Last month, the Public Company Accounting Oversight Board and the Securities and Exchange Commission attempted to clear up two of the most costly vagaries of the Sarbanes-Oxley Act.
The PCAOB released a new set of standards to help better define what constitutes a "material weakness" in SarbOx compliance, an issue that has been "driving up audit fees like crazy" as internal and external audit teams squabble over different interpretations of the law, says Paul Hamerman, vice president of enterprise applications at Forrester Research Inc.
Meanwhile, the SEC issued this Greenspan-esque clarification on the role of IT in complying with section 404 of SarbOx: "Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process.
A one-size-fits-all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance." Huh?
While Hamerman thinks the moves by the two governing bodies will help in further clarifying SarbOx compliance, he concedes the language is less than direct. "It's possible a CIO might not get it," he notes.