In its guidance, the statement noted that the SEC has decided not to issue a prescribed system for internal auditing specifically to allow companies to determine how to best monitor themselves.

Their staff guidance was issued today in response to concerns raised at a roundtable discussion held with interested parties last month. Beyond offering general ideas the SEC refrained from specifics on how companies could ensure their compliance with the controversial provision.

"An overarching principle of this guidance is the responsibility of management to determine the form and level of controls appropriate for each organization and to scope their assessment and testing accordingly," the staff statement said.

"One size does not fit all and control effectiveness is affected by many factors," it added.

Sarbanes-Oxley disclosure regulations were designed to combat the corporate misdeeds that led to the Enron and WorldCom scandals.

Accelerated filers with the SEC were required to be in compliance with these new rules for the fiscal year ending November 15, 2004. On April 13, the SEC held a roundtable discussion with interested parties to hear comments on how the process worked in its first year of implementation.

"The feedback made clear that companies have realized improvements to their internal controls as a result of implementing the requirements, and that the requirements have led to an improved focus on internal controls throughout the organization," the staff statement said.

"However, the feedback also identified implementation areas that need further attention or clarification to reduce any unnecessary costs and other burdens without jeopardizing the benefits of the new requirements."

"In adopting its rules implementing Section 404, the Commission expressly declined to prescribe the scope of assessment or the amount of testing and documentation required by management," the staff statement said.

The SEC said, "The scope and process of the assessment should be reasonable, and the assessment (including testing) should be supported by a reasonable level of evidential matter.

"Each company should also use informed judgment in documenting and testing its controls to fit its own operations, risks and procedures. Management should use its own experience and informed judgment in designing an assessment process that fits the needs of that company. Management should not allow the goal and purpose of the internal control over financial reporting provisions - the production of reliable financial statements - to be overshadowed by the process."

The theme of ensuring the spirit of Sarbanes-Oxley disclosure rather than adherence to a specific set of guidelines was also voiced in the staff statement's view of how companies are monitoring themselves. Rather than examining themselves using a risk-based approach, the staff statement noted, many companies began using a "mechanistic, check-the-box" system.

"This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies," the statement said.

An assessment of internal control that is "too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements. The desired approach should devote resources to the areas of greatest risk and avoid giving all significant accounts and related controls equal attention without regard to risk," the statement said.

The evaluation of Sarbanes-Oxley implementation will continue, the staff said, adding that companies should also work to learn from each other which approach to use monitoring their financial data reporting.

"There is a desire for the sharing of best practices so that companies and auditors can benefit from the substantial learning that has taken place from the first year of implementation, and we strongly encourage those efforts," the staff statement said.

It noted also that the evaluation of Sarbanes-Oxley implementation after one year has also created a significant amount of data that could be studied by academics or others. "The staff desires that the benefits are achieved in a sensible and cost-effective manner. We will continue to consider whether there are other ways we can make the process more efficient and effective while preserving the benefits."