CorporateGovernor
Vol. 3, No. 1, Spring/Summer 2005

Providing vision and advice for management, boards of directors and audit committees

In this issue
Tone from the top: SEC and PCAOB issue first SOX guidance since the implementation of Section 404
Gymboree controller provides companies with building blocks for dealing with Sarbanes-Oxley requirements: An interview with Lynda Gustafson

CorporateGovernor is published quarterly by Grant Thornton LLP, the U.S. member firm of Grant Thornton International, one of the six global accounting, tax and business advisory organizations. Through member firms in 110 countries, including 49 offices in the United States, the partners of Grant Thornton member firms provide personalized attention and the highest quality service to public and private clients around the globe. For additional information on the issues discussed in this newsletter, consult your Grant Thornton client-services partner. Comments or questions to the editor may be directed to editors@gt.com. To subscribe to an electronic version of CorporateGovernor in place of a printed copy, fill out the online request form at www.grantthornton.com/corporategovernor.

Trent Gazzaway, Trent.Gazzaway@gt.com, Managing partner of corporate governance
Editor: Laura A. Perry, editors@gt.com
www.grantthornton.com
Grant Thornton LLP, US member of Grant Thornton International
© 2005 Grant Thornton LLP. All rights reserved.

Tone from the top: SEC and PCAOB issue first SOX guidance since the implementation of Section 404

During the Securities and Exchange Commission’s (SEC) April 13, 2005 roundtable meeting debriefing on the first year of Sarbanes-Oxley Section 404, both the SEC and the Public Company Accounting Oversight Board (PCAOB) received much feedback regarding the experiences of companies and auditors. During that meeting, many of the participants expressed positive comments about the impact of the implementation of SOX 404.
The primary purpose of the meeting, however, was to identify improvements that might be made in the guidance related to the implementation of the rules and standards. Along those lines, several themes emerged that have now been at least initially addressed by guidance issued by the SEC and the PCAOB on May 16, 2005.

To review, the SEC’s guidance is primarily directed towards public companies and the PCAOB’s guidance is technically directed towards auditors of public companies. But all technicalities aside, both organizations coordinate the issuance of guidance of this nature, and companies and auditors should carefully consider both.

The SEC’s guidance (http://www.sec.gov/info/accountants/stafficreporting.htm) encouraged the application of reasoned judgment and a top-down, risk-based approach to the evaluation of internal controls. This particular encouragement, which is probably the most significant of all of the guidance issued, was fleshed out in greater detail in the PCAOB’s Q&A document discussed below. In addition, the SEC offered much desired relief in three key areas:

1. As long as management is making the final determination regarding accounting application, and the auditor is not designing or implementing accounting policies, then the auditor’s related involvement and timely dialogue with management is appropriate and often desired.
2. A financial statement restatement due to errors does not automatically mean that a material weakness exists. Management and the auditor should use judgment in assessing the reasons for the misstatement in determining whether a material weakness exists.
3. Auditor-identified errors in draft financial statements should not be the sole basis for the determination that a deficiency in internal controls exists. Again, management and the auditor should use judgment in assessing the reasons for the error in determining whether a material weakness exists.

The PCAOB issued their guidance through their fifth staff Q&A document (http://www.pcaobus.org/Standards/Staff_Questions_and_Answers). Like the SEC, the PCAOB pressed for a top-down, risk-based approach, while also encouraging the further integration of the audits of internal controls with the audits of financial statements.

In calling for a top-down approach with appropriate judgment, the PCAOB suggested that auditors should first evaluate and test the company-level controls within an organization and use that evidence to support risk assessments at the account, assertion and process levels. This will prove to be the most helpful and, at the same time, the most difficult change to effectively apply in the coming year. In a nutshell, the top-down approach involves a continual filtering of risk throughout the evaluation process.

Focusing on the company-level controls first will help from an efficiency perspective because it will lend support for the auditors to lower activity-level audit scopes in certain areas. Specifically, the auditor can use the results of the company-level controls audit work to support the testing strategy for activity-level controls.

On the other hand, the elevation of the importance and impact of the company-level control audit work will prove to be one of the most difficult aspects of this latest round of guidance to apply. First, determining where company-level controls can effectively reduce risk at the activity-level will require significant judgment with few existing precedents. Likewise, determining the level to which “effective” company-level controls should reduce the amount of detailed control testing at the activity-level is equally judgmental with no existing precedents. Undoubtedly, management and the auditors will be wrestling over these judgments during the 2005 audit season.

It is important to note, however, that the PCAOB stated in the answer to question No. 44 that “testing of company-level controls alone is not sufficient.” In other words, effective company-level controls can impact the amount of testing work performed on other controls, but it will not eliminate that work.

In addition, the PCAOB’s encouragement for auditors to more fully integrate the audit of the financial statements with the audit of internal controls will help advance that cause in fiscal 2005 in the name of efficiency. However, companies should not expect auditors in the main to immediately reduce drastically the amount of substantive audit work they perform on the financial statements. It will take several years of understanding and testing internal controls before auditors, investors and regulators will be comfortable with substantial reductions in the amount of financial statement audit work for the average company. That said, the understanding and comfort gained last year will have a positive impact on the efficiency of the upcoming financial statement audit process.

The PCAOB also provided relief in the following areas by allowing for:

1. The expansion by the auditor of the use of others’ work (e.g., internal audit) to support their audit conclusions in areas of lower risk, or in areas where the company’s test was conducted by someone not directly responsible for the execution of the control(s) being tested.
2. The consideration of prior year results in the current year risk assessment process.
3. Simplified information technology testing (i.e., testing for the absence of changes) in areas where an initial baseline can be established for effective controls.
4. Late-term system changes by a company as long as the auditor can test the controls over the change and any temporary controls put in place to prevent or detect errors to the financial statements during the change period.
5. More interim testing in areas where risks are deemed to be low.

Related to the interim testing issue, the PCAOB also provided some criteria to help determine the level of update testing a company may need to perform at or near year end. Factors that might impact the amount of testing necessary include the:

1. Length of time between the interim tests and year-end
2. Amount, if any, of exceptions noted during interim testing
3. Presence of significant non-routine transactions
4. Amount of judgments or estimates required in the area
5. Presence of controls related to period-end adjustments

Overall, both the SEC and the PCAOB provided much needed guidance to help ease the burden of applying Sarbanes-Oxley Section 404. But the May 16, 2005, material is not the last word. COSO is set to issue some additional guidance this summer for applying the COSO Framework. That information is being developed primarily for smaller public companies, but you can expect all companies regardless of size to gain valuable insights. In addition, the SEC and the PCAOB may issue additional material as the months go on.

The passage of the Sarbanes-Oxley Act of 2002 was the single biggest change to public company financial reporting since the Securities Exchange Act of 1934. The adoption of Auditing Standard No. 2 was the single largest change to public company auditing in the history of auditing. We can expect continued improvement for many years. The May 16, 2005, guidance is a good start.

Trent Gazzaway
Managing partner of corporate governance

Gymboree controller provides companies with building blocks for dealing with Sarbanes-Oxley requirements

An interview with Lynda Gustafson

As an accelerated filer, the Gymboree Corp.
– a well-known retailer of apparel and accessories for children and women – is a frontrunner in implementing the requirements of the Sarbanes-Oxley Act. Read as Lynda Gustafson, Gymboree controller, shares some of her thoughts on Gymboree’s experiences with the implementation process thus far.

What do you think were the biggest changes that occurred at Gymboree as a result of implementing the requirements of the Act?

I think the most significant change was the formalization of all of our processes. Things that would have been done before, but were lower on the priority list, are now a standard requirement and must happen within a certain time period. I think the documentation process, especially of accounting policies, has been very positive, solidifying the importance of the finance department in the company and improving its visibility.

However, most of the changes in our company were small rather than drastic; nothing significant stands out as something we weren’t doing before Sarbanes-Oxley was passed. You hear that several other companies have struggled with the documentation and compliance of their information technology systems. In this area we were very fortunate, having recently installed new systems to support two of our largest areas.

What are you currently doing for continued compliance to maintain the processes put in place by your company?

We are continuing to work with our steering committee, as well as with Grant Thornton, who serves as our Sarbanes-Oxley advisors, to make sure that things are still operating smoothly.

How has the relationship with your external auditor changed?

We are certainly closer with our external auditors now than in the past, as they are much more involved in all aspects of the financial reporting process. Each and every process that we perform has to be discussed as it relates to Sarbanes-Oxley and how it must be completed going forward to be compliant with the law.

In addition, as a January year-end filer and one of the first companies to comply with the legislation, we have also partnered with our external auditor in planning and updating as the law has continued to evolve and more guidance has been reissued from the regulatory agencies. Adhering to these changes in the legislation has been difficult at times, requiring us to alter things we thought were complete.

What advice do you have for other companies also going through this process?

In this process, communication is very important, especially with the departments that in the past were not part of the audit process. To help avoid confusion or problems down the road, it is critical to explain upfront what the audit process is and how it will impact each of these groups.

With fiscal year revenues of more than $590 million, the Gymboree Corporation is a specialty retailer operating stores under the Gymboree, Janie and Jack, and Janeville brands, as well as play programs for children under the Gymboree Play and Music brand. The company operates stores in the United States and Canada, in regional shopping malls and in selected suburban and urban locations. Grant Thornton LLP advised Gymboree on their Sarbanes-Oxley implementation process.