Say what you will about Sarbanes-Oxley, but most public companies have ended up with meaningful SOX results.
Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting.
That said, smaller companies that have been exempt from audit attestation have often not produced such meaningful results. Instead of embracing the spirit of SOX 404, they have viewed the landmark legislation as a check-the-box exercise. One example is the use of lower standards of evidence (inquiry rather than performance); the resulting SOX testing is often neither meaningful nor insightful.
Now recent developments are sending conflicting messages about the direction of SOX rules.
The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency, given what we’ve seen with smaller companies.
In the other direction, Public Company Accounting Oversight Board reviews of Big Four audit firms have led auditors to ask for more robust documentation of internal controls and more thorough testing of the data used to support the effectiveness of controls.
And the Committee of Sponsoring Organizations of the Treadway Commission, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing technology and globalization, as well as to provide greater clarity on designing and maintaining an effective system of internal controls. Given that the draft runs to more than 500 pages, reviewing, revising and implementing the guidance from the new framework is no small undertaking.
My question is this: Where are we heading? My sense is that we may be taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements.
At the same time, the updated COSO framework and PCAOB requirements for more robust SOX documentation seem to be pushing nonexempt companies back to a difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions seems to be in the best interest of companies or investors.