
Blackbelt 404.

Compliance For The Sane

IIA vs. SEC

September 11, 2006

On July 18th, the SEC published their Concept Release on Section 404 Guidance, where they asked for comments to help shape their forthcoming 404 guidance. The IIA replied. In general, I thought their response was excellent. They even had a few zingers in there, but you'll have to read all the way to the last page if you want to see the best one:


SEC: How might guidance be helpful in addressing the flexibility and cost
containment needs of smaller companies?

IIA: The question appears to recognize that a reasonable level of internal
control assurance should take into account the cost of providing that control
... Unfortunately, cost is not a consideration in today's guidance and we
welcome a contribution in this area by the SEC.

Hehe.

The IIA's most salient points include:

  1. We need clarification in several areas, so that we do not continue to be - quote - "forced ... to back into what is expected from ... external auditors who are in turn interpreting (inconsistently and perhaps not always accurately) PCAOB guidance." Well said.
  2. The PCAOB keeps using phrases such as "reasonable assurance", "reasonable likelihood", "remote likelihood," and "inconsequential", which are neither objective nor consistently interpreted. And - this is an exact quote - "reasonably possible or reasonably likely [are] not plain English."
  3. The SEC should identify and address the root causes of the major financial scandals that triggered SOX, in other words, issues within the COSO Control Environment layer, as opposed to the current approach, which focuses primarily on risks within the Control Activities.
  4. The term "Key", as in "key control," needs to be understood in the same way by both management and the external auditor. (I don't understand why this is still an issue. See here).
  5. Especially regarding ITGC, the definition of a "key" control must be more clearly understood.
  6. The definition of "material", as in "material misstatement," must be more clearly defined.
  7. The judgment of a reasonable investor should be used, instead of the current criterion, which is the judgment of a reasonable official.
  8. Controls aren't omnipotent. Even if they are effective, errors and even fraud can occur, albeit with the odds of such occurrences greatly reduced. Therefore, if a company has to restate their financials, it does not necessarily mean - nor is it necessarily even a "strong indicator" - that the internal controls were broken. Especially when the external auditors reviewed those controls and found them effective.
  9. We need guidelines for testing automated controls.
  10. The requirement that tests must be performed during the year is a hold-over from financial statement auditing theory and makes no sense in the context of 404. A control that is tested effective a few days after year end is more likely to have been in place than a control that was tested to be effective 2 months prior to year end.

There were also points that I disagree with. I'll discuss them in the next few posts.

posted timely by shapi, 12:24 PM
