EXECUTIVE SUMMARY
AUDITORS CAN'T CRITIQUE
THEIR OWN WORK and must avoid
the appearance of conflict to comply with
section 404 of the Sarbanes-Oxley Act.
That gives CPAs a new consulting
opportunity to document and test
nonclient companies' internal
controls. A FIRM INTERESTED IN
DEVELOPING THIS NICHE has to
know the skills it will need, the time
and staff required, the depth of the
market, the best way to approach clients,
the limits on auditor involvement and
what information technology tools are
available.
THE MARKET EXISTS BECAUSE
COMPANIES temporarily may be
unable to meet the project management and
staffing needs to design the section 404
internal audit functions that later will
be checked by the company's external
auditor. Others may be dealing with new
concepts and technology.
WHAT CONTROLS A COMPANY TESTS
and exactly how its consulting
CPA does so largely will depend on
company circumstances and the internal
control objectives.
ONE FIRM NOT ONLY DOCUMENTS
internal controls for nonaudit clients
but also recommends improvements such as
eliminating unnecessary manual controls
in low-risk areas or adding some controls
for high-risk transactions. It says small
companies should pass any questions by
their external auditors rather than guess
at the PCAOB's intentions.
AN AUDITOR SHOULD KEEP SOME
DISTANCE from management's
internal control compliance project; it
may explain to its client how a cash
disbursement system works but should not
advise the client how to assess its risks
or which controls management needs to
test, for example. Designing controls
requires the CPA to have a high skill
level and extensive knowledge of the
client's business.
MAUREEN NEVIN DUFFY is a New
Jersey-based freelance writer. She also
is the editor/publisher of the Corporate
Governance Fund Report, www.cgfreport.com.
The Sarbanes-Oxley Act of 2002 has ushered in a
new era of reporting accountabilities for public
companies. It requires management of such
entities to certify the effectiveness of the
internal controls that are the underpinning of
financial reporting, and a main tenet of the law
is that auditors avoid conflicts of interest. The
specifics are delineated in section 404 of the
act, with which public companies having more than
$75 million in market capitalization will have to
conform in 2004, if their fiscal year ends on or
after November 15, 2004. Smaller companies,
foreign private issuers and companies with only
registered debt securities get a reprieve until
July 15, 2005.
The SEC and the
Public Company Accounting Oversight Board (PCAOB)
have declared that leading or directing an
internal control documentation or testing
engagement for management of an audit client is a
conflict for a company's regular auditors
(which may be internal or external, depending on
the business). Some good news is that CPAs now
have a new professional opportunity: to
document and test companies' internal
controls for the managements of nonaudit clients.
The market exists because companies temporarily
may be unable to meet staffing needs to verify
the section 404 functions that later will be
checked by the company's external auditor.
Others may be struggling to understand new
concepts such as control objectives, control
frameworks such as the COSO framework
and the impact of information technology on
controls. Here's the JofA's
first look at what developing a niche for this
service entails.
Confidence Slipped
More than
half of respondents to a recent
general-public survey felt the United
States is more endangered by white-collar
crime than blue-collar. They also did not
believe accounting firms monitor
clients' ethical standards: When
asked whether they thought a professional
CPA firm would look the other way to keep
a client who violated the law, 62 percent
answered yes.
Source: Camico
Mutual Insurance Co. study,
www.camico.com.
TAKE TIMELY ACTION
Under
Sarbanes-Oxley, management must present to the
auditor its internal control system, and the
auditor must verify that the management assessment
process and the controls themselves
work. A CPA who wants to service
nonaudit companies' internal control needs
should address several important development
issues: Does he or she have the skills? What time
and staffing commitments are necessary?
What's the depth of the market and the best
way to mine these clients? Is there a practice
benefit beyond revenues? What technology tools
are available to smooth the way? Will the service
be limited to the first few years of
implementation, or will it be ongoing? Most firms
offering this consulting expect a strong need in
the period leading up to the initial deadlines,
and CPAs who want section 404 business would be
wise to move quickly, sources say.
The original
effective date for larger companies
(accelerated filers) was for fiscal
yearends on or after June 15, 2004, but the SEC
extended that to November 15, 2004. Smaller
public companies do not have to comply with the
new rule until their reports are prepared for
fiscal years ending on or after July 15, 2005.
The compliance deadlines mean demand for internal
control documentation and testing consulting
services likely will be strongest in early 2005.
Nevertheless, the pressure is still on for
yearend filers that will need to report on
internal controls this year.
With all the
extra work auditors must do to comply with new
fraud standards, meet quarterly review
requirements, document and audit fair value
assessments and render audit reports on internal
controls for clients, there may not be enough
qualified advisers available to meet the needs of
companies that postpone their compliance
projects, sources say. Lynford Graham, CPA,
national director of audit policy at BDO Seidman
LLP and a member of the AICPA task force on
internal control reporting implementation, says
it's likely only less experienced
advisers may have the time to take on new clients
next spring and summer.
David Morgan,
CPA, of Lattimore, Black, Morgan & Cain in
Brentwood, Tennessee, says many companies will
wake up and realize they need a lot of
help to make the next compliance deadline.
"The smart companies are working on it
now," he says. Susan Menelaides, CPA,
partner at Chicago-based Altschuler, Melvoin
& Glasser LLP, agrees. "There'll be
a big push with the coming deadlines and
a demand for people with this
expertise," she says.
THERE'S A BROAD CLIENT BASE
Mike Umscheid, CPA, with Norfolk, Virginia-based
Witt, Mares & Co. PC, was part of an ASB task
force that developed proposed revisions to AT
section 501, Reporting on an Entity's
Internal Control Over Financial Reporting
(AICPA, Professional Standards), in
response to Sarbanes-Oxley. He believes large and
small companies will have to outsource internal
control work quite a bit. "Smaller companies
clearly need help they might not have
in-house," he says. "In that respect
it's just like outsourcing internal
audits."
The target
market consists of the public companies whose
external auditors are required to opt out of
helping their clients design, set up and document
internal controls. Some other companies may be
temporarily unable to meet staffing needs to
perform the extra work, while still more may find
themselves dealing with new concepts and
technology where they don't have the people
to define the processes or to test them.
Although they
do not need to, some nonpublic companies think
it's in their interest to comply with
Sarbanes-Oxley and are part of the burgeoning
client base, too. Julie McCollum, CPA, managing
director of Jefferson Wells, whose core business
is supporting clients' internal controls,
says, "We're getting a lot of calls
from private companies that aren't sure what
is going to happen in the future." Add to
them companies going public in the near future,
private companies with public debt and those
involved in mergers or who are being acquired by
a public company and you've got a sizeable
market, says McCollum.
Lynne Burkart,
CPA, audit director of Postlethwaite &
Netterville in Metairie, Louisiana, thinks the
niche will be profitable. She expects section 404
services to add 10% to 15% to her practice, for
example. Burkart's 170-person firm, the
largest in the state, has just started providing
such services. Its first client hired
Postlethwaite to design the company's 404
internal audit functions that later will be
checked out by the company's external
auditor.
A FEW SERVICES OR MANY
Variety is another advantage to this market
niche, since CPAs can offer a few or a range of
services. "Generally, you're assisting
management with assignments that can take on a
life of their own," says Anthony Sirica,
CPA, national business line leader for
BridgeMark, the risk-consulting division of BDO
Seidman LLP in New York City. Usually, says
Sirica, the company appoints a lead manager for
the internal control project, but each job is
different. Since companies are responsible for
reporting on controls and certifying quarterly to
their effectiveness, management generally takes
active ownership of the project and
process.
What and exactly how a company
tests largely will depend on its circumstances and the internal
control objectives (see "Under Control: A Simple
Summary").
However, the business will need to evaluate its controls for
initiating, recording, processing and reconciling account
balances, classes of transactions and disclosure and related
financial statement assertions; controls related to initiating
and processing atypical transactions; controls for selecting and
implementing appropriate accounting policies; and those related
to preventing and detecting fraud.
A company may
fully outsource the project, or it may have the
internal audit function provide project
management and oversight and use a provider such
as BridgeMark to supply the extra staff to
document and/or test processes.
"They're all consulting
engagements," says Sirica. While companies
are permitted to have their auditors supply staff
to transcribe the documentation of controls under
management direction, most audit committees and
boards choose not to engage their auditors for
this task to avoid the risk of appearing to
violate independence restrictions.
A business's character, which
encompasses management's perceived
integrity, operating philosophy and commitment to
competence, is integral to the internal control
environment, too. While some qualities can be
quantified by traditional auditors' tests,
others cannot. One approach is to develop a
reliability model for the internal control
environment's characteristics at various
levels, then design tests to evaluate the
presence or absence of those characteristics (see
"Evaluate the Control
Environment"). Companies are finding it
challenging to get it all done. "We anticipate a
lot of business yet," Sirica says.
WEIGHING RETURNS
BridgeMark started in late 2002 when
[Sarbanes-Oxley section] 404 started hitting
radar screens, Sirica says. While public
companies still were trying to figure out what it
was all about, the firm formulated an approach to
the marketplace and began offering its section
404 services in April 2003. It found many
companies in panic mode, throwing money at huge
documentation processes. Then, in June, the
regulators issued a reprieve pushing the
deadlines back.
"That gave
companies the opportunity to go from a sunk cost
of compliance to getting some return on the
investment," says Sirica. What are those
returns, for example? "Well," says Sirica,
"some aren't tangible. You can't
put a dollar amount on the value of staying off
the front page of the Wall Street Journal."
Sirica's
group not only documents internal controls but
also recommends improvements such as eliminating
unnecessary manual controls in low-risk areas or
adding some controls for high-risk transactions.
The 2003 exposure draft of the auditing standard
covering audits of internal control from the
PCAOB emphasized the rule's higher
expectations for Fortune 500 companies
vs. smaller public companies. While vague, it
seemed to imply smaller companies need not be
held to as rigorous a level as their larger
brethren. Interestingly, the revised PCAOB
standard, issued March 9, 2004, dropped this
concept from the standard. When in doubt, Sirica
recommends small companies pass any questions by
their external auditors rather than guess at the
PCAOB's intentions.
STAFFING
CPA auditors considering this niche should not
underestimate the time commitment the service
will demand. Each client company can vary
significantly in complexity. Morgan says that on
just two documenting engagements his firm spent
from 1,000 to 1,500 hours using a staff of more
than eight full-time employees.
"A great deal
depends on the level of sophistication the client
starts out with and the existing quality of its
procedures and systems," Morgan says. That
uncertainty means firms will have to maintain a
flexible workforce. He recommends that firms
hiring for this function ask applicants up front
whether they know the COSO internal control
framework. If they don't, they'll have
to attend about two days of training to become
thoroughly familiar with it, since it forms the
basis for documentation.
At
Postlethwaite, Burkart expects the firm to be
able to use its 170 employees to develop, test
and monitor services, which now include risk
assessment of areas affected by section 404. The
work is more detailed but similar to regular
audit work, she says. Staff for this type of
work, she says, should excel in communication
skills, because employees need to interview the
client's key people to elicit information.
At Jefferson
Wells, an independently operated subsidiary of
Manpower Inc. of Milwaukee, McCollum says the
division doesn't hire recent graduates for
this work because people need 12 to 15 years'
experience in the industry where they're
placed. The majority are CPAs or internal audit
or fraud examiners; all have consulting or
operational experience in internal control,
finance and tax operations. Jefferson's
largest focus is on financial institutions and
government.
"Designing
controls takes knowledge of the type of
client," says Umscheid, who also cautions
auditors to limit their involvement when dealing
with clients. For example, an auditor may explain
how a cash disbursement system works but should
not advise the client how to assess its risks.
"You have to be very careful how far you go
in helping audit clients do this. The SEC's
preference is that you don't do
anything," he says. CPAs can advise, but
ultimately it's management's
responsibility.
Under Control: A Simple Summary
Source: Guide to the
Sarbanes-Oxley Act: Internal Control
Reporting Requirements - Frequently
Asked Questions Regarding Section 404,
Protiviti Inc., www.protiviti.com, 2003.
FILLING SKILLS GAPS
With auditing workloads already stressed by the
CPA profession's cyclical demands on staff,
the section 404 deadlines will make it difficult
for most firms to expand their offerings to
include internal control services. Plus,
industry-specific controls demand a high level of
expertise, says Morgan. He advises small and
midsize firms to consider an alliance with other
audit firms to expand their capabilities to fill
these needs quickly.
Umscheid
strongly recommends that auditors interested in
seeking 404 clients stick with the core industry
they now serve. Internal controls are related to
the unique workings of a company, so a grasp of
the components is vital. "If you already
have a niche in a certain area, you may be able
to build on that," he says. Menelaides
agrees: "You have to know enough about the
business to ask the right questions."
Besides
industry knowledge, practitioners must understand
the nuances of the entity's processes, what
internal controls should be in place given those
processes, how technology is used within the
business, what (and how) controls must be
engineered into automated processes as well as
what processes have been outsourced and what
controls need to be designed around or through
those outsourced processes.
Postlethwaite
concentrates on the process side in its audit
practice, catering to companies in banking and
manufacturing. "We're going after all
of it," says Burkart. Postlethwaite has been
working with other CPA firms that have a conflict
in providing section 404 services to their
existing audit clients.
WHERE TO FIND CLIENTS
Because the opinion on a public company's
internal controls must be an outside one, the
company's external or staff auditor may make
several recommendations for the engagement of a
section 404 project manager. Some firms rely on
referrals from consultants who advise companies.
Lattimore, a CPA firm with 110 people, brought in
additional help to find business in this market,
says Morgan. Its lead hire had many contacts as
well as industry expertise. However, most sales
at Lattimore are generated at the partner level
and through existing relationships with public
companies.
Postlethwaite
advertised in its city business magazine, in
newspapers and on radio. The firm also offered a
seminar and placed a sales message on its voice
mail.
BridgeMark is
using limited advertising, mainly in the
Institute of Internal Auditors' magazine,
says Sirica. Most of the firm's section 404
project clients come from BDO's partner
network and its business development network,
which follows up on leads from cold calls and
requests for proposals. "Other firms
recommend us," says Sirica. In general,
small audit firms shy away from competition, and
the Big Four are more likely to refer internal
control clients to other firms, sources say.
Recommended Reading
Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Frequently Asked Questions Regarding Section 404, Protiviti, www.protiviti.com.
How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control by Michael Ramos, John Wiley & Sons, 2004.
The Internal Auditor at Work: A Practical Guide to Everyday Challenges by K. H. Spencer Pickett, John Wiley & Sons, 2003.
The Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud by Scott Green, John Wiley & Sons, 2004.
Sarbanes-Oxley and the New Internal Auditing Rules by Robert R. Moeller, John Wiley & Sons, 2004.
TECHNOLOGY
Internal controls inherent in a company's
technology system require the expertise of a
specialist who understands how technology affects
the financial statements. For public companies
that are automated (most), the CPA has to be able
to test controls in a highly computerized
environment. Not only must the practitioner
understand control design, he or she must know
how to test for effectiveness. That requires the
knowledge (or access to it) to test the
entity's general computer controls,
application controls and controls that may be
embedded in the system software. To discern
whether they are operating effectively, the
expert has to document and test all those
controls: checking passwords, security elements
and backup procedures and conducting a basic
audit of the status of the infrastructure (see
"Choose the Right Tools
for Internal Control Reporting," JofA,
Feb.04, page 34).
Sirica says in
some cases BridgeMark may put whole new systems
in place as part of an internal control overhaul
and it needs specialists for that. His firm tries
to assess a company's overall needs in light
of restructurings or system upgrades. "Some
technology additions will subsume manual controls
and should," he says. If the firm can
improve other parts of the system by eliminating
redundant procedures, it offers to do it.
Most Big Four
firms are creating custom programs to provide to
clients, and a plethora of products is being
offered by software houses both old and new. As a
service to clients, Sirica estimates he has
reviewed at least 15 to 25 different products
created in answer to Sarbanes-Oxley section 404.
He whittled that list down and now works with
just four programs, which his firm demos for
clients to help them choose the best software for
their needs and their budget. (The firm makes no
commissions from the vendors.)
PRACTICAL TIPS TO REMEMBER
Because
section 404 deadlines will make
it difficult for most firms to
expand their offerings to include
internal control services, small
firms should consider an alliance
with other audit firms to expand
their capabilities quickly.
Firms
hiring for this function should
ask applicants up front if they
know the COSO standards. Make
sure your staff members are
thoroughly familiar with the
internal control framework, which
forms the basis for
documentation.
Auditors
interested in seeking section 404
clients should concentrate on the
core industry they now serve to
maximize strengths.
Don't
hire recent graduates to lead
internal control consulting
projects. Tasks that are
industry-specific demand greater
expertise. People may need 12 to
15 years' experience in some
specialty areas where they will
serve.
Make sure
staff members have excellent
people skills because they need
to elicit information from the
client's key employees.
Since much
of the software for this work
didn't exist until last
year, advisers and management
should look for products that can
provide clean, simple reporting
and can drill down to the
subsidiary or division level to
see the status of compliance.
The
software manufacturer ideally
should have been in business
prior to Sarbanes-Oxley. You
don't want clients running
into a problem and finding the
company that sold the product has
gone under.
Because
much of the software didn't exist last year,
one of Sirica's three criteria for his short
list was that the manufacturer of the product
must have existed prior to Sarbanes-Oxley. He
doesn't want clients running into a problem
with the product and finding the company that
sold it has gone under. Additionally, the
software must cost no more than $100,000 and
require no special hardware to operate. "The
software market hasn't flushed out yet. The
products are still in 1.0 and 2.0 versions,"
says Sirica, who expects product refinements and
the probable entry of software giants such as
Oracle, Microsoft and PeopleSoft to produce a
shakeout in the industry.
Many of the
currently offered programs act as repositories
for the blizzard of documents to be brought under
control. Some versions allow CFOs to access
screens where they can monitor things such as
ongoing quarterly compliance, show where controls
are changing, link documents, provide testing and
send e-mails when deadlines are missed. Project
managers should look for clean, simple reporting
and software that can drill down to the
subsidiary or division level to see the status of
section 404 compliance.
EXTENDED LIFE CYCLES
Unlike the fleeting rewards of Y2K preparation,
with which many see parallels, some auditors
foresee long-term advantages from offering
section 404 services. "I think doing a very
in-depth analysis of a company's internal
control is going to make us better auditors when
we do our regular financial statement
audits," says Menelaides. "This
experience probably will benefit us in ways more
difficult to measure - less tangible
ways - but it will make us better
auditors." And she doesn't expect the
workload to abruptly end either, as it did in
Y2K.
Altschuler
Melvoin is currently helping 404 clients make
self-assessments their external auditors will
evaluate. "But companies may need some
continuing help," she says.
"They'll need to track changes each
quarter and assess controls every year. So
there's a lot of work for companies from now
on." Under Sarbanes-Oxley, mergers,
acquisitions, upgrades or any adaptations to the
way the business does things could trigger the
need for a new audit. Umscheid agrees: "If
you change the controls, you have to [document
and] test the new ones."
RESOURCES
The Institute answers individual
questions at the Sarbanes-Oxley Act hot
line: 866-265-1977, and up-to-date
compliance information for CPAs is
available at Sarbanes-Oxley Act/PCAOB
Implementation Central, http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/The+Changing+Regulatory+Landscape.htm.
Publications
Consideration
of Internal Control in a Financial
Statement Audit, an AICPA Audit and
Accounting Guide (# 012451JA).
Financial
Reporting Alert, Internal Control
Reporting - Implementing
Sarbanes-Oxley Section 404 (#
029200JA).
Financial
Reporting Fraud: A Practical Guide to
Detection and Internal Control by
Charles R. Lundelius Jr. (# 029879JA).
Internal
Control - Integrated Framework, COSO
report (# 990012JA).
CPE
Internal
Control Reporting for Public Companies, a
webcast originally presented July 17,
2003, and now available on CD-ROM (#
737132HSJA).
Internal
Controls: Design and Documentation, a
self-study course (# 731850JA).
SEC
Reporting, a self-study course (#
736771JA).
Conference
National Advanced Accounting and Auditing
Technical Symposium (NAAATS)
July 22-23, 2004
Hilton La Jolla Torrey Pines, La Jolla,
California
For more information, to place an
order or to register, go to www.cpa2biz.com
or call the AICPA at 888-777-7077.