The U.S. Securities and Exchange
Commission (SEC) has proposed
changes to the current requirements imposed on management by the Sarbanes-Oxley Act (SOX) relating to the assessment,
documentation and testing of a public company’s internal control over financial reporting. The Public Company Accounting
Oversight Board (PCAOB), likewise, is
reassessing the auditors’ responsibilities on
auditing such information.
On Dec. 13, 2006, the SEC issued proposed interpretive management guidance
relating to the internal control of financial
reporting. A few days later, on Dec. 19, the
PCAOB issued, for public comment, a proposed revised auditing standard relating to
the auditing internal controls over financial
reporting. Each item is open for public
comment for 60 days.
“Staying informed on the latest developments in corporate governance is vitally
important to CEOs,” says John Poth, partner
in the Audit and Business Advisory Services
Department with Haskell & White LLP.
Smart Business spoke with Poth about
why these changes are good news for CEOs.
What are the purposes of the new proposals?
The desire is to ‘right-size’ both requirements to obtain the intended benefits of
each without requiring unnecessary work
or costs. The SEC and PCAOB hope to
establish new requirements for each that
are less time-consuming and are scalable
to smaller public companies, as well as
large accelerated filers.
Why are these changes occurring now?
These proposals are in response to the first
two years of the SOX requirement that public
company management document the internal controls over financial reporting and the
requirement that auditors audit this information and feedback received by the SEC and
PCAOB relating to the requirements.
Can you briefly summarize each of these
lengthy proposals?
The new SEC-proposed guidance to management is based upon two key principles.
First, management should evaluate the
design of the implemented controls and
determine if there is a reasonable possibility of a material misstatement in the financial statements that would not be prevented or detected in a timely manner. Second,
management should collect and test evidence that the controls in place are indeed
working, based on the company’s assessment of the risk associated with those controls.
It emphasizes that management should
use a top-down, risk-based, principles-based, flexible approach. Smaller public
companies can tailor their evaluation of
internal controls to fit their size and complexity while also meeting the needs of
larger accelerated filers.
The SEC proposal provides guidance in
four key areas: identification of financial
reporting risk and controls implemented
to address those risks; evaluating the
operational effectiveness of those controls; reporting the overall results of
management’s evaluation; and necessary
documentation.
The PCAOB-proposed new auditing standard would focus the auditor on matters
that are most important to internal control,
eliminate unnecessary procedures, and make the audit more suited for smaller and
less complex companies.
Some of the proposal’s key elements are
emphasizing the risk assessment process;
directing the auditor to the most important
controls; clarifying the role of materiality;
removing the audit requirement to evaluate
management’s process; and permitting the
consideration of knowledge obtained during previous audits.
What are the intended benefits to public
companies from these changes?
If these proposals are approved, they
should have the impact of focusing both
management and auditors on material
items rather than time and expense on
items considered not reasonably possible
of resulting in a material error in the financial statements. In addition, it is intended
to help smaller public companies implement SOX without such a strong perception of an unfair burden. The intent is to
reduce time and cost.
How much time and expense will be saved?
The answer to this depends on where a
company is in the process.
For smaller companies that are not yet
subject to the 404 requirement, it merely
defines what needs to be accomplished in
the process — which will still likely be
costly, but less than it would have been
before the proposed revision to the
requirements.
For companies already subject to SOX
404, this is going to depend on the
approach taken in the past by both management and the auditor and the new
requirement that only certain key controls
need now be considered. Once these proposals pass, assuming they do, key management personnel need to meet and
determine what is needed and then consider appropriate meetings with auditors
and other outside advisers to discuss the
issue.
JOHN POTH is a partner in the Audit and Business Advisory
Services Department with Haskell & White LLP. Reach him at
(949) 450-6390 or [email protected].
