WEBMASTER NOTE: This is the unedited transcript of the Roundtable Discussion on Implementation of Internal Control Reporting Provisions held on April 13, 2005, which we received directly from the court reporter. We are posting the transcript in this form to make it available as soon as possible. ================================================================================ 1 2 3 4 5 6 UNITED STATES SECURITIES AND EXCHANGE COMMISSION 7 8 9 10 11 ROUNDTABLE DISCUSSION ON 12 IMPLEMENTATION OF INTERNAL CONTROL 13 REPORTING PROVISIONS 14 15 16 17 Wednesday, April 13, 2005 18 9:00 a.m. 19 20 21 SEC Headquarters 22 450 Fifth Street, N.W. 23 Washington, D.C. 24 25 1 C O N T E N T S 2 PAGE 3 4 Opening Remarks . . . . . . . . . . . . . . . . . . . . . . 4 5 Chairman William H. Donaldson, U.S. 6 Securities and Exchange Commission 7 8 Chairman William J. McDonough 9 Public Company Accounting Oversight Board 10 11 Introduction and Panel One - The First Year . . . . . . . 15 12 Moderators: 13 Alan L. Beller, Division of Corporation Finance 14 Donald T. Nicolaisen, Office of the Chief Accountant 15 16 Panel Two - Reporting to the Public . . . . . . . . . . . 59 17 Moderators: 18 Alan L. Beller, Division of Corporation Finance 19 Carol A. Stacey, Division of Corporation Finance 20 21 Panel Three - Planning and Design . . . . . . . . . . . . 105 22 Moderators: 23 Andrew D. Bailey, Office of the Chief Accountant 24 Donald T. Nicolaisen, Office of the Chief Accountant 25 1 C O N T E N T S 2 PAGE 3 4 Lunch Break . . . . . . . . . . . . . . . . . . . . . . . 144 5 6 Panel Four - Documentation and Testing . . . . . . . . . 144 7 Moderators: 8 Andrew D. Bailey, Office of the Chief Accountant 9 Donald T. Nicolaisen, Office of the Chief Accountant 10 11 Panel Five - Using Judgment in . . . . . . . . . . . . . 195 12 Communication and Conclusions 13 Moderators: 14 Alan L. Beller, Division of Corporation Finance 15 Carol A. Stacey, Division of Corporation Finance 16 17 Panel Six - Next Steps . . . . . . . . . . . . . . . . . 238 18 Moderators: 19 Alan L. Beller, Division of Corporation Finance 20 Donald T. Nicolaisen, Office of the Chief Accountant 21 22 Conclusion . . . . . . . . . . . . . . . . . . . . . . . 281 23 24 25 1 P R O C E E D I N G S 2 (9:00 a.m.) 3 MR. BELLER: Good morning. Okay. Thank you all 4 for joining us, and I want to get started as close to on time 5 as we can. I'm Alan Beller, the director of the Division of 6 Corporation Finance. Don Nicolaisen, the Chief Accountant 7 for the Commission, is sitting on my right. 8 I'm going to ask the Commission chairman, William 9 Donaldson, to open the proceedings. Mr. Chairman. 10 OPENING REMARKS 11 COMMISSIONER DONALDSON: Thank you, Alan. Good 12 morning ladies and gentlemen. Thank you all for coming 13 today, and we welcome all of you on behalf of my fellow 14 commissioners sitting here, and on behalf of the Commission 15 itself. 16 I want to thank the panelists in particular for 17 their willingness to come to Washington, devote their energy 18 and constructive thinking to a topic of great importance to 19 the nation's public companies. 20 I'd also like to extend a particular welcome to 21 Chairman Will McDonough, sitting over there, and Directors 22 Kayley Gillan, Dan Goelzer, Bill Gradison, Charlie Niemeier, 23 all directors of the PCAOB, the Public Company Accounting 24 Oversight Board. 25 I think this is a great opportunity for all of us, 1 and in particular our two organizations, to work and learn 2 alongside each other. 3 And so we thought was a necessary and 4 understandable response to an unprecedented string of 5 corporate scandals, which were rooted in intolerable 6 governance, accounting and audit failures. 7 Section 404 of the Act requires that management 8 assess and report on the ineffectiveness of our internal 9 controls over financial reporting, and that the company's 10 external auditor report on both the internal controls and 11 management's assessment of these controls. 12 As I've said before, all of the provisions of the 13 Sarbanes-Oxley Act, the internal control requirements of 14 Section 404, may have the greatest potential to improve the 15 accuracy and reliability of financial reporting. 16 Strong controls are an important part of this goal, 17 because our capital markets run on the basic premise that 18 companies will present reliable and complete financial data 19 for investment and policy decisionmaking. 20 But we also understand that the process of 21 implementing the requirements of Section 404, as well as the 22 related SEC and PCAOB rules, has consumed considerable time, 23 energy, resources and has generated intense debate. 24 Our staff and the Commission and I have all heard 25 stories, as I'm sure many of you have, of substantial and 1 unanticipated expenses, including internal overhead, audit 2 fees and software expenses, companies pulling staff from 3 other strategic projects to help with internal control 4 reporting, management and auditors talking past one another, 5 and duplicative testing procedures with little or no reliance 6 on prior work. 7 With the distinguished and diverse group of 8 panelists we've assembled, this is an opportunity for us to 9 hear how the process really works for issuers in general. 10 Are these isolated instances or are they widespread? 11 Which of the problems encountered this year were 12 attributable to first-year growing pains, and which are 13 likely to reoccur each year? What are your suggestions for 14 improvement, and how can we help further? 15 We also want to know whether the steps we took to 16 ease the process, such as issuing staff guidance and delaying 17 compliance dates for some groups, were helpful. We'd like to 18 get an idea of how registrants and others feel they have 19 benefitted from the internal control reporting process. 20 We know that over 2,500 registrants have filed 21 their internal control reports by March 31st, approximately 22 eight percent reporting material weaknesses. But we also 23 heard from at least one accounting firm that within a group 24 of 225 registrants the firm audits, approximately 63,000 25 control deficiencies, that's an average of 275 per company, 1 were identified and most importantly, remedied. We look 2 forward to hearing more about these. 3 We also want to hear from investors. Was the 4 internal control information provided by companies helpful? 5 What was the investor community's reaction to reports of 6 material weaknesses? 7 This roundtable is an important vehicle for 8 gathering feedback on all aspects of the reporting process, 9 and as you can tell, I welcome the candid and constructive 10 feedback from each of our panelists, as do our Commissioners. 11 It's extremely important to me and our five 12 Commissioners, as well as the PCAOB board members, that we 13 hear the experiences and views of people who are familiar 14 with implementing the internal control reporting provisions 15 of Section 404. 16 We also want to make sure we're helping companies 17 and auditors accomplish the goals of Section 404 in the most 18 effective and efficient way. In addition to the information 19 we learned from this roundtable, we also will be considering 20 the written submissions we have received in response to our 21 request for feedback. 22 These submissions are available to the public on 23 the SEC website. The important work of the SEC Advisory 24 Committee on Smaller Public Companies, which had their first 25 meeting yesterday, also will inform our understanding of how 1 Section 404 can be implemented in a most sensible way for 2 smaller companies. 3 I'm going to keep my remarks brief, because we have 4 a lot to cover. Again, let me express my thanks to all of 5 the panels who agreed to be here today. We appreciate the 6 time that you're taking out of your very busy schedules, and 7 willingness to share your views with us. 8 We will be listening carefully, and I can assure 9 you that we intend to consider all of the different views 10 expressed today. I will have further comments at the end of 11 the roundtables regarding next steps. For now, I'd like to 12 give Bill McDonough, Chairman of the PCAOB, an opportunity to 13 say a few words before we get started. Bill? 14 MR. MCDONOUGH: Well, thank you, Bill. On behalf 15 of the Public Company Accounting Oversight Board, I would 16 like to extend our appreciation to you, your fellow 17 commissioners and the staff of the SEC for convening the 18 roundtable discussion today. 19 I know that we have all read many of the same 20 surveys about the implementation of Section 404, and that we 21 have all had occasion to meet and talk with issuers, with 22 corporate directors, and with the auditors who are on the 23 front lines of implementing the requirements of 404. 24 But this roundtable gives us an important 25 opportunity for public discussion of the specific issues that 1 companies and their auditors have confronted, as they work to 2 comply with the rigorous demands of this new law. 3 I expect, based on my own conversations, that this 4 will be a lively discussion. I hope that it will also be 5 constructive. 6 Although companies have been required to have 7 internal control over their accounting since the Congress 8 enacted the Foreign Corrupt Practices Act in 1977, there is 9 no doubt that the Sarbanes-Oxley Act's requirement for annual 10 assessments and auditor attestations to those assessments, 11 took corporate responsibilities to an entirely different 12 level. 13 At the same time that the board approved its 14 standard for audits of internal control over financial 15 reporting, my fellow board members and I acknowledged that 16 the standard would entail extra work and cost for public 17 companies. 18 We also did our best at the time of our vote and at 19 every opportunity in the year since the vote, to emphasize 20 the flexibility and judgment that we built into Auditing 21 Standard No. 2, including the provisions related to the 22 auditors' use of the work of others. 23 Unfortunately, we are hearing anecdotes that 24 auditors are not always using the flexibility available in 25 AS-2. Instead of using judgment to tailor audit programs to 1 the nature and size of an audit client, some auditors are 2 applying a checklist approach to all audit clients, 3 regardless of their complexity. 4 I will say again what I have said many times, there 5 is no one-size-fits-all approach to assessing company's 6 internal controls. Auditors should apply AS-2 in a manner 7 that is proportional to the quality of management's 8 monitoring of controls, as well as the complexity of the 9 company. 10 Untailored checklists to me are an early sign of 11 poor quality judgments, which can lead to poor quality 12 auditing. 13 On the other hand, I have no doubt that some of the 14 complaints being lodged about the assessment process being 15 too rigorous and too extensive are being lodged in response 16 to good auditors making hard decisions, auditors that are 17 putting pressure on exactly the points of poor quality 18 financial reporting that need to be squeezed. 19 Whatever actions we take, we must not undermine the 20 work of auditors who are using their best professional 21 judgment to drive exactly the kind of improvements in quality 22 financial reporting that the Act intended. 23 I have said before, we will use our inspections, 24 which begin this year in May, to assess the effectiveness of 25 registered firms' implementation of AS-2, including the 1 quality of the firm's judgments about planning audit programs 2 appropriate to the nature of their clients. 3 These inspections will provide the board with a 4 powerful opportunity to learn the substance behind the 5 anecdotes that we've been hearing. Undoubtedly, there is 6 more that we can do to encourage a smooth and reasonable 7 implementation of 404, and that is what we are here to learn 8 today. 9 It may be that some confusion or hardships in the 10 implementation of AS-2 can be addressed by additional 11 guidance. That would be the most rapid way to execute 12 changes and the most timely for companies and their auditors. 13 To the extent that what we hear today and read in 14 the comment letters causes us to believe that any of the 15 principles in AS-2 are fundamentally flawed, however, we 16 would undertake rulemaking to improve the principals. 17 In the end, no matter what action the board or the 18 Commission may take as a result of the information we gather 19 today, the ultimate responsibility for fulfilling the 20 requirements of Section 404 remains with the men and women 21 who lead and audit the companies that seek capital in our 22 securities markets. 23 The owners of those companies, investors, will 24 ultimately determine whether the benefit that inspired 25 Section 404, the increased reliability of company's financial 1 statements, is overshadowed by labor and costs that bear no 2 relationship to the goal of reassuring investors in our 3 capital markets. 4 Now with that in mind, I hope that we on the Board 5 and Commission can come away from today's discussion with 6 some very concrete ideas about specific actions that might 7 address any unintentional burdens of Section 404. 8 I also hope that participants in the roundtable 9 will share specific examples of how the closer examination of 10 internal controls has improved financial reporting, and 11 provided the confidence and assurance we are all seeking on 12 behalf of investors. I look forward to the discussion. 13 MR. BELLER: Thank you, Chairman Donaldson and 14 Chairman McDonough. We're going to dive right in here. Let 15 me lay out a couple of ground rules. I'm going to introduce 16 the panelists in a moment. 17 For the benefit of folks on the web who are 18 observing this, or listening to this via webcast, I am going 19 to tell you who's around the table and each of the other 20 moderators will do that at the beginning of the panels. 21 We have today the members of the Securities and 22 Exchange Commission, starting -- we'll do this in order. 23 Rowell Campos, Harvey Goldschmid, William Donaldson, Cynthia 24 Glassman and Paul Atkins. 25 We also have the members of the Public Company 1 Accounting Oversight Board. We're pleased to have you with 2 us this morning. Kayley Gillan, Charles Niemeier, William 3 McDonough, William Gradison and Dan Goelzer. Thank you for 4 joining us. 5 The ground rules are I think fairly simple. We 6 have a lot of subjects to cover. We have a large number of 7 panelists, because we want to get a large number of views. 8 We need all panelists to submit written statements and the 9 vast majority, if not all of them, where their organizations 10 have. 11 Those are on our public website in the file that 12 we've opened for this event, and the audience is encouraged 13 to, if they have not already, to look at them. But we are 14 going to ask panelists not to make opening statements as part 15 of today's activities. 16 There are too many of you, and we have too much 17 ground to cover. The moderators will take the liberty of 18 directing certain questions at certain members of panels, and 19 perhaps asking other members for specific follow-up. 20 On the other hand, we want this to be interactive 21 and we want this to be a discussion. We encourage panelists 22 who would like to add something with respect to any question, 23 to let us know. 24 We have over the years learned that we can learn a 25 lot from our European brethren. One of the things we've 1 learned is that the best way to run one of these things and 2 to seek to be recognized is to take your tent card and turn 3 it up on end like that. The moderators will see you. It's 4 much better than leaping out of your chair and raising your 5 hand. 6 We do want our panelists to not just echo other 7 answers that have been given, again for the sake of time. We 8 will recognize as many panelists as we can in the course of 9 the proceedings. 10 As Chairman McDonough already indicated, it would 11 be really helpful to the Commission and the board and their 12 respective staffs to have answers that are as specific as 13 possible. Also, concise and to the point. We are going to 14 try to keep this moving. We have a number of things we want 15 to cover. 16 We also very much encourage the members of the 17 Commission and the members of the board. You will have two 18 moderators here for each of these panels. Members of the 19 Commission staff, Don Nicolaisen and I, will do the first 20 panel. 21 But if any Commissioner or board member has a 22 subject that they think we're not getting to adequately or 23 has a question they want to raise, please let us know in the 24 same fashion and we will call on you and give you the floor. 25 Finally, because we are being webcast, including 1 audio, I think it's very helpful for our audience if people 2 before they speak could just identify themselves, tell us who 3 they are or tell the audience who they are. 4 With that, I'm going to introduce the first panel 5 and we're going to get started. 6 PANEL ONE - THE FIRST YEAR 7 From my left, the panel's right, the Honorable Mary 8 Bush, who's the president of Bush International and is also 9 the member and chair of an audit committee or two and a 10 director of a number of public companies. 11 To Ms. Bush's left, Michael Cook, who is also the 12 audit committee chair or a member of audit committees of a 13 number of public companies. 14 To Mr. Cook's left, Colleen Cunningham, who is the 15 president and CEO of Financial Executives International. 16 To Ms. Cunningham's left, Sam DiPiazza, who's the 17 global CEO of PriceWaterhouseCoopers. 18 Next in line, Randall Kroszner, who is a professor 19 of Economics at the University of Chicago. 20 Next to Mr. Kroszner, Bob Miles, who's the Senior 21 Vice President and Controller of Washington Mutual. 22 Next to Mr. Miles, Dr. Klaus Patzak, who is the 23 Corporate Vice President for Financial Reporting and 24 Controlling of Siemens, AG, and I want to thank Dr. Patzak 25 for coming across the Atlantic for us this morning to 1 participate. 2 To Dr. Patzak's left, Casey Sylla, who is the 3 chairman and president of Allstate Financial. 4 To Mr. Sylla's left, John Thain, who's the CEO of 5 the New York Stock Exchange. 6 And finally, to Mr. Thain's left, Lynn Turner, who 7 is with Glass, Lewis and Company, an advisory firm. 8 Thank you all for joining us this morning. I'd 9 like to start off with a rather open-ended and general 10 question. I promise you other questions in the course of the 11 day will be more pointed. But let's start with a broad one. 12 What in your view has been the most significant 13 impact of the internal control reporting requirement of 14 Section 404 in this, the first year of implementation? I 15 guess I'd like to ask Mr. Sylla to take the first crack at 16 that question. 17 MR. SYLLA: Thank you. As a sample of one fairly 18 large company, the short answer is the impact has been 19 positive. With respect to more specificity, not to suggest 20 that 2004 was the beginning of an internal control process 21 with an organization of our size. 22 But clearly, the impact of being able to increase 23 the amount of oversight and governance has been positive, 24 certainly looking at it in the long run. In the short run, 25 one could always conclude that there is a cost-benefit 1 analysis which may or may not be deemed positive. 2 However, the increased involvement -- I would list 3 two or three items very quickly. The increased involvement 4 on the part of senior management with respect to the 5 awareness of financial reporting has significantly increased. 6 There is no question about that. 7 Secondly, with respect to the awareness of 8 financial controls throughout the entire organization, on the 9 part of line managers, that awareness has increased 10 dramatically as well. 11 I would suggest finally that certainly informal 12 processes which in fact give you the ability to establish and 13 update a maintenance program will serve us well in the 14 future. 15 All of this, of course, is intended to create a 16 greater level of confidence, certainly by senior management. 17 It gives me a greater level of confidence, but more 18 importantly, with respect to our board, audit committee and 19 investors in general, we would put this very much on the 20 positive side. 21 MR. BELLER: Thank you very much. Mr. Miles, 22 what's your reaction? 23 MR. MILES: The most significant impact for our 24 organization was really the awareness that was created at the 25 senior level, senior management level throughout the 1 organization and down through the business lines. 2 Internal controls had always been a key part of our 3 structure, and certainly with the FDIC Improvement Act, banks 4 have been required to comply with an internal control 5 reporting framework for many years. 6 But I do think that this awareness was very 7 significantly strengthened, and also for the senior officers 8 that had to certify for Sections 906 and 302, this helped 9 them to have the confidence to make those assertions. 10 MR. BELLER: From the auditors' side, Mr. DiPiazzo, 11 what do you -- what would you underline as sort of the two or 12 three headline points of the overall impact in the first 13 year? 14 MR. DIPIAZZO: Mr. Chairman, I think you have to 15 reflect on the overall change of the environment that we're 16 facing today in the Sarbanes-Oxley. 17 Maybe the most significant change in behavior 18 within the capital markets, a dramatic shift of governance 19 from the executive suite to the board room, ownership by the 20 board around the issues of transparency and controls. 21 The auditors changed focus of an audit process 22 that's moving from analytics to a deeper sense of focus 23 around controls. 24 The auditor dealing with the fact that he's now 25 subject to oversight, and frankly the whole process for how 1 wide is the difficulty that our profession is having as it 2 transitioned from a self-regulated to a regulated profession. 3 Overall, I think the most significant impact coming 4 out of 404 is the transparency. Chairman Donaldson mentioned 5 60,000 deficiencies in just 200 of our clients. I think what 6 it shows is that controls were underfocused-upon. Now 7 they're owned by management, by the leadership of companies, 8 and I think significant progress is being made in remediating 9 those problems. 10 MR. BELLER: Mr. DiPiazzo mentioned transparency. 11 Mr. Turner, what's your take on the advantage that 404 has 12 brought to investors by virtue of increasing transparency 13 around the control process? 14 MR. TURNER: There's no question that investors now 15 have a better flavor for those companies who have high risk 16 with their financing reporting because of a lack of controls. 17 We've seen through the end of last Friday about 750 companies 18 actually report that they have problems. 19 The good news is that not only were investors now 20 able to determine whether those risks by NSS about what to do 21 with that, but they were also then in a number of instances 22 provided disclosures that indicated that the companies had 23 adequately dealt with those in a number of cases, which is a 24 very positive thing as well. 25 I think one of the things that's come out of this 1 process is that at the beginning of it, while there was maybe 2 a lack of awareness on the part of boards and corporate 3 executives, I think equally there was a lack of awareness 4 amongst investors, and investors really didn't know how to 5 react to this. 6 I think with the increased disclosures and 7 increased information, which is much better than what it was 8 before; we were never getting this type of disclosure about 9 weaknesses but now are, they are now able to differentiate 10 better between those companies where there's a problem that 11 they should impact the stock price, and those that aren't. 12 We are finding that the impact on the stock price 13 is very much company by company. There's no general trend. 14 MR. BELLER: Thank you. Turning this, rotating 15 this a little bit from the foreign private issuer, from the 16 non-U.S. issuer perspective, Dr. Patzak. I know your company 17 has been working very hard at implementation, even though you 18 have more time than some of the other companies represented 19 around the table this morning. 20 What would you say is different or special about 21 the impact or the experience for a foreign private issuer? 22 DR. PATZAK: I would think that the difference, 23 there is not a big difference between a foreign private 24 issuer and the U.S. company. It's more a difference between 25 an international company, a decentralized company, a company 1 doing business in a lot of industries, compared to a company 2 which is perhaps not so diverse and international. 3 For us being so diverse and fragmented was a huge 4 implementation effort. We started our 404 approach in late 5 2002. At that point of time we thought that we had to comply 6 with it at the end of our fiscal year '03. 7 Then we heard that there is a postponement, that we 8 would not have to comply at that point of time. So we 9 requested a first progress report from our auditor. Then we 10 expected to have that implementation done at the end of our 11 fiscal year '04. 12 There was another postponement, which gave us more 13 time. We requested again from our auditor a progress report 14 now based on Auditing Standard No. 2, and this standard 15 significantly changed the way how we implemented 404. 16 Now, as you know, we would even have one year more 17 time, but we are now right in the middle of the 18 implementation phase, and therefore we decided not to stop 19 our progress, and we are finishing all the implementation 20 work and testing work to be prepared for auditors to come in 21 and make their analysis. 22 As I mentioned earlier, the most significant 23 problem that we have companies all over the world. We 24 operating in 190 countries, and only -- and most of our 25 companies are insignificant by themselves, so we had to limit 1 it to companies which have revenues of 0.1 percent of our 2 consolidated revenues. 3 These companies are located in -- all over the 4 world. They are in the United States and Europe, of course, 5 and Germany. But also in India and Singapore, and that makes 6 it very costly and challenging for us to implement that. 7 MR. BELLER: I want to come back later, either to 8 this panel or later panels, at the point that Dr. Patzak has 9 identified, about both multiple locations and also the issue 10 of hundreds or dozens of smaller operations which 11 individually are not significant or material, and how they 12 have been dealt with in this process. 13 But having put that marker down, I guess Mr. 14 Koszner, I'd like to ask you. We've heard the problems of 15 people who've been on the front lines, both at the companies 16 and at the audit firms. 17 Basically benefits, perhaps more costs than 18 anticipated. What's your take on sort of the overall impact 19 and what we should be looking at in evaluating the first year 20 on both sides of the ledger. 21 MR. KROSZNER: I'm very pleased that the focus has 22 been on costs and benefits. I know that's sort of an old 23 song from economists, but it wasn't something that was always 24 part of the regulatory framework, and I praise both Chairman 25 McDonough and Chairman Donaldson and the members of the board 1 and the Commission for focusing on that issue, because that's 2 exactly how we have to think about these things, costs and 3 benefits. 4 In terms of the costs, certainly many of the 5 members of the panel have done studies by their institutions 6 to document the costs. But we have to remember that the 7 costs are not just simply based on business as usual in 2001 8 and 2000. 9 Things had to change, and the markets would have 10 changed things anyway. There would have been more emphasis 11 on internal controls, more emphasis on transparency and 12 conveying the stability and sturdiness of the internal work 13 to the outside world. 14 So we have to realize that costs would have gone up 15 under any circumstance, just by market forces, completely 16 independent of Section 404 or completely independent of 17 Sarbanes-Oxley. There have been a lot of private sector 18 responses in addition to just the internal audit pieces. 19 But the benefits are really where we have to focus 20 on now, and we're still in the early part of trying to 21 understand that. 22 There's been a lot of concern, I think, about legal 23 liability, which has gone to -- which has sometimes led to 24 extreme moves to protect against potential liability, even 25 though there may not be a great deal of substance that's 1 associated with that. 2 Mr. Turner mentioned something about market 3 reactions, and I think that's where we need to go and 4 continue to look at that much more carefully, because I think 5 that could provide very good guidance to the Commission and 6 to the board about where does the market thing that some sort 7 of deficiency is material or not. 8 Certainly there are thousands of potential 9 mistakes, problems that can come up, but many of them aren't 10 material. We shouldn't be putting our ammunition there. We 11 shouldn't be putting our costs there. We should be looking 12 at what the markets really think are important. 13 We're still in the very early stages of that. 14 We're just getting the revelations out, but I think that 15 would be a very valuable study for the Commission and the 16 board to do, for academics to continue to look at. 17 Also, as Mr. Miles had mentioned, the banking and 18 financial services industry has a good benchmark to look at 19 also, because since the FDIC Improvement Act of '91, there's 20 been an emphasis on internal controls, the so-called Basel II 21 new capital standards are really emphasizing these things 22 also. 23 So there's been a lot of work that's been done in 24 Basel on the bank regulators. It might be useful to begin a 25 discussion between the board, the Commission and the bank 1 regulators, to see where they have gone. 2 MR. BELLER: Thank you very much. Mr. Thain, you 3 talk to a lot of issuers, and I guess I'm curious as to your 4 perspective on the balance sheet at the end of the first 5 year. 6 MR. THAIN: Yes, thank you Alan. I do. My 7 perspectives here are different because I have input from 8 many of our listed companies. There are 2,760 companies 9 listed on the New York Stock Exchange. So I get input from 10 them. 11 So my comments are compilation of different views. 12 On the positive side of the ledger, and some of these 13 reflecting comments you've already heard. First, there's no 14 question that Sarbanes, actually broadly speaking, was 15 necessary and very crucial to restoring investor confidence 16 broadly. So I think that's a big plus. 17 I mean there's no question that boards are now more 18 independent of management. I think audit firms are also 19 taking a more independent posture with their clients. I 20 think there is definitely more of an awareness of internal 21 controls throughout companies. 22 I also think that both boards and senior management 23 have formalized their risk management policies, which is 24 good. I think the internal audit function has been given 25 greater importance in companies. 1 There's no question that documentation of 2 companies' policies and procedures has improved. I think 3 broadly speaking, the organizational tone at the top, the 4 emphasis on this subject has also improved. Again, all of 5 that's good. 6 Audit committees have been strengthened. I think 7 corporate behavior has in fact changed, and I broadly think 8 that the financial markets, confidence in the financial 9 markets, confidence in the integrity of financial statements 10 have all been improved. So that's on the plus side. 11 On the negative side, and I hear this a lot, and 12 this will be repetitive to what you've already said. There's 13 no question that the costs of 404 have been much higher than 14 companies had expected or I think pretty much anyone had 15 anticipated. 16 There's a lot of discussion about the cost and 17 benefits. I think there are many companies who would say 18 that they don't believe that the benefits achieved through 19 404 have been worth the costs. 20 I think a lot of what we should hope to get out of 21 today, is how can we, going forward, what things can we do to 22 keep all the benefits and all the positives, but try to 23 reduce some of the costs, try to reduce some of the 24 duplication of efforts, try to reduce some of the, what some 25 companies would say is an overly degree of focus on what they 1 would say are detailed transaction-level processes, rather 2 than bigger picture firmwide risk management issues. 3 MR. BELLER: Mr. Thain, thank you very much. I 4 want to come back to costs and spend a fair amount of time on 5 it. Before I do that, I want to continue this general theme 6 for just one more twist, and that is we have two members of 7 this panel who spend a lot of time sharing and working on 8 boards of directors and audit committees. 9 I want to ask first Ms. Bush, from the perspective 10 of an audit committee member, one of the things that 11 Sarbanes-Oxley was intended to accomplish and I believe has 12 accomplished is to increase the responsibility and importance 13 of audit committees, and particularly their direct 14 responsibility for what in plain English is sort of 15 supervising, hiring and firing external accountants. 16 From the perspective of an audit committee, and 17 with the particular question of the internal control 18 reporting requirement of 404 in mind, how do you see the 19 overall impact in the first year, and how do you see the 20 relationship between audit committee members and particularly 21 external auditors? 22 MS. BUSH: I think that formalizing the reporting 23 of external auditors to audit committees is probably a very 24 good thing. 25 I had the good fortune of having served on boards 1 and on audit committees, where we as members of the audit 2 committee always felt that we have very clear and open 3 communication with the outside auditors, and that even though 4 it's not a formal reporting relationship, that they indeed 5 did report to the audit committee. But as I say, the 6 formalization is a good thing. 7 What I find also has happened with regard to that 8 is that there is a lot more communication off line by me as 9 an audit committee chair, and by some of our other audit 10 committee members, with the outside auditors. That's also a 11 good thing. 12 That is not to say that we didn't have, as I said 13 earlier, frank and open conversations with the external 14 auditors earlier. I am accustomed for a number of years now 15 to always having the executive session with the outside 16 auditors. 17 Sometimes they are very short and sometimes they 18 take a little more time, because I personally, and some of my 19 colleagues on various audit committees, really take seriously 20 getting the views of the outside auditors on what's happening 21 internally, both with regard to the control process and the 22 financial statements. 23 Again, I think it's a good thing overall, and the 24 other point that I want to make is that the benefit from what 25 I have observed ranges the spectrum from company to company, 1 and the benefits of 404 overall. 2 I have seen some companies that -- where this was 3 probably really needed, that even though there were no 4 problems in the company, there were no problems with the 5 financial statements, the controls and the documentation of 6 the controls really were not up to par. 7 There are other companies at the other end of the 8 spectrum where the controls were in Triple A shape. Making 9 some tweaking in terms of documentation, but that was about 10 all that was required. 11 So I think that the benefits and therefore the 12 costs that somebody earlier was raising, really vary widely 13 over a wide spectrum. 14 MR. BELLER: Thank you very much. Mr. Cook, I 15 guess I'm curious as to your take on the same issues, but 16 also would ask you to address the question of whether the 17 internal control requirement has, in your view in any way 18 interfered with communications between audit committees and 19 their external auditors? 20 MR. COOK: Perhaps this is just the general view, I 21 also see and I'll try not to repeat what others have said, 22 see substantial benefits in 404. I think it would be true in 23 all companies, and the degree of benefit does vary. I agree 24 with Mary, considerably from company to company. 25 But I think a lot of folks are sort of measuring 1 the scorecard by how many people fail, as a measurement of 2 benefit. Perhaps that is at least one of the measures that's 3 appropriate. But there are a lot of excellent companies who 4 have Double A if not Triple A controls, who have 5 substantially improved their controls by the consequence of 6 the focus that's been given to controls. 7 I would suggest that the companies that I'm 8 directly involved with are fine companies; they have 9 excellent controls. I think they would have passed the 404 10 test the day Sarbanes-Oxley was passed. I think they would 11 have passed it a year ago, before the intense efforts of this 12 past year were put in. 13 But I would say each one of those companies 14 benefits from the attention that was given deficiencies that 15 were identified, improvements that were made, even though it 16 would not show up in a report, and would not necessarily be 17 evident and transparent to the investing community. 18 So I think that's an important consideration, but I 19 think -- and maybe we'll come back to this -- that may be a 20 benefit which is much more in the first year and not a 21 benefit that will be repeated as we go forward, which will 22 bring us to a different part of the cost-benefit analysis. 23 It has certainly changed what our committees do. I 24 think the audit committee agendas have been taken over. I 25 wouldn't say it's hostile, maybe not even unfriendly. But 1 there has been a takeover of our agenda during this past 12 2 to 18 months, with the focus on 404. 3 Unlike anything in my experience, all the way back 4 to the Y2K, when we spent almost all of our time at audit 5 committee meetings focused on Y2K for the best part of one to 6 two years, depending on when you got started and how long it 7 took you to finish. 8 We have spent a great deal of time on this subject, 9 and I think that's good. I think it's been good for audit 10 committee members. They have become much more aware of 11 controls. They've been educated about the controls in a way 12 that has been beneficial to them. 13 But at the same time, it has taken time away from 14 attention to other issues that are also very important, and I 15 don't think that can be continued at that level. I would say 16 my experience would be all of our audit committees have spent 17 the majority of their time during this past year -- whether 18 it's 55 percent or 65 percent of 75 percent I don't know -- 19 but somewhere over 50 percent of our time on matters related 20 to 404. 21 That's fine, but that has to go back in a different 22 direction going forward. There are important accounting and 23 financial reporting issues that need more time than they 24 received during this past year, with the level of focus on 25 404. 1 The issue about relationships with the external 2 auditing firms is interesting. We have certainly refereed as 3 many fee discussions -- I won't call them disputes -- heated 4 and spirited discussions about fees during this past year, 5 under the requirements of 404 and dealing with the costs of 6 implementing it. 7 As I have already experienced before, I don't think 8 anybody is happy with the outcome. I don't think the 9 corporate community writing the checks is happy. The 10 external auditors, despite the views of some I don't think 11 are particularly happy with the difficulties of dealing with 12 the cost issues and the client relationship issues that have 13 come from this. 14 The audit committees kind of referee, and the best 15 we can hope is that both parties will be equally unhappy at 16 the end of the day, and that's kind of the standard that we 17 aspire to. But I do think there have been -- 18 MR. BELLER: Sounds like shareholder proposal 19 season in the Division of Corporation Finance. 20 MR. COOK: But there have been some tensions around 21 this, to answer your question there. There have been real 22 tensions around this. It's been a tough go, and there have 23 been benefits achieved, but there have been a great deal of 24 effort go into this and I think my own view of it is that 25 there are lots of things that we can focus on in year one, 1 but most of them are important only as they relate to what we 2 do in the future and how we go forward from here. 3 We can spend a lot of time debating cost-benefit 4 without any clear answers, and my view is that if this has 5 achieved one of the important objectives, which is restoring 6 or enhancing investor confidence after some of the issues 7 that caused this legislation to be enacted, as they say in 8 the advertisement "that's priceless." 9 So if they have achieved that, if they have 10 achieved that, that certainly would justify a lot of the 11 costs. 12 MR. BELLER: Ms. Bush, you have your card up. I 13 guess I'd ask you to address one thing that Mike has left 14 with us, which is do you think and sort of how do you think a 15 lot of committees can refocus their attention on things other 16 than internal controls, to the extent that's a direction they 17 should be moving in? But also you sought the floor, so -- 18 MS. BUSH: I sought the floor, because I thought 19 there was one other point that I really should make, and this 20 is not an issue that I have had as an audit committee member 21 with the external auditors. 22 But I've heard several companies, the internal 23 audit staff and the finance staff, complain that the 24 relationship with the external auditor has really changed, 25 that they don't feel as free to consult with the external 1 auditor about accounting treatments for various things. 2 This, in my mind, is not good. I think that 3 managements of companies, finance staffs, have relied on that 4 in the past. Something needs to be done, so that those 5 communications can be freed up again. 6 I relate to that, because as an audit committee 7 member, I have always found it invaluable to be able to sit 8 there facing the outside auditors, and ask them very 9 pointedly about accounting treatment for some issues that 10 were questionable or that could have several different 11 treatments. What's the most conservative treatment, and 12 that's invaluable to me. 13 So if the internal auditors and finance staffs are 14 complaining that they can't get that kind of advice because 15 the outside auditors feel that that might jeopardize their 16 independence, then that is indeed a problem. We need to have 17 that kind of communication and open relationship and advice. 18 The other issue with regard to the way that outside 19 auditors, in many cases, are working with companies, is that 20 I think probably because one, you know, 404 and 21 Sarbanes-Oxley and 404 were done in a hurry, and because 22 companies got very little, if any, guidance as to how to 23 apply 404, how to assess their internal control processes. 24 The guidance that they were getting really was from 25 their outside auditors, and that has presented difficulties 1 for many companies. 2 If you take something like as simple as -- not 3 really simple, because it's a very important thing I think, 4 and that is the materiality of a control or a business 5 process. 6 That's something that I have traditionally looked 7 at quite a bit, you know, where the high risk areas in the 8 company. But for this process in this first year, it seems 9 that equal weighting has been given to all processes, whether 10 they are insignificant or whether they are highly significant 11 and highly risk. 12 So that is something that I really think needs to 13 be addressed as a joint effort by regulators and outside 14 auditors and internal audit. 15 How do we focus? I think that hopefully the 16 refocusing will come naturally, but I think that the 17 refocusing also is going to depend, to some extent, on how 18 the regulators intervene with some more comments about what 19 is important. 20 Because I believe AST suggests that each year must 21 end on its own. If each year, the outside auditors have to 22 audit every process without any rotation, without any 23 emphasis on risk, then we are back in the bind of having to 24 spend a lot of time on 404, possibly to the neglect of other 25 things. 1 MR. BELLER: Thank you very much. Ms. Cunningham, 2 you've got your card up. I also wanted to come back to the 3 cost question, and I think FEI, certainly if not the most 4 comprehensive and detailed work on costs, has certainly done 5 among the most detailed. It's the most detailed I've seen, 6 and would like you to, in addition to whatever else you 7 wanted to talk about, address the cost issue, I think with 8 particular reference. 9 The first year is what is was or is. What do you 10 see happening? The survey suggested, your survey suggested 11 that about 85 percent of companies think the costs will come 12 down. How do you see that? What do you see? What areas and 13 how much? But please, go ahead. 14 MS. CUNNINGHAM: Sure. First of all, I just want 15 to say one of the benefits, you know, were discussed already, 16 and we've learned sort of the notion that having an effective 17 internal control environment as a member of COSO, is vital to 18 the integrity of financial statements. But I won't go into 19 depth in what all those benefits are. You heard them all. 20 The costs. We've done several surveys. We've done 21 three or four over the last year and a half or so. Our most 22 survey we've done in March of 2005, which will hopefully 23 reflect more of the actual costs, particularly for the 24 accelerated implementation costs. 25 The average cost of implementing 404 is about 4.3 1 million. Companies that have over 25 billion in revenues 2 spent considerably more, about 15 million on average. 3 According to our survey, companies logged an average of over 4 26,000 hours to comply with the regulation, and one dramatic 5 thing more. 6 We've seen -- over the term that we've done the 7 surveys, we've seen the costs go from the first survey we did 8 in January of 2004, double by the time March 2005 hit. 9 The one thing that, you know, we also and I think 10 Mike alluded to it, but we also have to consider the cost 11 that isn't in there, is the opportunity cost. You know, the 12 audit companies are spending a considerable amount of time on 13 Section 404. It's diverted a lot of attention for senior 14 management and board time. 15 You know, we've taken time away from strategy, 16 dealing with competition in a global marketplace, innovation, 17 and moving the company forward. I think that opportunity 18 cost is another important aspect of the cost factor, if you 19 will, of 404. 20 MR. BELLER: How about looking forward? 21 MS. CUNNINGHAM: Looking forward, according to our 22 survey, we do expect to see a decrease in cost. A big piece 23 of that, the companies spent a lot of time hiring consultants 24 and staffing up to document initially a lot of the 25 transactions, if you will. So we'll see a lot of that cost 1 go down. 2 We're hopeful that the audit fees will also go down 3 in Year 2, as we see the training and the learning curve of 4 the auditors. Hopefully, they've learned some, you know, got 5 some efficiencies from the process. 6 So we are anticipating, and I believe our survey 7 said we are anticipating a decrease of about 40 percent of 8 total cost. 9 MR. BELLER: Thank you. 10 MR. NICOLAISEN: If I can follow up on that just 11 for a minute, I think the Big Four survey said something like 12 a 46 percent on the first year. 13 MS. CUNNINGHAM: Very consistent. 14 MR. NICOLAISEN: A lot of that, I think, is 15 understandable, and probably is best taken off the table for 16 consideration because it's history, and we need to move 17 forward. 18 But one of the conflicting things that we do here, 19 and maybe you can help us with that, is we do hear from a 20 number of different places that companies, while they have 21 closed the books on 404 for the first year, they don't 22 necessarily have in place the sustainable process that they 23 want to live with long-term. 24 They reacted. They did what they had to do, but 25 aren't necessarily yet in the position where this is routine 1 and baked into the process. Just curious as to what, you 2 know, is there an element of truth to that? 3 MS. CUNNINGHAM: I think, you know, we're moving 4 from a project orientation to a process orientation. I think 5 it will take time for companies to get to that sort of 6 sustainable ability to implement 404 and make it part of the 7 process. So that may take a little bit more time. But I 8 think it's a fair statement. 9 MR. BELLER: Mr. Miles, do you have a view on sort 10 of whether this is -- whether the sustainable processes are 11 now "baked in," or whether that's something you're going to 12 have to revisit over the coming years? 13 MR. MILES: We have already begun a process to 14 re-look at the way we implemented 404. We have made some 15 changes going into 2005. I don't think they're going to be 16 dramatic. One failed experiment was we tried to turn a lot 17 of people into auditors for a day. 18 MR. BELLER: Sounds like what Nicolaisen was doing 19 to me, and I too, have failed. 20 (Laughter.) 21 MR. MILES: I couldn't understand that. But there 22 were a lot of business people and operations people who were 23 not excited about that prospect. So we'll have teams that go 24 out and do the test work, is one of our major changes this 25 year. 1 MR. BELLER: Dr. Patzak? 2 DR. PATZAK: Well, first of all I would like to say 3 that I think that the present changes are necessary, and 4 these changes are a prerequisite that the costs come down. 5 But I had mentioned earlier, one example earlier, and that, 6 you know, that would lead me to the recommendation that it 7 should be possible to exclude a larger number of individual, 8 insignificant companies if there is a rigorous control and 9 risk management process in place. 10 Another example would be that we should have more 11 interpretive guidance on qualitative considerations when we 12 decide what's accounting significant. Allowing for a 13 risk-based approach. That, I think, a risk-based approach, 14 that would make it possible to get the costs down without 15 losing the benefits of 404. 16 I do feel that also in the implementation year, 17 that there's a downside out of this bureaucratic approach, 18 because we had to, for example within Siemens, we had to 19 focus a lot of our internal audit resources on checking the 20 progress on 404. 21 We have a specific financial audit group, you know, 22 comprising 70 auditors, which usually focus heavily on high 23 risk areas and huge projects and things like that. A lot of 24 their time was really now focused on checking specific 25 documentation needs and things like that. I do not think 1 that this really helps the confidence in financial reporting. 2 On the other hand, I think that a lot of companies 3 in that first year, because there was not enough guidance, 4 they come up with too many significant controls, which are 5 perhaps not really significant. 6 So for our company, we had more than 20,000 7 controls, nearly 30,000 controls. There will be, at least I 8 would see a need for a Phase 2 approach, one which basically 9 tries to get rid of controls which are not really necessary, 10 and more into the direction of preventing measures. 11 More use of IT controls, controls which are already 12 embedded in the ELP systems, in case manual controls and 13 things like that don't work. 14 So there is room also from the company side to 15 improve efficiency. There must be and that would be my 16 recommendation for some changes in the standard, and also see 17 that there is a clear, a logical consequence that the audit 18 fees should come down because there should be less need for 19 substantive audit procedures after so much time is spent on 20 assessing the internal controls structure. 21 MR. BELLER: Thank you very much. I see 22 Commissioner Glassman has her card up. Mr. Sylla, were you 23 going to address the same question before we -- 24 MR. SYLLA: I just wanted to make a quick comment 25 on the cost structure, but we can defer. 1 MR. BELLER: Okay. Commissioner Glassman? 2 COMMISSIONER GLASSMAN: Just following upon the 3 last point, is there -- since this is supposed to reflect 4 management's assessment of the effectiveness in their 5 internal controls, in being able to certify their financials, 6 that they're accurate and transparent, is there a difference 7 between what management sees as sufficient, necessary and 8 sufficient, in order to be able to make that certification, 9 and what the auditors have been required, been requiring 10 for -- to comfort themselves that management has the right 11 information? 12 MR. BELLER: Who would like to -- 13 (Laughter.) 14 MR. BELLER: A lot of people. Let me start with 15 Mr. Thain. 16 MR. THAIN: Yes. Commissioner, I think the 17 answer -- the simple answer to your question is actually yes, 18 because where companies, many, many companies have made 19 comments along the lines of there is not sufficient guidance 20 on what's material, that there needs to be more of a 21 risk-based approach, that in fact there's not enough reliance 22 on what management does. 23 Both management themselves and internal audit. 24 Even though the rule does in fact allow for reliance on 25 management and internal audit, that the response from 1 companies has been that the accounting firms have been 2 unwilling to do that. 3 So what has happened is that attestation has turned 4 into duplication. So companies have been, even companies who 5 do a lot of their own internal testing, have found their 6 accounting firms requiring them to test a much broader range 7 and a much greater sample size than what the companies think 8 is necessary. 9 MR. BELLER: Mr. Turner, you had your -- 10 MR. TURNER: Yes. When you go back in and start 11 digging through the companies that have actually filed with 12 material weaknesses, the 750 or so that we talked about, 87 13 percent of those had filed just previously with the 10-K or a 14 Q to that with a clean certification from the management 15 team, saying everything was fine. 16 Then all of the sudden when the auditors came in, 17 it became clear that the auditors saw it differently and saw 18 it as a material weakness. When we dig down into those, 19 where there is information, where there is disclosure about 20 the facts or you go pick up the teleconference call with the 21 executives, where they've described it on the teleconference 22 call, I must say that in most of those situations, as we 23 analyzed them, we thought that the auditors were absolutely 24 right-on and correct in their conclusions. 25 So the answer to your question, at least from the 1 public transparent disclosures is there's clearly a 2 difference. But as we see it, the auditors are calling it 3 right from an investors' perspective. 4 MR. BELLER: I see Commissioner Goldschmid has his 5 card up. Ms. Cunningham, did you want to address 6 Commissioner Glassman's question? 7 MS. CUNNINGHAM: Yes, just quickly. I want to 8 reiterate a lot of what John had said, but I think, you know, 9 the issue of the auditors spending a lot of time on the less 10 risky areas. I think particularly in the first year, they 11 spent a lot of time on areas that weren't, you know, didn't 12 hold out a lot of risk. 13 But I think the higher risk areas, the tone at the 14 top, etcetera, needs to be focused on a little bit more. 15 Taking a more risk-based approach would be appropriate. 16 I think, you know, the issue will be, you know, the 17 auditors are being regulated for the first time. I think the 18 issue will be how that inspection process comes out in the 19 first year, and what the inspectors' reactions are to the 20 process that the auditors took. 21 Because I did, were overly-cautious in the first 22 year because of the second-guessing, and because of the 23 plaintiffs' bar. 24 MR. BELLER: Mr. DiPiazza? 25 MR. DIPIAZZO: Let me begin by making it clear That 1 this was a very difficult year, and by anybody's description 2 you'd have to say that the process could be improved, that 3 the process had its inefficiencies, that judgments could be 4 second-guessed. 5 I think you have to put it in context. The focus 6 on controls, although companies have focused on controls for 7 years, they've never focused on them quite this way. They've 8 never focused on them with the level of ownership and 9 responsibility that you have today. 10 We refer to that as a level of deferred 11 maintenance. There was for years underinvestment in 12 documentation, underinvestment in truly understanding and 13 owning controls, deep into organizations. 14 Now I absolutely respect of my fellow colleagues or 15 panelists who say that maybe judgments were made that took 16 controls testing down levels that were too far. But I'll 17 give you an example. You want to test the human capital, a 18 human resource group. You want to test the controls they 19 have about new employees and employees leaving. 20 Most people would say "What does that have to do 21 with financial statements?" Until you find out what the 22 company real life was not taking people off of computer 23 access for two months after they left. These people had the 24 ability to transfer, wire cash, affect accounts after they 25 left the company. Is that an insignificant control? For 1 lots of people it might be. 2 I think you really have to say what did we find? 3 We found, and what are the differences between the way 4 management looked at this and the way the auditor looked at 5 this? Three-fourths, two-thirds to three-fourths of the 6 calls for the investment here was by the company, not by the 7 auditor. 8 We're in the process of going through this, 9 focusing on key controls. Maybe at times they went beyond 10 key controls, but I think that's the exception to the rule. 11 An average of 275 deficiencies per company had to be fixed 12 before the end of the year, from the best company down to the 13 smallest company or the weakest company in the group. 14 The ownership around that subject, the cost of that 15 remediation. Probably 10 to 15 percent of all the time that 16 was spent was just on the learning. What did all this mean? 17 That's not going to be duplicated. 18 Twenty percent was on documenting controls that 19 hadn't been documented clearly for a decade. That's not 20 going to be repeated, at least substantially not repeated. 21 And the remediation, which was again, 15 to 20 percent of 22 this process, which you would hope you would get it right. 23 There were some areas we could improve on. Costs 24 were spent because auditors were testing things that 25 companies just tested. The problem was this was all real 1 time. The standard was time; the companies were remediating, 2 defining, documenting and testing. If the auditors had 3 waited until the end and looked at that, you wouldn't have 4 had time. 5 I think in the future we clearly have to make that 6 much more efficient. But to be very fair, the standard 7 allows us that judgment. You don't have to change the 8 standard. What you have to do is impose that judgment and 9 inspect it in a way that's consistent. 10 MR. BELLER: Thank you. Commissioner Goldschmid? 11 COMMISSIONER GOLDSCHMID: Well, I was just reacting 12 to the tension, I think, that I've heard reflected around the 13 table. I think feel too, talking about risk-based 14 approaches, more use of internal staff, we're not counting 15 trivial subs and such, all make some sense. What I keep 16 suffering with is internal controls have been on the books in 17 the United States since 1977. We all know that was not taken 18 seriously year after year after year. The use of the outside 19 auditor clearly creates a discipline. 20 Now the trick is to make it as efficient and 21 sensible, and with as much judgment as possible. But the 22 natural tensions between management -- I mean, we left it to 23 management from 1977 on, and I take it no one here would 24 defend in general the quality of internal controls during 25 that period. 1 MR. DIPIAZZA: Just to be clear, and Commissioner, 2 I think it's fair to say that there were improvements to be 3 made. Ninety-plus percent of the companies had good control 4 structures. They needed to fix some things, but they got to 5 the end and they'd fix it, and financial statements were 6 fine. 7 So we shouldn't expand it and say management was 8 not doing good controls. But there was not the ownership. 9 There was not the focus at the board level or at the 10 management level that we have today. So we're better through 11 the process. 12 COMMISSIONER GOLDSCHMID: I think it's fair, but 13 when we first proposed the internal controls rules at the 14 SEC, the reports we got from business of how much change it 15 would take ran into the number of fingers and on the hours 16 per company, because everyone said we have internal controls. 17 Then they began to seriously look at them, and it was a 18 different kind of picture, you admit. 19 MR. BELLER: Chairman Donaldson. 20 COMMISSIONER DONALDSON: I want to take advantage 21 of this panel before it disappears. I want to ask the 22 question, which is how do we get out of the anecdotal phase, 23 and how do we get into the measurement phase? 24 What are the thoughts of all of you, anybody who 25 wants to comment on this, on methodology, if you will, 1 analytical methodology that can measure, truly measure the 2 effect of all of this? 3 MR. BELLER: Again, Mr. Kroszner? 4 MR. KROSZNER: Well, certainly this is something 5 that I think is extremely important. One way of doing it is 6 looking at the market reactions to whether something is 7 material or not material. 8 As Mr. DiPiazzo spoke about, an average of 275 9 deficiencies per company, but how many of those are material, 10 and what is the market judged as material or not material. I 11 think people are much more aware of these things, as Mr. 12 Turner spoke about before. The markets are much more aware, 13 much more sensitive and much more attuned to these. 14 But also, we can't look at just the -- a particular 15 type of deficiency in and of itself. It has to be put in 16 context, because its credibility in terms of the firm. Some 17 firms are more opaque and some firms are more transparent, 18 simply by the business that they're in. 19 Some businesses are much newer; some businesses are 20 much more volatile. That's always going to create a greater 21 information asymmetry, as economists talk about, between 22 what's known inside of the firm and what's known on the 23 outside. 24 So at a firm that is in a very steady business 25 where there's very little volatility, a deficiency there 1 might not be a problem. But that same "deficiency" could 2 raise more of an issue where there are potentially more 3 risks, because there's more volatility. 4 So I think the type of study that should be done 5 would look at not just the material violations or material 6 deficiencies themselves, but look at the characteristics of 7 individual firms. 8 Because exactly as Ms. Bush was mentioning and Mr. 9 Cook was mentioning, that there are -- there's an enormous 10 amount of heterogeneity. So not just say that one size 11 should fit all, but it should be the same. Look at the 12 details of the potential problems in the context of the firm. 13 There can be greater or less transparency in a 14 firm, depending on their characteristics, and really kind of 15 drill down into that. I think we're beginning to see that 16 and do that, and I think that would be an excellent thing for 17 the Commission to undertake, for the board to undertake and 18 certainly Mr. Turner has already started down that line. 19 MR. BELLER: Mr. Cook. 20 MR. COOK: Answering the chairman's question about 21 what do we do to take some of these things and turn them into 22 action and turn them into results. I think we've all 23 acknowledged we had to get through the first year, and there 24 was an awful lot of inefficiencies as there will also be in a 25 process that's this complicated the first time you take it 1 on. 2 I think everybody learned from that and has learned 3 some lessons that will be beneficial. I think maybe this 4 roundtable is the time to declare last year last year and get 5 conversations going that will help us do better going 6 forward. 7 I think we need to get the parties together to talk 8 about this, the different participants, because people are 9 not necessarily talking past each other but they're not 10 necessarily connecting either around what is it that the 11 standards require, what are the levels at which we should be 12 testing controls, what are the appropriate approaches. 13 I think we really ought to get onto that pretty 14 quickly. Sitting in an audit committee chairman's role, 15 we're waiting with eager anticipation for the plans for the 16 coming year, which usually are delivered some time around the 17 time of an annual meeting or shortly thereafter. 18 We've asked the auditing firms in all cases to give 19 us their estimates about what the costs of the 404 are going 20 to be in Year 2. I'm wildly encouraged by this 46 percent 21 figure, and I had been hearing much less than that. So that 22 at least is a sign. I'm only little bit concerned that 46 is 23 as high as it is, because the figures for last year ended up 24 being as high as they were. 25 There's certainly an element of possibility in 1 that. But the 46 percent is a pretty encouraging notion, and 2 we do have to get to this issue of cost and get it working. 3 I do really think the PCAOB people are very responsive and 4 interesting in doing what they can do to be helpful with 5 respect to implementation and guidance, that will lower the 6 expectations to an appropriate level. 7 A lot of this is not particularly new. The notion 8 that every year's audited internal control stands on its own 9 isn't substantially different in my thinking from the notion 10 that every year's audit of financial statements stands on its 11 own. 12 I don't think those are done in batches. I think 13 they're done in separate years, and so the notion of how you 14 go about auditing something each year is not completely new 15 and different. But I do think people need to get together 16 and start talking about the practicalities. 17 That's the leadership of the firms, the leadership 18 of the financial community, PCAOB, the SEC to the extent that 19 they have an interest and an opportunity to participate. I 20 think it's time to get this going, and try to do something 21 pretty quickly, because planning is underway for next year. 22 A lot of work is going to be done between now and 23 the summertime in getting ready for this. How much resources 24 we need to put behind it, how much we need to keep our 25 internal auditors deeply focused on 404 as opposed to other 1 activities, all of that has to get resolved in the next 2 couple of months, and I think we need to get the parties 3 going. 4 MR. BELLER: Right, and I think certainly speaking 5 for Don, we recognize the urgency of some of this. We only a 6 few minutes left. I do want to hit on a couple of things 7 that have been alluded to and maybe bring them out a little 8 bit more. 9 One, I want to ask Mr. Sylla, this issue of 10 opportunity cost. We had a meeting of our Small Business 11 Smaller Public Company Advisory Committee yesterday, and one 12 of the co-chairs, Tim Kim, the CEO of Kimball International, 13 who I think is in our audience, talks about the same thing, 14 which is the mind-share costs to senior management of some of 15 these requirements. 16 I guess the question I have for you is again, if 17 you put Year 1 sort of behind you, but with that as context, 18 is there an issue with mind-share and opportunity costs at 19 the senior management level? Certainly, the comments we've 20 received have suggested that there is, and if so, what should 21 be done to address it sort of by all the parties, auditors, 22 managers, regulators and so forth? 23 MR. SYLLA: You know, we would concur. With the 24 numbers that have been thrown out here, we probably for large 25 companies would on the high side of the numbers. Frankly, 1 you could characterize that as a class or you could 2 characterize it as an investment in the future. 3 Clearly, from our perspective, a significant amount 4 of time was spent in the first year, in things like 5 information-gathering, establishing processes and controls. 6 That we believe will not necessarily repeat itself. 7 As a result of having to do that, a good deal of 8 outside external resources were brought in to augment the 9 internal resources that we used. So we think that's a 10 one-time, and as long as we're throwing in numbers, I might 11 as well throw our number out. 12 We believe, based on what we know, and that's a 13 qualifier, that our costs would be down probably in the 14 vicinity of 50 to 60 percent moving forward. That's because 15 we've established, if you will, the internal infrastructure 16 and spent the money maybe up front in preparing, knowing that 17 this was not a one-shot deal. 18 Now I think from a senior management perspective, 19 as I indicated, the ownership in this thing clearly takes a 20 lot of time. There is no question, as you go through this, 21 we can't help but if you're putting your name on things, and 22 putting in your cost of risk, you take a lot of attention. I 23 don't think anyone would minimize that. 24 The challenge, of course, from an internal 25 perspective is the prioritization, not only with respect to 1 the work that had to be done on 404, but taking people from 2 the technology side of the business and various other pieces 3 of our business, and reallocating them to this process to get 4 it right. 5 As a result of that, it was very difficult to 6 quantify other aspects of the business that took a back seat 7 to this, because you could only put so much in the plate. So 8 other than wrestling with what we expect in the future, 9 clearly we see very little modest resources from the outside 10 required. 11 But the prioritization internally for both senior 12 management time and all the other people that make this thing 13 work is going to continue. I don't see that stopping in the 14 short run. 15 MR. BELLER: Mr. Miles, you have your card up, and 16 I'll recognize you. But I also want to ask you, do you think 17 that's a good thing or not? 18 MR. MILES: Good thing with regards to the 19 substantial amount of senior management focus on this 20 subject, as kind of a medium and long term issue. I think to 21 some degree it's probably going to be negative, in that it 22 will distract them from things that really are probably much 23 more significant, in terms of operating control strategy, 24 that they really should be focused on. 25 I do think they need to spend time on internal 1 controls, but that should not be their primary focus at the 2 top of the house. 3 The comment that I would like to make, and is 4 really to the Commission, was first of all, to say thank you 5 for delaying the acceleration of the filing deadlines. But I 6 would also ask that consideration be given to freezing that 7 at the point that it is. 8 That is, as the small filers come on line and the 9 foreign filers. I don't know within the accounting industry, 10 within our businesses, that there are the resources there to 11 staff up and get everything done by a March 1st deadline, and 12 a 35-day 10-Q deadline, without increasing the possible of 13 the occurrence of a reporting issue that could lead to a 14 material weakness, just because of the haste that would be 15 required by a business. So I would request that we keep that 16 there. 17 MR. BELLER: Following up on that a little bit, a 18 question for Mr. DiPiazza. A lot has been said, including in 19 the comments, about accounting firms being stretched for 20 resources, accounting firms bringing on large numbers of 21 people, accounting firms training on the fly, accounting 22 firms having people who aren't very experienced doing this 23 work. 24 Going, is Year 2 different? Is it more of the 25 same, and also I think a related question, all of the large 1 accounting firms have put comments in. Some of them suggest 2 that while other company costs may be going down in Year 2 3 and thereafter, people shouldn't expect the audit fee for 4 internal controls would go down, because we're in a brave new 5 world. What thoughts do you have on that? 6 A PARTICIPANT: What brave thought does he have? 7 (Laughter.) 8 MR. DIPIAZZA: There is no question that Year 1 9 resources were stretched both within companies and within the 10 audit firms. I mean, we bought 1,000 people from around the 11 world into the U.S., both to train them on how to apply this 12 to foreign and private issuers, and to get us through the 13 process. 14 We spent $50 million out of pocket training our 15 people. I hope I don't have to do that next year. If you 16 really look at what was accomplished in Year 1, with the 17 enormous documentation, the enormous remediation of controls 18 that had weaknesses. Whether they are material or 19 significant, these were all key controls. 20 A lot of that goes away, or at least it goes into a 21 continuance mode, as opposed to a first-year mode. So I 22 clearly see that the time and the energy and the effort and 23 the cost of the 404 audit will go down. 24 As we integrate the financial statement audit, and 25 remember this year we had a financial audit and we had a 404 1 audit, and they were running parallel. They were not 2 integrated. 3 All of the firms, not just the Big Four but all of 4 the firms dealing with public companies are looking at ways 5 now to make that a much more efficient process. So we also 6 believe these numbers are reasonable. 7 Just one other observation to the chairman. We 8 have an enormous level of transparency now, just a matter of 9 weeks after the filing, about what we've now learned. 10 Where are these weaknesses, and which people in the 11 organization spend hours and hours and hours assessing where 12 are the weaknesses? Where are the weaknesses in terms of big 13 companies and small companies? 14 I mean, it's clear. Companies under 200 million 15 have more material weakness issues than companies over five 16 billion. We have some issues around that. 17 Industry differences. There's a tremendous amount 18 of transparency, but I think both the analysts, the 19 regulator, the company and the auditors are now going to 20 begin to apply going forward that information, all of which 21 is going to make this system better. 22 I think a lot can be done within the current 23 standard, with good inspection and advice from the PCAOB, and 24 as Mike Cook says, good cooperation between the parties. 25 MR. BELLER: We are at that hour, the end of our 1 time. I'm going to give Chairman McDonough the last question 2 and maybe the last word. 3 MR. MCDONOUGH: It's actually a comment. I think 4 the secret of making sure that Year 2 is both more efficient 5 and better quality as it regards both the work of management 6 and the audit, is that the audit will in fact be integrated. 7 That's what it's supposed to be. 8 But in the first year, that was absolutely 9 impossible for the firms to do. By integrating the audit of 10 the financial statement and of the internal controls, there 11 will clearly be better efficiency, and we will have the 12 advantage that the firms had to jump through enormous hoops 13 in order to get enough bodies to do the internal control 14 work. 15 Those people are now much better trained in going 16 into Year 2, and they're going to do a better job. 17 MR. BELLER: Thank you very much Chairman 18 McDonough. I'm going to thank the panelists. We are going 19 to take a 15-minute break. Can we back here at 10:40 please? 20 Thank you. 21 (Break.) 22 PANEL TWO - REPORTING TO THE PUBLIC 23 MR. BELLER: I'd like to get started again. The 24 second panel this morning is going to address generally the 25 subject of disclosure and reporting to the public, around 1 Section 404. 2 As we have mentioned in the first panel, the 3 requirement to have effective internal control in fact dates 4 from 1977, and Section 404 does not change that requirement. 5 Section 404 is a disclosure and a reporting provision, which 6 requires managers to assess and disclose for the first time 7 whether their internal control is effective in their annual 8 reports, and for auditors to, in accordance with Auditing 9 Standard No. 2, audit management's assessment and the 10 effectiveness of internal control and deliver an audit report 11 on that subject. 12 Joining me on Panel 2 as the moderator is the chief 13 accountant of the Division of Corporation Finance, Carol 14 Stacey, who is an accountant, not just for a day. 15 (Laughter.) 16 MR. BELLER: Again, I'll introduce the panelists in 17 a moment. I don't know if all of the panelists were here for 18 the first, the introductory remarks for the first session. 19 I'll go over them very quickly. 20 One, if you want to be recognized, we want this to 21 be interactive. The moderators will reserve the right to 22 call on specific people. 23 But I would encourage you, as well as the members 24 of the Commission and the board, to seek recognition and the 25 way to do that is to turn your tent card on end, so we can 1 see it. 2 Second, we have asked you all to submit written 3 statements and all of your or most of you certainly have done 4 so. They are on the website, but for the sake of time, we're 5 asking that there not be opening statements and we will 6 enforce that. 7 Finally, if you are recognized and because we're 8 being webcast and not everyone who's listening can see us, if 9 you would identify yourselves. If one of the moderators has 10 not in recognizing you, that would be great. 11 I'm going to start again by introducing the panel 12 again for the folks that can't see. So I'm not going to go 13 back to the Commission and board again. 14 But the panelists, starting at my left, Mark Anson, 15 who's the chief investment officer at CALPERS. 16 To Mark's left, Jim Copeland, who's a member and 17 chair of a number of audit committees. 18 Nick Cyprus, who's the Senior Vice President, 19 Controller and Chief Accounting Officer of the Interpublic 20 Group of companies. 21 To Mr. Cyprus' left, the Honorable Barbara 22 Franklin, who is again a director and member of the boards of 23 directors of a number of public companies. 24 To Ms. Franklin's left, Curtis Hage, who's the 25 chairman and CEO of Home Federal Bank. 1 To Mr. Hage's left, John Huber, who's a partner at 2 the law firm of Latham and Watkins. 3 To Mr. Huber's left, Greg Jonas, who's the Managing 4 Director of Accounting Specialists Group at Moody's Investor 5 Services. 6 To Mr. Jonas' left, Bob Kueppers, who's the 7 Chairman of the Executive Committee of the AICPA's Center for 8 Public Company Audit Firms, and is also the Vice Chairman and 9 National Managing Partner for Professional Risk and 10 Regulatory Matters at Deloitte and Touche. 11 Finally, to Mr. Kueppers' left, Ed Nusbaum, who's 12 the CEO of Grant Thornton. 13 I guess I would begin with a question for Ms. 14 Franklin. As of the end of March, and I guess the numbers 15 are slightly changed, but certainly over 2,500 companies had 16 filed their 10-K's containing their initial assessments of 17 internal controls, and about eight percent had indicated that 18 their controls were not effective as a result of one or more 19 disclosed material weaknesses. 20 From your perspective, has that information and 21 disclosure and the disclosure around those assessments been 22 useful, and what suggestions would you make going forward for 23 improving that disclosure? 24 MS. FRANKLIN: Well, thank you and thanks to the 25 Commission for having this session. I think it's an 1 important subject. 2 I've got a couple of this with me, the kinds of 3 disclosures that are -- that you have just referred to. I 4 can look at this a couple of different ways. One as an audit 5 committee member and chairman, am I getting what I want from 6 management and the auditors. Look at it from just being a 7 director, or an investor. 8 There is something else that I would like assurance 9 of, with respect to how we get to reasonable assurance in 10 here. It's this, and I'll pick up a thread from your last 11 panel. 12 I would like assurance that the 404 internal 13 control compliance process was in fact focused on the areas 14 of greatest risk to financial statement misstatement. I am a 15 real advocate of risk assessment and enterprise risk 16 management, and prudent companies that are doing this, and I 17 think everybody ought to be doing it. 18 Out of that process, we do get a sense that what is 19 the magnitude of the impact of some risk; what is the 20 probability of it; and then who in management actually owns 21 that area to manage through. 22 You could just overlay that one thing right on 404, 23 and you could put your documentation, your testing, your 24 aggregation of significant deficiencies right into that kind 25 of a context. I know this was brought up the last session, 1 but I really think it's worth saying it again for each line 2 item in the financial statements. 3 I know we talked a little about key controls in the 4 last panel. It's not clear to me that key controls are the 5 same thing as -- if they're coming out of a risk assessment. 6 I think that's been true at the audit committee level. 7 We were so focused, particularly as the deadline 8 neared, on what was a significant deficiency and whether all 9 this stuff was going to get fixed, that we were not clear and 10 we were not really being told clearly what was really 11 important from a risk standpoint to a financial statement's 12 misstatements, and whether this may be operational or a 13 process or something else. 14 So I think this point is really important, and as 15 an investor, I would like some assurance, because I'm a 16 committee chairman too. 17 Related, each of the things had their own -- let me 18 back up here. The definitions of significant deficiency and 19 material weakness are wonderful. They're fascinating to read 20 that stuff. That's another conversation. 21 But beyond that, each of the firms have devised 22 their own quantitative guidelines as to what was a 23 significant deficiency and material weakness. The difficulty 24 that I saw through several different audit committees was 25 that the firms were not consistent among each other, in terms 1 of what those guidelines were, and I'm not sure they were 2 consistent among their clients either, each firm consistent 3 among its clients. 4 My concern was that again, looking at this from an 5 investment perspective, if we can have a lower threshold, 6 meaning a higher standard than what was a material weakness, 7 and that firm's clients had more material weaknesses than 8 some other firm's clients, how is the investment community, 9 how is an investor going to look at that, and what would be 10 the consequences? It could be unfairness across corporate 11 America. 12 The same thing with the consistency issue. How we 13 fix that, I'm not sure whether it's the PCAOB's ball to fix 14 it, whether the firm somehow has to get together and fix it, 15 whether the SEC has a role. But I see that as an issue, and 16 no matter which chair I'm sitting in, I would like some 17 assurance about both those things. 18 MR. BELLER: Okay. Thank you very much. Mr. 19 Jonas, what's your assessment of the utility of the reporting 20 and the disclosure that's been going on? 21 Let me throw one little supplemental question in 22 there as well, which is the companies are operating with -- 23 under a rule that's a Commission rule, that does not 24 prescribe a form of disclosure for management's assessment. 25 We've basically left it to management to describe 1 what they believe is material and important. The auditors 2 are operating under a board standard, which is quite 3 consistent with other audit standards, which does prescribe 4 pretty closely a form of report. 5 Do you think there should be more of a template for 6 management, or are there other ways to get management to 7 address what investors and users such as yourselves would 8 like to see? 9 MR. JONAS: Well, first on the broadest question, 10 you know, we perceive substantial benefits from these 404 11 reports, both in the reports that cite material weaknesses, 12 as well as reports that are clean. 13 (End Tape 1) 14 We think this is a central plank, 404 is, to 15 restoring investor confidence in the financial reporting 16 process, confidence that was badly damaged in the last few 17 years. 18 We perceive that companies are more focused on 19 accounting, auditing and quality financial reporting than 20 they have in the recent past. We perceive the companies are 21 investing, some for the first time in many years, their 22 infrastructure supporting quality reporting. 23 We also perceive that there's some better auditing 24 going on these days, under the notion that the more the 25 auditor knows about controls, the better the audit work. All 1 of which causes us, and we think other market participants, 2 to take comfort in the 404 process. 3 Where companies disclose material weaknesses, we 4 are getting benefits from that as well. We think that in 5 certain, but not all cases, and I'm sure in a later question 6 we'll be addressing does the market distinguish between some 7 material weaknesses than others. 8 But certainly in some cases, we believe that the 9 weaknesses cited are credit-relevant, and that it provides an 10 additional red flag that we would not have perceived absent 11 the 404 process. For that, we think it is credit-relevant. 12 Finally, and this is anecdotal as opposed to direct 13 evidence, but we have had a number of managements tell us 14 that they perceive benefits to them of having gone through 15 the 404 process, benefits not only in terms of approving 16 their accounting but just improving their control over the 17 business in general. 18 Now having said that, of course you'd be perhaps 19 disappointed if I didn't have a wish list of what might be 20 better in public disclosure, and I have five items on the 21 list. 22 First, while some companies do an excellent job of 23 describing exactly what is the material weakness, others do 24 not. We think that describing in detail what the problems 25 are is important, particularly if we're trying to distinguish 1 between certain material weaknesses that we think are 2 credit-relevant and those that are not. 3 Looking forward, we're particularly interested now 4 in what companies say about their plans to remediate their 5 control weaknesses. Again, we've some companies who are 6 quite explicit about what they plan to do and others that say 7 next to nothing about that. Looking forward, we're very 8 interested in the plan of remediation. 9 We would hope that the companies would update 10 investors quarterly about their remediation progress, and 11 that they would indicate when the remediation is complete 12 over the material weakness that was the subject of an earlier 13 report. 14 We would also like it if auditors were to be able 15 to report on the successful remediation of the control on an 16 interim basis, and not have to wait until the next audit 17 cycle. Thus, we're big fans of the PCAOB's proposal to at 18 least allow auditors to write those reports. Thank you very 19 much. 20 MR. BELLER: Mr. Anson, as another user of the 21 reports, including these disclosures, what is your reaction 22 to what we have seen so far and what we could or should be 23 doing going forward, "we" being everybody and not just the 24 Commission? 25 MR. ANSON: I always like to use the word "we." 1 First, I'd just like to add a comment. I know the first 2 panel talked a lot about costs, the cost of applying and 3 implementing Section 404. 4 You know, the people who ultimately bear the costs 5 are shareholders like CALPERS. We're willing to bear that 6 cost, because if those costs can prevent one more Enron or 7 one more WorldCom or one more Tyco-Adelphia, choose your 8 favorite corporate accounting scandal, that is money 9 well-spent in our opinion. 10 As an investor, if I can't trust the integrity of 11 the financial statements, they're worthless to me. Indeed, 12 we saw this in 2002, when saw that the risk premiums for 13 stocks in the U.S. stock market rose to its highest level in 14 25 years. The risk premium for stocks was higher than even 15 after 9/11, simply because people were so risk-averse because 16 they couldn't trust financial statements. 17 So I think it's a cost that shareholders are 18 willing to bear, and it helps trust the integrity of those 19 financial statements. 20 In terms of the benefits beyond that, they're less 21 tangible, but I think they're out there. There are one or 22 two things I'd like to point out. I think now, with the 23 advent of Section 404, you see the fiduciaries, the boards of 24 directors paying much keener attention to their fiduciary 25 duties. 1 If nothing else, they're much more inquisitive, 2 particularly those that sit on audit committees with regard 3 to the controls of the company. Now that doesn't mean that 4 Section 404 is a panacea, but my gosh, if you're getting 5 directors on audit committees to start asking questions with 6 their auditors and their management, that's a pretty good 7 start. 8 That's what it really, I think, is the best benefit 9 of Section 404. It forces people to think critically about 10 the integrity of the financial statements, the integrity of 11 the internal controls, and are we producing the right 12 information that all stakeholders need, using the word "we." 13 Not only shareholders but creditors, rating 14 agencies, directors forejudging the performance of management 15 when they grant their bonuses. So I think the bonuses are 16 hard to translate yet into dollars, but I think the benefits 17 will far outweigh the costs. Let me stop there with my 18 comments. 19 MR. BELLER: Thank you. Mr. Kueppers', you've left 20 your card up. 21 MR. KUEPPERS: I do. Thank you, Alan. I wanted to 22 comment on a couple of the previous points, including Barbara 23 Franklin's point about getting some assurance that the word 24 had a risk focus, a risk-based approach. 25 I do think there is room for improvement in that 1 area, and I think that many of us could observe, based on 2 experience now, some very minor areas that might have 3 received more focus than they otherwise might have. 4 I think that the key would be for the -- for our 5 regulators, the PCAOB, to provide some additional 6 interpretive guidance, because I think people would take that 7 very well as we get into Year 2 and begin to think about our 8 scope, which frankly is we're on the threshold of doing right 9 now. 10 The other element of this management reporting that 11 I want to point out is one of the things that makes it quite 12 useful is the requirement that in the event there is a 13 material weakness, there is a description or discussion. I 14 mean, this kind of transparent information to investors has 15 never existed before. 16 You know, Greg referred to the fact that maybe not 17 all material weaknesses are created equal when you hit that 18 threshold that requires public disclosure. It's helpful for 19 me to know that as an investor or as just a user of the 20 financials, that the company had an issue with the method by 21 which they reconciled their income tax accounts, and it rose 22 to the level that it created a judgment that material 23 weakness was present. 24 That's much different than having some pervasive 25 tone at the top issue, an ineffective audit committee or 1 something that would have a completely different flavor. 2 So I think the most useful thing is in the 225 3 reports that have already been filed, that have ineffective 4 controls and adverse reports, you get some sense of the 5 "what" that caused that trigger to be pulled. I think that's 6 tremendously helpful to investors. 7 MR. BELLER: Thank you. Turning to maybe the 8 preparer's side next, Mr. Cyprus, from an issuer's 9 perspective, what are your thoughts about the disclosure and 10 reporting requirements, and do you need more guidance from 11 us? Is it or do you feel comfortable knowing what it is that 12 investors and we want you to say, if there are material 13 weaknesses? 14 MR. CYPRUS: Well, I'd like to say one, I 15 appreciated actually, the flexibility that we got. So I 16 wouldn't say right off the batt that we would need more 17 guidance. At IPG, I want to say that the 404 process helped 18 us a lot. 19 In fact, I've been a controller at two Fortune 500 20 companies during this process, and I could tell you this. I 21 believe that 404 and Auditing Standard 2 as it was written, 22 has created significantly more focus by senior management on 23 control deficiencies. 24 They've been more active. They've been willing to 25 use budget dollars to solve control problems that might not 1 have been available in the past. I'm actually confident that 2 404 will result in the long run in better and more 3 transparent financial reporting. 4 I actually believe that due to the tenor of all the 5 controls that you've heard, that you'll probably have less 6 restatements in the long run too, because incidental 7 mistakes, because people have tightened and looked at the 8 control environment, I believe will be prevented. So I'm a 9 big advocate of 404. I would not make any changes at the 10 time. 11 As far as the flexibility of financial reporting, 12 IPG, because we noticed that we had material weaknesses and 13 we'd been disclosing those weaknesses in each quarter as soon 14 as we knew about them. In the second quarter, for instance, 15 of '04 we told the world that we didn't think our disclosure 16 controls were effective, because we had multiple material 17 weaknesses. 18 As we got into the third quarter, we gave you more 19 detail on those control activities that we felt had material 20 weaknesses. As we got to understand our material weaknesses, 21 we said "Geez, one of the reasons we delayed and one of the 22 companies that delayed 10-K filing," we had a map on where 23 our issues were. 24 We believed that more work needed to be done on the 25 numbers, and we basically delayed the K filing, putting 1 additional procedures in place, to make sure we as management 2 could get comfortable with the numbers. 3 The disclosure pattern we chose was actually to 4 follow almost literally the COSO framework itself. So if 5 you'll look at 12B25 filing that we filed under an 8-K, you'd 6 actually see that we talked about the control environment. 7 We talked specifically about control activities. We talked 8 about information and communication, and we talked about 9 monitoring controls. 10 We gave you our current assessment of where we 11 stand on that, so that analysts and investors could 12 understand better what the risk profile was of the company. 13 So I'm not sure if there wasn't a 404 whether you 14 would have seen this in the past. But there is, and I think 15 the benefits are significant in that one, management has a 16 map to what it needs to do to get its numbers better. 17 I believe what we also saw is that the auditors 18 have a map in what they need to do address these issues by 19 changing their audit scope, so that they could do substantive 20 testing more than they would have done in the past in those 21 areas that we've identified to be materially weak, so we 22 could get assurances and they could audit those numbers. 23 So I think 404 has done its job. 24 MR. BELLER: Thank you. Mr. Copeland, as somebody 25 who was in the auditor's chair for many years, and is now 1 sitting on audit committees, and particularly in the latter, 2 from the audit committee perspective, how did you see the 3 reporting and disclosure process and how do you think it 4 could be improved going forward? 5 MR. COPELAND: I'll repeat what everyone has said. 6 I think, you know, 404 has been a positive thing for 7 financial reporting in general, whether you're on the 8 management side or on the governance side of things. 9 Certainly, if you're an auditor, I would suspect that that's 10 viewed positively. 11 I would say, however, that we have paid an 12 unnecessary price for it. I'm not complaining about paying 13 the price for 404. It's worth something. But we have 14 created, perhaps unavoidably, unnecessary costs associated 15 with the benefits that we're receiving, and we have created a 16 distraction and again perhaps an unavoidable distraction to 17 both management and governance mechanisms in corporate 18 America. 19 On the positive side, weaknesses have been 20 identified. They've been remediated or plans have been 21 developed for remediation, and as an audit committee chair, I 22 can now insist that that remediation plan be completed. It 23 makes me sleep better at night. 24 But I do believe that it's very important that we 25 not oversell investors on what has occurred. Operating 1 controls were not covered by 404. So it is entirely possible 2 that we will very accurately report on an operational 3 disaster. 4 Even the best controls cannot necessarily preclude 5 collusive fraud, and I worry that we are communicating that 6 the investor does not have to worry about collusive fraud. 7 You can write this down. We will see some collusive fraud in 8 companies where there are no reported material weaknesses. 9 It will occur. 10 Financial statements are inherently imprecise, and 11 the various reports and attestations could reinforce an 12 unreasonable expectation of investors about the precision of 13 financial reporting, and particularly with the FASB's 14 direction of toward fair value accounting, the imprecision in 15 financial statements is perhaps likely to increase. 16 As far as how the usefulness of the reporting could 17 be improved, I would say that management and auditors need 18 more guidance, and they need more specific guidance. I would 19 say they need a better process for offering that guidance 20 before the fact, particularly with respect to the PCAOB. 21 The PCAOB's primary role is the interface with the 22 auditors. But it has an incredible indirect impact on 23 issuers. I do believe there needs to be an official process 24 or a formal process for allowing issuers to have access and 25 input in the process and development of PCAOB standards. 1 Allowing more flexibility in the timing of work and 2 reporting could significantly reduce the cost, and also avoid 3 some of the unintended consequences, which had been to delay 4 reorganizations of corporations, delay the implementation of 5 new IT systems, and also delaying acquisitions. 6 I think it would be helpful if we'd modified the 7 pass-fail system. It would allow for more, dare I say the 8 word "nuanced" reporting of internal control weaknesses. The 9 investment community is now trying to do that on their own. 10 They are trying to differentiate among the various 11 weaknesses, on the theory that all material weaknesses are 12 not created equal. 13 I believe that it's not necessary to have to 14 struggle with that. We could do that through the reporting 15 process. 16 We need better definitions about materiality, 17 particularly with respect to potential misstatements rather 18 than actual misstatements, as they relate to quarters. 19 That's a technical problem in the way that we look at 20 internal weaknesses from quarter -- internal control 21 weaknesses from quarter to quarter, and how you determine 22 whether or not they are material. 23 Then finally, we need an effective system, again, 24 for taking input around these issues before the fact. Thank 25 you. 1 MR. BELLER: Commissioner Glassman? 2 COMMISSIONER GLASSMAN: Thanks Alan. To the extent 3 that some of these infernal control weaknesses or 4 deficiencies are really not that important to the ultimate 5 financial reports, some are, some aren't, but all are being 6 reported equally once they're identified, either to the audit 7 committee and the board or to the public, are we diluting -- 8 is this diluting the meaningfulness of the ones that really 9 are important? 10 MR. BELLER: Mr. Huber? 11 MR. HUBER: Yes. My answer to your question, 12 Commissioner, is yes, and my concern about the disclosure 13 that is being done here is that rather than in essence 14 promoting a disclosure policy of material weakness being a 15 canary in the mine shaft for an investor, i.e., a warning to 16 an investor that there is something there that the investor 17 should look at, that he or she should pay attention, we as 18 preparers of this disclosure have to treat all material 19 weaknesses equally. 20 You've heard that now from Deloitte; you've heard 21 it from the preparers; you've heard it from everybody. I 22 think there is a fundamental difference between a one-time 23 error in a complicated tax point, which is corrected before 24 the 10-K is filed, and a pervasive revenue recognition 25 problem in a multi-national company. 1 It's just different, and the fact of the matter is 2 right now the rules do not make a distinction between one and 3 the other. So therefore, from my side, in terms of preparing 4 it, I endorse the flexibility. I don't want to have precise 5 checkpoint kinds of rules, because the multiplicity of these 6 issues are such that you want management to tell their own 7 story, just like you want management to tell its own story in 8 MD&A. 9 However, we need help with respect to the idea of 10 what is a material weakness with respect to these issues, 11 because companies can't differentiate right now. 12 In terms of some of the points that Mr. Jonas was 13 making, my answers to a number of his points are that the 14 review staff in the Division of Corporation Finance is 15 already implementing most of his points, and the PCAOB is 16 implementing another one. 17 But the fact of the matter is, this disclosure is 18 brand new. We've been here one year on this disclosure, and 19 this disclosure has evolved from vague references to there is 20 something wrong down in the engine room and we can't figure 21 it out, to specific kinds of we have a hole in the boat, have 22 you found it, and this is what we're doing about it with 23 respect to the disclosure. 24 The disclosure in the past year has gone from what 25 I'd call one to an eight or a nine. The difficulty is we 1 can't differentiate between them. My first point to the 2 Commission if you have to decide what the purpose of this 3 disclosure is. 4 Is it the canary in the mine shaft, or do you just 5 want to have disclosure for all of these things? From my 6 standpoint, it's the canary in the mine shaft, and from the 7 investor's standpoint, I think the marketplace standpoint, 8 they're going to make those distinctions whether you do it or 9 not, and quite frankly, there go my people. Must go and lead 10 them is a standard that I would commend to your attention, 11 because this is happening very quickly. 12 MR. BELLER: Mr. Nusbaum. 13 MR. NUSBAUM: Thank you. What has been discussed 14 is the fact that the disclosure of material weaknesses is 15 significantly improved if everyone understands what the 16 weaknesses are all about, and what the remedial actions are. 17 So I would encourage, we would encourage the SEC to 18 require plain English standards for the disclosure of 19 material weaknesses, so that all the investors know what 20 we're talking about, and also to provide greater flexibility 21 on the disclosure of the remediation plans, including as I 22 think was alluded to earlier, the proposal to allow the 23 auditor or require the auditor to disclaim an opinion or add 24 disclaiming language on those remediation plans. 25 The disclosure of the material weaknesses, I think, 1 are even more difficult on small and mid-cap public 2 companies, because the COSO standards have been developed 3 really for the largest of companies. 4 Therefore, small and mid-cap public companies find 5 that they have a higher incidence of reporting material 6 weaknesses, simply because of these fixed standards. 7 While we all try to avoid the one-size-fits-all 8 requirement, because a standard does need to be improved for 9 small businesses, as I know it's being worked on, but for 10 many mid-cap public companies and small-cap public companies, 11 they're already reporting material weaknesses that are a 12 problem. 13 If I can comment on one other thing, the discussion 14 from an audit firm standpoint, the inconsistencies that are 15 being applied, I think there really are some inconsistencies, 16 unfortunately. We do need to focus on best practices amongst 17 the accounting firms in applying 404, the reporting on 404, 18 and expanding the active and whole discussion of integrated 19 auditing, where we combine the 404 test with the rest of the 20 audit. 21 That best practices really needs to be assisted by 22 the PCAOB, by the SEC and by various professional 23 organizations like the AICPA, to ensure that we really have 24 consistency and improve efficiency. 25 I think that the audit firms needs to share their 1 methodology, share their software, share their policies in an 2 organized manner, which will allow and foster the development 3 of principle-based standards, and I think improve the use of 4 judgment, as was discussed this morning. 5 MR. BELLER: Thank you. There are a number of 6 cards up, but I'm going to ask one follow-up first, because 7 I'm confused. What is it, and I'll let any of you answer, 8 but poor old Mr. Huber may be the natural audience for this 9 question. 10 What is it about the SEC's rules that precludes 11 companies and their advisors, their auditors and their 12 lawyers from making sensible distinctions in their disclosure 13 about material weakness A versus material weakness B. 14 I will tell you, I'm not aware of anything. So I 15 guess I'd like to be enlightened. 16 MR. HUBER: Yes, it's always the warrior that comes 17 up. The answers, the rules do not differentiate. Once you 18 pass this threshold, once you go into material weakness, then 19 the trigger mechanism for disclosure comes in. 20 From my standpoint, the five W's, who found it, 21 what is it, why did it happen, how does it affect your 22 financial statements, what are you doing about it, who's 23 doing it and when is it going to be fixed, comes in. 24 The fact of the matter is by your description, you 25 will in essence differentiate in embedded material weakness 1 from a one-time kind of disclosure problem, either disclosure 2 controls or procedures that are ineffective, tax or something 3 like that. 4 My point, though, is a different one. My point is 5 in terms of the disclosure policy that you're trying to come 6 up with, the heart of this definition is SAB 99. From my 7 standpoint, SAB 99, which has a bridge to the financial 8 statements, is an issue with respect to material weakness, 9 because a lot of people, and this goes to the standard as 10 well as how it's being applied, are applying it in a way that 11 scoops up a lot more than what everybody on this panel and 12 the prior panel was talking about investors really should 13 know about, as opposed to it's nice to know about. 14 So therefore my answer is the rules require you to 15 go into material weakness. They don't require you to go into 16 significant deficiency. I don't think this is an issue with 17 respect to AS-2, as much as it an issue with respect to the 18 concept of materiality and how it should be applied. 19 For example, a material weakness that is pervasive 20 and is going to take a long time to fix, is different than 21 one that was identified before 12/31/04, was fixed before the 22 10-K was filed, but the outside auditor on the measurement 23 date is going to say you have a material weakness, and there 24 is going to be an adverse opinion coming in with respect to 25 404. 1 Even though the management can say "We fixed it." 2 It's one of the most frustrating things, incidently, if you 3 want to talk to management, is the CFO that looks at you and 4 says "We fixed it. Why do I have to carry this cross?" 5 So the fact of the matter is, that's the way the 6 disclosure system works, and I would respectfully submit that 7 the tinkering necessary to fix that would go a long way 8 toward making this disclosure much better, and implementing 9 what I think is the purpose here, which is the canary in the 10 mine shaft. 11 MR. BELLER: I see Chairman McDonough has his card 12 up. I'm going to pursue this one more round, if I could. 13 Ms. Franklin. 14 MS. FRANKLIN: I wanted to add an anecdote to this 15 discussion about material weakness. I want to say first yes, 16 to Commissioner Glassman's question. 17 The anecdote is this, and this happened in a board. 18 This is not a committee happily, an audit committee that I am 19 chairing. But it's a situation that I know a lot about. 20 There was a material weakness determined toward the 21 end of the process by the auditor, and the auditor and the 22 CFO and actually the CEO, as I'm told the story, got into 23 this, and they really had a terrible time of disagreement. 24 Such that the lead partner in this case is going to be 25 removed. Somebody else is going to be put in there. 1 There are two things here. Number one, this was a 2 material weakness that probably wasn't a terribly important 3 material weakness, as I got the story. There are material 4 weaknesses and material weaknesses. So I'm agreeing with 5 what's been said here about more clarity and what's important 6 and what needs to be put before the public, etcetera. 7 But the other point is the rupturing of 8 relationships that I think has occurred in many cases, 9 through this 404 process because of the stress of it, and a 10 few other aspects, between management and the auditors. I 11 think there are a couple of things going on here. Some of it 12 had to do with what everybody thought was required, and I 13 believe auditors are -- forgive me, those of you who are 14 here, for saying this, but I think the firms are afraid. 15 After you get to the situation of Andersen going 16 down the drain, and then you have a new regulatory body, and 17 not sure quite what that's going to be, not sure what the 18 inspections of 404 are going to be. I think auditors are 19 afraid. 20 In the case I'm talking about, when we partners 21 said well, look right here. It says this, and management you 22 are being way too literal. Well, I think the auditor can't 23 help himself. He has to be literal, because he's afraid of 24 the situation he's in in this environment. 25 So I think there's this kind of issue that we need 1 to resolve. How this gets resolved, I don't know. How do we 2 have auditors employing more judgment, a little more 3 flexibility on all sides of the question. But it really 4 comes back to what is, in this case, what was the material 5 weakness. I'm worried about these relationships going 6 forward. 7 MR. BELLER: Mr. Hage? 8 MR. HAGE: Just from the preparer and creator of 9 the chaos out of this argument, I'd like to offer some 10 observations. I think that one of the problems is the notion 11 of rule-based versus a principle-based concept here. 12 In my experience, infernal controls in our company 13 have been established as the culture of our company, and they 14 were long-standing long before I came on the scene and were a 15 part of my basic training. 16 The observation is that they're continually 17 evolving. That isn't to say they're in a state of flux. But 18 they are always being reviewed, always in a state of being 19 improved. 20 For an audit examination to come in and at a point 21 in time look at it and say "Okay, this is what I saw today," 22 may not clearly describe the environment of the company or 23 the situation as a reality. So to me, there has to be some 24 balance of what's the underling culture and discipline here? 25 That has to balance off, you know, that on this day, this 1 event wasn't properly in place. But there was a process, 2 there was a system to eventually get there. 3 Risk-based is really important, I think. To 4 suggest that all failures of internal control are material is 5 of the same magnitude as a gross overstatement and 6 misrepresentation. 7 I think, too, there has to be some redress to the 8 qualifications of the person making the observation. We're a 9 smaller company and perhaps we don't get the highest, most 10 experienced auditors on the audit team. I think we've had 11 good people, but every year we have at least a third of the 12 team freshmen out of college, who are making their first 13 experience on our premises. 14 We teach them a lot, and at the end of the day, be 15 subject to the student telling the teacher what's right and 16 wrong about our process. So most of that is not being 17 brought out in the kinds of rules we're talking about here. 18 So I would caution us to draw the conclusion that 19 at the end of the day, only the auditor is absolutely 20 correct, and no matter what management may have done, they're 21 wrong. I think there is room for the balance of experience 22 and interpretation. 23 So it's a multidimensional thing. I'm not sure 24 it's as simple as saying there can be one rule, one process 25 that will solve the problem. 1 MR. BELLER: Okay, thank you. Chairman McDonough? 2 MR. MCDONOUGH: I have three quick comments. First 3 of all, if there is a material weakness and the issuer says 4 we have solved the material weakness after the date of the 5 certification of the financial statement and of the internal 6 control by the outside auditor, we have proposed a new 7 standard which will allow that to be corrected in the course 8 of the year, and that's one of the reasons we have it. 9 Common sense prevails. 10 I'm really rather disturbed to hear about a lead 11 partner being withdrawn because he or she didn't get along 12 with the CEO and the CFO. Rather to the contrary, I would 13 think that if the top management of the audit firm felt that 14 the partner was correct, they should resign. 15 I don't think that we can have lead partners 16 bullied into thinking that they've got to get along with the 17 CEO or CFO or they're going to get canned. I think that that 18 is just very, very bad public policy. 19 MS. GILLAN: I would agree with that, Bill. 20 MR. MCDONOUGH: Jim Copeland mentioned that it 21 would be good if the PCAOB had more investor input into our 22 creation of standards. Our standing advisory group on our 23 standards has 30 people. A distinct minority of those, like 24 six or seven, are auditors. 25 The rest are investors, issuers and even a few 1 lawyers. But for an example of the importance of investors, 2 when we put out our proposed standard on the tax services 3 that an audit firm could provide to an audit client, we were 4 particularly interested in how investors felt about that. 5 Through the work of the standing advisory group, 6 through the very active contacts we have with investors, it 7 turned out that some of the most congratulatory comments made 8 on this proposal, which actually leaves the audit firms to do 9 most of the old fashioned audit work. We got them out of the 10 knotty contingent stuff they should never have been in, for 11 moral if not other reasons, and we say that they cannot do 12 the personal tax returns of senior managers in line of 13 financial reporting. But essentially we leave the most other 14 things. 15 Well, needless to say the audit firms thought that 16 was a pretty good idea. What we were really interested in is 17 how investors felt about it. The reason that we felt that we 18 could go forward and will continue to go forward is because 19 of the strong positive investor reaction. 20 MR. BELLER: Thank you. Ms. Gillan. 21 MS. GILLAN: Thank you. I wanted to follow along 22 that same line, and I've been intrigued with some of the 23 comments both by this panel, as well as the first panel, 24 about how investors have reacted to the reports that we have 25 seen to date. 1 I think Mr. Turner made the point that it has been 2 on a case by case basis, which I applaud the investment 3 community for not taking kind of a blanket or knee-jerk 4 approach to these disclosures and looking at them. I know 5 the credit agencies have done this as well in determining 6 what is really important to them going forward and what's 7 not. 8 This panel has suggested that perhaps that should 9 guide a change, perhaps, in what is reported to investors and 10 kind of learn how the investment community has reacted, what 11 they consider to be more significant. Rather than sort of 12 speculate as to what investors want, should or need, I was 13 jus hoping we can perhaps get some comments from the 14 downstream users, Mr. Anson and Mr. Jonas, as to whether they 15 would like fewer things reported to you. 16 MR. ANSON: Well, I guess I'll start and see what I 17 can do to answer that. First, before we had Section 404 of 18 Sarbanes-Oxley, and we've heard my earlier comments, the 19 whole stock market discounted financial statements in total. 20 That's why we had such a high equity risk premium in 2002 21 across the whole stock market, because collectively we didn't 22 trust the financial statements of all public companies. 23 Now with the advent of Sarbanes-Oxley and Section 24 404, we can now focus and localized our lack of trust on 25 individual companies. But this is a good thing, because we 1 can focus in and drill down and find out what is wrong; is it 2 a material weakness, and then we can use our judgment. 3 Now there is the judgment of the auditor in 4 reporting it to our management. There is the judgment of 5 management and how they disclose it in their financial 6 statements. Last, there is the judgment of investors. How 7 do we interpret it? Do we think this is sufficiently 8 red-flagged that we need to discount this company more 9 heavily? 10 We always like more information rather than less, 11 and greater transparency than opaqueness. But I think to the 12 extent that affirmation comes out, we will look at companies 13 on a one-by-one basis, and look for those where we think 14 there truly are material weaknesses. 15 You know, we're pretty smart people. Just give us 16 the information. We'll know what to do with it. 17 MR. BELLER: Mr. Jonas. 18 MR. JONAS: Well, put us in the camp that not all 19 weaknesses are created equal. Last fall, we published a 20 framework for thinking about which ones we were going to 21 think was a big deal and which ones we weren't. 22 I'm finding that after looking at all the companies 23 that have reported material weaknesses, that it doesn't take 24 us long, provided we have some details in the disclosure, it 25 doesn't take us long to distinguish between those that we 1 care about and those that we don't. 2 Just a couple of brief statistics. So far, 93 3 companies that our rating agency rates have reported 4 weaknesses, and of these we have considered 71 of the 5 companies in detail with the rest yet to go, mostly because 6 the data is still very fresh. 7 We have -- of the 71 cases we've considered 8 closely, we have had negative rating action in 12 of those 9 cases, which is roughly 20 percent of the cases. Which means 10 in 80 percent of the cases, we're pretty relaxed about the 11 nature of the control weaknesses that are reported. 12 Now what I would observe, though, would you 13 conclude from that that we ought to have a dramatic reduction 14 in the number of weaknesses that companies talk about, and 15 then, you know, maybe I would find that acceptable if you all 16 were to adopt our particular framework for thinking about 17 this. 18 But I suspect that you're not, and I suspect that 19 investors differ in their views about what's important and 20 when, just as they differ on about every other issue. That's 21 what makes a market. 22 So my vote would be the hold the course, report 23 material weaknesses. I don't think we have a robust amount 24 as we do today. Let the market figure out what's important 25 and what's not. I don't sense market overreaction today. I 1 do sense a balanced, measured approach on a case-by-case 2 basis, and it seems to me that that's a reasonable way to 3 proceed. 4 MR. BELLER: Mr. Kueppers, you have your card up? 5 MR. KUEPPERS: Yes, I remembered that. Thank you. 6 Thank you, Alan. I think one of the things we have to keep 7 in perspective, and the eight percent number's been mentioned 8 as sort of the scorecard so far. In other words, eight 9 percent of companies reported had material weaknesses. 10 You know, John's point earlier. Yes, they're 11 different. They may not all be the same, but you know, they 12 all have met a threshold, sometimes using judgment, of a 13 single common definition. 14 The system we have has one class that is very 15 public, one class significant deficiencies that's largely an 16 internal reporting mechanism, and then another class that 17 just doesn't, you know, just gets dealt with by the company. 18 You know, several have mentioned a 270-some 19 average, and that's exactly what your survey showed as well. 20 The truth is that many of the routine things are getting 21 dealt with very routinely, and they don't deserve or require 22 public disclosure. 23 I think that's what you want. You want constant 24 repairs and maintenance on controls, as opposed to some of 25 the catch-up we had to do this year, given the point made 1 earlier about deferred maintenance. 2 So I'm inclined to leave sort of this three-tiered 3 system. I mean, it is the design of the standard. There are 4 two issues with the definition that are sensitive; perhaps 5 one is material, which John mentioned. The other is interim 6 has the same sort of status as annual, and that also creates 7 a larger number of weaknesses and I'm not sure what to do 8 with that. 9 I will just point out that having interim in there 10 does sort of change, you know, the calibration of the system. 11 One more point, and this is very much off the point 12 that I was just making, to Barbara's point about tension. 13 You know, I really do believe, and this is based, you know, 14 this is maybe anecdotal but it's based on my experience in 15 working with our clients and with my partners. 16 There is much more tension today than would have 17 been evident, you know, a couple of years. I think a certain 18 level of that is the result of 404 may be the topic de jure; 19 it certainly is today while here. 20 But I think it's also become sort of the repository 21 for other changes and feelings about those other changes, 22 whether it's frustration of getting, you know, good 23 accounting advice from your auditor that used to be sort of 24 just second nature and now seems to be a struggle. 25 Some of the other changes about audit committee 1 relations, rotation. I mean, all the reforms that have come 2 through in the last couple of years have aggregated into, in 3 many ways, the focus on 404. 4 I think that many people would expect there would 5 be a healthy level of tension by the auditors, with 6 management, in the audit committee room, in the board room 7 when necessary, and it's very hard to measure when it's too 8 much or when it's unhealthy. 9 But I really believe a certain amount of that is 10 the whole point. I mean, auditors aren't the most positive 11 people. We tend to look for problems as opposed to anything 12 else. But you know, I sort of sense that that's what we're 13 getting paid to do. 14 I do believe the one area that could make a 15 tremendous difference in the attitudes, and I think our 16 colleagues at the SEC and the PCAOB can help us tremendously. 17 I think this notion of not giving accounting advice to audit 18 clients on the fear either that it will breach independence 19 rules or that they aren't good enough so they have material 20 weakness has just gotten completely off track. 21 We have to be able to work with our clients on 22 these complicated matters or nobody's going to get it right. 23 I think we have to get some sensibility back into that part 24 of the equation. 25 MR. BELLER: I actually want to follow up on the 1 tension point with Mr. Copeland, as an audit committee 2 member. Take not Ms. Franklin's scenario, and certainly not 3 Ms. Franklin's outcome, which I think we probably all agree 4 is the inappropriate one. 5 How does an audit committee react when there is a 6 completely honest, completely good faith, completely at 7 loggerheads disagreement between management and the outside 8 auditors with respect to whether there's a material weakness? 9 MR. COPELAND: Well, and I actually have not seen 10 that event where it was not resolvable. If I had been 11 involved in that situation, I would have been Looking for an 12 audit committee advisor to try and bring closure to that 13 issue. 14 Let me just say, though, that I'm aware of at least 15 one other situation where, as in the issue that Barbara 16 mentioned, there was a difference of agreement. The 17 auditors, the internal auditors and the CFO raised tone at 18 the top issues. 19 The CEO's solution to that was to fire those 20 individuals. The audit committee's approach to changing the 21 tone at the top was somewhat different. I think that 22 Chairman McDonough would be happy with the resolution of that 23 issue. 24 PP Me too. 25 MR. COPELAND: Now let me, if I can, with the 1 privilege of the floor, just mention one other thing, and 2 that is with response to Chairman McDonough's comment about 3 the process. 4 There is a process there and I have had access to 5 it and I don't feel the least bit restricted in my ability to 6 bend his ear on occasion. But I've been told for years now 7 when I was wearing my other hat as CEO of Deloitte that 8 perception is really, really important. 9 That is not the perception. The perception out 10 there is that the issuers do not have access to the SEC on 11 issues of guidance about their extended scope and testing 12 under 404, and they don't have access before the fact, to the 13 PCAOB on issues that will profoundly affect them. 14 So I will just say, as having been party to a 15 profession that got beaten about the head and shoulders about 16 perception, I would just encourage the participants in this 17 process to accept the fact that the perception out there is 18 that people don't have access and ability to influence things 19 that are going to profoundly affect them, and long-term 20 that's not good. 21 MR. BELLER: Thank you. Mr. Nusbaum, you've had 22 your card up for a while and have been very patient. I want 23 to respond to something Mr. Anson said, and our experience 24 shows, and I think everyone would agree, that the reporting 25 as well as the testing, but the reporting on internal 1 controls and on the process has improved the quality of the 2 financial statements and the reliability of the financial 3 statements. 4 While it may not eliminate all collusive fraud 5 certainly, it certainly will reduce, I think, the likelihood 6 of material financial statement fraud. But internal controls 7 are not just about the financial statements, and Mr. Anson 8 referred to all of the other financial information that is 9 used to make investor decisions. 10 I think there is an area opportunity for us to look 11 at internal controls on a broader level, and I'm not talking 12 about operational controls. But internal controls and the 13 recording of financial information, other financial 14 information. 15 Our experience is by improving the controls on the 16 financial statements, there has been maybe an unintended 17 consequence that's a good one, to improve the controls over 18 the reporting of other financial information. 19 But there's an opportunity for us and I think a 20 requirement for us to focus on how to improve the quality and 21 reliability of the vast amount of other financial information 22 that investors use to make decisions. 23 MR. BELLER: Mr. Huber, you've also been patient. 24 MR. HUBER: I want to go back to the comment about 25 the marketplace and the need for information and disclosure. 1 My son is a buy-side analyst. He's a charter financial 2 analyst. There's no amount of information you can give him 3 that will satisfy him. 4 He wants more all the time, just like in the movie 5 with David Copperfield. The fact of the matter is at a 6 certain point the regulatory system has got to draw a line 7 with respect to what the purpose of the regulation is, what 8 the cost of the regulation is, and what disclosure is being 9 put out there. Otherwise, you will have regulatory 10 dysfunctions. 11 Moody's has already come up with a two bucket 12 standard. If you look at institutional shareholder services' 13 Friday report from April 8th, they now have a eight-point 14 grid. 15 As a person who is supposed to link this with 16 companies, I don't know whether I should follow the Moody's 17 approach, the ISS approach, the SEC approach, which approach. 18 Because we're going to fracture this disclosure system soon, 19 if some additional guidance isn't given with respect to what 20 material weakness is and what it isn't. 21 Because we're hearing sort of a uniform theme here 22 that the analysts are going to discount the little stuff, but 23 they still want it. But I would respectfully submit the 24 companies will not really tolerate the littler stuff when 25 they see no need for it. 1 It's the bridging of that gap, pardon my pun. It's 2 the bridging of that gap that I would respectfully submit is 3 the job of the SEC and the PCAOB. 4 MR. BELLER: John, is the point -- maybe it's both 5 points. But is the point that the definition of material 6 weakness sweeps in too many deficiencies, or is the point 7 that once you've set that level, once you've set that 8 materiality standard at an appropriate level, companies and 9 their advisors are unable to make differentiations on their 10 own between what's a material weakness that is a material 11 weakness but shouldn't keep you up at night, and what's a 12 material weakness that should keep you up at night? 13 MR. HUBER: It's the second, from my standpoint 14 Alan. I think what's really important is everybody is taking 15 this area seriously. Companies are taking it seriously. 16 Audit committees are taking it deadly seriously. Auditors 17 are. 18 The fact of the matter is, in terms of 404, the 19 threshold obtained is a material weakness. It's not a, you 20 know, little material weakness or a big material weakness. 21 It's a material weakness. So therefore the system is 22 predicated on that, and my suggestion from a disclosure 23 policy standpoint is make changes to the materiality part of 24 material weakness. 25 That's something the SEC can do. PCAOB doesn't 1 have to do that, and the system will -- the other pieces of 2 this system will work better. 3 MR. BELLER: Mr. Cyprus. 4 MR. CYPRUS: Just a couple of points. One, you 5 know, when we were talking about tension. I actually think a 6 little bit of tension is healthy. I not only have a little 7 tension in my auditors; sometimes I have tension with my own 8 management team, you know, as we all talk about issues. It's 9 natural. It's a good thing. 10 Two, I believe that the issue of auditors being 11 responsive to you when you deal in technical issues, I'm 12 guessing that that might be more of an issue for companies 13 that might not have technical staffs available to them. 14 Because I have a pretty good technical staff, and I 15 haven't really noticed that being an issue, because 16 management usually makes the decisions. Management usually 17 analyzes the situation. Management usually goes to the 18 auditors and says "I think this is what we ought to do," and 19 then it's appropriate for the auditor to comment, and that's 20 what we've seen. 21 So we haven't seen the auditor say "I'm sorry, we 22 won't analyze." What I have seen and what I have heard was 23 when someone went to the auditor and says "Here's a 24 transaction, what should I do?" Well now you've got a 25 different situation, and I think you've got to be specific 1 between these nuances of what you're saying. 2 Unless you're a company that doesn't have those 3 capabilities, in which case what you'll need to do is figure 4 out how to, in essence, get it. You can buy it externally 5 from -- there are other sources to get that help, all right. 6 So I think we have to be really careful. 7 I also think that when you're dealing in those 8 particular issues, I think it depends on who the staff is. I 9 just think different partners react differently, and you've 10 got to sort of figure that piece out. But I'm not seeing 11 that as the overwhelming problem. But I would see it as an 12 issue for small businesses. 13 What I was going to follow up is just that I have 14 two more brief points as to the comments that were being 15 made. As far as disclosure of material weaknesses, you know, 16 I think management has enough flexibility to disclose what it 17 believes is a big weakness versus a little weakness. 18 So I think the flexibility's there to get the 19 points across. On the other hand, if you think about it, I'm 20 trying to figure out myself, if I think about the definition 21 of a material weakness as more than a remote likelihood that 22 something could go bump in the night. 23 Well, if something could go bump in the night, in 24 other words, you could have a material change to your 25 financial statements, I find it hard to believe that that's 1 not a material weakness that needs to be disclosed. 2 So are we trying -- I'm a preparer too, and so to 3 me, I think it's pretty clear if you read the types of 4 material weaknesses, and I've disclosed probably nine control 5 activities and other areas of material weakness. 6 I think someone could go through mine and say 7 "Revenue, that's a big one. This one's a big one. Now these 8 aren't as big." Any one of them, right, have a chance of 9 more than a remote likelihood to have an impact on my 10 financial statements. So tell me which one I should decide 11 not to disclose. 12 So I might have a different point of view on that. 13 I think someone else can make the decision of what's more or 14 less important to them. I think we as preparers need to 15 disclose it. 16 The last issue, and I want to revert back to 17 something that was done on Panel 1. Robert Burroughs made a 18 statement about financial reporting deadlines. For those of 19 us who do have control issues, and need to take time to make 20 sure we address those issues in our financial statements, I'd 21 like to encourage keeping the freeze on. 22 If we move those deadlines forward, I could tell 23 you that companies like mine and smaller businesses that need 24 time to get good assurance around its results, will have a 25 more difficult time that could either lead to more risk or, 1 frankly, missing the deadline. 2 So I would like to at least put that out there for 3 you consideration. 4 MR. BELLER: Thank you. I'm going to end this by 5 Commissioner Goldschmid had his card up, and we'll -- 6 COMMISSIONER GOLDSCHMID: Oh no. I put it down, so 7 we could hear from the others. But, well two quick comments. 8 One is constructive tension is the language I like to use for 9 our burden. We don't want to go over that, I think. 10 COMMISSIONER GLASSMAN: It's my language as well, 11 yes. 12 COMMISSIONER GOLDSCHMID: The other is that the 13 disclosure system for material weakness is as principled as 14 the United States will ever get. 15 The idea was to give you lots of room to explain, 16 and whether it's S&P or some other standard, you have room to 17 write it in a way, take a look at what the market wants, and 18 write it in a way that will explain "This one is a six-month 19 problem; we'll get rid of it. It's a one-shot affair and 20 it's material but not all that big a deal. This one is 12 21 years and it's really deep." 22 Write it. Tell us, and then the market, the 23 analysts and everyone else, including your son, John, will 24 understand. 25 MR. BELLER: With that, I will close this panel. 1 Time is over. I'm going to ask the audience, please, Panel 2 No. 3 is going to start immediately. We're just going to 3 switch people and cards. 4 So please, don't leave your seats. This is not a 5 break, and I'd like to thank the panelists, each and every 6 one. A very good discussion. Thank you very much. 7 (Break.) 8 PANEL THREE - PLANNING AND DESIGN 9 MR. BELLER: I think we're ready to get going with 10 Panel No. 3 and we'll continue. Thank you very much for 11 sticking with us, and we thank you in particular for this 12 very quick turnaround. 13 Getting started here, I think we will just remind 14 you, and I think most of the panelists have been here, so we 15 don't need to get into too much detail. If you want to 16 speak, card goes up. No opening comments. No detailed, 17 lengthy ten-minute dissertations, and we say that in the 18 interest of respect to all the panelists. 19 The Commissioners and the board members are of 20 course encouraged to participate and ask questions, and they 21 too will put their name tags up at the appropriate moment. 22 Let me introduce Andy Bailey. Andy is my deputy, 23 and heads up the Professional Practice end of what we do in 24 the Office of Chief Accountant. That means he has an awful 25 lot of contact with the PCAOB, and with the audit profession, 1 and has oversight of most of the audit areas. So with that, 2 Andy, you want to get us started? 3 MR. BAILEY: I'll try to do that. I think we're 4 now moving into the sessions that get us down kind of on the 5 ground, with respect to the actual documentation and testing 6 that takes place. 7 404 requires that management design and operate and 8 test their own internal control systems, in order to make an 9 independent assessment, while AS-2 requires auditors to test 10 management's assertions and also test sufficiently to arrive 11 at an independent assessment about performance of internal 12 controls. 13 Because the auditors all dependent so heavily on 14 management traces, management and the auditor must ultimately 15 agree on the scope and extent of testing necessary to 16 accomplish both goals. 17 I'm going to open with a fairly general question on 18 this, and then we're going to proceed to a series of 19 questions that have to do with issues that have been raised 20 already, definitions of material weakness, what we mean by a 21 risk on materiality issues, in terms of driving the extent of 22 testing. 23 Let me introduce the panelists. From my left, 24 working to the right, Chuck Bowsher, former Comptroller 25 General of the United States or the Honorable Charles 1 Bowsher. 2 Frank Brod, VP and Controller of Dow Chemical and 3 chair of the FEI Committee on Corporate Reporting. 4 Alex Davern, Chief Financial Officer and Senior 5 Vice President of Manufacturing and IT Operations of National 6 Instruments, and chairman of the American Electronics 7 Association Committee on the Reform of Sarbanes-Oxley 404. 8 Lisa Flavin, Vice President, Audit, Emerson 9 Electric. 10 Jay Haberland, Vice President, Business Controls, 11 United Technologies Corporation. 12 Damon Silvers, Associate General Counsel of the 13 AFL-CIO. 14 Dr. Albert Teplin, Audit Committee Chair of Viad; 15 Audit Committee member of Moneygram International. 16 James Turley, Chairman and CEO of Ernst & Young, 17 and Richard Ueltschy, Executive in Charge of Financial 18 Institutions Audit Practice, Crowe Chizek. 19 If I don't identify you or Don doesn't when we call 20 on you, would you please identify yourself for the broadcast 21 audience that does not have video. 22 Turning first to Mr. Bowsher then, in your prepared 23 statement, you indicated that the communications between 24 management and the auditor need attention; that both 25 management and the auditor may have made too little use of 1 risk-based approaches to planning, design and testing; that 2 auditors may have placed too much reliance on the work of 3 others; and that the net result was an excessive duplication 4 of work. Quite a mouthful. 5 If this is the case, what are the needs, the top 6 priority needs for change, that have to be accomplished going 7 forward. 8 MR. BOWSHER: Okay, Andy. That's what I said in my 9 prepared, and that's the way I do feel about it. I do want 10 to say though first, I also said in my prepared that I 11 thought we made a lot of progress here in Year 1, and I think 12 a lot of the people that worked very, very hard in the firms, 13 the auditing firms, have brought us a long way on 404. I'm 14 very pleased where we're at right now. 15 I do believe, though, that we now have the 16 documentation in front of the audit committees and in front 17 of the managements that allow us to become much more 18 efficient and effective in the second year and in the third 19 year. I hope that will also play into the way the assessment 20 is done by the external audit firms. 21 What we really have today for the first time is we 22 have our accounting system documented by different processes. 23 We have it rated by risk. 24 We have -- where we had some weaknesses going 25 through this past year, where we got it remediated, and when 1 we finally get our final report from the external audit firm 2 and this company that I'm on the audit board, we had three 3 material weaknesses -- three significant weaknesses and no 4 material weaknesses. 5 So we now literally have a report pride, and we 6 know what we have to do here in the second year in that. 7 Also, I think it is also incumbent upon the 8 leadership of the companies and the audit committees to say 9 how can we improve our financial management systems. How can 10 we modernize them so that they are not as costly to operate, 11 and also not as costly to assess. 12 In other words, we have to do management assessment 13 every year. We have to do an external audit assessment, and 14 we really want to get either through centralization or 15 computerization or outsourcing, whatever it takes to really 16 get down to a financial management system that is very 17 cost-effective. 18 Then at that point, I hope we can get the 19 assessment process down to a cost-effective. I do believe 20 that there was some miscommunication or misunderstanding 21 between the PCAOB and the auditing firms this past year. 22 But I think that can be corrected, and I know I've 23 been talking. I'm on an advisory committee to the PCAOB and 24 I know they want to get it right, and I'm sure the accounting 25 firms do too. 1 So I think what we want to do is make sure when our 2 engagement partner comes into our meetings, that he doesn't 3 feel like he can't talk or discuss issues and things like 4 that, which there was some of that this past year. We want 5 him to be or her to be a major partner, and how do we do this 6 better the second and third year. 7 One of the questions is how much work does the 8 internal audit function do, and how much reliance does the 9 external auditor place on that work. I think that was not 10 sorted out too well the first year, which you can expect. 11 But I think we ought to get it sorted out very well 12 in the second and third year here, so that we're not spending 13 a lot of money for duplication, especially on the lower risk 14 areas. The higher risk areas, of course, you don't want to 15 ignore them at all in the subsequent years. 16 So I think you really needed some real good 17 planning and meetings here, and I was a little disappointed 18 at one of my audit committees, where I got next year's 19 estimate, which was not much lower than this year's for the 20 404 work by the external auditor, without ever suggesting we 21 even have a meeting. 22 In other words, I really think now in the next few 23 weeks and months here, we ought to be getting together, the 24 external auditor, the internal auditor, the CFO, all the key 25 players, and especially even some of the people down the 1 line, where they've had the delegation down there, that they 2 own the process in the larger companies. 3 So I think there's a lot of opportunity here to 4 make cost savings, but also more effective assessments. But 5 it should also be based on trying to get a more effective and 6 efficient accounting and financial reporting system at each 7 company. 8 MR. BAILEY: Thank you. We're going to try to 9 delve into some of those detailed issues. But before that, 10 Dr. Teplin I know recently is an audit chair of an audit that 11 was recently completed, and so had to go through that process 12 this first year. He was also a committee member on a firm, a 13 company that is about to enter this process. 14 I'm kind of wondering what your first experience 15 was in getting the communications among the stakeholders, in 16 order to get a reasonable plan, and what you think you're 17 going to recommend as changes as you go forward with this 18 second part? 19 DR. TEPLIN: Well, you're right, that we did -- at 20 Viad, we did complete our audit at the end of this year or 21 file early this year, and at Moneygram International we're in 22 the process. I wouldn't say that we're about to begin. I 23 would say that we're into the process. 24 I think that first of all, the 404 clearly focused 25 the attention of the audit committees that I'm on at least, 1 and I'm sure all of them, on these internal controls. We 2 pushed and I'm sure that others pushed to make this, of 3 course, a top priority work, using it as an opportunity to 4 sharpen the controls that were in place. 5 But we also, as we went through the process of 6 scoping out the work and then carrying out the work, we found 7 some surprises. One, of course, was the cost. Everybody 8 underestimated these costs. We underestimated our own 9 internal costs. The auditor underestimated their costs. 10 I would not minimize the tension that was added to 11 the system. I agree. Some of this tension probably was 12 necessary. However, at some point, and I think I'm beginning 13 to believe we've reached that point, some of these tensions 14 are non-productive. 15 So far in 2005, we're looking for ways at Viad to 16 refocus the process, to make it more cost-effective and so 17 on, and looking for some fuller guidance and so on. We were 18 able to use, I think, our experience going forward into 19 Moneygram, or at least I was. 20 Of course, it was a spinoff. So that the people 21 that are on the Moneygram board were aware of what Viad was 22 doing, and make the scoping process much more -- much 23 sharper. I think that one problem or one issue that we 24 developed is where in the scoping process does the outside 25 auditor come in. 1 If they're not -- obviously you don't want your 2 outside auditor, or they don't want to tell you they're going 3 to audit this, this and this, all right. So what happened I 4 think in some companies, at least our experience was, that we 5 thought the auditor was going to audit the middle of the 6 onion. We wanted to look at the whole thing around it, and 7 make sure we captured everything. 8 I think that some of that experience is being used 9 now by Moneygram, and it's a much more focused process, and 10 process that probably will be somewhat cleaner, although I 11 don't think it's going to be less costly. 12 MR. BAILEY: To pursue a little bit further the 13 tension issue and the potential imbalance we see in many of 14 the letters coming through, that in this planning process, 15 because the auditors and management have to come to an 16 agreement, there are disagreements. We're hearing that there 17 may be an imbalance in the relationship. Mr. Davern, would 18 you like to comment on that? Do you have any experience with 19 that? 20 MR. DAVERN: Thank you, Andrew. Well, in this 21 whole area, I think that there certainly needs to be some 22 consideration of the relationship and where the balance lies. 23 From our work at the AEA, we've seen a number of significant 24 problems with the implementation all during 2004, especially 25 for smaller companies. 1 There's been a lot of discussion here today 2 obviously with bigger companies. I think it's interesting 3 that the first panel really bore out, I think, the real issue 4 that is faced by the majority of public companies. That is 5 that the framework being applied, the COSO framework being 6 applied were designed for large companies with multibillions 7 of dollars of revenue. 8 Therefore, for them the implementation and their 9 position as a valued client of a large auditor, is 10 appropriate. From our role, the average cost for large 11 companies of more than $5 billion is about .05 percent of 12 revenue. However, the situation is dramatically different 13 when you shift profile down to companies of less than $100 14 million. 15 Obviously significantly less valued as clients 16 generally, because of their size and perceived risk, and from 17 our estimates the average cost is about 2.5 percent of 18 revenue or about 50 times greater relatively for a smaller 19 company than it is for a large company. 20 It's also, I'm sure, well-appreciated by all the 21 members of the Commission and the board that a large number 22 of public companies are less than $100 million of revenue, 23 although they make up a very small percentage of the market 24 cap of public companies. They make up less than ten percent 25 of the market cap of public companies, and therefore of the 1 risk to investors. 2 In terms of the balance of relationship, when we 3 looked at the issue from an AEA perspective, and the majority 4 of our members are small companies, we see a number of issues 5 that drive the costs disproportionately. Those really rank 6 in terms of number one, a lack of a small company framework 7 which we talked about yesterday in the advisory committee 8 meetings. 9 Number two, is a checklist approach where most 10 small company CFOs felt they had very little negotiating 11 power in discussing with the external auditor how the 12 approach would actually happen. 13 I think if you talk to the majority of small 14 company CFOs, and I think I've talked to well over 100 in my 15 duties as the chairman of the AEA Committee, they received a 16 checklist and had a very difficult time convincing the 17 auditors to change that. 18 Now I will say in the auditors' defense that a lot 19 of this comes from the late standards that were issued, and a 20 lot of confusion as to what the standard and metric will be 21 applied by the PCAOB in the examination process. 22 As several other panelists have said already, I 23 think the examination process that goes on later this year is 24 a really critical element in determining whether we're going 25 to turn the corner on 404 in 2005, and bring the costs and 1 benefits into balance. 2 Another issue that came up clearly from our members 3 is the lack of competition, or certainly very strongly 4 perceived lack of competition in the audit market for public 5 companies. I think that's a public policy issue that 6 deserves serous consideration. 7 I think the area of most frustration in this whole 8 area of balance in what should and should not be done really 9 came around the area of IT controls. IT controls became a 10 major, major focus during the process of 404 in 2004. 11 We dealt with a situation where most audit partners 12 and a vast, vast majority of the audit staff really did not 13 understand IT controls, I'll say very well. But in many 14 cases, very, very poorly. 15 They underwent some quick training and then they 16 were put in a position where they were trying to assess and 17 dictate how very experience IT Department managers should run 18 their IT operations. 19 I think that that lack of balance in the 20 relationship, and maybe it's also a lack of balance in the 21 relationship between the PCAOB and the Big Four that led to 22 this, resulted in a massive, I think, focus on largely 23 irrelevant IT costs. 24 I'll just close by saying from our estimates at the 25 AEA, 45 percent of this total effort was spent around IT 1 controls. That's about $15 billion, based on our estimate. 2 We estimate the total effort cost of about $35 billion for 3 all public companies in the aggregate. 4 We have looked very hard and cannot find a single 5 major investor loss that resulted from a materially 6 inaccurate financial statement filed with the SEC, as a 7 result of a failure of IT controls. Now I'm sure there may 8 be some out there, but I've looked hard. I can't find them. 9 So my conclusion is we spent $15 billion on this 10 issue to solve a problem that does not exist, and I think 11 putting more balance back into the relationship and I think 12 giving more guidance and showing through the examination 13 process that auditors will be allowed to use their 14 professional guidance would be greatly beneficial in 15 reassessing this going forward. 16 MR. BAILEY: Mr. Turley, would you like to wrap 17 this up with public accountants' view of how that 18 relationship has developed in this last year? 19 MR. TURLEY: Yes, and in fact while we probably 20 have done things differently, for now I think we have common 21 ground on many, many points. 22 A couple of panels have consistently said there's 23 great value that's been generated, and good things coming out 24 of 404. The first one, I think, one thing that has been 25 undercommented is the impact it's had in conjunction with 302 1 certifications and cascading out around organizations, and 2 the combined impact on the culture of the people within the 3 clients that we serve, and their commitment to controls, 4 their commitment to getting it right. 5 But I think that by anyone's estimation, there was 6 an awful lot of rough start-up issues, and on that 7 profession, we'd be the first to say, you know, we'd love to 8 get more guidance and make sure we get it right. I think 9 someone on the first panel talked about, I think the words he 10 said is, you know, "What is it the standards require?" They 11 were already said. 12 And I think more guidance would be beneficial for 13 the profession. I think more guidance for issuers would be 14 very beneficial. I think the inspection process, as Alex 15 said, would be very helpful in terms of shaping issues, both 16 in areas where the profession spent too little focus and in 17 areas where we spent too much focus. 18 So I think that all of these issues are incredibly 19 important as we move forward. You know, our submission 20 points out there are some other areas where I think we need 21 to really put our heads together, to figure out the best way 22 both to continue maximizing the great positives that come 23 from 404, but to also make sure that the first year 24 efficiencies or inefficiencies are eliminated. 25 The learnings that have come from enormous effort 1 by issuers, by regulators, by profession are then transmitted 2 to all the second wave of auditors. So I think today's the 3 beginning of that process. 4 MR. NICOLAISEN: Jim, let me follow up, if I may, 5 with just a quick question, and Richard, if you want to join 6 in on this you certainly can. But in the Big Four 7 submission, you describe that there were an average, I think, 8 of 348 deficiencies that were noted per company. For the 90 9 companies it's not a lot better, it's 30-some thousand 10 deficiencies that were encountered. 11 Different people could draw different inferences 12 from that. One group of people may look at that and say 13 "Perhaps the level of detail that's being identified as a 14 deficiency is too low, or the threshold is set too low." 15 Other may say "Is this indicative that we have more of a 16 problem in the control world than we might think?" 17 When you cut through it, you've described that 96 18 percent of those deficiencies don't meet the threshold of 19 being a significant deficiency. They're reported to 20 management, but they don't have to go to the audit committee. 21 Only, I think, five out of 30-some thousand ended up being 22 material weaknesses. 23 How could you put that into perspective? I think 24 this sort of plays, and this is a complicated question, but 25 it sort of plays into this whole question of materiality, 1 which from what I gather from much of the discussion earlier 2 this morning, sets the threshold as to how much work both the 3 company does in documenting controls, and how much work the 4 auditor does. Maybe you can give us a little more feel 5 around that? 6 MR. TURLEY: Before you do that, because it really 7 leads into the next question. We may as well just keep the 8 whole thing moving. 9 Materiality judgments and risk judgments drive the 10 extent of documentation and testing for both management and 11 the auditor. So rather than just address it in the narrow 12 sense, you might pick it up and we'll just keep moving on 13 that issue. 14 But let me frame some of the material that the Big 15 Four send to you collectively. Each of the firms thought 16 that getting it from, you know, real, live data on this would 17 be beneficial for you. So while we each submitted individual 18 firm letters, collectively we accumulated some data for 19 submission. 20 The number of deficiencies you talked about, 21 roughly 350 per big company, were deficiencies identified by 22 the management processes, not by the firms. So they were 23 going through and so at one level, you know, the level of the 24 filter was driven by management. Now -- 25 MR. NICOLAISEN: Let me just ask a question about 1 that. Now some people have said that that filter, while it 2 may have been management's filter, was driven in large part 3 by expectations set by the audit. 4 MR. TURLEY: Heavily driven by working together on 5 that. You're absolutely right, Don. Of the 350, what the 6 data showed is roughly 75, 77 I think was the actual number, 7 at year-end had not been remediated. 8 The 96 percent you talked about was the 96 percent 9 of the unremediated weaknesses, or those that were then 10 categorized, if you will, as control deficiencies, 11 significant deficiencies or material weaknesses. 12 You know, auditors and everyone did not go through 13 and have to, if you will, categorize and make the decisions 14 on those that were remediated. 15 My own gut feel from talking with a lot of our 16 clients, a lot of our teams, is in fact that it was very much 17 in management's and in fact the profession's focus that as 18 many of those that would have been material weaknesses or 19 significant deficiencies were probably addressed first. 20 I can't tell you whether, you know, it's more 21 than -- and how much more than four percent. My instincts 22 are that a lot more of those that were remediated than four 23 percent -- 24 MR. NICOLAISEN: There could have been more. 25 MR. TURLEY: --would have been either significant 1 deficiencies or material weaknesses, because it's in 2 everyone's interest to get that fixed. 3 Certainly the flip side is those regular control 4 deficiencies that were easy, quick fixes were just fixed. So 5 I think that, you know, the issue is actually more of a 6 positive statement on the strengthening of controls that has 7 been a result of this process. 8 Because when I look at the number of identified 9 weaknesses, deficiencies, and how many of them have been 10 remedied before year-end and absolutely every one that is 11 identified and remains unremedied is going to be fixed, I see 12 that as being a huge positive. 13 MR. BAILEY: Mr. Ueltschy. 14 MR. UELTSCHY: Yes, I would, and I think that Jim's 15 interpretation of the data is pretty accurate. I would also, 16 though, like to compare his comments to Mr. Davern's, and 17 point out that there are some significant differences between 18 the data coming out of these larger companies, and the middle 19 market companies that were largely represented based on the 20 statistics that Mr. Davern described. 21 The companies he's talking about are mostly the 22 companies that could take advantage of the exemptive order 23 that the Commission permitted. It's important to note that 24 we're having this conference before that deadline has passed. 25 I think we will probably see some increases in the 1 percentages of material weaknesses reported as a percentage 2 of total filings when those companies hit. Our firm largely 3 deals with those middle market companies, and I think what we 4 have seen from this whole question of scoping and materiality 5 and duplication of effort, is that that's not the real 6 question from a resource standpoint. 7 But the real question for those companies from a 8 resource standpoint is the issue raised in Panel 1 about mind 9 share and opportunity costs and understanding. Many of the 10 companies that could take advantage of the exemptive order, 11 with the market cap of under $700 million, simply only have a 12 handful of people capable of understanding the concepts in 13 AS-2, and in the COSO framework. 14 Those people are under enormous time pressure, 15 because of the tightness of deadlines, and they often do not 16 fully understand the implications of the entire process until 17 later in the year. So the cost issues associated with many 18 of the companies that would probably be in Mr. Davern's 19 survey had to do with project management issues, 20 understanding the framework issues. 21 Many of them did not get their work completed 22 until, you know, until near year-end. Auditors certainly 23 couldn't rely on their work, because their work wasn't 24 completed timely. Those are the many different challenges in 25 that arena than with the large company arena. The 1 inefficiencies are orders of magnitude because of project 2 planning issues. 3 I think that's an important distinction, and while 4 it doesn't represent the majority of market cap in the 5 country, it's the vast majority of companies are going to be 6 faced with those particular concerns. 7 MR. NICOLAISEN: And I think we're going to look 8 for the Small Business Advisory Committee to help us out with 9 some thoughts on that. 10 MR. BAILEY: I'll come back to the panelists. 11 Commissioner Glassman? 12 COMMISSIONER GLASSMAN: Thank you. This is a 13 variation of the question I asked the earlier panel. Of 14 the -- and this is really to Jim Turley and I guess any of 15 the management types. 16 How many, if any, of the 350 average deficiencies 17 were ones that management really wouldn't have thought were 18 important from the risk perspective, but were raised because 19 of the auditor focus? 20 MR. TURLEY: Well, I think that without question 21 the auditor focus and the management focus for many companies 22 united reasonably earlier. Not without great tension, as has 23 been talked about before, but united early on sort of a 24 framework view on how to look at things. 25 Clearly, some of the matters that were, you know, 1 common everyday control deficiencies, no one really got into 2 a fight over, because they were nothing that would ever have 3 been, you know, reported. There are things that the company 4 and the auditor felt ought to be strengthened. So it didn't 5 become a source of tension. 6 Where the tension actually came at the back end, 7 after tension at the front end, then the tension came at the 8 back end on assessing whether or not for the remaining 9 unremediated control deficiencies, they were significant 10 deficiencies or material weaknesses. 11 That's where we get into the great discussions. As 12 the last panel talked about, sometimes it got fairly heated. 13 So that's where it really came. 14 MR. BAILEY: I'm going to go to Mr. Silvers and 15 then to board member McDonough or Chairman McDonough. 16 MR. SILVERS: I was hoping to respond from the 17 investor perspective to the comments of the folks from the 18 American Electronics Association, because I think it's 19 important in this discussion that the common ground exists 20 among the various parties at the table, that those pieces of 21 common ground be identified. 22 It's not, I don't believe, in the interest of 23 investors to have a sort of one-size-fits-all or checklist 24 approach to the structuring, the planning of 404's 25 implementation or its execution. 1 To the extent that smaller enterprises are 2 identifying this as a fact of this first round, that's 3 something that needs to be remediated. I believe that just 4 as the gentleman from the Electronics Association indicated, 5 the appropriate way for that to be remediated is through 6 dialogue between the PCAOB and the audit firms. 7 Investors, I believe, are very supportive of the 8 general tone and direction that the PCAOB has indicated 9 they're going to take in that regard. 10 Secondly, there is, I believe, a significant 11 investor concerns about the lack of competition in the audit 12 market. However, there's an ambiguity to this. To the 13 extent that that lack of competition essentially means that 14 it's possible for auditors to extort high prices for their 15 services from issuers, that's a problem for investors. 16 On the other hand, if what the climate of real 17 competition is really about is about the desire to be able to 18 find a soft-hearted or soft-minded auditor. That's -- we're 19 not really interested in that. It's a little hard to sort 20 out which is which. 21 Finally, with respect to IT controls, I believe 22 it's correct that there has been perhaps some overemphasis in 23 the area of IT controls. However, I'm skeptical about the 24 claim that IT controls are irrelevant to things that have 25 gone wrong in corporate America in the last few years. 1 Unless I'm mistaken, most of the ledgers that are 2 kept in contemporary corporations are no longer kept in big 3 binders. They're kept on computers. 4 I'm not an expert in IT controls, but it strikes me 5 that the ability of somebody to alter an asset to a liability 6 or the sort of thing that occurred at WorldCom, where large 7 numbers moved from one column to the next did not occur with 8 a pencil. Thus, it seems to me that some expenditure on IT 9 controls is probably a good thing. 10 And finally, I believe that the general notion, and 11 I think that Mr. Ueltschy -- I hope I've not mispronounced 12 your name -- the general notion that there's a strain on 13 smaller companies, smaller companies' staffing in relation to 14 the initial round of compliance with 404 seems to me a 15 plausible statement. 16 The response by the Commission and the board in 17 giving more time is the appropriate response. What the 18 investor community is very concerned about is the implication 19 that anywhere at any point that ultimately somehow smaller 20 companies do not have adequate controls. 21 Our view is is that smaller companies need to have 22 adequate, audited controls if they wish to access the public 23 markets, and that no individual, certainly no union member 24 should ever get -- should ever be asked to invest in a stock 25 of a company which does not have audited and adequate 1 internal controls. 2 There's a part of the capital markets with highly 3 expert people who are willing to take those risks, and that's 4 where those companies should go. 5 MR. BAILEY: Chairman McDonough. 6 MR. MCDONOUGH: Thank you very much. The people at 7 the Public Company Accounting Oversight Board spent an 8 immense amount of time reaching out around the country to 9 find out what we think is really going on. 10 We've had, for example, six meetings in various 11 places around the country, where we spent a day with always 12 two members of our five-person board present, talking with 13 small and medium-sized audit firms, and then the next day we 14 spend half a day with the -- typically the chairperson of the 15 audit committee of small issuers. This was an idea, by the 16 way, inspired by my distinguished colleague, Kayley Gillan. 17 One of the things that I think has become clear 18 from those meetings, but especially dramatically from the 19 pleasure I had in spending an hour with Alex Davern's AEA 20 group, the fact that Alex has that wonderful soft language of 21 County Tipperary in Ireland. I should tell you he was 22 playing nice guy today in his presentation, compared with the 23 vitriol which he shared with me on that occasion. 24 (Laughter.) 25 MR. SILVERS: I've developed a working hypothesis, 1 which I think is going to be quite a challenge to the people 2 from the accounting profession, and especially from the large 3 firms, because some of these small companies use very large 4 audit firms, very large accounting firms for their auditors, 5 largely because their lenders and the rating agencies think 6 that's a good idea. 7 Now the opposite extreme is a company, which I 8 won't identify, but a very large, very sophisticated company, 9 that has Jim Turley's firm as its auditor. They have a 10 splendid dialogue between the audit company, the auditor and 11 the firm, and at the end of the day, a very good result in 12 the infernal control review attestation, and the increase 13 from one year to the next in the audit fee was 28 percent. 14 You'll total for that in a minute, right Alex? 15 I think what's happening is that for the small 16 companies, especially in the technology area, where they're 17 in a very sophisticated business, they may need a very 18 sophisticated audit partner to be running the engagement. 19 The nature of the big audit firms is it's very 20 difficult for them to have a very sophisticated, highly 21 experienced audit partner as the engagement partner. Now 22 either we're going to have to have some change over time, by 23 which smaller firms have different auditors, or the -- which 24 I think -- but I think a better solution would be. 25 But however great a challenge it is, that the 1 larger audit firm, certainly the top eight, figure out how do 2 you get truly experienced people on these accounts where they 3 are desperately needed. Thank you. 4 I wanted to take the opportunity of Chairman 5 McDonough's comments with respect to relying on others to 6 kind of pose a question for Frank Brod, if you don't mind, 7 and that is in all of this, we are dealing with planning, 8 costs of documentation and testing. 9 There has been a lot of discussion about relying on 10 the work of others, relying on the internal auditor, relying 11 on the auditor, the external auditor. 12 I wonder if you could comment on that in terms of 13 how this has played out at your firm? 14 MR. BROD: First of all, planning and design does 15 drive costs. There is no question about it, and the level of 16 testing that goes on is really the biggest concern that we 17 have. 18 Just to correct a comment that my colleague from 19 Ernst & Young said, because we proposed to our auditor an 80 20 percent coverage ratio of all our assets, liabilities, income 21 and expense accounts. We wound up using 98 percent. It was 22 a full coverage of that. 23 And Cynthia, to your question on deficiencies, our 24 company had a comparable number to the averages. I think 25 they were a little over 300, but 290 of those were known 1 before we ever started the evaluations, so there was very 2 little new found. 3 We had to evaluate that because of compensating 4 controls and risks, but there was not a cost benefit to 5 correcting those except in the Sarbanes-Oxley 404 requirement 6 schemes. 7 The extent of internal audit testing and all is a 8 very interesting topic because we in our company have a very 9 independent and competent internal audit function. In fact, 10 you heard from two of our audit committee members on the two 11 previous panels. 12 That group we use to do the predominant testing. 13 Our approach was to have control objectives set up, to set up 14 a self assessment process, to have our internal audit group 15 test those self assessments, and then have the external 16 auditor go through and do the work they wanted. 17 There was very little work that was relied upon by 18 the auditor of the internal audit work or even management's 19 work in that regard. 20 It was a little bit disappointing. In fact, we 21 operate with four global service centers that handle all of 22 our financial recordings and reporting. The one in Singapore 23 had 11 consecutive weeks of audit testing going on, all 24 within one quarter. 25 I did get a phone call from our service center 1 leader who indicated he was a little concerned as to the 2 accuracy of his quarterly results maybe because his folks did 3 not have the attention on the work. 4 I think it's a bit of a crime if the scope of the 5 testing itself can create a potential deficiency. 6 (Laughter.) 7 MR. BROD: We are very supportive at Dow and at FEI 8 of the 404 standard. We think it has benefits, but between 9 the risk aversion added that the auditors have taken, whether 10 it be from reading the words to mitigating their own 11 litigation risks or perhaps in a revenue enhancing way of 12 doing more testing. 13 The other side is that there has to be a balance to 14 the benefits that shareholders are going to gain from this. 15 We have raised confidence. I'm not so sure that investors 16 raising confidence is fully justified because there isn't a 17 good view, I don't believe, that all this testing is going to 18 eliminate fraud, where people act collusively in certain 19 controls. It still has the potential to exist. 20 I think as we re-shape or re-look at how we can 21 fine tune the standard going forward, we need to look at 22 those areas, maybe not get the external auditor so involved 23 in the very detailed testing of a mundane transaction. 24 That is a very good area where the internal audit 25 group could be relied upon, and let them put their attention 1 where fraud actions start, which are in the minds of some 2 executives even in structuring transactions or 3 mischaracterizing transactions that are taking place. 4 As you look at the types of things that have been 5 uncovered, that seems to be more the area where it is. I 6 think there was only one instance where transactions were 7 going through the system below the materiality screen. 8 Materiality is the other point I think you need to 9 look at and address as you go through these. Those words in 10 a standard about more than inconsequential. In the words of 11 our auditor, that is an extremely low standard. 12 Is that really where we want to be for a 13 significant deficiency, because it does drive a very deep 14 level of testing. 15 My audit committee, our management, would not 16 accept anything but a clean opinion. We will do whatever it 17 takes in order to assure that. We did as we went through 18 that process. 19 We do need to make sure, especially with the other 20 words in AS-2 which says that each year must stand on its 21 own, how that is interpreted, the fact that auditors cannot 22 rely upon communicative knowledge of the fact that they would 23 presumably have to re-test everything again, it is really an 24 issue. 25 The internal audits have tested IT controls very 1 well in the past. It's an area where they can be relied 2 upon, as the way the standard is written today. 3 If you have systems that haven't changed, if you 4 have no change of processes around that, it's hard for me to 5 believe the same level of testing is required in year two 6 that would have been in year one. 7 With each year having to stand on its own, the 8 audit standard clearly says that the audit cannot reach back 9 and use that judgment going forward. That's an area that I 10 think you will have to consider to modify. 11 MR. BAILEY: Frank, you commented on the more than 12 inconsequential, but you did not comment on the more than 13 remote, and both probability and materiality. 14 Do you have any difficulty with the more than 15 remote? 16 MR. BROD: That is risk based. You have to look at 17 what is the subsequent outcome of that, the auditor 18 compensating controls and make it less risky or not. You not 19 only have to look at gross risk, but you have to look at net 20 risk once all the other things that go on, the control 21 things, are taken into consideration. 22 Those standards are extremely low. We have an 23 entire project management system dealing with deficiencies. 24 In fact, it was so good in dealing with deficiencies, we 25 added all our operational audit issues to it, too. We are 1 using it for tracking. 2 Those levels are very, very small and we really 3 need to concentrate the auditors' attention, even 4 management's attention, on those things that will really make 5 a difference. I think the levels are way too low today. 6 MR. BAILEY: Ms. Flavin, thank you for patience. 7 MS. FLAVIN: I just wanted to make two comments, I 8 guess. One deals with who is really driving management's 9 assessment process, and the other one on duplication of 10 effort. 11 We have certainly seen benefits to 404. They are 12 real and they are present, but the cost and the 13 implementation at a certain point did exceed the benefits, 14 and not in terms of direct dollars, but for us in terms of 15 duplication of testing in low risk areas, and the 16 conservative interpretations of the standard that meant 17 additional testing and scoping. 18 A perfect example that I can give you in that 19 regard for us was the fact that we as management really have 20 virtually no professional judgment in this whole thing, 21 because the firms are driving the interpretation, and they 22 are the source that we look to. 23 When we first identified a threshold for 24 significant accounts, we used the threshold of five percent. 25 Our external auditor came in and said you know, no, we think 1 it's 3.75 percent. We, wanting to test as much if not more 2 than them, dropped it to 3.5 percent. 3 We picked up nine no risk accounts as being 4 significant and added 15,000 hours of effort, all to raise 5 our consolidated coverage of assets from 96.1 percent to 96.9 6 percent, and raised our coverage of liabilities from 91 7 percent to 94 percent. 8 That additional effort and that conservative 9 interpretation does very little to add to the assurance that 10 we can provide to our stockholders. 11 I think this is where we need to reign things in, 12 when we look at these conservative interpretations. Somebody 13 needs to monitor the guidance, and we need additional 14 guidance to make sure we are limiting this duplication of 15 effort. 16 I'll give you some examples of where we would like 17 to see more guidance from the PCAOB. 18 In terms of coverage, the concept of covering a 19 large portion of the company, again, as management, we 20 conducted a risk assessment to determine that. We looked at 21 factors such as size, results of last audit, complex 22 accounting issues, management turnover, system changes, and 23 we came up with a coverage level of 60 percent of the 24 consolidated sales of the company. 25 Our external auditor came in and said no, we think 1 it needs to be 70 percent. As a result, we went totally to 2 the coverage based approach because we were a decentralized 3 company with 620 operations around the world, the large 4 majority of those of which are individually insignificant. 5 That meant that we added 40 locations and another 6 12,000 hours of additional time in documentation and testing. 7 I think the PCAOB can be helpful if they can 8 encourage a risk based approach to coverage. 9 In addition, the concept of testing all relevant 10 assertions over all significant accounts every year also 11 needs to be looked at. Again, I don't think we should ignore 12 the knowledge that we have of our companies, the knowledge 13 that we have of our control environment, and make sure we 14 focus on the high risk areas, not just spending an inordinate 15 amount of time on the low risk areas. 16 I also think another way we can eliminate this 17 duplication of effort is subtesting of internal audit work by 18 the external auditor is allowed to constitute primary 19 evidence, so we don't have this redundancy in the low risk 20 areas. 21 MR. BAILEY: Lisa, what is clear to me is you have 22 a lot of good points. 23 MS. FLAVIN: I have one more. Can I make that? 24 (Laughter.) 25 MS. FLAVIN: One more very important point is 1 flexibility in the roll forward procedures. Right now, the 2 way the standard is written, if you are going to get any 3 efficiencies, you need to do all your testing in the fourth 4 quarter, which is really contrary to the concept that 5 controls are a continuous process. 6 We test at Emerson, right now we are doing the 7 majority of our testing in the second quarter, and external 8 auditors going back into the same locations testing the same 9 controls in the third quarter, and we are both going back in 10 the fourth quarter to roll forward all that testing. 11 It's just very disruptive to our organization. If 12 we could use the risk based approach to determine those roll 13 forward procedures, it would be much more effective. 14 MR. BAILEY: Jay Haberland, I appreciate your 15 patience as well, and then we will go to Commissioner Atkins. 16 MR. HABERLAND: Just a couple of quick comments. A 17 lot of these sessions are going to be somewhat repetitive as 18 themes become fairly common. 19 Chairman McDonough has said a number of times and I 20 agree with him 100 percent, that he endorses the use of 21 judgment and believes the standard allows judgment. I agree 22 with him. 23 However, the way it has been interpreted by the 24 four firms, and I stress "interpreted," and I'm told by each 25 of the firms interpreted in close concert with the PCAOB, it 1 doesn't allow for the use of a lot of judgment. It's very 2 prescriptive. 3 Benchmarking with colleagues across the country, 4 the cover ratios are 60 to 70 percent of the balance sheet, 5 50 percent of all major account line items and it is lock 6 stepped across the businesses. 7 Similar business to Lisa with similar operating 8 entities, it forced us with numbers of cover well beyond what 9 we had anticipated. Similarly, we also scrapped for the 10 first year our risk based model because it kind of looked 11 silly in terms of the coverage we were getting. 12 I guess what I would ask, it's very difficult to 13 say to people we want you to use more judgment, we encourage 14 that. I think the proof is going to be in the inspection 15 process, and I think as we look at the firms' workpapers, I 16 would encourage them to look at that heavily in terms of how 17 things are done. 18 I think if that happens, I think we can drive down 19 costs considerably on this. 20 MR. BAILEY: Commissioner Atkins? 21 COMMISSIONER ATKINS: I just want to be very quick 22 and follow up on that, to maybe focus on what exactly is the 23 question with Standard Two. The heart and soul of the COSO 24 framework is a risk based approach. 25 What we have heard all morning actually has been 1 shocking to me, that the accounting firms have been driving 2 you towards more of a granular approach, and so I guess the 3 problem is in looking at Standard Two again last night, all 4 150 some pages of it, it is fairly granular already. 5 They invite professional judgment, but I was just 6 focusing on, for example, paragraph 16, which talks about 7 inherent limitations in these internal control reports, and 8 basically at the end invites, and I guess that is what you 9 are focusing on when you are talking about what is going to 10 happen in the examination process. 11 If the examiners are going to go in and second 12 guess the determinations that are made, it seems like that is 13 driving what the auditors are doing. 14 I was wondering if you all had anything to say 15 about that. I think that is probably the problem. 16 MR. HABERLAND: Internal control assumes the 17 assumption of risk. I think whenever you do that, whenever 18 you exercise judgment, two people can have perfectly correct 19 but very different perspectives on how you accomplish 20 something. 21 Again, I think the firms right now are reacting to 22 the fact that they are going to be in effect audited for the 23 first time. If everybody gets together, if it is a very 24 prescriptive approach, we did what we were supposed to do. 25 Again, I don't know exactly how you say to people 1 you use judgment, because it's just difficult. Some people 2 will. Some people won't. 3 I think it is also going to be an effort for the 4 inspectors to exercise discretion and professional judgment 5 as they review the work of the auditors. 6 MR. NICOLAISEN: I think we are going to have to 7 close it out. We are extremely appreciative of everybody's 8 comments, and I really would like to say one more thing. 9 My rule is whatever you say in one breath, when you 10 have to take a breath, you're done. 11 (Laughter.) 12 MR. NICOLAISEN: Anybody who would care to, you 13 have an opportunity to do that right now. Alex? 14 MR. DAVERN: I would just like to make one 15 response, that decontrols related to the movement of 16 accounts -- this is a big breath -- I think you should focus 17 on a decision by someone to do something illegal, not IT 18 control. I hope that people will really focus on the reality 19 of the lack of benefit of a lot of this focus on IT controls. 20 Thank you. 21 MR. BAILEY: Albert? 22 MR. TEPLIN: I want to just return quickly for one 23 breath to the $12 million, we don't find a lot of 24 deficiencies, I would really wonder. Internal controls were 25 there before, we were finding deficiencies on inspections 1 before 404. 2 I don't think that those small deficiencies that 3 were there or those deficiencies that were there should be 4 used as a judgment that this is a good thing. It's the 5 material problems that matter. Those are the ones you should 6 focus on. 7 MR. BAILEY: Damon? 8 MR. SILVERS: It's been suggested that perhaps the 9 concept of a genuinely independent audit and the concepts of 10 timing with words like "annual" in the statute ought to be 11 revisited. 12 It has also been suggested perhaps that there is 13 something wrong with the notion of the reviews of the firms, 14 which I think are actually the solution to this problem 15 rather than the cause. 16 All three of those concepts are extremely dangerous 17 to investors and to our economy. 18 MR. BAILEY: James, final word. 19 MR. TURLEY: I think it's clear from the comments 20 up here that the term "soft hearted auditors" is an oxymoron. 21 (Laughter.) 22 MR. TURLEY: At some level because the stories up 23 here, they are not clients of ours, but we do take it 24 personally. This profession, the biggest eight firms, worked 25 very closely together at the outset, trying to work with 1 PCAOB to understand what was probably the biggest most 2 fundamental change in many, many years, and we have tried our 3 best to diligently implement the complex rule. 4 We, like everyone here, look forward to the 5 process, look forward to the inspections, and look forward to 6 trying to get this in a way that is maximizing the benefits 7 and minimizing the costs. 8 MR. BAILEY: Chairman McDonough, deep breath. 9 (Laughter.) 10 CHAIRMAN McDONOUGH: Our inspection process is 11 meant to be even handed. We certainly have developed a great 12 deal of excessive comments, from me especially, that it isn't 13 one size fits all. 14 When we do an inspection and look at the workpapers 15 of individual audit engagements, it is at least as likely 16 that we can come to the conclusion that the work done was 17 excessive then it was inadequate. 18 Is it likely that we will throw somebody in jail 19 because we think they over did it? Probably not. Is it 20 likely with our tough love approach to our responsibilities 21 that we would have a very direct and perhaps severe 22 discussion with the top management of the firm? You bet. 23 MR. BAILEY: Thanks. On that note, we will close 24 and at 1:45, we will reconvene. 25 (Whereupon, at 12:50 p.m., a luncheon recess was taken.) 1 A F T E R N O O N S E S S I O N 2 PANEL FOUR - DOCUMENTATION AND TESTING 3 MR. NICOLAISEN: This is panel number four of a six 4 panel series. We have passed the halfway mark, and we are in 5 the home stretch. 6 This afternoon, I think we are going to have an 7 awful lot of interesting dialogue. What we are looking for 8 is increasing granularity to a point, and at the end of the 9 day, we are going to try to summarize what we have actually 10 heard. 11 As we said earlier this morning, we are going to 12 ask the panelists to reframe from reading any prepared 13 speeches. We have a limited amount of time and a maximum 14 number of people. It's just helpful if we would all do our 15 best to make the point and then move on and let somebody else 16 comment. 17 It is appropriate to follow up with a response if 18 you have a comment responding to what somebody else has said. 19 That's great. I would not just repeat what somebody else has 20 said, even if you agree with them. You can kind of nod your 21 head and we will get the message that you do agree with them. 22 Let's keep our responses concise. If you have a 23 question, and this also applies to the Commissioners and 24 Board members, if you have a question or you want to comment, 25 please lift your little name tag up and turn it on its side, 1 and we will as appropriately and as quickly as we can, 2 recognize you. 3 Let me introduce who we have here. This is being 4 Webcast. I think in some places, it is sound only. For the 5 benefit particularly of those people, as you speak, if we 6 don't do a good job of introducing you, it might be helpful 7 just to identify who you are. 8 To my left, we have the Board of the PCAOB, all of 9 whom have been duly acknowledged earlier this morning. On my 10 right, the Commissioners of the SEC. 11 Our panelists this afternoon include, and I'm going 12 to read from left to right, Kimberly Parker Gavaletz. She is 13 vice president, head of Corporate Internal Audit, Lockheed 14 Martin Corporation. 15 Sitting next to her is Susan Gordon. Susan is 16 senior vice president and chief accounting officer at Viacom. 17 I know from past experience, one of the most enthusiastic 18 people I've ever met about Section 404. 19 (Laughter.) 20 MR. NICOLAISEN: Next to her is Keith Holmberg. He 21 is vice president of Financial Control Processes at British 22 Petroleum. He's probably responsible for the price of our 23 gasoline. 24 (Laughter.) 25 MR. NICOLAISEN: Jay Howell. Welcome, Keith. Jay 1 Howell, who is associate director of assurance northwest 2 region, BDO Seidman. 3 Lee Level, corporate vice president and chief 4 financial officer, Computer Sciences Corporation. I think, 5 Lee, you set the record in giving us three responses that we 6 posted to our website, and we appreciate each and every one 7 of those. 8 Peter Minan, who is a partner with KPMG. Chuck 9 Noski, who is with Microsoft. He chairs the audit committee. 10 Shelley Stein is chief operating officer of Grant Thornton. 11 Welcome to all. We look for a lively discussion. 12 Chuck, I am going to start with you. I know Microsoft has 13 not yet finished their process, if I'm correct. 14 MR. NOSKI: That's correct. June 30th year end. 15 MR. NICOLAISEN: You are working hard towards that. 16 The way I would kind of like to start this session is to give 17 you an opportunity to say what you think is working and what 18 isn't. Of course, you have to do that concisely. All of 19 these other people probably have some advice for you. We 20 would really welcome that advice from various perspectives. 21 If you would care to get us started, Chuck. 22 MR. NOSKI: Sure. Thank you, Don. 23 I think probably the thing we want to focus on in 24 this topic of documentation and testing, which is where an 25 awful lot of the work has occurred and where much of the 1 concern that was expressed this morning, really starts with 2 the scoping, which was, as I recall, the topic of the last 3 committee. I'll try not to spend much time on that. 4 I think scoping out what is in scope and what is 5 not in scope in determining how you are going to document and 6 test the internal control system for financial reporting is 7 kind of key. 8 Once you have done that, the experience so far that 9 I have seen in the companies I'm associated with is about 10 two-thirds in the implementation effort, the actual total 11 effort, is associated with documentation and testing. I 12 think that is where you get a lot of the energy. 13 For example, one Fortune 100 company that I'm 14 familiar with is not Microsoft. They identified some 1,500 15 processes and subprocesses, over 60 IT systems were 16 identified and documented. Within those 1,500 processes and 17 subprocesses, they identified 9,000 key controls that were 18 identified and tested, and about half of those were IT 19 controls and half of those were financial and operationally 20 oriented controls. 21 MR. NICOLAISEN: Does that strike you as an 22 oxymoron, 9,000 key controls? 23 MR. NOSKI: Knowing the company, no, but 9,000 is a 24 big number. You start to imagine the amount of documentation 25 and the amount of testing, and the number of people that got 1 to test, as management and internal audit tested and then the 2 outside auditors made selections from those 9,000 key 3 controls. A lot of work there. 4 The work was probably impacted to a degree. It was 5 a 12/31 year end company, so it was impacted to a degree by 6 the timing of the AS-2 issuance, so there was a bit of 7 re-work there. 8 I would also point out that in the testing phase, 9 the company used their internal audit staff and devoted some 10 90,000 hours to the testing element, as well as kind of 11 remediating a bit of the documentation that they found was 12 not completely effective. 13 That's a pretty significant effort, and I would say 14 largely in line with the statistics that were discussed this 15 morning in terms of number of deficiencies found and the 16 costs and the like that were determined. 17 Maybe a couple of take aways, and then I'll turn it 18 back to you. I think from this year one experience, I think 19 understanding whether we can move to more of a risk based 20 approach, which was touched on this morning, for 21 documentation and testing is really key. 22 It's not clear to me we really need to test every 23 key control every year for the full year, and how much 24 testing do you need to be done by which constituencies, 25 management, internal audit, external audit. 1 More significantly, and maybe I can raise up the 2 dialogue just a little bit, I think considering refocusing on 3 the process, particularly in the testing area, with respect 4 to key controls like management override of judgments, 5 selection of alternative accounting principles, key estimates 6 and judgments that management will make, non-routine 7 transactions, we haven't talked about that much today, but as 8 an audit committee member and as the chair of Microsoft's 9 audit committee, I'm obviously very interested and concerned 10 about controls. 11 There is a lot of good reasons, good business 12 reasons why companies want to have good internal controls, 13 but from the perspective of the audit committee, I'm also 14 interested in the quality of the financial information and 15 disclosures that are presented to investors. 16 That is one of the reasons why we are going through 17 this gigantic exercise, to convince investors that they are 18 getting a high quality of information, good judgments are 19 being made, best estimates by management, transparency and 20 the like. 21 That would really suggest that we may want to spend 22 more time in the testing and examination in the future on 23 those kinds of controls which can really move the numbers 24 probably more so than whether the payroll system is operating 25 effectively in 70 different countries, whether the accounts 1 payable systems are being done. 2 In what I've seen to date, about two-thirds of the 3 documentation and testing effort has been dedicated to 4 transaction based activities, not to these key judgments of 5 management tone at the top. 6 Some of the things that we have seen, just by 7 reading the newspaper, appear to be the areas that have 8 really driven financial accounting and reporting fraud. 9 MR. BAILEY: Excellent. Does anybody care to 10 follow up on that? Lee, you were shaking your head. 11 MR. LEVEL: I agree with most of what Chuck said. 12 MR. BAILEY: Don't say any more. That's our rule. 13 (Laughter.) 14 MR. LEVEL: I'll have my chance. 15 MR. NICOLAISEN: Let me ask you, in earlier panels, 16 I also would have liked to have asked this and didn't get a 17 chance, and it may not be fully appropriate here, but let me 18 try any how. 19 One of the things that we have heard is that the 20 level of work that is being done by the external auditor is 21 pretty well dictated by the external auditor, and is at a 22 level of granularity that is pretty detailed. 23 We have heard a lot about quality internal audit 24 functions, what is the value that the internal audit function 25 brings. 1 If a company say the size of Microsoft had ten 2 internal auditors or 500 internal auditors, would it make a 3 difference in the work that is likely to be done by the 4 external audit firm? 5 Shelley, maybe you would want to take a crack at 6 that. 7 MS. STEIN: What panel number are we on now? 8 (Laughter.) 9 MR. BAILEY: Everything is fair game today. It's 10 in the documentation. 11 MS. STEIN: Absolutely. I think one of the 12 significant issues is the things that we have been talking 13 about, AS-2, the guidance that is there, all relates to what 14 the auditors need to go do. If you go back to one of the 15 panels this morning, specifically one of the participants 16 said we went through and we did our risk based assessment in 17 terms of what we needed to test and what our documentation 18 needed to be, and then the auditors came in and applied AS-2, 19 and we had to throw out what we were doing. 20 I think it would be really helpful if the 21 Commission could provide some guidance to the companies in 22 terms of what their expectations were in that area, and I 23 think it would make a huge difference. 24 MR. NICOLAISEN: One of the things -- I do hear 25 that quite a bit. I'm half serious and half joking here, but 1 in part, what I hear is that the management side -- the 2 auditors have AS-2, so they describe what they are doing and 3 why they do it, and management says, well, do you really have 4 to do that, and they hold up AS-2 and they say yes, we are 5 required to do this. 6 Whether that is totally true or not, I think is a 7 subject of discussion. 8 What I hear from management sometimes is a desire 9 to have SEC guidance and hold it up against the auditors' 10 guidance and say look, we don't have to do that. 11 I have always suggested to people, to registrants 12 in particular, be careful what you ask for because if you ask 13 for guidance from us, it's not going to be targeted to a $100 14 million market cap company. It is going to be targeted to 15 the Microsoft's of the world. 16 Unfortunately, unless we have some real 17 breakthroughs here with our small business advisory group, 18 which we are hopeful of, it will likely be reasonably 19 comprehensive guidance. 20 Is that what you are talking about or is there some 21 other level? Is it a question of what is material or how do 22 you define "materiality," just what is it you are really 23 looking for when you talk about guidance that the Commission 24 would provide? 25 MS. STEIN: May I follow on a little bit before you 1 turn it over to the companies? 2 MR. NICOLAISEN: Yes. 3 MS. STEIN: I think part of it, too, is just the 4 timing of when AS-2 came out, so therefore the companies were 5 taking their best shot at what they thought they needed to 6 do, and then they looked to AS-2 as a guide as well. 7 I think part of it shakes out just from the fact 8 that we are the first year going through. 9 I also think it's important that we do be able to 10 rely on the internal auditors. I think we have to use some 11 judgment and we need some guidance with respect to the 12 principles, but common sense has to enter into it as well. I 13 think part of what the firms and the companies are waiting 14 for is the PCAOB to go through and do their reviews so that 15 we can get some best practices out of that and be able to 16 apply it. 17 Clearly, it would help the efficiency and the 18 effectiveness of the audit, without a doubt, and it would 19 make it easier on management as well as the auditors, and I 20 think there is still a benefit to the stakeholders as well. 21 MR. NICOLAISEN: Kimberly? 22 MS. GAVALETZ: On your question about guidance, I 23 really think there probably are three tiers of individuals 24 involved here. I think the intent of all of Sarbanes-Oxley 25 and of the efforts there were to really make sure that the 1 integrity of financials that everyone utilizes were really of 2 the highest quality and you could count on those. 3 I think the first fundamental component is the 4 management ownership of everything. That management team, in 5 our group, they have done a control assessment across 6 everything, and they actually do those almost quarterly, so 7 they are on top of this throughout time, and they are not 8 only documenting, but they are testing on an ongoing basis. 9 It's not going to be just for last year. It's 10 ongoing and it was going on before that. 11 Then on top of that, internal audit comes on and 12 looks, how is that control assessment process really working. 13 Is it working, and doing some deeper dives in places, and 14 they are also going across and looking, is this working, is 15 it sufficient, is it covering the risk of the corporation not 16 only in the financial but in other areas as well. 17 Then you go up a tier to where the external 18 auditors are really checking that whole umbrella. They are 19 seeing did management really do in their assessment what you 20 expected them to do. 21 This last year, we were doing everything so in 22 parallel that I think it is remarkable what we have gotten 23 through. I think the state of internal controls across all 24 the corporations is raised. The awareness is hugely raised. 25 I think the panel that was before this is in the 1 key, the planning and the scoping. I don't think we stepped 2 back, and I think this is an excellent forum right here, 3 where we are starting to step back and look at that, because 4 the roles and the ownership of management keeping that 5 ongoing monitoring and control function and having an 6 internal audit shop that is able to look at that on an 7 ongoing basis and be part of the culture is very healthy. 8 I don't think we want to lose that. I think the 9 external auditors can actually get -- we have talked coverage 10 versus risk -- both. They can get both. If they look at 11 that whole landscape and what each group is doing and step 12 back, they can figure out where the risks are, how are things 13 being covered by the different contingents, and then going in 14 and doing the level of re-testing they need to do in areas, 15 or their own testing in other areas. 16 I think there is a bigger picture here that in the 17 planning side of this can actually even with less effort be 18 able to do even more and sustain that. 19 I'm afraid right now, unless we do something about 20 looking at prior year's work or doing something relative to 21 risk, we are still going to do a checklist sort of mentality 22 and not really learn, and really move this state of internal 23 controls, move the state of industry itself forward, unless 24 we keep that ownership there, you can't audit it in. 25 Being the head of audit, I know I can't audit it 1 in. When management owns it and takes it forward, that is 2 the best thing that can happen with the company, and we need 3 to be able to reinforce that. 4 Some guidance along that way. I don't know that it 5 is rules. I think examples, forums where management can talk 6 among themselves, maybe with the external auditors there, 7 maybe with some folks from the PCAOB that can help give their 8 insights into some of these debates that are probably 9 happening without the PCAOB in the room. They are happening 10 between the audit firms and their clients. 11 I think that would be helpful and for people to 12 view that. That would help us go forward and again, keep the 13 ownership where it belongs, keep the overall oversight and 14 management of the companies moving forward, and really 15 elevating and really making even stronger the role of the 16 internal auditors. 17 MR. NICOLAISEN: Talk to me a little bit about 18 documentation. There probably are at least some people in 19 this room who wouldn't be familiar with what you are actually 20 talking about when we say "documentation." 21 If I walked into the room of your documents, what 22 would I see? 23 MS. GAVALETZ: For us, it is going to be on an IT 24 system. We actually did take that step. Prior to 25 Sarbanes-Oxley, we did have documentation, but it was all in 1 people's files or on their shelves. 2 It was a camp notebook. Our accounting monitoring 3 process that we had at that time, you would go get the camp 4 notebook and you would see the processes, you would see the 5 testing that management did behind that. We as audit went 6 and looked at that and then went and sampled different 7 transactions and did some streams through there. 8 Today, we have put it into kind of a data warehouse 9 that has all of -- we are using Risk Navigator, and it has 10 all our processes contained within it. It has the process 11 owners listed with it. It also has the evidence of the 12 testing. You are able to go through that. 13 We invested in that because going forward, we knew 14 this wasn't an one time shot. We wanted to keep going 15 forward. 16 As internal audit, it was great for us because just 17 getting the matrix there together of knowing what were the 18 controls you were going to test and what were we looking at 19 was huge, because then we could at least test existence of 20 the documentation. 21 I think we went overboard, as someone said, is 22 9,000 controls too many. We have 6,000. There are too many. 23 We are going to be doing this year a lot more of looking at 24 those key controls, and not to ignore the others, but to 25 determine how are they being monitored on their own, but they 1 may not need the external auditors. They may not even need 2 internal audit. It may be something within the business 3 itself that looks at them, and then we will keep looking at 4 that, is that universe correct, and going from there. 5 MR. NICOLAISEN: Susan? 6 MS. GORDON: Hi. It's rare to address a crowd 7 without a video, being in the entertainment business. 8 (Laughter.) 9 MS. GORDON: Normally, I don't think Viacom people 10 ever show up without a video, but we will pass on the video. 11 Viacom was a very interesting adventure over the 12 last two and a half years. Being a media and entertainment 13 company, you brought together cable networks, television, 14 radio, outdoor entertainment, motion picture people to talk 15 about 404. Very interesting. 16 (Laughter.) 17 MS. GORDON: What we took, and I think it was one 18 of the wisest decisions we had from the beginning, was we 19 standardized documentation requirements. As many people are 20 asking for the Commission and the PCAOB to standardize what 21 you are looking for, we took the position at corporate that 22 we were going to standardize what documentation we needed. 23 We sent out to all, and there were 12 business 24 units throughout the world that we have looked at, 111 25 locations. We had many, many different types of businesses, 1 transaction cycles and everything that had to be addressed, 2 but we said we were going to use a flow chart that was 3 standard for everybody. 4 We were going to have risk and control matrices 5 similar to what you had, and we were going to house them in a 6 repository. We picked Open Pages. Probably too late in the 7 process, which was a big struggle kind of coming out at the 8 end with getting the software up to date. 9 Allowing us to have documentation housed in this 10 repository gave us an opportunity to have all the results and 11 be able to look at it without going out to each of the 12 locations. 13 The team at corporate was able to have access to 14 what was happening with test results, what was happening with 15 changes in key controls, if there were any. 16 The important part about it is if you look at test 17 results and having that housed in the system and documenting 18 the test results for both the auditors, internal auditors, 19 and management to look at, it gave us an opportunity in Open 20 Pages to kind of grade, and have a competition, which I think 21 helps with the media companies. It helps in my case. 22 You go to a sales department who never would have 23 been concerned about controls, but if you identify you have 24 an 86 percent pass rate on signing off on these sales orders, 25 all of a sudden, they are as competitive as anybody else. 1 You have operations people to buy in on this and say I'm 2 getting 100 percent next time. Does that mean extra credit? 3 Do I get a day off? 4 (Laughter.) 5 MS. GORDON: In many respects, it was key to kind 6 of making 404 successful, that it wasn't accountants talking 7 to accountants, but it was accountants talking to operations 8 and business owners that took responsibility that they were 9 going to be at the top of the class. 10 MR. NICOLAISEN: Really drove it into the business. 11 MS. GORDON: Drove it down to the lowest common 12 factor for all of accounting and sales reps to general sales 13 managers to television programmers. It really took off. 14 I think that was key to the success. You still 15 just ended up with a pass. We were talking at lunch. It 16 wasn't like summa cum laude. 17 (Laughter.) 18 MS. GORDON: It was well worth to have it and still 19 be able to continue to have it and manage it and know what is 20 going on. 21 MR. BAILEY: Absolutely. Did you have any trouble 22 getting a budget for this? 23 MS. GORDON: Yes. Once again, entertainment. I 24 saw some fellow entertainer convincing entertainment people 25 you are going to spend money. We went in with a zero budget, 1 maybe a couple of million here and there. We spent three 2 times more than we had anticipated, but well worth what we 3 spent. 4 I think we see some cut back in that going forward, 5 as well as it took us three times as long to do it. From 6 that standpoint -- right now, we are working with project 7 managers and internal audit. All of our testers are 8 internal. We do not use internal audit. We have identified 9 key independent testers within each of the operations that 10 goes in and looks at the tests. 11 From that standpoint, those costs will continue, 12 and it is just a drain on the time they have to spend on 13 other areas. 14 MR. BAILEY: The auditors in this room are 15 wondering what the controls were over the control process. I 16 think that is just inherent in the first time through in this 17 exercise. I would assume that tightens up. 18 MS. GORDON: I think as a company, we are better 19 off for it. There wasn't a time that we said we didn't come 20 out ahead on this. 21 MR. BAILEY: Your documentation, you are feeling 22 pretty good about? 23 MS. GORDON: Very good about the documentation. I 24 think we had the flow charts. We had the key controls. We 25 had the matrices in there. I'm able to look -- believe it or 1 not, you don't think you have the time. You are able to go 2 into a system and drill down to test results at every one of 3 the 111 locations and see if they actually passed themselves 4 correctly or I would have had a different decision on it. 5 MR. BAILEY: That's great. Peter Minan. 6 MR. MINAN: I wanted to respond to the question 7 asked a while ago. We are one of the audit firms that 8 actually recommends there be some additional guidance for 9 issuers. 10 You had asked what kind of guidance we are looking 11 for. First, I want to try to put it into perspective. From 12 my perspective as an external auditor, I believe AS-2 is 13 fundamentally sound. As an auditor, it provides the guidance 14 and flexibility I need to do my job, including testing and 15 documentation. 16 MR. BAILEY: You are not one of those guys that 17 holds that up in front of you? 18 MR. MINAN: Pardon me? 19 MR. BAILEY: You don't hold it out and say this is 20 what I have to do? 21 MR. MINAN: No, but as we all know -- 22 (Laughter.) 23 MR. BAILEY: Just checking. 24 MR. MINAN: The standard was new, the process was 25 new. It was evolving as we were going on. It was evolving 1 real time. 2 Obviously, we didn't have a lot of precedent and 3 historical experience by which we could make our judgments. 4 Frankly, that resulted in a steep learning curve, obviously, 5 for us and for issuers, but also impacted our judgments. 6 Frankly, going forward, I think there are some 7 judgments that are going to be made that are different than 8 were made in the past, particularly in an area such as the 9 reliance by the outside auditor on the use of work of others. 10 I think the guidance in AS-2 is adequate as it is 11 now and provides all the flexibility we as auditors need to 12 do that. 13 I think there were some judgments made in the first 14 year, a significant undertaking, that perhaps in some cases 15 didn't make that as extensive a practice as it otherwise 16 could be. 17 For issuers on the other hand, I think -- 18 MR. NICOLAISEN: Let me just follow up on that. 19 Does that expressly say the value of an internal audit 20 function is worthwhile and it can impact on -- 21 MR. MINAN: Absolutely. Not only does the standard 22 provide for that, but that's a well established practice 23 among auditors for years and years. 24 I think there are some practical applications that 25 we dealt with in the first year of operations that may have 1 led to some different courses, but that's a fundamental 2 concept I believe strongly in. 3 For issuers on the other hand, the process was just 4 as new, just as evolving, just as everything else. The 5 guidance was considerably more limited. COSO certainly 6 provided a good framework for internal controls, but frankly 7 didn't provide enough and wasn't intended to provide enough 8 details to the nature and extent of testing that would be 9 needed. 10 As a result, I think with the concurrence of their 11 auditors, maybe that is the right word, companies defaulted 12 to an AS-2 standard by which they would evaluate their own 13 assessment. 14 What kind of guidance is needed? I agreed with 15 what was said earlier. The guidance needs to be probably in 16 the form of case studies or examples more than anything else, 17 but it should cover a couple of key areas. 18 First, it should cover specifically the nature, 19 timing and extent of testing and documentation that is 20 sufficient for management to reach its assessment, not for 21 auditors, but for management. 22 It also should address to what extent a company's 23 ongoing control environment, risk assessment, monitoring 24 processes should be considered and how that affects the 25 testing. Again, it's to kind of take some of the judgment 1 out, but to allow maybe some case studies that would clarify 2 what would be acceptable. 3 Lastly, it should provide some guidance as to what 4 extent management's activities that are performed on a day to 5 day basis in the normal course of being management should be 6 considered to be "management testing." Even though that 7 testing doesn't necessarily bear the characteristics of what 8 I as an auditor would review as a traditional audit test. 9 MR. BAILEY: That is helpful. Lee? 10 MR. LEVEL: As you know, I'm not in the 11 entertainment business, but I am from Los Angeles. 12 (Laughter.) 13 MR. LEVEL: To set the stage briefly on a couple of 14 facts. Our company is a March 31 year end. We documented 15 1,500 process controls and another 3,500 IT general controls. 16 Because of the type of company we are, we can give you an 17 EAC, even though we are not quite done, we anticipate 18 incurring some 125,000 hours in our effort. 19 I want to flash back to a couple of points that 20 were made earlier, which is why I asked for the mike. 21 We really believe that additional guidance needs to 22 be in the form of emphasizing the points that Chuck made up 23 front around scoping. We ended up with a percentage of 24 coverage test, the risk assessment was removed from the 25 process early on, and it had a material impact on our effort. 1 We also find conservatism around documentation. We 2 find conservatism around the potential auditor workpaper 3 documentation. 4 To give you one small example, we reached an 5 agreement with our auditors that we will literally remediate 6 each and every deficiency, no matter what size, because we 7 were told they have a firm policy that they need to dispense 8 with in one form or another with every deficiency, no matter 9 what the scale. 10 As you indicated earlier, I guess before the mike 11 was turned on, actually, after the mike was turned on, we 12 have provided three letters. I won't bore you with the ten 13 suggestions we made. 14 We think they would have an impact on all of these 15 issues, and most importantly, they would allow us to achieve 16 the ends that we all want at a lower cost. Some of those, 17 I'm sure, will come up later. 18 MR. BAILEY: I was listening to the documentation 19 issue over here, and I like the use of the technology. You 20 said you benefitted. Did you benefit in any way other than 21 you understand your system better? Were there payoff's for 22 the company in terms of efficiencies, finding redundant 23 activities that you were able to get rid of, things of that 24 nature? 25 MS. GAVALETZ: Definitely, across all those areas. 1 For my company, we had been integrating companies for a long 2 time. This was a huge synergistic effort for us. All 3 companies have corporate, then there is the business areas 4 and business units. There is that nice healthy tension 5 across all of that, and how much corporate guidance did you 6 give. 7 This was a huge draw to synergy crossing. 8 Businesses wanting to understand. They wanted direction from 9 corporate. They wanted input from each other, and wanted to 10 share best practices. I think that just in culture alone and 11 in getting a consistent view of internal controls across a 12 corporation was enormous. 13 I think going forward, it will give us the platform 14 for more efficiencies going forward. They will want to hear, 15 okay, we have found a better way to do it across the whole 16 corporation, and be quicker adopters. It really has shown 17 the value bringing things together. 18 It has had many other tangential benefits for us. 19 MS. GORDON: I would agree with Kimberly. We are a 20 diverse company where we have had growth over the last few 21 years. We took this as an opportunity to kind of share what 22 we thought key controls should be, so that we were able to go 23 to perhaps maybe a smaller unit that didn't necessarily have 24 those key controls built in from day one and say this is best 25 practice here at this division, make sure we have it there. 1 It wasn't necessarily just an ability for us to 2 learn, but we really had some significant changes that we 3 were able to put in. Nothing to change anything from a 4 material problem to an immaterial problem, but that we were 5 able to say across the board this is how we think is best, 6 that we want all account receivables write off's to be 7 approved by the controller's office. That was standardized. 8 MR. NICOLAISEN: You both said you were involved 9 with large organizations that are emerging periodically. Do 10 any of you have active mergers going on at the moment? 11 MS. GAVALETZ: Active acquisitions. Actually, 12 that's very helpful. Some of them are international 13 acquisitions. It is also setting a common framework in 14 expectation, one, in the due diligence, really of the 15 companies that want to be acquired. 16 I was very thankful for the relaxation on the 17 guidance around that because it really was affecting how 18 companies did their business. We can't buy this now because 19 we can't integrate them in by the time we have to make our 20 center. 21 I think it is going to make more companies that are 22 on the market to be bought get more ready ahead of time. 23 That will actually build industry over time into a healthier 24 place, and it really is already happening. It has definitely 25 helped the due diligence process already, and it is going to 1 help with the integration. 2 I think the things we have already put in place, 3 there is a template for them to use. It is going to be 4 easier to integrate them in. 5 MR. NICOLAISEN: Suppose the two of you merged. 6 (Laughter.) 7 MS. GORDON: We're merging but we are also at the 8 same time considering breaking up. 9 MR. NICOLAISEN: If you merged, would you be 10 speaking a common language in your control processes and how 11 you would document them, or would you assume each other's are 12 acceptable? Would you assume you would move to one platform? 13 MS. GAVALETZ: We would probably move to one 14 platform before it's over. 15 MS. GORDON: We would move to one platform, I would 16 think, and which had the best strength. 17 MS. GAVALETZ: We looked at every one of them. 18 That is what this helped us with a lot. We already had a lot 19 of different platforms, different things. It really helps 20 things come together. We are not to be optimal yet, but we 21 made more progress in one year than we did in the nine years 22 before that. 23 MS. GORDON: Just to answer one further point on 24 that. On the documentation, what we have also benefitted 25 from, when you look at your question back about the number of 1 deficiencies, we are able to look at and drill down to those 2 deficiencies, and where those deficiencies are coming from in 3 the majority of cases, we were able to find out, it wasn't a 4 problem as much as it was a test design problem, or it was a 5 problem with there wasn't really a key control there that 6 should be there, or we shouldn't have that as a key control. 7 If you look at it, how many deficiencies, and we 8 all have hundreds and hundreds of issues and deficiencies we 9 have to look at, but if you have a personnel authorization 10 form that's been signed by the receptionist on up to the 11 senior vice president of human resources, but it was missing 12 a clerk's signature, that's a failure. 13 That's a deficiency that we go back and say let's 14 redefine what is the actual key control there. Is it 15 sufficient that you have five senior vice presidents signing 16 off on it. That allowed us the documentation to kind of get 17 that granular at times, which I think helped. 18 MR. BAILEY: Did you conclude in any of those -- 19 MS. GORDON: The receptionist was the most 20 important signature, no, in that particular case. Only 21 kidding. 22 MR. BAILEY: The more people that signed, the more 23 the last signer depends on everybody else up to that point. 24 MS. GORDON: Yes, but there is only one key, and 25 that is what we really had to hone in on, as opposed to 1 defining and documenting and testing a process. Everyone 2 will say they do 100 percent of what they do correctly. 3 MR. NICOLAISEN: In that effort, was there any 4 evidence that you were over controlled in some areas where 5 you had actually cut back? 6 MS. GORDON: I know we were over controlled, our 7 key control definition was way too many controls. I think 8 there were some inefficiencies that I think this year we are 9 going to be spending more time on getting some of those out 10 of the system. It highlighted it because you had to 11 understand the processes all across the company. 12 MR. NICOLAISEN: Jay? 13 MR. HOWELL: What I wanted to touch on, you picked 14 up on the M&A access, and I wanted to develop that a little 15 bit more. One of the challenges that BDO has observed with 16 our clients is clients that are going through rapid change 17 process and the difficulty of implementing, documenting and 18 testing controls where their business operations are changing 19 underneath them very quickly. 20 I know in the change process, there is often 21 additional risk, and I'd like to emphasize that I think the 22 404 process really does need to be risk based, and where 23 there are changes, risk should be focused -- work should be 24 focused on the risks resulting from those changes. 25 However, where a company is a discontinuing 1 operation or planning on discontinuing operations after year 2 end, but spending a lot of time documenting controls that 3 will exist at year end that are going away shortly, I don't 4 know if that really lends itself from a risk standpoint to 5 where work should be focused. 6 A lot of the problems that we encountered were with 7 regard to changes or events that were occurring from a 8 corporate life cycle. 9 One example is a company that in fourth quarter had 10 a strike in a major operation, and as a result, was unable to 11 test key controls in that operation. There wasn't a lot they 12 could do, management could do about that situation in the 13 time they were permitted. 14 MR. NICOLAISEN: I'd like to follow up on that a 15 little bit, not the strike, because that is an unique event. 16 You described continuous change in the control 17 systems as you go through. Is there an implication then of 18 some desire for continuous audit, something other than an one 19 time activity at the end of a year? 20 MR. HOWELL: I think management needs to be 21 continuously evaluating its controls. If controls have 22 changed materially quarter to quarter in its operations, 23 there is a requirement for disclosure there. 24 To continuously audit those changes, that is a good 25 question. 1 MR. NICOLAISEN: I was using it a little more 2 generically than continuous external audit. I had more in 3 mind a continuous activity within the organization that the 4 external auditor might be able to rely on to a large extent 5 if it was handled in the manner in which it was described 6 over here. 7 MR. HOWELL: I definitely support that. As I 8 indicated earlier, I think the change processes entities are 9 going through often do result in increased risk. 10 MR. NICOLAISEN: Peter, let me ask you a question. 11 You have visited a number of companies and tone at the top is 12 something that everyone has talked about so far this morning, 13 how important that is. 14 You walk into a company, can you get a sense of the 15 place by walking in as to whether the tone at the top is 16 right, or is there something you actually have to do? 17 MR. MINAN: It's probably more than just walking 18 in. You can often get a good feeling or bad feeling as the 19 case may be based on a few interactive meetings, and not just 20 meetings with the auditor and the client, but attending 21 meetings with the CEO, CFO, and his or her staff. 22 I think you can get a very good feel. A lot of 23 that doesn't lend itself necessarily to documentation and 24 testing that we as auditors are used to seeing or in fact 25 managements are used to doing in the context of reaching 1 their assessment. 2 I do think that there is some good feel or bad feel 3 you can get by doing something other than verifying 4 signatures occurring when you are talking about control 5 environment and particularly tone at the top. 6 I've seen that on clients. We do it all the time 7 when we go through the perspective client evaluation process. 8 We try to consider based on limited inquiries and limited 9 attention we have in a particular circumstance whether we can 10 kind of gauge that sense early on. 11 I think you are absolutely right. 12 MR. NICOLAISEN: Chuck? 13 MR. NOSKI: Don, let me give you an anecdote from a 14 board perspective on how you assess tone at the top. About 15 two years ago, I was invited to join the board of a Fortune 16 500 company and went out and visited with the CEO and some of 17 the senior management for the first time. I didn't know 18 these folks. 19 I sat with the CEO for an extended period of time. 20 I asked him to tell me about his control attitude and his 21 internal audit staff. He explained to me that they didn't 22 need an internal audit staff. Imagine being an audit 23 committee member of a company that doesn't have an internal 24 audit staff. You do your own risk assessment there. 25 He said we look to our senior managers and their 1 financial leaders to ensure we have good controls, and if 2 something goes wrong, we fire them. So, we don't need 3 internal audit. 4 I filed that away. He then invited his chief 5 financial officer in to visit with me. The meeting went long 6 enough and we drank enough coffee that the CEO had to finally 7 leave the room. I had the opportunity to visit with the CFO. 8 I asked him how do the board meetings go, what kind 9 of communication goes on there. I said I assume you start 10 out with a financial presentation. He says, no, only the CEO 11 makes presentations to the board. I said even the 12 presentation of monthly or quarterly operating results. He 13 said, yes, I've been here 17 years, I've never made a 14 presentation to the board. 15 I filed that away. At the conclusion of that 16 visit, I went back to the chairman of the nominating 17 committee and declined to join that board, and that 18 individual said gee, when I first joined the board, I had the 19 same concerns you did, but after a while, I got used to it. 20 (Laughter.) 21 MR. NOSKI: I thanked this individual for their 22 time and attention and didn't join the board. This is a well 23 respected Fortune 500 company. 24 MR. NICOLAISEN: Peter has his head down and he is 25 probably wondering is that his client. 1 (Laughter.) 2 MR. NOSKI: Peter, we will talk. 3 MR. MINAN: None of those conversations sound 4 familiar. 5 (Laughter.) 6 MR. LEVEL: I've only been at CSC 15 years, and I 7 do make financial presentations. 8 (Laughter.) 9 MR. LEVEL: And our board hears from many others. 10 This tone at the top thing is much broader than the 11 CEO and what not. It comes full circle back to the risk 12 assessment issue, and it comes full circle back to how much 13 documentation we need to do around 404. 14 If we have any impressions from our first year, it 15 is there has been too little effort committed to entity level 16 controls, governance practices, risk assessment and the like, 17 and much too much on process controls. 18 I want to reiterate what one of the panelists in 19 the last panel said. Exceedingly too much around IT 20 controls. Part of that is due to the whole thing being new. 21 Part of it is the fact that there are inadequate resources 22 around the world that have the expertise to do reviews of IT. 23 Our IT auditor gave me a fact last night, that 24 worldwide, there are 36,000 CICI's, because of the escalation 25 in wages, which I hope you will give us a chance to talk 1 about, there are 14,000 applicants to be certified right now 2 because of so much demand for those people. 3 We commented in our letter, and I won't deal with 4 it in detail, about the fact that the public accountants did 5 not take, at least in our experience, did not take a holistic 6 approach to the controls, IT controls. 7 As you know, we manage IT infrastructure and secure 8 networks around the world for large companies, large 9 governments, including this one. We think we have -- I 10 don't -- I think we have expertise in our company around 11 those issues. 12 We had to work harder than we should have to have 13 our auditors look around the network controls, which have 14 eight or ten layers, rather than looking at the individual 15 process controls underneath it. 16 I think if you in one form or another, coming back 17 to the risk thing, and the judgment issue that came up 18 earlier, encourage the public accounting profession to move 19 in that direction, management will equally be able to do so. 20 MR. NICOLAISEN: Keith? 21 MR. HOLMBERG: As a representative of a foreign 22 filer, we are still not through this process completely 23 ourselves, so I'm learning as much as I have to give. 24 I think to your tone at the top question, to the 25 extent that you think companies have been working under the 1 Turnbull environment for a number of years, they have 2 actually focused a lot of time on developing tone at the top 3 in those activities. 4 It would not behoove me as a representative of a 5 European company to ask for more rules when we often talk 6 about being principles' based. Having worked as a VP now for 7 about six companies, while you always hear that, it actually 8 is very true. For me to go to our chairman, our CFO, who are 9 very supportive of this in principle, and if I can explain to 10 them the principles of why we are doing this and they can 11 understand that, getting resources, getting time, getting 12 dollars is not an issue at all. 13 If I go in and say I need resources and dollars for 14 something that I can't explain from a principle based 15 perspective, I have a very large struggle. 16 Many of the people this morning have talked about 17 duplicative testing and so forth. I think that is an area 18 where when I go in and talk to our senior executives about 19 the need to have resources for testing at a process level and 20 then independent internal testing and independent external 21 testing, all for the same processes, that's when they start 22 to vibrate and start asking why are we using resources for 23 something that doesn't seem to be adding value. 24 It's not only a dollar issue. I think it is also 25 we have a harder time keeping the hearts and minds of the 1 organization when you begin to do that. When you are asking 2 them to document controls that they know they should have 3 been keeping up for years and years, their heart is in it. 4 When you ask them to remediate deficiencies that are 5 important to their business, their heart is in it. 6 When you start asking them to support multiple 7 testing environments with the same documentation, you kind of 8 lose them. You lose their hearts. 9 I think that is where VPs, if we had something to 10 say, that's where we would focus our attention, how do we 11 make sure the time we are putting into it, which we don't 12 mind if it is value added, how do we make sure we are 13 focusing it in that area. 14 MR. NICOLAISEN: Is that attitude fairly typical in 15 the U.K.? 16 MR. HOLMBERG: Yes. 17 MR. NICOLAISEN: When you think about us and what 18 we are doing here? 19 MR. HOLMBERG: The times we get together with other 20 U.K. based companies, by and large, again because of 21 Turnbull, they spend a lot of time with tone at the top, and 22 they don't mind conversations around documentation. That is 23 important. They should have been doing it. We all should 24 have been doing it for a long time. 25 They get very frustrated with asking questions as 1 to why is the SEC or the PCAOB requiring things which don't 2 seem to make sense from a business perspective. They 3 struggle with that. 4 MR. BAILEY: I would like to pursue a little 5 further Lee Level's comment about technology. Aside from the 6 documentation issue generally, technology seems to be an area 7 that has incurred a fairly high level of cost. 8 I am wondering how many of you have experienced 9 that in terms of looking to the application controls and 10 testing application controls to the extent of not relying as 11 heavily on the general controls in the IT systems. 12 I think that is kind of what Lee was telling us, 13 trying to get people to focus on those general controls. I 14 wonder if that is the experience across all the firms. 15 MS. GAVALETZ: I will just start. From our area, 16 it was kind of a mix. I think it is because the guidance was 17 kind of sketchy at the beginning. It is kind of the last 18 thing everybody got to, what do we really need to look at 19 relative to IT. 20 I think we successfully got through the general 21 controls, and what we tried to do in the application controls 22 area was understand there were processes controlling that. 23 If there were processes and they were being controlled and 24 being utilized, we were able to rely on that more within my 25 internal audit world, but also the external auditors. 1 I do tend to agree that seems to still be the least 2 focused area across all of the contingents. I think this was 3 a huge integrating function of the IT side with the financial 4 controls themselves. 5 We had people that were sitting two floors above 6 the people they were supporting who had never met each other. 7 There were just such different communities, that this has 8 already taken them to a whole new step and a new 9 relationship, but I think going forward, the area that I 10 would look to is the conflict is out there, for the folks 11 that are IT, and that is what I spent most of my life doing, 12 they know their IT stuff. They will do it. We would never 13 finish anything because there is always something better you 14 could do. 15 That is in the mindset of a lot of the environment, 16 and it does take the management and the assurance type folks 17 to say we are really done. 18 I would ask you to look at COSO and COBIT because I 19 think that is part of where the underlying conflict is coming 20 here. 21 The real IT experts and folks that will tend to be 22 the most zealous about this are very COBIT based. They will, 23 even argue it against COSO. We heard it in one of the panels 24 earlier today. I think what happened, and I saw that was 25 probably a little damaging at the beginning, was people just 1 took the COBIT framework and started to use that as a 2 checklist for every one of their audits. That is very 3 extensive. It is a great framework, but I believe it is 4 probably an overkill if you just sweep it across all of your 5 financial applications. 6 I think there is probably some research or some 7 work across that, understanding what really needs to be done 8 there, and again, giving some examples across it. That 9 conflict existed before Sarbanes-Oxley, and it will probably 10 exist after, but I think it is at the heart when you really 11 start to talk to the people auditing, that is where some of 12 the conflict was. 13 MR. BAILEY: Jay, maybe before the original 14 question, you could comment on that. 15 MR. HOWELL: Definitely. I think IT controls 16 continue to be an issue that should be focused on in the 404 17 process. 18 One of the things that I observed that was 19 challenging and I think it has been challenging throughout 20 time in the audit world is analyzing the IT controls and then 21 looking at the deficiencies that result and the interplay of 22 those deficiencies with other control deficiencies. 23 Generally, you will have the IT people that come 24 out and we think along with a number of the firms we are 25 under resourced in that area. It's an area where we do not 1 have enough people and training, and it is something we will 2 be focusing on to build our resources in that area. I think 3 it is a very important area. 4 It is very important for those people to not just 5 understand the IT aspect, but the interplay of the IT 6 controls with the rest of the control environment, and to be 7 able to analyze and assess that up to a final conclusion with 8 respect to an area. 9 That is a challenging aspect of the implementation 10 of the standard. I think it is something that we will all be 11 learning, we are learning, how to do that better. 12 My earlier comment was with regard to quality 13 versus quantity. I see again with the risk based emphasis 14 that I'm advocating, an emphasis on quality. A lot of the 15 documentation is quantity oriented. When you go look at the 16 documentation, you actually look at what the teams and the 17 companies have put together, it is in mind numbing detail. 18 It is really hard to step back in the big picture 19 and aggregate all of the various different findings up into 20 final conclusions that are meaningful. I think if the 21 quantity wasn't there and the quality was focused on, it 22 would be an easier and more meaningful process to go through 23 and analyze from an aggregation standpoint. 24 MR. NICOLAISEN: This time through on the audit 25 process will be an integrated audit, is what we have heard 1 repeatedly. 2 How different is that likely to be from what you 3 have experienced this first year? 4 MR. HOWELL: From our standpoint, it's a challenge 5 because in order to do the integrated audit, you have to have 6 a certain base level of controls that you can then rely on. 7 If companies are operating in a changed environment and you 8 are never really able to get that base level of controls, you 9 are able to integrate to a certain point, but often the full 10 benefits of that integration concept are hard to obtain, I 11 think, in a lot of situations. 12 MR. NICOLAISEN: You may not be appreciably 13 different. 14 MR. HOWELL: It remains to be seen. 15 MR. NICOLAISEN: Peter, would that be true of your 16 firm, too? 17 MR. MINAN: As I said earlier today, we probably 18 didn't get where we needed to get to this year for 19 integrating our controls audit and our financial statement 20 audits, and it is actually a number one priority for us going 21 forward. 22 I think that integrating the audit to the extent we 23 can and recognizing there is some constraints that Jay 24 mentioned, I think will result in efficiencies, and whether 25 it is just the coordinating of the audit procedures with 1 respect to the financial audit and the controls audit, 2 whether it is developing the audit plan from the increased 3 baseline of knowledge that we as auditors and management have 4 of their internal control systems. 5 I think it may be hard to crystallize that, but I 6 think we should and do in fact expect there will be benefits 7 in terms of efficiencies and effectiveness of going to our 8 integrated approach. 9 It was our desired goal this year. We just didn't 10 get there. 11 MR. NICOLAISEN: Shelley? 12 MS. STEIN: I just wanted to add that we probably 13 have gone through some of the most sweeping changes that we 14 have in our profession, at least in my career to date. 15 The companies have gone through quite a lot in 16 terms of trying to get this implemented, and certainly the 17 firms have, and even the PCAOB has in terms of trying to get 18 the guidance out there, as well as coming in to take a look 19 at how we are doing it. 20 We can't be sitting back and waiting to see how 21 each firm is individually going to try and make it better. I 22 think one of the things that we can really take advantage of 23 is if an implementation group was formed, probably similar to 24 what FASB did with 133 on derivatives, if we can get together 25 and talk about these things and come up with ideas on how we 1 can do this better, I think it is going to have a huge, huge 2 impact. 3 Some of the things that we haven't touched on so 4 much but I've heard bits and pieces of it, when you talk 5 about continuous audit, I think these things are really 6 important in terms of the ability to be able to get the work 7 done. 8 The amount of work that we have heard that is 9 associated with this, both from the company standpoint, the 10 firm standpoint, and the PCAOB standpoint, has been huge, and 11 oh, by the way, we have only done the accelerated filers, we 12 still have the non-accelerated filers to go. 13 If you think about the time frame in terms of 14 getting all this work done, being able to spread it out a bit 15 and finding ways to do that that are acceptable to the 16 companies and the firms and the regulators is huge. 17 I think it has been great that you have relaxed 18 some of the deadlines in this process, and you have taken a 19 humanistic approach to it, but I would just encourage both 20 the SEC and the PCAOB to reach out to the companies and to 21 reach out to the firms in terms of when -- obviously we want 22 the information better and faster. 23 I am very concerned that the companies can't get 24 enough people to do the work. The firms can't get enough 25 people to do the work. The PCAOB can't get enough people to 1 do the testing to come in to tell the firms, hey, this is 2 right, here are some best practices. I would hate to see us 3 all losing people, leaving the profession, because we are 4 trying so hard to get it done so fast. 5 I think we even have to take a risk based approach 6 to how we pursue this ourselves. 7 MR. BAILEY: There is an issue that actually might 8 have been better for the second panel, but I think given the 9 panel here, costs are driven by the nature of the auditors' 10 requirement to do an audit of management's process and their 11 test and the reasonableness of their opinion and a separate 12 extension of that, if you would like, enough testing, in 13 order to arrive at their own independent opinion. 14 They rendered two opinions. I wonder if you could 15 reflect on what you think of that as a concept but also how 16 you think the cost break might be breaking down between these 17 two things. 18 Do you really have to do a tremendous amount of 19 more work in order to render that second opinion? 20 Peter? 21 MR. MINAN: What was the question again? 22 MR. BAILEY: No. I managed to mess that up. I 23 think you got it. 24 MR. MINAN: I firmly believe in the fundamental 25 concept that management should reach its assessment on its 1 internal controls structure and should do sufficient testing 2 and documentation of that testing to be able to do that. 3 I also firmly believe we as auditors should attest 4 both elements of that, both their successful assessment 5 process as well as the effectiveness of the internal controls 6 structure. I'm behind this. 7 What is the breakdown of costs? I don't know. 8 There has been obviously some guidance through speech making 9 and others that suggested whatever auditors do, management 10 needs to do more of it. 11 I think one of the things we talked about earlier, 12 one of the things I talked about earlier, is to the extent we 13 can get additional guidance out to the issuers, specifically 14 directed to issuers, that can maybe take into consideration 15 some of the things they do on a day to day basis that aren't 16 "auditor type" tests, but can nonetheless serve as a basis 17 for their assessment, I think you might see the costs 18 improved, the costs reduced. 19 MR. BAILEY: The costs that the auditor incurs? 20 MR. MINAN: No, the costs -- when I use "costs," 21 generally the costs of the compliance with 404, which 22 includes -- certainly an element of it is the external audit 23 attestation, but a more significant element of it frankly is 24 the costs in terms of their documentation, their monitoring 25 and their ongoing testing. 1 As I said earlier, because of a limited amount of 2 guidance for issuers, I think we kind of maybe defaulted to 3 an AS-2 standard for issuers, and perhaps that can be 4 remedied or improved upon in future years if we are able to 5 give some guidance examples where we as auditors can reach 6 the conclusion that management's assessment is good and this 7 process for doing it was also good based upon some guidance 8 that they would be able to follow that is different than what 9 we as auditors normally expect and what we are required to 10 follow. 11 MR. BAILEY: Keith, do you have a comment on that? 12 MR. HOLMBERG: Yes, to some extent. I think most 13 companies would agree with his conclusion that we should be 14 doing management assessment testing as well as external audit 15 testing. 16 I think it is the ratio and relationship between 17 those two that needs to be adjusted, where we end up doing 18 both too many times. 19 Maybe by having a group of people representing all 20 of the interested parties might get you there in terms of 21 what different ideas might exist, but at the end of the day, 22 I think it will rest with the Commission and PCAOB as to 23 really dictating what the right incentives are for all the 24 interested parties. 25 Companies before 404 had the wrong incentives in 1 terms of not doing internal controls, not following those 2 because nobody cared and therefore, no costs or efforts were 3 put into it. 4 I think with 404 coming into play, that switched to 5 where the audit firms have the wrong incentives to try and 6 limit the amount of work they need to do. Their incentives 7 are driven, as many people have said today, by the avoidance 8 of litigation, by protecting themselves, PCAOB reviews that 9 will take place. 10 They want to make sure everything is done. They 11 don't have an incentive to make those judgment calls. 12 I think it is only yourselves that can actually say 13 what are the right incentives that need to be in place so 14 they get that balance right. 15 Before lunch, Mr. McDonough said they would make 16 that part of their review, not did you go far enough, but 17 also did you go too far. I think those are the kind, the 18 tone from the top from the PCAOB that would actually help 19 both companies and audit firms to recognize exactly what the 20 expectations are from you all. 21 MR. BAILEY: I take away from these two answers, 22 and I don't know what everybody else is going to say, but 23 that we are not really having a discussion here about the 24 basic principles behind the standard, the integrated audit, 25 the various opinions. It is strictly a matter of how can we 1 bring the cost relationships more in line with what we 2 perceive to be the benefits. Is that correct? 3 MS. GAVALETZ: That's correct. 4 MR. HOLMBERG: That would be our conclusion. 5 MR. HOWELL: I would agree with that. I would 6 emphasize particularly for smaller companies, and I know the 7 advisory committee that has been formed will be addressing 8 that area, but a lot of these factors have a lot bigger 9 impact on the smaller companies, and when they become due in 10 2006, that is going to be a big hurdle to get over, to do 11 these 404 audits for all of those enterprises, and for those 12 enterprises to get maximum leverage from the things that we 13 are uncovering today. 14 MR. NICOLAISEN: In closing, let's do left to 15 right. Kimberly, Susan and Lee. 16 MS. GAVALETZ: I would just like to comment on what 17 Jay said there. I think you had it perfectly, it is the cost 18 relationship. I don't think the principles, anybody is 19 differing with here. 20 I think on the cost side of it, there are a couple 21 of things to look at. We have all talked about the risk 22 based approach. That is clearly available in the standard. 23 I believe there is probably been a fear or a reluctance to do 24 that in this first year, and also to see how the inspections 25 come out. Are they willing to make those risk judgments. 1 I think relative to the use of other resources, the 2 reliance on work of others, that is another part of that 3 equation. If you look at where all the work is being done 4 and make some judgment calls about that being sufficient or 5 needing to do a little bit on top of it, the use of internal 6 audit. It's just there for both management and for the 7 external auditors to determine where is the best balance in 8 all of that. 9 I think there is a lot of opportunities as we go 10 forward here to make this even better, and to make it more 11 cost effective and to balance that cost benefit equation 12 going forward. 13 I think it has definitely been useful to this 14 point. I think getting this first round of documentation and 15 testing together has been beneficial to firms. 16 It was a road to hoe even for those of us who had a 17 lot of it there. It was a push to the finish line. I think 18 it gives us all a basis to take industry and our governance 19 overall to another level. 20 I loved the conversations on tone at the top. You 21 can walk in and have a few conversations and start to know 22 that. That is an auditable skill. It's not the same way as 23 checking numbers, but it's very auditable. 24 Thank you again for having this forum and inviting 25 me. 1 MR. NICOLAISEN: Thank you. Susan? 2 MS. GORDON: I just wanted to say a few words. 3 Year two is going to be much better. 4 MR. NICOLAISEN: You promise? 5 MS. GORDON: I promise. As the registrants out 6 there know you got through it. The fear factor of what was 7 going on with what your auditors were going to be able to do. 8 We talked at lunch about this earlier. We have 9 spent since March 16th, the day of the filing, we have spent 10 that time to today going through and redefining our scope. 11 As a company, we are going to go and I think 12 present to the audit team and take like an aggressive 13 position to say we are going to integrate this. We are going 14 to see where we can cut back and where we need to add. 15 Some way, it is not going to be like it was like 16 for year one and year two can only be better. 17 MR. NICOLAISEN: Lee? 18 MR. LEVEL: Very briefly. We are on record of 19 recommending the elimination of a separate management 20 opinion. I'd just like to state that orally as well. 21 Further to the point about how the U.K. companies 22 and others look at this, we found as one of the intangible 23 costs, there are lots of dollar costs, but one of the 24 intangible costs that we have faced is we have three regional 25 offices outside the United States. 1 We have lost internal auditors in each of those 2 regions because the individuals involved don't want to do the 3 more detailed type of work that we have talked about as the 4 most significant to eliminate. 5 In the U.S. in terms of costs, we have data. 6 Internal audit in the U.S., we have had twice as much 7 turnover in the last year as we did historically. We have 8 had to raise pay levels in our internal audit staff three 9 times our corporate merit level. 10 The demand for these skills is just outrunning the 11 supply. I'm sure we are not the only company facing those 12 issues. Thank you. 13 MR. NICOLAISEN: Thank you. Encourage your 14 children to go into that business. 15 (Laughter.) 16 MR. NICOLAISEN: To the audience, this session was 17 an extremely important session. It is also the toughest if 18 you are not a technically minded person to participate in. 19 The next two are now coming back up to the more 20 generalized role. The next panel deals with use of judgment, 21 which I think everyone can equate to. The last panel is an 22 extremely important group, because that is where we talk 23 about next steps and try to take inventory of what we have 24 really learned here today. 25 To this panel, I say thank you very much. I 1 sincerely appreciate your efforts, your participation. Lee, 2 if you want to send one more letter in, we would appreciate 3 that, too. 4 Thank you so much. We will be back at 3:15. 5 (A brief recess was taken.) 6 MS. STACEY: Good afternoon. Thank you, everyone, 7 for coming. We are going to start panel five. 8 PANEL FIVE - USING JUDGMENT IN 9 COMMUNICATION AND CONCLUSIONS 10 MS. STACEY: Panel five is called using judgment in 11 communication and conclusions. Alan Beller and myself, Carol 12 Stacey, will be leading this one. 13 I wanted to mention again for those of you who may 14 have just shown up, sort of the rules of order. We won't 15 have any opening remarks. If someone has already said what 16 you were dying to say, please keep it to yourself, 17 recognizing that has already been said. 18 If you would like to discuss a matter, please turn 19 your tent cards on the end, and we will recognize you. 20 We are joined once again by the Commissioners and 21 by the members of the PCAOB. We are going to dive right into 22 it. I am going to introduce who we have on panel five. 23 From my left, we will start with Philip Ameen, vice 24 president and comptroller of General Electric. On his left, 25 we have William Brunner, who is the chief financial officer 1 and vice president and treasurer of First Indiana Corporation 2 and is also a member of the American Bankers Association, 3 actually the chairman of their accounting committee. 4 To his left, we have Robert Hodgkinson, secretary 5 of the Turnbull Review Group, and to his left, we have Larry 6 Koch, a partner with Deloitte & Touche. To Larry's left, we 7 have Ron Lalonde, senior executive vice president and chief 8 administrative officer of the Canadian Imperial Bank of 9 Commerce. 10 To Ron's left, we have Peter Lyons, a partner from 11 Shearman & Sterling. To Peter's left, we have David 12 Shedlarz. David is the chief financial officer of Pfizer. 13 To David's left, we have Teresa Sparks. Teresa is the 14 corporate controller of Symbion, and to Teresa's left, we 15 have Garrett Stauffer, a senior partner from the National 16 Risk & Quality Practice of PricewaterhouseCoopers. 17 Welcome, everyone. 18 I'd like to start off this panel by throwing a 19 question to Mr. Brunner. Mr. Brunner, we have talked quite a 20 bit about obviously the provisions of internal reporting, the 21 American Bankers Association provided us with a number of 22 suggestions in their comment letter to us. 23 One of the specific areas that they discussed was 24 the relationship between external audit and management, and 25 basically suggested, as other panelists in earlier panels 1 have, that there has been a decline in communications this 2 past year, due to several areas. The American Bankers 3 Association attributed it to independence concerns, and there 4 are other theories, too. 5 What has been your experience with this issue or 6 your association's experience? 7 MR. BRUNNER: As an association, we talk to all our 8 members. We may have the benefit of having an extremely 9 broad range going anywhere from very small organizations to 10 very large. 11 We have found on a very consistent basis that 12 across the board, organizations have found that their ability 13 to use their auditors as sounding boards or as collaborators 14 on issues has essentially gone down. 15 I think it is a good bit more noticeable in smaller 16 organizations than larger ones, which may have more core 17 resources on their staffs. 18 Yes, we have found that the environment is very 19 much now where in our case banks, and quite a bit of 20 isolation, to analyze situations as we always would, but 21 before, completely before, you would take it to the auditor. 22 Some of the consequences that we find that bring us 23 concern is we think it can lead to quite often some 24 suboptimal decisions. You lose the benefits of some of the 25 early synergistic thinking and talking between the parties. 1 Some of these issues are extremely complicated. We 2 deal with a lot of financial assets which have a lot of 3 changing and continuing review of the accounting treatment. 4 There is a fear at times of companies being deemed 5 significantly deficient or worse, if they have a fear of 6 coming up with a different answer than their auditor might. 7 Again, this situation we find particularly 8 troublesome for smaller organizations who don't carry the 9 breadth on staff of highly technical people to deal with all 10 the changing issues that occur. 11 One alternative we find is that companies are 12 having to turn to yes, another outside advisor, again, 13 layering on another level of costs. 14 Because there is more layers, we are also finding 15 and have evidence that timeliness of decisions sometimes are 16 compromised. It is just taking longer to work through the 17 system and get them all worked out. 18 In total, we believe this is quite an unfortunate 19 consequence of the environment we are in, for whatever reason 20 it is occurring. We do believe that local informed and 21 quality decisions are best made when the forces can get 22 together and work on a transparent answer that truly reflects 23 the financial economics of a given transaction. 24 MS. STACEY: Do you think it is more geared towards 25 the smaller firms having difficulties rather than the larger? 1 MR. BRUNNER: I believe everyone is probably 2 feeling a little bit more distant. I think we hear more 3 vocal the smaller you get, because quite honestly, that 4 relationship of being able to have the other party to talk to 5 is very, very important. 6 In quite large organizations, my belief is if you 7 want to talk to someone else professional in an given area, 8 go next door. There is probably another person on your 9 staff. 10 MS. STACEY: I'd like to get probably the large 11 company perspective and the small company perspective and the 12 audit perspective. Larry Koch, if you could weigh in. 13 MR. KOCH: First of all, Carol, I would agree with 14 Mr. Brunner that there has been some confusion and 15 uncertainty with respect to this matter I think throughout 16 the public accounting community, the registrant community. 17 I would say I do not believe the issue is limited 18 to smaller companies. GAAP these days is very, very complex. 19 Transactions are very, very complex. Large companies have a 20 propensity to enter into very large, very complex 21 transactions. 22 I think the issue is germane really to the whole 23 registrant community. 24 Again, this is an area where judgment needs to be 25 exercised as well. I do believe it would be helpful to 1 clarify and reaffirm the auditors' ability to work in a 2 constructive manner with registrants early on with respect to 3 the resolution of complex issues. 4 I also would say I recognize that having the 5 appropriate, if you will, technical resources for a 6 registrant is an important element of internal control. I 7 personally believe that it is entirely feasible, in fact, I 8 believe I do it in my working relationships with clients, it 9 is feasible to be involved, be contributing, engage in 10 dialogue constructively, yet not take the place of management 11 in terms of being an element of the internal control, and 12 still preserve the ability to step back and objectively 13 assess whether the company, given its size and complexity, 14 does indeed have the right level of expertise internally. 15 MS. STACEY: Basically what you are saying, the 16 company needs to do a certain amount of their own homework, 17 but then obviously the dialogue can be open between the 18 auditor and the company. It's not the company has to totally 19 come up with a conclusion before they even start to talk to 20 the auditor. 21 MR. KOCH: I would say it's not even clear to me 22 that the company necessarily "has" to go first. I think it 23 can be an open dialogue from the very beginning. There is no 24 lock on good thinking, good ideas, and in depth 25 understanding, particularly of the more complex standards as 1 they apply in complex situations. 2 MS. STACEY: Mr. Ameen, maybe from a large company 3 perspective? 4 MR. AMEEN: From a somewhat larger company 5 perspective, I suppose, yes. 6 It is clear to me that Sarbanes-Oxley has had a 7 somewhat chilling effect on our communications with our 8 auditors on accounting matters, which is unfortunate. It was 9 true before that we simply never ran into any sort of risk of 10 having the auditors observe to our managers, to the audit 11 committee, that we had a deficient depth or breadth of 12 accounting expertise. 13 I have something like 2,000 certified or chartered 14 public accountants. I have a technical staff reporting 15 direct to me that I would compare with any in the world. 16 They are quite capable of what they are doing. 17 Nonetheless, we now half a step before we take 18 matters to our public accountants, which puts them at 19 something of a disadvantage. 20 The whole system, I think, the fear of reporting 21 aspects is at a disadvantage. I think there is long 22 throughout history consultation on accounting matters before 23 the deals are done and we are deciding where to make the 24 debits and credits, going back to the old days of pooling of 25 interest accounting in this very building of many a 1 conversation, and one chief accountant said that about 50 2 percent of his office time was spent consulting on poolings 3 of interest. I think that is not a bad precedent. 4 There are also areas of expertise that regardless 5 of how good my staff is, we are occasionally going to run 6 into areas that we need supplemental information on. My 7 auditors have access to experience that I don't have. They 8 see other client situations. They see other cases. They in 9 fact deal with conversations here in Washington that I'm not 10 a party to, thankfully. 11 (Laughter.) 12 MR. AMEEN: All of that information is relevant 13 sometimes to the ways I structure, to the way I execute, and 14 the way I account for transactions. 15 I think it is unfortunate that we have lost that, 16 but I do think under the current interpretations, it has been 17 lost. 18 MS. STACEY: We have also heard just as a follow up 19 to this conversation, not just communication issues between 20 the auditor and the company, but also things like the 21 financial reporting process has been slowed down because one 22 party or another doesn't want to give or receive a draft of 23 the financial statements until it is entirely final on 24 management's point. 25 I don't know if anyone here has experienced that, 1 but I would be interested in that issue also. 2 MR. AMEEN: I will just respond to that one 3 specifically, whereas each draft, and we go through probably 4 a dozen drafts of the year end financial statements as an 5 example, had previously been made available to KPMG 6 immediately on preparation. We don't do that now. We wait 7 for completion of a review cycle by my staff before we pass 8 it onto KPMG. 9 That is chilling in a process where the time cycle 10 is getting shorter and shorter. 11 MS. STACEY: Can you give us some background as to 12 why that is happening? 13 MR. AMEEN: These early drafts inevitably have 14 errors in them, and I don't want a competition between the 15 auditors saying that error is evidence of a weakness in 16 internal control or we found it first. It's a competition 17 that you simply can't afford to have. 18 MS. STACEY: Maybe from a small company 19 perspective, if Ms. Sparks could speak to the communication 20 issue also. 21 MS. SPARKS: Sure. Thank you. 22 I think I bring two unique perspectives to the 23 panel today. One, I do represent a small to mid-sized 24 company. Our revenues are about $250 million, compared to my 25 next door neighbor here, we are just a dot on the map, so to 1 speak. 2 Also, we were not classified as an accelerated 3 filer. We are currently in the midst of year one of 404. 4 Those are my two unique perspectives. As it 5 relates to our communication with auditors -- I am also a 6 representative of many health care companies that I have 7 polled as I did my research in preparing to come here, just 8 to get their feedback as well. 9 We really reached a consensus that those 10 relationships have been strained. As a small company, we do 11 operate as a health care company in a very highly regulated 12 environment. We are used to and accustomed to seeking expert 13 advice as complex issues present themselves. 14 The same holds true as we are preparing and 15 determining today's complex accounting standards, and with 16 having a limited staff, that has been something that has been 17 an extremely valuable tool to our size company, of being able 18 to seek our auditors' opinion and their guidance in those 19 certain areas. 20 Now, we always do our homework, but as I mentioned, 21 we have a very limited staff. We do see that as a very big 22 issue for our company. 23 MS. STACEY: Mr. Lyons? 24 MR. LYONS: I just wanted to go back to the 25 question of how often and when one sees drafts. It is 1 affecting transactions materially and slowing them down. 2 If you are doing, for example, a carve out 3 acquisition and the buyers are, for example, private equity 4 firms, and there is going to be audited financials which will 5 ultimately then probably be used in a 144(a) offering 6 memorandum, you will thereafter be audited. 7 The length of time it takes to get them out, and 8 people are very reluctant because when you take the carve out 9 and the accountants come in, it is going to take a long time 10 because the nature and extent of the changes that we are 11 seeing, these are financial statements that have been audited 12 for years, but if it's a carve out, there is a different 13 level of materiality, but there is also a different level of 14 focus. 15 It is slowing down transactions simply because 16 people are very nervous to give them out until -- in the old 17 days, you would say you know what, I can give them, they are 18 management's financial statements, I can get an audit, it is 19 not going to be a problem. 20 People are very reluctant to take that position 21 because they expect a lot of changes. That is unfortunately 22 what they are going in with the mindset. There will be a lot 23 of changes. That may not be well founded in all cases, but 24 people have seen it often enough that they are very concerned 25 about it. It is affecting transactions in material ways. 1 MS. STACEY: Mr. Lalonde? 2 MR. LALONDE: I wanted to make two comments on 3 this. First of all, I'd say that I would certainly concur 4 that the nature of the relationship between management and 5 the auditors has changed. 6 The first observation I was going to make is I 7 think this predates Sarbanes-Oxley. I think this really was 8 driven in the first instance by independence issues, and I 9 think independence like trust is as much a perception issue 10 as it is a substantive issue. 11 I think that is what drives the zero tolerance 12 approach to independence and the rule structure, but also in 13 the processes and procedures that are established by 14 managements and audit committees. 15 We actually had an unique circumstance in Canada on 16 this point, as this change was taking place, I think. The 17 Canadian banks all had two auditors, and for historical 18 reasons. With the demise of Arthur Andersen, that left four 19 major firms, and if you had two of them as your auditors, and 20 as the tone of that conversation with management was 21 changing, you were starting to find you had limited sources 22 of advice for the kinds of complex issues that one would 23 normally deal with accounting professionals on. 24 That was one of the reasons frankly that we decided 25 and the industry subsequently followed to move to a single 1 auditor as opposed to employing two auditors. 2 The second comment I was going to make is that I 3 think I would also agree with the sentiment that has been 4 expressed that this has had a bit of a chilling impact on the 5 relationship between management and the auditors. 6 I would say, however, I think there is an offset 7 there, and the offset is I think it has had an enhancing 8 impact on the relationship between the external auditors and 9 the audit committee. 10 My sense is that it was independence that drove 11 this rather than evaluation of control issues, and I think 12 that same thing that drove independence drove the 13 relationship between the external auditors and the audit 14 committee to become much more close. 15 I would observe that I think audit committees, at 16 least our audit committee, is using our external auditors 17 much better as advisors and consultants, so management may be 18 getting less value out of that relationship, but I think our 19 audit committee is getting more value. 20 MS. STACEY: That is an interesting comment. Thank 21 you. Mr. Hodgkinson, I hate to put you on the spot, but I am 22 wondering across the pond if you are encountering the same 23 issue in the U.K.? 24 MR. HODGKINSON: I think it would be fair to say 25 no, but it is probably worth saying that the Turnbull 1 guidance is not exclusively on financial reporting. 2 I would also say that if we are thinking about the 3 application of judgment, there is perhaps a linkage to this 4 issue. I think the application of judgment does require that 5 you have a clear idea of what the objective is you are trying 6 to achieve. Something perhaps has gone a little wrong if 7 provisions which are designed to improve the quality of 8 financial reporting actually levitate against a process in 9 which you improve the quality by consulting with those who 10 can contribute to the decisions. 11 At a basic level, we must have focused on some 12 intermediate objectives which aren't appropriate. The 13 objective of this is to improve financial reporting. That 14 would seem in the common sense way that people have talked 15 about to require that you have an informed debate because 16 more informed people contribute to better decisions. 17 I think that focus upon objectives is perhaps a 18 theme that might be pursued here. 19 MR. BELLER: I guess I have a somewhat similar 20 take. I was going to describe it as what's wrong with this 21 picture. If the ultimate policy objective is to have the 22 most accurate possible financial reporting in the most 23 painful possible way, is what we are hearing good policy or 24 not. 25 I guess I would ask Mr. Stauffer, is what we are 1 hearing good policy or not? To the extent it's not, what do 2 we need to get it back on the right track? 3 MR. STAUFFER: No, it's not good policy. Clearly, 4 in our mind, it's an unintended consequence. It's driven bad 5 behavior. It's prevented good communications. It has the 6 impact of going backwards when you think about quality of 7 financial reporting. 8 I will say that early on, let's say right after the 9 standard was issued last Summer, I believe there was a very, 10 very stifling effect at that point in time. It has gotten 11 better, I believe, as we sit here today. That's due to 12 speeches made by both the SEC and the PCAOB, the PCAOB's FAQ 13 on this topic. 14 We, as I think industry, have made an effort to try 15 to make sure we keep our partners and our staff informed of 16 the issue and where the lines should be looked at. 17 Management can advocate its responsibility for the 18 selection of generally accepted accounting principles. 19 Management can have the auditor come in and record the 20 journal entries and close the books and write the financial 21 statements. We all know that. 22 That is a far cry from what I think we are talking 23 about here, which is good communication that will improve the 24 quality of financial reporting. 25 MS. STACEY: Mr. Shedlarz? 1 MR. SHEDLARZ: With your indulgence, I will address 2 the issue but maybe take it down a slightly different path. 3 I think what we are dealing with is human nature, 4 one of the toughest things to arrest in this type of 5 environment. The utilization of professional judgment is 6 critical to getting the balance right, even in terms of 7 independence, but also in terms of the review and attesting 8 to the internal controls. 9 Both management and the outside accounting 10 community are moving towards a mode of very conservative 11 practices. Until this is tested in the open environment, 12 they are likely to stay there. 13 This is a critical period in terms of getting the 14 balance right. I don't think the rules need a lot of 15 modification. I think the human activity needs a lot of 16 addressing in terms of defining what is acceptable practice. 17 I watch directly a lot of the constituencies 18 reaching for absolute assurance in terms of independence, 19 absolute assurance in terms of the internal control 20 environment, when the best you can ever hope for is 21 reasonable assurance. 22 When you are trying to reach for the unobtainable 23 goal, that is when you start to get practices that are going 24 to start to weigh the balance risk of all this in terms of 25 the benefit and the cost, probably in the wrong direction. 1 You only have to take a look at the extent to which 2 they are willing to rely on other activity, on behalf of the 3 internal audit departments of various organizations, the 4 extent to which they are defining at a certain level 5 significant deficiencies. You can go down through just about 6 every major element and what you are finding is ultra 7 conservatism. 8 I look to the PCAOB in part in terms of listen, 9 they allow for this flexibility, but maybe there is not a lot 10 of belief in terms of the level of acceptance. This critical 11 stage now in terms of how you are going to exercise your 12 authority which is so critically important and no one is 13 begrudging is going to be defining in terms of whether or not 14 we can strike this balance more correctly, whether it comes 15 to engagements on the independence side, or it's the level of 16 activity which is being carried out in a highly duplicative 17 nature in terms of the internal control environment. 18 It is a very important thing to get right in terms 19 of human nature. 20 MS. STACEY: Let's go to Commissioner Goldschmid. 21 COMMISSIONER GOLDSCHMID: Picking up on David 22 Shedlarz's comments, which I agree with, although 23 conservatism isn't a bad word in this town right now. 24 (Laughter.) 25 COMMISSIONER GOLDSCHMID: What we are really 1 talking about is the chilling effect that seems to cut in 2 lots of areas, certainly independence has been there, worry 3 about scope, worry about reliance. It is cutting across a 4 bunch of areas and arguably creating a lot of -- I'm not sure 5 any of this, by the way, comes out of Sarbanes-Oxley. It may 6 come out of other doctrines and other fears and the 7 conservatism, using that word again, that may have developed. 8 What can we do to bring it back into a more 9 balanced cause, I guess is the question I would ask the 10 panel. 11 MS. STACEY: Who would like to weigh in on that? 12 Mr. Lyons? 13 MR. LYONS: I'll give you a lawyer's response. 14 Really what I think, the accounting firms have been quite 15 conservative. I think they are responding appropriately. 16 If I were the general counsel of an accounting 17 firm, I would want them in facing the current environment 18 with the liability they face, with a brave new world, where 19 unfortunately they are out there doing something they have 20 never done before, they have to conclude they face new and 21 different risks. 22 They have to be conservative about it. I think the 23 PCAOB has to give them comfort that when they make judgments, 24 that is okay, that they make reasonable judgments, and they 25 are going to have to communicate that those reasonable 1 judgments are going to be consistent. They will have to know 2 that it's not going to increase the exposure to the four 3 remaining big firms. 4 I think the legal environment and the legal risks 5 they face, and I think Commissioner Goldschmid's point, it is 6 not just this, but it is part of it, that the whole 7 environment that the accountants face is driving a lot of the 8 conservatism we see. 9 I don't think it is going to change unfortunately 10 as much as we might like it to, unless and until the 11 accountants can see a change in the regime they face that 12 will allow them to exercise more judgment and allow their 13 general counsel to be comfortable that they are not crazy 14 doing it. 15 MS. STACEY: Before we move onto judgment related 16 to material weaknesses and significant deficiencies, let's 17 finish up this topic. 18 Mr. Hodgkinson, did you have your tent up for this 19 one or the last one? 20 MR. HODGKINSON: Yes, just to take up on the points 21 about the preconditions of people exercising judgment. I 22 think you mentioned there has to be trust and others will 23 accept that you have exercised judgments, and in fact, that 24 others are prepared to exercise judgment. 25 There are some deep things which need to be 1 accepted as a consequence, and that is if you are going to 2 have judgment, then you have to accept there will be some 3 variability of outcome. You can't have judgment which always 4 leads to the same outcome in all circumstances. That is 5 quite difficult to accept, because a lot of people today have 6 been asking for more and more guidance presumably to give 7 them certainty that they are exercising judgment properly, in 8 which case, they are not exercising judgment properly. 9 (Laughter.) 10 MR. HODGKINSON: That is just a guy who has read 11 all the detailed literature that tells him what the right 12 answer is, whether it's right or wrong. There has to be a 13 broader atmosphere of trust. 14 Actually, judgment isn't a little bit of seasoning 15 that you sprinkle on some otherwise unpalatable meat. It is 16 actually the core of what you are after. You want a system 17 in which people exercise judgment, and the rigidity is 18 something which you have to put up with, that goes with it, 19 of certain pieces of guidance and rules, not the other way 20 around. 21 As soon as you are down the path of prescription, 22 it is very hard to just sprinkle a little judgment around the 23 edges. It will look like a fairly illusory form of judgment. 24 There are some big issues to accept, I think, and 25 by all parties before judgment can simply be implemented. 1 MS. STACEY: Before we go to Mr. Koch, Commissioner 2 Glassman wants to ask a question. 3 COMMISSIONER GLASSMAN: Thank you. It's a 4 follow-up on the judgment, although more specific, in this 5 world of judgment, if management thinks something is not a 6 material deficiency, a material weakness, and the auditors 7 do, using their own judgments, how does that get resolved, if 8 there are no specific guidelines? 9 MS. STACEY: I think that is one of the things we 10 were going to go to next. How do you determine that. They 11 are very good questions. We were going to actually put Mr. 12 Ameen on the spot. 13 Let's hear Mr. Koch's answer first. 14 MR. KOCH: I would just say I believe in the near 15 term, in terms of practical help in the exercise of judgment, 16 perhaps in this area as well, I do think the upcoming PCAOB 17 inspection season really does present quite an opportunity 18 for the PCAOB to look at complicated real world examples, 19 real world best practices and communicate that. I think in 20 near term, that is key. 21 In terms of resolution of differences in judgment, 22 I will confess I have not found that to actually be the case. 23 My sense is that reasoned people vetting through the specific 24 facts and circumstances of the condition or sometimes 25 combination of conditions at hand, will tend to arrive at a 1 common judgment. 2 Perhaps maybe even more important than that, in my 3 experience, I have found that the issue so much doesn't turn 4 on is this a material weakness or is it a significant 5 deficiency. It tends to turn on what is the issue, what is 6 the best way to remediate it, let's get the remediation done 7 and let's be in a position where at the "as of" date, at the 8 end of the year, there is not even a question because it has 9 been remediated. 10 MS. STACEY: You haven't experienced that many 11 instances of disagreements over either what is a significant 12 deficiency and what is a material weakness, how do you 13 aggregate significant deficiencies? 14 MR. KOCH: Good healthy dialogue, yes. Hard held 15 differences of view at the end of the day, no. We have been 16 able to drive to commonality, again, in an environment where 17 first and foremost, the issue is let's take care of the 18 problem. 19 MS. STACEY: Mr. Ameen, can you comment on the 20 judgments involved in identifying what is a deficiency? 21 MR. AMEEN: Just to give you a little scale, we 22 identified a lot of controls, probably somewhere in excess of 23 50,000, and tested many of those. It's difficult in my 24 environment to find one of those that would have been a 25 material deficiency, because so many of them are distributed 1 so broadly across so many organizations. 2 However, the place you would start looking for such 3 a deficiency would be at the very top level, where it all 4 comes together, in corporate, and those systems sometimes are 5 not the most robust, but have the largest numbers and 6 therefore the greatest risks flowing through them. 7 Fortunately, we did not run into deficiencies in 8 those controls. The numbers, once they are put together, are 9 pretty well monitored and articulated pretty fluidly. 10 It didn't turn out to be an issue, but I think the 11 right answer is to err on the side of reporting in the 12 interest of openness to the markets in all cases where there 13 is any doubt. 14 MR. BELLER: Just to follow up, do you think you 15 were able, both as a preparer, use your judgment, and were 16 your auditors successful in using their judgment to focus 17 their attention on that proportion of the 50,000 plus 18 controls that were worth focusing on, or was it less 19 rationally distributed than that from a risk assessment point 20 of view? 21 MR. AMEEN: I have to say this was our second time 22 through, 2004 was our second time through. We had done what 23 turned out to be a dry run for internal control reporting in 24 2003. 25 MR. BELLER: For which we apologize. 1 (Laughter.) 2 MR. AMEEN: Actually, it was a very significant 3 learning process for us and for our auditors. We were doing 4 it without benefit of PCAOB rules, of course. Having been 5 through the exercise, having put the documentation together, 6 we were miles ahead we thought of where we would have been 7 otherwise. 8 We had no push back at all that I'm aware of from 9 KPMG on which controls we identified. If anything, we would 10 step a bit back from where we are, I think, on an internal 11 evaluation basis. In a distributor organization as 12 diversified as we are, you really have to push down pretty 13 deep. 14 MS. STACEY: Mr. Lalonde, I wanted to get to you 15 because your company actually wasn't required to do it this 16 year, and you actually went through the assessment process. 17 I wanted to get your thoughts. 18 MR. LALONDE: Yes, go figure. 19 (Laughter.) 20 MR. LALONDE: I was just going to reinforce a 21 comment. I don't think the issue here on judgment is around 22 evaluating control deficiencies. At least that certainly 23 wasn't our experience. 24 We evaluated and tested about 3,500 controls in 25 this area, and because we thought that the gap between 1 deficiency and significant deficiency was a little too big, 2 we even invented an intermediate category between those two 3 to get a little bit more granularity. 4 Even looking across those four categories, I would 5 say that the differences of opinion between management and 6 the auditors were like a handful, and they were easily 7 resolved. 8 There is, however, I think a much bigger judgment 9 issue that comes into play, and I think that comes back to 10 something one of the previous panels was discussing, around 11 scoping exercises and planning. 12 My sense is that is where the big judgment factor 13 comes in and where the big conservatism factor comes in, in 14 figuring out what needs to be documented and tested. My 15 sense is that is where if there is dramatic overkill taking 16 place because of the conservatism bias built into the whole 17 process, and I'd say frankly not just auditors. I think that 18 bias exists amongst management as well to over club this in 19 the current environment. 20 I think that is where you have a problem with 21 judgment being applied perhaps a little bit overly 22 aggressively. 23 MS. STACEY: Mr. Shedlarz? 24 MR. SHEDLARZ: I would tend to agree with a lot of 25 the former comments. I would tell you interestingly enough, 1 I think when you have a material weakness, everybody knows 2 you have a material weakness. You don't get a lot of debate. 3 If you do, whether we like it or not, the auditor 4 rules. The debate tends to be around significant 5 deficiencies. That is important as well, because there you 6 want to focus on things that are really important to the 7 internal control environment and the integrity of the 8 financial statements. 9 My sense is again due to this conservative posture, 10 a lot of things get thrown up on the table in that category 11 that then get reviewed robustly and dealt with, which might 12 not have a good payoff, and may in fact have a negative 13 consequence in that you are not focusing on the things that 14 really count in that category. 15 Again, the extent to which we can help the 16 community in understanding where the cut line is as not a 17 material weakness, but more a significant deficiency, and 18 where the focus needs to be in the system would probably be 19 healthy. 20 Some of that has to be worked out between the 21 outside accounting firms and management and some of that can 22 be assisted by the PCAOB as well. 23 MS. STACEY: I want to come back to the 24 communication of significant deficiencies in a minute. 25 Mr. Brunner, you had your tent up a little while 1 ago and put it down and it is up again. Go ahead. 2 MR. BRUNNER: To close up the item that I took it 3 down for, my personal feeling is the desire and willingness 4 -- I don't mean to speak for the auditors, but the ones I 5 know -- and for management, they do prefer to have that open 6 ongoing early dialogue. 7 I don't think it is a fear or mistrust factor 8 between the two individually. I think it is fixable. I 9 think it is really a little bit of a given freedom of 10 guidance of saying the judgment of determining when you have 11 crossed that line of independence is one you have to make 12 every day. It can't be done by simply not talking. 13 On the other, and this might be bleeding into the 14 next topic, in judgment, the other areas, materiality, I find 15 to be a very slippery slope. We all talk about percentages 16 and such. The struggle with materiality is much from the 17 concept of what could happen, and the judgment that goes into 18 effect of saying what is the likelihood or what are the 19 string of events that are going to have to make a "could." 20 Taken to its extreme, the "could" could take you to 21 a 100 percent assurance because well, some remote thing could 22 happen. I think there is some work that can be done on 23 helping everyone get to the proper level of "could," and that 24 would really substantially help in scoping. 25 MR. BELLER: This is more in terms of scope than in 1 terms of what is a material weakness? 2 MR. BRUNNER: I think it can help in scoping 3 because it will set the tone of what you work on in this 4 period. When an issue comes up, let's say you have scoped it 5 and it comes in, then you get into the debate of significant 6 deficiency or not. 7 Then you are dealing with it came to the table 8 possibly because it may or may not have been a material item, 9 but once it is there, the "could" I find drives what the 10 breaking point between not a significant deficiency, a 11 significant deficiency, and a material weakness. 12 I agree with an earlier comment. Material 13 weaknesses, they are pretty obvious. 14 MS. STACEY: Mr. Stauffer? 15 MR. STAUFFER: Just to go back on that one point I 16 wanted to close out on relative to advice and the 17 Commissioner's question as to what else can be looked at. 18 The effect of not wanting to give your auditor 19 information before it has been reviewed five times and 20 causing delay, I think, is a very interesting topic. It gets 21 back to the issue that the standard talks about, who caught 22 it first. 23 I think more light around that issue on who caught 24 it first and the debate on what that is really trying to 25 drive at is very important because as mentioned here numerous 1 times, it is stifling the process and creating timing 2 problems as we move forward. 3 Relative to deficiencies, it is clearly very, very 4 judgmental. There is no bright lines in this area, unless 5 you have a slam dunk material weakness because the auditor 6 found an error in financial statements that is 50 percent of 7 net income, things start to become very difficult and 8 judgmental. 9 I would tell you that is a learning process also. 10 Most people, as most people didn't have to evaluate controls 11 before and most people did not have to evaluate deficiencies 12 before, so the newness of the process, the lack of guidance 13 in the area, the implementation of the process, and I agree 14 very much so with the "could" factor, has all driven this 15 process to be highly judgmental, and help in the area of 16 evaluating deficiencies and good practices, best practices, 17 and guidance in that area is very important. 18 MS. STACEY: There was some suggestion in the 19 comment letters that the engagement partners were in terms of 20 determining what is a significant deficiency or material 21 weakness consulting with their national risk partners and 22 deferring to them on these types of issues. 23 I wanted to see what the experience was with that, 24 if those comments are in fact true. It does beg the question 25 are they being overly conservative if they are consulting 1 with the risk partners whose main goal is probably to 2 minimize risk. 3 MR. STAUFFER: I wouldn't call it consulting with a 4 risk partner, but I would say we urge consultation in this 5 first year to make sure number one, that we had a consistency 6 in thought practice, and also to make sure that it was new, 7 people weren't in a different area than we thought was 8 appropriate, and it required a lot of judgment, so we thought 9 it was important to bring enough resources to bear to draw 10 the conclusion correctly. 11 Yes, we did encourage consultation at the national 12 level, but not necessarily from a risk perspective, but from 13 a quality perspective and a consistency perspective. 14 MS. STACEY: Mr. Koch? 15 MR. KOCH: I would echo that. We certainly 16 encouraged and did consult quite a lot with our national 17 office, but I would definitely say it did not become a matter 18 of deferring to the national office for a conclusion. That 19 process always arrives at a commonality of judgment and a 20 view of the firm. 21 I wanted to touch also for a minute on the 22 significant deficiency point, and a little bit of a different 23 take on it. 24 I think the level of communication interaction with 25 audit committees has been extremely good throughout this 1 process. I think that in part has been driven by audit 2 committees' expectations to be communicated with, and the 3 higher level of interest that they obviously have had. 4 I think if you will, the judgment, the capability 5 to exercise judgment around significant deficiencies has been 6 very helpful in, for example, situations where in the past, 7 it may have been hard, if I can put it this way, to encourage 8 management to get ahead of a fire, rather than fight it year 9 in, year out from behind. 10 I think the ability to aggregate situations -- 11 earlier there was discussion about information technology. 12 That would probably be the one area I would point to as an 13 example of this. To really have attention focused at the 14 audit committee level driving to solutions that really I 15 believe became more permanent solutions rather than, if you 16 will, band-aids on individual items. 17 Another point I would want to make about 18 materiality as it plays into the judgments around significant 19 deficiencies and material weaknesses, I do believe the 20 question or the point of requiring deficiencies to be 21 assessed as they may relate to quarters is something that 22 should be given serious reconsideration. 23 It can drive the materiality level to what I would 24 argue at times is an inappropriately low level, and perhaps 25 raise the risk of over reporting to the audit committee, 1 maybe to an extent where the audit committee has difficulty 2 separating the wheat from the chaff. 3 MS. STACEY: Before we go back to the panelists, 4 Commissioner Atkins? 5 COMMISSIONER ATKINS: I just have a question 6 regarding informal guidance. When we are talking about as a 7 policy maker here, when we set out our rules and what not, 8 part of what happens is things get shaped by informal 9 rulemaking from our staff and of course, staff at the PCAOB, 10 through staff accounting bulletins and speeches, which were 11 referred to before, which fall outside of any formal 12 rulemaking process. 13 I was wondering in this area in particular, when we 14 are talking about what you all are struggling with, have you 15 been getting any informal guidance? Speeches have been 16 referred to before. 17 Has that been consistent with Commission rulemaking 18 or has it tended to make the waters more murky, and then if 19 we look down the road towards an inspection or examination 20 program, which you all have suggested, how do we make that as 21 transparent as possible? 22 You are going to have a conflict between 23 confidentiality concerns on the one hand and then guidance 24 concerns on the other. 25 I am worried about muddying the waters even more 1 going ahead, and want to keep it as transparent as possible. 2 MS. STACEY: Anyone in particular? 3 MR. BRUNNER: I'll take a stab. I'm not sure I can 4 give you a fully quality answer. Yes, I have seen where the 5 water has been muddied through informal guidance coming out 6 there. I think it's a bit of a natural outcome of a very 7 unsure environment. 8 A lot of people working in an environment with 9 regulators and so to speak bosses that are different, so they 10 are grasping at pretty much anything that can be found to 11 give guidance. 12 I think yes, it is happening. I think the more 13 that can stabilize and the more we can give assurance that 14 professional judgment still has a very strong place, your 15 judgment can still have a strong place in this business, I 16 think we will go a long way towards taking some of that 17 grasping out of it. 18 COMMISSIONER ATKINS: Through a formal notice and 19 comment process and maybe the FAQ process, that would 20 probably be the most helpful in that area? 21 MR. BRUNNER: I think it would. 22 MS. STACEY: Mr. Lyons? 23 MR. LYONS: I want to come back to audit 24 committees. I would say as a general matter, our view is 25 that in most of our clients, the audit committees are 1 functioning far better than they did in the past. 2 I don't think that is really a 404 result. I think 3 that is just the overall environment. That has been a very 4 good thing. 5 I think we are seeing management -- far more often, 6 you hear the CFO say well, you know, I'm just going to call 7 the chairman of the audit committee to give him a heads up on 8 this. That is largely a good thing, although I think we do 9 have to temper it. 10 Some audit committee members would say I need 11 better information, but I don't need the volume of 12 information. I think you need to recognize it. 13 I would say, for example, to be on the audit 14 committee of a General Electric, it has to be one of the most 15 daunting tasks one can imagine, to actually spend the time 16 and energy actually understanding an organization that large 17 and complex. 18 Sometimes audit committee members are saying we 19 need more distillation. It's not they don't want the raw 20 data. They can't do it. They do urge sometimes a little bit 21 of moderation. I'm hopeful that will work itself out in a 22 natural cycle, that perhaps now in some cases people are 23 getting more -- there is maybe a little bit more 24 communication than there might need be because you are 25 imposing burdens that may be a little bit too much, but to me 1 that is okay, if we can work out an equilibrium. 2 I do think as a general matter, most audit 3 committees are far better than they were. The level of 4 communication with audit committees between management is far 5 better than it has been and with their auditors, as a general 6 matter. In that area, we have seen substantial improvements. 7 MS. STACEY: What do you think they are being 8 provided that they don't necessarily need? Is there anything 9 as a result of our rules that they are being provided? 10 MR. LYONS: I don't know if it is a result of your 11 rules, but what you need is something that distills it down, 12 that tells them what are the issues. 13 If I'm on an audit committee, I want something that 14 says what are the ten issues or whatever the number is, that 15 you guys wrestled with. Why don't we start with that. Tell 16 me what are the things you spent -- what did you spend your 17 most time talking to your auditors about. Let's start with 18 that. I need to know how the company is doing. Let's start 19 with the ten things or whatever the number is, and Larry, you 20 might comment. I want to start with that, tell me what you 21 wrestled with, let's start there. 22 MS. STACEY: Let's give Mr. Stauffer a chance. He 23 has had his tent up for a while. 24 MR. STAUFFER: I'd like to just make sure you 25 consider five areas in this evaluation of deficiencies that I 1 think from my experience this past Winter have clearly made 2 it a difficult area to deal with. 3 The first area, and this is where I would agree 4 with Larry, in the interim, the materiality issue. 5 Evaluating a potential deficiency, potential, not known 6 deficiency at the interim level effectively reduces the 7 materiality measures at quarterly levels. 8 I think it makes it highly complex and probably not 9 as appropriate as it should be. 10 Second area is the aggregation or the combination 11 of weaknesses, taking significant deficiencies in an area and 12 aggregating to a material weakness. That has proven to be 13 highly complex. 14 More best practices examples in that area, I think, 15 would be very helpful, very judgmental to try to pull that 16 together. 17 The "could" factor is the other area that makes it 18 very difficult. You are looking at a control deficiency that 19 has not resulted in an error, and you are trying to determine 20 what could happen here and develop some level of materiality 21 criteria and magnitude and likelihood factors around 22 something that never has maybe resulted in a significant 23 adjustment to the financial statements. 24 The other area which a lot of people had a problem 25 with is what I would call the "well reasoned position." 1 Companies who have designed very good controls and processes 2 around selection and application of GAAP find themselves 3 having an incorrect decision being made, although very well 4 reasoned. 5 When you sit back and say should that -- that 6 correction results in a misstatement to the financial 7 statements that is material or maybe even a restatement, you 8 sit back and say to yourself what would you have done 9 differently there, and what control failed. Very difficult 10 area to deal with. 11 Finally, I think some best practices and examples 12 in the compensating control area. It is an area that has 13 prevented many significant deficiencies or deficiencies from 14 becoming material weaknesses, but it is very difficult, not a 15 lot of information and examples out there on how that should 16 be applied. I think there may be some inconsistency in that 17 practice. I think some help there would be very useful. 18 MR. BELLER: I want to make sure we get the two 19 things in the few minutes we have left. I know there are a 20 lot of cards up. I am hoping some of them address this, they 21 both are follow ups to what we have been talking about. 22 One is we have heard a lot today and there is a lot 23 in the comments file about the need for additional guidance 24 to issuers, so that they can -- it is guidance that goes 25 beyond what is material, or at least it seems that it is 1 guidance beyond what is material. 2 It seems to be a suggestion that if the Commission 3 either by rulemaking or by interpretation came up with 4 something that looked like AS-2, then issuers would be better 5 prepared to reach their own conclusions about scope and 6 materiality, and they would have something to point at when 7 the accountants pointed to AS-2 and said see. 8 The 404 rules were consciously written to be very 9 principles' based. Reasonable assurance, reasonable levels 10 of documentation, reasonable levels of scope. 11 I guess if anyone on the panel could sort of help 12 us out. What would you want from the Commission that would 13 make it easier to -- I guess the way I would describe it is 14 allow issuers to be more comfortable and allow auditors to be 15 more comfortable with issuers using their judgments. 16 Another way I could phrase it would be that would 17 make auditors more comfortable in deferring to issuers' 18 judgments that conclusions are reasonable. 19 Is there anything the panel can do to help us out 20 on that one? I think if you look at the file, a crucial 21 piece of what we are hearing about, kind of the context in 22 which it would be easier to exercise judgment. 23 MS. STACEY: Ms. Sparks, while you haven't adopted 24 404 yet, perhaps you have a good perspective. 25 MS. SPARKS: That's currently where we are in the 1 process. I'm sure other members on the panel haven't 2 forgotten that process. It's not been that far removed. 3 There is a lack of guidance for issuers. If the 4 issuer has the guidance they need to make the 5 planning/documentation type decisions that fit their company, 6 that makes sense for their company, and the auditors feel 7 comfortable that they can rely on the judgment of management. 8 I guess that goes back to the two things, one 9 having some sort of guidance. The last thing we want is to 10 have more rules. In the absence of rules, our judgment, our 11 testing, our documentation is not allowed to be relied upon. 12 Therefore, we are back to okay, we need more rules. 13 The second thing is what are the repercussions to 14 the auditors if they say well, we did rely, we did allow 15 management's documentation, management's testing, 16 management's conclusions to stand, what are the repercussions 17 in that situation when they go through the inspection phase. 18 MR. BELLER: David? 19 MR. SHEDLARZ: I think this is where I started with 20 all this. Don't wish too much for what you want, you may get 21 a lot of it. 22 (Laughter.) 23 MR. SHEDLARZ: I don't want a lot of rules. Let me 24 say it right up front, I'm not looking forward to that. 25 Again, for the outside accounting community, they 1 are looking at the way this is going to be practiced. They 2 are playing into a dark hole. 3 This season of reviews and investigations is going 4 to be somewhat defining in terms of the extent to which we 5 are going to encourage the utilization of their professional 6 judgment, and also the extent to which they are going to show 7 some flexibility. 8 I just used as one example the principal evidence 9 standard, which is basically we will rely on nothing the 10 company has done. I'm not sure, in fact, I'm pretty sure 11 that is not what the PCAOB intended in terms of its guidance. 12 Until they actually see the practice, until they 13 actually see the evidence of the season, it is going to be 14 very difficult to kind of change the behavior of the 15 accounting community and in some respects management. 16 I think some of the frequently asked questions and 17 answers can help a little bit. I think the proof is going to 18 be how we are going to practice this in terms of the review 19 of the PCAOB in this particular season. 20 My sense is and I've heard Chairman McDonough talk 21 about this on a number of occasions, they expect to be very 22 balanced in their approach. If that in fact occurs, I think 23 some of this at least will show greater flexibility going 24 forward, and maybe a greater balance in some organizations in 25 terms of the cost and benefit. 1 We did a survey of the business roundtable. We had 2 some numbers thrown on the table. The upper end of the 3 survey in terms of the number of internal controls that were 4 reviewed is 80,000. The upper end in terms of internal 5 utilization of manpower in order to accommodate what is going 6 on in terms of internal control testing and documentation is 7 approaching a million hours by a firm. 8 Again, I'm not pointing to any regulatory body here 9 sitting at the table, but it does say some people are 10 practicing this at the extreme in the interest of very 11 conservative and a risk adverse approach to what is going on. 12 MR. BELLER: We are going to give Commissioner 13 Glassman the last word, but Robert Hodgkinson has been very 14 patient with having his card up. Go ahead, please. 15 MR. HODGKINSON: Thank you very much. I don't want 16 to seem like I'm giving an advertisement for Turnbull, 17 especially since we are in an open consultation phase and 18 listening to people's experience. 19 MR. BELLER: For the audience who doesn't know what 20 Turnbull is, it is the framework for internal control that 21 has been adopted in the United Kingdom, and which is being 22 examined. 23 MR. HODGKINSON: It was issued in 1999 and was one 24 of the SEC approved frameworks. 25 I think there are two points about the guidance for 1 issuers coming first. I think our experience was if it comes 2 first, as it did in the case of Turnbull, it can be quite 3 principles' based. That is the guidance. It is 15 pages, 4 and in six years, there has been no supplements. 5 It relates to the whole risk management and 6 internal control spectrum, it doesn't just cover internal 7 financial control. 8 The guidance for auditors has followed, but it is 9 for the review process, not an audit, and it is even slimmer, 10 not even in its own book, at five pages. 11 The lesson you might want to draw from this is 12 perhaps there is an issue in kind of holding the nerve here, 13 because in some of the feedback we have had on the 14 consultation about whether we should revise this, people have 15 said in the early years, they were compiling risk registers 16 which were very voluminous and this is all controls. This 17 wasn't just financial reporting controls. 18 Over the years, boards have wanted to kind of take 19 control of the issue and get it away from the experts because 20 they have to own it. They have to sign up to this. There is 21 no excuse for not being able to read 15 pages. There has 22 been a transition towards boards taking ownership of it. 23 There is an issue of kind of keeping the nerve and 24 not issuing more and more guidance, which pushes it further 25 away from boards to management because they are not paid to 1 read 100 to 300 pages of guidance. 2 This issue of holding the nerve there, and also one 3 of the interesting issues is people have not been tempted to 4 go into an endless kind of definitions here. We have talked 5 a lot today about definitions of significant deficiencies and 6 control deficiencies and material weakness. 7 Actually, what people have been asked to do is 8 express an opinion on effectiveness. In the guidance, we 9 never went beyond the effectiveness. That is the word. That 10 is the word that management have to identify with. As soon 11 as we are off into the undergrowth of defining more and more 12 terms, even the proposal, which seemed sensible at the time 13 that we should define the word "could," we are never going to 14 end. 15 You can just say we are always going to have an 16 undefined term, let's try to keep it as high level as 17 possible, and get people to actually think what it means for 18 them, and then when a PCAOB inspector comes along or an 19 investor who wants to have a dialogue, you can talk about 20 what it means to you, and then it might mean something 21 different to them, but at least you are having a real 22 conversation. You are not having a theological debate about 23 the word "could" or significant deficiency or whatever. 24 MR. BELLER: Commissioner Glassman? 25 COMMISSIONER GLASSMAN: I think my comment follows 1 on that comment, which is perhaps we should think about 2 rather than more guidance for issuers, pulling back on the 3 specificity of the guidance for auditors. Maybe we can deal 4 with that in the next panel. 5 MR. BELLER: Time is up. For the audience, we are 6 going to go right into the last panel. Please don't take a 7 break. 8 I'd like to thank this panel, Carol and me, for a 9 very constructive session. Thank you very much. 10 PANEL SIX - NEXT STEPS 11 MR. NICOLAISEN: This is the panel I have been 12 looking forward to, not because it is the last, but because 13 this is the one where we actually get some direction as to 14 where we might take this next. 15 This is it, panel six. We are going to be asking a 16 few questions that I don't think have been asked yet. We are 17 also going to be looking for some guidance and advice and 18 input from all of you. 19 This is a session that I would really encourage 20 both board members and commissioners to participate in, to 21 the extent that you care to. 22 Once again, if you put your tents up, that is the 23 easy way for us, your name tags, that is the easy way for us 24 to identify who is on the cue to speak next. I'm not going 25 to go through a whole lot of other rules because I think we 1 have done that enough at this point in time. 2 Let me get on with introduction of this panel. 3 Starting with Rodgin Cohen on my left, chairman of Sullivan & 4 Cromwell. Tim Flynn, who is vice-chair of audit practice at 5 KPMG. Robert Greifeld, president and chief executive officer 6 of Nasdaq. Michele Hooper, president, Chicago Chapter, 7 National Association of Corporate Directors and managing 8 partner of The Directors' Council and audit committee chair 9 and other things. 10 Deborah Lambert. Deborah is a founding partner of 11 Johnson Lambert & Company. She is also a member of COSO. She 12 is on our small business advisory committee. 13 Rebecca McEnally is a senior director of Capital 14 Markets, CFA. She is one of the analysts who keeps me honest 15 and asks me a lot of questions, and for that, I am grateful. 16 Tom Szlosek is vice president and controller for 17 Honeywell International. Of course, the Honorable David 18 Walker, comptroller general of the United States. Ann 19 Yerger, who is executive director of the Council of 20 Institutional Investors. 21 Welcome to each of you. Dave Walker, you haven't 22 had an opportunity to give the voice of experience yet from 23 the governmental perspective. I know you wear a lot of hats 24 or have worn a lot of hats that are much broader than that. 25 You have listened to some of this. You have tremendous 1 experience. 2 Any suggestions for us as we go forward? 3 MR. WALKER: Well, Don, I think I and GAO may be 4 somewhat uniquely positioned to be constructive here because 5 in a former life, I was with Arthur Andersen when it was 6 arguably the world's best firm, PricewaterHouse, Coopers & 7 Lybrand, and now as comptroller general of the United States, 8 we audit the U.S. Government, the I.R.S., the Bureau of 9 Public Debt, the F.D.I.C., and yes, the SEC. 10 (Laughter.) 11 MR. WALKER: I think it is important to understand 12 that we, before 404 came around, and before Sarbanes-Oxley 13 came around, GAO was voluntarily expressing opinions on 14 systems of internal accounting controls ourselves in all of 15 our audits, and we also had dealt with some of the 16 independence issues and other issues. We try to be ahead of 17 the curve. 18 Let me give you the bottom line, because we are in 19 the business of speaking truth to power, and the SEC is 20 power, and so is the PCAOB, I might add. 21 I would respectfully suggest several things from 22 all the evidence I have seen and that my very capable staff 23 has seen. 24 One, the concept behind Section 404 with regard to 25 the additional emphasis on internal controls is valid, and 1 that the law doesn't need to be changed. 2 Secondly, the cost of implementation has been far 3 in excess of what many anticipated, and I think there are 4 several reasons for that. In one case because I think people 5 weren't doing nearly as much work on controls as some people 6 thought they were or should have been doing, and in some 7 cases because the reaction to the guidance under Standard 2 8 has been such that people are now auditing every key control 9 every year. That is a huge swing in a pendulum in a very 10 short period of time. 11 Obviously, first year costs are a lot higher than 12 recurring costs. How much it will come down, reasonable 13 people can differ. I think the real question is where do you 14 go from here, and not just with regard to the large public 15 companies, but also those with a deferred implementation 16 date, where do you go from here. 17 I would respectfully suggest that our experience 18 may be relevant for you to consider. Under the financial 19 audit manual that we use as a basis to express an opinion on 20 internal controls, we use a risk based approach. We do allow 21 for a risk based approach where the auditor uses judgment to 22 determine which key controls should be tested each year, and 23 that determination is made each year with the idea that over 24 a reasonable period of time, all key controls will be tested. 25 I think what you get with that, with appropriate 1 documentation, is you get a better balance from the 2 standpoint of cost benefit, and I think it is something that 3 could potentially be applied broadly going forward. 4 I think the other thing that you have today that 5 didn't exist in the past is you have the PCAOB's inspection 6 program. Therefore, the PCAOB's inspection program is such 7 that it has the ability to look and to find out what the 8 firms are doing in this regard, to try to help provide 9 reasonable assurance that people aren't cutting back too far. 10 I do think the answer is, and I would respectfully 11 suggest, some type of a risk based approach similar to the 12 financial audit manual that we use to do our audits. We 13 would be happy to share more details should the PCAOB and/or 14 the SEC so desire. 15 MR. NICOLAISEN: Terrific. Thank you very much. 16 Let me just shift gears for a minute. One of the 17 things that we didn't talk a lot about is what doesn't the 18 internal control work accomplish. 19 I suppose some people might have been sitting here 20 today and they listen to a company that has 50,000 or 60,000 21 control processes in place that they view as key, which again 22 sounds like an oxymoron to me, but I assume it is just 23 important controls, and others that have looked at 9,000 or 24 20,000 controls, and some people, I assume, could walk away 25 from here assuming there will never be another fraud or there 1 will never be another set of accounts that require 2 restatement. 3 Rebecca, you are raising your eyebrows. Would you 4 care to comment about that? 5 MS. McENALLY: Quite frankly, our view is Rule 404 6 is the linchpin of Sarbanes-Oxley. If we get this really 7 right, just about everything else in all of Sarbanes-Oxley 8 falls into place. As we investors have had to re-learn very 9 painfully in recent years, if we mess all of this up, it's 10 going to be very bad indeed. 11 The question for us is as it is for any kind of a 12 system, what are the specific vulnerabilities of this system 13 that we need to worry about most, not the 50,000 key 14 controls, but what is the ultimate risk that we investors, 15 the auditors, everyone else involved in this might face. 16 The biggest wolf that we have to worry about eating 17 us, we learn time and time again, as all of the painful 18 collapses occurred, and that is the risk that a company's 19 business model either is failing or has failed, and we don't 20 know about it yet. That's the biggest risk. 21 In every one of them, from the tech bubble collapse 22 all the way through the mega company collapses, that was the 23 key element that somehow had escaped. 24 What happened when that began happening was that 25 first the accounting became increasingly exotic. It is 1 almost funny if it weren't so painful to read about it now. 2 Following that, in order to try to paper over the cracks as 3 they were occurring increasingly in the public eye, was an 4 override of the internal controls, circumvention of the 5 internal controls, until our whole system finally crashed. 6 What do we do about this? That is the question. 7 It's not all that complicated, but it requires that we 8 rededicate ourselves and shift some resources. 9 Evaluating business risks, since I first studied 10 auditing a very long time ago, has always been part of the 11 objective of an audit. However, it has usually gotten very 12 short shrift. I think most auditors, if you take them aside, 13 would agree, well, we have lots of other things we have to 14 do, yes, we pay attention, but that's not the biggest focus 15 that we have right now. 16 I would propose that we marry an evaluation of the 17 ultimate business risks in the business model of a company to 18 the broader audit plan. It's not that big a deal to do it. 19 Auditors can do this if they are willing to do it and 20 evaluate it. Then target the controls from that perspective. 21 We will stop there. 22 MR. NICOLAISEN: Don't stop there. Give me a little 23 more detail. What would you envision that being, that the 24 auditors would -- if I visit my friendly family doctor once a 25 year, which my wife always tells me to do, and I get there 1 and he usually says something like I want to take your blood, 2 we are going to do this and that, test your blood pressure, 3 basic things, can you still see across the room. 4 Then he says some specific things. Well, you are 5 getting a little older. I think this is a test that we ought 6 to run now, but he doesn't do that every year. He doesn't do 7 the same test every year and the same thoroughness. 8 Is that what you are talking about? There would be 9 some de-emphasis in certain areas from time to time, those 10 things that are less risky? Maybe you could just flush that 11 out a little more for us. 12 MS. McENALLY: I think this helps focus the 13 auditors' concern on the major problems that we are likely to 14 face. The big big overwhelming problems. We are all talking 15 about risk based audits, and that's fine. I'm fine with 16 that. Internal control evaluations. 17 Where are the big risks? The biggest risks to 18 investors are not that one tiny control down in the process 19 will fail, but that the biggest part of the business, the 20 business model itself is failing, and the potential for 21 failure of all of the other systems cascading down is not 22 caught early enough to bring that to light and to put the 23 focus of the audit on that. 24 It is patently obvious that is what occurred. We 25 could evaluate that in one way or another. I think it is the 1 evaluation of the model and the risks in the company's basic 2 business model, where it stands in its business, is it 3 profitable, is it failing, has the 20 percent compounded 4 annual growth for 25 years started to cool. That is a 5 typical one. 6 You start worrying after the tenth year of that, 7 but they still continue on until they collapse. 8 These are the kinds of things that we are concerned 9 about. Let's focus on some of the biggest issues. 10 MR. NICOLAISEN: On the big issues. Michele? 11 MS. HOOPER: I totally agree, but I would also 12 encourage us to step back because the whole issue of risk 13 based approach and enterprise risk management is not new with 14 Section 404. 15 When you look at what we have been doing on audits 16 historically, we have been using risk based approaches to 17 determine where the priority areas are. We use cycling of 18 those businesses. Even though it may be a smaller part of 19 your business, it may be a less significant part of the 20 overall revenues and profits to a firm, over a period of 21 time, it does get reviewed and it does get looked at. 22 New systems that come into an organization in terms 23 of application process systems gets reviewed as those systems 24 are implemented. 25 In looking at 404 implementation, I would be saying 1 and the NACD would be saying that those risk based approaches 2 already have a model out there, and in integrating them, the 3 process of internal controls, more with the financial audits, 4 that we would be bringing those two closer together. We 5 would be using resources more efficiently. 6 To use the term that was used in our last panel, I 7 think improve the overall effectiveness of how we are using 8 resources within our firms. 9 MR. NICOLAISEN: Rodg? 10 MR. COHEN: If I could comment quite briefly on 11 what I thought were two critical points which the comptroller 12 general made. 13 One is benefit versus burden, and the other is risk 14 based. There is no question that there is substantial 15 benefit from 404, and to me, the real issue is reducing the 16 burden so it is more commensurate with the benefit. 17 It is hard to imagine anything that could go 18 further to doing that. As Mr. Walker suggested, and I think 19 the next two panelists suggested, to be more risk focused. 20 Now let's go, if we may, to several other themes. 21 One is conservatism. I think you have heard that universal, 22 as an universal concern. The danger here is that 23 conservatism will say that everything is risky. What good 24 have we done. 25 Then we have talked about rules, but there is a lot 1 of skepticism about rules. I'd like to come to a last theme 2 which was struck, which I think does make very good sense in 3 trying to deal with this risk based approach, and that is 4 best practices. 5 That is one where either elements of an industry 6 can get together or you can go across industry lines. It 7 would be very important that this have the endorsement of the 8 Commission and the PCAOB as a process so people can feel 9 comfortable with it. 10 Best practices has the opportunity to fill in a lot 11 of gaps which there is an absolute reluctance to fill with 12 rules. 13 MR. NICOLAISEN: Bob? 14 MR. GREIFELD: Two comments. One, with respect to 15 concentrating on the risk areas, I relate to the NASDAQ 16 operation directly from a technology point of view, our core 17 value added that we bring to the market is systems that stay 18 up. We have made what I think are wise decisions with 19 respect to ascertaining the risk of various systems and how 20 often they have to be tested. 21 We have what we call a full and an incremental and 22 a full cycle that we go through. In a given year, certain 23 systems have to be tested completely. They have to be tested 24 every year completely. Other systems, you can bypass because 25 they are just not as critical. 1 Year one, we will test every system we have to make 2 sure that in a disaster scenario, in a regular outage 3 scenario, we can continue to serve the market. Then we will 4 have an incremental year where only the high value systems 5 are tested. Then we go back to a full year again. 6 It is a risk based approach, and in our world, this 7 operational risk is certainly more substantial than a 8 financial risk. People don't think of NASDAQ primarily on 9 the financial side, but certainly on the operational side 10 from operation of the market. 11 We think that concept can be brought to bear in 12 this arena. We conducted a survey of our listed companies, 13 and that was one of the top three responses. Please let us 14 have a risk based approach. 15 The second comment I would make is with respect to 16 having the business model tested as part of the audit 17 process, with all due respect, I probably disagree with that 18 point. I believe if we have good numbers, then there is 19 enough infrastructure in the industry through the analyst 20 community that will opine upon whether the business model is 21 going to work or not. 22 I believe we got into trouble when the analyst 23 community was opining upon numbers that were essentially not 24 proven. 25 If we do the Sarbanes-Oxley 404 correctly, then the 1 business model testing or the business model testing that 2 exists, there is the infrastructure that can make that 3 determination. 4 MR. NICOLAISEN: Does that lead you to a conclusion 5 that as long as the control processes are effective and 6 working and people are doing what they say they are doing, 7 that you would not end up with a potential restatement in a 8 set of financial statements? 9 MR. GREIFELD: That sounds like a set up question 10 to me. 11 (Laughter.) 12 MR. GREIFELD: Any system you devise or any rules 13 that you set up obviously are not going to be perfect and 14 where there is a human will, there is a way to get around 15 them. I think we are just trying to increase the probability 16 that it won't happen, and certainly I think that will be one 17 of the net benefits. There is no absolutes. 18 MR. NICOLAISEN: If you look at the banking 19 industry, if they never had a bad loan, they would say they 20 were too conservative in their lending practices and their 21 various policies and procedures. 22 Should we expect that we would not reach that level 23 or we would have zero tolerance for a restatement or an error 24 or a human mistake to occur? 25 MR. GREIFELD: Are you saying do we think we will 1 get to that level? 2 MR. NICOLAISEN: I'm asking you if you think we 3 should. Do you think this process is intended to do that. 4 MR. GREIFELD: I don't believe the process is 5 intended to get there, and I think it's an impossible goal to 6 establish that as an outcome. To the extent that you can't 7 have one person do something improperly based upon 404 8 controls, it doesn't mean you cannot have collusion between 9 two or three. That will happen. The odds of them getting 10 caught will increase dramatically, but it still will happen. 11 MR. NICOLAISEN: We just want to make sure there is 12 some appropriate understanding. 13 MS. YERGER: Very quickly, and I am going to be 14 unfortunately reiterating a few things. I agree with Rebecca 15 that the business risk is a key issue for all investors. 16 However, I also agree with what was just said, that what is 17 most important is that investors have access to high quality 18 financial statements to assess those risks. 19 The problem we have had is we have not had those 20 high quality financial statements, and in fact, we still are 21 having problems, for anyone reading the paper these days. 22 Clearly a few years ago, there was extreme distrust 23 that internal and external auditors I think candidly were 24 doing the jobs that investors were expecting of them, that 25 they were looking at the internal controls, these were being 1 evaluated, reviewed, updated and corrected when there were 2 problems that hadn't been happening, and I think 404 is just 3 vitally important in terms of getting the processes and 4 requiring us to go through. 5 I do not think 404 can stop fraud. Unfortunately, 6 bad people will do bad things. The hope here obviously is 7 that any kind of fraud hopefully will be uncovered before we 8 are at a point where Worldcom is or some of these other 9 companies. 10 Regarding the risk based comments, which I think 11 have been repeated themes throughout the morning and 12 afternoon, my sense is that AS-2 does allow for that. 13 I think the problem here is there may be an overly 14 conservative construction and interpretation of AS-2 right 15 now, and that's why I believe that what the PCAOB is going to 16 be doing with its inspections and what is going to be coming 17 out of the inspections is going to be vitally important in 18 terms of signaling to the audit community what your 19 expectations are of the audit process. 20 MR. NICOLAISEN: Tom Szlosek? 21 MR. SZLOSEK: Just listening to what Ann said, I 22 totally agree. We are probably in the sixth or seventh 23 inning. This probably might go to extra innings for all we 24 know. 25 The point is we have to let everybody get through 1 the process, the inspectors, the non-accelerated filers, and 2 then take a collective assessment of learning. 3 Don, you asked about what doesn't this accomplish. 4 We heard a number of times today about eight percent of the 5 companies have reported material weaknesses, but that means 6 92 percent have not reported material weaknesses. 7 Does that mean all 92 percent of us are good? I 8 would say no way. There is a lot of opportunity. There is 9 probably a wide degree of excellence in financial reporting 10 amongst those 92 percent. 11 For me as a new controller to the company I'm in, 12 and I'm surprised our audit committees aren't starting to ask 13 for this, how good are you even though you passed relative to 14 your peers and relative to the industry. 15 Maybe that is something as we move on into the next 16 cycle that we need to consider. That is something probably 17 for the regulators to decide. 18 There are also things that the issuers can do as 19 well. We are not waiting for any magical solution to come 20 along for us to reduce our costs by 46 percent. We are not 21 waiting for the auditors to come and give us a credit memo or 22 anything like that. 23 (Laughter.) 24 MR. SZLOSEK: You heard Susan talk about it earlier 25 from Viacom. We are sitting down and going through the 1 process internally, and how can we be more efficient. In a 2 big multi-national company with lots of locations, one of our 3 biggest challenges is standardization. We have such a wide 4 degree of standards in documentation and test scope. There 5 is a lot of homework that we can do, even in efficiency 6 assessment internally, that can therefore make the auditors 7 more efficient. 8 We have a lot of homework to do. I think the 9 auditors also have a lot of homework to do. The discussion 10 on the risk based framework I think is very powerful. I 11 would encourage them to embrace that, and just to get away 12 from the form driven aspects of this and really try and do 13 what they do best, which is deploy their experience. 14 I don't know how to encourage that. It is 15 certainly something that will address a lot of things we 16 talked about earlier. 17 MR. BELLER: As specifically as you can, you have 18 done some of it but I want to kind of ask you to go one step 19 lower down, as specifically as you feel comfortable telling 20 us, what are you planning to look at on your own in this 21 first step, and is there anything that we can do that would 22 encourage that in a constructive way? 23 MR. SZLOSEK: I talked about establishing 24 standards. 25 MR. BELLER: Standardization. 1 MR. SZLOSEK: In everything from what is the form 2 of your documentation. We struggled and wrestled with that 3 throughout the years. We finally came to a standard, but 4 it's not fully rolled out. 5 Other examples in that area would be deficiency 6 evaluation. The second thing is striving for linearity. 7 This had a tendency to bunch up towards the end of the year. 8 We talked a lot about the tensions that existed between the 9 auditors and the issuers. 10 I think a lot of it had to do with the snow plow 11 effect, suddenly it's November and December and you are still 12 not there yet, and there is still guidance coming out. 13 Trying to pull that in is one thing we are really going for 14 as well. 15 A good tracking mechanism for deficiencies. If you 16 are a multi-national company like us with hundreds of 17 locations, we learned a little bit too late that our tracking 18 mechanisms were a deficiency in themselves. We ended up 19 getting it corrected. 20 It is really important from an aggregation 21 perspective to have something that you can use when you know 22 you are going to be dealing with lots of deficiencies. We 23 are working on that. 24 Company level controls. One of the biggest 25 deficiency areas for us, and we didn't have any material 1 weaknesses, but one of the biggest deficiency areas for us 2 was access to computer systems. Honeywell has come together 3 over the years through acquisition and acquisition, not a lot 4 of integration systems. You don't have centralized controls 5 over access. 6 You find yourself looking at each individual pocket 7 and how you are controlling that. What we ended up 8 concluding -- what we did is we ran a number of different 9 test scripts, like Oracle has its own test script, SAP has 10 its own. We had granted a lot of access that was not 11 appropriate. Theoretical in a lot of cases, very, very 12 theoretical. Nonetheless, things that were flagged. 13 We had to sort through hundreds of those, literally 14 hundreds of them to find the key few that we really needed to 15 do something about, but the other 80 percent were mitigated 16 by company level controls. 17 We said, well, if that could happen, what would be 18 the next step and what would be the next step. 19 We came back and said during our planning for 2005, 20 if the mitigating controls were the company level controls, 21 the monitoring and so forth, why isn't that a major part of 22 your up front emphasis to reduce the amount of the kind of 23 testing I'm talking about. 24 Those are kind of examples of the practical things 25 we are trying to do. 1 MR. NICOLAISEN: That is very helpful. 2 Commissioner Atkins has his tent up. I am going to ask David 3 Walker first, because you have had yours up for a while as 4 well. 5 MR. WALKER: First, I will quickly follow up on 6 Rebecca's comment about business model risk. I think that is 7 a very, very important comment, and obviously that is 8 something auditors ought to be taking into consideration with 9 regard to the timing and scope of their control testing, if 10 you will. 11 I also think it has to do with the reporting 12 element, because it is really above the traditional types of 13 controls. I would respectfully suggest that auditors need to 14 think beyond going concern opinions. Going concern is where 15 you are within a year of tanking. We need a little earlier 16 warning system. 17 Part of that has to do with the issue of is the 18 business model broken. I would respectfully suggest that if 19 you read the GAO's audit opinion on the U.S. Government's 20 financial statements for fiscal 2004, you will see an 21 emphasis paragraph that says somebody's business model is 22 broken. While we are not issuing a going concern opinion, 23 the business model is broken and needs to be fixed. 24 (Laughter.) 25 MR. NICOLAISEN: Try following that. 1 (Laughter.) 2 COMMISSIONER ATKINS: I just wanted to get back, 3 because I agree with all the comments about risk based 4 approach and what not, and to pick up Don's analogy of going 5 to a doctor. We all know doctors in a lot of ways are 6 practicing defensive medicine. That's what we have been 7 hearing today, I think, about the accountants as well. 8 We have all been hearing how one of the keys will 9 be the exam process that the accounting board will be doing. 10 My worry is, and I asked this of the last panel, 11 that could yield a very ad hoc approach, and you all are 12 expecting reasonable approaches to be coming out of this exam 13 process. It could go the other way as well, as we have seen 14 on the banking side 15 years ago, and arguably in other 15 places elsewhere. 16 Rather than policy being set by examiners, I wanted 17 to ask about what Rodg brought up about best practices, which 18 I think is attractive, but that's exactly what COSO arguably 19 was supposed to be. I think some of us when we voted to 20 approve AS-2, we felt that was also going to be best 21 practices. 22 Obviously, something has not clicked. How do we 23 effect this without having either an uncontrolled ad hoc 24 approach, which will be not transparent, how do we approach 25 this type of best practices thing to get to exactly what we 1 are all trying to strive for? 2 MS. McENALLY: I'll take a shot at least at part of 3 that. I think a couple of things have to happen. I think 4 there is not just one mechanism to get feedback. I think 5 things like this are part of the feedback, where people start 6 to at least develop a consensus as to what the problems and 7 issues are. 8 Clearly sitting here today, there are themes that 9 recurred in every single panel we heard. 10 There are lots of forums and opportunities as we 11 move into the accounting world, where people get the 12 opportunity to share ideas in different kinds of forums. I 13 think there will be consensus through articles, through 14 forums, through that kind of thing. 15 I think also the different bodies will have 16 opportunities. I am involved with the COSO project that is 17 looking at this from the small business, and if we think the 18 large companies have had trouble implementing this, we have a 19 potential real big issue with the smaller companies. 20 I think we have a real advantage right now, that we 21 have a little bit of time on our hands, that we have a 22 delayed implementation for the smaller companies, and we have 23 the lessons we are hearing and learning from the larger 24 company implementation, and we have to make sure that we take 25 advantage of that. 1 The COSO group has set up a project, a task force 2 now, that is trying to develop implementation guidance for 3 COSO, for the smaller public companies specifically. Very 4 narrowly focused on smaller public companies. It is guidance 5 that is intended to be published this Summer. It will be an 6 exposure draft this Summer, that will at least get the 7 thinking in people's hands at that point in time, and then at 8 a later point in time with the smaller companies, it would 9 then be published in a final form in September. 10 This is not intended to be prescriptive. It tends 11 to be very risk based. This whole idea of the risk 12 assessment and business risk and feeding that into the 13 assessment of internal controls in these smaller companies is 14 clearly the driver. 15 It is intended to focus on some of the unique 16 issues that impact the smaller companies, just for example, 17 the management override issue in a smaller company can be 18 very different and very uniquely addressed in the internal 19 control system in a smaller company, and what compensating 20 controls or monitoring might be in effect, whether it is 21 through board and audit committee monitoring or some other 22 type of monitoring to help mitigate that management override. 23 You have similarly control activities, where you 24 typically might not have segregation of duties. How might 25 that be addressed in the smaller entity. 1 The idea that perhaps because management provides 2 more oversight, maybe there will be some examples there. 3 I think as we move forward, that is one whole 4 sector in terms of maybe it is not a large market cap, but it 5 is a lot of companies where we have opportunities to in 6 various forums to present and help people deal with 7 implementation and deal with future tweaking of what is being 8 done. 9 I think in that case, this guidance is intended to 10 be used both by the companies and by the auditors working 11 with those smaller companies. 12 That is one example of the kind of things I think 13 you will see evolving now. 14 MR. NICOLAISEN: Ms. Hooper, was your tent card up, 15 too? 16 MS. HOOPER: Yes. I agree with that, but I would 17 also say that part of the issues that I've seen and others 18 have talked to me about and on the audit committees that I 19 participate in and chair, part of a real issue we had last 20 year was timeliness of information and guidance getting out 21 to us. 22 We already are in year two. We are already 23 beginning to scope out, we are already beginning to talk 24 about what went well, what we need to do differently as we go 25 into year two. We are in year two. 1 I would respectfully encourage us to move with some 2 deliberate speed. We can't take months and months to begin 3 to dialogue and bring out additional information on how both 4 we as corporations and the external audit firms approach the 5 second year. 6 I do agree with the comment that was made earlier 7 about being able to look at best practices. Best practices 8 work. It is something that allows you to begin to get a 9 level of consistency about how people see things. It allows 10 you to see case studies, if you will, so that you can then 11 bring that knowledge in house. 12 We can't take forever to begin to do that. I agree 13 with what I am hearing, but would encourage speed. 14 MR. NICOLAISEN: There is some urgency to the task. 15 MS. HOOPER: Absolutely. 16 MR. NICOLAISEN: Mr. Greifeld, were you responding 17 to the Commissioner? 18 MR. GREIFELD: Yes. The way we see the world is 19 the audit firms are in a very difficult position in that the 20 threat of lawsuits is very real, and there hasn't been very 21 clear guidance or very clear direction to refer to this 22 guidance as the standard to move along. 23 If I'm in charge of an audit firm, I know I want to 24 protect against lawsuits, I also know I would probably like 25 to increase revenue. To the extent I take a conservative 1 view on what the requirements are, then I accomplish both 2 goals. 3 When we talked to our listed companies, 76 percent 4 of them actually said Sarbanes-Oxley was a good thing and 5 they were in support of it. The support is there, but where 6 it falls down is in terms of the cost of implementing this. 7 This is the last panel. You obviously have heard this 8 before. 9 The solution has to be where the audit firm has 10 clear direction with respect to what the standards are, and I 11 posed this to certain CEOs. I said what you are asking for 12 basically is for more rules, if you follow this to the 13 logical end. Their answer, surprisingly enough, was I would 14 prefer at this point to have more clear set rules if you can 15 relief some of the costs and the uncertainty of the 16 implementation. 17 I think those are fairly dramatic comments. 18 MR. NICOLAISEN: Conditional rules. Rules if we 19 like them. 20 MR. GREIFELD: Rules that they know their audit fee 21 will be reduced or the cost of just the total implementation 22 and the continued implementation of 404 would be reduced. I 23 think they are dramatic comments. 24 MR. BELLER: I actually want to ask Mr. Flynn of 25 KPMG kind of a variant of the question that Tom Szlosek posed 1 and answered, which is sort of what are you doing in the next 2 two to three months without regard to what we are doing as an 3 urgent matter to make your two different from your one? 4 MR. FLYNN: Let me comment. Number one, in regard 5 to fraud and your question regarding fraud, clearly 6 Sarbanes-Oxley and 404 have gone a long way to deter fraud, 7 to limit fraud, but they are not going to prevent fraud. We 8 talked about collusion, human nature, certain things. 9 In terms of what we are trying to accomplish, our 10 number one goal is audit quality, for the benefit of the 11 capital markets, transparency in the investors. That is what 12 we are focused on within our profession today. I think we 13 have made a lot of strives. 14 We have talked about some of the tensions today and 15 the costs associated with different things. Part of that is 16 we are doing more robust audits. We are trying to balance 17 all things. 18 Is the business model and the business risk 19 assessment a process of the audit? Is the internal control 20 risk assessment process part of the audit as it relates to 21 the financial statement risk and assertions? The control 22 environment and how that relates to our substantive audit 23 procedures, and then reporting and disclosures and 24 transparency. 25 We are simply doing more audit work, more testing 1 of controls and transactions than we did two or three years 2 ago. That is to improve audit quality across the profession 3 as well as improve transparency in financial reporting. 4 I think we have made great strives working with the 5 regulators and working in the profession and with our clients 6 to make that happen. 7 If you look at 404, 404 was not intended to be a 8 mild exercise. It was intended to be a robust exercise to 9 bring great benefit to the financial reporting and 10 transparency. 11 There is no question that in year one, we didn't 12 all get things right, and there is great room for 13 improvement, both at the auditors' perspective as well at the 14 issuers' perspective. 15 What we are doing, what we believe the auditors can 16 do, are the following three things. Number one, truly 17 integrate the audit process this year. It was a goal in year 18 one. It didn't get accomplished. We can give you all the 19 reasons why and we all know the deadline slipped, the timing 20 of guidance, the timing of the pronouncement, but the reality 21 is it was a first time through the process. 22 To make judgments of what we could rely on and what 23 the outcomes might be ahead of time to adjust the audit 24 process, we simply didn't have the ability to do that in the 25 first year. 1 We are focused as a firm in its profession to make 2 that happen in year two. We have the time to work with our 3 clients. 4 We brought together 50 partners on April 7th to be 5 briefed in our firm on 404. What went well, what didn't go 6 well, what can we improve, how can we help our clients 7 improve their process. 8 We have the time to plan the audit as an integrated 9 audit and with our clients to make that happen in year two, 10 and we are confident that will happen. 11 Number two, better use of other's work. Statement 12 number two has the flexibility to allow that to happen. It 13 did not happen in year one to the degree we would have liked 14 it to happen. Again, there are reasons why that was the 15 case. 16 It was the first time through. Our clients' 17 resources were dedicated on their responsibilities, executing 18 their management assessment process. Again, having applied 19 the time to execute with the deadlines we all faced and not 20 knowing the outcomes, it didn't allow that to happen. 21 We are focused on making that happen in year two. 22 The third point is being more consultive with our 23 clients. We talked about that in the last panel. How can we 24 work with our clients more, scoping and designing and more of 25 a cooperative process. Working together in an appropriate 1 way to bring independence and transparency to the process. 2 That is what we are doing over the next number of 3 months to improve the process. We think there are things the 4 issuers can do as well. Embed the 404 process in the fabric 5 of your organization. Make the operating people responsible 6 for the control environment. Then use internal audit to go 7 check and do compliance work on top of that, additional 8 assurance. 9 In addition, companies have a vast knowledge of 10 their control portfolio today. They didn't have it two or 11 three years ago. Look at that control environment, how can 12 you improve it. Go from manual controls to automated 13 controls. Go from detective controls to preventive controls. 14 Look at the business processes those controls impact and use 15 it to improve the business processes, reduce the number of 16 controls but make them stronger by automated and preventive 17 controls. 18 That is a key opportunity to recover the investment 19 on 404 beyond compliance. Let's do it not as a compliance 20 exercise, but a business improvement opportunity. 21 The regulator, a lot of our guidance, there are 22 areas we can all use guidance on. We heard all about it 23 today. Statement number two can work. It is not about 24 re-doing statement number two. It's about getting practical 25 examples. 1 As the PCAOB does inspections this year, we would 2 encourage you early on in the process to have another forum 3 like this where you talk about what were your early findings, 4 so we can embed those findings in this year's audit cycle to 5 help us integrate 404, and make sure you are making the 6 proper judgments that are based upon facts and based upon 7 experiences. 8 We can use that now to make better judgments in 9 year two with the help of all parties in the process. 10 MR. NICOLAISEN: Rodg and then Commissioner 11 Goldschmid. 12 MR. COHEN: There are, I think, two very key 13 questions which have been asked, Commissioner Atkins' and 14 then Don, yours. Actually, I think they are related. 15 Let me start with Commissioner Atkins' question, 16 which I think is quite important. This may be unnecessary 17 because the chair of the PCAOB, I think, knows better than 18 anybody in the United States what I am going to say, but 19 there is an issue of tone from the top, not merely at 20 registrants, but also at agencies, and particularly that is 21 critical when the agency has an examination function. 22 If the tone is you better not make a mistake in 23 your examination, that is going to lead to one result. If 24 the tone is to err is human, to forgive is divine, that is a 25 very different way the examinations are conducted. 1 How that relates, I think, Don, to your question, 2 is what can you expect out of 404. I would suggest that in 3 this area, perhaps the greatest enemy of the good isn't the 4 bad but striving for perfection. It is not going to be 5 perfect. There will still be fraud. 6 I do believe that even robust internal controls and 7 excellent accounting oversight is not going to prevent in all 8 cases loss of value or even insolvency due to flawed business 9 models. The most that you can hope for is that the flaws 10 will be disclosed as early as practical. 11 MR. NICOLAISEN: Commissioner Goldschmid? 12 COMMISSIONER GOLDSCHMID: I wanted to test what I 13 think I have been hearing in this panel and all day, in fact. 14 If I understand it correctly, there has been relatively 15 little criticism of Section 404 itself in Sarbanes-Oxley, and 16 relatively little, and Alan Beller is biased, but I am, too, 17 about the SEC's drafting in the area. 18 (Laughter.) 19 COMMISSIONER GOLDSCHMID: Relatively little, I 20 would say, about audit standard two in the PCAOB's drafting, 21 most of the focus all day, and it's been true in this panel, 22 has been on implementation, and on the conservative 23 atmosphere, and that drives excess costs. It drives the lack 24 of communication. It drives most of the problems that have 25 been raised all day. 1 If I understand where you are telling us it ought 2 to be driven now, it would be towards more guidance, good 3 practice, some combination of that type, to a sensitive 4 PCAOB/SEC review of this first year, where we know there have 5 been bumps and we know the second year would be better, and 6 then to look at the judgmental areas, reliance, risk based 7 assessments, integrated audit, as a way of moving -- these 8 are all contemplated, if I read our documents correctly, in 9 what has already been done in terms of framework. 10 And then there is a special area that was 11 mentioned, which is the small public company area, and I am 12 hoping COSO and the new committee that is meeting is going to 13 bring us fruit to bear. 14 That, at least if I'm hearing it correctly, is what 15 I think I am hearing. Does anyone want to correct me? 16 MR. WALKER: It wouldn't be a correction. It would 17 be a clarification. I think some of the language that I have 18 seen at least in the preamble of standard two is such that in 19 implementing standard two, some have taken a very 20 conservative approach. 21 Reasonable people can differ on what language is 22 intended to mean, but the bottom line is guidance now needs 23 to be provided as to what the intent was, and that can get 24 the job done without necessarily changing the standard. 25 COMMISSIONER GOLDSCHMID: I accept the amendment, 1 David. 2 (Laughter.) 3 MR. NICOLAISEN: Deborah Lambert? 4 MS. LAMBERT: I agree with everything you said, but 5 would take it one step further regarding COSO, and one 6 additional thought there. 7 There is a limit to where COSO stops, particularly 8 when it gets to the CPA firms and the implementation of 9 auditing standard number two, particularly as we start to 10 deal with these many smaller companies coming up, many of 11 which were not audited by the big four or big eight firms. 12 We need to pay careful attention to make sure we 13 are getting best practice type guidance and best thinking to 14 those firms. They are harder to reach. There has already 15 been some outreach efforts. Those can't stop. Those need to 16 continue because this is a whole other cycle of thoughts and 17 issues. That is a really important factor if we are going to 18 be successful in the next wave of implementation. 19 MR. NICOLAISEN: Robert Greifeld? 20 MR. GREIFELD: I completely agree with the 21 Commissioner. He is my commissioner. He regulates my 22 markets. 23 (Laughter.) 24 COMMISSIONER GOLDSCHMID: You didn't need that 25 clarification. 1 MR. GREIFELD: I do actually completely agree and 2 it was incredibly well said. 3 (Laughter.) 4 MR. GREIFELD: I would just add a point with 5 respect to the small companies. Again, with the survey that 6 we did, it was more dramatic than I thought, the differential 7 on the impact. It really was ten times the cost as a percent 8 of revenue for a small company versus a large company. To 9 me, that is a crisis point that we have to respond to. 10 Another issue you have with small companies, with 11 the crunch for 404, there are a decent percentage of them 12 that were essentially fired by their auditing firms. There 13 has to be something in the regulation that says if you get 14 dumped by your audit firm, that you have some type of leeway 15 or some type of consideration with respect to testing for 16 these controls. 17 MR. BELLER: Just as a data point, when you say 18 "small firm?" 19 MR. GREIFELD: The smallest category we had was 20 $100 million market capital or less. 21 MR. NICOLAISEN: Michele? 22 MS. HOOPER: I also agree with what you said. I 23 believe that there is a "but" to the end of what you said in 24 my opinion, which is I think I've heard full support, but 25 only if it can be a reasonable situation for firms to 1 undertake. 2 Right now, as it is currently being implemented, as 3 we have currently gone through it, the costs far outweigh the 4 benefits when you look at the inability and the way in which 5 the accounting firms are indeed executing and implementing. 6 If indeed we are able to implement some of the 7 things that Mr. Flynn said, which I was quite frankly 8 delighted to hear, and I'm sitting here thinking, good grief, 9 we can go home now. 10 (Laughter.) 11 MS. HOOPER: If they are indeed going to implement 12 it as the spirit from what you all say was intended, then I 13 think that will greatly go forward to easing the burden on 14 companies. 15 The way it is structured now, and the way we are 16 seeing -- quite frankly, in some discussions that I've 17 already had relating to the execution of year two, that 18 flexibility is not getting down to the bottom line troops. 19 Part of the challenge for us is to bring the spirit 20 of what the SEC and PCAOB is trying to garner into the 21 reality of what we are facing on a day to day basis. There 22 is still a very large gap there. 23 MR. NICOLAISEN: Commissioner Atkins? 24 COMMISSIONER ATKINS: Actually, I just wanted to 25 take a moment and maybe somebody on the panel can address 1 this, maybe Bob or somebody, but here we obviously have in 2 this coming year the rest of non-accelerated filers who are 3 coming on board, and literally thousands of companies. 4 The question is do we need more of a phase in? 5 Right now, we have heard them, but there still is a date 6 certain by which they need to comply. 7 Is there a capacity to deal with that, do we need 8 to have like a staggered implementation? 9 MR. NICOLAISEN: Let me do sort of a follow up to 10 that same theme. One of the things we heard from a number of 11 preparers and auditors today was an appeal to say the 12 accelerated filing that is now in effect will be in effect 13 for everyone, could we re-visit that and go back to an extra 14 two weeks in the closing process. 15 Anyone who knows me knows I always feel information 16 delayed is information lost. I'm not a firm advocate of 17 that, but I would certainly be willing to listen to those who 18 have strong views. 19 Certainly, we heard those today from the preparers 20 and auditors. From the investor perspective, I would be 21 particularly interested in your thinking on that. 22 MS. YERGER: I think I would agree. Clearly, we 23 want the financials out as quickly as possible, but if they 24 are not ready or they are not going to be high quality, then 25 I think a delay is perfectly reasonable. 1 I don't think there is any problem with the small 2 companies. We all want to be reasonable and give them time 3 to implement. I just don't think this needs to be sort of an 4 ongoing promise they are going to have this additional time. 5 I think we need -- frankly, it just seems to me it is too 6 early to tell what is going to happen with the small 7 companies, and I'm sure in a few months, we will all have a 8 much better sense. 9 MR. NICOLAISEN: It wasn't just the small 10 companies, it was everyone that was asking for it. 11 MS. YERGER: We would strongly disagree with that. 12 MR. NICOLAISEN: Rebecca? 13 MS. McENALLY: I agree with Ann on this, 14 straightforwardly. 15 MR. NICOLAISEN: I think we are very close to the 16 end. What I like to do is to give everyone a chance to 17 express one last thought. We can go right down the table, if 18 that works, starting with you, Rodg. If you don't care to 19 say anything, that is certainly fine, too. 20 MR. COHEN: Let me just say my thanks to the 21 Commission and PCAOB for doing this. I think this is a very 22 critical start. There is not as much substance today, lots 23 of ideas, nothing directly coming out, but the tone is very 24 important. It is equally important that the music be carried 25 through with some action coming out of today's meeting. 1 MR. FLYNN: I just would leave the thought that it 2 has been a very painful process for many people involved with 3 it this year. I think a lot has been learned in year one. I 4 think a lot has been accomplished to strengthen the financial 5 markets and transparency and quality, and I'm confident that 6 year two will be a much different experience, if we balance 7 the appropriate implementation and changes. 8 We talked about guidance. At the same time, keep 9 the same rigor in terms of what we are trying to accomplish 10 here to 404. 11 MR. NICOLAISEN: One of the things that I think 12 would be helpful, and we have talked about this, the best 13 practice examples, and also the databases that the firms have 14 accumulated of a whole lot of information, and I'm not sure 15 all of that is suitable for public dissemination, but perhaps 16 it is. 17 I think the academic community and economists would 18 be particularly interested in having the ability to study 19 that data. I would encourage particularly those of you who 20 have done a lot of research and have accumulated significant 21 information to think about making that available. 22 MR. GREIFELD: Certainly, I appreciate the 23 opportunity to be here today. One thought I'll express which 24 I haven't heard so far is there is a true up side to 25 Sarbanes-Oxley 404. We have documented a number of different 1 processes, certainly nowhere near 80,000, but in reviewing 2 some of these processes that are now documented, we realize 3 they don't make a lot of sense. 4 We have the opportunity now to go back and 5 re-engineer it, and based upon the time constraints, we said 6 just document. We will certainly look to do that in 2005. 7 Just a final thought with respect to small 8 companies, again, to try to really make the point real. When 9 you are asking a small company to segregate duties where you 10 have one person doing three jobs, it just comes across as 11 obviously an expense and counter-intuitive, and trying to 12 introduce formality in a small company where their reason for 13 being is their informality and their ability to adjust very 14 quickly to market opportunities and respond quicker than 15 larger better capitalized firms, you can realize how big of a 16 set of damages you can create for these small firms. 17 MR. NICOLAISEN: Michele? 18 MS. HOOPER: At the NACD, we are very pleased to be 19 a part of this discussion and I applaud the taking of time to 20 spend in listening to the dialogue for a whole day. That 21 sends a very strong signal to the constituents of the 22 organization. 23 The opportunity to bring more judgment and more of 24 a focus on best practice and enterprise risk management, I 25 think, benefits not only the large firms but also the small 1 firms. 2 Within the NACD, we have a number of members and a 3 great constituent in the small and mid-sized mid-cap 4 companies. They are crying out for a process that is more 5 efficient for them than what they have seen, people that have 6 filed as of March 31 going through. 7 Part of the opportunity I believe is learning from 8 each other and learning from what we have done and getting 9 information out on a more timely basis. 10 MS. LAMBERT: This day has been very valuable, and 11 I thank you very much for all the effort you have put into 12 it. 13 My plea really runs to everybody's Summer vacation 14 and the COSO exposure draft should be available this Summer, 15 just in time for beach reading. 16 (Laughter.) 17 MS. LAMBERT: We truly want as much input as 18 possible into the guidance that will be in this COSO 19 implementation guide for the smaller public companies. I 20 really encourage everybody to please provide feedback to that 21 from the beach. 22 MR. NICOLAISEN: Do you have a www.com for that? 23 MS. LAMBERT: We will have one. 24 MS. McENALLY: I don't know, Deborah, I will do my 25 best. 1 (Laughter.) 2 MS. McENALLY: About the cost benefit issue, just 3 one small observation. I kept hearing that companies are 4 paying the costs. No, companies don't pay the costs. The 5 costs are borne by the share owners ultimately, and the 6 question is what costs will the share owners pay. 7 Mark Anson remarked this morning he's happy to pay 8 the costs. This is worth it. The alternatives are higher 9 costs of capital, which is what we share owners do when we 10 start getting really edgy, or in the worse possible case, 11 where the business model has collapsed, and everything is 12 gone, the entire investment, which amounted to hundreds of 13 billions of dollars in all of the cascading costs. 14 I think yes, the costs are large, they are falling 15 disproportionately on small companies, and I hope we can make 16 some adjustments that ease that a bit, but that is very 17 important. 18 At the end of the day, let me return to what I 19 first said. I think Sarbanes-Oxley is by far the most 20 important thing we investors have received in years and 21 years. I think it is has worked extremely well. It is 22 reflected in the votes we investors are making, but above 23 all, 404 is the most important part, and we have been 24 particularly happy with the way that has played out. 25 MR. SZLOSEK: Just quickly, as a controller of a 1 Fortune 100 company, all kidding aside or all complaining 2 aside about 404 and Sarbanes-Oxley in general, the provisions 3 have gotten a lot more people into the tent with me, in terms 4 of the management team, the operations team and so forth. 5 I am not in there alone any more. That if nothing 6 else is a huge benefit for somebody in a position like mine 7 and a lot of similar positions. 8 I truly embrace the provisions. I don't think 404 9 is the best part of Sarbanes-Oxley yet. I think we have 10 talked a lot about the wrinkles that need to be worked out. 11 I don't think anything needs to change from a legislative or 12 guidance perspective until we get through the second year. 13 I think we need to be cognizant of all we have 14 heard about, see how each of the constituents react, the 15 auditors, the preparers, the inspectors, and come back in a 16 year and say did it really make a difference, did we get 46 17 percent of the costs out. Did we see less material 18 weaknesses and so forth. 19 That will be the proof. We can't force that. We 20 can't accelerate that until we get a chance to learn from our 21 experiences from the first year. 22 MR. WALKER: I want to very quickly compliment you 23 on holding the roundtable. Thanks for the invitation. I 24 would encourage you to take a look at the financial audit 25 manual because I think it has a lot of relevant information 1 that could be useful to your discussions and deliberations. 2 MR. NICOLAISEN: Will do. 3 MS. YERGER: Final comment on cost benefit. Costs 4 are obviously making all the headlines. We have heard today 5 they should be going down. We expect they will continue to 6 go down. We think the benefits are much longer term in 7 nature. They are very difficult to quantify. In the long 8 run, improved financial statements, higher quality audits, 9 more engaged audit committees and improved tone at the top 10 will benefit everybody in the markets. 11 MR. NICOLAISEN: Terrific. Thank you all very 12 much, thank you to all the panelists. 13 MR. BELLER: Thank you. 14 Chairman Donaldson, would you like to say a few 15 words in conclusion? 16 CONCLUSION 17 CHAIRMAN DONALDSON: Definitely. Let me begin on 18 behalf of my colleagues on the Commission to thank a lot of 19 people. First and foremost, I'd like to thank these two 20 gentlemen and their staff, who have really put in a lot of 21 work in terms of preparing this meeting. I would say it 22 evidences a great deal of judgment in the selection of the 23 panels we have had. 24 I want to thank the panel and the rest of the 25 panels for being here and spending your time as you have. 1 I would like to thank the people in the audience. 2 This has been an amazing attendance. I hope that the press 3 is still here. 4 (Laughter.) 5 CHAIRMAN DONALDSON: I hope everybody in this 6 audience is here because they have an interest in this 7 subject and today's proceedings are adding to. I know they 8 have added for me a dimension of thought that you only get by 9 listening to people talk. 10 I think we are going to fill up on the Internet on 11 our website with lots of recordings on what has been said 12 here. I hope all of us will do a little bedtime reading as 13 we reflect not only on what we have heard, but what we read. 14 Of course, I want to thank Bill McDonough and the 15 PCAOB Board, your colleagues, for your participation as 16 partners in this with us. 17 Today, I think we have had a very open and 18 insightful dialogue about the implementation of the internal 19 control reporting provisions. Several themes have been 20 identified. For example, the discussants revealed that many 21 companies have experienced benefits and improvements to their 22 internal controls as a result of the implementing of these 23 requirements. 24 Internal control requirements also have led to an 25 improved focus on internal controls by all stakeholders 1 involved, improved focus on controls has a potential to pay 2 dividends for sure in the future in terms of investor 3 confidence, transparency, the quality of financial 4 statements, as you say so correctly, cost of capital 5 ultimately and shareholder returns. 6 However, we also have heard there are some areas 7 related to implementation of the new requirements that may 8 need further attention or clarification, implementing this 9 major new requirement has not been without costs and not 10 without a learning curve. 11 Therefore, I am instructing the staff to evaluate 12 the feedback we have received on these topics and consider 13 whether and how we can improve the guidance available to 14 management and auditors in order to improve the effectiveness 15 of the process. 16 Given the importance of the issue and the 17 preparatory work that is already underway for assessments of 18 internal controls for 2005, I have asked the staff to 19 complete their evaluation as quickly as possible. We are 20 well aware of what is coming down the pike. 21 Finally, we have heard some of the very special 22 challenges that smaller companies may face. With our small 23 company advisory board and their ongoing work and very 24 valuable input here, well organized and well underway, we are 25 very sensitive to the concerns of Section 404. We know it is 1 a priority issue for our advisory committees. 2 I look forward to their work and the potential 3 recommendations. 4 Again, I want to thank everybody. I think this has 5 been a great meeting, and I think it has been not only 6 informative, but as they say, really fun to get at the 7 issues. 8 Thanks a lot. 9 MR. NICOLAISEN: Bill? 10 CHAIRMAN McDONOUGH: I think we have all agreed 11 that 404 has many positive results and yet the cost benefit 12 has to be improved, especially for small and medium sized 13 companies. 14 As a former central banker, I am convinced that 15 small and medium sized companies create all the economic 16 growth in our country, and certainly create ultimately new 17 jobs. We have to do something for them. 18 Our responsibility at the PCAOB has to do with the 19 accounting firms which audit public companies. I don't think 20 there are people on this planet more convinced than those of 21 us at the PCAOB that auditors must show judgment which also 22 means they must have a risk based approach to their work. 23 It is also clear from what we have heard today that 24 we and they have not been completely successful in the first 25 year in bringing full judgment to bear. 1 We have been listening very carefully, not only 2 today, right after we put out our auditing standard two a 3 year ago, we created two internal control implementation task 4 force working groups, one for auditors, the big eight plus, 5 one for issuers, mostly large and a few small companies. 6 They met most recently with the issuers on Friday 7 and with the auditors on this Monday. We are putting 8 together a small firm implementation working group. 9 You may have noticed during the breaks that our 10 five board members got together, and then I had a little 11 staff meeting with our three distinguished senior staff 12 people in the standards area, Doug Carmichael, Tom Ray and 13 Laura Phillips, sometimes known as Miss 404. 14 Here is what we have decided to do. We will put 15 out the first staff guidance 30 days from today. Actually, 16 that is a Friday, and people don't pay attention to things 17 put out on Friday's, so we will in fact put out the guidance 18 on the following Monday, which will be the 16th of May. 19 Our standing advisory group for our standards area, 20 which as I mentioned this morning, is made up of a relatively 21 small number of accountants, issuers, and especially 22 investors, and they meet next on June 8th and 9th. 23 We will dedicate the entire agenda of that meeting 24 to what is it that we need in additional staff guidance 25 coming from all the input that we get, and we will also 1 decide about that time whether we have to re-open auditing 2 standard two in order to clarify some basic principles 3 through rulemaking. 4 The reason we want to do it through staff guidance 5 as much as possible is because we can do it quickly. The 6 rulemaking would take about another four or five months, and 7 that puts us much too late into the next cycle. 8 On our inspection process, I should remind you of 9 the view of the relationship of the PCAOB towards the 10 accounting profession that is shared by all the board 11 members, but especially was brought by me from being a 12 banking supervisor. 13 I had the hottest seat in banking supervision in 14 the United States for ten years, and chaired the Bazelle 15 Committee on Banking Supervision. 16 What we do is we relate to the accounting firms in 17 the following way. As long as you are trying to improve the 18 quality of your service to the American people in the way 19 that the representatives of all the audit firms who were here 20 today spoke, but especially very eloquently just recently by 21 Tim Flynn, we will work with you, the profession, in order 22 that you can do your job better to help the American people. 23 They know fully well that if they do something 24 wrong, especially if it involves moral turpitude, we will 25 beat the hell out of them. 1 What will we learn from our inspections? The 2 inspections aren't meant to go and say you did a great job, 3 you did a lousy job. It is did a given firm in some areas do 4 quite well, but in other areas, what I suspect and spoke 5 about earlier this morning, in dealing with the smaller 6 clients, where their staff is not as experienced, it's pretty 7 clear they didn't in fact do as good a job as they did with 8 their big clients, what are they going to do about that? 9 You heard something from Tim on what his firm is 10 planning to do about it. 11 From this will come the best practices approach. 12 Here is the best practice for an audit firm to use in dealing 13 with its clients and in dealing with internal controls. That 14 way, without punishing anybody or hanging people on lamp 15 posts, we can get the best practices out to the audit firms, 16 and in that way, through the most possible, to improve the 17 credibility of financial statements and the internal controls 18 related thereto, so that we can have greater economic growth 19 for the people of our country and the world. 20 That is what we plan to do. 21 MR. BELLER: Thank you, Chairman McDonough. I am 22 going to hold you all for 30 more seconds while I thank the 23 people who are really responsible for this being a successful 24 day, and that is Don Nicolaisen's and my staff. 25 I know Chairman Donaldson mentioned them, but I 1 want to do it as well. Don Nicolaisen's and my staff are in 2 the Office of Chief Accountant and the Division of 3 Corporation Finance. People are going to say we did a great 4 job, but Don and I know they did a great job. We are just 5 up here doing what they told us to do. 6 Thank you very much, and thank you all. Thank you 7 to the panels. Thank you to the board members, the 8 Commission, those in the audience, and those unseen people on 9 the web who have listened to us today. 10 Thank you. 11 (Applause.) 12 (Whereupon, at 5:39 p.m., the roundtable was 13 concluded.) 14 15 16 17 18 19 20 21 22 23 24 25