Sarbanes-Oxley internal control audit mandates modified following industry feedback
Washington
Actions by two federal accounting regulators will reduce the cost of compliance with the controversial Section 404 of the Sarbanes-Oxley Act by providing insurance companies and auditors with greater flexibility, several industry groups asserted.
The new guidance from the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board also shows the willingness of the agencies to be responsive to industry concerns about the cost of compliance with the regulation, as well as about determining precisely how the agencies are interpreting the provision, the trade groups said.
At the same time, the regulators refused to support calls by powerful industry groups for the law to be repealed.
For example, William J. McDonough, chairman of the Public Company Accounting Oversight Board, said, “it is clear to us that the internal control assessment and audit process has the potential to improve significantly the quality and reliability of financial reporting.
“At the same time,” he added, “it is equally clear to us that the first round of internal control audits cost too much. Through the guidance we issue today, as well as our upcoming inspections, we are committed to seeing that [the regulation] is implemented in a manner that captures the benefits of the process without unnecessary and unsustainable costs.”
Mr. McDonough also said that the PCAOB and the SEC continue to work to “facilitate implementation” of Section 404 of SOX by the auditors of the smaller U.S. public companies and foreign firms–which, by SEC rule, need not comply until 2006.
What The Rule Says
Section 404 of the Sarbanes-Oxley Act and the SEC's related implementing rules require certain companies to include in their annual reports a section on management's assessment of the effectiveness of internal controls over financial reporting.
Section 404 also requires auditors to attest to and report on the internal control assessments made by management. PCAOB Auditing Standard No. 2–which refers to the auditor's attestation as an audit of internal control over financial reporting–is the standard auditors must use to satisfy their obligations under Section 404.
Effectively, the staff guidance issued by the SEC and the policy statement by the PCAOB allow companies to comply with Section 404 by creating a system that works best for their own specific organization.
Phillip Carson, senior counsel for financial reporting at the American Insurance Association, said he believes the new regulatory guidance “is positive for all companies subject to Sarbanes-Oxley.”
He explained that it was issued by the two agencies in response to an April 13 roundtable with industry officials. Mr. Carson said the benefit of the new guidance is that it addresses some of the issues that drive the cost of internal control audits–specifically the issue of audit scope.
“It looks to the auditor to apply more judgment rather than rely simply on excessive transactions testing, which drives cost,” he said. “It emphasizes the need to develop the audit in terms of risk assessment–that is, focus on the higher risk areas, as opposed to making it apply equally to low-risk areas, as well.
“In other words, it is a quality vs. quantity issue, the agencies have said,” Mr. Carson explained.
New Guidelines
The new guidelines will allow external auditors to communicate directly with management and tailor audits to individual clients, explained Richard Whiting, executive director and general counsel for The Financial Services Roundtable. He said that external auditors also will be able to use the work of internal audit staff.
“Further, the new guidelines will allow for an integrated audit of internal controls and financial statements,” Mr. Whiting said.
“The guidance is a constructive step in providing greater clarity and focus on Sarbanes-Oxley requirements,” he added. “The PCAOB clearly has heard the message that there are aspects of Section 404 that are not working.”
The SEC staff statement explains that “an overarching principle of this guidance is the responsibility of management to determine the form and level of controls appropriate for each organization and to scope their assessment and testing accordingly. One size does not fit all, and control effectiveness is affected by many factors.”
Sarbanes-Oxley was designed to combat the corporate misdeeds that led to the Enron and WorldCom scandals.
Accelerated filers with the SEC were required to be in compliance with these new rules for the fiscal year ending Nov. 15, 2004. The guidance follows the April 13 roundtable discussion with industry officials, in which the agencies listened to comments from issuers on how the process worked in its first year of implementation.
“The feedback made clear that companies have realized improvements to their internal controls as a result of implementing the requirements and that the requirements have led to an improved focus on internal controls throughout the organization,” the staff statement said.
“However, the feedback also identified implementation areas that need further attention or clarification to reduce any unnecessary costs and other burdens without jeopardizing the benefits of the new requirements,” the agencies added.
Flexibility Offered
In its guidance, the statement noted that the SEC has decided not to issue a prescribed system for internal auditing specifically to allow companies to determine how to best monitor themselves.
“In adopting its rules implementing Section 404, the Commission expressly declined to prescribe the scope of assessment or the amount of testing and documentation required by management,” the staff statement said.
“The scope and process of the assessment should be reasonable, and the assessment [including testing] should be supported by a reasonable level of evidential matter,” the statement added.
“Each company also should use informed judgment in documenting and testing its controls to fit its own operations, risks and procedures,” the agencies went on to say. “Management should use its own experience and informed judgment in designing an assessment process that fits the needs of that company. Management should not allow the goal and purpose of the internal control over financial reporting provisions–the production of reliable financial statements–to be overshadowed by the process.”
The theme of ensuring the spirit of Sarbanes-Oxley rather than adherence to a specific set of guidelines also was apparent in the staff statement's view of how companies are monitoring themselves. Rather than examining their own firms using a risk-based approach, the staff statement noted, many companies began using a “mechanistic, check-the-box” system.
“This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies,” the statement said. “Indeed, an assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements. The desired approach should devote resources to the areas of greatest risk and avoid giving all significant accounts and related controls equal attention without regard to risk.”
The evaluation of Sarbanes-Oxley implementation will continue, the staff said, adding that companies also should work to learn from each other about which approaches to monitoring their financial data reporting work best.
“There is a desire for the sharing of best practices so that companies and auditors can benefit from the substantial learning that has taken place from the first year of implementation, and we strongly encourage those efforts,” the staff statement said, noting also that the evaluation of Sarbanes-Oxley implementation after one year has created a significant amount of data that could be studied by academics or other experts.
“The staff desires that the benefits are achieved in a sensible and cost-effective manner,” the statement read. “We will continue to consider whether there are other ways we can make the process more efficient and effective while preserving the benefits.”
The PCAOB said that the guidance, in a question and answer format, “seeks to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient.”