The U.S. Securities and Exchange Commission wants to continue to be vague about compliance with Section 404 of the Sarbanes-Oxley Act.[@@]

SEC officials say they are skeptical even of companies’ own efforts to comply with the tough new financial reporting law by developing and following clear-cut guidelines for testing and reporting on their companies’ internal controls.

Too many companies have been using a “mechanistic, check-the-box” system to evaluate themselves rather than using a risk-based approach, officials write in a new report based on recent SOX roundtable discussion.

“An assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements,” officials write.

Because of the SEC’s concern about a formulaic approach to monitoring internal controls, the SEC has decided against giving any specific advice about how to comply with SOX 404.

“One size does not fit all and control effectiveness is affected by many factors,” officials write.

Instead of offering clear-cut rules, the officials are recommending that managers should design solutions for their own companies.

“The scope and process of the assessment should be reasonable, and the assessment (including testing) should be supported by a reasonable level of evidential matter,” officials write.

Officials add that the SEC would like to see companies and auditors shares ideas about ways to improve internal controls.