NU Online News Service, May 16, 10: 04 p.m. EDT,Washington--Companies seeking to comply with new federaldisclosure rules must develop procedures that fit their ownparticular circumstances, according to some fuzzy new guidance fromthe Securities and Exchange Commission.

The SEC directive was issued in connection with Section 404 ofSarbanes-Oxley federal disclosure law.

Section 404 of the legislation requires each company thatreports to the SEC to include with its annual report a statement ofresponsibility by the company's management for establishing andmaintaining control of financial reporting, and an assessment ofthe effectiveness of those internal controls.

According to the commission the most cost effective way ofcomplying is for companies to create a system that works best fortheir own specific organization.

In its guidance, the statement noted that the SEC has decidednot to issue a prescribed system for internal auditing specificallyto allow companies to determine how to best monitor themselves.

Their staff guidance was issued today in response to concernsraised at a roundtable discussion held with interested parties lastmonth. Beyond offering general ideas the SEC refrained fromspecifics on how companies could ensure their compliance with thecontroversial provision.

"An overarching principle of this guidance is the responsibilityof management to determine the form and level of controlsappropriate for each organization and to scope their assessment andtesting accordingly," the staff statement said.

"One size does not fit all and control effectiveness is affectedby many factors," it added.

Sarbanes-Oxley disclosure regulations were designed to combatthe corporate misdeeds that led to the Enron and WorldComscandals.

Accelerated filers with the SEC were required to be incompliance with these new rules for the fiscal year ending November15, 2004. On April 13, the SEC held a roundtable discussion withinterested parties to hear comments on how the process worked inits first year of implementation.

"The feedback made clear that companies have realizedimprovements to their internal controls as a result of implementingthe requirements, and that the requirements have led to an improvedfocus on internal controls throughout the organization," the staffstatement said.

"However, the feedback also identified implementation areas thatneed further attention or clarification to reduce any unnecessarycosts and other burdens without jeopardizing the benefits of thenew requirements."

"In adopting its rules implementing Section 404, the Commissionexpressly declined to prescribe the scope of assessment or theamount of testing and documentation required by management," thestaff statement said.

The SEC said, "The scope and process of the assessment should bereasonable, and the assessment (including testing) should besupported by a reasonable level of evidential matter.

"Each company should also use informed judgment in documentingand testing its controls to fit its own operations, risks andprocedures. Management should use its own experience and informedjudgment in designing an assessment process that fits the needs ofthat company. Management should not allow the goal and purpose ofthe internal control over financial reporting provisions - theproduction of reliable financial statements - to be overshadowed bythe process."

The theme of ensuring the spirit of Sarbanes-Oxley disclosurerather than adherence to a specific set of guidelines was alsovoiced in the staff statement's view of how companies aremonitoring themselves. Rather than examining themselves using arisk-based approach, the staff statement noted, many companiesbegan using a "mechanistic, check-the-box" system.

"This was not the goal of the Section 404 rules, and a betterway to view the exercise emphasizes the particular risks ofindividual companies," the statement said.

An assessment of internal control that is "too formulaic and/orso detailed as to not allow for a focus on risk may not fulfill theunderlying purpose of the requirements. The desired approach shoulddevote resources to the areas of greatest risk and avoid giving allsignificant accounts and related controls equal attention withoutregard to risk," the statement said.

The evaluation of Sarbanes-Oxley implementation will continue,the staff said, adding that companies should also work to learnfrom each other which approach to use monitoring their financialdata reporting.

"There is a desire for the sharing of best practices so thatcompanies and auditors can benefit from the substantial learningthat has taken place from the first year of implementation, and westrongly encourage those efforts," the staff statement said.

It noted also that the evaluation of Sarbanes-Oxleyimplementation after one year has also created a significant amountof data that could be studied by academics or others. "The staffdesires that the benefits are achieved in a sensible andcost-effective manner. We will continue to consider whether thereare other ways we can make the process more efficient and effectivewhile preserving the benefits."