Good news on SOX? How proposals may make implementing section 404 more ‘right-sized’?

The U.S. Securities and Exchange Commission (SEC) has proposed changes to the current requirements imposed on management by the Sarbanes-Oxley Act (SOX) relating to the assessment, documentation and testing of a public company’s internal control over financial reporting. The Public Company Accounting Oversight Board (PCAOB), likewise, is reassessing the auditors’ responsibilities on auditing such information.

On Dec. 13, 2006, the SEC issued proposed interpretive management guidance relating to the internal control of financial reporting. A few days later, on Dec. 19, the PCAOB issued, for public comment, a proposed revised auditing standard relating to the auditing internal controls over financial reporting. Each item is open for public comment for 60 days.

“Staying informed on the latest developments in corporate governance is vitally important to CEOs,” says John Poth, partner in the Audit and Business Advisory Services Department with Haskell & White LLP.

Smart Business spoke with Poth about why these changes are good news for CEOs.

What are the purposes of the new proposals?

The desire is to ‘right-size’ both requirements to obtain the intended benefits of each without requiring unnecessary work or costs. The SEC and PCAOB hope to establish new requirements for each that are less time-consuming and are scalable to smaller public companies, as well as large accelerated filers.

Why are these changes occurring now?

These proposals are in response to the first two years of the SOX requirement that public company management document the internal controls over financial reporting and the requirement that auditors audit this information and feedback received by the SEC and PCAOB relating to the requirements.

Can you briefly summarize each of these lengthy proposals?

The new SEC-proposed guidance to management is based upon two key principles. First, management should evaluate the design of the implemented controls and determine if there is a reasonable possibility of a material misstatement in the financial statements that would not be prevented or detected in a timely manner. Second, management should collect and test evidence that the controls in place are indeed working, based on the company’s assessment of the risk associated with those controls.

It emphasizes that management should use a top-down, risk-based, principles-based, flexible approach. Smaller public companies can tailor their evaluation of internal controls to fit their size and complexity while also meeting the needs of larger accelerated filers.

The SEC proposal provides guidance in four key areas: identification of financial reporting risk and controls implemented to address those risks; evaluating the operational effectiveness of those controls; reporting the overall results of management’s evaluation; and necessary documentation.

The PCAOB-proposed new auditing standard would focus the auditor on matters that are most important to internal control, eliminate unnecessary procedures, and make the audit more suited for smaller and less complex companies.

Some of the proposal’s key elements are emphasizing the risk assessment process; directing the auditor to the most important controls; clarifying the role of materiality; removing the audit requirement to evaluate management’s process; and permitting the consideration of knowledge obtained during previous audits.

What are the intended benefits to public companies from these changes?

If these proposals are approved, they should have the impact of focusing both management and auditors on material items rather than time and expense on items considered not reasonably possible of resulting in a material error in the financial statements. In addition, it is intended to help smaller public companies implement SOX without such a strong perception of an unfair burden. The intent is to reduce time and cost.

How much time and expense will be saved?

The answer to this depends on where a company is in the process.

For smaller companies that are not yet subject to the 404 requirement, it merely defines what needs to be accomplished in the process — which will still likely be costly, but less than it would have been before the proposed revision to the requirements.

For companies already subject to SOX 404, this is going to depend on the approach taken in the past by both management and the auditor and the new requirement that only certain key controls need now be considered. Once these proposals pass, assuming they do, key management personnel need to meet and determine what is needed and then consider appropriate meetings with auditors and other outside advisers to discuss the issue.

JOHN POTH is a partner in the Audit and Business Advisory Services Department with Haskell & White LLP. Reach him at (949) 450-6390 or