From: James J. Finn
Subject: File No. 265-23
Date: January 13, 2005

ACSPC Comments 1/13/06

I have been working as a Financial /Accounting professional and CFO during the past 30 plus years; in addition, I have been consulting in SOX compliance for the past 18 months at various public companies of different sizes, and would like to share some of my observations resulting from hands-on work in this area. I am aware that you are discussing the issue of establishing a category of mid-range public companies (up to $250 million in annual sales), and exempting them from the external auditor attestation requirements of Sarbanes Oxley Sect. 404.

I believe this is an outstanding recommendation for the following reasons:

  1. There is more than one effective model for compliance with the COSO framework for effective internal controls, however a coherent argument to support a model (other than the external auditors) cannot be created, tested and put forth as SOX or AS2 compliant if the companies are blindly trying to follow someone elses standards and methodologies for internal control compliance. This is complicated by the knowledge that the company expects to be audited based on the external auditors standards and interpretations of what is necessary.

  2. This change will allow companies time to develop their own internal control systems, and provide the external auditors with a complete finished and integrated package that can be perused and commented on without either party feeling "its their way or the highway".

  3. The end result of this methodology can result in better, less "checklist" oriented internal control systems that result in a melting of the local companies interpretation of COSO, their consultants advise and experience, and the external auditors perception of what is required.

The argument that these Mid-Range companies need internal controls the most, is correct, however, this reality actually supports this exemption since it will allow the freedom to create higher levels of control automation using systems that can result in more reliable controls, and make human overrides and fraud less likely or at least more obvious since the transactions could be separated before processing. These automated controls can be developed because the environment is not one of strict adherence under a deadline, but, rather, an environment of developing what fits the company - within a time frame sufficient for capital investment and employee training in procedures. This development effort may not be as robust if a company is merely trying to conform to an outside auditors standard.

If this exemption can not be implemented without going back to the Legislature, I think the PCAOB or SEC can provide companies with a right to defer external attestation for 2 years as long as they provide a project or program status report that shows significant movement in the direction of compliant internal controls. This status report would be provided with each years request for the exception (filed with PCAOB??).

James J. Finn