SOX 404, of course, is a provision of the Sarbanes-Oxley Act that mandates that the management of public companies not just provide investors with a statement about the strength of the company's internal controls (the systems the company uses to track how the company is spending its money and make sure managers are not stealing it), but that the company's independent auditor attest to this management statement. Following the collapse of the accounting firm Arthur Andersen, auditors have been extremely reluctant to make such attestations without thorough (and expensive) testing of company internal controls.
The new AS5 (which has been in the works for some time -- see here) has two components. The first is a complete revision of AS2 that would:
- Direct the auditor to the most important controls and emphasize the importance of risk assessment;
- Revise the definitions of significant deficiency and material weakness, as well as the "strong indicators" of a material weakness;
- Clarify the role of materiality, including interim materiality, in the audit;
- Remove the requirement to evaluate management's process;
- Permit consideration of knowledge obtained during previous audits;
- Direct the auditor to tailor the audit to reflect the attributes of smaller and less complex companies;
- Refocus the multi-location testing requirements on risk rather than coverage; and
- Recalibrate the walkthrough requirement.
- Allow the auditor to use the work of others, and not just internal audit, for both the internal control audit and the financial statement audit, eliminating a barrier to integration of the two audits;
- Encourage greater use of the work of others by requiring auditors to evaluate whether and how to use the work of others to reduce their testing;
- Require the auditor to understand the relevant activities of others and determine how the results of that work may affect the audit;
- Provide a single framework for using the work of others based on the auditor's evaluation of the combined competence and objectivity of others and the subject matter being tested; and
- Eliminate the principal evidence provision previously included in AS No. 2.
Despite what some had urged, the new AS5 does not exclude small companies from having to have auditors attest to their internal controls, but it does try to make the internal controls testing "scalable," so that audit firms will not have to apply exactly the same standards to small companies as they might for large issuers. This actually follows the (somewhat surprising) recommendations of the Committee for Capital Markets Regulation (see here).
The new AS5 proposal comes less than a week after the SEC also released "management guidance" designed to provide companies with cover should they not do everything audit firms would like them to in testing their internal controls. (See this post here. The SEC management guidance can be read here.)
The SEC also published a press release praising the PCAOB for its work, which you can read here.