From the Commission's April 13th Roundtable on Implementation of Internal Control Reporting Provisions - as well as from the extensive materials submitted in response to our request for feedback - we believe two messages came through clearly: First, compliance with Section 404 is producing benefits, including a heightened focus on internal controls at the top levels of public companies. We hope that this focus will produce better financial reporting. Second, implementation in the first year also resulted in significant costs. While a portion of the costs likely reflect start-up expenses from this new requirement, it also appears that some non-trivial costs may have been unnecessary, due to excessive, duplicative or misfocused efforts. As a result, we heard the implementation process needs to be improved going forward, so that it is more effective and efficient.
In response to those concerns, we asked the SEC staff, at the end of the roundtable, to consider whether additional guidance and clarification of certain issues was appropriate. Today the staff released a Staff Statement on Management's Report on Internal Control Over Financial Reporting to provide such guidance. An overarching principle of this guidance is the responsibility of management to determine the form and level of controls appropriate for each company and to scope their assessment and the testing accordingly. Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404. The SEC staff guidance complements the guidance that the PCAOB will provide with respect to the application of its Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of the Financial Statements.
We wish to make clear that these actions are not the end of the process. The Commission staff will continue to monitor the implementation of the internal control reporting requirements, particularly for smaller public companies and foreign private issuers. In addition, because of the importance we place on effective and efficient implementation of Section 404, we believe the following broad concepts bear mention at this time.
- Although it is not surprising that first-year implementation of Section 404 was challenging, almost all of the significant complaints we heard related not to the Sarbanes-Oxley Act or to the rules and auditing standards implementing Section 404, but rather to a mechanical, and even overly cautious, way in which those rules and standards apparently have been applied in many cases. Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. A one-size-fits-all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good-faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.
- In future years we expect the internal control audit to be better integrated with the audit of a company's financial statements. If management and auditors can achieve the goal of integrating the two audits, we expect that both internal and external costs of Section 404 compliance will fall for most companies.
- Internal controls over financial reporting should reflect the nature and size of the company to which they relate. Particular attention should be paid to making sure that implementation of Section 404 is appropriately tailored to the operations of smaller companies. Again, this is an area where reasoned judgment and a risk-based approach must be brought to bear. We continue to be actively engaged in projects to evaluate and assess the effects of the internal control reporting rules on smaller companies. In addition to delaying the implementation of those rules for smaller companies, we have encouraged the Committee of Sponsoring Organizations (COSO) of the Treadway Commission to develop additional guidance in applying its internal control framework to smaller companies. We have established the Commission Advisory Committee on Smaller Public Companies to consider the impact of Commission rules - including the internal control reporting rules - on smaller companies.
- We encourage frequent and frank dialogue among management, auditors and audit committees with the goal of improving internal controls and the financial reports upon which investors rely. Management of all companies - large and small - should not fear that a discussion of internal controls with, or a request for assistance or clarification from, the auditor will, itself, be deemed a deficiency in internal control. Moreover, as long as management determines the accounting to be used and does not rely on the auditor to design or implement the controls, we do not believe that the auditor's providing advice or assistance, in itself, constitutes a violation of our independence rules. Both common sense and sound policy dictate that communications must be ongoing and open in order to create the best environment for producing high quality financial reporting and auditing; communications must not be so restricted or formalized that their value is lost.
The entire financial reporting community, including investors, auditors, management, and regulators, shares the common goal of improving the reliability of financial reporting and the information available to the market. With the experience of the first round of Section 404 implementation, we should continue to focus on the lessons learned and ways to improve the process going forward. Section 404 is too important not to get right, but getting it right requires both effective and efficient implementation.