New SEC approach for Sox compliance 2048

  • Hello,
    does anybody have an update about the finalisation of the new risk based approach proposed by the SEC? Do you think, it will affect the testing programs for 2007?
    Maybe you already have made experiences, unfortunately I do not see any update on the SEC homepage.
    Thank for your answers

  • The SEC has not yet released its new guidance. They have promised that it will be released next month, at the latest.
    The SEC and PCAOB are still working hand-in-hand in an effort to make their releases as complementary as possible.

  • It depends, both on the approach you took last year and the flexibility of your external auditor.
    The SEC has not yet finalised its guidance however you can get a good flavour of what they are thinking with the proposed guidance. In truth this had no impact on my methodology as it just confirmed what I was already doing but for some it may encourage a more agressive approach as you risk assess your balances and processes and decide what should be inscope.
    The PCAOB guidance is also not finalised but if you work with your external auditors they may be willing to review their approach for 2007. The big 4 all seem open to taking on board the spirit of the proposed guidance even if it has not yet been finalised. I am planning my 2007 compliance with them myself and the key impacts seem to be:

    • possible further reduction in the number of inscope processes as focus moves towards materiality rather than significance. Also whether it is reasonable to expect a material error as opposed to the ‘more than remote likelihood’ measure.
    • less test of operating effectiveness eg if a process is deemed to be low risk a simple but thorough walkthrough may be sufficient rather than testing each control against agreed sample sizes (thus reducing your sample sizes to effectively ‘1’.). Instead operating effectiveness teseting is left for the medium or high risk processes but even here the emphasis on testing can be focused onto the more important of the key controls (based on risk).
      This does appear to be making our testing more manageable however the anticpated cost savings in terms of audit fees is not at present coming through.

  • While subject to further approvals, the SEC has just approved some changes to SOX 404 , as shared here:

  • More importantly I understand that the PCAOB will approve their standards today (24 May).

  • Yes, PCAOB approval should be a done deal. Although Congressional approval seems certain, that’s where I’m a little concerned (as I hope that they will avoid trying to tweek or politicize the committee recommendations).
    As a golden rule, we should avoid talking about politics in forum areas, so I’ll conclude by saying that ‘I’m keeping my fingers crossed’ 😉

  • Congressional support? The SOX Act empowered the PCAOB to set the standards. I didn’t think they needed to ratify any of the Audit Standards as proposed and adopted by the PCAOB. I don’t remember seeing any similar Congressional input when the first four Audit Standards were released. Am I missing the boat here? Do we need to hold off implementing both AS 5 and the SEC’s guidance on SOX until Congress gets involved?
    I can’t afford to wait much longer before we dig into 2007.

  • I may have misread one of the articles which seemed to indicate the Commerce Committee had to also approve these changes. It appears the next step is for the SEC to approve the final version (and this is expected). It will be pertinent to Fiscal year 2008.
    More here:

  • As an update for members following this thread, the full text of the PCAOB recommendations have now been posted at their website. While these are still subject to SEC approval, that action is anticipated with an effective date for implementation around Nov 2007 (effective for fiscal year 2008 from an accounting perspective)
    New 2007 changes for SOX 404 - Full Text now available

  • Having read the guidance - I may be being dense but I’m not actually sure what it means.
    I gather we are supposed to concentrate on items the could materially affect the numbers as opposed to ‘management controls’
    Can someone see if I have got the right end of the stock here:
    i.e. Fixed Assets - we have none that are material - we are a distributor and lease our buildings/ forklifts etc - so does that mean we can ignore this cycle apart from the walkthroughs.
    Also with the entity wide controls - if the parent body does a full reconcilliation of the accounts - can we just concentrate on the journals rather than the local reconcilliations. Sorry if this seems rambling but I am approaching this from an ops audit view - and though qualified as an auditor am new to accounting…

  • Andy - who is subject to SOX 404 - your entity or the parent (i.e., who files with the SEC?)? If your parent, then you need to coordinate with them what and how to test.
    As for the SEC guidance, they want us to focus our efforts on those areas where a material error in the FS could occur if controls are not effective. This would also include material fraud. Just because you lease your major assets does not mean that you could not have errors in your FS in that area. Are you treating your leases correctly between capital and operating? Are you depreciating your LHI over the proper lives (i.e., generally not to exceed your guaranteed lease terms)? Are you treating any rent-free periods correctly when recording rent expense?

  • I am having difficulties seeing what is new with AS5, as compared to AS2. It seems that AS5 more like clarified or emphasized certain key points rather than introduce new ideas.
    Does anyone know of a good key-point comparison that is published out there? Or can someone do a quick compare and contrast?
    Many thanks.

  • Go back to the PCAOB’s release in December, 2006. This was the proposed AS5 guidance. The document did list the significant changes from AS2.

  • Thanks Kymike.
    Another question: In terms of the use of work of others, the published AS5 seems to allow auditors to use work performed by objective and competent personnel, and it does not mention whether that has to be under direct supervision from the auditors. At some point, did they have it worded so that the auditors could only use work of others only if the work is to be under direct supervision of the auditors’?

  • I looked back at AS2. It did not require the work of others to be supervised by the external (or internal) auditors.
    There was a proposed rule on using the work of others, but it was ultimately not adopted. This may have been where you read this restriction.

  • Another place you may have come across it is the auditors own writings. Depending on your local circumstances the auditors may quote other guidance/standards that restrict reliance on others. I know that earlier in 2007 E-and-Y presented to a european conference where they applied audit standards to the proposed revised guidance and stated that to achieve reliance the work would have to be under their direct supervision.
    I think it depends on the risk appetite for each external audit partner.

Log in to reply