SEC OKs Risk-Based SOX Compliance

May 23, 2007 ( - New guidance approved Wednesday by the U.S. Securities and Exchange Commission (SEC) on implementing Sarbanes-Oxley allows managers to identify the highest risks to their books as they audit their internal fiscal controls.

The change eases the burden on companies in dealing with the corporate reform law since, at present, officials have to test a long list of fiscal controls, according to Reuters.

SEC commissioners voted 5-0 to endorse the more risk-based approach when companies are complying with Section 404. That regulation requires companies to assess their internal controls over financial reporting and calls for external auditors to report on management’s assessment and on the controls.

“Congress never intended that the 404 process should become inflexible, burdensome and wasteful,” SEC Chairman Christopher Cox said at the agency’s open meeting, according to the Reuters report.

Companies and business lobbyists have complained for a long time that Section 404 was too expensive and the SEC has conceded that, in some cases, overly cautious companies caused the costs of complying with the law to exceed its benefits.

The U.S. Chamber of Commerce applauded the changes Wednesday. “This major rewrite is a clear step forward and recognizes how seriously off-track Section 404 implementation has become,” Michael Ryan, executive director of the Chamber’s center for capital markets competitiveness, told Reuters.

At the open SEC meeting, Cox said the SEC and Public Company Accounting Oversight Board (PCAOB) have made excellent progress in addressing small companies’ need to appropriately scale Section 404 requirements and it “would not appear any additional postponement is necessary.”

Small companies with less than $75 million in market capitalization are not scheduled to comply with the management guidance part of Section 404 until the 2007 audit cycle (See  SEC Panel Formally Recommends Small Co SOX Exemption ).