As internal control heartburn persists for many public companies, at least one member of the Securities and Exchange Commission would like to see changes to the Sarbanes-Oxley Act.

Speaking at the national conference of the Institute of Internal Auditors, Hester Peirce, a commissioner of the SEC, drew applause for saying she’s a critic of Section 404(b) of Sarbanes-Oxley, which requires public companies to have their management assessment of internal control over financial reporting subjected to an audit. “There’s been talk about this at the SEC,” she said, regarding the current environment with respect to internal control reporting and the continuing angst it produces for public companies.

Section 404(a) of Sarbanes-Oxley requires management to perform an assessment of their ICFR and report its findings to investors. Section 404(b) requires companies to have their assessments of internal control audited. Companies below $75 million in market capitalization are exempt from the audit requirement under Section 404(b), and SEC Chairman Jay Clayton has spoken of possibly extending the exemption to more companies, perhaps those up to $250 million in market cap.

The Public Company Accounting Oversight Board continues to identify high levels of audit deficiencies among the largest audit firms, with internal control deficiencies outnumbering all other audit issues in inspection reports. The PCAOB most often calls out problems with selecting controls for audit testing and testing the design and operating effectiveness of controls. That has prompted auditors to make changes to their audit procedures, including increasing their scrutiny of internal controls.

Peirce was clear that she’s a fan of internal control. “None of us would argue Sarbanes-Oxley hasn’t had a positive effect,” she said. But now that the requirement has been in place more than 15 years, it’s not too soon for a retrospective review, she said. “Do the benefits outweigh the costs? Maybe we need to make some adjustments.”

Peirce said she’s concerned about smaller companies that are paying a high cost for audit services to comply with the audit requirements. She’d prefer to see companies comply with Section 404(a) and then let the market determine where it will or will not reward good controls. “Let investors decide,” she said. “It would be factored into the cost of capital.”

The IIA says its annual study of the profession has determined internal auditors in the United States spend roughly twice as much time on general financial issues, including internal control, compared with auditors in Europe and Asia-Pacific.