SEC Not Easing Section 404 – empowering management & laying framework for risk-based testing, By James J DeLuccia IV

The SEC posted a press release relating to the much anticipated interpretive guidance on the Sarbanes-Oxley Act requirements for section 404, internal controls over financial reporting.  Below are my comments on the press release and the information available so far.

John W. White, Director of the SEC’s Division of Corporation Finance stated “The proposed interpretive guidance should reduce uncertainty about what constitutes a reasonable approach to management’s evaluation while maintaining flexibility for companies that have already developed their own assessment procedures and tools that serve the company and its investors well. Companies will be able to continue using their existing procedures if they choose, provided of course that those meet the standards of Section 404 and our rules. At the same time, the guidance maintains the important investor protection objectives of bringing information about material weaknesses into public view and fostering the preparation of reliable financial statements in an effective and efficient manner.”

All quoted excerpts in this article were extracted from the SEC release.  The recent guidance provided by the SEC focuses on section 404 and specifically addresses:

“(1) a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) management’s assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal controls structure and procedures for financial reporting.”

The new guidance as amended after the comment period is flexible and will not reduce the groundwork already in place at most organizations.  Specifically the SEC states:

“…afford management the latitude to either follow the interpretive guidance or to develop and use other methods that achieve the objectives of the Commission’s 2003 rules.”

While the proposed interpretive guidance document is not yet available, the principles that directed its development have been made public.  These principles place the decision about which risks exist for the business with management.  This entails management evaluating the design of its controls to determine whether material misstatements could go unprevented or undetected, and then assessing how those controls actually operate.

“…management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner.”

“management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those controls.”

In all, the principles aim to allow management to determine the appropriate controls to address the relevant risks that the organization faces.  This is meant to allow full scalability across companies of all sizes.

The to-be-released guidance document will lay out a clear risk-based approach to use when meeting the 404 requirements.  Only the high-level points have been released so far, and little more.  The good news is that these closely resemble the risk standards previously published by NIST and by independent groups.

Top Level Risk-Based SOX Approach proposed by SEC

  1. Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks.
  2. Evaluation of the operating effectiveness of controls.
  3. Reporting the overall results of management’s evaluation.
  4. Documentation.

All in all, the initial guidance does not eliminate or excuse poor controls, as some popular press outlets are implying; rather, it places a bit more authority in management to identify risk and evaluate its own controls.  December is becoming quite heated, as an SEC roundtable discussing Section 404 is being webcast, and the PCAOB is set to release an update to AS2.

More posts to follow as the world of controls becomes more mature…

James DeLuccia IV


One response to “SEC Not Easing Section 404 – empowering management & laying framework for risk-based testing, By James J DeLuccia IV”

  1. Pingback: SOX 404 Deadline extended for Small Biz, By James DeLuccia IV « Payment Card Security & IT Controls Explained
