Article for ExaProtect Newsletter
December 2007
SOX - Changing Compliance Requirements
In December 2006, the US Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) announced a series of changes to the requirements of Sarbanes-Oxley section 404.
The PCAOB, also in December, proposed a new auditing standard for Section 404 audits of internal control over financial reporting, with the objective of reducing the burdens and costs imposed by its original reporting requirements. This proposal was adopted and, in May 2007, the PCAOB replaced its Auditing Standard No. 2 with what is known as AS 5, An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements.
This is a principles-based auditing standard, designed to focus the auditor on the matters most important to an audit of internal control. This should increase the likelihood that material weaknesses will be found before they cause a material misstatement of the financial statements. It also eliminates audit requirements that are unnecessary to achieve the intended benefits, provides direction on how to scale the audit for a smaller and less complex company, and simplifies and significantly shortens the text of the previous No. 2 internal control standard.
The PCAOB has dropped its proposal to have a new auditing standard that would enable the use of the work performed by internal auditors, management and others in an integrated audit of financial statements and internal control, and included this in the new AS 5. This further clarifies how and to what extent an independent auditor may use or rely on that work to reduce the work the auditor otherwise would have to perform – and the cost of doing so.
In parallel, there has been a recognition that the COSO guidance on which initial SOX internal compliance was generally built may have been more than was required of smaller businesses. The resulting COSO guidance for smaller public companies takes the concepts of the 1992 Internal Control - Integrated Framework and demonstrates their applicability for achieving the financial reporting objectives of smaller publicly traded companies. A copy is available from http://www.coso.org/publications.htm.
What do these changes signify?
There has, for some time, been a concern from listed companies as to the expense of SOX compliance, combined with a growing belief that the onerous nature of SOX requirements has been driving existing companies away from US exchanges and also encouraging those seeking a new listing to choose a non-US exchange.
Regulators, though, are clearly not going to substantially relax the requirements on corporations, but they seem to be prepared to shift to a more principles-based approach, which allows an assessment of internal control to focus on the areas of highest risk and to scale the assessment to the organization's actual needs.
There is no indication, however, that SOX might disappear; indeed, there is still a strong and widely-held view that SOX requirements are, in the long run, making US-listed companies even more internationally competitive.
Further information on the governance implications of changing SOX requirements is available at http://www.itgovernance.co.uk/page.us
Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), the one-stop-shop for information security books, tools, training and consultancy. He is co-author of the definitive guide to ISO 27001 compliance, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’.