Say what you will about
Companies incorporated internal controls into their normal workflow and created cost-effective programs to improve the integrity of their financial reporting.
That said, smaller companies that have been exempt from audit attestation have often not produced such meaningful results. Instead of embracing the spirit of SOX 404, they have viewed the landmark legislation as a check-the-box exercise. One example is the use of lower standards of evidence (inquiry rather than performance), with the result that SOX testing is often neither meaningful nor insightful.
Now recent developments are sending conflicting messages about the direction of SOX rules.
The JOBS Act granted a five-year exemption from SOX audit attestation for newly public companies with less than $1 billion in revenue—a huge swing in the direction of more leniency, given what we’ve seen with smaller companies.
In the other direction, Public Company
And the Committee of Sponsoring Organizations of the Treadway Commission, which publishes the most widely used framework for designing and assessing internal controls, has issued an exposure draft of an updated internal control framework intended to address changing
My question is this: Where are we heading? My sense is that we may be taking a big step backward. By exempting some companies from SOX audit attestation, we turn a blind eye to ineffective internal controls and erode investor confidence in financial statements.
At the same time, the updated COSO framework and PCAOB requirements for more robust SOX documentation seem to be pushing nonexempt companies back to a difficult, cumbersome and expensive path, without any increase in financial statement integrity. Neither of these directions seems to be in the best interest of companies or investors.