Yesterday the SEC issued a press release regarding a Public Company Accounting Oversight Board (PCAOB) proposal for a new auditing standard for Section 404 of the Sarbanes-Oxley (SOX) Act. The goal of the proposal will be to strengthen investor protection while getting rid of what is referenced as the “unduly expensive and inefficient auditing standard under Section 404.”
“Washington, D.C., Dec. 19, 2006 – The Public Company Accounting Oversight Board (PCAOB) today voted to propose a new auditing standard for the audits of registrants’ internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act, which, if adopted by the PCAOB and approved by the Commission, would supersede the PCAOB’s Auditing Standard No. 2.
Christopher Cox, Chairman, U.S. Securities and Exchange Commission, said, “The PCAOB’s proposal to repeal the unduly expensive and inefficient auditing standard under Section 404 of Sarbanes-Oxley — and to replace that standard with one that strengthens investor protection by refocusing resources on what truly matters to the integrity of financial statements — is an exceptionally positive step for both investors and for America’s capital markets. The SEC and the PCAOB have worked together to ensure that the Commission’s proposed interpretative guidance for management and the PCAOB’s proposed new auditing standard are mutually reinforcing. Together, these proposals should significantly improve the implementation of Section 404, making it more efficient and effective. Smaller public companies should particularly benefit from the scalability built into these proposals. We look forward to considering the public comments on these proposals.”
Conrad Hewitt, Chief Accountant, U.S. Securities and Exchange Commission, added, “The PCAOB’s proposed auditing standard is a welcome development, and we look forward to reviewing it carefully. We encourage companies, audit firms, investors and any other interested parties to comment on both the PCAOB’s proposed auditing standard and the Commission’s proposed interpretative guidance for management during the proposals’ overlapping comment periods. We will consider all of these comments carefully before making any recommendations to the Commission.”
So, what is the PCAOB proposal? Take a look here to see all 131 pages of it.
The beginning of the proposal states:
“As described below, the proposals are designed primarily to –
• Focus the audit on the matters most important to internal control by, among other things, directing the auditor’s testing to the most important controls; emphasizing the importance of risk assessment; revising the definitions of significant deficiency and material weakness, as well as the “strong indicators” of a material weakness; and clarifying the role of materiality, including interim materiality, in the audit;
• Eliminate unnecessary procedures by, among other things, removing the requirement to evaluate management’s process; permitting consideration of knowledge obtained during previous audits; refocusing the multi-location testing requirements on risk rather than coverage; removing barriers to using the work of others; and recalibrating the walkthrough requirement;
• Scale the audit for smaller companies by, among other things, directing the auditor to tailor the audit to reflect the attributes of smaller, less complex companies; and
• Simplify the requirements by, among other things, reducing detail and specificity; better reflecting the sequential flow of an audit of internal control; and improving readability.”
This certainly seems like common sense, doesn’t it?
It probably warms the hearts of those chilled by jumping through all the audit hoops of SOX over the past couple of years to comply with Section 404 to see that changes of this sort are likely soon.
It is notable that this proposal would require consideration of applicable controls and of review work that has already been done to test and evaluate those controls. This alone should significantly reduce the SOX compliance audit duration for most organizations.
Bottom line, the proposal appears to place a stronger emphasis on risk-based controls specific to each organization. This is a positive step in aligning this regulation more closely with similar types of risk-based control requirements in other federal regulations such as HIPAA and GLBA.