By: Cydney Posner

In a recent speech, SEC commissioner Cynthia Glassman included a number of comments on SOX 404 that may provide some indication of where some at the SEC are headed on this issue. After reminding her audience that internal controls are not a new requirement, she noted that she has "repeatedly heard, and I continue to hear, that the demands of 404 have caused companies and auditors to put business initiatives on hold and focus excessively on the details of financial systems -- missing the proverbial forest for the trees, so to speak....I have heard these messages loud and clear, and I can assure you that others at the Commission, including Don Nicolaisen, our Chief Accountant, and Alan Beller, the Director of our Division of Corporation Finance, have as well." Glassman asserts that, in addition to various actions taken to delay implementation, the SEC "ought to determine if there is a way to reduce the burden without reducing the effectiveness...."

She also expressed concern that investors and other market participants may overreact to reports of internal control problems: "Understandably, companies may be cautious and conservative in disclosing material weaknesses and significant deficiencies. While there have been reports of increasing disclosure in this regard, it is important to remember that significant deficiencies, or even material weaknesses, do not necessarily mean the financial statements are deficient -- mere disclosure should not necessarily result in an unwarranted regulatory, market or investor reaction. What is important is that management provides meaningful descriptions of the material weaknesses and their consequences, as well as the remedial actions that have, or will, occur to rectify the problem. Boilerplate disclosure that does not change from quarter to quarter or year to year is not sufficient."

Finally, Glassman reminded her audience of her oft-expressed concerns "that the reforms would be viewed as an expensive, check-the-box exercise, and I am troubled that my initial concerns may in fact be borne out. I am particularly concerned that management and Boards of Directors, due to the hurdles that have been put in front of them, may be missing an opportunity to incorporate the 404 requirements into a broader, enterprise-wide risk management system."

Enterprise risk management may just be the next big thing.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.