Sarbanes-Oxley Act implementation has turned into an auditor-driven, “check the box” exercise.[@@]
Cynthia Glassman, a GOP-appointed member of the U.S. Securities and Exchange Commission, gave that assessment Wednesday during a speech in Washington.
As a result of the misdirected implementation of Section 404 of SOX, which deals with internal controls documentation, “what was meant to be a top-down, risk-focused management exercise became a bottom-up, ‘check the box,’ auditor-driven exercise,” Glassman said, according to a written version of her remarks.
At roundtable discussion in April, participants noted that Section 404 had helped to raise awareness of the importance of the internal audit function, Glassman said.
But Glassman observed that most of the discussion focused on excessive cost. “One of the most worrisome statements I heard was that while many companies initially set the scope of internal controls review through a risk-based approach, their framework was scrapped for the coverage-based, all inclusive approach of the auditors,” she said.
As an example, she said, she heard reports of companies monitoring up to 60,000 “key” controls.
“How can 60,000 controls all be ‘key’ with a ‘material’ impact on financial statements?” she asked.
Glassman, who was named to the SEC in early 2002 by President Bush, also said that, despite SEC and Public Companies Accounting Oversight Board (Audit Standard Number 2) rules requiring merely “reasonable assurance” about the quality of financial reporting, the first-year 404 process often aimed for something approaching “absolute assurance.”
Regulators from the SEC and the accounting oversight board recently issued guidance for companies and their auditors to refocus their responsibility for the assessment and reporting of internal controls back to management and to adopt a risk-based approach to 404 compliance, Glassman said.
“We need to make sure our message is being heard,” she said. “If not I will strongly urge that we consider taking additional steps, including working with PCAOB to reconsider elements of Auditing Standard Number 2, if necessary.”