There are two major challenges to implementing the new guidelines.

First and foremost, they are not final yet, leaving companies with a difficult choice – 'wait and see' but spend more than needed or start implementing new guidelines that are 'moving targets'. Consideration for the latter issue is most critical in terms of bridging the gap between the SEC and the PCAOB guidelines when 'negotiating' with the auditor.

Second, while the new guidelines are sound in principle, the specifics are complex to define and time consuming to do in practice. To illustrate this point, a top-down risk-based approach means...

• ...consolidating all risk-control matrices (RCM), test plans, test results and deficiency remediation issues and...
• ...linking each required element to risk factors that can be evaluated and...
• ...figuring out how to address 'many-to-many- relationships that can lead to skewed aggregated assessment values and multiple counts of controls.

This is a challenge of "seeing the risk forest through the control trees"