
2010 The Great SOX Caper

By

James J. Finn, MBA, CISA, and CIA


Finn Consulting LLC
Independent Consultant

James J. Finn is the founder of an independent Financial, IT, and ICFR consulting business, and has worked as a CFO, program manager (PMO), internal auditor, and compliance consultant for small, medium and large public companies as well as for Mutual Insurance Companies. Mr. Finn holds a BSBA degree in Finance with Honors, and an MBA from Northeastern University, Boston, Massachusetts. Through the years, Mr. Finn has acquired over 25 years of hands-on experience at various financial positions ranging from “Management Trainee” at the First National Bank of Boston, to “CFO and VP of Finance” at a commercial printer, Dynagraf Inc. Also, as a qualified CIA and CISA, he has focused on internal controls and compliance programs for Sarbanes Oxley since 2004.

Prior to authoring this “White Paper”, he has written comments to the SEC on Sarbanes Oxley related
issues, and was the editor for a comprehensive accounting policy and procedures guideline for Digital
Equipment Corporation’s worldwide internal “Product Line Management Accounting” system. He has also
authored a statistical guideline “Sampling for Internal Audit SOX, MAR Compliance Testing”.

Version 1.60, 2/21/10

While this document is believed to contain correct information, the author, James J. Finn does
not make any warranty, express or implied, or assume any legal responsibility for its accuracy,
completeness, or usefulness. Reference herein to any specific product or publication does not
necessarily constitute or imply its endorsement, recommendation, or favoring by the author. The
views and opinions are those of the author.

Copyright © 2009 by James J. Finn, Finn Consulting LLC. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please contact the author at sox-transformer@comcast.net or call him at 781 307 7857.

SOX; AS-2 “Too Early”, and SEC Guidance “Too Late”


Foundation:

Management at many companies responded to Sarbanes Oxley by focusing on the practical objective of
getting a clean audit opinion, and, in an effort to anticipate their audit needs, drove their SOX programs
using the PCAOB’s AS-2 auditing standard as a company guideline. Unfortunately, management’s
requirements for compliance with SOX section 404 had almost nothing to do with the AS-2 auditing
standard. Simply stated, AS-2 was designed specifically for auditors, not for companies.

Also unfortunate was the fact that AS-2 was unprecedented in its requirement for skilled professional
labor. This excessive labor requirement was partially driven by the AS-2 requirement for “mandatory
walkthroughs” to collect financial transaction processing information. In order to be done effectively,
this usually required an auditing background. However, companies frequently used employees that were
not trained in auditing; and, as a result, incurred unnecessarily high labor costs to perform the
walkthroughs. Also, when the demanding requirements of AS-2 were combined with a company’s
insufficient workflow and procedures documentation, it dramatically increased the overall confusion and
costs for a SOX compliance effort. Employees who were not trained auditors (and probably should not
have been assigned to an AS-2 based SOX project) made mistakes when establishing the document
“foundation” for SOX testing and control design. This frequently resulted in a recipe for disaster. This
recipe for disaster (i.e. the AS-2 standard, untrained staff, and poor documentation) could occur even
when audit firms were engaged to assist companies with their SOX efforts, but for a different reason.
Although auditors were familiar with the AS-2 auditing standard, they were not necessarily familiar with
the company’s workflows and procedures. As a result, they had to rely on the documentation that the
company had established in order to plan walkthroughs and control testing; and the walkthroughs were
only as good as the documentation and the stability of the processing workflows and procedures. Also,
walkthroughs did not work as well in practice as they could in theory because transactions are not
“Routers” in that not all transactions contain all “Branches” of a process required for recording a journal
entry to the general ledger. If the transaction selected for the walkthrough does not hit all the steps and
controls in a process, the information is incomplete or incorrect. This could become more of a
problem than one would first think, since walkthroughs are recommended in the AS-5 auditing standard
paragraph 37 as the correct approach for understanding likely sources of misstatements.

37. Performing Walkthroughs.

Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.[1]

In either case, AS-2 was frequently “forced” to work with inadequate workflow and procedures documentation, and with company employees who had very little training in AS-2 auditing. In addition, a company’s learning curves for AS-2 and its need for “walkthroughs” were exacerbated by the fact that documentation for financial reporting workflows was usually inadequate or out of date. In many companies, the resources and costs related to efforts to comply with AS-2 were out of control because the company couldn’t provide sufficient ICFR workflow and process documentation to minimize the learning curves, or to reduce “walkthrough” labor requirements. The “AS” in AS-2 stands for “Auditing Standard”, not corporate guidance. Management should have stopped and seriously thought about this fact, because … “YES” it did make a difference.

[1] PCAOB Release 2007-005; May 24, 2007; Page A1–19 – Standard

Preliminary, Draft; For discussion purposes only.

The “underlying theme” for actual SOX problems, and the “substance” for this analysis and presentation, is the fact that management and the auditors were from two different worlds in terms of their SOX section 404 responsibilities, but never appeared to realize it. In addition, they did not share a common database or source of financial reporting workflow and procedures information that could serve as a central information source to synchronize their compliance efforts. Communication and mutual understanding was rarely, if ever, achieved because management generally accepted the auditors’ AS-2 as the “compliance model” for SOX without any real understanding of its implications or underlying principles. This is especially true when it comes down to AS-2 risk and control auditing concepts, including walkthroughs and control attribute testing methodologies. In reality, each party’s SOX responsibility was based on different risk requirements and objectives, yet they tried to standardize on AS-2 as the common point of agreement and compliance guidance. The almost complete lack of attention to the real differences contained in an accurate interpretation of section 404 requirements reminds me of the “Twilight Zone” TV episode titled “To Serve Man”, in which the interpretation of a key document (a book) was wrong, and the consequences of decisions made on the basis of this wrong interpretation were catastrophic. As in the case of both the TV show and SOX compliance, there is no “Rosetta Stone” to translate each party’s “Role” and responsibility; that is, to translate the core differences between management’s assessment requirements and the auditors’ AS-2 auditing standards. However, once the differences are understood, it is clear to me that there is no imaginable reason for a company to be using AS-2 or AS-5 as a SOX compliance guideline. The companies’ legal and practical responsibility is to establish and assess internal control and financial reporting procedures for misstatements in their financial reports, not to assess for misstatements to the AS-2 standards for financial reporting. This makes a big difference! Just like misinterpreting the “Book” in the “Twilight Zone” episode made a big difference.[2] The validity of the position that there are significant differences between the auditor’s responsibilities under AS-2, and management’s assessment requirement, is supported by the SEC interpretative guidance (Federal Register, June 2007).[3]

SOX history:

Most SOX programs failed to meet management’s expectations in terms of cost, scheduling, predictability, and integration with the companies’ daily procedures. In addition, at some companies control testing was full of surprises and disrupted the continuity and scheduling of SOX programs. These surprises occurred partially because the sampling methodology used for testing the effectiveness of internal controls was based on an auditing approach for control “acceptance sampling” which could produce unexplainable, unreliable or unrepeatable results when used without adequate training and understanding. This “authoritative” sampling methodology used by most companies was based on the minimum acceptable auditing sampling plans, and used small sample sizes. These sampling plans were more useful to auditors than they were to management since AS-2 allows auditors to increase their confidence in testing results by “cross applying” financial audit substantive testing to support their internal control evaluations; unfortunately, most management SOX teams did not have that advantage. Also, for auditors, the sampling plan is only one of many considerations used to form an opinion, whereas companies had a tendency to rely exclusively on the test results to reach conclusions. Drawing conclusions using these sampling plans requires experience and judgment not necessarily available to companies using employees for testing.

[2] The episode can be viewed off the internet at http://www.imdb.com/video/cbs/vi54853657/ after a minute commercial.
[3] The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf

Eventually, an authoritative guidance for companies was provided by the SEC (June 2007) which recognized both the differences and the common elements of the auditors’ and the companies’ SOX assessment responsibilities. This is referred to as the “SEC interpretative guidance”[4] and is focused on an SEC acceptable methodology for a company to perform an assessment of ICFR. In many respects, this was too late because, prior to this guidance, project managers and informal SMEs with an accounting or auditing background used their experience in “walkthroughs” to collect process information (usually for processes that were not stable or documented), and to create Risk Control Matrices (RCM) for control documentation. Because of the alignment of these procedures and RCMs to the auditing requirements of AS-2, I consider this approach “ineffective” for management’s assessment; however, these procedures became the norm at many companies and could not be dislodged easily. Employees who applied these techniques to comply with the AS-2 “model” for SOX compliance usually created a program that was unacceptably expensive because - without process flow documentation - they were working in the dark. In many cases, this resulted in control and testing “over-kill” to eliminate any perceived risk. This phenomenon of trying to produce a “Zero-Risk” internal control system occurred partially because companies could not provide the basic “total process” workflow and procedures documentation and partially because of uncertainties and anxieties by employees trying to comply with AS-2. In addition, company personnel were confused and misdirected by AS-2, and usually did not understand what they were doing or what was expected from them.

In retrospect, I now believe that fully documenting the workflows and procedures first, and allowing or facilitating employees to analyze and resolve SOX compliance issues as they were discovered, would have been a more productive and less costly approach for companies. As a result, my approach is to do precisely that by first determining “up front” what the total financial reporting process looks like, and then determining what each employee contributes to the process. This is designed to decentralize the workload to the most qualified people for process documentation (the actual employee doing the job). Once the workflows and employee procedures have been documented, the significant risks can be evaluated and necessary controls developed “in context” with other controls by using pre-designed workflow models. In my opinion, it doesn’t matter when this workflow and procedures mapping process is completed. What really matters is that it must be completed; only when it has been completed can the controls and risks be viewed in context. After this is done, then, and only then, do I recommend auditing and testing the process controls for effectiveness. Premature testing can be a disaster, and it has happened.

SOX also resulted in a paradigm shift in auditor and management responsibilities that disrupted their existing “Roles” in financial reporting. The change in the auditors’ focus from auditing the end results (financial reports) to auditing the management controlled internal workflows in a more comprehensive manner minimized the auditing firms’ ability to “deliver” inexpensive solutions to problems or issues that were found during the audit. Prior to SOX, auditing issues could be resolved with inexpensive accounting entries that were usually provided by the auditors. However, the paradigm shift in responsibility eliminated the auditor’s capability to provide management with this low cost solution. Accounting entries could not solve internal control (workflow) problems, and the cost of remediating internal control deficiencies (which was deferred until after the audit) fell back on company management. This “surprise” and the resulting remediation expenses were not planned for. As a result, remediation reaction time was too slow, decisions were not made, and management’s compliance objectives were at risk. In some instances, full SOX remediation was still not completed even after four or five years of patchwork and band-aid fixes. In addition, company SOX compliance teams usually couldn’t get much assistance from their auditors during the first few years because the auditors were focusing on solving their own AS-2 “SOX problems” in order to comply with SOX Title I section 103, in addition to section 404. Consequently, the auditors were not focusing on, or (in many cases) even willing to discuss, the company’s compliance issues.

[4] The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf

Defaulting to the PCAOB’s AS-2 or AS-5 auditing standards for guidance created a major problem for
many companies, and eventually misdirected the companies’ resources and personnel into performing
auditing work rather than strengthening and documenting the company’s internal procedures and
control workflows. Management paid a very high price for allowing the PCAOB AS-2 auditing standard to
drive their SOX compliance programs. In fact, using AS-2 and a “checklist” approach is recognized as the
cause of many expensive and unsustainable SOX programs. The checklist approach, which is usually
based on the “AS-2” auditing standard, put at least as much emphasis on auditing risks as it did on the
company’s financial reporting assessment risks. This did not focus sufficient attention on establishing and
documenting financial reporting workflows and procedures or leave sufficient funds for companies to
provide supporting documentation for auditors to perform inexpensive walkthroughs in accordance with
AS-2. In addition, since there is a substantial element of subjective interpretation involved in using AS-2
as a company guideline, it was extremely difficult – if not impossible (in many cases) – to reconcile year-to-
year control descriptions, narrative wording, and test plans to each other.

This inability to effectively compare an earlier year’s control and documentation wording to the current
year’s wording exacerbated existing communication issues with external auditors, since they usually
preferred to begin a new year’s audit with the documentation, control wording, and testing results from
the previous year. However, many companies changed wording during the year as the result of
discovering discrepancies or inaccurate workflow and procedures documentation. This problem was
compounded when contractors were used to make midyear changes which were not documented, or
where remediation projects reorganized a company’s workflows and internal controls, or made major
changes to information systems involved in the financial reporting process.

This could become a serious source of compliance project delay or “audit panic” when auditors wanted to
“track” changes in wording from one year to the next because monitoring and documenting these
changes was:

1.) Usually not expected, and the requirement wasn’t known until after the fact.
2.) Extremely labor and cost intensive without a “system” in place to track changes.

In many cases companies could not explain specific changes because of employee turnover on the project,
unmanaged changes in definitions, and revisions or updates of control attributes. Also, “control
rationalizing programs” frequently combined controls which resulted in rewording an existing control
multiple times, or eliminated portions of a control description or completely re-wrote a workflow or
process walkthrough narrative.

This created irreconcilable changes in documentation when performed without a SOX “change
management” process. Also, when remediation took more than a year, it could create new process
documentation that could not be reconciled or compared to the old documentation.

At an extreme, new wording could not be reconciled, and could stop a SOX audit. This could result in all
related documentation for the old processes being replaced by new documentation then re-tested and
“re-audited” from scratch. However, as costly as this could be, I believe the greatest cost was that the
unrealistic effort to reconcile wording created “compliance inertia” in the respect that everyone became
unwilling to change anything. As a result, efforts to correct errors could come to a halt because it was
easier to leave things the same and “Rinse and repeat” the previous year’s tests.

In my opinion, the most obvious area of avoidable compliance cost (walkthroughs) was a result of the
unnecessary attempt, by companies, to comply with the AS-2 auditing standards combined with a lack of
“overall” financial reporting workflow and procedures documentation. Not having accurate and
comprehensive financial reporting workflow and procedures documentation forced an unexpected and
expensive reliance on multiple “redo’s” which required additional skilled labor to provide “iterative”
“walkthroughs” just to collect basic information on the financial reporting processes. The economic
severity of this problem is reflected in the fact that the auditing walkthrough requirements were
“declawed” from AS-2 to AS-5 from “mandatory” to “as needed” after negotiations between the SEC, the
PCAOB, and corporations. Walkthroughs are an expensive SOX AS-2 auditing procedure; but, from an
auditor’s point of view, someone had to do it because it is difficult to opine on “something” if you do not
have a clear understanding of what that “something” is.
However, the relevant question that has to be asked is: Did companies have to become auditors and
adopt AS-2 as an internal SOX guideline?

Unfortunately, many companies never created and documented an accurate overall “Business Model” or “Map” of the financial reporting workflows to support a cost effective walkthrough. In my opinion this cost companies dearly, and will continue to do so until each company completes a workflow model. This is because workflows and procedures are the foundation for effective walkthroughs, and contain all the transaction processing activities that comprise internal control. Even years after SOX became effective, many companies still do not have an overall dynamic model of their financial reporting process. Consequently, because this foundation is essential to understanding and working with a company’s financial reporting processes, I recommend that companies take the critical first step in a SOX “recovery” program, and use a “vetted” process modeling methodology such as “IDEF0” to create a financial reporting production “model” to serve as the foundation for future efforts.

Obviously, I have an interest in doing this type of work.

In order to create an authoritative and legal basis for management to rely on for SOX 404 compliance, the
PCAOB, the SEC, and other interested stakeholders negotiated for years to find an effective alternative
(solution) to the inappropriate use by companies of the AS-2 auditing standard and checklists. However,
while these negotiations were being conducted, companies were still committing major funds to finance
SOX compliance projects based on AS-2, and, as a result, AS-2 became deeply entrenched as the company
compliance standard. Consequently, a lot of unnecessary or redundant controls were “baked” into many
companies SOX compliance documentation and testing programs. The SEC and the PCAOB did eventually
present a joint theme for SOX compliance that consisted of two components. One component was
designed and intended to apply only to the auditing community. This was finalized as the PCAOB’s AS-5
auditing standard, and established requirements for auditors in a format that addressed their
responsibilities in both financial and internal control auditing. AS-5 was never intended to apply to
companies, and, in my opinion, is not an economically viable guideline for a company’s SOX compliance
program. At about the same time that AS-5 was finalized (June 2007), the SEC released its own SOX
compliance guideline for companies. This was referred to as the “SEC Interpretative Guidance”, and was
designed to provide companies with a comprehensive guideline covering management’s SOX section 404
responsibility for an assessment of internal control while at the same time reducing excessive costs that
had resulted from the “checklist” approach. The guidance also provided guidelines to reduce the rigid
“documentation” and walkthrough requirements of AS-2. In addition, since this guidance is somewhat
based on the concept of “Information Asymmetry”, it holds management to a higher level of
understanding and responsibility for internal control assessment than that expected from auditors.

Both the PCAOB AS-5 auditing standard and the SEC interpretative guidance focus on a “Top Down” risk analysis; but each refers to a “different” set of risks. The companies’ “risks” are the financial reporting risks inherent in producing the financial reports themselves; that is, quality control over the production workflows and procedures for producing their financial reports. On the other hand, the external auditor’s responsibility is to evaluate risks to financial reporting in accordance with the requirements of AS-5. Both the SEC interpretative guidance and the PCAOB AS-5 refer to risks as being the “drivers” for an ICFR evaluation, but AS-5 requires a prescriptive, structured approach focused on “auditing”, whereas the interpretative guidance is based more on a “situational awareness” of management for their financial reporting procedures and their effectiveness at controlling risks of a misstatement in the actual financial reports. Beyond that, there are other differences in documentation and evaluation requirements that can provide sufficient financial justification for a company to discard the use of the AS-5 auditing standard and focus on investing in a workflow “modeling” and documentation project while applying the SEC guidance for the assessment of internal control. The interpretative guidance’s instructions related to “documentation” are centered on management’s information availability and tools to address misstatements in financial reports while still providing basic documentation for the auditors to support their need to audit for misstatements according to AS-5. This addresses and “demonstrates” the management vs. auditor “information asymmetry” point of view of the SEC.

The duality and separation of SOX compliance responsibility is highlighted by the law’s original focus on
increasing auditor oversight and their independence from management. In accordance with the
separation of responsibility indicated by paragraphs (a) and (b) of section 404, the SEC recognized the
need for a formal second guidance document in addition to AS-5 that applies specifically to the company’s
management assessment. The increased regulatory focus on management’s internal financial reporting
procedures and workflow responsibility will tend to increase costs for companies trying to maintain both
the AS-5 auditing standard, and the development of their own improved workflows, procedures,
assessments, and financial reporting documentation. This can further increase the economic distance
between companies and their auditors since, in the final analysis, someone has to pay for the auditors to
audit based on the AS-5 standard. The key to working both issues is to build the compliance and
documentation requirements into the company’s daily operations as an investment in workflows,
procedures, and documentation using pre-designed formats. In fact, the existing separate requirements
for management and auditors provide an impetus for management to look at SOX compliance as a
dividing line or point of separation transforming the old world of accounting and auditing based on the
individual “contributing professional” approach - to a remodeled “internal corporate production
workflow where internal control is maintained with monitoring and self assessment”. This could result
in a financial reporting “production-line” and “quality control” approach.

The workflows, procedures, documentation, and automated audit reporting software that I have
developed into a “remodeling package” for financial reporting ICFR compliance moves a company in that
direction by offering an investment based “automated” option as a present and future compliance
solution. In my opinion it is not a question of “if” financial reporting will become a production process
with automated monitoring and audit trails, but rather a question of “how soon can it be done?”, and
what is available for pre-designed workflows and procedures. Migrating away from the “AS” auditing
standards provides an opportunity for a company to establish its own internal workflow “model” of
financial reporting and truly “invest” in a dynamic “process approach” rather than a “Rinse and Repeat”
auditing “test and retest” approach to ICFR compliance. The resulting financial reporting “business
model” and documentation would serve to keep the auditors and the companies’ assumptions and
conclusions “synchronized”. This results in significantly lower costs.

However, since one fundamental problem is that a comprehensive financial reporting workflow model
and documentation may not exist at many companies, the first priority for a cleanup program is to build
that foundation through a “discrete Project” designed for that single purpose. I believe it would be best
done by a discrete project team that is independent and separate from both the company and their
auditors since its intent is to further separate the auditor’s responsibility from management’s
responsibility. The deliverable would be a common, shared, comprehensive financial reporting workflow
documentation database available for both parties to use in performing their separate compliance tasks.

A company cannot make effective and financially sound decisions regarding the appropriateness or necessity of an internal control without putting the risk to be mitigated and the control or controls related to mitigating the risk in context with all other financial reporting controls and mitigating procedures. Ignoring this reality was, and, in my opinion, still is, the primary source of cost, confusion, conflicts, and wasted money in SOX compliance programs. The most effective long term investment for controlling present and future compliance costs is to build an accurate, dynamic and sustainable workflow model, and document the corresponding procedures covering the complete financial reporting process. In addition to supporting external auditing needs, this structured documentation “foundation” provides the necessary information for an assessment based on the SEC interpretative guidance. The purpose of the SEC interpretative guidance was to address problems and cost issues that companies were having as a result of efforts to comply with AS-2 and the auditing checklist approach, which is why it is the only authoritative document that “declares” that it is one way for companies to “legally” comply with a company’s internal control reporting requirements of the SEC as modified by SOX.

An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of Rules 13a–15(c) and 15d–15(c) under the Securities Exchange Act of 1934.[5]

See Below “Best available solution”:

[Figure: “Best available solution”. The diagram shows three boxes: “Financial Reporting Operations”, “Control & Compliance”, and “External Audit”. Labels on the connecting arrows (recovered from the diagram text): “Workflow”; “SEC Interpretative Guidance; ICFR Assessment, Policy, Procedures and Documentation”; “AS-5, Internal Control Auditing Standards”; and “Documentation for AS-5 & SOX Section 103 QC Compliance”.]

[5] The Federal Register version can be seen on the internet at http://www.sec.gov/rules/interp/2007/33-8810fr.pdf


The above illustration shows the final SEC and PCAOB resolutions that defined which authoritative
guidance and standards applied to management versus those that applied to the external auditors for
documentation and SOX compliance. In order to work efficiently and cost effectively, a suitable
centralized and separate “Control and Compliance” group is essential to provide the professional and
clerical support not economically available in the financial reporting operating groups or from the
external auditors. This group should not be biased toward the finance department or any other
individual department. The best organizational solution I have seen is the one that establishes an ongoing
SOX program reporting to a steering committee consisting of all CXOs and chaired by the CEO, or a BOD
audit committee member. This is also recommended in OMB A-123.

Probably for many reasons, but, primarily because of “sunk costs”, the above separation of the SEC’s and
the PCAOB’s authoritative guidance was never put into effect at many companies. As a result, the AS-2 or
AS-5 auditing standard that was “force fit” into many companies is still the dominant guideline and
“authoritative reference”; and many companies have not even evaluated the benefit of a change!
The “Normal” result I observed is as follows:

[Illustration: the “normal” result. Three boxes: Financial Reporting Operations; Control & Compliance (FR RCM, NARRATIVES, WALKTHROUGHS, and documentation for Auditor compliance); External Audit. The rotated labels on the connecting lines, reconstructed from the scattered text, read “AS-5, Internal Control Auditing Standards” and “Documentation for AS-5 & SOX Section 103 QC Compliance”.]

Many companies are too financially committed to AS-5 to even consider a switch to the SEC’s
interpretative guidance. This is unfortunate, since the SEC approach supports developing computerized
workflow monitoring and “self assessment” procedures that could substantially reduce the annual
“expense” of assessment and auditing. Incorporating compliance requirements into workflows and
procedures would be a “one-time” investment that could remain cost effective for years and stay
applicable under increasing regulatory pressures for financial reporting process controls.
In any case, as a consequence of the confusion and deadlines that sealed corporate acceptance of the “AS-
5” auditing standard, a desirable balance was never achieved at many companies. The result is as
illustrated above; an unbalanced reliance on an auditing standard that was a poor fit for companies from
the beginning, and that, without special training, was very frustrating for internal personnel to follow as a
guideline. Since the “control and compliance” function was usually inadequately staffed, both operating
personnel and the auditors went into “overload” and costs skyrocketed as labor became unproductive. A
“take away” of this discussion is that even though the final negotiations between the SEC and the
PCAOB resulted in two separate standards or guidelines related to SOX compliance, that
separation has not been implemented or applied at many companies. This is an event waiting to
happen at companies that can afford to invest in a cleanup and reengineering of their workflows. A
program focused on returning workflows to their last stable condition, or to a reengineered state, would
find that a comprehensive ICFR model and pre-designed workflows are a good part of the solution.

In summary, the PCAOB AS-5 auditing standard directs compliance efforts required from auditors,
whereas the SEC “Interpretative Guidance” directs or provides an acceptable compliance approach for
company management to perform its section 404 assessment.

In addition to confusion and communication problems caused by employees not knowing “which
authoritative document covered what SOX requirement”, a massive gap in expectations was created
between planned project performance and actual performance because management (and the SOX team)
treated the compliance project as an audit engagement or an auditing project rather than as a “discrete”
fully funded project. A separate project that included how to “find, fix, or establish, and then assess”
internal controls while focusing on a deliverable of a full financial reporting workflow and procedures
documentation package would have been the best approach.

One result of the auditing approach was that “on the fly” documentation and control testing methods
were created during the auditing activities that responded poorly to multiple iterations caused by failed
controls and “project resets”. The documentation and testing procedures which reflected the prescriptive
nature of AS-2 were authoritative, inflexible, and rigid. Documentation was established with a “Maginot
Line” mentality: build it once and forget it. However, multiple iterations and “do-overs” were
required because controls were frequently out of context or inappropriate for the overall process and
failed during testing. I attribute this entire debacle to the fact that a stable “full overall view” of the
financial reporting transaction processing workflow was not available to provide a common base of
information support. Everyone was working in the dark! This frequently resulted in “first pass” test
failures and inaccurate process narratives, procedures and control RCM documentation. The need for a
“second pass” was usually not built into the schedules, so panic set in and “on the fly” patches were
implemented. Once a project’s results became unreliable or unrepeatable, controls were
created out of context in an authoritative manner; “knee jerk” band-aid “fixes” added controls
everywhere that there was even the smallest possibility of a risk in an effort to restore confidence in the
internal control processes. This resulted in futile efforts to create “Zero Risk” financial reporting
processes. Redundancy was the rule rather than an exception. Compounding this uncertainty and
confusion was the fact that the “authoritative” audit sampling methodologies that were used were not
effective for management’s “process control” decision making. The use of small sample sizes could result
in unreliable or inconsistent testing conclusions which added to the confusion and prevented effective
decision making by project managers.

By following an “auditing engagement” model, project managers focused on maintaining a low cost
infrastructure with a “temporary” in-and-out auditing approach. This did not work well because a SOX
project is much more than auditing and requires a sense of permanency as well as a separate and
extensive infrastructure. The auditing based project approach was ineffective at most companies because
the companies really needed a “discrete project” approach with the infrastructure and resources required
to “change” or repair the internal controls “as needed” rather than just auditing them. Internal control
“change management” projects are infrastructure-intensive projects that require leveraging sophisticated
statistical sampling techniques as well as information systems technology and SME level knowledge to
maximize the value of labor resources. The auditing approach resulted in too little focus on the
companies’ workflows and procedures, and too much focus on auditing and control testing. In addition,
internal and outside auditors involved in the project had to follow auditing standards for maintaining
independence related to the processes they audited which restricted them from becoming active
participants in solving problems when remediation was required. This problem was compounded by the
fact that many auditors did not have the actual operations management background and experience
required to contribute effectively to the problem resolution process. A realistic compliance project should
be viewed as a full scale process evaluation and reengineering project that can be broken into four major
objectives.

These are:

1. Determine and document what presently exists for actual financial reporting transaction
processing workflows, procedures and internal controls.
2. Determine what workflows and procedures should exist based on a risk analysis and develop
controls designed in context with the workflows, procedures, and documentation developed in #1 above.
3. Implement and test the workflows, internal controls and financial reporting procedures
developed in #2, in an iterative manner, until they are effective.
4. Fully document and maintain the results of the above efforts.

Many SOX programs also became “mired in uncertainty” because SOX compliance teams had difficulty
defining who “Management” was for Section 404 responsibility. The teams wasted resources on
fragmented efforts caused by being torn between focusing on “consolidated” top level financial reporting
vs. local process and activity level reporting. In addition, after the first year, senior executives were
unwilling to repeat the expense of the “surge” of professional labor required to maintain both the AS-2
auditor requirements and the company’s internal control and procedures requirements. SOX compliance
managers were strongly pulled in different directions by the conflict between the auditors’ needs and
management’s needs when allocating scarce labor and limited skill sets.

In addition, in an effort to cover every possible activity where employees or auditors thought there may
be an AS-2 financial reporting risk, there was an “aggressive” case of control “over-kill” and an
inappropriate overly sensitive identification of control needs (especially during the first few years). In
later years most programs went through a “control reduction”, or “control rationalization” process
intended to reduce redundant or unnecessary controls implemented in year one. Success varied from
company to company, however, in some cases new holes were created in the control environment based
on erroneous assumptions regarding coverage elsewhere in the reporting workflow that may have been
changed.

Because of unexpected setbacks and expense overruns in SOX implementation, as well as other well
publicized poor project results, the negative impact on employee morale and management frustration
was unprecedented. SOX projects resulted in resource conflicts, damaged management relations, and
unnecessary “collateral damage” to employee confidence and program involvement. This collateral
damage usually resulted from employee confusion, misdirection, and uncertainty on what to do, how to
do it and when it was required to be delivered. In many cases, project costs were out of control, and
misinterpreted control testing resulted in excessive and costly process changes as well as unnecessary
remediation actions. At an extreme, SOX project managers became obsessed with AS-2 compliance, and
destabilized financial reporting workflows and procedures by attempting substantial changes that could
not be completed within the time and funding allowed. As a result of these attempts at remediation,
revised workflows and/or systems were left in a state of partial completion. In many cases, the changes
were never fully approved, funded, or even fully agreed to by management or the operations
employees involved. In other instances, control reductions and rationalizations resulted in destabilizing
processing workflow narratives and control testing because the documentation couldn’t catch up with
the changes in operations. In those cases where the control environment became disorganized with
misleading documentation and unreliable testing results, it could deteriorate to the point where it was
just a chaotic paper exercise. Under those extreme circumstances, the control environment could become
so confusing and uncertain that it could require a complete cleanup and stabilization of workflows and
documentation to restore financial reporting workflows and procedures documentation to their “last
known stable state of operations”. Sort of like “unscrambling” eggs.

As a result of the inconsistent results that companies experienced at control reduction and
rationalization, an effort was made on my part to develop a cost effective method for re-establishing
stable financial reporting procedures and controls for companies impacted by SOX. My approach is to
return financial reporting processes to their pre SOX stability by creating specific methodologies to
determine what controls are actually needed for effective compliance. In order to accomplish this, I
invested substantial time into research and into developing a repeatable and consistent method of
filtering controls and aligning them in a contextual hierarchy based on their risk mitigating attributes. At
this point, I believe I have successfully developed an effective approach to resolving these types of SOX
issues, and for getting ICFR processes and procedures to an effective and controlled stable state.

NOW – For those who made it this far; I do not believe that companies can use the AS-2 or AS-5 auditing
standards as a guideline in any cost effective manner. In my opinion it did not work, does not work now,
and never will be successful either financially or from a practical operations perspective. I recommend an
alternative, and, of course, I have one available as a product.

A SOX cleanup project should and can be done at a reasonable cost by using pre-designed workflows and
internal control filtering methodologies. However, it must be accepted that cleaning up a process is
neither “accidental” nor “free”. Companies must make a conscious decision to clean up and fully
document their SOX workflows and procedures, and to fund the effort as a discrete project using separate
“unshared” resources.
