Careers
SubscribeTestimony on the PCAOB
Chairwoman Velazquez, Ranking Member Chabot, and Members of the Committee:
I am pleased to appear on behalf of the Public Company Accounting Oversight Board ("PCAOB" or the "Board") to speak about the impact of the Sarbanes-Oxley Act of 2002 (the “Act”) on small business, and, in particular, the PCAOB’s oversight of small audit firms and its auditing standard on internal control over financial reporting. I am also pleased to join Chairman Cox before you for today’s hearing on “Sarbanes-Oxley Section 404: Will the SEC’s and PCAOB’s New Standards Lower Compliance Costs for Small Companies?” The PCAOB works closely with the Securities and Exchange Commission (“SEC”) to achieve our shared goal of protecting the interests of the investing public in the preparation of informative, accurate and independent audit reports on public company financial statements.
I. Introduction and Background
This Committee’s focus on small business, and its particular focus today on the impact of the Act’s internal control provisions, are both appropriate and timely. Last month, the PCAOB replaced its auditing standard on internal control over financial reporting, which I will later describe in greater detail. A priority concern that triggered that action is the desire to assure that the audit mandated by the Act can be conducted in a manner consistent with the size and complexity of America’s small publicly traded companies. The market will bear out how the new standard affects overall audit costs, but in revising its standard, the PCAOB has been committed to providing for a sound audit that gives auditors of small companies the flexibility they need to design and perform cost-effective audits that are tailored to the unique attributes of small business while still achieving the important objectives of the audit.
Madam Chairwoman and Committee members, we see two important dimensions to the PCAOB focus on small business. First, of the 1,000 plus domestic audit firms that have registered with the PCAOB, the overwhelming majority are small firms. While our experience in inspecting these firms varies, we are reassured to discover that many very small firms provide high quality audits for their clients, many of whom are small businesses. The second dimension of our small business focus is our recognition that these small businesses constitute the largest segment of entities affected by our audit standards, and we need to be cognizant of their needs as we develop the standards.
With more than half of all American households invested in U.S. public companies,[1] the discoveries of financial reporting and auditing improprieties at numerous public companies earlier this decade swelled in 2002 to a national crisis of confidence in the integrity and reliability of public companies’ financial statements. Widespread investor risk aversion across markets adversely affected innovation and the economy more broadly.[2] This led to a predictably strong response on the part of the investing public, as well as public company boards, the accounting profession, regulators, and Congress. There was an increased recognition of the need to bolster controls over financial reporting and bring an enhanced focus to corporate governance. Congress reacted by passing the Act, which among other things established the PCAOB to replace the accounting profession’s self-regulatory model with an independent oversight system.
The PCAOB’s mandate is to oversee the auditors of public companies, in order to protect the interests of the investing public in the preparation of informative, accurate and independent audit reports on public company financial statements. The PCAOB does not set accounting standards or regulate disclosures by public companies; rather, its role is to improve the quality and reliability of public company audits, so that investors can have more confidence in audited financial statements. High quality financial disclosure by public companies is a cornerstone of U.S. capital markets and is necessary for the continued growth and competitiveness of the U.S. economy.
With that brief history as context, I would like to devote my time today to describing the PCAOB’s programs, with a particular focus on the PCAOB’s approach to small audit firms. In addition, I will describe the PCAOB’s efforts, together with the SEC, to implement the provisions of the Act related to internal control, again with a particular focus on preparations for small companies and their auditors to implement those provisions, according to the timetable established by the SEC.
II. The PCAOB’s Auditor Oversight Programs Foster a Dialogue with Small Audit Firms to Help Them to Improve Their Audits and Compete in the Market to Provide Public Company Audit Services.
Subject to the oversight authority of the SEC, the Board is responsible for:
- Registering audit firms that prepare audit reports for U.S. public companies;
- Establishing, by rule, auditing and related professional practice standards relating to the preparation of audit reports for U.S. public companies;
- Conducting inspections of registered firms;
- Conducting investigations of, and imposing appropriate sanctions where justified upon, registered firms and associated persons of such firms.
I will focus my remarks today on the PCAOB’s oversight and interaction with, small firms in particular.
A. More Than 1,700 Accounting Firms Have Registered with the PCAOB.
Early concerns that independent oversight might deter firms, particularly smaller firms, from continuing to audit public companies have not borne out. On the contrary, since the PCAOB opened its doors in January 2003, it has registered more than 1,700 accounting firms that audit, or wish to audit, U.S. public companies. Of these firms, about 1,000 are U.S. firms. The firms vary dramatically in size. Some are multi-office regional firms with several, and sometimes a great number of, partners and professional staff, and others are sole practitioners with no professional staff. Only about 150 of these firms had more than five public company clients at the time they registered. In addition, more than 450 of these firms registered even though they were not the auditor of record for a public company at the time they registered.[3]
The PCAOB has observed that the market is improving for small audit firms registered to audit U.S. public companies. The Big Four firms have reduced their public company audit client base by more than 1,000 clients since Arthur Andersen’s demise. In the same period, the next four and even smaller firms have increased the number of public companies that they audit: the next four have added more than 250 audit clients among them, and smaller firms have taken on more than 580 audit clients.[4] Indeed, within the last year, two registered firms have grown their audit practices to such an extent that they now issue audit reports for more than 100 public companies, which triggers the requirement under the Act and the Board’s rules that the Board conduct annual inspections of those firms. Ten U.S. firms and one non-U.S. firm are now subject to annual inspection.
Smaller firms are likely to continue to seize opportunities to expand their businesses by taking on new clients appropriate to the size and sophistication of the firms’ practices. At the same time, for their business growth to reach its full potential, the firms must understand and know what is expected of them within the Sarbanes-Oxley and PCAOB framework. For smaller firms, the adjustment to that framework can give rise to issues and questions different from those for the larger firms.
B. The PCAOB Uses Outreach to Small Firms and the Small Business Community to Provide Information About PCAOB Activities and Seek Insight on Small Business Concerns and Challenges.
The PCAOB has established an ambitious outreach effort directed toward small registered firms and their audit clients to address their unique issues and questions. These one- and two-day discussion sessions, called Forums on Auditing in the Small Business Environment, follow an in-depth curriculum on PCAOB activities and developments. They have provided an avenue for small registered firms and small public companies to obtain a better understanding of the workings of the PCAOB, and they have fostered a robust dialogue that has given the PCAOB valuable insights to apply in its programs. In addition, I believe the Forums have better equipped firms with information to address the challenges of the regulatory environment.
To date, the PCAOB has held 21 Forums in 14 metropolitan areas across the country. Nearly 2,000 people involved in the small business community have attended the Forums, including about 1,500 auditors from smaller public accounting firms. Based on positive feedback from participants, the PCAOB intends to continue to hold Forums to further the PCAOB’s dialogue with such firms and companies.
C. The PCAOB’s Supervisory Inspection Program Helps Small Firms Focus on Audit Quality Necessary to Compete in the Market to Provide Public Company Audit Services.
While the Forums reach small firm auditors in a group environment, PCAOB inspections foster an even deeper, one-on-one dialogue between the PCAOB and small registered firms. Under the Act and the Board’s rules, firms that audit the financial statements of 100 or fewer public companies are subject to inspection at least once every three years. The PCAOB has taken a supervisory approach toward implementing its inspection program. In these inspections, the PCAOB has observed first-hand how some small firms distinguish themselves professionally and competitively by performing high-quality audits. In other cases, PCAOB inspections identify areas in which firms should do better. For those firms that strive to improve the quality of their audits and their ability to compete for public company audit clients, the supervisory dialogue throughout the inspection process helps them to do so.
While the PCAOB’s inspections are the core of its supervision of registered firms, these inspections take place largely outside the public view. This is because the Act mandates a significant degree of confidentiality relating to inspection information. One particular provision relates to any portion of a PCAOB inspection report that describes criticisms of the firm's system of quality control. Under the Act, a firm has one year to show that it has satisfactorily addressed those criticisms, and if it does so those criticisms remain nonpublic. This remediation mechanism reflects Congress’s policy decision to use the possibility of public disclosure as an incentive to firms to address systemic problems.[5] It has proven to be a key tool to motivate firms to do better. When the PCAOB identifies problems, firms typically take those criticisms seriously and make substantial changes within a year.
Under the Board’s supervisory approach, it is able to use its inspection process to address most of the individual, or isolated, auditing problems identified, without the need to invoke its disciplinary authority to enforce applicable laws and standards. For example, when an individual audit is not up-to-grade, inspectors discuss with the firm precisely what the deficiency is. Sometimes this means a firm will perform additional audit procedures to shore up a weak audit. When the problem relates to an individual auditor, a firm may provide additional training to or supervision of the person involved or take other action the firm determines is appropriate. Thus, the PCAOB inspection process has been able to prompt and facilitate firms' achievement of significant real-time improvements, often even before an inspection is concluded.
D. The PCAOB Develops Auditing and Related Professional Practice Standards with the Needs and Challenges of Small Firms in Mind.
The Act directs the Board to establish certain standards for use by auditors of public companies. Those include standards for auditing and related attestation work, standards for quality controls, ethics standards, and independence standards. In order to ease firms’ transition to independent oversight, early in the Board’s first year of operation, in 2003, the Board adopted as interim standards certain auditing and related professional practice standards that had been developed and adopted by the auditing profession prior to the establishment of the PCAOB. These are standards with which audit firms large and small were already familiar, as they existed on April 16, 2003.[6]
Since adopting this body of pre-existing standards, the Board has adopted five new standards[7] as well as new ethics and independence rules relating to tax services and contingent fees. To develop new standards and rules, the Board uses a standards-setting process that provides for public input at a variety of stages. In particular, three times a year the Board holds a public meeting with its Standing Advisory Group.[8] The advisory group’s 31 members are drawn from a cross-section of the nation’s companies – small and large – as well as auditors from small and large accounting firms, investors and their advisors, academics, and others. These individuals share their informed opinions on how the Board, consistent with its mandate, can improve the quality of audits, including by advising on best practices and emerging issues. Many of the advisory group’s discussions have focused on matters related to small business and the audits of small registered firms. On occasion, they have also included dedicated panels of small firm auditors who can offer their insights on best practices and their experiences with the unique challenges the small business community faces.[9]
In addition to seeking the views of its advisory group members and other interested persons, the Board seeks public comment on proposed new standards and rules, makes those comments publicly available on its Web site, and considers them before adopting final standards or rules. Board standards are also subject to SEC review, and they do not go into effect unless they are approved by the SEC.[10]
III. The PCAOB’s Role in the Act’s Internal Control Requirements
I would like to devote the remainder of my time today to the PCAOB’s role in implementing, through its auditing standards, the provisions of the Act related to internal control over financial reporting. In particular, Section 404 of the Act requires public companies annually to provide investors an assessment of their internal control over financial reporting, accompanied by an auditor’s attestation on the same subject.
A. The Act’s Internal Control Reporting and Auditing Requirements
The term “internal control over financial reporting” refers to a company’s system of checks and processes designed to protect corporate assets, keep accurate records of those assets as well as its financial transactions and events, and prepare accurate periodic financial statements. Investors can have much more confidence in the reliability of a company’s financial statements if management demonstrates that it maintains adequate internal control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets, and the safeguarding of company assets. Indeed, research shows that disclosures about the reliability of internal control have a significant effect on companies’ cost of capital.[11]
Companies have been required to have internal control over their accounting since Congress enacted the Foreign Corrupt Practices Act in 1977. There is no doubt, however, that the Sarbanes-Oxley Act’s requirement for annual assessments, and auditor attestations to those assessments, intensified scrutiny of companies’ internal control over financial reporting.
As directed by Section 404(a) of the Act, in June 2003 the SEC established rules describing companies’ required assessments. In March 2004, the PCAOB implemented Sections 103, requiring an auditing standard on internal control, and 404(b) of the Act by establishing a new auditing standard – Auditing Standard No. 2 – to provide for an audit of internal control over financial reporting integrated with the audit of the financial statements themselves. The SEC approved Auditing Standard No. 2 in June 2004.[12] For large, established companies – which the SEC calls accelerated filers – the initial assessments and attestations were required by SEC regulations to be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004.[13]
The SEC has delayed implementation for smaller companies, i.e., non-accelerated filers. Such companies have until they file financial statements for a fiscal year ending on or after December 15, 2007, to file their first management assessments of internal control. In addition, the SEC will not require such companies to file audit reports on such assessments until they file financial statements for a fiscal year ending on or after December 15, 2008.[14]
B. Although the Act’s Internal Control Reporting Requirements are Not Yet Applicable to Small Companies, the PCAOB Has Used Its Experience Monitoring Large and Mid-Cap Company Implementation to Revise Its Auditing Standard and Develop Tailored Guidance with Small Companies In Mind.
Notwithstanding this delay, there is considerable concern among small public companies about implementing the Act’s internal control reporting requirements. For its part, the PCAOB has monitored implementation by companies that are subject to the requirements, among other things with a view toward easing implementation challenges smaller companies may face. To this end, based on that experience, the PCAOB recently revised its auditing standard on internal control and is developing specialized guidance and training for auditors of small companies.
1. The PCAOB Has Monitored Auditors’ Implementation of Auditing Standard No. 2 and, as Needed, Provided Guidance.
In the nearly three years since the SEC’s rule on management assessments of internal control and the Board’s related auditing standard went into effect for accelerated filers, the Board has closely monitored the challenges that those companies and their auditors have faced. As appropriate, the PCAOB has provided additional guidance to facilitate implementation. In this regard, the Board’s staff issued five sets of interpretive guidance that answer 55 frequently asked technical questions on the implementation of Auditing Standard No. 2.[15] In addition, on May 16, 2005, the Board issued a policy statement describing ways auditors can make their internal control audits as effective and efficient as possible.[16]
The PCAOB has also used its inspections of larger firms to monitor firms’ implementation of the Board’s auditing standard on internal control. To this end, the PCAOB has issued two reports on its inspections and other monitoring, on November 30, 2005, and April 17, 2007. Those reports describe best practices observed in the first and second years, respectively, as well as providing additional guidance on how auditors can make their work more efficient.[17]
The PCAOB's monitoring has also included participating, along with the SEC, in two roundtable discussions with representatives of public companies, auditors, investor groups, and others; meeting with its Standing Advisory Group; receiving feedback from participants in the Board's Forums on Auditing in the Small Business Environment; and reviewing academic, government, and other reports and studies, including the Government Accountability Office’s April 2006 report on Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies, and the Final Report of the SEC’s Advisory Committee on Smaller Public Companies issued the same month.[18]
2. The Board Has Revised Its Standard, to Promote Efficiency and Eliminate Unnecessary Procedures.
The Board is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control. Therefore, based on its experience monitoring implementation, on December 19, 2006, the Board proposed a revision of its auditing standard on internal control, along with related amendments and rules. The Board received 175 comment letters on the proposal. After considering these comments, as well as the input provided by the SEC at an Open Meeting on April 4, 2007, the Board adopted a new auditing standard – Auditing Standard No. 5 – on May 24, 2007. If approved by the SEC, the new standard will replace Auditing Standard No. 2 in its entirety.[19]
One of the primary goals of the new standard is to provide explicit guidance on scaling audits to reflect the attributes of smaller, less complex companies. In addition, the new standard has three other objectives. Specifically, the new standard –
- Focuses the audit on the matters most important to internal control – The new standard focuses auditors on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements. It does so by incorporating certain best practices designed to focus the scope of the audit on identifying material weaknesses in internal control, before they result in material misstatements of financial statements, such as using a top-down approach to planning the audit. It also emphasizes the importance of auditing higher risk areas, such as the financial statement close process and controls designed to prevent fraud by management. At the same time, it provides auditors a range of alternatives for addressing lower risk areas, such as by more clearly demonstrating how to calibrate the nature, timing and extent of testing based on risk, as well as how to incorporate knowledge accumulated in previous years’ audits into the auditors’ assessment of risk and use the work performed by companies’ own personnel, when appropriate.
- Eliminates unnecessary procedures – The Board examined every area of the internal control audit to determine whether the previous standard encouraged auditors to perform procedures that are not necessary to achieve the intended benefits of the audit. As a result, among other things, the new standard does not include the previous standard’s detailed requirements to evaluate management’s own evaluation process and clarifies that an internal control audit does not require an opinion on the adequacy of management’s process.
- Simplifies the requirements – The Board’s new standard is shorter and easier to read. This is in part because it uses simpler terms to describe procedures and definitions. It is also because the standard has been streamlined and reorganized.
These steps are designed to provide for a sound audit that gives auditors of small companies the flexibility they need to design and perform cost-effective audits that are tailored to the unique attributes of small business.
3. The Board Plans Guidance for Auditors of Small Companies.
In 2006, even before the Board revised its auditing standard, it embarked on an initiative to develop tailored implementation guidance for audits of small companies, based on the experience and insights of small companies and auditors who have been and are currently going through the process of evaluating internal control as well as the Board’s inspection and other monitoring experience. The guidance is intended to emphasize the scalability of internal control audits at a practical level, by providing auditors with examples of how the internal control audit process can and should be scaled to fit the relative sizes of small companies, from those that are on the cusp of accelerated filer status to those that have merely a handful of employees.
This initiative has progressed on a parallel track to the revision of the Board’s auditing standard. Thus, beginning in January 2007, the PCAOB’s focus group of auditors and small companies began evaluating an early prototype of the planned guidance, based on the Board’s December 2006 proposal. The Board continues to develop this guidance in consultation with its focus group. The guidance will also be updated it in light of changes reflected in the standard as adopted. The PCAOB is targeting publication of the guidance later this year.
Finally, the Board is exploring various means of facilitating training for auditors of smaller public companies on auditing internal control. With constructive, practical guidance, the Board hopes that small companies and their investors will be able to reap the benefits of internal control reporting without unnecessary costs.
IV. Conclusion
The PCAOB works hard to achieve the objectives Congress set for it in the Act. The oversight program it has in place is reducing the risk of financial reporting failures and renewing confidence in the financial reports of public companies and, ultimately, in the U.S. securities markets. The Board continues to assess its oversight programs, however, and in doing so it takes into account the effect on, and perspective of, the small business community. As I have described, the Board has and will continue to make appropriate adjustments to assure that it achieves the objectives of the Act in the most effective and efficient manner possible. In particular, the Board is committed to ensuring that its standard on internal control lays the foundation for efficient audits that are cost-effective for small business and maintain the benefits intended by the Act.
Thank you. I will be pleased to answer any questions.
Endnotes
[1] Due to the expansion of defined contribution plans and other incentives, nearly 57 million U.S. households own stocks directly or through mutual funds, according to a study by the Investment Company Institute and the Securities Industry Association. See Equity Ownership in America: 2005 (November 2005), available at http://www.ici.org/pdf/rpt_05_equity_owners.pdf .
[2] By all measures, the forward risk premium for the S&P 500 swelled in October 2002 to nearly double the historical mean. The forward risk premium reflects the additional risk that investors perceive exists in the stock market, as compared to the bond market. See Monthly Earnings Report, Lehman Brothers, at p. 72 (April 7, 2004). The effect of this risk aversion was not limited to U.S. markets. For example, in 2002 it led to the collapse of Germany’s Neuer Markt, a young stock market designed to provide capital opportunities for small European companies and thus to compete with U.S. markets for shares of new "dotcoms" and other technology companies. See Benoit, B., Skorecki, A., and Stafford, P., "Deutsche Borse to Close Neuer Markt Next Year," Financial Times (September 27, 2002).
[3] Importantly, the PCAOB’s rules related to registration were designed with care not to impose unnecessary impediments for small firms. Thus, while a registering firm must demonstrate that the Board’s approval of its application is consistent with the Board’s responsibilities under the Act to protect the interests of investors and to further the public interest in the preparation of informative, accurate, and independent audit reports, firms need not have a current public company audit client in order to register.
[4] See Yellow Card Trend Alert, Glass, Lewis & Co., at 1 (Feb. 15, 2005). According to this study by Glass, Lewis & Co., in 2004, Big Four firms reduced their public company audit clients by 400, the next four firms added overall, net, 117 public company audit clients, and all other accounting firms had a net gain in public company audit clients of 217.
[5] In order to give the public an understanding of how this incentive works, last year the Board described its experiences in monitoring firms’ efforts to address problems identified in the first year of inspections. See PCAOB Release No. 104-2006-078 , Observations on the Initial Implementation of the Process for Addressing Quality Control Criticisms within 12 Months After an Inspection Report, March 21, 2006; see also PCAOB Release No. 104-2006-077 , The Process for Board Determinations Regarding Firms’ Efforts to Address Quality Control Criticisms in Inspection Reports, March 21, 2006.
[6] In summary, these are: Generally Accepted Auditing Standards (or, "GAAS") as previously established by the American Institute of CPAs ("AICPA"); Attestation Standards and related interpretations and Statements of Position as previously adopted by the AICPA; the AICPA’s Statements on Quality Control Standards and certain AICPA SEC Practice Section membership requirements; certain provisions of the AICPA’s Code of Professional Conduct on integrity and objectivity, and the standards and interpretations of the Independence Standards Board.
[7] Specifically, the Board’s Auditing Standard No. 1 relates to references in auditors’ reports to the standards of the PCAOB; Auditing Standard No. 2 relates to audits of internal control over financial reporting; Auditing Standard No. 3 relates to audit documentation, and Audit Standard No. 4 relates to auditors’ reporting on whether a previously reported material weakness continues to exist. They are available on the Board’s Web site, along with the Board’s new ethics and independence rules.
[8] The Board convened its Standing Advisory Group pursuant to Section 103(a)(4) of the Act. The Group consists of experts in auditing and financial reporting, including individuals with experience at institutional investors, accounting firms, and public companies.
[9] The Board also participates as an observer of other agencies’ initiatives to examine issues germane to the small business community, including the SEC’s Advisory Committee on Smaller Public Companies, the Committee of Sponsoring Organization’s Task Force on Guidance for Smaller Public Companies, and the Financial Accounting Standards Board’s Small Business Advisory Committee.
[10] In most cases, applicable securities laws and rules provide for the SEC to publish PCAOB rules and standards for public comment as part of the SEC’s consideration and approval process.
[11] See Ashbaugh-Skaife, Collins, Kinney and LaFond, The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital (April 2006, updated February 2007). Specifically, the researchers found that when companies report they have corrected a previously reported material weakness in internal control, their cost of capital goes down on average 1.5 percent. Conversely, when companies report material weaknesses in audited financial reports after they had previously reported in unaudited statements that internal control was effective, their cost of capital goes up on average almost 1 percent (93 basis points).
[12] See SEC Release No. 34–49884, Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (June 17, 2004).
[13] Accelerated filers (and large accelerated filers) generally include companies with an aggregate market value of voting and non–voting common equity held by non-affiliates of the issuer (referred to as "public float") of $75 million or more, as of the last business day of the issuer’s most recently completed second fiscal quarter. See SEC Exchange Act Rule 12b-2, 17 C.F.R. 240.12b–2; see also SEC Release 33–8644, Revisions to Accelerated Filer Definition and Accelerated Deadlines for Filing Period Reports (December 21, 2005) (amending definition of "accelerated filer" to distinguish between "accelerated filers" and "large accelerated filers," which have a public float of $700 million or more). According to the SEC, approximately 44% of domestic companies filing periodic reports are non-accelerated filers. See SEC Release No. 33–8760, Internal Control over Financial Reporting in Exchange Act Periodic Reports of Nonaccelerated Filers and Newly Public Companies (December 15, 2006), at 11.
[14] See SEC Release No. 33–8760, Internal Control over Financial Reporting in Exchange Act Periodic Reports of Non–accelerated Filers and Newly Public Companies (December 15, 2006).
[15] These questions and answers are available on the Board's Web site.
[16] See PCAOB Release No. 2005-009, Policy Statement Regarding Implementation of Auditing Standard No. 2 (May 16, 2005)
[17] See PCAOB Release No. 2005-023 , Report on the Initial Implementation of Auditing Standard No. 2 (November 30, 2005); PCAOB Release No. 2007-004 , Report on the Second-year Implementation of Auditing Standard No. 2 (April 18, 2007). Importantly, in the first of those reports, issued after the first year of implementation, the Board found that many auditors faced tight deadlines, staffing and other resource constraints, and significant training needs. Moreover, their clients faced similar hurdles that were, in many cases, exacerbated by having to make up for deferred maintenance on internal control systems that had not kept up with the company’s growth and development.
[18] See GAO, Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (April 2006, GAO-06-361); Final Report of the Advisory Committee on Smaller Public Companies (April 23, 2006), available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf .
[19] At the same time, the SEC has proposed guidance that can be used by management in making the assessment required by Section 404(a) of the Act. See SEC Release No. 33-8762, Management’s Report on Internal Control Over Financial Reporting (December 20, 2006).