After the Securities and Exchange Commission’s latest public meeting, the media widely reported that the commission was preparing significant regulatory relief for the smaller public corporations on which Sarbanes-Oxley imposes significant costs. On close examination, however, the SEC's guidance-based approach is unlikely to provide significant relief.
At present, the smallest public corporations are exempt from complying with Section 404, although they must comply with the rest of Sarbanes-Oxley’s numerous requirements. Many observers have recommended that the SEC permanently exempt smaller firms from Section 404 and consider making other SOX provisions less onerous for such firms.
At its recent meeting, however, the SEC confirmed that no such exemption will be forthcoming. Instead, the deadline by which smaller firms must be fully compliant with Section 404 was extended by about a year. In addition, the SEC promised to release “guidance” on which managers can rely in complying with Section 404 that will reduce costs.
The proposed content of that guidance is now available (here).
The core problem is the SEC's continued insistence that "it is impractical to prescribe a single methodology that meets the needs of every company." As a result, the SEC declined to create safe harbors by which compliant firms are insulated from liability. Indeed, the SEC decided not even to "provide a checklist of steps management should perform in completing its evaluation" of the company's internal controls.
Instead, the SEC offered the following guidance:
Management should implement and conduct an evaluation that is sufficient to provide it with a reasonable basis for its annual assessment. Management should use its own experience and informed judgment in designing an evaluation process that aligns with the operations, financial reporting risks and processes of the company. If the evaluation process identifies material weaknesses that exist as of the end of the fiscal year, such weaknesses must be disclosed in management’s annual report with a statement that ICFR is ineffective. If the evaluation identifies no internal control deficiencies that constitute a material weakness, management assesses ICFR as effective.
Management is required to assess as of the end of the fiscal year whether the company’s ICFR is effective in providing reasonable assurance regarding the reliability of financial reporting.
The SEC's guidance is inherently vague and ambiguous, leaving plenty of room for interpretation and disagreement. Terms like "reasonable" and "material" are standards, which by their very nature fail to offer bright lines between lawful and unlawful consequence. Indeed, even the SEC admits that "there is a range of judgments that an issuer might make as to what is 'reasonable' in implementing Section 404 and the Commission’s rules." As a result, determination of whether a particular firm has complied with its SOX obligations is highly fact-specific and contextual. In addition, in securities litigation cases, such as those brought under Sarbanes-Oxley, courts have stated that issues of reasonableness and materiality are issues properly left for determination at trial by the jury. Accordingly, the company and its management cannot be certain that they've fully complied with Section 404 until the SEC or a court decides that they've done so.
Turning to the substance of the 2007 guidance, the SEC continues to recommend "a top-down, risk-based approach" to internal controls. Purportedly, this will allow management to contain costs by focusing on those controls and areas as to which there is a particular risk of a material misstatement occurring in the company's financial statements.
One way in which the 2007 guidance may prove helpful in cost-containment is by reminding management that, while the section 404 assessment must be undertaken annually, "subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the evidence necessary to reasonably support the assessment will only need to be updated from the prior year(s), not recreated anew." In implementing this guidance, firms should develop a process that creates an institutional memory so that changes in personnel at either the firm or its auditor do not require reinventing the wheel.