News

Speech by resigning SEC Commissioner Glassman with recommendations on SOX 404; COX says SEC to decide on extension in few months

News Brief
May 15, 2006

By:  Cydney Posner

Today, SEC Commissioner Cynthia Glassman announced that she intended to leave the SEC after completion of her current term, which ends in June 2006. She indicated that she would stay on until her replacement is named to ensure a smooth transition. Just a few days before submitting her resignation, Commissioner Glassman spoke at Twelfth Annual CFO Summit in Tampa, Florida on the topic of "Internal Controls Over Financial Reporting - Putting Sarbanes-Oxley Section 404 in Perspective." In her address, discussed below, Glassman expressed the view that SOX 404 presents the toughest challenge she has yet faced at the SEC.

Meanwhile, Chairman COX has reportedly told a Congressional Committee that the SEC expects to make a decision "in the next few months" on whether to extend the current exemption for smaller public companies beyond July 2007. More recently, Cox was reported to have told journalists that the SEC "was closing in on" a decision on whether to accept the SEC Advisory Committee's recommendation that certain small companies be exempted from SOX 404, but was "still a distance away from making a decision we can publicly announce."

In her speech, Glassman emphasized that effective internal controls are necessary to help ensure that companies provide investors with accurate financial statements; however, "the overarching question is, are the new rules and regulations moving us forward effectively and efficiently toward the goal of promoting high standards of corporate behavior, full and accurate disclosure, and ultimately investor protection? To answer this question, we should not look at just AS2 or Section 404. The goal is not controls for controls' sake. A more holistic perspective is needed." It is not yet clear whether the benefits of internal controls are "coming from the same place as the costs? What portion of the benefits and costs are generated by management's assessment versus by the auditor's attestation process?" Glassman reports that almost half of the cost of an audit is currently for the internal control attestation. In addition to the costs, she notes that there have been some negative unintended consequences, such as delayed acquisitions and new projects and substantial IT spending. Although some have attributed the large number of public company financial restatements (1,200 in 2005) to the rigors of SOX 404, less than half of the companies restating were accelerated filers. In addition, many have commented that the requirements of AS2 "are inflexible and overly prescriptive, and do not provide for enough auditor judgment and a tailored approach. In addition, auditors are confronted with a PCAOB inspection process which, I am told, has typically pushed them during the last year to do more testing and work in all facets of the audit, including the internal control portion, despite the SEC and PCAOB guidance issued last May."

Glassman makes four recommendations, some of which were reflected in her questions to the SOX 404 roundtable (see my email of 5/12/06):

  • First, provide companies with more practical guidance as to how to conduct their assessments and to evaluate and document their internal controls. While the SEC considers the COSO framework acceptable for management to use in conducting its assessments, COSO is a broad, general framework and provides only limited guidance on how to actually conduct an assessment and the types of controls that should be implemented. COSO is developing more specific guidance for smaller companies, but other alternatives that provide more practical guidance should be developed by the SEC, issuer groups, COSO and other constituents. Best practices should be developed and premised on a risk-based approach, be scalable for companies of all sizes, address how management should perform and document its assessment and more effectively use ongoing monitoring activities as opposed to separate evaluations. Guidance should also incorporate a materiality standard and be cost effective.
  • Second, revisit the role of the auditors, including the scope of the auditors; assessment, the extent of their testing and their attestation as to effectiveness. Glassman raises the question of whether the auditors' role should be limited to examining and attesting as to management's process and its assessment only, and not involve redundant testing of the controls. As is the case with the Federal Deposit Insurance Corporation Improvement Act (FDICIA), she suggests that the public accountant could attest to, and report separately on, the assertions of management contained in management's report. Alternatively, she proposes consideration of the model used by the FDA in the drug approval process, in which the drug developers conduct tests on their own drug candidates, opine on the design and scope of those tests and then examine the data; based upon that data, the FDA requests further information and ultimately makes an approval decision. The FDA does not test the drugs itself.
  • Third, in the absence of changes to the auditors' role, consider revisions to AS2, including, but not limited to, the following.
    • Incorporate a more risk-based approach;
    • Increase reliance on company-level controls to reduce low-level testing;
    • Permit reliance on prior audit work by eliminating the concept that each audit must "stand on its own";
    • Limit walkthroughs;
    • Promote consistent and cost-effective documentation standards;
    • Make the large-portion coverage requirement for multi-location entities less prescriptive and permit more judgment based on risk and materiality;
    • Refine the process for identifying significant accounts, which would materially affect the amount of work performed;
    • Minimize updating, especially where monitoring controls have been employed throughout the period;
    • Eliminate assessment of controls surrounding the effectiveness of IT functions that do not contribute to the accuracy of the financial statements; and
    • Encourage more reliance on the work of others, such as the internal audit function.
  • Fourth, tailor SOX 404 for smaller filers, based on company size and complexity. Glassman recommends that the SEC consider requiring smaller companies to perform the management assessment portion as soon as better guidance is available and clarifying the role of the auditor to promote efficiency and effectiveness for smaller as well as larger issuers.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may have been generated with the assistance of artificial intelligence (AI) in accordance with our AI Principles, may be considered Attorney Advertising and is subject to our legal notices.