The issuance of auditor opinions on internal control effectiveness will mark a sea-change in the scope and nature of the responsibilities of public company auditors. For the past 27 years, the federal securities laws have required SEC-registered companies to maintain a system of internal accounting control that provides reasonable assurance that reliable financial reporting goals are met. The Sarbanes-Oxley Act gives teeth to this requirement. It mandates that management publicly report on whether its internal controls are effective and that the auditor opine on management's conclusions. Auditors have always considered the company's controls in planning the audit. This new responsibility will, however, compel them to look at controls in a different light and in greater depth.
I do not believe that Congress created these new duties lightly. Section 404 of the Sarbanes-Oxley Act is based on the common-sense idea that internal control is the bedrock on which reliable public company reporting rests. In the long run, effective internal controls are likely to do more to strengthen the credibility of financial statements and to bolster public confidence in financial disclosure than some of the other, more highly-publicized Sarbanes-Oxley innovations, such as CEO certification requirements and enhanced criminal penalties.
For these reasons, the internal control review standard that we are considering today is one of the most critical and far-reaching standards the Board will ever adopt. In a sense, we have been required to create, in a single standard, an entire parallel universe of internal control auditing — which must operate in tandem with traditional financial statement audits. Crafting this standard in a way that will require auditors to do the work necessary to reach meaningful conclusions about client company controls is perhaps the single Board action that will have the greatest effect on the nature of the auditor's work and on strengthening investor confidence in financial reporting.
While I believe there will be real benefits to internal control reporting, those benefits will not be free. This new auditor responsibility will add new complexity to the audit, and fees will almost certainly increase to some extent as a result. The Board has, in my view, tried to be sensitive in the final standard to avoid needlessly supplanting the auditor's professional judgment or requiring work that is not rationally related to determining whether or not there are material control weaknesses. Changes have been made in many areas where the comments suggested ways in which we could make the review process more efficient without compromising its quality. It would be impossible in a short statement to catalogue and describe all of these. However, I think it is fair to say that the final standard will be more workable and cost-effective, especially for mid- and smaller-sized businesses.
I would like to join in thanking the Chief Auditor and his staff for all of the hard work that they have put into this proposal. Doug Carmichael, Tom Ray, Laura Phillips and their colleagues have done a truly remarkable job on this critical project. At the meeting in October at which we proposed this standard, I compared their work, which is the Board's first substantive standard-setting effort, to forming a new football team and starting its schedule by playing in the Super Bowl. In light of the grueling effort and long hours involved, perhaps the Tour de France — or the Iditarod — would be a better analogy. In any event, thanks for a job well done.