http://www.cfo.com/blogs/?f=blog_alerts#8435074

Two problems:

One big potential problem is in the SEC's statement that "management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner.

In a staff bulletin on the subject the SEC issued in 1999, it spelled out the definition in purposefully broad terms: An event is material "if there is a substantial likelihood that a reasonable person would consider it important." Such vagueness could make determining which controls to focus on an adventure for finance executives—and is bound to make risk-averse auditors go ballistic.

Another possible difficulty with the materiality concept, as reader Jean Marshall points out in a comment to my story, is that a material weakness might not just be defined as one thing.

Instead, "an aggregate of significant deficiencies could constititute a material weakness." Thus, controllers might have to sort through a bunch of gaps and tote them up. That could make the SEC's guidance harder to implement than it first may appear.

Problem No2:

Sarbox 404 says that an auditor "shall attest to, and report on, the assessment made by the management of the issuer" of internal controls. As Tim noted a while ago, it's one of the few places where the act actually spells out its intentions The SEC's proposal, however, would require auditors to deliver just one opinion on the effectiveness of controls that would also include the auditor's attestation to management's controls. Would implementing a single opinion actually violate the law the SEC's entrusted to support?