accountants, Sharman said, are inherently more qualified than auditors to design, implement and monitor guidance on internal control.

The institute is pulling together an advisory board to develop and deploy the new guidance, which, it hopes, the SEC will sanctify as the appropriate framework for establishing adequate, functional, cost-effective SOX compliance. The institute plans to follow a due process involving exposure drafts and public comment.

Jeffrey C. Thomson, IMA vice president of research and practice development and a member of the COSO board of directors, reiterates that the IMA is hoping to work with COSO on the new framework.

"Our overall objective isn't to slam COSO, but to address a market need," Thomson said. "There are some good things about the COSO framework. It's principles-based, it describes what internal control is about and it has stood the test of time. But I don't know too many products that go 15 years without improvement or rejuvenation. We need to take COSO to the next level."

For reprint and licensing requests for this article, click here.
Accounting standards Regulatory actions and programs
MORE FROM ACCOUNTING TODAY