NetworkWorld.com - Faced with a tidal wave of complaints about high costs and implementation difficulties, federal regulators say they will consider modifying rules and auditing standards related to the Sarbanes-Oxley Act.
Executives from companies including General Electric, Lockheed Martin and Emerson Electric spoke about the challenges of complying with the legislation during an all-day roundtable held Wednesday in Washington, D.C. Most participants agreed that two years of SOX compliance have shored up corporate accounting practices — but at a cost that’s lopsided compared with the benefits gained.
The U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) arranged the roundtable to solicit feedback about SOX Section 404, which requires companies to attest to the effectiveness of internal controls put in place to protect financial reporting systems and processes. Representatives from these bodies said they’re open to suggestions about how to relax the burden of Section 404 compliance.
“The Sarbanes-Oxley Act was a critical step in addressing an unprecedented string of corporate scandals that were rooted in very serious governance, accounting and audit failures,” said SEC Chairman Christopher Cox in his opening remarks. Section 404 has the potential to improve the accuracy and reliability of financial reporting, but only if it’s implemented properly, Cox said. “In practice, it hasn’t always worked out that way,” he acknowledged.
Bill Gradison, acting chairman of the PCAOB, added that guidance the SEC issued last year and PCAOB’s latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. “Based on the information we already have, it would seem that some further changes may be in order,” Gradison said.
Among the changes panelists advocate is greater latitude for auditors to use their judgment in determining which controls are most significant.
Mary Bush, president of consulting firm Bush International, said there’s a need for guidance from the SEC and PCAOB around the areas that pose the greatest risk to accurate financial reporting: “There still seems to be as much emphasis placed on low-level process controls as there is on controls that really have a risk for incorrect financial reporting. That’s an issue that I think needs additional attention.”
Several panelists agreed that companies and audit firms need to pare back the number of controls that are tested.
Business managers at British Petroleum find it’s useful to identify, document and test the effectiveness of internal controls, but balk at the duplication of testing required by staff and internal and external auditors, said Keith Holmberg, vice president of financial control processes at the global energy company. All that testing starts to dilute the sense that it’s good business practice, he said. “For us that’s probably been the biggest area of frustration.”
The evaluation of IT-related controls, in particular, leaves a lot to be desired, said Susan Gordon, corporate controller and chief accounting officer at CBS. Audit firms today tend to use canned control questionnaires, not tailored for specific situations, in evaluating controls rather than taking a more relevant, risk-based approach to reviewing IT controls, she said.