SEC Guidance On SOX Hailed By Insurers

Actions by a federal accounting regulator and a private sector overseer last week will reduce the cost of compliance with the controversial Section 404 of the Sarbanes-Oxley Act of 2002 by providing companies and their auditors with greater flexibility, several industry trade groups assert.

The new guidance from the Securities and Exchange Commission and the Public Company Accounting Oversight Board also shows the willingness of the agencies to respond to industry concerns about the cost of compliance with the provision, as well as about determining precisely how the agencies are interpreting it, the trade groups say.

At the same time, both bodies refused to support calls by powerful industry groups for the law to be repealed.

“It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting,” notes William J. McDonough, PCAOB chairman. “It is equally clear to us that the first round of internal control audits cost too much. Through the guidance we issue today, as well as our upcoming inspections, we are committed to seeing that AS No. 2 is implemented in a manner that captures the benefits of the process without unnecessary and unsustainable costs.”

Auditing Standard No. 2, which refers to the auditor’s attestation as an audit of internal control over financial reporting, is the standard auditors must use to satisfy their obligations under Section 404.

Mr. McDonough also says that the PCAOB and the SEC continue to work to “facilitate implementation” of Section 404 of SOX by the auditors of the smaller U.S. public companies and foreign companies that, by SEC rule, need not comply with Section 404 until 2006.

Section 404 of SOX and the SEC’s related implementing rules require certain companies to include in their annual reports filed with the SEC a report on management’s assessment of the effectiveness of those companies’ internal control over financial reporting.

Section 404 also requires these companies’ auditors to attest to and report on the internal control assessments made by management.

Effectively, the staff guidance issued by the SEC and the policy statement by the PCAOB allow companies to comply with Section 404 of Sarbanes-Oxley by creating a system that works best for their own specific organization.

Phillip Carson, senior counsel, financial reporting at the American Insurance Association, Washington, says he believes the new regulatory guidance “is positive for all companies subject to Sarbanes-Oxley.”

He explains that it was issued by the two agencies in response to an April 13 roundtable with industry. Mr. Carson says the benefit of the new guidance is that it addresses some of the issues that drive the cost of internal control audits, specifically the issue of audit scope. “It looks to the auditor to apply more judgment rather than rely simply on excessive transactions testing, which drives cost,” he says. “It emphasizes the need to develop the audit in terms of risk assessment, that is, focus on the higher risk areas, as opposed to making it apply equally to low risk areas as well.

“In other words, it is a quality-vs.-quantity issue, the agencies have said,” Mr. Carson explains.

The new guidelines will allow external auditors to directly communicate with management and tailor audits to individual clients, explained Richard Whiting, executive director and general counsel for The Financial Services Roundtable, Washington. He says that external auditors will also be able to use the work of internal audit staff. “Further, the new guidelines will allow for an integrated audit of internal controls and financial statements,” Mr. Whiting says.

“The guidance is a constructive step in providing greater clarity and focus on Sarbanes-Oxley requirements,” Mr. Whiting adds. “The PCAOB has clearly heard the message that there are aspects of Section 404 that are not working.”

The SEC staff statement explains that “An overarching principle of this guidance is the responsibility of management to determine the form and level of controls appropriate for each organization and to scope their assessment and testing accordingly. One size does not fit all and control effectiveness is affected by many factors.”

Sarbanes-Oxley was designed to combat the corporate misdeeds that led to the Enron and WorldCom scandals.

Accelerated filers with the SEC were required to be in compliance with these new rules for the fiscal year ending November 15, 2004. The guidance follows the April 13 roundtable with industry, in which the agencies listened to comments from issuers on how the process worked in its first year of implementation.

“The feedback made clear that companies have realized improvements to their internal controls as a result of implementing the requirements, and that the requirements have led to an improved focus on internal controls throughout the organization,” the staff statement said. “However, the feedback also identified implementation areas that need further attention or clarification to reduce any unnecessary costs and other burdens without jeopardizing the benefits of the new requirements.”

In its guidance, the statement noted that the SEC has decided not to issue a prescribed system for internal auditing specifically to allow companies to determine how to best monitor themselves.

“In adopting its rules implementing Section 404, the Commission expressly declined to prescribe the scope of assessment or the amount of testing and documentation required by management,” the staff statement says. “The scope and process of the assessment should be reasonable, and the assessment (including testing) should be supported by a reasonable level of evidential matter. Each company should also use informed judgment in documenting and testing its controls to fit its own operations, risks and procedures. Management should use its own experience and informed judgment in designing an assessment process that fits the needs of that company. Management should not allow the goal and purpose of the internal control over financial reporting provisions – the production of reliable financial statements – to be overshadowed by the process.”

The theme of ensuring the spirit of Sarbanes-Oxley rather than adherence to a specific set of guidelines was also apparent in the staff statement’s view of how companies are monitoring themselves. Rather than examining themselves using a risk-based approach, the staff statement noted, many companies began using a “mechanistic, check-the-box” system.

“This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies,” the statement says. “Indeed, an assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements. The desired approach should devote resources to the areas of greatest risk and avoid giving all significant accounts and related controls equal attention without regard to risk.”