Securities and Exchange Commission Historical Society

Auditing the Auditors: Creating the Public Company Accounting Oversight Board

A Political Hotbed: Crafting the Internal Control Over Financial Reporting Standard

“You need a good standard, but it’s worthless if the implementation is not appropriate.”

~Douglas R. Carmichael, PCAOB Chief Auditor and Director of Professional Standards

“I found out that when you go to Washington and you want to get something done, you almost immediately meet the people who don't want you to do it.”

~Thomas Ray, PCAOB Deputy and Chief Auditor

“I completely underestimated the attention, politicization, and polarization that would happen around the implementation of 404.”

~Laura J. Phillips, PCAOB Deputy Chief Auditor

“I thought going into standard setting meant doing research all day in a think-tank environment. Instead I landed in the middle of a political hotbed.”

~Sharon Virag, PCAOB Project Lead

A Challenging Process

The implementation of SOX Section 404, the internal control over financial reporting provision, inaugurated a nearly four-year saga during which the PCAOB introduced a detailed prescriptive standard and then, in the face of massive corporate criticism, struggled to modulate the standard without losing its core requirements. At odds were issuers confronting deferred maintenance on their internal controls and sharply increasing audit costs, auditors doing substantially more work to comply with the new PCAOB audit standard, and a new SEC chairman promoting a deregulatory agenda.

Thomas Ray headshot.
In 2006, Deputy Chief Auditor Thomas Ray succeeded Douglas R. Carmichael to become Chief Auditor. Ray served until 2009.

“It was a very challenging process,” said then-Deputy Chief Auditor Thomas Ray. (He would later succeed Douglas Carmichael as PCAOB Chief Auditor and Director of Professional Standards.) “We got a lot of pressure from all sides, to both make the standard more efficient but not lose the essence of it.”

For more than 20 years, observers of the auditing profession had put forth proposals to require internal control reporting to be part of issuers’ financial reporting. The 1978 Cohen Commission report, 1987 Treadway Commission study, and a 1993 special report by the Public Oversight Board all recommended it. However, these recommendations were always shelved over concerns that the cost of documentation, testing, assessment, and public reporting were too high.

One of the primary champions for including internal control provisions in SOX was Charles A. Bowsher, former GAO Comptroller General who had served on the 1999 Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. Bowsher led the GAO in addressing the savings and loan crisis and helped convince Congress to include a provision in the 1991 Federal Deposit Insurance Corporation Improvement Act (FDICIA) requiring auditors of large financial institutions to examine the effectiveness of, and attest to management’s assessment of, internal control over financial reporting. SOX Section 404 was patterned after this requirement and contained two subsections. Under Section 404(a) management discloses its responsibility for and assessment of the company’s internal control structure over financial reporting. Section 404(b) requires the company’s independent auditor to attest to management’s assessment.

Auditing Standard No. 2 (AS 2), the PCAOB’s first audit standard that set forth procedural requirements, was developed to meet the SEC’s deadline for large accelerated filers to file the audit reports required under Section 404(a) and (b) with their audited financial statements for fiscal years ending on or after November 15, 2004. Standards staff culled advice and ideas from numerous sources including a public roundtable, meetings with federal bank regulators to review FDICIA compliance, and an Auditing Standards Board internal control exposure draft.

Several factors impeded its smooth implementation. Accustomed to having a more hands-on role in the development of standards under the AICPA’s Auditing Standards Board, the audit firms felt they were missing a nuanced understanding of the first consequential standard written by the PCAOB.

“Our rigorous standard-setting procedure was not meant to put the firms at a disadvantage, but it left out a lot of debate that would have been happening at the Auditing Standards Board of  ‘What does that really mean?’” said Laura J. Phillips, PCAOB Deputy Chief Auditor.

Immediately, implementation questions came pouring in. The Office of the Chief Auditor (OCA) set up two working groups to handle the inquiries (one for auditors, one for issuers) and produced four sets of Staff Questions and Answers within the first six months. At the same time, OCA staff juggled hectic speaking schedules to publicize the new standard with constant meetings to hear from stakeholders.

“We were working six or seven days a week, very long hours,” said Tom Ray. People were very dedicated and committed a lot of themselves to these projects.” 

Deferred Maintenance and Manpower Challenges

Companies faced a major backlog in bringing their internal control over financial reporting - including documentation and testing - up to date. Although public companies had been required to maintain a system of internal accounting controls since the 1977 passage of the Foreign Corrupt Practices Act, many needed to make dramatic improvements to be ready for AS 2 audits. (1) Most issuers assessed their internal control using the principles-based framework introduced by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. However auditors, under the requirements of AS 2, were seeking more documentation and testing procedures. Many companies were also facing a multitude of deferred maintenance issues, including a lack of integration between new and legacy technology systems, flawed electronic security, and jury-rigged Y2K patches. Issuers in general balked at the effort and cost to document, test, and assess internal control over financial reporting and remediate deficiencies. (2) In addition, management teams and boards found it disconcerting to publicly report on material weaknesses in internal control.

Left to right: Bill Gradison, William J. McDonough, Kayla J. Gillan, Charles D. Niemeier, Daniel L. Goelzer
PCAOB Founding Board Members. Left to right: Bill Gradison, William J. McDonough, Kayla J. Gillan, Charles D. Niemeier, Daniel L. Goelzer

“Prior to the enactment of 404 and despite the existence of the Foreign Corrupt Practices Act, internal control over financial reporting (ICFR) was not a high priority of either companies or their auditors,” said Board Member Kayla Gillan in a 2006 speech. “As a result, much of the first year costs, over and above the ‘learning curve’ costs, were the direct result of documenting ICFR systems and correcting ICFR flaws that had long existed – the so-called ‘deferred maintenance’ costs.”

Audit firms faced massive training, manpower, and time challenges to get their auditors up to speed to take on the additional, substantial work to assess internal control in public companies within the 2004 reporting period. (3)

“As I recall, that first year of AS 2, we used heat maps of our public companies to track the teams’ progress and see who was struggling and who needed resources,” said Sam Ranzilla, KPMG’s former National Managing Partner for Audit Quality and Professional Practice. “If an audit team encountered a particular issue, they had to come to the national office to get one of our black belts to help guide them along.”

Given the increased workload, large audit firms actively hired new personnel, but shortages persisted. In some cases, Big Four firms had to “discontinue” serving some of their smaller public company clients, which created resource pressure for the next tier of audit firms who were suddenly trying to accommodate new, smaller issuer clients.

“It was a major staffing issue because the whole profession was going absolutely nuts with the demands that were being placed on us, to get all this done,” said James S. Turley, then Chairman and CEO of Ernst & Young. “I can remember in some places we literally were resigning from a number of accounts because the practice just didn’t have enough bodies to do quality work.”

To make sure they were satisfying the PCAOB standard, some audit teams tried to identify and test as many controls as possible. With the increased work, audit fees escalated and restatements shot up. Issuers up in arms at hefty audit bills and reports of material weaknesses complained loudly to the SEC and their congressional representatives.

“A lot of detailed work was being done that wouldn’t have been required to identify material weaknesses,” said Douglas R. Carmichael, the PCAOB’s Chief Auditor. “We were hearing horror stories about the things auditors were requiring issuers to do.”

First-Year Feedback

On April 13, 2005, the SEC and PCAOB hosted a joint roundtable to get feedback about first-year experiences under AS 2. The SEC was roundly chided for not having released guidance for issuers, who felt their auditors and the PCAOB auditing standard were driving their companies’ efforts.

Less than a week later, the Wall Street Journal printed a blistering editorial criticizing Section 404 as a costly, antibusiness measure that disproportionately affected smaller businesses. It also claimed that auditors, who had been blamed for causing the accounting scandals, were now the main beneficiaries of Section 404. (4)

In response to the cascade of concerns presented, the PCAOB and the SEC released additional guidance (PCAOB Board Policy Statement, SEC Staff Views) a month later to encourage auditors to work more efficiently. The PCAOB also dedicated its June Standing Advisory Group meeting to internal control. Then in November, the PCAOB released its first Board public report, known as a 4010 report after the PCAOB rule authorizing it, that described inspections results of the first year of AS 2 implementation.

“The 4010 report was a big milestone in terms of realizing the PCAOB's potential of having standard setting, inspections, and enforcement all under one roof and being able to provide fast feedback to the firms on the application of AS 2,” said Laura Phillips.

The 4010 report revealed that in too many cases the audits were “bottom up” looking carefully at low-level controls instead of “top down” and first focusing on significant overarching controls at the top. (5) The report also cited a shortage of trained staff, the limited timeframe in year one, and the backlog of deferred issuer maintenance for the high audit costs. The report predicted that auditors would get more effective and efficient as their learning curve flattened.

In December 2005, retiring PCAOB Chairman William J. McDonough told reporters he was optimistic that the second-year implementation of AS 2 was going much better and that there was no need to amend the standard, but that adjustments could be made through additional guidance. (6)

A Divided Issue

A noisy backlash continued to flow from corporate boardrooms. At one public meeting an executive from a pharmaceutical company developing childhood vaccines accused AS 2 of “killing babies,” because the company’s scarce resources were being directed away from research to pay auditing costs.

“The voices of opposition just got louder and louder over time,” said Sharon Virag, a PCAOB project lead.

Critics blamed the costs of Section 404 for causing American companies to delist and go private and for discouraging foreign companies from listing their securities in the United States. Proponents maintained that the cost of raising capital decreases when companies maintain adequate internal controls.

President George W. Bush with Rep. Christopher Cox in the oval office.
President George W. Bush announces Rep. Christopher Cox, (R-Ca) as his choice for Chairman of the Securities and Exchange Commission, June 2, 2005.

The SEC, under new Chairman Christopher Cox, who had been appointed in August 2005, actively began to seek a reduction in the effort and cost of compliance with the SOX 404 requirements and AS 2. The SEC also delayed the deadline for compliance with Section 404 for foreign companies and smaller U.S. companies with under $75 million market capitalization.

The SEC pressed the PCAOB to consider changes to the standard. In a press release announcing another joint PCAOB/SEC roundtable, Acting PCAOB Chairman Bill Gradison indicated that he was “very much open to suggestions to make the internal control assessment process more efficient, including modification of the PCAOB’s auditing standard.” (7)

President George W. Bush with Rep. Christopher Cox in the oval office.
Willis (Bill) Gradison. Founding PCAOB Board Member.

“It was very much a divided issue—not all the voices were on one side,” said PCAOB Board Member Daniel L. Goelzer. “But it became clear to us, with some help from the SEC, that we had to make some kind of a change.”

Believing that firms’ bottom-up methods were both inefficient and ineffective, the PCAOB developed guidance laying out a top-down, risk-based approach that would address both problems. On May 1, 2006, the PCAOB set forth a new framework for second-year inspections, stating that it would assess how well the firms followed the new top-down guidance.

Behind the scenes, a fierce lobbying battle was being waged, pitting investor advocates and the largest accounting firms who didn’t want regulations watered down against a coalition of business advocates, public companies, and trade associations who sought relief from Section 404.

While admittedly generating higher audit fees from the increased work required by the implementation of Section 404, the major audit firms could see benefits beginning to emerge. By then they and their clients had already made major investments in documenting and creating procedures to test controls. The firms could see the advantages of improved documentation, increased audit committee involvement, standardizing practices, and the benefits that were accruing to many of their clients. As well, they believed the heightened audit costs and fees would reduce over time. Meanwhile, smart chief financial officers at many companies were leveraging their Section 404 compliance work to enhance their overall business processes.

“We didn't want the PCAOB to throw out the baby with the bathwater,” said Robert J. Kueppers, Deputy Chief Executive Officer at Deloitte. “Fortunately, the PCAOB stood its ground and passed a very workable standard.”

Political Pressure to Fix 404

The formal plan to revise AS 2 was made public at the May 17, 2006, joint roundtable between the SEC and PCAOB. They announced a four-point plan to improve implementation of internal control reporting, which would include changing AS 2 and providing SEC guidance to companies. Drawing on two reports on smaller public companies released in April 2006, the SEC again postponed Section 404 compliance for smaller public companies.

In an SEC press release issued that day, the SEC said it would “work closely with the PCAOB to ensure that the proposed revisions to AS 2 are in the public interest and consistent with the protection of investors.” Yet behind closed doors, the majority of the SEC Commissioners seemed more intent on rolling back the regulation.

The PCAOB OCA staff members charged with rewriting the standard were invited to multiple briefings with SEC Commissioners, White House officials, and congressional staff, many of who were interested in making Section 404 less expensive for small and midsize companies. At the same time, investor advocates and a few vocal former government officials complained that regulators were favoring business at the expense of average investors.  

“I had never seen or felt the kind of political pressure that we were under at that time,” said Sharon Virag.

Zoe-Vonna Palmrose, accounting professor and SEC Deputy Chief Accountant, understood that President Bush told Chairman Cox to make fixing Section 404 the SEC’s highest priority. “It’s pretty rare that you get an accounting and auditing topic elevated to the Oval Office,” said Palmrose. She heard concerns that Section 404 was contributing to a general questioning of the costs versus benefits of SOX and was putting U.S. businesses at a competitive disadvantage. (8)

Mark Olson in an office by a window, with the PBAOB clock in the background.
PCAOB Chairman Mark W. Olson, 2006.

Mark W. Olson, a former banker and Federal Reserve Governor, who was appointed PCAOB Chairman in June 2006, embraced the effort to amend AS 2. “The Board encouraged the staff to re-challenge every provision within the current standard and retain the necessary principles of the audit of internal control,” he said at an Open Board Meeting. (Chairman Olson passed away on September 12, 2018, before the SEC Historical Society could conduct interviews with him.)

Laura Phillips and Sharon Virag undertook the rewriting of the standard with help from Tom Ray. Board Member Kayla Gillan and her Special Advisor Joanne O’Rourke Hindman offered creative advice that helped the team streamline several provisions, while the entire Board was intensely focused on the project’s success. In the end, the 180-page AS 2 was rewritten into just 65 pages, and introduced as a brand new standard, Auditing Standard No. 5 (AS 5).

“In terms of the magnitude of change that we were looking to drive, it became very clear that the right thing to do was a new standard with a new number, a new title, and completely new branding,” said Phillips.

Core Principles Retained

AS 5 was initially proposed Dec. 19, 2006, and, after additional negotiations with the SEC to ensure alignment between management guidance and the audit standard, the final standard was adopted May 24, 2007.

PCAOB Inspection leaders Bill Powers and Greg Wilson had these buttons made for their AS 5 training sessions.
PCAOB Board Members, 2006. Left to right: Bill Gradison, Mark W. Olson, Kayla J. Gillan, Daniel L. Goelzer, Charles D. Niemeier.

The Board also developed an implementation plan to support the new standard. Sharon Virag became the AS 5 point person, training PCAOB inspectors on how to inspect against it.  Her fellow PCAOB Inspection trainers William J. Powers and Gregory S. Wilson printed up “I heart AS 5” buttons to pass out after the training. Virag also met with the largest audit firms to make sure they updated both their guidance and their instructions for their staff.

“The PCAOB was under extreme pressure to get fees down, but it was a bit ironic that for the first three years they were telling us we weren’t doing enough work, then when we went to AS 5, they were telling us we were doing too much work. Eventually, we got to where we needed to be,” said Sam Ranzilla of KPMG.

Section 404 proved to be one of the earliest and most controversial skirmishes of the Board’s standard setting, provoking a swift and ferocious reaction from companies and critics. Despite having made significant changes to the standard, all the Board members maintain the foundation of Section 404 remained unscathed.

PCAOB buttons made for AS-5 training sessions
PCAOB buttons made for AS-5 training sessions

As Board Member Charley Niemeier put it: “It was a distinction without a difference. The marketing changed, but, fundamentally, we did not change the standard as the core principles essential to an effective internal control audit were retained.”

Although the Board undertook the revision largely to address concerns about cost, many Board members believed the resounding benefits of internal control reporting outweighed the associated costs. Those benefits include the reduced cost of capital, the important warnings that some companies’ internal control might not detect or prevent material misstatement, and the unprecedented numbers of companies that identified and fixed problems in their internal control and actual reporting.

AS 2 had given ammunition to detractors complaining about onerous and anticompetitive regulation. The dispute over the scope of Section 404 had become a clarion call for a resurgent deregulation campaign by industry groups who had temporarily lost their voice after the fraud at Enron and WorldCom. Yet, even while AS 5 was being drafted, some critics launched an even bigger strike against the fledging regulator, when two anti-tax, pro-business groups mounted a constitutional challenge against the PCAOB.

Previous Next


(1) Report on the Initial Implementation of Auditing Standard No. 2, PCAOB Release No, 2005, Nov 30, 2005, page 5.

(2) Harvard Business Review, “The Unexpected Benefits of Sarbanes-Oxley,” by Stephen Wagner and Lee Dittmar, April 2006.

(3) Report on the Initial Implementation of Auditing Standard No. 2, PCAOB Release No. 2005, Nov. 30, 2005, page 1.

(4) Wall Street Journal, “SOX and Stocks” April 19, 2005.

(5) New York Times, “Top Regulator Says Sarbanes-Oxley Act Audits are Too Costly and Inefficient,” by Floyd Norris, Dec. 1, 2005.

(6) Ibid.

(7) SEC Press Release, “Commission and PCAOB Announce Roundtable on Internal Control Reporting Requirements,” 2006-22, Feb. 16, 2006.

(8) Accounting Horizons, “Balancing the Costs and Benefits of Auditing and Financial Reporting Regulation Post-Sox, Part I: Perspectives from the Nexus at the SEC,” Commentary by Zoe-Vonna Palmrose, p. 314.

Related Museum Resources


April 7, 2005
image pdf
May 16, 2005
image pdf
May 16, 2005
image pdf
November 30, 2005
image pdf
May 1, 2006
image pdf
May 10, 2006
image pdf


June 2005
Paul Atkins, Cynthia Glassman, William Donaldson, Harvey Goldschmid and Roel Campos
(Courtesy of Andrew Glickman )
(seated) Roel Campos, Cynthia Glassman, Christopher Cox, Paul Atkins and Annette Nazareth
June 6, 2006
June 6, 2006
October 22, 2009
October 1, 2020

Oral Histories

December 11, 2019

Laura Phillips

Video: 36:57

Laura Phillips served as the Deputy Chief Auditor of the Public Company Accounting Oversight Board (PCAOB) from 2003 – 2007 during which time she was instrumental in developing the PCAOB’s standards that implement the internal control audit requirement established by the Sarbanes-Oxley Act of 2002. She began her career in 1991 as an auditor with Ernst and Young LLP in Cleveland. After her stint at the PCAOB, she joined General Motors Company as its Assistant Corporate Controller, then Brown-Forman Corporation as its Corporate Controller. She completed her undergraduate work at Miami University majoring in accounting and finance.


16 October 2007

Fireside Chat - Sarbanes-Oxley Section 404

Moderator: Theresa Gabaldon
Presenter(s): Kurt Schacht, Herbert Wander

Permission for Use

The virtual museum and archive is copyrighted by the SEC Historical Society. The Society reserves the right to restrict access to or use of the museum by any user at any time.

Users are prohibited from sharing or downloading any material for publication or commercial purposes without written permission from the Executive Director. Requests for permission must be submitted by email and specify the material requested and for what purpose.

Material used with the Society's permission should be credited to: