On June 20, 2007, the Securities and Exchange Commission ("SEC") issued interpretive guidance ("Guidance") to assist management of public companies in evaluating their internal control over financial reporting ("ICFR"), as required by Section 404 of the Sarbanes-Oxley Act of 2002 and Rules 13a-15(c) and 15d-15(c) of the Securities Exchange Act of 1934 ("Exchange Act"). The Guidance provides management with an approach to conduct a top-down, risk-based evaluation of ICFR. The same day, the SEC issued two rule releases. In one release, the SEC adopted final rules in which it:
- adopted amendments to its rules to facilitate management evaluations of ICFR by sanctioning the Guidance as a safe harbor;
- adopted amendments to its rules regarding the auditor's attestation report on the effectiveness of ICFR; and
- defined the term "material weakness."
In the other release, the SEC proposed a rule defining the term "significant deficiency." In a coordinated action, the Public Company Accounting Oversight Board ("PCAOB") adopted a new auditing standard for use by auditors in their audits of ICFR.
Management's Evaluation of the Effectiveness of the Issuer's ICFR - "Safe Harbor"
Exchange Act Rules 13a-15(c) and 15d-15(c) require management of reporting companies (other than registered investment companies) to evaluate the effectiveness of the company's ICFR as of the end of each fiscal year. In the final rule release, the SEC amended these rules to provide that, although there are different ways to conduct the required evaluation, an evaluation that complies with the Guidance will satisfy this requirement. The amendments in effect provide management with a safe harbor. The Guidance safe harbor, however, is different from most safe harbor provisions in the federal securities laws in that it does not establish clear compliance standards that must be met. Rather, to claim the safe harbor, a company must tailor its evaluation of the effectiveness of its ICFR to the Guidance, which is a principles-based, top-down, risk-based approach that by its nature does not prescribe specific, objective criteria.
Compliance with the Guidance is voluntary. Many companies have already established ICFR evaluation procedures that may differ from the approach in the Guidance. The SEC stated that these companies do not need to alter their procedures to align them with the Guidance. Smaller public companies (non-accelerated filers), which have not yet been required to conduct an evaluation of ICFR, may be more apt to make use of the Guidance and possibly avoid some of the initial compliance costs and efforts that were incurred by larger public companies during their early years of compliance with Section 404's requirements.
Guidance: A Road Map
Section 404 charges the management of public companies to maintain ICFR so as to provide "reasonable assurance" regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles ("GAAP"). The existing SEC rules implementing Section 404 require management to annually evaluate the effectiveness (as of the end of the fiscal year) of the company's ICFR and disclose the results of such evaluation in the company's annual report. Since the adoption of these rules, companies have clamored for guidance on how to perform such evaluation. The Guidance finally gives the management of public companies an approach by which to assess their ICFR.
The Guidance is organized around two broad principles: (i) that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be timely prevented or detected, and (ii) that management's evaluation of evidence about the operation of its controls should be based on its assessment of risk. This principles-based approach is intended to allow management to tailor its assessment to the company's circumstances. For example, the Guidance does not require that management identify every control in a process or document the business processes affecting ICFR. Instead, management may focus on those controls that it determines adequately address the risk of a material misstatement of the financial statements. As a result, management may be able to use more efficient approaches to gathering evidence (e.g., self-assessments) in low-risk areas and perform more extensive testing in high-risk areas.
Although the Guidance does not specifically address the role of the board of directors or audit committees in a company's evaluation and assessment of ICFR, the SEC stated that "a board of directors or audit committee, as part of its oversight responsibilities for a company's financial reporting, [would be expected] to be reasonably knowledgeable and informed about the evaluation process and management's assessment, as necessary in the circumstances."
As noted above, Section 404 requires an evaluation of the effectiveness of ICFR as well as disclosure of the results. The Guidance discusses both the evaluation process and reporting considerations.
The Evaluation Process
To accomplish its assessment of ICFR, management must identify the risks to reliable financial reporting, evaluate whether controls exist to address those risks, and evaluate evidence about the operation of the controls included in the evaluation based on its assessment of risk. While this evaluation process will vary from company to company, the SEC stated that the top-down, risk-based approach set forth in the Guidance will typically be the most efficient and effective way to conduct the evaluation.
What Could Go Wrong? Deciding Which Risks Are Within the Scope of the Assessment
The Guidance makes clear that not all controls bearing on the financial statements are within the scope of the assessment; rather, the Guidance narrows the task by focusing the scope (and related required documentation) to those controls that are needed to identify and ameliorate risks of a material misstatement. Accordingly, the first step in management's assessment should be to identify those risks that could, either alone or in combination with other risks, result in a material misstatement of the company's financial statements. Because the financial statements are presented in accordance with GAAP, this would ordinarily include an evaluation of how the requirements of GAAP apply to the company's business, operations and transactions.
Necessarily, the methods and procedures for identifying financial reporting risks are based on the characteristics (size, complexity, organizational structure) of the company and its financial reporting processes. In smaller companies, where the "awareness gap" between management and the day-to-day business transactions that underlie financial reporting is small, management may be able to adequately identify the risks to financial reporting by relying on its own daily involvement with the business. In contrast, management of larger companies may need to involve a variety of personnel with specialized knowledge of the business transaction processes underlying the financial reporting (and, where appropriate, a knowledge of the requirements of GAAP itself) in the ICFR risk identification process.
Mitigating the Identified Risks
When management identifies a risk that a material misstatement in the financial statements would not timely be prevented or detected, it must evaluate whether controls are in place that sufficiently address such risk. This evaluation requires management to determine whether the company's ICFR, if operating properly, will prevent or detect errors that could lead to material misstatements. Where a deficiency in the ICFR is found (such as where a needed control is missing, or where existing controls are so poorly designed that, even if they operate as designed, the targeted financial reporting risk is not addressed), management must then determine if a "material weakness" exists.
The Guidance states that it is not necessary to identify all controls that may exist or to identify redundant controls, so long as the controls management identifies adequately address the targeted financial reporting risks. In this identification process, management may consider the efficiency with which a control may be evaluated. In particular, the Guidance states that certain entity-level controls may be designed to operate so as to adequately prevent or detect some targeted risks and, in such cases, management may not need to identify or evaluate additional controls relating to such risks. However, management must consider the relationship between such entity-level controls and the targeted risks; the more indirect the relationship, the less effective the control may be in preventing or detecting a misstatement.
Documentation of the design of controls is also required because management must maintain reasonable support for its assessments.
Evaluating Evidence of the Operating Effectiveness of ICFR
After management identifies risks and evaluates controls, it must next evaluate the evidence of the operating effectiveness of ICFR. The evaluation should consider if the control is operating as designed and if the person performing the control has the necessary authority and competence. Evaluation procedures should be tailored to management's assessment of the risk characteristics of the financial reporting elements and the related controls (jointly, "ICFR Risk"), focusing on areas posing the highest ICFR Risk.
Determining the Evidence Needed to Support the Assessment
Management's evaluation of the level of evidence needed to support its assessment of the ICFR Risk should consider both the characteristics of the financial reporting elements to which the controls relate and the characteristics of the controls, as illustrated in the Guidance (the illustration is not reproduced here).
*In that illustration, the references to "more" or "less" evidence include both the quantitative and qualitative characteristics of the evidence (that is, its sufficiency).
Management's consideration of the misstatement risk should include the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to a misstatement that could be material to the financial statements. The SEC lists several control characteristics that may contribute to control failure, including:
- The type of control (manual, automated);
- The complexity of the control;
- Management override;
- The judgment required to operate the control;
- The competence of the personnel performing or monitoring the control;
- Any changes in key personnel performing or monitoring the control;
- Nature and materiality of misstatements that the control is intended to prevent or detect;
- The degree to which the control relies on the effectiveness of other controls; and
- The evidence of the operation of the control from prior years.
Financial reporting elements that involve related party transactions, critical accounting policies and critical accounting estimates generally have higher misstatement risks.
Implementing Procedures to Evaluate Evidence of the Operation of ICFR
The evaluation methods and procedures to obtain sufficient evidence either may be integrated with the daily responsibilities of a company's employees or implemented specifically for an ICFR evaluation.
Evidence may be obtained from either or both of the following:
- Direct testing. Tests performed on a periodic basis by individuals with a high degree of objectivity that provide evidence as of a point in time and may provide information about the reliability of ongoing monitoring activities.
- Ongoing monitoring activities. These include management's normal, recurring activities that provide information about the operation of controls, such as self-assessment procedures and procedures to analyze performance measures designed to track the operation of controls.
"Self-assessment" is a broad term that can refer to different types of procedures performed by individuals, either the personnel who operate the control or members of management who are not responsible for operating the control. Self-assessments performed by the personnel responsible for operating the control generally provide less evidence because of their lower degree of objectivity.
As the ICFR Risk increases, management should adjust the nature of the evidence that is obtained, i.e., when ICFR Risk is assessed as high, the evidence should generally consist of direct testing or ongoing monitoring activities performed by individuals with a higher degree of objectivity. When ICFR Risk is assessed as low, the evidence from ongoing monitoring may be sufficient and no direct testing may be required.
Multiple Location Considerations
When the controls necessary to address financial reporting risks operate at more than one location or business unit, management should evaluate evidence of the operation of the controls at the individual location or business unit. If management determines that the ICFR Risk is low, it may determine that evidence gathered through self-assessment routines or ongoing monitoring, combined with the evidence derived from centralized control activities, constitutes sufficient evidence for the evaluation. The characteristics of the controls should be considered individually to decide whether the nature and extent of the evidence are sufficient at that location. Management should also consider whether there are specific risks at that location that might affect the risk that a control might fail to operate effectively.
Evaluation of Control Deficiencies
Control deficiencies that are determined by management to be material weaknesses, either individually or when combined with other weaknesses, must be disclosed in management's annual report on its assessment of the effectiveness of ICFR. Control deficiencies that are considered by management to be significant deficiencies but are not sufficiently severe so as to constitute material weaknesses, in contrast, are reported to the company's audit committee and the external auditor. (As noted, the SEC has adopted a revised definition of the term "material weakness" and proposed a revised definition of the term "significant deficiency." These revised definitions are discussed further below.) The evaluation of the severity of a control deficiency should include quantitative and qualitative factors.
To determine whether there is a reasonable possibility that the company's ICFR will fail to prevent or detect a misstatement of a financial statement amount or disclosure, the Guidance suggests that management consider, without limitation, the following factors:
- The nature of the financial reporting elements involved (for example, suspense accounts and related party transactions involve greater risk);
- The susceptibility of the related asset or liability to loss or fraud;
- The subjectivity, complexity or extent of judgment required to determine the amount involved;
- The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
- The interaction of the deficiencies (that is, when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement amounts or disclosures); and
- The possible future consequences of the deficiency.
The Guidance also suggests that factors that affect the magnitude of the misstatement that might result from a deficiency or deficiencies in ICFR include, but are not limited to, the following:
- The financial statement amounts or total of transactions exposed to the deficiency; and
- The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.
The Guidance advises management to evaluate all of the relevant information as to whether a deficiency in ICFR exists and, if so, whether it represents a material weakness, and, in particular, in the following situations:
- Identification of fraud, whether or not material, on the part of senior management;
- Restatement of previously issued financial statements to reflect the correction of a material misstatement;
- Identification of a material misstatement of the financial statements in the current period in circumstances that indicate the misstatement would not have been detected by the company's ICFR; and
- Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee.
If management determines that the deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP, then the Guidance suggests that management should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.
Expression of Assessment of Effectiveness of ICFR by Management
The Guidance advises management to clearly disclose its assessment of the effectiveness of ICFR and not qualify its assessment by stating that the company's ICFR is effective subject to certain qualifications or exceptions. If a material weakness exists, the Guidance states that management may not state that the company's ICFR is effective, but suggests that management may state that controls are ineffective for specific reasons. Where management encounters difficulty in assessing certain aspects of its ICFR (e.g., when a significant process is outsourced and the service provider is unwilling to provide management with evidence of effective controls over such process), it may not issue a report on ICFR with a scope limitation, but must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.
Disclosures about Material Weaknesses
The Guidance suggests that in addition to stating that the material weaknesses exist, companies should also consider including the following in their disclosures:
- The nature of any material weakness;
- Its effect on the company's financial reporting and its ICFR; and
- Plans (or actions already taken) for remediation.
The Guidance suggests that management provide disclosure that allows investors to understand the cause of the control deficiency and to assess the potential effect of each particular material weakness.
The release also provides considerations for management with respect to the impact of restatements of previously issued financial statements on management's assessment of ICFR.
Definition of "Material Weakness"
The final rules also amended Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to define the term "material weakness," consistent with the definition adopted by the PCAOB in Auditing Standard No. 5 ("AS No. 5"). As revised, a material weakness is defined as a "deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the registrant's annual or interim financial statements will not be prevented or detected on a timely basis." Under the previous definition, which was contained in Auditing Standard No. 2 ("AS No. 2") but not in the SEC's rules, an ICFR deficiency was defined as a "material weakness" if the likelihood of a material financial misstatement is "more than remote." Critics of the Section 404 process had argued that the prior definition led to unnecessary searches for low-probability flaws.
Definition of "Significant Deficiency"
The SEC also requested additional comment on a proposed definition of the term "significant deficiency," a term used in the Guidance, Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X. The proposal, which is consistent with the definition adopted by the PCAOB in AS No. 5, would define "significant deficiency" as "a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant's financial reporting."
In its request for comment, the release solicited comments addressing specific questions, including:
- Would the definition of a "significant deficiency" facilitate more effective and efficient certification of quarterly and annual reports if it were defined as discussed above?
- Conversely, should the definition of "significant deficiency" include a likelihood component or other specific criteria?
- Is there any special impact of the definition of "significant deficiency" on smaller public companies? If so, what is that impact and how should we address it?
Compliance Dates for Non-Accelerated Filers
Since the rules implementing Section 404 were first adopted by the SEC, the compliance date for non-accelerated filers has been extended several times. However, no further extension was included with these amendments. Accordingly, under the most recent extension of compliance dates, non-accelerated filers are scheduled to begin including a management report on ICFR in their annual reports filed for a fiscal year ending on or after December 15, 2007, and an auditor's report on ICFR for a fiscal year ending on or after December 15, 2008.
Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations S-B and S-K
The SEC amended Rules 1-02(a)(2) and 2-02(f) of Regulation S-X to require the expression of a single opinion directly on the effectiveness of ICFR by the auditor in its attestation report on ICFR. Previously, the attestation report was required to express two opinions: (i) whether ICFR is effective and (ii) whether management's assessment of ICFR is fairly stated. The amended rules eliminate the second opinion.
The SEC also made conforming revisions to refer to the auditor's report as an "attestation report on internal control over financial reporting" rather than an "attestation report on management's assessment of internal control over financial reporting."
Although the revised rules no longer require auditors to separately express an opinion concerning management's assessment of the effectiveness of the company's ICFR, audits conducted under the current auditing standard, PCAOB AS No. 2, will continue to result in a separate opinion on management's assessment of the effectiveness of the company's ICFR. The new auditing standard adopted by the PCAOB, AS No. 5, conforms to the amendments providing for a single opinion. However, while the PCAOB has adopted AS No. 5, it is not effective until approved by the SEC (the SEC has issued a request for comments on AS No. 5 with a deadline for receipt of comments of July 12, 2007). Until AS No. 5 is effective, companies may continue to file a report they receive from their independent auditor that contains both opinions required by AS No. 2.