After years of vigorous lobbying by business groups and lawmakers for softening the rules under Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), the Securities and Exchange Commission (SEC) unanimously approved interpretive guidance on May 23, 2007 designed to ease the burden of complying with Section 404 by allowing public companies to tailor their internal inspections to the scale of the business, thereby reducing the cost of compliance with SOX.

Implemented to discourage fraud and financial manipulation in the wake of high profile corporate scandals, Section 404 requires that management of a public company establish, maintain and assess adequate internal control structures and procedures for financial reporting. It also requires the independent auditor who prepares or issues the audit report on the company's financial statements to sign off on management's assessment of such structure and procedures. The lack of specific guidance from the SEC has caused many companies to err on the side of caution and expend significant amounts of time and money in order to ensure compliance with Section 404. Section 404 was criticized by many business groups, especially smaller public companies, which claimed to be at a significant disadvantage when competing in world markets.

In response to numerous comments and complaints from public companies regarding the costs and difficulties associated with compliance with Section 404, the SEC hosted a roundtable discussion on April 13, 2005 to discuss the costs, benefits and extraordinary efforts associated with the implementation of Section 404. The SEC followed that roundtable discussion with a release dated May 16, 2005 (the 2005 Release), which addressed many of the comments and complaints raised at the roundtable discussion. The contents of the 2005 Release were highlighted in our previous bulletin " Concerns Over the Implementation of Sox 404 Draw Comments from the SEC and PCAOB" from May 2005 which can be found on our website.

The SEC also issued a second release on December 20, 2006 (the 2006 Release) which reiterated many of the suggestions set forth in the 2005 Release. One of the key recommendations found in both the 2005 and 2006 Releases was to implement a top-down, risk-based evaluation of internal control over financial reporting. Companies and auditors were encouraged to focus first on corporate-level controls, then significant accounts, then significant processes and finally on individual controls at the process, transactions or application levels rather than on controls and processes for accounts that have only a remote likelihood of containing a material misstatement.

Consistent with the 2005 and 2006 Releases, the new guidance from the SEC encourages a top-down, risk-based approach to auditing internal controls. This approach is based on two principles: (1) that management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner and (2) that management's evaluation of evidence about the operation of its controls should be based on its assessment of risk. The new guidance also eliminates the Section 404 requirement that the independent auditor who prepares or issues the audit report on the company's financial statements sign off on management's assessment of such structure and procedures, but does require the auditor to deliver a formal opinion on whether the company's financial controls are effective. The SEC is hopeful that the new guidance will allow public companies to scale and tailor their evaluation procedures to the size of the business without creating unnecessary compliance burdens, thereby benefiting investors by reducing compliance costs.

To coincide with the new guidance issued by the SEC, the Public Company Accounting Oversight Board (PCAOB) unanimously approved the adoption of a new auditing standard on May 24, 2007 which allows accountants to focus on the aspects of a company that present the biggest financial risk. It is hoped that this new approach, together with the SEC's new guidance on Section 404, will allow management and auditors to eliminate duplication when complying with SOX by focusing on the critical risk areas and will result in lower audit fees and greater efficiencies in the conduct of future audits.

The effective date of the new guidance and adopted rules will be 30 days following their publication in the Federal Register. The full text of the new guidance and rules are not yet posted to the SEC's website, but will be made available as soon as possible.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.