Speech by SEC Commissioner:
Remarks at the SEC Open Meeting
Management Guidance on Internal Control over Financial Reporting
by
Commissioner Roel C. Campos
U.S. Securities and Exchange Commission
Washington, D.C.
May 23, 2007
First, let me add my congratulations and my sincere appreciation to our staffs of the Office of the Chief Accountant and the Division of Corporation Finance for all of their efforts. You've shown extraordinary creativity and insight, and have certainly done much thinking outside of the box. I am very appreciative, and I think investors in our public companies will be grateful.
In one respect, Section 404 is one of the toughest challenges for regulation in general. Everyone acknowledges the huge potential benefits for investor protection that Section 404 provides. Indeed, there is evidence of this every day from executives who have studied their internal controls. However, Section 404 also has brought unreasonably high costs in implementation.
So, the key question today is whether the SEC and our colleagues at the PCAOB have found a way to maintain the investor protections of Section 404 that Congress intended to provide and to also find a way to make Section 404 more efficient and reasonable in its costs. The approach recommended today essentially tries to find that elusive "sweet spot" that accomplishes both goals of investor protection, or effectiveness, and efficiency.
In one respect, the approach today is the ultimate application of principles over rules. It also tests whether a principles-based approach can actually work in this particular environment. There's been much talk today about efficiency and the risk-based approach to management guidance, so I won't deal with that much in my statement today. Instead, I'll focus on some concerns that investors may have, and I would focus the staff to provide assurances where they think appropriate.
Many investors worry that our management guidance has focused too much on efficiency over effectiveness. Ultimately, only time will prove what we have done to be correct. However, I know that our SEC staff has worked mightily with the PCAOB and its staff to find the right balance. I am confident that this balance has been struck. To those who worry about whether efficiency has been overplayed, I will point to a few items in management guidance that appropriately focus on investor protection.
First of all, we will have the vast majority of public companies - that is, the smaller companies - that will be fully subject to Section 404 for the first time in fiscal 2008 with the auditor's attestation report due in 2009. That will be a major milestone, which has not yet occurred. So, investors will have the benefit of having Section 404 apply to that huge sector of U.S. public companies. Let me also point to a few items in management guidance that should also provide some degree of comfort to investors.
Our management guidance states that the flexibility provided does not mean that evaluations for smaller public companies be conducted with less rigor to provide anything less than reasonable assurance as to the effectiveness of ICFR at such companies. I note that in management guidance, the term "professional skepticism" on the part of auditors is used, and that is expected to remain. So, the auditing profession is not being asked to be less substantive in their audits.
I would also point out that the definitions of "material weakness" and "significant deficiency" have been retained and clarified, and auditors are still required to pay attention to management's report to the audit committee and to note if there are inaccuracies stated therein.
Let me mention one other item dealing with investor concerns. Many believe that the most crucial and important risk to reliable financial reporting is the risk of a very specific type of breakdown in internal controls: namely, intentional fraud by senior management, who have overridden internal controls. As one commenter noted, "History has shown that senior management cooking the books has been the most costly of control failures." While no system of controls is perfect - indeed, our rules seek to compel "reasonable assurance" - internal controls should seek to substantially decrease the likelihood that intentional fraud by senior management will occur. Let's not forget that the Sarbanes-Oxley Act was passed in the wake of the massive frauds perpetrated by senior management at Enron, Worldcom, Adelphia and other companies. When the House passed SOX by a vote of 423-3 and the Senate by 99-0, I don't think they were too concerned with honest errors by lower-level accounts receivable clerks.
To that end, a number of very thoughtful commenters suggested that our guidance be revised to more strongly emphasize management's responsibility to identify and evaluate fraud risks and the controls that address those risks. I'm pleased to see that our final guidance has been improved in response. In keeping with its principles-based approach, the guidance does not contain a list of fraud risks expected to be present at companies. This should not be seen as suggesting that we view fraud risks as unimportant. To the contrary, they are too important to be relegated to a check-the-box type of approach. And the guidance - as requested by commenters - specifically cites the significant existing guidance for assessing fraud risks and controls.
Notably, however, what the guidance does do is state that management should recognize that fraud risks exist in every organization and that identification of a fraud risk does not mean that fraud has occurred. While in some respects this may be obvious, in other respects it is very important to be stated. It should give management the confidence to confront the risk of fraud, which is the biggest risk that management must consider. Management must ask itself: how are we going to design controls to prevent fraud by senior management? And how are we going to ensure that these controls operate effectively? I'm not suggesting that the answers to these questions are easy. Far from it. But if management spends less time worrying about whether their controls ensure that every receivable is reconciled, they should have more time to consider appropriate fraud controls and testing those fraud controls. If we take a step back and look at the forest instead of the trees, this is what management should be doing. And I believe that our particular management guidance goes a long way in encouraging and hopefully producing that result.
With that said, let me just ask a few questions: I've focused here on fraud controls, and the staff has indicated that one of the areas where the guidance has been modified was in that area. Can you highlight further the impact that you think those changes will have on management's evaluation? Specifically, it's obviously very important to establish controls regarding management override. Is it realistic to think that companies can establish effective controls in this area?
Our management guidance is not a guarantee. Instead, it gives guidance with respect to a very thoughtful framework that provides our public companies and our audit profession the very best opportunity for a system that continues to protect investors by having management's assessment and the auditor's attestation of internal controls. The success of our guidance will ultimately depend on the good faith and hard work of both management and auditors. It will also depend on the vigilance of investors. I am hopeful and optimistic that all of the parties and the professionals will use the new guidance and the new AS5 to accomplish the purposes and benefits of SOX 404 and will do so in a way that costs will be reasonable.
I've often stated that the attractiveness of the U.S. markets stems from our focus on reliability and transparency, which draws capital throughout the world. I'm told constantly by foreign investors that it is the U.S. system of protecting capital, including through Section 404, which attracts so much foreign capital. I'm confident that our guidance today will help provide both the reliability and transparency of the financial statements of U.S. issuers, while at the same time will help to reduce the costs so that foreign issuers and others will not let Section 404 be a determinative factor as to whether or not they seek to raise capital in the U.S. I'm very happy to support this proposal, and thank you for all of your hard work.
http://www.sec.gov/news/speech/2007/spch052307rcc.htm
