A few other revisions have transpired; to name one, the revision of rules on management reporting on internal financial controls. In this document, the SEC’s approach to compliance is remarkable. With the ambiguity that has plagued SOX from the beginning, corporate commentators looked and exhorted upon the SEC a substantive interpretive guidance that would give a safe harbor—a course of action presumptive in pursuance with the law. The SEC expressly rejected this approach, saying that “the sufficiency of an evaluation will be determined based on each issuer’s particular facts and circumstances” (Montana, 2007, n. p. ).
In its attempt to promulgate a course of conduct it sees reasonable, which apparently constitutes a course of action that conforms with the requirements of substantive regulations, the SEC has likewise issued several instances of “interpretative guidance” without adopting a rule or mandatory requirement. As required by other guidance for several years, it at last defined the “evidential matter” necessitated to support internal financial controls reporting in this way:
as part of its evaluation of Internal Control over Financial Reporting (ICFR), management must maintain reasonable support for its assessment. Documentation of the Design of the controls management has placed in operation to adequately address the financial reporting risks, including the entity – level and other pervasive elements necessary for effective ICFR, is an integral part of the reasonable support. The form and extent of the documentation will vary depending on the size, nature, and complexity of the company.
It can take many forms (for example, paper documents, electronic, or other media). Also, the documentation can be presented in a number of ways (for example, policy manuals, process models, flowcharts, job descriptions, documents, internal memorandums, forms, etc). The documentation does not need to include all controls that exist within a process that impacts financial reporting. Rather, the documentation should be focused on those controls that management concludes are adequate to address the financial reporting risks.
In addition to providing support for the assessment of ICFR, documentation of the design of controls also supports other objectives of an effective system of internal control. For example, it serves as evidence that controls within ICFR, including changes to those controls have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company (SEC, 2008). This particular guidance is embodied in terms of giving corporations freedom to formulate methods of compliance that are applicable to their own resources and situation.
Still, many corporations have the belief that they are given no real assurance as to what makes up compliance with SOX and what records might substantiate that compliance. These corporations should instead watch the SEC’s rendering of its judgment on their “particular facts and circumstances” in separate and undeniably adversarial proceeding (Montana, 2007, n. p. ). Even today, the SOX Act’s corporate commentators have a common theme—that is, to demand for a more detailed guidance and rulemaking which would furnish some certainty.
The SOX nevertheless is never all unfavorable. Section 404 “Management’s Report on Internal Control over Financial Reporting” are beneficial. Most corporate commentators do not disagree with that, but most of them also complain of high cost. This, however, does not come as a surprise. The absence of certainty warrants overkill. Corporations have no idea where the line is being drawn, and as a consequence, they should make sure that they are well within the spot where they believe it to be.