ZoeVonna began her remarks by thanking USC and commenting on how the Trojan family is
alive and well at the SEC, with Chairman Cox, Chief Accountant Conrad Hewitt and Hewitt’s senior
advisor, Joe Ocuzoglu all having undergraduate or graduate experience at SC.
As Deputy Chief Accountant for Professional Practice, ZoeVonna works daily to maintain and
improve the quality of financial reporting and auditing and these issues very much apply to moving
forward with Sarbanes-Oxley (SOX), which has occupied a major portion of the Professional Practice
Group’s time and energy. The Group is the lead developer on the Commission’s guidance to help
management comply with SOX Section 404(a) and also plays a major role in coordinating the
Commission’s oversight of all the PCAOB’s activities.
As Chairman Cox has previously said, it is not SOX, but the implementation of SOX that has
been the problem. So, ZoeVonna focused on Section 404, the infamous internal control over financial
reporting (ICFR) section. SOX Section 404(a) adds a requirement for annual disclosures to investors
about the effectiveness of a company’s internal controls. Under the rules of 404, management must
disclose its assessment of whether the company’s internal control over financial reporting is effective at
the end of the fiscal year.
Initially, the SEC didn’t issue any overall guidance to management and the unfortunate result
was that auditors ended up driving the 404 process. The PCAOB issued Auditing Standard No. 2 (AS
2), which created indirect expectations management’s evaluations, and AS 2 became the de facto
guidance for management’s evaluations in the absence of SEC guidelines. To combat this, the SEC has
proposed several guidance measures that allow management to exercise significant and appropriate
judgment in designing and conducting evaluations that are suited to their individual companies. The
Commission also proposed rules that would provide for a single audit option on ICFR, a rule which
would shift discussions between auditors and management from a focus on the audit process to a focus
on the risk of potential misstatements.
The proposed guidance is organized around what ZoeVonna characterized as a three-phase
framework. Phase 1 involves identifying the financial reporting risks and then the controls that
adequately address these risks. Phase 2 involves evaluating the operating effectiveness of the controls
identified in Phase 1, and determining the evidence needed to support the assessment, using evaluation
procedures tailored to the risk assessment. Phase 3 involves reporting on the effectiveness of ICFR,
including disclosing any material weaknesses identified during the evaluation process.
With all of the efforts that the SEC has made to alleviate company concerns about the new
guidance measures, they realize that the filers who have not yet complied with their rules about SOX
Section 404 still feel a good deal of anxiety about the process because they have heard from others how
burdensome 404 has been and there have been groups against 404 who use catchy sound bites which are
then picked up by the press and reported to a wider audience. These anxieties should be alleviated,
however, by careful reading of the proposed guidance, which is meant to avoid unnecessary burdens on
shareholder resources. The SEC has also tried to help alleviate these anxieties by delaying
implementation of 404 until the guidance has achieved the right balance between reliability and
efficiency. One way they have done this is to extend the compliance date for filers to the end of the
fiscal year, on December 15, 2007. Also, COSO issued its ICFR guidance for smaller companies in July
2006 and all companies that choose COSO for their framework should find this guidance very helpful.
With this background on the guidance process, ZoeVonna moved to discussing the comment
process. The SEC has received over 200 comment letters from groups affected by the guidance
measures and PCAOB has received over 170. The first theme from these letters is that many groups
support our guidance. This support comes primarily from accelerated filers, while some non-accelerated
filers have expressed concerns and have asked to be exempt from 404. Another main theme from the
letters is that many groups are concerned that a more prescriptive auditing standard will force
management to either pay the auditor to test and document or do it themselves. To alleviate these
concerns, many groups have suggested that the SEC and PCAOB guidance measures should be more
clearly aligned, through the actual processes and the terminology that they use.
The SEC is still in the process of analyzing all of the comments they received and are still
deliberating on how to revise the guidance process. In accordance with SOX, the Commission must
vote whether or not to approve a standard, so PCAOB standards do not become final until the SEC has
approved them.
Now ZoeVonna discussed a bit more about PCAOB inspections. Through the comment process,
the SEC has been hearing concerns that regardless of revised guidance, unnecessary and inefficient audit
work will continue because of the PCAOB inspection process. Opposed to this concern are several
regulators who have placed great emphasis on the PCAOB inspection process. In establishing the
PCAOB, SOX sought to make inspections and standards the two key elements of the auditory regulatory
oversight process. While some view inspecting for efficiency to be the most important, ZoeVonna
believes that in the long run investors are best served if the 404 problem is solved by concentrating on
audit effectiveness. Instead of using efficiency inspections to find audit firm efficiencies, the SEC
should use the inspection process to as a mechanism to better inform audit standard-setting and auditor
performance.
In regards to auditing standards, the PCAOB made the decision, in implementing SOX, to set
auditing standards in-house. This decision can cause some problems - since currently practicing
auditors are not directly involved in the standard-setting process there is an increased likelihood of
ambiguity and misunderstanding in the PCAOB standards implementation. Another issue regarding
standards is that there are currently two audit standard-setting groups working within the U.S.: the
PCAOB for SEC registrants and the Auditing Standards Board for all others. ZoeVonna suggested that
auditing standards needs to be included in the discussion of the international convergence of accounting
standards. The convergence would make the implementation of SOX a much easier and more efficient
process.
The staff at the Commission has recognized the strengths of setting an international standard for
audit practices and is beginning to survey the international landscape for possible routes to undertake
such a convergence.
ZoeVonna concluded her speech by saying that, although the SEC faces a number of auditrelated public policy challenges as they attempt to go forward with SOX, facing these challenges
involves cooperation among regulators, investors, issuers, auditors and others. The goal for everyone is
simply improving the quality of financial reporting and auditing.