History and Background


Original Intent?

Ever since its first year of required compliance in 2004, Sarbanes-Oxley, and Section 404 in particular, has been criticized for the excessive cost and disruption it created for companies. The public debate about whether it's been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1]: “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts.” In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk-based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.

Key Levers

While the guidance has not yet been posted, the SEC’s May 23 press release indicates intent for three key levers:

1. A ‘top-down’ risk-based approach. The SEC highlights two broad principles:

  • Risk-Based Design Evaluation: That management should evaluate the design of the controls to determine whether they adequately address the risk that a material misstatement would not be prevented or detected in a timely manner. There is no requirement to identify every control in a process or document the business processes impacting ICFR. For example, if management determines that the risks for a particular financial reporting element are adequately addressed by an entity-level control, no further evaluation of other controls is required.
  • Risk-Based Testing Evaluation: That management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk (allowing) management to align the nature and extent of its evaluation procedures with those areas that pose the greatest risks. As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas.

2. Refined Deficiency Evaluation: Revise the definitions of significant deficiency and material weakness, as well as the "strong indicators" of a material weakness; and clarify the role of materiality, including interim materiality, in the audit;

3. Reduce Management/Audit Redundancy: Remove the requirement to evaluate management's process; permit consideration of knowledge obtained during previous audits; allow for greater use and consideration of the Work of Others (and not just internal audit); provide a single framework for using the work of others based on the auditor's evaluation of the combined competence and objectivity of others and the subject matter being tested.




[1] Compliance Week, March 2007 issue

[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)

 