Reducing Sarbanes-Oxley Compliance Costs
Is the Top-Down, Risk-Based Audit Approach a Solution, or a Mistake?
By Thomas A. Basilo
January 2007

I think everyone would agree that the costs of complying with section 404 of the Sarbanes-Oxley Act of 2002 (SOX) have been excessive. I also think that something needs to be done to reduce the costs for nonaccelerated filers, because, relative to the size of the company, those costs are expected to be more significant than for most accelerated filers. The Public Company Accounting Oversight Board (PCAOB) is currently drafting new guidance that uses the “top-down, risk-based approach” (specified in the PCAOB’s May 2005 guidance to audit firms) as part of a solution for reducing the cost of SOX. I am not convinced that this approach is the answer.
Historical Background and the Big Picture
In a top-down, risk-based approach, the auditor identifies the controls to test by starting with entity-level controls and then moving on to controls over significant financial statement accounts. Finally, the auditor examines individual controls at the transaction level, as well as disclosure controls.
This approach is the same starting point that most SOX consulting firms advised for the first wave of accelerated filers. There seems to be a misconception that this approach was not considered for accelerated filers. It was, in fact, strongly recommended by the PCAOB in its Auditing Standard (AS) 2. Certainly, the tone at the top is extremely important in assessing the nature, timing, and extent of testing of process-, transaction-, and application-level controls. What, then, is so different about the PCAOB’s May 2005 guidance that it will lead to drastically reduced SOX compliance costs?
A few years ago, the use of risk-based auditing by the Big Four was deemed to be a major contributor to the frauds at HealthSouth, Tyco, Parmalat, and WorldCom. In 2004, Jonathan Weil, then a reporter for the Wall Street Journal, was extremely harsh on auditors and stated that a risk-based audit can miss problems. In 2003, PCAOB board member Daniel Goelzer called the risk-based approach a major contributor to the erosion of public trust in auditing.
I firmly believe that risk-based auditing is one of the main reasons for the high cost of SOX compliance. The risk-based audit approach usually minimizes the testing of controls and focuses the audit on a test of significant or high-risk balance sheet accounts. When the audit concentrates on accounts identified as high risk, other areas that may pose risk but have not been labeled as such are often overlooked. Because many auditors have been using a risk-based audit approach in their financial statement audits, many companies, in an effort to satisfy their auditors’ needs, have failed to keep their internal control system documentation current for less-relevant accounts, and therefore need considerable time to update that documentation for SOX compliance.
When I began my auditing career 35 years ago, all of the then–Big Eight were using an integrated audit approach (defined as a process that combined detailed testing of internal controls with testing of the year-end balance sheet). The years passed, and competition for clients became intense as rules restricting advertising and the unwritten agreement to “not covet thy competitor’s client” went by the wayside.
Pressures on cost containment became paramount, and bidding wars ensued as the audit became more of a commodity. The integrated audit approach was deemed inefficient, and auditors began to develop new approaches to reduce costs. KPMG is widely believed to have been the first firm to advocate risk-based auditing, in the early 1990s. Because the “new” audit approach reduced audit hours by greatly reducing the time required to assess internal controls, all of the other large firms quickly embraced it, which led to a reduction in both internal control system documentation and detailed internal control testing.
The bigger picture indicates that the integrated audit approach was shelved in favor of the risk-based audit approach because of the difficulty auditors had in making the correlation between internal control testing and the reduction of year-end tests of balance sheet items. Even if no exceptions were found in any of the internal control tests, auditors were hard-pressed to find which substantive tests of account balances could be reduced or eliminated at year-end. For example, maybe the number of accounts receivable confirmations could be reduced, or the number of bank reconciliations could be cut back, but because both areas were always considered high-risk, the audit partner was often reluctant to go that route.
As the audit became a commodity, many accounting firms started to more aggressively pursue new areas for revenue enhancement, such as consulting and tax shelters. Ultimately, this laid the foundation for the unfortunate incidents that placed a dark cloud over the profession.
Identifying high-risk areas is a matter of judgment, and these judgments are not always easy to make. Some risk areas are somewhat obvious. For example, the application of new accounting rules is high-risk, and auditors pay significant attention when a new rule needs to be adopted. Similarly, complex accounting rules, such as hedging and derivative accounting, business combinations, and revenue recognition, are also audited closely. Determining other areas of risk is not so easy, and the assessments of those risks can be inconsistent.

Monographs issued by the Big Eight started to talk about the use of analytical techniques, industry data, and more involvement in the planning process by the partners as supplements to the risk-based audit, to compensate for the lack of detailed internal control testing. Back in the 1980s, however, attitudes were different, and the investment community generally understood that the auditing standards emphasized the limitations on the auditors’ ability to detect fraud, especially if there was collusion.
It seems to me that a major cause of the corporate fraud that led to SOX can be traced back to the institution of risk-based auditing, because audits became predictable. Merely asking questions of top executives regarding risks, and documenting their responses—which drove the selection of the nature, timing, and extent of audit procedures—often did not work, because the executives being asked the questions were also the ones involved in the fraud. I wonder whether the corporate fraud issues would be as prevalent if the integrated audit of 30 years ago had been in place during the past decade. I doubt it would have prevented Enron, but it might have deterred the situations at WorldCom and HealthSouth.
Although I do not believe that instituting a top-down, risk-based approach will be the complete answer to reducing SOX compliance costs, I think the initial costs of SOX compliance were out of line and that implementing a modified risk-based approach is in order. I believe that the high initial-year costs for accelerated filers were due to three critical, but solvable, problems:
- Implementing a new standard such as SOX always takes longer the first time around. The increased experience of SOX consulting firms, coupled with improved software to manage SOX compliance, will reduce costs going forward.
- Companies neglected their internal control documentation because of risk-based auditing. Now that companies have gone through the painful initial process of updating their documentation, the SOX compliance process will go more smoothly.
- Companies that waited until the last minute to start their SOX compliance process caused an increased demand for qualified SOX consulting firms, which could not be met in time for many companies to complete their documentation and testing requirements. Today, more companies are qualified to do SOX compliance consulting work, and the nonaccelerated filers have been granted extensions through December 31, 2007. If nonaccelerated filers act soon, deadline pressure will not affect them and their costs will be reduced.
No Simple Answers
During this era of SOX compliance, there are far too many instances where simplistic answers are offered for complex questions. Companies and regulators need to use caution in thinking that any one approach will solve all of the issues. Regulators should also understand the inherent limitations of a risk-based approach and weigh the consequences of missing potential internal control weaknesses and making the compliance assessment process predictable.
AS 2 already provides for auditor reliance on the work of independent and competent internal auditors and SOX consulting firms. Many independent auditors, however, failed to use this provision in the first round of testing and chose to retest all of the accounts. The most effective way to accomplish the goal of SOX compliance is to create a well-thought-out plan with open and frequent communication among the company, its SOX consultant, and its independent auditor. This should be coupled with an independent auditor that places more reliance on internal audit work wherever permitted, but not tied solely to low-risk accounts, especially when the definition of low-risk is so subjective. We cannot afford another era of scandal and a weakened investor market caused by applying techniques that have failed in the past. As the saying goes, “Those who do not learn from history are bound to repeat it.” We are at a crossroads where this is as relevant as ever.
Thomas A. Basilo is chairman and CEO of WithumSmith+Brown Global Assurance, LLC (www.wsbga.com), Princeton, N.J.