What the SEC has heard about Section 404

The SEC has been “listening” to complaints about the implementation of Sarbox, particularly including internal controls reporting under Section 404. Guess what they heard?  It’s not the fault of Section 404, or of the SEC, but of the accountants who are just being too strict.  Here's the SEC news release and "guidance," and the PCAOB news release and guidance.  Here's part of the SEC's news release:

[A]lmost all of the significant complaints we heard related not to the Sarbanes-Oxley Act or to the rules and auditing standards implementing Section 404, but rather to a mechanical, and even overly cautious, way in which those rules and standards apparently have been applied in many cases. Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance. 

So SEC and Congress get off the political hook by being strict about corporate fraud.  If there are excessive regulatory costs – i.e., Type 1 error – it must be the accountants’ fault. Of course the accountants get nailed for Type 2 error if being “reasonable” means that that they let a risk get unaddressed that turns out, in hindsight, to have been serious. 

Needless to say, the accountants will ignore the SEC’s admonition, particularly since they get paid for being strict, and nailed if they’re not.  The reporting firms, who are stuck in the middle, pay the real costs. Except that they can adjust to some extent by simply withdrawing from the reporting process, as I’ve discussed, e.g., here.

In the end, we all pay for reduced entrepreneurial activity, and will continue to do so as long as we buy into the error that more fraud protection is always better.