05/17/06 SOX 404 relief?


The SEC announced today a series of actions designed to improve the "implementation" of the internal control requirements under Section 404 of Sarbanes-Oxley. Among other things, the SEC intends to:

  • further postpone the Section 404 requirements for the smallest company filers (although ultimately all public companies will still be required to comply with the internal control reporting requirements of Section 404). In order to permit non-accelerated filers and their auditors to have the benefit of the management guidance that the SEC intends to issue (see below), and to have the opportunity to evaluate and implement the revisions that the PCAOB plans to make, the SEC expects to issue a short postponement of the effective date of the SEC's rules implementing Section 404 for non-accelerated filers. It is anticipated that any such postponement would nonetheless require all filers to comply with the management assessment required by Section 404 for fiscal years beginning on or after Dec. 16, 2006. For a calendar fiscal year company, this does not mean any change, since the current time table is for the rules to be effective for fiscal years ending on or after July 15, 2007 - in other words, at least as of now, small companies still need to comply by the end of 2007. However, the wording of the SEC statement seems to be limited to management's assessment, so it is conceivable the deadline for auditor review of internal controls may be pushed out further.
  • issue further guidance for companies, including

    • a "concept release" to solicit views on the management assessment process to ensure that the guidance the SEC ultimately proposes addresses the needs and concerns of all public companies. The SEC will also seek input on the appropriate role of outside auditors in connection with the management assessment required by SOX 404 and on the manner in which outside auditors provide the required attestation, to assist in the SEC's consideration of possible alternatives to the current approach;
    • consideration of additional guidance from COSO. The SEC anticipates that forthcoming guidance will help organizations of all sizes to better understand and apply the COSO control framework as it relates to internal control over financial reporting. As the SEC develops guidance for management on how to assess its internal control over financial reporting, it will consider the extent to which the additional guidance that COSO provides is useful to smaller public companies in completing their SOX 404 assessments.
    • further guidance on how management assessments under SOX 404 can better reflect the top-down, risk-based approach the SEC intended. Building from the information gathered in response to the concept release, and from the anticipated COSO guidance, the SEC anticipates that it will issue guidance to management to assist in its performance of a top-down, risk-based assessment of internal control over financial reporting. To ensure that this guidance is of help to non-accelerated filers and smaller public companies, the SEC intends that this future guidance will be scalable and responsive to their individual circumstances. The guidance will also be sensitive to the fact that many companies have already invested substantial resources to establish and document programs and procedures to perform their assessments over the last few years. The form of the guidance has yet to be determined.
    • work with the Public Company Accounting Oversight Board (PCAOB) on revisions of its internal control auditing standard. The PCAOB announced today that it intends to propose revisions to its Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements." The proposed revisions would (i) seek to ensure that auditors focus during integrated audits on areas that pose higher risk of fraud or material error; (ii) incorporate key concepts contained in the guidance issued by the PCAOB on May 16, 2005; and (iii) revisit and clarify what, if any, role the auditor should play in evaluating the company's process of assessing internal control effectiveness.
  • conduct SEC inspections of PCAOB efforts to improve SOX 404 oversight. The PCAOB announced on May 1, 2006, that it would focus its 2006 inspections on whether auditors have achieved cost-saving efficiencies in the audits they have performed under AS No. 2, and on whether auditors have followed the guidance that the PCAOB issued in May and November 2005 urging them to do so. As part of the SEC's oversight of the PCAOB, the SEC staff inspects aspects of the PCAOB's operations, including its inspection program. Among other things, upon completion of the PCAOB's 2006 inspections, the staff will examine whether the PCAOB inspections of audit firms have been effective in encouraging implementation of the principles outlined in the PCAOB's May 1, 2006 statement.

    The full press release can be found at: http://www.sec.gov/news/press/2006/2006-75.htm