On December 13, 2006, the SEC voted to extend once again the deadline for non-accelerated filers to comply with Section 404 of the Sarbanes-Oxley Act, which requires managements of public companies to assess the effectiveness of their internal control over financial reporting and their independent auditors to attest to management’s assessment. Under the extension, a nonaccelerated filer will not be required to provide management’s report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2007 and will not be required to file the auditor’s attestation report until it files an annual report for its first fiscal year ending on or after December 15, 2008. The new rules also afford newly public companies a special transition period before they become subject to Section 404 reporting requirements. In addition, and perhaps of greater importance over the long term, the SEC has proposed interpretive guidance to assist the managements of public companies of all sizes in conducting their evaluation of internal accounting controls under Section 404.
The SEC published the deadline extension on December 15, 2006 in Release No. 34-54942 and the proposed interpretive guidance on December 20, 2006 in Release No. 34-54976, which indicated that the comment period for the proposed guidance will close on February 26, 2007. Subsequently, on December 19, 2006, the Public Company Accounting Oversight Board published a proposal in Release No. 2006-007 to replace Auditing Standard No. 2 with a new, less complex standard for auditing a company’s internal control over financial reporting. All of these actions are designed principally to respond to a groundswell of concern regarding the cost, particularly to smaller companies, of implementing Section 404.
Further SEC Extension for Non-Accelerated Filers
The extended filing deadlines apply solely to domestic and foreign non-accelerated filers, which generally are companies that have a worldwide public float of less than $75 million and accordingly do not meet the definitions of either an “accelerated filer” or a “large accelerated filer” under Exchange Act Rule 12b-2. The effect of the SEC’s actions is to extend for the fourth time the dates by which non-accelerated filers must comply with the internal control over financial reporting requirements. Before this latest extension, non-accelerated filers were scheduled to begin complying with these requirements for their fiscal years ending on or after July 15, 2007. The SEC has now extended the implementation of the management report requirement for another five months, so that a non-accelerated filer must begin to provide management’s report on financial control over financial reporting in the annual report it files for its first fiscal year ending on or after December 15, 2007. The management report will be considered “furnished” rather than “filed” and therefore will not be subject to certification by the CEO and CFO.
In a related action, the SEC extended the deadline for non-accelerated filers to comply with the auditor attestation requirement, which is intended to provide time for implementation of the PCAOB’s proposal to replace Auditing Standard No. 2. Under the new rules, a non-accelerated filer will not be required to provide the auditor attestation report until it files an annual report for its first fiscal year ending on or after December 15, 2008. Companies that provide only a management report, without an auditor attestation, before the attestation is required will have to state in their annual report that management’s report is not subject to auditor attestation and therefore that no attestation report is included.
Section 404 Transition Period for Newly Public Companies
The SEC also provided relief under Section 404 to companies undertaking an initial public offering, as well as to other companies subject to Exchange Act reporting requirements for the first time. Before the amendments, after the phase-in of Section 404 reporting has been completed for all Exchange Act reporting companies, any company completing an IPO or initially registering a class of securities under the Exchange Act would have been required to comply with those provisions as of the end of the fiscal year in which it became a public company. The new rules afford newly public companies a Section 404 transition period by amending Item 308 of Regulation S-K and (for small business issuers) Regulation S-B to provide that these companies need not provide either a report by management or an auditor attestation report on their internal control over financial reporting until the second annual report they are required to file with the SEC. This transition period applies to companies conducting an initial public offering of equity or debt securities or a registered exchange offer, or that otherwise become subject to the Exchange Act reporting requirements. Newly public companies covered by the transition rules will be required to disclose in their first annual report filed with the SEC that they are not then required to comply with the Section 404 reporting requirements.
Proposed SEC Interpretive Guidance
The interpretive guidance proposed by the SEC is intended to address the widespread concern that the cost to a public company of evaluating its internal control over financial reporting under Section 404 in many cases can be excessive, particularly for smaller companies. The proposed guidance would deal with this concern primarily by allowing companies to tailor their evaluation procedures to their facts and circumstances without regard to the auditing literature. This process should enable many companies to scale back their existing procedures and thereby reduce compliance costs. The SEC noted that although the Internal Control–Integrated Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) identifies the components and objectives of an effective system of internal control, it does not set forth an approach for management to follow in evaluating the effectiveness of a company’s internal control over financial reporting. The SEC emphasized that it does not intend for its proposed guidance to replace or modify the COSO framework, but rather to assist management in conducting its internal control evaluations for purposes of the SEC’s rules.
Under the proposed guidance, companies would make their internal control evaluations on the basis of an approach that would rely heavily on concepts of risk and materiality. The proposed approach, which is principles-based and therefore does not prescribe a single methodology for every public company, would operate as follows:
- Identification of Financial Reporting Risks and Related Controls. Companies would be required to identify (1) material areas that pose risks to reliable financial reporting and (2) internal accounting controls that adequately address those risks. The SEC acknowledged that the methods and procedures for identifying areas of material financial reporting risk would vary based on the size, complexity, organizational structure, control framework and other characteristics of the company. It emphasized that a company would have to identify only those internal accounting controls that adequately address the risk of a material misstatement in the company’s financial statements.
- Documentation. To provide reasonable support for its internal control assessment, management would have to document the design of the internal accounting controls intended to address the company’s financial reporting risks. The SEC indicated that the form and extent of the documentation would vary depending on the size, nature, and complexity of the company. Further, the documentation could be confined to those controls that management considers adequate to address the financial reporting risks. The documentation might take many forms, including paper documents and electronic media, and could be presented in various ways, such as in policy manuals, process models, and flowcharts. In those instances in which management can rely on its daily interaction with its controls as a basis for assessing their effectiveness, the documentation could be limited to how the interaction provides management with sufficient evidence of effectiveness.
- Evaluation of Operating Effectiveness of Controls. To provide a reasonable basis for the assessment of the effectiveness of the company’s internal control over financial reporting, management would have to gather and analyze evidence regarding the operation of those controls. It could obtain this evidence from direct testing of controls and ongoing monitoring activities. The nature, timing, and extent of the procedures and other evidence necessary for management’s assessment would depend on the risk of a material misstatement and the risk of a control failure, with greater evidence needed as the degree of risk of either factor increases. Different combinations of the nature, timing, and extent of the evaluation procedures could provide sufficient evidence with respect to any individual control. In considering the effectiveness of a control, management would have to consider both the quantity of evidence, such as the sample size and the qualitative characteristics of the evidence. Qualitative characteristics might include the nature of the evaluation procedures, the period of time to which the evidence relates, the objectivity of those evaluating the controls and, in the case of monitoring controls, the extent of validation through direct testing of the underlying controls.
- Reporting of Overall Results of Management’s Evaluation. After management has completed its evaluation of the internal accounting controls, it would have to determine if any identified control deficiencies are material weaknesses. Management would make determinations of this type in accordance with the framework provided by the SEC in its guidance, without regard to the auditing literature. The evaluation would be based on a consideration of whether the company’s controls will fail to prevent or detect a material misstatement on a timely basis. Management would have to consider both quantitative and qualitative factors in evaluating a control deficiency. These factors would include (1) the nature of the financial statement elements (or components of those elements) involved, (2) the susceptibility of the related asset or liability to loss or fraud, (3) the subjectivity, complexity, or extent of judgment required to determine the amount involved, (4) the interaction or relationship of the control with other controls, (5) the interaction of the deficiencies, and (6) the possible future consequences of the deficiency. Where a deficiency is determined to be a material weakness, management would have to state that the company’s internal control over financial reporting is not effective and would have to provide appropriate information regarding the nature of the weakness, its impact on financial reporting and the control environment, and management’s current plans (if any) for remediating the weakness.
Proposed PCAOB Replacement of Auditing Standard
The PCAOB has proposed for public comment a replacement for Auditing Standard No. 2 relating to the audit of a company’s internal control over financial reporting. The new standard will be principles-based and will seek to limit the auditor’s focus to the matters most important to internal control, thereby increasing the likelihood that material internal control weaknesses will be discovered before they cause material misstatements of the financial statements. In addition to simplifying and shortening the predecessor standard, the proposed new standard will be designed primarily to (1) eliminate audit requirements that are unnecessary to achieve the intended benefits and (2) provide direction on how to scale the audit for smaller, less complex companies.
The actions of the SEC and the PCAOB, when fully implemented, should reduce the concerns expressed about the time and cost required to comply with Section 404. Although it is too early to tell whether these measures in fact will keep timing and cost considerations within reasonable bounds, they will enable management to introduce efficiencies into the internal control evaluation process that are not possible under the existing system.