Speech by SEC Commissioner:
Section 404: Proposed Management Guidance

by

Commissioner Roel C. Campos

U.S. Securities and Exchange Commission

SEC Open Meeting
Washington, D.C.
December 13, 2006

I, too, would like to congratulate the staffs of our Office of the Chief Accountant and the Division of Corporation Finance for all of their efforts, as well as our valued colleagues at the PCAOB. The result of all your hard work is a clear and scalable risk-based management guidance proposal that, if adopted, should help management conduct meaningful assessments of internal controls over financial reporting in a highly efficient and tailored manner. I believe that the proposed guidance can help make Section 404 implementation simultaneously more effective and less costly, and therefore, I am proud to support the proposal that is before us today.

It has been a long road getting here. Although the implementation costs and burdens of Section 404 have been higher than we originally anticipated, nearly three years of experience with Section 404 also have made it clear to us and the investing public that the benefits gained from improved internal controls are significant ones that we absolutely can not afford to lose.

And yet, we continue to hear from our issuers — particularly smaller issuers — that the costs of Section 404 compliance are extremely onerous — in some cases, to the detriment of their business objectives.

I remain firm in my belief that the costs of accessing the safest and most liquid markets in the world are repaid many times over by the premium that investors pay to invest in U.S. listed companies with strong financial reporting controls. At least one study — finding that companies that reported effective internal controls in 2004 and 2005 enjoyed market-beating gains in their share price, while companies that reported ineffective Section 404 controls underperformed the market — supports this view. However, I also recognize that excessive regulatory costs can and should be reduced, particularly when such costs may inhibit business development, growth, and capital formation in the U.S.

Thus, the challenge to both us at the SEC and our colleagues at the PCAOB has been to try and find a way to modify the overall Section 404 framework so that it remains robust and meaningful, yet cost-efficient and flexible enough to accommodate significant differences in companies and their internal reporting and control structures.

I'm happy to say that the "package of 404-related improvements" prepared by us and the PCAOB does just that. That's right — I believe that the combination of our proposed management guidance, together with the PCAOB's anticipated major revisions to AS2, will significantly reduce, and in many cases wholly eliminate, the inefficiencies and excessive costs behind Section 404, while retaining all of the good.

Although the PCAOB's new auditing standard that will supersede AS2 has not yet been made public, what has already been "previewed" by PCAOB Chairman Mark Olson and his staff in various testimonies and speeches has made it clear that the benefits of the upcoming changes to AS2 will be enormous. Among other improvements, the new standard will be (1) scalable for smaller companies; (2) streamlined and re-organized into a clear top-down, risk-based standard; (3) one-third the length of current AS2; and (4) drafted in Plain English. In addition, the removal of the requirement for an auditor to evaluate management's assessment process will effectively "de-couple" it from an auditor's attestation, such that management will now be able to exercise more flexibility in tailoring its approach.

I know that many of you here today are eagerly anticipating the unveiling of this "new and improved" AS2; however, I think it is appropriate and timely that the SEC's proposed management guidance be considered by the Commission and made public first. Given that several studies have shown that the management assessment portion comprises the majority of an issuer's total Section 404 cost, it makes perfect sense that the first line of action in fixing Section 404 be in the area of current greatest cost and least formal guidance. In addition, we have heard from countless issuers that, in the absence of specific management guidance, they have had to refer to and apply the principles and requirements of AS2 to guide their own management assessments. The substance and consideration of our proposed guidance today — independent of and preceding AS2 — should make it clear that management's assessment is to be conducted without the need to consult the auditing standards.

The new, more flexible approach proposed in today's guidance is crucial to the effectiveness of our revised Section 404 framework because — as years one through three of Sarbanes-Oxley implementation have taught us — it is impossible for companies and their auditors to efficiently comply with a one-size-fits-all requirement when the companies themselves vary tremendously in complexity and size. Companies that are smaller and less complex are likely to have fewer financial transactions, fewer business products, and fewer layers of management or staff between the controller or CFO and the individuals actually doing the accounting and financial reporting. In contrast, large, multi-national organizations are much more likely to enter into and report on extremely complex financial transactions, have multiple business locations and divisions, and have decentralized reporting structures. While the goal of a Section 404 management assessment and audit attestation are the same for both large and small companies — to foster the preparation of reliable financial statements — we must recognize that the procedures, evaluative techniques, and evidentiary material gathered to reach this goal are going to be very different from company to company.

Our proposed management guidance contemplates these differences and successfully accommodates them by providing a logical principles- and judgment-based approach to evaluating the effectiveness of internal controls. It provides an approach for evaluating the effectiveness of a company's internal controls over financial reporting that is not prescriptive, but rather based around two broad principles — design and operating effectiveness. Beginning with identification of financial reporting risks and controls and ending with management's assessment report, the proposed guidance walks management very clearly through the steps necessary to satisfy these two principles, while also clarifying that management's reasonable judgment in applying these steps is paramount. Specifically, the proposed guidance notes that the assessment process can and should be tailored by management in a manner that appropriately recognizes the specific characteristics of the company being evaluated.

For example, the proposed guidance clarifies that while large, complex companies may need to use individuals with specialized accounting or business knowledge to appropriately identify and assess risks, smaller, less complex companies may be able to rely on managements' daily involvement with the business. Similarly, the proposed guidance states that management's assessment must be supported by evidential matter that provides "reasonable support," but clarifies that management can exercise significant judgment and maximize efficiencies in determining what documentation is necessary.

Notwithstanding this tremendous flexibility and discretion, I believe that a management evaluation conducted in compliance with this proposed guidance will be highly effective because any judgment exercised by management pursuant to this guidance will be centered on risks to financial reporting. This focus on "risk" provides an appropriate counterbalance and investor protection floor to management's exercise of judgment and discretion. Risk underlies our entire Section 404 structure, and is the single-most critical factor in assessing the adequacy of an issuer's financial reporting controls framework.

Risk plays a key role in our proposed guidance in determining what procedures and level of detail management should obtain in order to adequately support its assessment. Thus, while low risk financial reporting elements may require only "ongoing monitoring" for management to be able to obtain evidence of the effective operation of controls, higher risk elements generally would require some degree of direct testing covering a reasonable period of time. By looking to risk, management can effectively identify and focus on those areas of greatest vulnerability in the financial reporting framework, without expending unnecessary resources and time on areas that are unlikely to impact the quality or accuracy of the company's financial reports in a material way.

This careful weighing and consideration of both company risk and management judgment makes me very comfortable that we have struck the right balances here — the proposed guidance will, if adopted, preserve the important investor protections that have been gained through Section 404, while eliminating or reducing many of the burdens. It also will meaningfully reduce compliance costs while allowing management to exercise reasonable judgment and focus on those areas of greatest importance and highest risk. By empowering management in this way and putting them effectively in the "driver's seat," we are well on our way to making Section 404 one of our country's most laudable and valuable assets, rather than one of its most maligned.

Finally, I may be accused of being overly enthusiastic here, but I predict that the total "package" of management guidance and a re-worked AS2 will be deemed by thoughtful and interested parties as finally "fixing" Section 404. There was never any disagreement with the principles behind Section 404; rather, all of the problems derived from its difficult implementation. Thus, while there certainly may be refinements and suggestions raised by commenters — all of which I am keenly interested in analyzing — I am optimistic that our package of Section 404-related improvements, together with the planned guidance on auditing smaller company internal controls that will soon be prepared by the PCAOB in consult with a task force made up of smaller company auditors and companies, will result in reasonable and proportionate management assessment and audit attestation costs.

I also believe that these improvements will preserve and strengthen the traditional status of the U.S. markets as the preeminent "gold standard" — providing the most transparency to its investors, and producing the most reliable, albeit not perfect, financial reports in the global capital markets. Such reliability and transparency will, in turn, attract enormous amounts of capital from investors, validating the view that there is absolutely no better place in the world to raise money, attract investors, or innovate, than in the U.S.

Not surprisingly, I am very happy to support this proposal.