Speech by SEC Staff:
"Section 404: The Need for Input"
Remarks before the SEC Institute 21st Annual Mid-Year SEC Reporting Forum

by

John W. White

Director, Division of Corporation Finance
U.S. Securities and Exchange Commission

Washington, DC
May 25, 2006

Thank you, Andy, for that kind introduction and for including me at your Mid-Year SEC Reporting Forum. Although this is the first of your forums that I've attended, I have long known the SEC Institute and its programs as being among the best in the field, and I consider it a pleasure and privilege to be here this morning.

I have also shared for a long time your commitment to continuing education and to an open exchange of ideas among regulators and all the different professionals in the securities markets. As you can probably guess from my background, for me that commitment has tended to focus on CLE-continuing legal education-and to programs and discussions about the securities laws and the attorneys that live and breathe them. It's more than a little intimidating, as a lawyer, to stand before a group of accounting professionals. It's also very gratifying. Accurate and reliable financial reporting is central and critical to America's investors and to our capital markets. It stands as a priority for everyone who works in this area, regardless of professional title or training. The "numbers" matter. And getting the "numbers"-and the disclosures that accompany them-correct matters. That is what all of you do at your best, and it is why we are all here today.

And our commitment to accurate and reliable financial reporting is something we also all share with the famous Section 404. I know there is an entire panel tomorrow devoted to Section 404, but I'd like this morning to talk with you briefly about it and particularly the developments of last week. There is so much to discuss that I'm pretty confident I won't be stealing anyone's thunder. Before I speak any further, however, I need to be sure to remind you all that the views I'm going to express today are solely my own, and do not necessarily reflect the views of the Securities and Exchange Commission or of any members of its staff other than myself.

Introduction.

Passed as part of the comprehensive and broad-reaching reforms of the Sarbanes-Oxley Act in July 2002, Section 404 has received more attention, and more criticism, in the last two or three years than almost anything else at the intersection of public companies and the securities laws. I think that attention is appropriate, and directly corresponds to the importance and the vast potential of Section 404. It also points to the tremendous costs that Section 404 has brought with it. I believe it is fair to say that the Commission has shown a steadfast commitment to Section 404 and an appreciation of the benefits it imparts to investors and to public companies, while at the same time showing a constant sensitivity to Section 404's costs and the burdens they impose. Most recently, on May 10, 2006 the Commission sponsored with the Public Company Accounting Oversight Board (the PCAOB) a roundtable on Section 404, and last week the Commission issued a press release outlining steps it intends to take in its continuing efforts to make Section 404 work as well and as efficiently as it can.

Large Company or Small? Accelerated Filer or Not?

I was very happy to learn, when I was invited to speak here today, that the audience would include accounting and finance professionals from both large and small public companies. I believe that Section 404 offers many of the same benefits to investors in both types of companies, but obviously the two are in a very different place today with regard to their internal control reporting.

Accelerated filers-the "large" companies (and I realize some of them are not really that big)-have been required to comply with Section 404's reporting provisions for the past two years. In that regard, as you know, they have had to provide a report on management's assessment on internal control over financial reporting as of year-end and they have had to obtain and publicly disclose their independent auditor's opinion on that assessment. In the simplest terms, those two reports-management's assessment and the auditor's attestation-are the two elements of internal control reporting required by Section 404. And accelerated filers have already had to do both for two years.

Non-accelerated filers, on the other hand, have not yet had to comply with the internal control reporting provisions of Section 404. But their time is approaching. As the Commission said in its May 17 press release "ultimately all public companies will be required to comply with the internal control reporting requirements of Section 404." The Commission's very able Advisory Committee on Smaller Public Companies had recommended in its Final Report last month that, among other things, certain smaller companies be exempted entirely (or in part) from the requirement to publicly report on internal control over financial reporting, at least "unless and until" an internal control framework is developed that recognizes the characteristics and needs of smaller companies.

As I imagine many of you know, internal control assessments must be performed against a recognized framework, and the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the framework that has been used, thus far, by public companies that have been performing management assessments. At the urging of the Commission staff, early last year COSO began developing guidance for how that framework might be used by smaller public companies and released an exposure draft for that purpose in October 2005. The Advisory Committee, among others, had raised a number of issues about that exposure draft, and COSO has recently advised that, after considering the many comments and constructive input it's received, it expects to publish final guidance that is responsive to that feedback. The Commission anticipates that this forthcoming guidance will help organizations of all sizes to better understand and apply the control framework as it relates to internal control over financial reporting.

At the Commission's May 10 Roundtable, it was suggested by one panelist that the COSO framework, even with this additional guidance, would not meet the call of the Advisory Committee for a framework suitable for smaller public companies. That comment did not have the benefit of reflecting on the substantial revisions COSO has been making since its October exposure draft, and I would encourage everyone to look at the recent letter from Professor Larry Rittenberg, the chair of COSO, which is part of the public record from the May 10 Roundtable (and is thus available on the Commission's website). In my opinion, based on what we've heard to date, COSO will be able to be applied in a manner such that it is a suitable framework for smaller public companies.

In its press release that I just quoted, the Commission indicates that it does not intend to follow the route of permanent exemption. At the same time, I want to emphasize that we do share the Advisory Committee's concern about the particular burdens that Section 404 imposes on smaller companies. And we are determined to work toward the goal of minimizing the costs, while maintaining the benefits, of Section 404-both for those smaller companies and also, quite importantly, for their investors-as the internal control reporting requirements become applicable to them. The Commission's announcement last week provides the roadmap for how it's going to try to achieve that goal, among others. At the same time, I don't want to suggest that we've forgotten about the "larger public companies" because they are at the forefront of our thinking. If I could, in my remarks this morning I'd like to look at the Commission's May 17 announcement through the dual lenses of both the two internal control reports and these two types of companies.

The First Report Under Section 404: Management's Assessment.

I mentioned a moment ago the two reports that make up Section 404's internal control reporting requirements. Both were addressed in the Commission's May 17 announcement, and you should look for improvements in your experiences with both. The first is management's assessment. I assume that to the extent your companies have already had to provide these reports, many, if not all, of you have been deeply involved with that process.

When the Commission adopted its rules in June 2003 implementing Section 404, it chose not to dictate a specific manner or method by which companies would be required to perform the management assessment. It was important to the Commission that each company use informed judgment in documenting and testing its controls to fit its own operations, risks and procedures. The Commission did not see "just one right way" for management to perform its assessment. And I think that, three years later, most observers and commentators continue to believe that management must bring its own experience and informed judgment to bear in designing an assessment process that meets the particular needs of its company and that provides reasonable assurance as to whether the company's internal control over financial reporting is effective.

For some companies, however, the Commission's openness and its recognition of the need for flexibility and company-tailored procedures were overwhelmed by other forces (including often the independent auditor). Those forces have often insisted that certain things be included in every management's assessment-for example, that specific controls be tested in a specific way or at specific times. We have heard from many commentators (particularly at the May 10 Roundtable) that the lack of a Commission standard or broad guidance on how management should perform its assessment has made the task more challenging and more burdensome for companies because the fall-back position has been that companies have had to fit their management assessments within the structures of the PCAOB's Auditing Standard No. 2-even though the auditing standard should be understood only to provide the rules for how the auditor performs its work, not how management performs its own.

As the Commission has previously observed, whether because of the involvement of the external auditor and the language of AS 2 or for other reasons, management assessments have not, across the board, fully reflected the top-down, risk-based approach the Commission had envisioned. In response, the Commission has announced its intention to issue a Concept Release about management guidance and to follow that by issuing actual guidance on the topic. The subsequent guidance and its timing will depend on the feedback we get from the Concept Release. As to the timing of the Concept Release, I think you should look for it fairly soon, and I hope you will read it and think carefully about it when it comes out. A Concept Release, just like a Proposing Release, is an open invitation to input-please accept.

The Concept Release will solicit input broadly regarding Commission guidance on management's assessment as well as seeking comment on specific areas and more narrow topics. As one example, it has seemed to me that one topic that might benefit especially from guidance is IT controls. How should a quality management assessment address those? What is the place for ongoing monitoring that starts with the assessment results from the prior year's assessment, rather than a "brand new" assessment each year? How might the role and assessment techniques we should expect of management differ from the work of the independent auditor in this area? I would suggest-of course I am only a lawyer expressing my personal opinion-that those two need not be the same.

Smaller public companies-specifically, non-accelerated filers that have not yet complied with Section 404's internal control reporting requirements-have been especially vocal about their need or desire for Commission guidance. So that this guidance may be of help to non-accelerated filers and smaller public companies, the Commission intends for it to be scalable and responsive to their individual circumstances. But as I've said before, we need to hear directly from affected parties. How should the management assessment process be scaled for smaller companies? What do small companies in particular need from Commission guidance? What format would help them? What topics should we cover?

To date, as we know from the press, much of the energy of the smaller public company community has been spent pursuing an exemption from internal control reporting. Now that it looks as if the "unless and until" condition suggested by the Advisory Committee will be met, and the Commission has indicated that it does not intend at this time to extend a permanent exemption to smaller companies, I truly hope that we can harness and redirect the energy that has been spent seeking exemption into helping us craft a more efficient, scalable system. The Commission is headed in that direction; COSO will be helping mark the path. I challenge the smaller public company community to participate fully and provide input that allows us to proceed in a way that achieves the investor protection goals of improving the reliability of financial statements while still achieving cost reductions and efficiencies for smaller public companies.

To achieve its goal of scalable guidance that works well for companies of all sizes and to achieve the broader objective of providing guidance that will help companies perform top-down, risk-based, efficient and cost-effective management assessments, the Commission needs to hear from the entire spectrum of interested parties. So, please, make sure you're included in that group that tells us what they need, what makes sense and what they think would work best.

Before I move off management's assessment, I want to underscore something else that was said in the Commission's May 17 press release: that any guidance issued will be "sensitive to the fact that many companies have already invested substantial resources to establish and document programs and procedures to perform their assessments over the last few years." At the May 10 Roundtable, we heard from many accelerated filers that they had grown increasingly comfortable and confident over the past two years with the processes they had set up for their management assessments. Among others, I was struck particularly by the comment made by Keith Holmberg from British Petroleum about how internal controls and the goals of Section 404 had taken root among BP's business managers. Other commentators also indicated that Section 404 and its reporting processes were settling in at their organizations.

Although accelerated filers at the May 10 Roundtable did state that there was still room for some "tweaking," or specific, focused improvements, they also clearly expressed reservations about the Commission stepping in now and telling them how their management assessments should be done. Many seemed happy where they were. They obviously do not want to be boxed into a corner by Commission guidance, and certainly not a corner that's not otherwise useful to them. It's my personal opinion right now that there never will be "just one right way" to perform management's assessment. But I hope larger companies will not assume that Commission guidance on management assessments doesn't concern them just because smaller public companies have been receiving so much attention along these lines. I mentioned a moment ago that Commission guidance on assessing IT controls might be especially helpful. I could see, for example, this benefiting large as well as small companies. But the question is, what do you think? We sincerely need to know.

It's my personal hope that Commission guidance on management assessments can be helpful to all filers, not just non-accelerated ones or smaller companies. It should be available to everyone. At the same time, if you've already designed your own processes and procedures that are working well for you and are meeting the objectives of Section 404, then it's my personal opinion that you should be able to keep following those. Going back to my recurring point about our need for robust and thoughtful public input, I sincerely hope that accelerated filers will also engage in the comment process on the Concept Release and any subsequent guidance. Among other things, let us know how we can avoid boxing you into those corners that do you no good and provide no benefits to your investors.

The Second Report Under Section 404 : The Auditor's Attestation.

I would like to talk just briefly about the second report under Section 404-the auditor's attestation. As you all know, this audit is governed by AS 2 which became effective when it was approved by the Commission in June 2004. AS 2 was also the subject of considerable complaint, particularly at the Commission's first 404 Roundtable in April 2005. In response to that first Roundtable, the PCAOB came out with guidance last May that was intended to remind auditors that AS 2 audits require the use of judgment and should be risk-based and follow a top-down approach.

The PCAOB followed that up with its November 2005 "Report on the Initial Implementation of Auditing Standard No. 2," which confirmed the PCAOB's May 2005 guidance. After the second Roundtable earlier this month, and consideration of extensive public comments, the Commission and the PCAOB now agree that the PCAOB should amend AS 2, in part to fully reflect the earlier guidance in the standard itself. I expect that the PCAOB's amendments will also clarify that AS 2 is not intended to dictate how management must perform its assessment. The Commission will work closely with the PCAOB to ensure that the proposed revisions to AS 2 are in the public interest and consistent with the protection of investors. Further to those goals, I would again encourage all of you to pay attention when the amendments to AS 2 are proposed by the PCAOB, and to provide the Board with your comments and input as you feel appropriate. I am confident that the PCAOB will take seriously all comments it receives, and I know the Commission will be looking at them as well.

Importantly, the amendments to AS 2 should be in place and effective before non-accelerated filers have to provide their first auditor reports on their internal controls. I hope that these amendments will help reduce the costs that non-accelerated filers might otherwise have faced as AS 2 is positioned as a more risk-based and top-down standard. I've been talking this morning about two types of companies though-smaller, non-accelerated filers on the one hand, and larger and accelerated filers on the other. Let me talk for a moment about the latter. I want to point you to a statement the PCAOB made in its own press release with respect to companies that are already complying with Section 404 as further supporting the notion that the steps announced on May 17 should not hinder those companies, or diminish efficiencies they've already achieved. The release states that the PCAOB "will establish an effective date for any amendments that would minimize any unnecessary disruption to on-going audits of internal control and would not hinder auditors' current efforts to fully implement the May 16, 2005, guidance." At this point, we do not know when any amendments to AS 2 might be effective, but in my opinion, accelerated filers and their auditors need not fear that those amendments to AS 2, when they come out, will somehow override the efforts that those companies and their auditors have already made at that point under the existing standard. I do anticipate, though, that any benefits of the amended standard that would work well "in mid-stream" will be available at the earliest possible date.

In addition to the amendments that the PCAOB will be proposing to AS 2, I am very encouraged by the Board's announcement on May 1 that it will use its 2006 inspections process to focus on the efficiency of AS 2 audits. If any of you have ever had your audit selected by the PCAOB staff during its inspections process, or have talked with someone else who has, you know how seriously the audit firms take those inspections and the real ability of the PCAOB inspections process to affect future auditor behavior. I would encourage you to read the PCAOB's May 1, 2006 release about its auditor inspections. Be an active participant in your own audit, and use the message in the PCAOB release to help promote the efficiency of your audit.

As part of the Commission's oversight of the PCAOB, the Commission staff inspects aspects of the PCAOB's operations, including its inspection program. Among other things, upon completion of the PCAOB's 2006 inspections, the Commission staff will examine the PCAOB inspections of audit firms with regard to the implementation of the principles outlined in the PCAOB's May 1, 2006, statement. In other words, the SEC's inspectors will be inspecting the PCAOB inspectors. I am optimistic that all these inspections are going to lead to real benefits in how AS 2 audits are conducted. So stay tuned on that score as well.

Conclusion.

I hope you have been able to gather from my remarks that I sincerely and deeply believe in the importance of accurate and reliable financial reporting. It is at the core of what investors need, and is the least that they deserve. In some way, the fact that you are at a conference like this one-focused on understanding and improving financial reporting-indicates to me that you share my belief in those basic principles. Section 404 can help advance those principles and ensure their application for the protection of investors, but it needs to operate efficiently and effectively for all concerned.

In closing, I just want to urge you all again to please - as the Commission puts out the Concept Release and moves forward with the other steps it announced on May 17 - share with us your thoughts and ideas and reactions. We want to hear from you. Your perspectives and insights on financial reporting and on what your company needs in order to make that reporting as accurate and reliable, and efficient, as possible are an invaluable resource to the Commission and to the public that we serve.

Thank you very much for sharing your time with me today.