SEC Proposes Interpretive Guidance on Conducting Management's Evaluation of Internal Control Over Financial Reporting and Extends Compliance Dates for Certain Issuers; PCAOB Proposes New Auditing Standard
On December 13, 2006, the Securities and Exchange Commission (SEC) proposed interpretive guidance for management's use in conducting its annual evaluations of internal control over financial reporting, as required under Section 404 of the Sarbanes-Oxley Act of 2002. In related actions, the SEC proposed extending the deadline for compliance for certain companies, and the Public Company Accounting Oversight Board (PCAOB) proposed revisions to its auditing standards relating to Section 404.
At the SEC's open meeting, various SEC Commissioners acknowledged that the absence of prior SEC guidance to management had created confusion and contributed to high Section 404 implementation costs. In particular, they noted that, in the absence of such guidance, management often turned to PCAOB Auditing Standard No. 2 to determine the parameters of the required evaluation. Because the Auditing Standard is directed to auditors, not management, this may have resulted in management's implementing procedures beyond what the SEC intended. The Commissioners stated that the proposed guidance is intended to improve the effectiveness and cost-efficiency of the Section 404 evaluation process.
The SEC notes that the objective of the evaluation of Internal Control Over Financial Reporting (ICFR) is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year. To meet this objective, management must identify the risks to reliable financial reporting, evaluate whether the design of the controls which address those risks is such that there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner, and evaluate evidence about the operation of the controls included in the evaluation based on management's assessment of risk. The Commissioners and the SEC Staff emphasized that the proposed guidance is scalable and can be applied by companies of all sizes and complexities. The proposed interpretive guidance is premised on a "top-down, risk-based" approach to evaluation and covers four key areas:
- Identification of Risks and Controls - The proposed Section 404 guidance describes a risk-based approach that would require management to focus on identifying areas of material risks to financial reporting and controls for addressing these risks. Management will be required to use its judgment to identify areas where there could be material misstatements and evaluate related controls to determine if they address these risks. Management need not evaluate all controls in a process; rather, management should focus on identifying and evaluating those controls that in its judgment minimize the risk of material misstatements in financial statements. Once those controls that adequately address the risks of material misstatements are identified, it would be unnecessary to include additional controls within management's evaluation (i.e., management can avoid identifying controls that are not important to achieving the objectives of ICFR).
- Evaluating Operating Effectiveness of Controls - The SEC suggests that management should evaluate evidence of the effective operation of ICFR and conclude that a control operates effectively when it is performed in a manner consistent with its design by individuals with the necessary authority and competency. Once the relevant controls are identified, management would design its evaluation methods so that they focus on analyzing those areas that present the highest risk to reliable financial reporting. The proposed guidance provides for a risk-based approach that requires the use of judgment to direct management's evaluation efforts toward those areas that present the greatest risks based on the firm's facts and circumstances. Evidence concerning the effective operation of controls may be obtained from direct testing of controls and ongoing monitoring activities. The proposed guidance would allow management to support its evaluation in a variety of ways and includes examples of ways that management can substantiate its evaluation; this aspect of the guidance is designed in part to limit the amount of testing that management is required to undertake.
- Reporting the Results of Management's Evaluation - The proposed guidance includes examples that are viewed as strong indicators of a material weakness. At the meeting, the SEC Staff noted that one such example occurs where a company is required to restate prior period financial statements. Commenting on this aspect of the guidance, however, the Staff noted that, where the restatement arises from an industry-wide change in accounting policy, such as the lease accounting changes in 2005, management should use its judgment as to whether such a change in fact represents a strong indicator of a material weakness. The evaluation of a control deficiency includes both quantitative and qualitative factors. Several factors affect the likelihood that a deficiency, or a combination of deficiencies, will result in a misstatement in a financial reporting element not being prevented or detected on a timely basis, including, but not limited to:
- The nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk);
- The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);
- The subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, such as that related to an accounting estimate, increases risk);
- The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);
- The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and
- The possible future consequences of the deficiencies.
- Documentation - The proposed guidance explains the nature and extent of the evidential matters that management must maintain to document its assessment. While there is no prescribed form of documentation (such as paper, electronic or other media), management must use its reasonable judgment as to the form and extent of documentation maintained. The Staff noted that the proposed guidance is intended to avoid artificial documentation requirements. Where management is able to rely on its daily interactions with its controls as a basis for its assessments, management may be able to avoid creating documentation specifically for the evaluation. The guidance suggests that documentation can be focused on those controls that management concludes are adequate to address the financial reporting risks.
At the meeting, the SEC Staff emphasized that the proposed interpretive guidance is not intended to disrupt or change what companies already have done in terms of implementing Section 404. Rather, the SEC intends that companies that have already complied with the Section 404 requirements can determine whether to use any aspects of the interpretive guidance to make their own evaluation process more efficient. Thus, for companies that have already complied with the Section 404 requirements, the proposed guidance, if adopted, is optional, not prescriptive. Also, if adopted as proposed, the guidance will confirm that management can rely on this guidance, and not PCAOB Auditing Standard No. 2, for purposes of conducting an appropriate evaluation of the company's internal control over financial reporting. The Staff also noted that, while the proposed guidance does not include any direction that is tailored specifically toward the types of issues that foreign private issuers confront in implementing Section 404, the SEC is interested in receiving comments as to whether the guidance should include such discussion.
Proposed Amendments to Rules 13a-15 and 15d-15 of the Securities Exchange Act of 1934
The SEC's rules, adopted in June 2003, that implemented Section 404 of the Sarbanes-Oxley Act do not prescribe any specific methods or procedures for management to perform its evaluation. The SEC proposal would amend Rules 13a-15 and 15d-15 to state that an evaluation conducted in accordance with the interpretive guidance would satisfy the SEC's rules. However, to retain the flexibility that was desired by the 2003 rules, the proposed amendments would afford management the latitude either to follow the interpretive guidance and avail itself of this "safe harbor" or to develop and use other methods that achieve the objectives of the SEC's 2003 rules. As a result, larger companies that have already implemented procedures under the 2003 rules would be permitted to continue to follow such procedures (provided they are "effective") or to modify them to make them more efficient by adopting the proposed guidance in whole or in part.
Amendments to Regulation S-X and Coordination with the PCAOB
The SEC has worked with the PCAOB to develop a new auditing standard to supersede existing Auditing Standard No. 2. In connection therewith, the SEC proposed amendments to Regulation S-X that are intended to clarify the auditor reporting requirement in a manner consistent with the PCAOB's anticipated proposed new auditing standard. Specifically, Rule 2-02(f) of Regulation S-X would be amended so that auditors would no longer be required to follow a dual opinion approach, opining on both the effectiveness of internal controls and management's assessment. Instead, the auditors would render a single opinion on the effectiveness of internal control over financial reporting, which would subsume their opinion on management's assessment. This would mean that auditors would no longer evaluate the efficacy of the methods and procedures used by management in conducting their adequacy evaluation.
Proposed Replacement of PCAOB Auditing Standard No. 2
On December 19, 2006, the PCAOB proposed for public comment a new auditing standard on internal control to replace Auditing Standard No. 2, together with certain other related proposals. The proposal is guided by five goals:
- Focusing the audit on the matters that present the greatest risk that the company's internal controls will fail to detect or prevent a material misstatement in its financial statements. These include identifying control weaknesses before they result in material misstatements in the financial statements, using a top-down approach and focusing on company-level controls and higher-risk stages of financial statement preparation.
- Eliminating unnecessary procedures by enhancing the ability of auditors to use the work of others and experience gained in previous years' audits, and clarifying risk assessment by auditors. In this regard, the PCAOB indicated that it would consider changes that would "clarify that an internal control audit is limited to an evaluation of whether, in the auditor's opinion, the company's internal control is effective, and does not include an opinion on the adequacy of management's process to reach its conclusion."
- Icorporating prior PCAOB guidance on how to make audits more efficient.
- Providing explicit and practical guidance on scaling the audit to fit the size and complexity of the company so that auditors can tailor the audit for smaller companies.
- Proposing a revised auditing standard that is shorter, easier to understand, and more clearly scalable to audits of companies of all sizes and complexity by redefining key terms, clarifying the definition of materiality and consolidating the PCAOB's standard on using the work of others.
Extension of Deadlines
In a related action, on December 15, 2006, the SEC proposed further extending the compliance deadline for smaller public companies with the internal control reporting requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002. Under the extension, a non-accelerated filer is not required to provide management's report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2007. A non-accelerated filer is not required to file the auditor's attestation report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2008. The SEC noted that it would consider further postponing this date after it considers the proposed revisions to Auditing Standard No. 2. Management's report included in a non-accelerated filer's annual report during the filer's first year of compliance with the Section 404(a) requirements will be deemed "furnished" rather than filed. Management's report for foreign private issuers filing on Form 20-F or 40-F that are accelerated filers (but not large accelerated filers) also will be deemed furnished rather than filed for the year that such issuers are only required to provide management's report. Companies that only provide management's report during their first year of compliance must state in the annual report that the report does not include the auditor's attestation report and that the company's registered public accounting firm has not attested to management's report on the company's internal control over financial reporting.
The SEC also proposed adopting amendments that provide for a transition period for a newly public company before it becomes subject to the internal control over financial reporting requirements. Under the new amendments, a company will not become subject to these requirements until it either has been required to file an annual report for the prior fiscal year with the SEC or has filed an annual report with the Commission for the prior fiscal year. A newly public company is required to include a statement in its first annual report that the annual report does not include either management's assessment on the company's internal control over financial reporting or the auditor's attestation report.
This guidance is welcome relief to companies of all sizes, particularly smaller cap companies. The SEC is focused on a risk-based approach, applying well-known "materiality" standards. Specifically, the documentation guidance will reduce the cost and time involved in compliance. Public companies should meet with their auditing staff and then with their outside auditors to reassess their Section 404 compliance plans for 2007. We, of course, would be happy to assist in developing plans or review Section 404 plans.