Well, those days are over, right? Corporate executives should start to see 50 percent reductions in their Sarbanes-Oxley Section 404-related audit fees by the end of the year, right?

Don't bet on that just yet. But relax knowing better judgment has just been approved by the Securities and Exchange Commission. On July 25, the SEC approved the Public Company Accounting Oversight Board's new Auditing Standard No. 5, or AS5, which aims to provide clear management guidance. It replaces the PCAOB's previous internal control auditing standard, Auditing Standard No. 2.

More importantly, irrespective of what the PCAOB or the SEC promulgate as changes or guidance, simple techniques exist now that can help streamline your risk assessment and keep your overall costs down, by keeping your 404 audit scope from creeping.

First, let's provide a brief background. The newly approved AS5 for internal controls assessment:  

• Provides clearer explanation and definitions;
• Stresses top-down risk assessment -- with the goal to "right-size";
• Emphasizes focus on controls that have the potential to detect or prevent material misstatements.

This is a reasonable change from AS2 in that it attempts to clarify some of the confusing aspects of an assessment of internal controls over financial reporting. However, it is not a dramatic change.

The concept of top-down risk assessment, as well as emphasizing it's use, is not new. PCAOB itself released updates back in May 2005 discussing the use of this approach to ease some of the burden of compliance. In addition, focusing on controls that have the potential to detect or prevent material misstatements isn't new either. While it was not emphasized in earlier years, or simply got lost in the SOX hysteria, management could have reached these conclusions in previous assessments since any audit, with the possible exception of forensic, is based on "reason" and "judgment" of what could happen and/or what is material to the financial statements.

You can reason, as an example, that travel expenses have a relatively immaterial impact on your company's financial statements and that the volume of transactions are generally low. From that reasoning, management's judgment could result in a decision to exclude that area from scope. The problem was that very few did, or not many performed top-down risk assessments that could result in significantly smaller scopes, which would in turn result in considerable reductions in cost, both tangible and intangible as well as internal and external.

We all followed the general guidance and risk-intolerance of our auditors. From some perspectives, that was understandable -- the natural evolution of new legislation and regulation. However, with guidance from the SEC (#34-55929) that no longer requires auditors to provide an opinion on management's methodology used for their assessment, and with the new AS5, the perception is changing.

The SEC and PCAOB have finally figured out what most filing companies have known for years -- that the requirements for 404 compliance were too cumbersome and driven by external auditors, for external auditors.

Now, companies can use the new guidance set forth in AS5. However, our research and subsequent review of AS5 revealed that it is still at a general level intended to help all filing companies from all industries, which is tough to accomplish in a single, albeit 172-page document. And as mentioned above, the SEC has also issued guidance. Yet both documents are still relatively vague and require just as much judgment and subjectivity as before. (The Institute of Management Accountants has issued a response that is worth reading and addresses their concerns with the new guidance.)

So what should management do? What tools or techniques can be used to ensure your company is using a top-down approach and covering areas that are indeed material with respect to properly recording financial information?

There are several options that allow managers, auditors and consultants to measure and manage a company's 404 audit scope with more precision and provide management with metrics that truly make sense and drastically reduce the scope of your audit and the associated gigabytes of documentation.

As a former financial executive, I was as frustrated that the original guidance was designed with essentially only external auditors in mind. This provided major challenges that are now well documented, including the sky rocketing costs.

Later, as a consulting executive, I was challenged to find ways to help clients save time and money on compliance, but generally forced to use the AS2 standard and its myriad rules and "must dos."

Whatever method your company uses or plans to use -- COSO as a framework, AS5, or some other approach that management feels can properly assess their control environment -- you can apply simple techniques at the appropriate phases from the beginning (assessment), middle (documentation), and end (testing/remediation) of your effort to avoid scope creep and provide qualitative and quantitative support for your conclusions.

Risk Map

This technique is truly top-down. It looks at the company in its organic, natural state, not as a series of financial statements. Looking at the financials and understanding the financial account structure and content is critical; however, it is not necessarily the first place to start. Any astute executive, especially those with strong financial backgrounds, can visualize the financial account structure, volume, and content just by getting a good understanding of the company, its industry, departmentalization, software applications and other functional or operational information.

Exhibit 1 is a simplified version of a Risk Map. The concept would be modified to fit the operational, functional and technological geography of each company. However the result would be to understand where the greater areas of risk are located from the top -- a sort-of "heat-map" of risk. Each area of high risk (represented with an "H") could be further broken down into its own Risk Map, giving management the ability to communicate, visually, the areas of greater risk.

The next two techniques can be used together or separately during one or more phases in the assessment. The 1, 2, 3-Out scoping technique and the S.O.D risk ranking technique (which stands for Severity, Occurrence and Detective).

Both are more detailed by design and can be applied directly to a business process or a specific control activity, and each will result in a reasonable assessment of risk using a combination of qualitative and quantitative information. S.O.D in particular removes as much subjectivity as possible by applying numeric scores based on both factual and subjective information.

1, 2, 3-Out

The more simple of the two, it is a criteria-based assessment of a process or control activity. Management can review a control activity (for example, journal entries are reviewed prior to entering into the general ledger), determine if it is a level 1, 2 or 3, with level 1 almost certainly in scope, level 2 most likely yet debatable, and level 3 clearly out of scope.

Exhibit 2 is an illustration of the criteria that again can be modified for each company.

It is in the spirit of using high, medium and low rankings that have been used extensively by most of the Big Four and other auditing firms; however, this technique allows management to directly apply, or modify, the criteria for each level, rather than using purely subjective analysis and "risk-guessing." When used in combination with S.O.D. (which is explained next) it is hard, even for the most conservative reviewer, to challenge.

S.O.D. – Severity, Occurrence, Detection

The most complex of them all, this technique is still easy to use and results in comprehensive usable metrics regarding the inherent risk of a particular process or control activity.

For each risk character trait in Exhibit 3, management must choose a risk factor between 1 and 10 (10 being of greatest risk for a particular risk trait or attribute). The factor of each individual score results in an overall risk score. Once all of the control activities have been assessed and ranked, management can see the distribution of risk by department or function, depending upon what additional information is collected for each control. Then, based on the risk distribution and range, management can determine a "cut-off" score. All control activities with a score below the cut off are out of scope. And instead of a spreadsheet listing myriad control activities ranked high, medium and low, management now has better insight into risk, and a much better assessment tool to discuss with their auditors.

Department	Control Activity	Frequency	Manual/ Automated	Severity	Occurrence	Detective	Risk Score
Accounting	Journal entries are reviewed and signed	Monthly	Manual	10	7	10	700
Sales	Sales orders are filed in a secure location	Daily	Manual	2	8	10	160
Purchasing	Purchases over $100 are approved in writing by authorized personnel	Daily	Manual	7	8	4	224

The example in Exhibit 4 above illustrates how the S.O.D. ranking for three different control activities may appear.
 
The results give management the ability to look at each score individually and in comparison to the overall score to determine its accuracy and gain additional insight into the nature of risk surrounding their controls. For instance, note in our example that the control activity in the Purchasing department is ranked low compared to Accounting (700 versus a total score of 224). However, the Detective character trait is clearly driving the score lower. This could mean that the compensating controls are very strong for this activity and no further action may be required with respect to the 404 audit. It is deemed out of scope, and you have the proper analysis to support your conclusions.

In addition to providing comprehensive risk assessment support, the information in this analysis could be used to give management a road map for areas of improvement not related to internal controls and an opportunity to improve operational processes. For instance, this type of risk analysis would tell management the percentage of processes with low detective scores, which could mean some processes or activities are redundant, or at least nonessential. Activities with high Occurrence scores could be further analyzed for opportunities to automate the process if it is currently manual.

Conclusion

No matter how management chooses to adopt and apply new guidance from the governing entities, they should be aware that several simple techniques are available to further reduce scope, and ultimately cost, regardless of what approach they use today or plan to use if they have not already had to comply with Section 404.

It could be as easy as 1-2-3.

ERIC J. BARBERIO, CMA, is a recognized accounting executive and consultant who has been managing large-scale engagements including Section 404 Compliance, System Implementations and Process Improvements with MSi Consulting since 2003. He has managed national and global Sox efforts over the past several years helping clients realize cost reductions after a very expensive first year of compliance.  Clients include Tyco International, ADT Security, Cross Country Healthcare, Ocwen Financial and First Fleet (a subsidiary of GE Capital Solutions). As a former CFO and Controller during his 17 plus year career, one of his goals is to educate business and accounting professionals on ways to continually reduce the costs of change. He can be reached at ebarberio@comcast.net.