I was acting chief accountant at the Securities and Exchange Commission in May 2003 when the Commission’s first set of rules implementing the provisions of Section 404 of the Sarbanes-Oxley Act—the section that requires management and auditor reporting on internal controls—were passed. No other part of SOX has generated nearly as much controversy, anger, frustration, or backlash. On the other hand, no part of SOX has as much potential to contribute to investor confidence and high-quality financial reporting over the long term as Section 404.
As evidenced by the cost estimates in the May 2003 rules, we didn’t have a good handle on just how much time and effort would go into internal control reporting. Now I see that part of the reason that our estimates were so bad is that we didn’t fully understand the scope of work that would be needed to opine on internal control effectiveness. It is also clear to me that the state of internal control systems in public companies was worse than we thought. But it is equally clear that substantially more work has been done than is needed.
