U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Speech by SEC Staff:
SOX 404 — Moving Forward


John W. White

Director, Division of Corporation Finance
U.S. Securities and Exchange Commission

FAE/NYSSCPA Conference
New York, N.Y.
September 12, 2006

Thank you, George, for that gracious introduction. I am very pleased to be here today at your 2006 Current Developments conference. In planning this program, you've clearly identified some key issues and areas for public company accounting and financial reporting, and I am sure your audience will find their time well-spent today. I look forward to hearing from the speakers that follow.

As I remarked in a speech I gave last May at the SEC Institute,1 I find it very gratifying and valuable, as a lawyer, to speak to a group of accounting professionals. Of course, just to make sure I don't seem out of my depth, I brought with me one of the outstanding accountants from the Commission's Office of the Chief Accountant, Mike Gaynor, who is currently in the middle of his 2-year service as a Professional Accounting Fellow. I need to remind everyone before I speak any further, though, that the views Mike and I are going to express today are solely ours individually, and do not necessarily reflect the views of the Securities and Exchange Commission or of any other members of its staff, not even each other.

And I probably should go ahead and extend this so-called standard disclaimer on behalf of another leader among the accountants on the Commission staff who will be speaking right after Mike and me — Stephanie Hunsaker from my Division — who will be reviewing developments in Corporation Finance in the next segment of the conference.

As you all know, accurate and reliable financial reporting is critical to America's investors and to our capital markets. As auditors and financial reporting professionals, each of you in turn plays a key role in promoting the quality of financial reporting and safeguarding the investor confidence that depends on it. The SEC and its staff, of course, share your commitment in that regard.

In my time today, I would like to speak about an important tool in our collective efforts to improve the reliability of financial reporting: Section 404 of the Sarbanes-Oxley Act. Specifically, I would like to talk with you about recent steps the Commission has taken to improve the efficiency and effectiveness of compliance with Section 404's reporting requirements. Then I will turn to a more specific topic involving the proposed phase-in of Section 404's requirements for smaller public companies — that is, the role of auditors in the first year of Section 404 compliance if only a management assessment report is required.


The Sarbanes-Oxley Act became law four years ago, in July 2002. It was, of course, prompted in large measure by a succession of catastrophic financial failures and investor betrayals — Enron, Worldcom, Adelphia, and so on. Although Sarbanes-Oxley has numerous provisions that have been successfully implemented, one provision — Section 404 — seems to be commanding much of the attention, and complaints, today.

It is undoubtedly an oversimplification, but since I am certain that most, if not all, of you are well-versed in Section 404's requirements, I will just summarize that Section 404 requires issuers to include in their annual reports two reports as to the effectiveness of internal controls — one an assessment by management and the other an attestation by the independent auditor.

Compliance with the reporting requirements of Section 404 has been more costly than anticipated and has generated extensive controversy, but in my opinion it's also fair to say that it's proven to have a high value to investors and has shown a vast potential for improving the reliability of financial reporting. The Commission has repeatedly evidenced its commitment to doing what it can to make the system more efficient and continues to work diligently on additional steps to further that effort, some of which I'll speak more about shortly.

Unlike much of the Sarbanes-Oxley Act, Section 404 did not mandate any specific implementation deadlines for the Commission or compliance dates for public companies. Already sensitive to Section 404's importance, though, the Commission issued its first Release and rules implementing Section 404 back in June 2003. Larger domestic companies (those that are accelerated filers and large accelerated filers), generally with a public float of $75 million or more, have been required to comply with Section 404's reporting requirements for fiscal years ended on or after November 15, 2004, and thus have been complying fully for two reporting seasons already.

A series of compliance date extensions granted by the Commission has resulted in the largest foreign private issuers (those that are large accelerated filers) being required to comply fully for fiscal years ended on or after July 15, 2006. That is, for the first time this year for those issuers who are calendar-year companies. Foreign private issuers that are accelerated filers (generally with a public float between $75 million and $700 million) — but not large accelerated filers — are required to provide only management's assessment report with regard to years ended on or after July 15, 2006. Their first auditor attestation reports are not required until one year later. This differentiation between compliance dates for accelerated foreign private issuers and large accelerated foreign private issuers is the result of an additional extension granted by the Commission on August 9.

Similarly, a series of extensions for non-accelerated filers (those who have not been reporting for a year, or who have less than $75 million in public float) has moved out the compliance deadline for those issuers (whether domestic or foreign) to fiscal years ended on or after July 15, 2007. To further complicate any mental calendars you're trying to keep of those dates, the Commission issued another release on August 9 proposing an additional extension for non-accelerated filers and proposing that those issuers only be required to provide management's assessment report in their first year of compliance. Whew.

Although I wouldn't want to be the historian tasked with maintaining the archives of all those Commission releases and extensions over the past three years, we can pick up from that record that the Commission has remained very attentive throughout Section 404's implementation to the challenges that internal control reporting has posed and the particular burdens Section 404 has presented, or suggested, for specific types of issuers.

The Commission has also been fortunate to hear from a variety of sources as it has been monitoring Section 404 compliance efforts. In the past six months alone:

  • the Commission's Advisory Committee on Smaller Public Companies (ACSPC) issued its final report, which included an analysis of Section 404's impact on smaller companies, and made five recommendations to the Commission with regard to Section 404 and smaller public companies (out of 33 total recommendations);
  • the U.S. Government Accountability Office (GAO) published its report entitled "Sarbanes-Oxley Act, Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies", which focused on Section 404;
  • the Commission and the Public Company Accounting Oversight Board (PCAOB) sponsored a roundtable on May 10 to hear about larger companies' second year experiences with the internal control reporting and auditing provisions; and
  • the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published new guidance on the use of its framework to address the needs of smaller businesses in fulfilling their Section 404 obligations, including many of the internal control related comments of the ACSPC.

After carefully evaluating all of the public commentary on Section 404's requirements, and considering what it had heard about larger companies' experience complying with the requirements, on May 17 of this year the Commission issued a press release laying out a roadmap for the next steps that we plan to take in our continuing efforts to improve Section 404 implementation for all issuers, including smaller public companies.2

A copy of the May 17 press release (with that roadmap) is included in your course materials, and I would encourage all of you to read it if you haven't already. Less than four months later, the Commission has already taken a number of steps previewed in the May 17 press release and intended to further the goal of making Section 404 implementation more effective and efficient. The roadmap continues to show the way. I referred earlier to one of those steps — the proposed extension on August 9 of compliance dates for non-accelerated filers. That same release includes a previously unannounced proposal to provide a one-year transition period for newly public companies, whether domestic or foreign. The comment period on the proposing release closes shortly, and I would encourage you to stay tuned for next steps as the fall progresses. We will come back to one other feature of this proposal in a few minutes.

Also, on July 11, the Commission issued its Concept Release on the topic of additional guidance for management on how to complete its assessment of internal control over financial reporting.3 The comment period on the Concept Release is also still open, and your comments and feedback on those matters are needed as we consider what that management guidance will look like. I will be talking shortly about the importance of an open dialogue among various participants in the Section 404 process. That certainly applies to the Commission as well — we depend on hearing from all of you, and others. Those of us on the Staff expect that the management guidance project, including the Commission's plan to issue a proposing release on the provision of such guidance, will continue to take up a significant amount of our time and make a substantial contribution to improving Section 404 implementation.

Finally, I should mention another important development — in recent months the Commission has filled some all-important vacancies and, as of this month, I believe all of the key members of the Section 404 team are now in place:

  • In July, Chairman Cox named Conrad Hewitt, a distinguished leader of the accounting profession and the former chief financial regulator for the State of California to be the Commission's new Chief Accountant.
  • In early August, Dr. Zoe-Vonna Palmrose, the PricewaterhouseCoopers Professor of Auditing at the University of Southern California's Leventhal School of Accounting and Marshall School of Business was named to be the Commission's Deputy Chief Accountant for Professional Practice.
  • And earlier, in June, the Commission appointed Federal Reserve Governor Mark Olson to be the next Chairman of the PCAOB.

Those positions are all critical for the successful implementation of the May 17 roadmap and the future of Section 404. Investors, the financial reporting community, and the Commission are fortunate that these very capable individuals have agreed to lend their considerable talents to those efforts. With the team members now all on board, I am looking forward to us all working together to fully implement Section 404, for all public companies, large and small, domestic and foreign, so that it operates in an efficient and effective manner to bring to America's investors the benefits that Congress intended.

So that's the history, and a quick status update, on Section 404 matters generally, which have been a particularly active area in the last year. In my remaining time, I would like now to look at one specific 404 matter that I believe will be of particular interest to auditors of non-accelerated filers — which I believe includes many of you in the audience today — and to your clients.

Keeping the Lines of Communication Open Between Companies and Auditors

The releases that the Commission issued on August 9 bifurcated for the first time the two reports required by Section 404.4 The proposal currently on the table for non-accelerated filers would require them to provide only management's assessment report during the initial year of compliance, for fiscal years ended on or after December 15, 2007 (so not this year, but next year). They would then not be required to provide the auditors' attestation report until their fiscal years ended on or after December 15, 2008 (so, two years from now). In explaining its thinking behind this proposal, the Commission noted, among other things, that the costs associated with the auditor attestation may be particularly high, relatively speaking, for smaller public companies and that delaying this cost until the second year of compliance for these issuers may offer significant benefits.

We have learned from companies that have already implemented the Section 404 requirements that there are often increased costs during their first year of compliance due to "deferred maintenance" issues (e.g., documentation, remediation). Postponing the cost of the audit until the second year may help minimize, for many smaller public companies, the cost spike that might otherwise result from combining both deferred maintenance costs and initial audit costs in the first year.

To further provide meaningful relief with the start up of Section 404 compliance for non-accelerated filers, the Commission has also proposed that the management assessment reports provided in the initial year of compliance would be furnished rather than filed. This step was proposed to reduce the liability that some might expect to stem from management being "second-guessed" — that is, if the auditor disagrees with management's conclusions when the auditor reports on internal control over financial reporting in the second year. Although the auditor in those circumstances would not be speaking to internal controls in the first year, some commentators have suggested it could place companies in a difficult position if the auditor concludes that internal control over financial reporting is "ineffective" in the second year whereas management had found it to be "effective" in the first year.

These proposals assume that the auditors need not be involved in non-accelerated filers' first year of compliance with Section 404's reporting requirements if the Commission were to adopt the proposals (with the corresponding benefit of not having to pay the auditor's fee in that year). I do not personally believe though that the absence of the auditor is obligatory, and for some companies, it may not be the right answer.

In the August 9 proposing release, the Commission stated that

Although the proposed extensions would permit non-accelerated filers to omit the auditor's attestation report from their annual reports in their initial year of compliance with the Section 404 requirements, we encourage frequent and frank dialogue among management, auditors and audit committees to improve internal controls and the financial reports upon which investors rely. In this regard, we repeat our assurance that management should not fear that a discussion of internal controls with, or a request for assistance or clarification from, the auditor will itself be deemed a deficiency in internal control or constitute a violation of our independence rules as long as management determines the accounting to be used and does not rely on the auditor to design or implement its controls.5

For my part, I would encourage companies, their management and their board members to think carefully about those words, and to take them seriously. For any company — your auditors can be a resource for you, whether you are subject to the Section 404 audit requirement in a particular year or not. For non-accelerated filers — the Commission has proposed that your initial year of compliance would not require a Section 404 attestation by your auditor, but of course that attestation would also not be prohibited. Moreover, you can still use that year to come to mutual understandings with your auditors about internal controls, about expectations, and about standards. If it's appropriate and beneficial for your company, use that time to develop your communications channels and to learn more, together with your auditors, about internal controls. This is true even if you will have no requirement to provide an auditor attestation report on internal controls that year, and you may have no formal engagement with your auditor related to internal control over financial reporting. Whether you are an auditor, management or a board member, be open to that "frequent and frank dialogue" that the Commission speaks of, and provide each other with constructive feedback about your processes and conclusions, or your intended processes. You may even find that doing so will make your second year of compliance, assuming that's when the auditor attestation report is first required, smoother and less burdensome.

Finally, it may have sounded in the last few minutes like I have been addressing my remarks to non-accelerated filers — and I have been. But I have also been speaking to their auditors as well. I understand the reality here — your clients listen to your counsel, your thoughts. If you suggest and encourage a learning partnership in this first year of compliance (even if an audit report is not required from you), I anticipate your clients will hear you and appreciate your advice.


In closing, let me just reiterate one point about open lines of communication. I have talked at various places about the Commission's openness to and need for public comments, and I want to remind everyone again that several components of the Commission's roadmap to improve the efficiency and effectiveness of Section 404 compliance are open for public comment right now. The comment period for the Concept Release on management guidance closes next Monday, on September 18. The Proposing Release, with the proposals on extending compliance for non-accelerated filers and providing transition relief to newly public companies, is open for comment until the day after tomorrow, September 14. These comment dates are fast approaching obviously, and I sincerely hope that many of you may have already prepared comment letters. Or will do so even in these final days of the comment periods if you have something you would like the Commission to hear and consider. As I emphasized in the speech I gave on May 25, I would urge all of you to please share with us your thoughts and ideas and reactions. Let us know what you think works and what misses the mark, what makes sense and what doesn't, what would move us forward and what wouldn't. We want to hear from you.

Thank you very much for sharing your time with me today. It's my pleasure now to turn this microphone over to my colleague, Mike Gaynor.



Modified: 09/12/2006