Is the SEC revising internal controls reporting?
Apropos of my recent statement that reform of SOX, particularly including AS2, will come from the SEC (which I discussed in my presentation to the U of I Department of Accountancy yesterday), there comes this report from today's WSJ:
Regulators have said they will propose guidance next month to help companies and auditors interpret Section 404 in a way likely to save them time and money. * * * The SEC says it will unveil its changes next month. The agency, along with the Public Company Accounting Oversight Board, the auditing industry's overseer, said it will propose a revision to the auditing standard known as AS2 that auditors follow when testing management's assessment of company controls. SEC Chairman Christopher Cox wrote to the oversight board this week, urging it to include in its changes some of the recommendations made by the SEC's small-business advisory group, including one that the auditing rule be adapted to companies based on their size. In his Nov. 6 letter, Mr. Cox said the SEC agreed that the standard needed to be focused on matters that are material, or relevant, to a company's financial results.
This is an improvement over the much more tepid SEC response last May. But it's unclear exactly what the SEC is planning to do – particularly whether it will go beyond "guidance" to actual amendment of AS2. Drastic action is necessary because the current standards are becoming entrenched, as Grundfest observes in the WSJ story. Moreover, as the Grundfest article notes, the auditors' incentives favor reducing their risk of liability and censure by putting extra costs on clients (where else are clients going to go?), while funneling more business to their consulting arms. As a result, mere "guidance" is unlikely to have much effect.
The SEC should look closely at a study co-authored by former SEC Commissioner Joe Grundfest, Fixing SOX. The study proposes redefining "significant deficiency" and "material weakness" in AS2 to help ensure auditors "don't dig into the weeds" to find insignificant control problems. The authors show that AS2 now requires just that by, among other things, forcing examination of any "combination of control deficiencies" that might lead to "more than a remote likelihood" of non-detection of a "more than inconsequential" disclosure problem. This language means that auditors must examine individual "inconsequential" deficiencies in order to determine whether they aggregate into even a marginally consequential problem. The authors also propose PCAOB scrutiny of unnecessary audit procedures, making it easier for firms to go private or dark, and a "404-lite" for small firms.
Though I applaud this effort, I still think more fundamental reform or elimination of SOX is necessary, as Henry Butler and I have suggested. And in any event, I sure hope (but doubt) that Congress has learned some kind of a lesson from the SOX debacle.