New SEC guidelines offer limited Sarb-Ox relief to IT

18.05.2005
By Thomas Hoffman

New Sarbanes-Oxley Act compliance guidelines issued by the U.S. Securities and Exchange Commission on Monday should provide IT departments at publicly held companies with some relief in terms of the number of IT controls they will be required to assess each year.

But the SEC will continue to require companies to assess the controls that are in place for any new systems or software upgrades -- particularly those that affect financial reporting.

The SEC guidelines are aimed at allowing auditors to reduce the number of checks they conduct on internal controls under Section 404 of the law. That should help lower the average cost of compliance, which Florham Park, N.J.-based Financial Executives International put at US$4.36 million per company, based on a survey of 217 companies that was released in March.

In the statement on Monday, the SEC said that its "staff does not believe it necessary for purposes of Section 404 for management to assess all general IT controls, and especially not those that primarily pertain to the efficiency or effectiveness of the operations of the organization but are not relevant to financial reporting."

Many IT managers had previously complained about the lack of clarity in terms of the IT controls that had to be assessed, said John Hagerty, an analyst at Boston-based AMR Research Inc.

By narrowing the scope of the IT controls that need to be annually reviewed, the SEC guidance "should lower the burden on IT," said Carter Priess, CEO of Pace Solutions Inc., an IT audit consultancy in Danvers, Ill.

While the SEC statements suggest that the original scope of the IT controls assessment work may have been overkill, Priess said the requirement marked the first time companies had been forced to conduct a full-blown assessment of IT controls, and the work that was done during the first year of Section 404 compliance "helped identify some of the risks," he said.

Still, the SEC guidance that IT departments conduct risk assessments on general IT controls such as those around information security may have introduced a new "level of ambiguity," said Sanjay Anand, chairman of the Sarbanes-Oxley Group of Auditors and Professionals, an online community of Sarbanes-Oxley practitioners based in Clifton, N.J.

"The approach has shifted from 'test all controls' to 'a risk-based approach to choosing which controls to review,'" said Anand. Risk management frameworks, by definition, "are probabilistic in nature and therefore depend on judgment and are prone to corresponding errors in judgment."

The SEC guidance provides IT managers only with marginal relief in terms of assessing and auditing new systems or software upgrades, experts said. For instance, while the SEC said that new systems testing doesn't have to be completed in time to coincide with year-end financial reporting, "management can plan, design and perform preliminary assessments of internal controls in advance of system implementations or upgrades," the agency said.

That means companies should conduct risk assessments on the systems during the planning stages "and focus on the high-risk areas," said Priess.

Todd Naughton, vice president and controller at Zebra Technologies Corp., a high-tech printing vendor in Vernon Hills, Ill., said he will need a few weeks to review the SEC's guidance with IT and audit managers as well as external auditors to determine its implications. Still, he said he's "guardedly optimistic" that the SEC's latest guidance "will offer relief to our IT staff."

It will also depend on how external auditors interpret the guidance, said AMR's Hagerty. "They are the ultimate arbiter of these regulations," he said.