WEBMASTER NOTE: This is the unedited transcript of the Roundtable Discussion on Implementation of Internal Control Reporting Provisions held on May 10, 2006 which we received directly from the court reporter. We are posting the transcript in this form to make it available as soon as possible. 1 THE UNITED STATES SECURITIES AND EXCHANGE COMMISSION 2 3 4 5 6 ROUNDTABLE DISCUSSION ON 7 SECOND-YEAR EXPERIENCES WITH INTERNAL CONTROL 8 REPORTING AND AUDITING PROVISIONS 9 10 11 12 Wednesday, May 10, 2006 13 9:00 a.m. 14 15 16 17 18 SEC Headquarters 19 100 F Street, N.E. 20 Washington, D.C. 20549 21 22 23 24 Diversified Reporting Services, Inc. 25 (202) 467-9200 1 C O N T E N T S 2 PAGE 3 Opening Remarks 4 4 Chairman Christopher Cox, U.S. 5 Securities and Exchange Commission 6 7 Acting Chairman Bill Gradison, 8 Public Company Accounting Oversight Board 9 10 Introduction and Panel One - Overview of the Second Year 16 11 Moderators: 12 Thomas Ray, Office of the Chief Auditor, PCAOB 13 Nancy L. Salisbury, Office of the Chief Accountant, SEC 14 John W. White, Division of Corporation Finance, SEC 15 16 Panel Two - Management's Evaluation and Assessment 59 17 Moderators: 18 Laura J. Phillips, Office of the Chief Auditor, PCAOB 19 Scott A. Taub, Office of the Chief Accountant, SEC 20 John W. White, Division of Corporation Finance, SEC 21 22 Lunch Break 23 24 25 1 C O N T E N T S (CONTINUED) 2 PAGE 3 Panel Three - The Audit of Internal Control Over Financial 4 Reporting 118 5 Moderators: 6 Laura J. Phillips, Office of the Chief Auditor, PCAOB 7 Thomas Ray, Office of the Chief Auditor, PCAOB 8 Nancy L. Salisbury, Office of the Chief Accountant, SEC 9 10 Panel Four - The Effect on the Market 176 11 Moderators: 12 Thomas Ray, Office of the Chief Auditor, PCAOB 13 Carol A. Stacey, Division of Corporation Finance, SEC 14 John W. White, Division of Corporation Finance, SEC 15 16 Panel Five - Next Steps 220 17 Moderators: 18 Thomas Ray, Office of the Chief Auditor, PCAOB 19 Scott A. Taub, Office of the Chief Accountant, SEC 20 John W. White, Division of Corporation Finance, SEC 21 22 Closing Remarks 23 24 25 1 P R O C E E D I N G S 2 MR. WHITE: I'm John White, the Director of the 3 Division of Corporation Finance at the SEC, and I want to 4 welcome you to today's Roundtable on Second-Year Experiences 5 with Internal Control Reporting and Auditing Provisions. 6 The roundtable is being hosted, as you know, by the 7 Securities and Exchange Commission and the Public Company 8 Accounting Oversight Board. We have a full agenda today that 9 I'm sure you will find very informative and a very 10 interesting program. We're going to start this morning with 11 brief statements from Chairman Christopher Cox of the SEC and 12 Acting Chairman Bill Gradison of the PCAOB. 13 It's my pleasure now to turn the podium over to 14 Chairman Cox to start the roundtable. Chairman Cox? 15 CHAIRMAN COX: Thank you very much, John. Thank 16 you to all of you. Welcome. This is a beautiful spring day. 17 We're going to spend it indoors with no windows. 18 But I know that it's going to be a vigorous and 19 substantive discussion. I'm very much looking forward to it 20 myself. I'd like to thank each of our panelists, many of 21 whom were kind enough to join us last year as well, for their 22 willingness to come to Washington today and to devote their 23 energy and constructive thinking to a topic of great 24 importance to the nation's public companies. 25 I would also like to extend a particular welcome to 1 Acting Chairman of the Public Company Accounting Oversight 2 Board, Bill Gradison, and the PCAOB Board members who are 3 holding this roundtable with us as well. 4 The Sarbanes-Oxley Act was a critical step in 5 addressing an unprecedented string of corporate scandals that 6 were rooted in very serious governance, accounting and audit 7 failures. The Act, and in particular its internal control 8 requirements embedded in Section 404, has great potential to 9 improve the accuracy and reliability of financial reporting, 10 and it's already done so in many ways. 11 That potential, however, can only be realized if we 12 implement the statute properly, and in the manner that 13 Congress intended it when it passed the Act in 2002. In 14 practice, it hasn't always worked out that way. But we at 15 the SEC are committed to making sure that the provisions of 16 the Act work for public companies and for investors for whom 17 this is all designed. And I have no doubt that the PCAOB 18 shares this commitment. 19 Strong internal control over financial reporting 20 has long been recognized to be important to the reliability 21 of financial information. For that reason, companies have 22 been required to have such controls since the Foreign Corrupt 23 Practices Act was passed in 1977. The requirement to assess 24 and report on these controls, however, is new. It began with 25 Sarbanes-Oxley. Our accelerated filers have now been 1 required to comply with the internal control reporting 2 requirements for two years. 3 During the initial year of reporting, approximately 4 3,900 companies reported on the effectiveness of their 5 internal controls over financial reporting, with almost 16 6 percent of those companies concluding that their internal 7 control over financial reporting was not effective. A total 8 of approximately 1,500 material weaknesses were reported. 9 These reported weaknesses reflected a variety of control- 10 related topics. 11 During the second year of reporting, through April 12 25th, 2006, approximately 3,000 companies have reported, with 13 7 percent of those companies concluding that their internal 14 control over financial reporting was not effective. A total 15 of approximately 400 material weaknesses were reported, again 16 reflecting a variety of control-related topics. 17 At the roundtable that we sponsored last year, we 18 heard about the time, energy and resources that went into 19 implementing the internal control requirements in the first 20 year. We also heard a great deal about first year 21 inefficiencies in the process. We and the PCAOB took this 22 input and issued additional guidance shortly following that 23 roundtable. 24 The purpose of today's discussion is to hear 25 directly from those who have experienced now two years of 1 compliance with the internal control reporting requirements. 2 We hope to hear very specific feedback that will allow the 3 Commission and the Board to further assess the implementation 4 of the internal control requirements and to find out whether 5 impediments remain to reaching a sustainable process that is 6 both efficient and effective. 7 We are particularly eager to hear whether there are 8 actions that we can take to improve the internal control 9 documentation, assessment, reporting and auditing processes. 10 For example, the PCAOB's Auditing Standard Number 2 gives 11 guidance to independent external auditors tasked with 12 determining whether a company's internal controls are 13 effective. 14 No similar guide, however, exists for companies and 15 for their management. And in the absence of direction from 16 us, companies have been basing the assessment of their 17 controls on AS-2. Management and auditors clearly have 18 different duties and responsibilities. Wouldn't management 19 benefit from having guidance from the Securities and Exchange 20 Commission on what constitutes adequate controls? 21 The ultimate goal, of course, is to have good 22 controls and complete disclosure so that investors can make 23 informed decisions without unduly impacting a company's day- 24 to-day business. I'm certain that the distinguished and 25 diverse group of panelists that we've assembled will let us 1 know how the process has really worked for issuers in general 2 in year two. 3 As we did last year, the SEC and the PCAOB 4 solicited written feedback in connection with this 5 roundtable. In addition to what we hear today, therefore, we 6 will be considering the written submissions that we've 7 received. Those submissions are available to the public on 8 the SEC's and the PCAOB's web sites. 9 Today's proceedings come on top of reports from the 10 Government Accountability Office and the SEC's own Advisory 11 Committee that we set up last year to report on the problems 12 peculiar to small business. I hope and expect that today's 13 roundtable will bring us much closer to the finish line, and 14 we have every intention at the SEC and the PCAOB of getting 15 404 right sooner rather than later. 16 As compared to the importance of our topic, we have 17 a limited amount of time today. So I'm going to keep my 18 remarks brief. Our moderators will be going through the 19 rules of the road for the panel discussions in more detail, 20 but I hope that we can engage in a focused and useful 21 discussion, just as we did last year. 22 Again, let me express my thanks to all the panelist 23 who have agreed to be here today. We appreciate the time 24 that specific you're taking out of your very busy schedules 25 in order to share your views with us. We'll be listening 1 carefully. And I can assure you that we intend to consider 2 all of the different views expressed today. 3 Now I'd like to give Bill Gradison, the Acting 4 Chairman of the PCAOB an opportunity also to say a few words 5 of welcome. Bill? 6 MR. GRADISON: Thank you, Chairman Cox. On behalf 7 of the Public Company Accounting Oversight Board, welcome to 8 today's roundtable. 9 The Board and staff of PCAOB have been actively 10 monitoring the implementation of the internal control 11 reporting requirements of Sarbanes-Oxley, and this roundtable 12 is an important aspect of our information gathering. 13 We expect the panelists will share their 14 experiences with the internal control requirements, the nitty 15 gritty that doesn't always come across in the surveys that 16 we've seen. In that sense, this roundtable is much like the 17 congressional testimony that Chairman Cox and I are familiar 18 with from our days -- our years, actually -- in the House of 19 Representatives. Like the testimony that we heard from 20 congressional witnesses, what we hear today will give us 21 guidance for adjusting and improving the rules that govern 22 the assessment of internal control by auditors and 23 management. 24 After last year's roundtable, the SEC and PCAOB 25 both made mid-course corrections with respect to reporting on 1 and the auditing of internal controls. Without prejudging 2 anything we'll hear today, based on the information we 3 already have, it would seem that some further changes may be 4 in order. 5 The SEC, of course, writes the rules and oversees 6 the implementation of companies' responsibilities for 7 assessing and reporting on internal control. PCAOB writes 8 the standards for and oversees the implementation of the 9 auditors' responsibilities with regard to internal control. 10 Section 404, along with the SEC's implementing 11 rules, and the PCAOB auditing standard, Auditing Standard 12 Number 2, or AS-2, as it's affectionately known, won't by 13 themselves drive all the necessary improvements in financial 14 reporting. 15 It is important to keep in mind that public 16 companies by their very nature have special responsibilities 17 to their owner investors. Indeed, the Sarbanes-Oxley Act 18 recognizes by stating in the preamble that it is, quote, "an 19 Act to protect investors by improving the accuracy and 20 reliability of corporate disclosures." Close quote. 21 In furtherance of this goal, Congress was quite 22 explicit when it mandated in Section 404 of the Act specific 23 requirements for companies and their external auditors with 24 respect to internal control over financial reporting. 25 Yet at the same time, Congress gave PCAOB and the 1 SEC considerable flexibility in determining how to implement 2 these requirements. Indeed, both Senator Sarbanes and 3 Chairman Oxley have stressed this flexibility repeatedly. My 4 Board colleagues and I have always had flexibility in mind 5 when dealing with AS-2. 6 From the time we voted to adopt it, we've 7 emphasized that the application of significant auditor 8 professional judgment is an essential part of the standard. 9 My sense is that auditors as well as management of public 10 companies should exercise even more judgment as they look to 11 the third year of implementing the internal control 12 requirements. 13 My fellow Board members and I at PCAOB are 14 particularly concerned about small audit firms that have yet 15 to perform internal control audits. We hope to encourage 16 these firms to continue auditing public companies by helping 17 them prepare to implement AS-2. I believe we will succeed if 18 we can communicate to them that AS-2 is not only flexible but 19 scalable. And a standard can only be properly implemented by 20 exercising good, sound professional judgment. 21 A key part of any action we take must address 22 implementation of AS-2 in the internal control audits of 23 smaller public companies. PCAOB is uniquely positioned to 24 understand how well auditors are fulfilling their 25 responsibilities through our inspections of registered public 1 accounting firms. We've heard some say that our inspections 2 have driven auditors to do more work under AS-2 than is 3 necessary. 4 In this regard, the Board last week announced that 5 our inspectors will focus on audit efficiency, that is 6 whether auditors meet the -- whether audits meet the 7 objectives of AS-2 with the least expenditure of efforts and 8 resources. 9 In addition, our inspections, that actually began 10 last week, will combine our inspections of internal control 11 audits with our inspections of financial statement audits, 12 much as auditors are expected to integrate their audits of 13 internal control with the audits of financial statements. 14 Consistent with past guidance, our inspectors will 15 also be looking for top-down approaches to audits, whether 16 auditors properly assess and respond to risk, and whether 17 auditors use the work of others to the greatest extent that 18 is appropriate. 19 We believe that focusing our inspections in this 20 manner will be a significant step towards preserving the 21 parts of the auditors' work that are truly necessary and 22 essential while cutting out unnecessary costs. Because of 23 the importance of our inspections, some of the questions for 24 panelists will focus specifically on our inspections program. 25 We look forward to hearing panelists' reactions to our 2006 1 inspections approach. 2 As our monitoring of the reporting requirements 3 continues, the Board welcomes ideas about how the 4 implementation of Section 404 can be made scalable to 5 companies of all size. 6 I was a general partner of a New York Stock 7 Exchange firm that built its business around the needs of 8 smaller businesses and investors of modest means. From that 9 experience, I firmly believe there is significant public 10 interest in providing investors in all companies with the 11 same level of assurance as to the accuracy and reliability of 12 financial reporting, which of course is what Sarbanes-Oxley 13 is all about. 14 Addressing the various implementation issues in a 15 constructive manner will require action by PCAOB, the SEC, 16 issuers and auditors, which must of course be geared toward 17 investor protection. Whatever actions are taken, we'll 18 certainly be informed by today's roundtable. 19 With that, let me turn the floor back to John 20 White. 21 MR. WHITE: Thank you, Chairman Cox and Acting 22 Chairman Gradison. We have a very full day ahead of us with 23 five terrific panels to walk us through a range of issues 24 that people have faced as accelerated filers have completed 25 their second year of compliance with Section 404's 1 requirements. 2 Before we get to the roundtable itself, however, I 3 need to make a few introductory points and lay out the rules 4 of the road, as Chairman Cox described. First, we are very 5 fortunate to have here today all of the members of the two 6 hosts of the roundtable, the SEC and the PCAOB. Seated at 7 the table to my left starting nearest to the audience we have 8 the five SEC Commissioners, Chairman Chris Cox, whom you have 9 met, Commissioner Cynthia Glassman, Commissioner Paul Atkins, 10 Commissioner Roel Campos, and Commissioner Annette Nazareth. 11 Sitting at the table to my right we have the four 12 current members of the PCAOB. Again starting at the end 13 closest to the Audience, Acting Chairman Bill Gradison, who 14 just spoke, Charles Niemeier, Kayla Gillen and Dan Goelzer. 15 The Commissioners and the Board members will be here 16 throughout the day for all five panels, and for that I say in 17 advance they have my gratitude and admiration, because it 18 will be a long day. The rest of us get to come and go up 19 here. 20 The rules of the road for today's program are I 21 think actually fairly simple. The lead moderator on each 22 panel will introduce the panelists, and the other moderators 23 for that panel, and I'll do that in just a moment for the 24 first panel. But I want to cover a few other things firs. 25 As Chairman Cox said, we have asked each of the 1 panelists to submit written comments if they choose to, and 2 many have done that. And their submissions, along with the 3 other submissions received from the public, are all available 4 on the Commission's web site. The PCAOB also has public 5 comments posted on its web site. 6 And finally, a transcript of today's program will 7 posted on the Commission's web site once it's been prepared. 8 In the interest of time and so we can move quickly 9 through the proceedings today, we have asked the panelists 10 not to make opening statements so that we can start questions 11 right away with each panel. The moderators will take the 12 liberty of directing certain questions to certain panelists, 13 and in some cases follow-up questions to panelists. But at 14 the same time, we do encourage the participation of all the 15 panelists when you have something to say and would like to 16 make a comment. 17 But there is one very important rule for all that, 18 and that is, so that we can maintain order, if you would like 19 to speak, you need to take your tent card like this and set 20 it up like that, and then we will know that you wish to be 21 called on. 22 The Commissioners and the PCAOB Board members have 23 also agreed to follow the same tent card rules to the extent 24 that they have questions, or at least I hope so. 25 With that, I'm going to introduce the first panel, 1 and we're going to get started. So, the first panel. 2 PANEL ONE - OVERVIEW OF THE SECOND YEAR 3 This panel has been set up to look at the 4 experiences people have had specifically with their second 5 year of compliance with 404. And we are especially 6 interested in changes in the second year as companies and 7 their auditors have gained more experiences, whether 8 resources have been allocated efficiently and effectively in 9 the second year, and whether progress has been made towards 10 the goal of improving the reliability of financial reporting 11 in the second year. 12 To work through those issues, we've assembled a 13 very impressive panel, and I will go through and introduce 14 each of the panel members. Starting on the left, we have 15 Philip Ameen, the Vice President and Controller of GE. 16 Next we have Mary Bush, the president of Bush 17 International. Ms. Bush is also a member of several boards 18 of directors of public companies, including one in which she 19 serves as the chair of the audit committee. Rodg Cohen, who 20 is the chairman of the law firm of Sullivan & Cromwell. 21 Colleen Cunningham, President and CEO of Financial Executives 22 International, or as I think many of us know it, FEI. Bob 23 Davis, Chief Financial Officer of CA, Inc. Mr. Davis is also 24 here representing the U.S. Chamber of Commerce at today's 25 roundtable. 1 Next, Samuel DiPiazza, Global Chief Executive 2 Officer of PricewaterhouseCoopers International, if I got all 3 that right. Barbara Hackman Franklin, President and CEO of 4 Barbara Franklin Enterprises and a former U.S. Secretary of 5 Commerce. Ms. Franklin is also the director of several 6 public companies, including one of which she serves as the 7 chair of the audit committee. 8 Next, Joe Grundfest, who is a professor at Stanford 9 Law School. Professor Grundfest is also a former SEC 10 commissioner, although I bet he was not in such a nice room 11 as this. And he is a director and audit committee member of 12 two public companies. 13 Seated next to Professor Grundfest is Dennis 14 Johnson, who is the Senior Portfolio Manager, Corporate 15 Governance Office of CALPERS, the California Public Employee 16 Retirement System. 17 And finally, Ed Nusbaum the CEO and Executive 18 Partner at the accounting firm of Grant Thornton. 19 The moderators for Panel One are myself, John 20 White, to my right, Nancy Salisbury, the Senior Associate 21 Chief Accountant in the Commission's Office of the Chief 22 Accountant, and to my left, Tom Ray, the Chief Auditor at the 23 PCAOB. 24 So, that's I think all the introductions, so let's 25 turn to the substance of the first panel. And we'd like to 1 organize this first panel along the lines of five topics with 2 roughly equal time for each one. The first topic will be the 3 benefits and costs of 404, speaking broadly. 4 The second is the specifics of second year 5 compliance compared to first year compliance for accelerated 6 filers. Third, we want to talk about costs and a couple of 7 studies that have been done on costs. And then we want to 8 move to experiences with the management's assessment and then 9 close with experiences with the audit. 10 So those are basically our five topics to get to 11 our first topic. We want to hear about the second year 12 compliance and whether the panelists believe that the 13 requirements of 404 have helped improve the quality and 14 reliability of companies' financial statements. 15 And I guess I'd like to actually call on three 16 panelists to get a variety of perspectives. So I'd like to 17 pose these questions in that area first to Barbara Franklin, 18 then Rodg Cohen, and then Dennis Johnson. And those are, 19 what are the improvements we've seen in 404? What are the 20 source of those improvements? What are the countervailing 21 costs? How do you see the balance of the benefits and the 22 cost? 23 We start with you, Ms. Franklin. You need to turn 24 your mic on. 25 MS. FRANKLIN: Thank you. I would like to first 1 thank the SEC and the PCAOB for holding this roundtable again 2 this year. Last year's was very productive, and so was the 3 guidance that emanated from it, and I assume that will happen 4 this time, too. 5 To answer your question, to begin to answer, of 6 course I speak as an audit committee chairman and member. I 7 think the second year implementation of AS-2 has been 8 smoother and in general, control systems are more effective. 9 Fewer material weaknesses have been noted. And presumably, 10 that does mean stronger reliability of financial statements. 11 But there are ongoing costs, and the balance 12 between costs and benefits has improved, but it still isn't 13 quite right. On the benefits side, hard to quantify, but 14 what I've noted about management is, that there's been a 15 change in mindset from a semi-crisis to a more steady state 16 ongoing effort. There's more understanding of the function 17 and importance of controls, more ownership of them throughout 18 management, not just the financial side. 19 There have been some efficiencies. Deferred 20 maintenance has been taken care of. One caveat, though, is 21 small companies. I think there's some guidance that is 22 really needed there. 23 With respect to auditors on the benefit side, I 24 think they have done better with respect to risk, risk-based 25 approach, more reliance on the work of others and just a 1 little less nervous. But I still think that there is still a 2 lot of sticking to the literal wording of the standard with 3 good reason, fear of litigation, of the memory of Arthur 4 Andersen, what the PCAOB inspections might turn up, all of 5 that. 6 And then with respect to audit committees, I think 7 audit committees now are more engaged. From the beginning, 8 the planning of the scoping of the process to the final 9 opinions and the oversight that has to go on in between. 10 On the cost side, there are these surveys that 11 we'll I'm sure hear about later. And in every one of them, 12 the cost has gone down. There is not agreement about how 13 much the cost has gone down, and generally I think there's 14 still the view that the costs are still a little bit too out 15 of line. 16 I think with respect to management on the cost 17 side, it was very hard to predict what the second year was 18 going to be like. So maybe the estimates early on were not 19 quite accurate, and there is an ongoing cost to maintaining 20 and testing controls. 21 With respect to auditors, I've said I think there 22 is an issue there about the overdoing some kinds of testing 23 because of the literal interpretation of the standards, and 24 about audit committees, we spend more time on this, but, hey, 25 that goes with the territory. 1 So I think there's still more work to be done to 2 balance the costs and the benefits, and it's really important 3 to get this right, because you don't want to create an undue 4 regulatory burden. You don't want to discourage companies 5 from our capital markets, and you don't want to do anything 6 to diminish the entrepreneurial risk-based culture that has 7 made this U.S. economy what it is today. 8 I've got two quick comments to throw in, and then I 9 will stop. I think it's now time to amend the standard. And 10 literally take the guidance that you put forth last year and 11 put it into the wording of the standard, and that will 12 empower auditors in a way that they don't feel empowered to 13 make judgment right now. 14 Second thing would be to give -- SEC would have to 15 do this -- give guidance to managements about their role 16 here, and particularly to small companies. 17 MR. WHITE: Thank you. Mr. Cohen, do you want to 18 give us your insights? 19 MR. COHEN: Thank you very much. And again, I 20 would echo Barbara's comments, how positive it is that the 21 Commission and the PCAOB are doing this. 22 At the risk of apostasy, I really do believe that 23 there are significant benefits from 404. You have it at the 24 individual company level where companies have discovered 25 problems before they became far more serious. You have it in 1 the capital markets because there is greater confidence in 2 the capital markets. And something I spend a lot of time 3 doing, which is consolidation, you have a major benefit, 4 because there is greater reliability. 5 So the effort really needs to be on balancing the 6 burdens, the costs, against those benefits to make the 7 equation work. 8 I do think it's fair to say that the burdens have 9 declined in the second year based on what we are hearing from 10 clients. To some extent, that is a function of experience. 11 I think to an extent maybe not fully realized, it is a 12 function of the guidance which the Commission did provide 13 last year. 14 But I think when you try and measure the benefits 15 and the burdens, in addition to the costs, which presumably 16 can be quantifiable, there is a more qualitative cost, and 17 that remains the continuing very conservative environment in 18 the accounting profession with respect to the internal 19 controls procedure. 20 We are seeing and continue to see almost a direct 21 correlation between a failure to apply a complex accounting 22 standard, FAS-133 is probably the best example, to a 23 restatement to a material weakness. That line seems to be 24 almost inevitable. Likewise, error seems to correlate 25 directly to a significant deficiency. 1 Further guidance from the Commission would be very 2 helpful in trying to lighten that environment, and if the 3 environment is made easier, then costs will go down. 4 Thank you. 5 MR. WHITE: Thank you. Mr. Johnson, can you give 6 us your perspective, I guess I would say an investor 7 perspective, from CALPERS? 8 MR. JOHNSON: Yes, from CALPERS' perspective, we 9 believe the second year has been a positive. The benefits 10 are several. Number one, there's been improvements in 11 disclosure, and we believe that's very positive for 12 investors. 13 Secondly, you may be familiar with our focus list 14 initiative at CALPERS. And as we have engaged companies 15 through this initiative, focusing specifically on the audit 16 committee, we have determined that the members of the audit 17 committee are of better quality, they're far more engaged, 18 and there's better planning that seems to be taking place at 19 the board level. 20 Also as a result of our focus list initiative, 21 there have been fewer concerns around internal control 22 weaknesses in the last 12 months versus previous periods. 23 And then last, I would just point to a study that 24 was published recently by Lord and Benoit that talked about 25 companies without internal control problems outperforming 1 companies with internal control problems since the 2 implementation of SOX 404. So we look at these as being 3 examples of the benefits of the second year of 4 implementation. 5 In terms of cost, we would note two. Number one 6 being the increase in audit expenses. And then secondly, we 7 note a Wall Street Journal article that was published 8 recently that talked about the perceived cost related to 90 9 percent of the non-U.S. IPOs occurring outside of the United 10 States, and so therefore a perception of market opportunity 11 or investment opportunity being lost. 12 But in summary, we view the benefits as being 13 positive. We believe as a result of the second year of 14 implementation here, market integrity continues to improve. 15 Investor confidence continues to rise, and these two 16 characteristics are very vital for an institution like 17 CALPERS in order for us to be fiduciaries and make the 18 benefit payments to our 1.4 million members. 19 Thank you. 20 MR. WHITE: Thank you. I guess I'd like actually 21 to move to our second topic, which is to try to get an 22 understanding of the second year experience under 404 23 compared to the first year experience. And I guess I'd like 24 to approach that from -- hear from that from the perspective 25 of management, the independent auditor and the board of 1 directors. 2 So I'm going to pose -- at least start my questions 3 with Phil Ameen, Ed Nusbaum and Mary Bush. And the questions 4 really are, how did the second year of assessing, reporting 5 and auditing differ from the first? Were there changes? Are 6 there other changes that you would like to see? And I guess 7 if possible, I'd particularly like you to address whether 8 companies and auditors were successful in your view in 9 implementing the guidance that the SEC and the PCAOB issued 10 last May right after the first roundtable. 11 So, Mr. Ameen, can you give us the GE perspective? 12 MR. AMEEN: I'm not sure I'm speaking for all of 13 GE, but I'll be happy to share what I can on that from that 14 angle. First of all, thank you for the opportunity to be 15 here today and to share the views. 16 We were not at GE actually in our second year in 17 2005. We started implementation and documentation in 2003, 18 and therefore, when we went into the 2004 period with which 19 I'm going to give you the comparisons, we already had a 20 pretty good set of documentation. So our cost and hours data 21 are probably not typical of what you'd see. But I'd say they 22 are typical of implementation of a complex undertaking, which 23 this certainly was. 24 We said last year that our total costs of 404 25 approximated $33 million, and they ran about the same in 1 2005. We did in probably acknowledgement of Commissioner 2 Glassman's observation that no company should have 40,000 3 significant controls, we managed to restrict that number to 4 38,000 that were tested. 5 And I think in sort of sitting back and looking at 6 the overall conclusions that we can reach, one, we're 7 certainly more focused on controls, both in our underlying 8 operations and in operations that we're assessing for 9 acquisition. 10 Two, we are more sophisticated in those 11 assessments, and we're more targeted in analyzing and 12 assessing the controls that are important to our reporting 13 process. 14 And thirdly, we have a common vocabulary for 15 talking about the controls. So, overall, on balance, I think 16 the management team, the board of directors and people down 17 in the trenches actually doing the testing are favorably 18 impressed with the progress that's been made in the second 19 year of 404. 20 MR. WHITE: Okay. Mr. Nusbaum? From the auditor 21 perspective. 22 MR. NUSBAUM: Thank you. Well, first of all, the 23 first observation from an auditor perspective is that the -- 24 in the second year, management's documentation was much 25 better. It had already existed. It was refined and 1 improved. Some of the bugs in the software were gotten out, 2 and companies did a much better job in the second year, a 3 much more efficient job in documenting their controls. 4 From our perspective as auditors at Grant Thornton, 5 I think at all the firms, we truly embraced some of the 6 concepts that came out of last May's discussion. We 7 conducted integrated audits where we combined the testing for 8 internal controls with the substantive testing, which made us 9 more efficient, certainly reduced redundancies, duplicative 10 questions and processes and testing, which made our clients 11 happier. 12 It also allowed us to place reliance on those 13 controls, which made us more efficient. And we took a risk- 14 based approach, a very top-down approach to make our audits 15 effective and efficient. 16 So I believe one of your specific questions was, 17 was the guidance last year helpful, and did we succeed in 18 implementing it? I think as a profession and certainly our 19 firm found the guidance extremely helpful, and I believe we 20 did succeed in implementing it in many different ways. 21 The principles of AS-2, which some have suggested 22 mending, I think Barbara mentioned that, clearly the 23 underlying principles of AS-2 I believe work. And while one 24 could debate some of the specifics, the principles should be 25 kept. 1 Having said that, I think we do need more guidance 2 on internal controls, whether it comes from the SEC or 3 whoever it comes from, it should be in my view very 4 principle-based guidance, principle-based standards, and then 5 specific guidance should come from a panel or a consortium of 6 relevant interests, including corporations, preparers, 7 preferably from the FEI or other groups, from investor 8 groups, whether it's CALPERS or others, and from of course 9 the auditors. And then also with strong representation from 10 the SEC, the PCAOB and maybe any other regulators. 11 That kind of real, practical guidance that would be 12 based on examples and case studies would allow us to use 13 judgment, and allow companies to use judgment, but provide 14 better guidance on the definition of material weaknesses, 15 significant deficiencies, which I think would make us more 16 efficient going forward, particularly benefit smaller 17 companies, as Chairman Gradison talked about, which we're 18 particularly concerned about and making it as easy as 19 possible for those companies to be able to enact the rules. 20 I think that Chairman Cox and Mr. Johnson have 21 talked about the benefits to the investors and so forth, but 22 we could continue to make the process better from an 23 auditor's standpoint by looking at best practices in the 24 audits of 404 going forward. 25 MR. RAY: Excuse me, Ed. I have a short follow-up 1 question on a remark you made just a moment ago. You gave a 2 very positive report on your implementation of the May 16th 3 guidance from last year. Do you think you fully implemented 4 that guidance, or if not, how many more -- how much more time 5 do you think it will be for auditors to really get most of 6 the, or all of the efficiencies that the Board had intended 7 when issuing that May 16th guidance? 8 MR. NUSBAUM: Thank you, Tom. It's an excellent 9 question because -- and I know you were once an auditor -- 10 the process for the audit really evolves over time. And as 11 with all the big firms, it takes us time to modify our 12 approaches, modify our software, and it's really an 13 evolution. There's no finish line on any of these endeavors. 14 As soon as the May rules and May guidance came out, 15 we embarked on a process and issued guidance by August, 16 revising our computerized audit tools, our software, and 17 providing guidance to all of our people in August of 2005. 18 Having said that, I think that further 19 modifications in our case and in all the firms can be made to 20 implement that guidance, and particularly by looking at best 21 practices. The PCAOB can identify, and I know through the 22 inspection process this year will look at further 23 efficiencies we can adopt, because they see all the reports, 24 and they see the underbellies of every firm. So they can 25 help us provide best practices. 1 And I think the accounting firms have already begun 2 discussing how we can work together better, and we need to 3 work together better to identify best practices and figure 4 out how we can further implement this guidance. 5 I don't think we're complete on this at all. I 6 think it is a multiyear. I think we've accomplished it. 7 Some will happen next year, and some will even happen in 8 future years. 9 MR. WHITE: Okay. Ms. Bush, can we get the board 10 of directors' perspective? 11 MS. BUSH: Yes, certainly. 12 MR. WHITE: You need to turn your mic on. 13 MS. BUSH: Yes. Thank you. I think there were 14 changes from year one to year two, in many ways some internal 15 to the companies, some from the outside auditors, and some in 16 the ways in which those bodies interact with each other. 17 I think that managements overall are taking more 18 responsibility, more personal responsibility for controls, 19 rather than simply leaving it to the internal auditors. 20 Internal auditors are in many cases I think pushing 21 managements to take more responsibility. 22 Managements are beginning to integrate the control 23 process into their everyday operations, into the work 24 processes. And this in many ways can be a benefit to the 25 company to its operations. So, in some ways, what one might 1 say is that we're experiencing sort of a cultural change 2 within companies in terms of the emphasis that they're 3 placing on controls. 4 Secondly, I think that -- or certainly the internal 5 audit departments with which I deal, are placing much more 6 emphasis on designing controls as a method of prevention of 7 problems as opposed to detecting problems after the fact. 8 This is also a good thing when it comes to financial 9 reporting and when it comes to safeguarding shareholder 10 assets. 11 Also, independence was an issue with the outside 12 auditors. In many cases in year one, many firms felt that 13 they could not engage with the company or advise them, shall 14 we say, on finding the best approach to financial reporting 15 on whatever the specific accounting matter might have been. 16 I find a mix of experiences there. I find that 17 some outside audit firms are engaging more if they do not 18 feel that they are sacrificing their independence by advising 19 companies when they're trying to choose the best method for 20 accounting for transactions or whatever. I find, on the 21 other hand, I hear comments that some still refuse to engage 22 in talking with the auditors with the financial management 23 early on regarding methodologies. And that I think is a 24 problem. 25 I believe that in the guidance last year, which I 1 also compliment both bodies on, that outside auditors were 2 encouraged to engage more with financial management on how 3 they would account for certain transactions and the like 4 early on rather than after the fact. 5 The checklist approach is still an issue, I think. 6 And what I mean by that is that there still seems to be as 7 much emphasis placed on low level controls, low level process 8 controls, as there in on controls that really have a risk for 9 incorrect financial reporting. That is an issue that I think 10 needs additional attention. 11 And as for guidance, I think there is still room 12 very definitely for guidance, and that that guidance, one of 13 the areas on which I would focus if I were doing it, is on 14 giving guidance with regard to what is truly important in 15 terms of misreporting on financial statements, and this goes 16 back to the issue of that there are areas where there is 17 extraordinary risk for accurate financial reporting, and that 18 there are areas where there is almost no risk at all. And if 19 some guidance could be given to managements as well as to the 20 accounting profession with regard to that issue, I think that 21 it would be very helpful. 22 MR. WHITE: Okay. Thank you. Before we move to 23 the cost issue, Mr. DiPiazza, you have another comment on the 24 first year versus the second year from the auditor 25 perspective? 1 MR. DiPIAZZA: Thank you, John. I just thought it 2 would be helpful to maybe put a few more facts out there that 3 -- and I agree with the comments that Dennis, Mary and Ed 4 have all made. 5 The chairman said that -- he said that we were down 6 from 16 percent material weaknesses, adverse opinions a year 7 ago, now to 7 percent. Over 75 percent of the companies that 8 had material weaknesses a year ago have found those 9 remediated and are not repeating. 10 When you begin to look inside the control 11 atmosphere and the activity inside companies, there's some 12 very clear things that have happened, and we like to think 13 that they are the result of 404 focus. Standardizing 14 processes, eliminating redundant controls, integrating far- 15 flung activities around the world. Bringing new employees 16 quickly into the control environment versus not doing that. 17 A lot of these things were things that were pointed 18 out in the first time through in 404 and clearly have 19 affected the way companies are behaving. And we think the 20 regime of management certification and auditor testing has 21 created that. 22 A couple of more facts. The key controls and all 23 the surveys we're going to talk about, we'll probably talk 24 about cost. But those surveys also did some other things, 25 and I'm not sure which one, whether it was the FEI or the 1 Internal Auditor Survey, but it said that key controls are 2 now down 20, 25 percent from where they were a year ago. So 3 there clearly has been a change in the way key controls are 4 being looked at. 5 So what you are seeing are some pretty clear 6 changes in behavior. The May 16th guidance has clearly had 7 an impact in the way we behave, and I think the way the 8 companies, the standards in which they're holding their 9 auditors, but there's more to come, especially along the 10 lines of reliance. 11 As management and companies become more confident 12 and more independence in their testing, we'll be able to test 13 fewer controls as well. 14 MR. WHITE: Okay. Thank you. So I would like now 15 to turn to cost, which we have heard a lot about. And when 16 I'm talking about costs, I mean costs incurred by companies 17 in complying with 404. 18 There are two studies out there, and I would like 19 Ms. Cunningham and Mr. DiPiazza to talk about the two 20 studies. And then I guess I would like then to go to Mr. 21 Davis to give us the Chamber of Commerce's view on costs, but 22 why don't we start with Ms. Cunningham and the FEI study? 23 MS. CUNNINGHAM: Thank you. And thank you for 24 having us again this year. 25 A little bit about our study. We've done them 1 since 2003. Our last survey that we've done was in March of 2 2005. We did do a survey recently in March 2006 where we 3 asked our members' registrants to answer questions regarding 4 404 and their year two implementation efforts. 5 We had 274 companies respond, of which 238 were 6 accelerated filers. I think before I get into the specifics 7 of the results of our survey, I think, you know, it's 8 important to state that all of the surveys that have been 9 done recently note some -- there are a lot of similarities. 10 They all note similar benefits. 11 For example, in our survey, 56 percent of the 12 respondents stated that there's greater investor confidence 13 in the financial reporting. Forty-four percent felt that the 14 financial reports were more reliable. Thirty-eight percent 15 felt that they were more accurate, and 33 percent felt that 16 404 helped prevent or detect fraud. 17 And as one of the sponsoring organizations of COSO, 18 we've long supported the position that effective internal 19 controls are vital to the integrity of financial reporting. 20 That said, on the cost side, we still hear from our 21 members, and it's evidenced in the survey results, that the 22 costs still far outweigh the benefits. In fact, in our 23 survey, 85 percent of the respondents believe that the cost 24 outweigh the benefits. And this compares to 94 percent who 25 responded that way last year. 1 So it has come down a bit, and I will say we did 2 bifurcate our results based on size of companies. And I 3 think the large companies view it more favorably than the 4 smaller companies for good reason. 5 On the cost side, the respondents in our March '06 6 survey reported that their costs have come down about 16.3 7 percent compared with last year. The bulk of that was 8 internal time that they spent -- I'm sorry, it was the use of 9 external consultants and audit fees. the internal time that 10 staff spent did not go down as much as companies anticipated. 11 I think part of that is the consultant work moved to internal 12 resources. 13 On the audit fee side, our members responded that 14 audit fees declined about 13 percent, not as much as we 15 anticipated, but I think a piece of that relates to the 16 supply and demand issue associated with the resources needed 17 in the audit firms and the salaries that are now required to 18 be paid to maintain those resources. And clearly, 404 added 19 a lot of work to the auditors' staff. So, therefore, they 20 needed to make sure they retained staff. And also I think 21 the practice protection costs have also gone up, which caused 22 the audit fees to go up. 23 I think, you know, there has been discrepancies, a 24 lot of discussion about the discrepancy and the amount of 25 decline between the various surveys, and I think the point 1 here is that they did go down. Most surveys' respondents 2 state that they just didn't go down as much as we 3 anticipated, but I think that can be kind of explained. 4 Also, I should point out that because it's an 5 integrated audit, it might have been difficult for the 6 respondents to identify the pieces that relate to 404 versus 7 the financial statement audit. So studies that have been 8 done related to the overall audit fees based on proxies will 9 note that they've stayed relatively flat when you include 10 both the financial statements and the 404 audits. 11 MR. WHITE: Okay. I guess the other survey, Mr. 12 DiPiazza, is the one that was done, I guess commissioned by 13 the Big Four. And if you could comment on that one, that 14 would be useful. 15 MR. DiPIAZZA: I'm very happy to. And I agree with 16 Colleen. The surveys are all taking sort of a different 17 direction in terms of methodology and where they're coming 18 from. I mean, NASDAQ did a survey. The Institute of 19 Internal Auditors did a survey. And I think it's fair to say 20 that the averages are coming out where costs are down 21 somewhere between 15 and 25 percent. 22 Our survey, we looked at both small companies, 23 large companies. We looked at -- and it was done by CRA. It 24 was an independent survey. We basically gave them access to 25 information and let them accumulate it. The total cost for 1 large companies were down in the 40 percent range, and that 2 included external use of consultants and costing of internal 3 resources and auditor costs as well. And the specific 4 auditor cost for large companies went down about 20 percent. 5 Small companies, the cost went down a bit less, 30 percent in 6 total and 20 percent from the auditor's side. 7 So there is in fact, as I think everyone will say, 8 a scalability issue a bit with the smaller companies. The 9 reasons, and we probed to find out where is coming down, 10 where are we seeing the differences, and they're the obvious 11 ones. 12 Documentation, big savings in documentation. I do 13 think the risk-based approach and the reliance on management 14 testing had a big impact. Integrating the audit does provide 15 advantages, but it makes it a little more difficult, as 16 Colleen said, to figure out what really is the long-term 17 effect. 18 There's a learning curve going on. We don't think 19 in the profession that we're done yet by any means in 20 becoming more efficient. But I do think we would say that 21 the curve is not going to stay at the current rate, because 22 we are now reaching, over the next year or two, we will be 23 reaching what we hope a more steady state as we look at this. 24 MR. WHITE: Mr. Davis from the Chamber of Commerce 25 perspective. 1 MR. DAVIS: In a nutshell, the costs are too high. 2 But -- 3 MR. WHITE: How did I know that was coming? 4 MR. DAVIS: I'll be happy to elaborate a little 5 bit. I think the -- I think it's been a very healthy 6 dialogue. I appreciate the SEC and the PCAOB having us here 7 again this year. I do think the guidance that came out a 8 year ago as a result of that roundtable was helpful. Cost 9 improvements have been made. I do think shareholder 10 confidence is up. So, a lot of the original intents of 11 Sarbanes-Oxley have been achieved. 12 But the cost improvements that have been made to 13 date, particularly around 404, are nowhere near dramatic 14 enough. And I would tend to agree with Barbara's comments 15 about the only way that you could really propel that is to 16 amend or revise AS-2 and potentially have some guidance from 17 the SEC come out to management. 18 Because I think one of the things you're seeing 19 right now, too, is there's a lot of variance in practice. So 20 even if the Big Four may have, you know, one set of practices 21 they're trying to proliferate a lot of times I think -- at 22 least I hear anecdotally, there will be variances by local 23 offices. 24 And it's just that despite Ed's comment about 25 everybody wants to be principle-based and rule-based, until 1 AS-2 is revised, you keep going back to AS-2, and management 2 doesn't really have their version of AS-2, as the chairman 3 said. 4 So I think in this risk-adverse environment, as 5 Mary said, we're just continuing to test too many lower level 6 controls that are really to some degree missing the forest 7 for the trees. 8 And I think the only thing that the Chamber 9 specifically highlighted, which hasn't been addressed here, 10 is that I do also think there are a lot of soft costs 11 involved. There's a lot of time being spent by boards and 12 senior management, which I would probably argue, you know, 13 the audit committees, that's their job. That's the CFO's job 14 and the controller's job, but are we spending a 15 disproportionate amount of time having management so focused 16 on value protection that they're not creating value? I mean, 17 clearly, a few years ago the pendulum was way too far toward 18 value creation. It's now potentially, you know, in the other 19 direction. 20 And then the final thing that I will mention of the 21 Chamber that we brought up in the letter is that one of the 22 other things, too, I think in the risk-adverse environment is 23 there's been a big increase in restatements, that I think 24 most of the time if you actually look at what's driving the 25 restatements, most investors are, I think to some degree, 1 mystified as to the rationale or the reason for doing it. 2 And I tend to think that could be, while we're 3 trying to increase investor confidence with these control 4 opinions, having less judgment than you would expect by 5 auditors and management and being risk-adverse and doing 6 restatements, I think has a countervailing impact which is 7 not positive. 8 MR. WHITE: You had another question, Tom? 9 MR. RAY: Yes. I have a short follow-up question 10 for Mr. DiPiazza, and I think perhaps Mr. Nusbaum and maybe 11 others also might have a view on this point. In the CRA 12 survey, it does show a fairly substantial reduction in the 13 audit fees associated with 404. But on the other hand, other 14 increases in audit fees pretty much make up the difference, 15 so we had a fairly steady overall audit fee cost from year to 16 year. I wonder if you could comment on the reasons for those 17 other audit fee increases? 18 MR. DiPIAZZA: Happy to, Tom. There's no question 19 that the integrated audit, the financial audit, has a scope 20 increase going on. That's coming from demands from audit 21 committees and boards, and frankly, from our own sense of 22 responsibility of what proper coverage is for auditing. 23 So there's clearly scope that has been increased in 24 the pure financial audit. But there are other things. 25 They're the incorporation of new standards, changed standards 1 that we are having to deal with. There's more focus on the 2 detection of fraud, more involvement of forensics that we 3 three years ago didn't have as much as we have today. 4 There are changes going on inside the systems of 5 company, frankly, in part because of 404, where there's more 6 integration happening. There's the systems adjustments or 7 process adjustments as a result of 404, which means the basic 8 audit process is adapting to those things. 9 Over time, that ought to mitigate or reduce the 10 audit fee, but in a year of change, you've got to deal with 11 it. Transactions, a pick up in the transaction environment 12 over the last year, clearly meant that there were more audit 13 fees going on. 14 So, you know, from our perspective, it's a 15 balancing factor. Now we do think that after this year you 16 will see that mitigated as well. But this was another year 17 of change for increase in scope in the audit process. 18 MR. WHITE: Ms. Bush? 19 MS. BUSH: Yes. Thank you. I of course haven't 20 done surveys on costs. My information is anecdotal from the 21 companies where I serve on the boards and from others from 22 whom I talk who are on boards or who are on audit staffs. 23 But from that anecdotal evidence, there seems to be 24 a good deal of differentiation with regard to the cost 25 reductions that we have experienced, and that a lot more, 1 significantly more, of those cost reductions are coming from 2 inside the companies because there is less need for 3 documentation because a lot of what is needed was put in 4 place in the first year. 5 But that the cost reductions in terms of the 6 outside auditors are much, much lower. 7 MR. WHITE: Mr. Cohen? 8 MR. COHEN: Thank you, John. Chairman Cox I 9 thought raised a key question which has been commented on 10 briefly by several panelists and then made a key statement, 11 and I'd like to be presumptuous to try and bring those two 12 together. 13 The question was whether there should be some form 14 of standards or additional guidance for management. And the 15 statement was the distinction which needs to be drawn between 16 the role of management and the role of the outside auditors. 17 At the beginning, it was inevitable that the 18 process would involve duplication, that the outside auditors 19 would almost necessarily have to be highly intrusive and very 20 comprehensive. 21 One great virtue of having standards or guidance 22 for management would be to be able to draw that distinction 23 between the role management in the process and the role of 24 the outside accountants. And I think the bottom line of that 25 would be, once everybody recognizes the respective roles, 1 would be a reduction in costs. 2 MR. WHITE: Well, I guess that will actually leads 3 into our fourth topic, which is management assessment. I 4 think my principal question here was to get a view on the 5 need for guidance or not the need for guidance in the 6 management assessment area. 7 I think we've heard that expressed by several of 8 the panelists already. I don't know, does anyone else -- 9 would anyone else like to comment on the need for management 10 guidance? Mr. Nusbaum? 11 MR. NUSBAUM: Thank you. There were some comments 12 earlier about the need for guidance for management, but I 13 just want to caution that -- and I believe that that's 14 necessary, but that guidance, just to clarify my point about 15 principle-based, the overall guidance and standards should be 16 principle-based, whether they come from the SEC or others. 17 But the implementation really needs real life 18 examples and practical guidance that can be used on a day-to- 19 day basis by management and also used by the auditors and the 20 audit committee as they deal with real life situations. 21 And whether it's through a panel, as I mentioned 22 earlier, or through some other means, what we need is, is not 23 just a set of rules issued, but some examples and practical 24 guidance with real life examples that will make life easier 25 for management, and frankly, easier for the auditors as well. 1 MR. WHITE: Ms. Cunningham? 2 MS. CUNNINGHAM: Yeah. I know you said not to echo 3 would previous speakers said, but I think Ed's right. I 4 guess when I hear guidance, I get worried that we're going to 5 get another standard that will, you know, box management in 6 to some degree. 7 And I think it's very, very important. Every 8 company is run differently. Every company gets comfortable 9 with their internal controls perhaps in a different way. And 10 I think we need to make sure that it is principles-based and 11 the guidance focuses on, you know, the clarification of maybe 12 key terms and definitions, and clarify that management is not 13 expected to follow the same rules that the auditors are 14 required to do. 15 MR. WHITE: Boy, I'm almost afraid I asked this 16 question. 17 MR. DiPIAZZA: Actually, John, I wanted to be sure 18 that -- we are talking about management guidance, but there's 19 guidance that we need in the profession as well in AS-2. 20 And, frankly, that's what I wanted to make a comment on. 21 There's several areas, and I think someone earlier 22 actually made the reference to it. Restatements are a 23 problem. When a deficiency, first evaluating a deficiency 24 and the extent of a deficiency is hard enough. But then when 25 you have a situation where deficiencies are a strong 1 indicator, restatement is a strong indicator of a material 2 weakness and vice versa, then you've got very serious issues 3 about how a restatement, when a restatement leads to a 4 material weakness and an adverse opinion. And if there is 5 anything that's creating enormous stress in the system, it's 6 sitting right there. 7 You know, from the profession's viewpoint, every 8 restatement doesn't mean you have a material weakness. But 9 there is a default assumption that that's what you've got. 10 So we're going to need some help there. 11 We probably also need help with materiality. The 12 interim materiality, how it's judged, what are the impacts on 13 known errors, known misstatements on the interim basis versus 14 something that's not a known misstatement but a problem on an 15 interim basis. Those are things that we need some help with 16 in AS-2. I don't think you have to reopen AS-2 to do it, and 17 we can talk -- I know you'll get to that in a second. 18 We actually think that AS-2, the May 16th guidance 19 of last year has already been incorporated in our policies 20 and procedures. You're not going to get a big bang by 21 incorporating them into AS-2, because we're already treating 22 them as if they're part of the standard. 23 But I do think there are some things we need to -- 24 we need some help with. 25 MR. WHITE: Ms. Franklin? 1 MS. FRANKLIN: A footnote. I was going to raise 2 what Sam did about the materiality definition and those -- 3 I've had a bee in my bonnet about the definitions of 4 significant deficiency and material weakness for a long time 5 in the standard, that there ought to be some better way to 6 articulate what we're trying to do and to bring materiality 7 back. 8 With respect to the management guidance, where I 9 was really going with that is to emphasize that this would be 10 a way for the SEC to help with the small company dilemma 11 rather than granting a blanket exemption of some kind that 12 would hit 70 or 80 percent of micro small cap companies. I 13 think that's the way to handle that particular problem. 14 But the SEC I believe is the only one who can do 15 that. The Board cannot. 16 MR. WHITE: Okay. We're going to move in a moment 17 here to the audit experience side of this, but, Mr. Ameen, do 18 you have one more comment on the management side? 19 MR. AMEEN: Just a couple of observations. First 20 on the relationship between a restatement and a material 21 weakness. It seemed to us when we ran into our FAS-133 22 circumstance that the relationship between the two is almost 23 axiomatic and very difficult to escape, that having a 24 material error in financial statements that needed to be 25 corrected was evidence, prima facie, and almost irrefutable, 1 that there was a material weakness. 2 In fact, by the time we reported the restatement, 3 we had corrected the weakness, although it was nine months 4 later before our auditors could acknowledge that fact, itself 5 a problem. 6 But it doesn't seem to be a problem to me to relate 7 the two so long as -- and I think that ought to be 8 acknowledged. 9 Secondly, I have some concerns about standard 10 setting through examples, if case studies become the way that 11 we communicate the interpretations. The internal control 12 environments and the decisions that are made about what are 13 significant controls and significant weaknesses are very 14 complex and very specific to individual companies. I would 15 be concerned that we'd be able to capture that complexity in 16 a case study environment, and therefore I'd caution against 17 that approach. 18 MR. WHITE: Okay. So why don't we move to the 19 audit experience in the second year. Professor Grundfest, 20 you have been extraordinarily patient. So I think I'm going 21 to ask you a few questions. 22 MR. GRUNDFEST: It's early in the morning 23 California time. 24 MR. WHITE: Ah. I knew there was something. I'd 25 actually like to ask you about the PCAOB inspection process 1 and its effect on the audits of internal control. And there 2 have been a number of comments about that in different 3 places, and there was certainly the recent statement I guess 4 on May 1st that the PCAOB put out on how the inspection 5 process was going to be conducted in 2006. And I know you 6 have some thoughts on this, so I'll -- 7 MR. GRUNDFEST: Thank you very much, John. And I 8 think the inspection process is really going to be central to 9 the future of the operation of 404 because it is through the 10 inspection process that the audit firms are going to get very 11 clear messages from their proximate supervising body as to 12 whether they've gone too far in terms of the procedures that 13 they're following, whether they haven't gone far enough, and 14 too sloppy on the 404 front, or whether, in Goldilocks' 15 terms, you've got it just about right. All right. 16 For perfectly understandable reasons, society and 17 regulators don't have the greatest credibility when the 18 companies being audited complain about the audit process. 19 The greatest credibility in terms of being able to signal 20 that the process has gone too far will likely come from the 21 PCAOB and the inspections there. 22 Now, in that context, I think it's very important 23 for the PCAOB and the profession to understand that there are 24 some structural features of this process that push it towards 25 hyper aggressive enforcement of the 404 standards. And it 1 may be useful to take a step back and to understand that the 2 audit profession is not unique in this regard. 3 The phenomenon of defensive medicine is something 4 that all of us are aware of. We all know that the medical 5 profession is subject to great litigation pressure, and if, 6 for example, you're an oncologist, one of your great fears is 7 being sued because of the failure to diagnose lawsuit, a 8 diagnose situation. 9 So it is a natural tendency in the medical 10 profession to prescribe tests that you typically would not 11 prescribe but for the possibility of litigation. And then 12 there's some other incentives around the testing environment. 13 For example, the cost of the test is not borne by the 14 physician that prescribes the test. 15 Prescribing the test gives a benefit to the 16 physician because it reduces the probability that there will 17 be litigation against them. And in many situations, the 18 physician makes more money because they're also applying the 19 test. 20 If we have a look at the predicament that the audit 21 profession has been subject to, it's almost a direct parallel 22 to the situation we find in the medical profession where the 23 same natural economic forces push people with good intentions 24 to engage in hyper aggressive enforcement, and in the medical 25 context, to start applying controls that really are 1 suboptimal because of external social pressures. 2 We've got exactly the same situation at work here, 3 and in order to solve that situation, I really do think we 4 need, you know, a two-bullet approach. Number one, we've 5 been talking about strong improvement of the inspection 6 process. But I also think we need to change the substance of 7 what it is that's being inspected against. 8 Several of my colleagues have already mentioned the 9 importance of the term "materiality" and the role that the 10 phrase "significant deficiency" plays in the analysis of the 11 process. 12 Yes, we're all supposed to look for material 13 weaknesses, but the standard also cautions us that an 14 accumulation of a sufficient number of significant 15 deficiencies can itself constitute a material weakness. So 16 let's, as one of my colleagues likes to say, dilate on the 17 definition of the term "significant deficiency." 18 If you stop and think about it for a moment, it 19 makes your head spin, all right, because go back, read AS-2, 20 and it says that a significant deficiency will kick in -- and 21 here I paraphrase -- where you have more than a remote 22 probability of a more than inconsequential misstatement. 23 All right. Grab your breath and let's try to 24 quantify what these words mean, okay? Rough rule of thumb, 25 all right. And I know SAB-99, there's all sorts of other 1 literature that says, Joe, you can't make it this simple, but 2 let's make it real simple. 3 Materiality. If you've got a number that's at 5 4 percent of the revenues, you're at materiality, okay. That's 5 a common rule of thumb, okay. All right. I've even got the 6 auditors shaking their head, I'm with you. 7 MR. GRUNDFEST: You've got literature generated by 8 the audit profession itself saying that you are not 9 inconsequential if you are at less than 20 percent of the 10 materiality standard. Right, guys? Okay. Twenty percent of 11 5 percent. If somebody will correct my math, that's 1 12 percent, okay? 13 Then we're talking about a more than remote 14 probability of a more than inconsequential misstatement. 15 What does the word "remote" mean? Now the profession and the 16 PCAOB have been orthodox in taking the position that we're 17 not going to put a number to the word "remote." 18 Allow me to be unorthodox. Let's assume that the 19 probability is 5 percent or 10 percent. It really doesn't 20 make much of a difference. Let's say it's 5 percent. So, 21 what's the expected value of a -- of 20 percent of 5 percent 22 multiplied by 5 percent? That's five one-hundredths of one 23 percent. That's five basis points. So a very natural 24 quantification of the language contained in AS-2 drives you 25 to look at processes that have an effect of five basis 1 points. And we wonder why people are complaining about low 2 level process controls, because the very language is -- thank 3 you! 4 MR. GRUNDFEST: I was surprised it took that 5 long, Sam! 6 MR. DiPIAZZA: I really tried, Joe! 7 MR. GRUNDFEST: And you know, sure, the audit 8 standard is not supposed to look only for significant 9 deficiencies, but it's hard to ignore the language in the 10 rule itself that gives so much importance to that term. 11 MR. WHITE: I think we have to give Mr. DiPiazza a 12 response here. 13 MR. DiPIAZZA: I'm not going to go through the 14 standard because, Joe, I don't understand exactly what it 15 says, either, sometimes. But I will say, you can't do it the 16 way you just did it. 17 You can't take the multiplication of those two 18 numbers and say that is what we're measuring, because when it 19 hits, it's not five basis points. Okay? It's not. 20 That may be how you view the probability of remote. 21 But, in fact, if you have an event on a weakness in a 22 control, you are going to get bigger than that issue. 23 And so what we are looking for are places where 24 that might occur. So I just -- math is great. And I know at 25 Stanford you do a great job with it. But that's not the way 1 it actually works in the real world. 2 MR. WHITE: Mr. Nussbaum. You going to echo the 3 same thing? There are a lot of auditor comments going on up 4 here? 5 MR. NUSSBAUM: I agree, of course, with Sam. But I 6 do think we need to look at materiality. But it's not just 7 materiality over material weaknesses, as you point out, 8 Professor Grundfest. I think all of our heads are spinning 9 as a result of, not just the standard, but the various 10 interpretations of it. 11 But what we need to do is look at financial 12 statement materiality as well. Because that, as you 13 mentioned, SAM 99, does cause us to result in a significant 14 number of restatements that maybe don't need to be made, as 15 someone talked about earlier. 16 My being concerned about a financial statement 17 materiality issue when you are looking at it from a top-down, 18 risk-based approach, could result in a lot more testing than 19 needs to really be done. 20 But we are sort of stuck with that -- those 21 standards on financial statement materiality, both in the 22 guidance and SAM 99. But more importantly, in the way it is 23 being interpreted. So, I do think that there is some 24 validity to looking at materiality, but I would extend that 25 look to financial statements beyond. 1 And if I could just comment on another thing you 2 said, Professor Grundfest, and that is that the PCAOB 3 inspection process should make sure that we should do enough 4 auditing to ensure that there is good quality. And also make 5 sure that we don't over-audit so that we don't charge too 6 much. And I agree with that. And I think the inspection 7 processes here will clearly do that. 8 But I want to acknowledge that this perfect, just 9 about right, really probably is a fairy tale from Goldilocks. 10 There is so much judgment involved here in the course of an 11 audit, whether it's Grant Thornton or any other firm, that we 12 have to acknowledge that there is a range of acceptable 13 answers, and there's no single perfect answer, both in 14 management's documentation and the definition of material 15 weakness, or what the internal controls are, financial 16 statement materiality or what are the appropriate audit 17 procedures. 18 And we have to be willing to accept that auditor's 19 judgment and management's judgment in that process. 20 MR. WHITE: I see we have a few more cards up, but 21 actually, we only have about two minutes left. And I did 22 have one question that I wanted to put to Professor 23 Grundfest, on restatements. But you only have two minutes. 24 MR. GRUNDFEST: I'll take 30 seconds. On 25 restatements, there are two -- 1 MR. WHITE: Well, let me ask the question because - 2 - I told you I was going to need -- 3 MR. GRUNDFEST: You are going to get what I want to 4 say, anyway. So -- 5 MR. WHITE: The restatements went up a lot last 6 year, from 600 to 1200. And there are a lot of comments 7 about whether that was -- how that relates to 404. 8 Now say whatever you wanted to say. 9 MR. GRUNDFEST: There are two things. First, 10 let's -- so the question is, restatements, 404, what's the 11 connection. Does it prove that 404 is really working. Let's 12 divide the proposition into two parts. 13 First, let's assume that restatements are related 14 to 404. And then we are going to challenge that assumption, 15 because it's really incorrect. 16 The vast majority of restatements have no material 17 effect, if you measure materiality by stock price response. 18 This is going in, looking at a bunch of accounting issues, 19 cleaning up a bunch of accounting issues, and disclosing the 20 information to the stock market. 21 What did investors say? We could care less. 22 Well, if that's right, then what that suggests at 23 one level is that all the expenses that went into the 24 restatement process didn't lead to a restatement that was 25 material in the sense the stock market cared about. And that 1 would be consistent with the hypothesis that 404 is causing a 2 lot of wasteful expenditure that investors themselves do not 3 value, once the information is actually presented to them. 4 So, what is interesting about that argument is, if 5 you add the fact relating to stock market price response, it 6 actually is consistent with the hypothesis that 404 has gone 7 too far, and is imposing inefficient costs. 8 Now, take a step back, and say, well, gee, has 404 9 really led to all these restatements? The short answer to 10 that is, only a minority of them, if at all. 11 And there, I think Commissioner Glassman's recent 12 speech has a one-liner in it that explains -- wait a minute, 13 about half of these restatements came from companies that 14 were weren't subject to 404 requirements, anyway. So, 15 therefore, how could you say that 404 caused that? I think 16 that analysis is entirely correct. And you add that with the 17 observation that restatements have no material effect. And 18 then you get an entirely different picture of the situation. 19 MR. WHITE: It is 10:30, but the moderators have 20 made the executive decision to steal five minutes from the 21 next panel, so, Mr. Ameen? 22 MR. AMEEN: I just wanted to point out that five 23 basis points on my revenues is $75 million, about which I do 24 care. 25 MR. WHITE: Ms. Bush? 1 MS. BUSH: I would just say that the complexity of 2 the measuring or defining or figuring out significant 3 deficiencies, material weaknesses, what is really material, 4 what should cause a restatement. It's all shown up, shall we 5 say, by the conversation between Mr. Grundfest and Mr. 6 DiPiazza. 7 That, in my mind, also points out the costs, 8 because these kinds of conversations go on with companies, in 9 companies as well. Those costs also, I think, can lead to 10 less focus on the strategic and operational audits that 11 companies should be engaging in. Also, just in terms of the 12 business itself, the strategy, the operations, the business 13 to create value, as Mr. Davis alluded to earlier. 14 MR. WHITE: Okay. So, Ms. Franklin, you opened 15 this panel. We'll let you close it. 16 MS. FRANKLIN: With just a comment about 17 inspections. I think to really get the most out of the 18 inspection process, and to give feedback and guidance to the 19 auditors, they have got to be more timely. 20 I think you are all aware of the fact that there 21 were delays in when the auditors got the reports the last 22 time. And maybe that was a start-up issue, with respect to 23 the newness of the board, but I really think that that 24 process needs to be accelerated. 25 The substance of it needs to be right, but the 1 timeliness of it does, too. 2 MR. WHITE: Well, I would like to thank our 3 10 panelists. We very much appreciate your being here. We 4 are going to adjourn this panel, and the next one, which will 5 be on Management's Assessment, will resume at 10:45. 6 Thank you. 7 (A brief recess was taken.) 8 PANEL TWO - MANAGEMENT'S EVALUATION AND ASSESSMENT 9 MR. TAUB: Our first panel was very successful. We 10 certainly hope to continue the very high level of discussion 11 and discourse throughout the day. 12 This second panel is intended to focus in on 13 management's assessment process, and the evaluation work that 14 management does under 404 in order to render its opinion on 15 the effectiveness of internal controls. 16 My name is Scott Taub. I am the Acting Chief 17 Accountant at the Commission, and I will be the lead 18 moderator for this panel. 19 To my left is Laura Phillips, Deputy Chief Auditor 20 at the PCAOB. To my right is Carol Stacey. She is the Chief 21 Accountant in the Division of Corporation Finance, Office of 22 the Chief Accountant. We will be moderating this second 23 panel. 24 We have an excellent panel assembled in order to 25 have this discussion. 1 From my left to right, we have Bill Brunner, CFO, 2 Vice President and Treasurer of First Indiana Corporation, 3 and the Chairman of the ABA -- American Bankers Association, 4 have to specify which ABA -- Accounting Committee. 5 Then, Kimberly Parker Gavaletz, the Vice President 6 and Deputy of Global Sustainment at Lockheed Martin. Did I 7 get the title right? Okay. 8 Sue Gordon, Senior Vice President, 9 Corporate Controller and Chief Accounting Officer at CBS 10 Corporation, having survived the spin-off from Viacom. 11 Moving on. Keith Holmberg is the Vice President of 12 Finance and Control Processes at British Petroleum. 13 Lee Level, Corporate Vice President and Board 14 Member at Computer Sciences Corporation. He also serves on 15 several other boards of directors, and indeed, chairs audit 16 committees at some of those other boards. 17 Peter Minan, National Managing Partner of Audit at 18 KPMG, one of the Big Four firms. 19 Stephen Sherwin, is a doctor and the Chairman and 20 CEO of Cell Genesys, Inc. He also represents to some extent 21 the Biotechnology Industry Group. 22 Moving on. Dr. Albert Teplin, Audit Committee 23 Chair at Viad Corporation, and also an Audit Committee on 24 other boards of directors. 25 And, finally, Jim Turley, the Chairman and CEO of 1 Ernst & Young. 2 Thanks to all of our panelists for agreeing to be 3 here today. We look forward to a good conversation. I am not 4 going to repeat all of the rules of the road that John White 5 gave us this morning. 6 We will remind panelists, as well as commissioners 7 and board members, please turn up your tent cards and, as an 8 added reminder, once your turned-up tent card has worked, and 9 we have called on you, please turn down the tent card while 10 you speak. I understand that CNBC and MSNBC would like to 11 see everybody's faces clearly as you speak. 12 The Commission's rules require that management 13 assess, at the end of each fiscal year, the company's 14 internal controls over financial reporting and report on its 15 assessment of the effectiveness of those internal controls. 16 At last year's roundtable, several commenters 17 questioned whether management's approach to completing its 18 assessment of internal control over financial reporting was 19 appropriately top-down out, risk-based and focused. 20 Moreover, several commenters suggested that too 21 many controls and processes were documented and tested. 22 Feedback from some commenters indicated that they expected 23 that some of the cost and effort involved in documenting 24 internal controls over financial reporting did represent one- 25 time start-up costs that might not be repeated in subsequent 1 years. 2 The Commission and Board are now seeking input on 3 whether and how companies have improved the efficiency and 4 effectiveness of the process for assessing internal control 5 over financial report in the second year of compliance. 6 The Commission and Board are also soliciting views 7 about the challenges in designing a sustainable assessment 8 process that is both effective and efficient. 9 The first question I am going to first direct it at 10 Ms. Gavaletz, and then to Dr. Teplin. 11 The question is whether the guidance that the SEC 12 and PCAOB issued last May has been helpful in improving 13 management's assessment process, whether indeed the 14 management assessment was more risk-based and more focused in 15 the current year, and then perhaps a discussion of any 16 remaining challenges that you are aware of in management's 17 assessment process. 18 Ms. Gavaletz? 19 MS. GAVALETZ: Thank you for the opportunity to be 20 here today, and to be able to comment both to the PCAOB and 21 the SEC and to engage with the other panelists here. 22 I do want to say that yes, the guidance last year 23 from the May Roundtable was helpful to management but, I 24 believe, to everybody involved. I think it depended on where 25 you were in the maturation of your own internal control 1 environment, and how that was helpful to you. 2 First, for those that were very mature, I think it 3 reaffirmed the use of that top-down approach, and that risk- 4 based approach. For those that might have been just 5 inventing, it really helped them. It affected them and 6 changed them mid-course to make any corrections, maybe, to 7 further go that way. 8 And for those that were just starting, it certainly 9 helped them with a basis of how to start and get started. So 10 I think it was timely for that. 11 I think, as far as its overall effect, though, in 12 the first year, that after that guidance, it was probably 13 still just getting started being effective, because actually 14 the time of that to affect last year's activity, was probably 15 just at the tip of the iceberg as far as seeing the 16 effectiveness of that. 17 I think we'll see continued effectiveness this year 18 and as we go forward and as people mature across the curve 19 that guidance will be reaffirming. I think that was 20 illustrated by a lot of the surveys that have been commented 21 on in the first panel. 22 The Institute of Internal Auditors' survey said 23 that, in the first year, 42 percent of the chief auditor 24 surveyed believed the top-down approach was used, but in the 25 second year, 75 percent believed it. So I think that is 1 significant in itself. And so I think there is more to come. 2 The second part of the question, or processes for 3 evaluating control more risk-focused, I believe they were. 4 But of that 75 percent that said they had used more of a top- 5 down approach, there still was a perception by 58 percent of 6 that 75 percent that they saw the external auditors testing 7 things that were not, in their view -- and again I am not 8 sure how much of that was confirmed with the external 9 auditors -- based on a risk-based approach or that could 10 affect the company materially. 11 So I think some of that is some understanding, some 12 communication -- there was a lot of improvement in 13 communication across this last year, but I think there's 14 still some coming together on what is the risk-based 15 approached and top-down that needs to happen. 16 As far as what's left, I think part of our 17 challenge is staying course and keeping the faith. I look 18 back on this country, and any significant legislation, and 19 you go back all the way to the founding of the country on our 20 Constitution, our Declaration of Independence, some really 21 sound things in that first body. I think there are some very 22 sound things in the 404 on AS-2 that are there. 23 I think the other guidance and things coming out 24 are important, but I believe -- I would caution on 25 legislating, regulating too much there. I think we need to 1 really look at what are the questions being asked and satisfy 2 those questions. 3 And when people ask for guidance really understand 4 what they are asking for guidance about. In talking to 5 people getting ready for this panel, I have heard that. And 6 I have seen that in the comment letters. And I have surveyed 7 others. And what I have been hearing more, and I would like 8 to make sure we hit that a little bit, that the small company 9 side of it is definitely there. 10 But I hear some cry for relief, but I think there 11 is a lot more of a cry for how-to. And an easy way to 12 implement, which I am not sure is what the SEC and PCAOB is 13 supposed to necessarily be telling. 14 I think there are other providers for that. I think 15 they can utilize the COSO framework and hopefully the small 16 business framework that's coming out. And other providers 17 will be there to help them with some how-to's. I think that 18 is more what's being asked there. 19 I would welcome input from others. I know relief 20 would always want to be there, but I think the principles are 21 still there, and if you want to change something for the 22 small businesses, large businesses here would like to hear 23 about it as well, because I think, again, the soundness of 24 our internal controls apply to both. And I think investors 25 in small or large businesses are equally -- that's equally 1 important to both of them. So understanding and satisfying 2 the need. 3 I think the other thing that's out there for this 4 risk-based, top-down in other areas if really from the 5 management versus the external auditors. And it's kind of -- 6 well, the external auditors have this, and so it's driving 7 management. 8 I am not sure that something that is a competing or 9 leading effort won't cause us -- well, my books says this, 10 your book says that. I would rather foster the relationships 11 between the two to talk through these and work through the 12 issues than necessarily competing standards as we are going 13 forward. 14 And I do hear some standards versus informal 15 guidance. I would, again, just say go slowly in converting 16 things into standards. I think guidance -- as people have 17 said, the guidance that was issued last year has been hugely 18 helpful, as evidenced by people and their proceeding forward. 19 If we get too voluminous, if we do each year, and 20 add -- ten years from now where would we be from this. 21 I think it was important last year. I think it 22 will be important this year. And, again, I thank you for the 23 opportunity to be here. 24 MR. TAUB: Okay. Thank you. Dr. Teplin, do you 25 have anything to add on these questions? 1 DR. TEPLIN: Well, I don't know if I have something 2 entirely new to add, but I do have a different perspective. 3 I thought, first of all, to answer the question very 4 directly, the guidance last year was very helpful, 5 particularly, I believe, in reestablishing the useful 6 cooperative communication between management and the external 7 auditor. 8 There had been substantial confusion in that. And, 9 as an audit chair and audit committee member myself, I found 10 myself very much in the middle of that. And I think that the 11 guidance that was issued last year, there were a few 12 sentences in there that were extremely helpful in 13 reestablishing what has been, as we move through this 14 process, a much more efficient and better way of doing 15 things. 16 As far as going to more of a top-down, risk 17 assessment, in scoping the assessment and improving it, I 18 think that what is happening is a clear winnowing down 19 towards that. I am seeing now at least that -- I would argue 20 that 2006 is going to be the year that you are going to see 21 significant improvements. 22 Two thousand and four, we got through it. And 23 there was a lot of discomfort though the entire process. 24 Two thousand and five, at least we knew what to do. 25 Since we had already attained an assessment. And cost didn't 1 come down, as we had hoped, and so on. 2 But I think in 2006, management, the audit firms, 3 and the audit committee indirectly, are working towards 4 becoming much more efficient in this process. That's not to 5 say that things can't be improved more. I think that there 6 needs to be more clarity in what guidance that there is on 7 the use of the internal auditor in the firms. 8 You know, where management takes ownership and is 9 doing their job, and the internal auditor is doing their job 10 in testing and so on, and then you've got another auditor 11 coming in, if everybody is cooperating, and there is 12 oversight by the audit committee, and so on, I think that 13 tremendous efficiencies can be attained by using the internal 14 auditor. 15 I am not at all worried that corporations will find 16 -- will take out the inefficiencies. They have the 17 incentives to do so. But as we scope a project such as this, 18 and so on, there are different incentives for the public 19 auditor and the corporation. And they audit committee has to 20 make sure those are balanced correctly. 21 I think I'll leave it at that. 22 MR. TAUB: Mr. Brunner, the banking sector has long 23 had some reporting on internal controls under fiducia. 24 Nonetheless, I am aware of comments that the 404 process was 25 certainly different, or additive to, what had been happening 1 under fiducia. 2 Can you tell me, from your point of view, was the 3 guidance that we provided last year helpful in the process? 4 And are the audits of internal control becoming more risk- 5 focused? 6 MS. BRUNNER: First of all, I agree. It was very 7 helpful. But I would underscore that the largest portion of 8 the help was opening the gates to the more cooperative 9 relationship with the auditor. I just can't underscore that, 10 given that, given the working relationship, that positive 11 things will come out from all avenues. 12 Yes, there are a lot of tactical things. In 13 looking and comparing to how the banking industry has been, 14 which not only had fiducia, but by the sheer nature of the 15 industry, it has always been a very control-based 16 environment. Our products and services lend themselves to a 17 very, very strict control. We have always had a very risk- 18 sensitive model in the first place. 19 I think the difference between what we see in 404 20 and what we have seen in the past was the prescriptive nature 21 and the degree of focus on things that can be tested and 22 measured. 23 Now, maybe that's a hazard of our professions in 24 that we like things that we can see, observe, test and 25 measure. But one of the things that -- and it varied from 1 company to company -- but certainly we see that some 2 improvement can be made, and that opportunity exists. 3 We largely saw that entity-level controls were done 4 in one silo. And activity-level controls were done in 5 another silo. And, of course, we think a lot of energy went 6 into testing and pounding out and measuring and documenting 7 things with lots and lots of paper of doing it. 8 But I think the real lift is yet to come, because 9 when you get to the point you can step back and look at the 10 risks of your business, look at the tone at the top. Look at 11 the environment you are in, and be able to really integrate 12 the -- call it tone at the top, call it entity level, 13 whatever it might be -- and you can integrate that with how 14 much mathematical testing do I need to do. We can start 15 taking some of the burden. 16 Because certainly from the banking industry the 17 difference largely was the amount of documentation and way of 18 going about it. 19 MR. TAUB: Thank you. Move on to another set of 20 questions and start directing this set to Mr. Level and to 21 Ms. Gordon. 22 How would management's process have been different 23 if the auditors were not also going to be involved in 24 assessing internal controls? 25 Were there instances where management believed that 1 it had found and implemented an effective way to test 2 controls but the auditors made suggestions for additional 3 testing that management didn't necessarily think was 4 necessary? And, if so, in the end was that helpful to 5 management's assessment process, or did it merely add to the 6 burden? 7 Mr. Level? I'll start with you. 8 MR. LEVEL: Thank you. And we appreciate the 9 invitation to be back. And the interest of the Commission 10 and the PCAOB in considering again this year the 11 possibilities to make what we are doing better, quicker and 12 faster. And cheaper. 13 We would have, as you have already heard from the 14 first panel and a couple of the comments already from this 15 panel -- we would have committed more of our resources and 16 spent more time on the entity level tone at the top-type 17 controls if we had no audit of the management's assessment. 18 But the reality is, frankly, that our process in 19 the end was driven by the auditors' opinion of internal 20 controls and so we went about determining what they needed to 21 derive and to reach their conclusions and for their opinion, 22 and went down that path. 23 We also did what we felt we needed to do to make 24 them comfortable, of course, with our assessments supporting 25 our opinion. You all know about the typical differences 1 between COSO and AS-2, around an issue that I think is quite 2 important, and that is the ability to recognize that some 3 controls exist, even if they are not documented. 4 We spent a lot of time, frankly, in the last two 5 years, documenting controls that already existed in order to 6 support both the auditor's opinion and our opinion and their 7 own. 8 As you all know, we have been pen pals with the 9 Commission and have submitted comments for the last several 10 years about this topic. And we did again in connection with 11 this panel and this roundtable. And I would urge you to 12 refer back to that as to more specifics we have in that area. 13 But I would -- in thinking about -- on the way from 14 California out here, about this matter again, I feel that we 15 really need to deal with the three-opinion opinions. And we 16 need to integrate the auditor's opinion and make it one 17 opinion, both on internal controls and on fairness of 18 financial presentation. Remove them from the management's 19 opinion of controls and management should, of course, 20 continue doing that. 21 We would support some guidance from the Commission 22 around management's assessment. But we are fearful, frankly, 23 that we would end up with a whole new set of rules and an 24 approach to management's assessment, and we would have to go 25 ahead and expand on what we already do there. 1 And we would find, frankly, that we would have to 2 continue to do everything that we have done, including -- 3 unless you deal with AS-2 -- dealing with making our auditors 4 comfortable in the way in which their -- the standards that 5 apply to their opinion would mandate that they behave. 6 Now, having said all of that, I do want to close in 7 saying that your guidance last spring was quite helpful. It 8 was a little late, but helpful. 9 And I want to echo what I heard from both of the 10 previous panelists here, that the tone between the auditors 11 and management was probably the single most important result 12 of that guidance. 13 Thank you. 14 MR. TAUB: Thank you. Ms. Gordon, if you could 15 comment on how your auditors affected management's process. 16 MS. GORDON: Well, thank you. And once again thank 17 you for letting me come and speak in front of the group again 18 this year. What a difference a year makes. It's true for 19 the success of 404, in my mind. And also true in splitting a 20 company into two media companies now. 21 So, I have a lot to say also on the small. We were 22 large, and now we are two moderate size. So, I found that 23 question very interesting. 24 But first, to speak to what the guidance did for 25 us. The guidance was extremely helpful, echoing what the 1 people have said on the panel. But also it confirmed our 2 approach, that management is responsible for assessing risk. 3 And then we then take that risk assessment and coordinate it 4 with our internal audit, and then coordinate it with our 5 external auditors. So that is the approach that we had taken 6 from the beginning with this, the guidance confirmed that. 7 To the question of what would have -- how our 8 assessment would have been different had we not had an 9 independent audit, I have to truthfully say that I don't 10 think there would have been a difference. 11 And that maybe seems strange in some way, but I 12 think by taking the approach that management owns the 13 certification, and management is responsible for the