From: João Costa
SEC Advisory Committee on Smaller Public Companies Meeting Suggestions
In order to satisfy 404 regulation, issuers implemented extensive procedures for analyses and formal documentation of the controls and tests, incurring high costs and having benefits as well. Reperforming this job in its full scope every year seems to be unnecessary and even ineffective because the process can eventually turn itself less rigorous.
With that in mind, I believe that the full scope of the regulation which encompasses Management's assessment and the Independent Auditors's attestation on Management's assessment, should be required only once every five years.
In the intermediate years, management should only state its responsibilities for the controls (as obliged by 404 a-1), and the Independent Auditors would perform the audit of the issuer's internal controls in the way they describe in the AICPA'S new SAS 104 to 111, that put much more emphasis in the evaluation of the internal controls, and in risk assessment. As a result of these audits, Independent Auditors would issue their opinion on the internal controls, in the same way they do for the financial statements, indicating in the specific report the deficiencies they found in the controls, not remediated (if significant deficiency or material weakness ), and their conclusion on the effectiveness of the controls and on the impact for the financial statements .
The adoption of these suggested provisions would do nothing more than reemphasize the historical roles regarding the financial statements and internal controls which are now regulated by SOX : Management is legally responsible for the preparation of the financial statements and for establishing internal controls over financial reporting, and the Independent Auditors are legally responsible for examining and certifying on both.
In the intermediate years, for the purposes of 302 section Certification, Management would state the changes in the controls ( if occurred or necessary to implement), caused by modifications in the business and or in the environment by the occurrence of acquisitions, mergers, new businesses, restructurings, new softwares, centralization or outsourcing of services, etc.
The fulfillment of the full scope ( encompassing management's assessment and auditor's certification on management's assessment) at every five years in the conditions suggested above, would also alternatively consider triggers for action or no action as follows:
a) If the company changes its Independent Auditors during the intermediate years, full scope would than be required in the year of the change.
b) Companies in very regulated markets (financial institutions, insurance company) would perform the full scope only when and if solicited by the Regulators, Authorities and the Independent Auditors as a consequence of their assessment of the company.