March 31, 2005
I have reviewed in detail each of the resources cited in your October 6, 2004 FAQ. Unfortunately, they do not provide sufficient detail for management to use to determine what specifically the statutory requirement is that needs to be met. The void left by this lack of guidance has caused companies to comply with audit standards viewed through the eyes of accounting firms. These firm interpretations are often times very conservative and unavailable for management to read, interpret, or challenge. As a result, in some cases, these firms rules are dictating how the controls of a company are being designed, documented and tested. I therefore strongly recommend that the SEC develop additional guidance for management to use in its evaluation. Without this guidance, management has limited ability to successfully prevail against comments like: this is the view of our national office.
The PCAOB should emphasize to the auditors that it is an audit of the system of internal control over financial reporting, not an audit over just the control activities, or IT systems.
The PCAOB should re-emphasize to the auditors that the objective of the audit is for the auditor to obtain reasonable, not absolute, assurance that no material weaknesses exist as of the date specified in managements assessment.
While I am the program manager for a Fortune 500 companys 404 effort, the views expressed above are my personal opinions.