February 19, 2007
Keith Kaplan, CPA
Saratoga Springs, NY
To Whom it May Concern- SEC Comments on File No. S7-24-06:
My reaction to this proposed interpretation is that it is very thin on actionable guidance for auditors, corporate process owners, or investors. It makes reference to previous statements on the use of a risk-driven approach. The PCAOB and SEC guidelines on using a risk-driven approach were released 2 years ago, yet we still have not seen any true reduction in the intensity of SOX's requirements, nor have we seen a correlation between SOX reports and investor decision-making.
The past two years have indeed seen a reduced number of key controls, and reduced cost of compliance, due to experience-driven culling out of redundancies in key controls, and the recycling of documentation. Those things are good, but not sufficient to optimize the cost-benefit of 404.
There is still a lot of wasted effort, needless compliance time, and stilted auditor-client relationships caused by an overly conservative interpretation of 404 by the outside auditors. That is the core of the issue. If the outside auditors can be given more explicit permission by the SEC and PCAOB to work with management on reducing the number of controls that are in SOX 404 scope, then and only then will the cost-benefit equation work for companies, auditors and investors.
Right now, I think auditors want to help companies assess this, but are concerned that independence rules and PCAOB guidelines will be used against them, and their judgments will be second-guessed to their disadvantage. There is still too much downside for auditors to provide the guidance their clients need, to really get SOX 404 to work the way the law's framers intended.