On December 20, 2006, the SEC proposed interpretive guidance for management to use in its evaluation of internal control over financial reporting (“ICFR”) as required by Section 404 of the Sarbanes-Oxley Act of 2002, and proposed various rule changes to supplement the guidance. The proposals are subject to a 60-day comment period.
The proposed interpretive guidance is intended to assist management of companies of all sizes to complete their annual evaluation in an effective and efficient manner and references a number of areas commonly cited as concerns over the past two years. For example, the proposed interpretive guidance:
- explains how to vary approaches for gathering evidence to support the evaluation based on risk assessments;
- explains the use of “daily interaction,” self-assessment, and other on-going monitoring activities as evidence in the evaluation;
- explains the purpose of documentation and how management has flexibility in documenting support for its assessment;
- provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
- allows for management and the auditor to have different testing approaches.
The SEC further proposed amending Exchange Act Rules 13a-15(c) and 15d-15(c), which require management to evaluate the effectiveness of the issuer’s ICFR, to provide that an evaluation conducted in accordance with the SEC’s interpretive guidance would satisfy the annual management evaluation required by those rules. The guidance in effect provides a non-exclusive safe-harbor for purposes of satisfying obligations under Rules 13a-15(c) or 15d-15(c).
The SEC also proposed a revision to S-X Rule 2-02(f), which requires that an auditor’s attestation report clearly state the “opinion of the accountant as to whether management’s assessment of the effectiveness of the registrant’s ICFR is fairly stated in all material respects.” The amendment would require an auditor to express an opinion directly on the effectiveness of the ICFR, and would clarify the circumstances in which the SEC would expect that the accountant cannot express an opinion. Finally, the SEC proposed conforming revisions to the definition of attestation report in S-X Rule 1-02(a)(2).
A Few Key Points
The introduction to the proposing release sets forth a few key points of emphasis; some are restatements of existing interpretations, some are clarifications and some are new:
- The central purpose of management’s evaluation is to assess whether there is a reasonable possibility of a material misstatement in the financial statements not being prevented or detected on a timely basis by the company’s ICFR. There is a reasonable possibility of an event when the likelihood of the event is either “reasonably possible” or “probable” as those terms are used in SFAS No. 5, Accounting for Contingencies.
- Management’s assessment is to be based on whether any material weaknesses exist as of the end of the fiscal year.
- A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s ICFR. Use of the phrase “reasonable possibility” rather than “more than remote” to describe the likelihood of a material error is intended to more clearly communicate the likelihood element. The PCAOB has indicated that it also intends to revise its definitions to use the phrase “reasonable possibility.”
- Management should implement and conduct an evaluation that is sufficient to provide it with a reasonable basis for its annual assessment. Management should use its own experience and informed judgment in designing an evaluation process that aligns with the operations, financial reporting risks and processes of the company.
- If the evaluation process identifies material weaknesses that exist as of the end of the fiscal year, such weaknesses must be disclosed in management’s annual report with a statement that ICFR is ineffective.
- If management’s evaluation process identifies material weaknesses, but all material weaknesses are remedied by the end of the fiscal year, management may exclude disclosure of those from its assessment and state that ICFR is effective as of the end of the fiscal year. However, management should consider whether disclosure of the remedied material weaknesses is appropriate or required under Item 307 or Item 308 of Regulation S-K or other SEC disclosure rules.
- If the evaluation identifies no internal control deficiencies that constitute a weakness, management can assess ICFR to be effective.
- Management is not required by the ICFR requirements to assess other internal controls, such as controls solely implemented to meet a company’s operational objectives.
- “Reasonable assurance” does not mean absolute assurance.
- The SEC has long held that “reasonableness” is not an “absolute standard of exactitude for corporate records.” The SEC recognizes that while “reasonableness” is an objective standard, there is a range of judgments that an issuer might make as to what is “reasonable” in implementing Section 404. Thus, the terms “reasonable,” “reasonably” and “reasonableness” in the context of Section 404 implementation do not imply a single conclusion or methodology, but encompass the full range of appropriate potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions.
- Although management is responsible for the Section 404 process, the SEC would expect a board, or its audit committee, as part of its oversight responsibilities for the company’s financial reporting, to be “knowledgeable and informed about the evaluation process and management’s assessment, as necessary in the circumstances.”
- Management of foreign private issuers that reconcile their financial statements to US GAAP for purposes of their SEC filings should plan and conduct their evaluations based on their primary financial statements, not the US GAAP reconciliation.
The Guiding Principles
The proposed interpretive guidance describes a top-down, risk-based approach that allows for the exercise of significant judgment so that management can design and conduct an evaluation that is tailored to the company’s individual circumstances. It is organized around two broad principles, but to allow appropriate flexibility, it does not provide a checklist of steps management should perform in completing its evaluation.
First, management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner. There is no requirement that management identify every control in a process or document the business processes impacting ICFR. Rather, the proposed interpretive guidance sets forth an approach allowing management to focus its evaluation process and the documentation supporting the assessment on those controls that it believes adequately address the risk of a material misstatement in the financial statements. If an entity-level control addresses a risk for a particular element, no further evaluation of other controls is needed.
Second, management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The proposed interpretive guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation, allowing management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to the production of reliable financial statements. The intended result is that management is able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas.
The Evaluation Process
A. Identifying Financial Reporting Risks and Controls
The evaluation begins with the identification and assessment of the risks to reliable financial reporting (i.e., materially accurate financial statements), including changes in those risks. Management then evaluates whether it has controls in place that are designed to adequately address those risks. Management ordinarily would consider the company’s entity-level controls in both its assessment of risk and in identifying which controls adequately address the risk. The controls that management identifies as adequately addressing the financial reporting risks are then subject to procedures to evaluate evidence of their operating effectiveness, as described under “Evaluating Evidence of the Operating Effectiveness of ICFR.”
In subsequent years for most companies, management’s effort should ordinarily be significantly less because subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the evidence necessary to reasonably support the assessment will only need to be updated from the prior year(s), not recreated anew.
1. Identifying Financial Reporting Risks
Ordinarily, the identification of financial reporting risks begins with evaluating how the requirements of GAAP apply to the company’s business, operations and transactions.
Management uses its knowledge and understanding of the business, its organization, operations, and processes to consider the sources and potential likelihood of misstatements in financial reporting elements and identifies those that could result in a material misstatement to the financial statements (“financial reporting risks”). Internal and external risk factors that impact the business, including the nature and extent of any changes in those risks, may give rise to financial reporting risks. Financial reporting risks may also arise from sources such as initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements. Management’s evaluation of financial reporting risks should also consider the vulnerability of the entity to fraudulent activity (e.g., fraudulent financial reporting, misappropriation of assets and corruption) and whether any of those exposures could result in a material misstatement of the financial statements.
The methods and procedures for identifying financial reporting risks will vary based on the size, complexity, and organizational structure of the company and its processes and financial reporting environment. In contrast to a large company, in which management may need to involve employees with specialized knowledge and understanding of company processes and the business in general, in a small company with less complex business processes that operate on a centralized basis and with little change in the risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.
2. Identifying Controls that Adequately Address Financial Reporting Risks
Management should evaluate whether it has in place controls that are designed to adequately address the company’s financial reporting risks. This determination involves judgments about both the likelihood and potential magnitude of misstatements arising from the financial reporting risk. A control consists of a specific set of policies, procedures and activities designed to meet the objective of accurate financial reporting. It can be automated or manual, and can take the form of reconciliations, segregation of duties, review and approval authorizations, safeguarding, fraud detection or disclosure.
For purposes of the evaluation of ICFR, controls are inadequate when their design would allow a reasonable possibility that a misstatement in the related financial statements will not be prevented or detected on a timely basis. That said, once a control is identified as adequately identifying or addressing a particular risk, in the interest of efficiency, management need not identify additional controls related to that risk.
3. Consideration of Entity-level Controls
Some entity-level controls are designed to operate at the process, transaction or application level and on their own might adequately prevent or detect possible misstatements on a timely basis. On the other hand, an entity-level control may be designed to identify possible breakdowns in lower-level controls, but not in a manner that would, by itself, sufficiently address the risk that possible misstatements will be prevented or detected on a timely basis.
It is important to consider the nature of the relationship of the control to the financial reporting element, that is, whether it is direct or indirect. The more indirect the relationship to a financial reporting element, the less effective a control may be in preventing or detecting a misstatement and the more unlikely that management will identify only this type of entity-level control to adequately identify the risk of a misstatement.
4. Role of General Information Technology Controls
Aspects of general IT controls that may be relevant to the evaluation of ICFR will vary depending upon a company’s facts and circumstances. Ordinarily, management should consider whether, and the extent to which, general IT control objectives related to program development, program changes, computer operations, and access to programs and data apply to its facts and circumstances.
5. Evidential Matter to Support the Assessment
As part of its evaluation of ICFR, management must maintain reasonable support for its assessment. The form and extent of the evidence will vary depending on the size, nature and complexity of the company. It can take many forms, including paper documents, electronic or other media, and can be presented in a number of ways, including policy manuals, process models, flow charts, job descriptions, internal memoranda or forms.
B. Evaluating Evidence of the Operating Effectiveness of ICFR
Management should evaluate evidence of the effective operation of ICFR and will ordinarily focus its evaluation of the operation of controls on those areas of ICFR that pose the highest risk to reliable financial reporting. A control operates effectively when it is performed in a manner consistent with its design by individuals with the necessary authority and competency. The evaluation procedures that management uses to gather evidence about the effective operation of ICFR should be tailored to its assessment of the risk characteristics of both the individual financial reporting elements and the related controls (collectively, ICFR risk). Evidence about the effective operation of controls may be obtained from direct testing of controls and on-going monitoring activities.
In determining whether the evidence obtained is sufficient to provide a reasonable basis for its evaluation of the operation of ICFR, management should consider not only the quantity of evidence (e.g., sample size) but also qualitative characteristics of the evidence. For any individual control, different combinations of the nature, timing and extent of management’s evaluation procedures may provide sufficient evidence.
1. Determining the Evidence Needed to Support the Assessment
Characteristics of the financial reporting element that management considers include both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to material misstatement.
Management also considers the likelihood that a control might fail to operate effectively. That likelihood may depend on, among other things, the type of control (i.e., manual or automated), the complexity of the control, the risk of management override, the judgment required to operate the control, the nature and materiality of misstatements that the control is intended to prevent or detect, and the degree to which the control relies on the effectiveness of other controls (e.g., general IT controls). When a combination of controls is required to adequately address the risks of a financial reporting element, management should analyze the risk characteristics of each control.
Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions, or critical accounting policies generally, would be assessed as having higher risk for both the possibility of material misstatement to the financial reporting element and the risk of control failure.
2. Implementing Procedures to Evaluate Evidence of the Operation of ICFR
The methods and procedures management uses to gather evidence about the effective operation of controls, including the timing of when they are performed, are a function of the evidence that management considers necessary to provide reasonable support for its assessment of ICFR based on the assessment of ICFR risk. The evidence may come from a combination of on-going monitoring, for example through self-assessment procedures and the results of key performance indicators, and direct testing of controls performed periodically to provide evidence about the reliability of such on-going monitoring activities.
In smaller companies, management’s daily interaction with its controls may provide it with sufficient knowledge about their operation to evaluate the operation of ICFR, but management should consider its particular facts and circumstances when determining whether or not such daily interaction with controls provides sufficient evidence for the evaluation. Daily interaction in companies with multiple management reporting layers or operating segments would generally not provide sufficient evidence because those responsible for assessing the effectiveness of ICFR ordinarily would not be sufficiently knowledgeable about the operation of the controls. In these situations, management would ordinarily utilize direct testing or on-going monitoring type evaluation procedures to have reasonable support for the assessment.
Management’s evaluation of evidence considers whether the control operated as designed and includes matters such as how the control was applied, the consistency with which it was applied, and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
3. Evidential Matter to Support the Assessment
The SEC would expect reasonable support for an assessment to include the basis for management’s assessment, including documentation of the methods and procedures it utilizes to gather and evaluate evidence.
The evidential matter may take many forms and will vary depending on the assessed level of risk for controls over each of its financial reporting elements. For example, management may document its overall strategy in a comprehensive memorandum that establishes the evaluation approach, the evaluation procedures, and the basis for conclusions for each financial reporting element. Documentation might include memoranda, e-mails, and instructions or directions from management to company employees.
C. Multiple Location Considerations
Management’s consideration of financial reporting risks generally includes all of its locations or business units, though in some cases risks are adequately addressed by controls which operate centrally. When performing its evaluation of risk characteristics of controls identified, management should consider location-specific risks that might impact the risk that a control will fail to operate effectively.
A. Evaluation of Control Deficiencies
In order to determine whether a control deficiency, or combination of control deficiencies, is a material weakness, management evaluates each control deficiency that comes to its attention.
Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness if there is a reasonable possibility that a material misstatement to the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually insignificant. Therefore, management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion, or component of internal control, to determine whether they collectively result in a material weakness. Management should also evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness.
Several factors affect the likelihood that a deficiency, or a combination of deficiencies, will result in a misstatement in a financial reporting element not being prevented or detected on a timely basis, including:
- the nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk);
- the susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);
- the subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);
- the interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);
- the interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and
- the possible future consequences of the deficiency.
Several factors affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls, including:
- the financial statement amounts or total of transactions exposed to the deficiency; and
- the volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.
In evaluating the magnitude of the potential misstatement to the company’s financial statements as a whole, management should recognize that the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger.
The following circumstances are strong indicators that a material weakness in ICFR exists:
- An ineffective control environment, which may be indicated by: identification of fraud of any magnitude on the part of senior management; significant deficiencies that have been identified and remain unaddressed after some reasonable period of time; or ineffective oversight of the company’s external financial reporting and ICFR by the company’s audit committee.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement. Note, though, that the correction of a material misstatement includes misstatements due to error or fraud; it does not include retrospective application of a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.
- Identification by the auditor of a material misstatement in financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company’s ICFR.
- For complex entities in highly regulated industries, an ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
B. Expression of Assessment of Effectiveness of ICFR by Management and the Registered Public Accounting Firm
Management may disclose any remediation efforts to the identified material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or General Instruction B of Form 40-F.
C. Disclosures About Material Weakness
Because of the significance of the disclosure requirements surrounding material weaknesses beyond specifically stating that the material weaknesses exist, companies should also consider including the following in their disclosures:
- its impact on financial reporting and the control environment, and
- management’s current plans, if any, for remediating the weakness.
While management is required to conclude and state in its report that ICFR is ineffective when there is one or more material weaknesses, companies should also consider providing disclosure that allows investors to understand the root cause of the control deficiency and to assess the potential impact of each particular material weakness. This disclosure will be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those material weaknesses that do not. The goal underlying all disclosure in this area is to provide investors with contextual disclosure and analysis which goes beyond the mere existence of a material weakness.
D. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR
The restatement of financial statements does not, by itself, necessitate that management consider the effect of the restatement on the company’s prior conclusion relating to the effectiveness of ICFR.
While there is no requirement for management to reassess or revise its conclusion related to the effectiveness of ICFR, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement.
Similarly, while there is no requirement that management reassess or revise its conclusion related to the effectiveness of its disclosure controls and procedures, management should consider whether its original disclosures regarding effectiveness of disclosure controls and procedures need to be modified or supplemented to include any other material information that is necessary for such disclosures not to be misleading.
E. Inability to Assess Certain Aspects of ICFR
In certain circumstances, management may encounter difficulty in assessing certain aspects of its ICFR. For example, management may outsource a significant process to a service organization and determine that evidence of the operating effectiveness of the controls over that process is necessary. However, the service organization may be unwilling either to provide a Type 2 SAS 70 report or to provide management access to the controls in place at the service organization so that management could assess effectiveness. Finally, management may not have compensating controls in place that allow a determination of the effectiveness of the controls over the process in an alternative manner. The SEC’s disclosure requirements state that management’s annual report on ICFR must include a statement as to whether or not ICFR is effective and do not permit management to issue a report on ICFR with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.
Management should disclose a clear expression of its assessment related to the effectiveness of ICFR and, therefore, should not qualify its assessment by saying that the company’s ICFR is effective subject to certain qualifications or exceptions. In addition, if a material weakness exists, management may not state that controls are effective. However, management may state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es).