February 26, 2007
I appreciate the opportunity to comment on the proposed interpretive guidance. The Commission does a great job in setting the right tone in drafting this proposed interpretive guidance. It is well organized and contains illustrative examples that make it easy to follow. Here are my comments for your consideration.
(1) Management should find this guidance very useful as it provides companies with the flexibility to exercise greater judgment in the design and execution of a risk-based controls assessment plan, and allows companies to focus on risks and controls that are most critical to the integrity of financial reporting.
(2) The two overriding principles described in the proposed interpretive guidance are logical and consistent with the risk-based, top-down approach embraced by the Commission. Based on my experience, such principles should provide management with the flexibility to develop a scalable, risk-based assessment methodology that is not only cost-effective but also sustainable.
(3) This guidance should promote greater efficiency in the controls evaluation process as management is (a) not required to identify or document every control in a process, and (b) encouraged to focus on effective entity-level controls that are designed to mitigate the risk of a material misstatement.
(4) To ensure consistency in the application, I believe compliance with this guidance should be mandatory.
Specific Comments on Evaluation of Control Deficiencies:
(1) The Commission should consider providing specific guidance on how to aggregate and quantify control deficiencies. In the absence of such guidance and discussion of alternative methodologies, auditors often asked management to follow the guidance (and decision tree) described in the framework on evaluating control exceptions and deficiencies that was released in December 2004. As a result, significant amount of time and efforts have been dedicated to the quantification of each control deficiency.
(2) Management should not be required to quantify the control deficiency if the company has effective compensating controls that operate at a level of precision that would prevent or detect a material misstatement.
(3) To enhance the effectiveness of the controls evaluation process, management should be encouraged to first conduct a qualitative assessment and determine if effective compensating controls exist to mitigate the risk of a material misstatement. The quantification aspect should only be required if management believes that the risk of a material misstatement is not effectively mitigated. I believe such clarification by the Commission will significantly promote both the efficiency and effectiveness of the controls evaluation process.