On June 20, 2007, the Securities and Exchange Commission issued interpretive guidance (the "Interpretive Guidance") and rule amendments regarding management's report on internal control over financial reporting ("ICFR"). The SEC's interpretive and rulemaking initiatives address the following:

  • providing guidance regarding management's evaluation and report on ICFR under the Exchange Act that utilizes a top-down, risk-based approach;
  • clarifying that an evaluation that complies with the Interpretive Guidance is one way to satisfy the requirement, although there are numerous ways for management to evaluate the effectiveness of the company's ICFR;
  • revising the SEC's rules to clarify that a company's auditor is required to express a single opinion directly on the effectiveness of ICFR in its attestation report but is not required to submit a separate opinion on management's process for evaluating ICFR, which was previously required; and
  • defining the term "material weakness."

Also, on June 20, 2007, the SEC issued a release proposing to define the term "significant deficiency."[1]

In addition, on May 24, 2007, the Public Company Accounting Oversight Board ("PCAOB") adopted Auditing Standard No. 5, which is intended to supersede the PCAOB's Auditing Standard No. 2 regarding internal control audits.[2] If approved by the SEC, Auditing Standard No. 5 would provide a principles-based approach to internal control audits intended to do the following:

  • provide a top-down, risk-based approach to focus internal control audits on high-risk areas;
  • eliminate unnecessary procedures, including the requirement to review management's evaluation process;
  • scale internal control audits based on the size and complexity of the company, reflecting the SEC's recognition that one size does not fit all companies in this regard; and
  • simplify and clarify the text of the standard, including providing definitions of "material weakness" and "significant deficiency."

These SEC and PCAOB rulemaking initiatives relating to ICFR are expected to reduce substantially the effort and expense that outside auditors and companies, particularly smaller companies, incur in complying with the ICFR requirements.


The Interpretive Guidance, rule amendments, and PCAOB Auditing Standard No. 5 are largely a response by the SEC and PCAOB to the following:

Uncertainty Associated with Section 404 Compliance

In connection with the passage of the Sarbanes-Oxley Act of 2002, Congress directed the SEC to adopt rules requiring a management internal control report on ICFR and a related auditor attestation report in each annual report required by Section 13(a) or 15(d) of the Exchange Act. Since the SEC issued its rules regarding these ICFR reports in June 2003,[3] many public companies have struggled to comply with the SEC's requirements. Absent interpretive guidance regarding the substance and scope of procedures necessary to meet these requirements, many companies have spent substantial time, effort, and expense in designing and implementing individual ICFR evaluation and reporting procedures.

Cost Associated with Section 404 Compliance

Many market participants, including public companies, practitioners, and the SEC's Advisory Committee on Smaller Public Companies, have raised concerns regarding the costs associated with the Sarbanes-Oxley Act, in general, and in particular about Section 404 of the Sarbanes-Oxley Act regarding ICFR.[4] The SEC's proposals are designed to assist companies that have already begun providing ICFR reports but would like to refine their procedures as well as provide guidance that will hopefully minimize the time required to comply with the rules and the costs for nonaccelerated filers that are scheduled to begin compliance in their annual reports for the first fiscal year ending on or after December 15, 2007.

Burdens on Auditors

Auditors have expressed similar concerns regarding the uncertainty and cost generated by PCAOB Auditing Standard No. 2. Since Auditing Standard No. 2 became effective, the PCAOB has monitored compliance with the standard and acknowledged that, although the audit of ICFR has produced significant benefits, these benefits have come at a significant cost.[5]

Avoiding Conflicting Standards

The joint proposals by the SEC and the PCAOB reflect an attempt to more closely align the SEC and PCAOB regulations relating to ICFR, thereby avoiding potentially inconsistent standards that would create additional work for companies and their auditors.


Interpretive Guidance[6]

Background. In implementing Section 404(a) of the Sarbanes-Oxley Act, the SEC amended Rules 13a-15 and 15d-15 of the Exchange Act to require a management evaluation and report on ICFR and an attestation report on ICFR by the company's registered public accounting firm.

The Guidance. The Interpretive Guidance addresses ICFR evaluation and reporting, setting forth a top-down, risk-based standard for management to conduct its internal control evaluation in a more effective and efficient manner.

The Evaluation Process

Overview. The SEC noted that the objective of ICFR is to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. The purpose of the annual evaluation of ICFR is to provide management with a reasonable basis for its determination as to whether there exists a material weakness in ICFR. In general, the management evaluation process consists of identification of the most important risks to reliable financial reporting, a determination as to whether internal controls are in place to address those risks, and an assessment as to whether those controls are effective for their intended purpose. Under the SEC's rules, this evaluation process must be made in accordance with a suitable control framework.[7]

Identification of Risks. The Interpretive Guidance recommends that the process begin with management identifying financial reporting risks, which are risks that may result in a material misstatement of financial statements. Management should use its unique knowledge and understanding of the company's business and procedures to consider the elements of financial reporting. Management may also investigate "what could go wrong" within a financial reporting element to determine the sources and likelihood of misstatements and whether such misstatements could be material. The guidance notes that characteristics of companies, such as size, complexity, and organizational structure, vary among businesses and that such differences will alter the methods and procedures companies use for identifying financial reporting risks. Management's evaluation of the risk of misstatement should also consider the company's vulnerability to fraudulent activity and its potential effect on the financial statements.

Identification of Controls. Once financial reporting risks are identified, management should evaluate whether its current controls, which may consist of policies, procedures, or activities, are adequate to prevent, detect, and address financial reporting risks. An assessment of entity-level controls and a review of locations and business units are appropriate. In that process, management is not required to identify and evaluate all controls that may be in place to address a potential financial reporting risk and, in fact, may select the relevant controls that can be evaluated most efficiently. Further, management should consider that controls addressing financial reporting risks may be automated (dependent on information technology), manual, or a combination of both. As a result, management's evaluation process must take into account automated systems and procedures. Finally, management must maintain documentary evidence (such as policy manuals, process models, flowcharts, job descriptions, internal memoranda, forms, etc.) supporting its assessment. The form and extent of the documentation will vary based on the characteristics of the company.

Evaluation of Operating Effectiveness of Controls. The Interpretive Guidance provides recommendations for management's evaluation of the operating effectiveness of ICFR. Management should evaluate whether the internal control process is functioning as intended and whether the individuals overseeing the process are competent and have the appropriate level of authority. Management's consideration of the misstatement risk of a financial reporting element includes "both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to a misstatement that could be material to the financial statements." The guidance recommends increasing management's assessment of misstatement risk for a financial reporting element as the materiality of the financial reporting element increases and as the financial reporting element becomes more prone to material misstatement.

Management should also focus the evaluation on high-risk areas, including related party transactions, critical accounting policies, and related critical accounting estimates. In considering whether a control might fail, management should consider:

  • the type of control and how frequently it operates;
  • the complexity of the control;
  • the risk of management override;
  • the judgment required to operate the control;
  • the competence of the personnel who perform the control or monitor its performance;
  • whether there have been changes in key personnel who either perform the control or monitor its performance;
  • the nature and materiality of misstatements that the control is intended to prevent or detect;
  • the degree to which the control relies on the effectiveness of other controls; and
  • the evidence of the operation of the control from prior year(s).

Evaluation methods and procedures will vary from company to company and, depending on the facts and circumstances, could consist of direct testing; ongoing monitoring, including self-assessment; or a combination of both. As ICFR risk increases, the evidence obtained usually will be adjusted to reflect that risk. If the evaluation uncovers a deficiency, management must determine whether that deficiency constitutes a material weakness.

Reporting Considerations

Management is required to report control deficiencies, or a combination of control deficiencies, that rise to the level of a material weakness in its annual report on the effectiveness of ICFR. Additionally, management must disclose control deficiencies that are considered significant deficiencies to the company's audit committee and its external auditors. The Interpretive Guidance indicates that an evaluation of the severity of a control deficiency should include quantitative and qualitative factors. The guidance provides risk factors that affect whether there is a reasonable probability that a deficiency will result in a misstatement and factors that affect the magnitude of the misstatement that might result from a deficiency. The guidance also outlines specific situations that should be evaluated to determine if a deficiency exists, such as the identification of fraud, restatement of previously issued financial statements, and ineffective oversight over financial reporting and internal control by the company's audit committee.

Additionally, the guidance indicates that management should clearly disclose its assessment of the effectiveness of ICFR without qualification or exception. If a material weakness exists, management may not state that ICFR is effective overall but may identify controls that are ineffective for specific reasons. This is clearly intended to limit the spin companies may use in presenting negative information to the market. The guidance adds that companies should consider including the following in their disclosure:

  • the nature of any material weakness;
  • its impact on the company's financial reporting and its ICFR; and
  • management's current plans, if any, or actions already undertaken, for remediating the material weakness.

Companies should also consider disclosing the cause of the control deficiency and the potential impact of each particular material weakness.

Finally, although no SEC regulation requires management to reassess or revise its conclusion on ICFR in the event of a restatement of financial statements, the guidance recommends an assessment of whether the original disclosure remains appropriate and whether modification of or supplement to the original disclosure is required. Management should also determine whether an inability to assess certain controls as part of the evaluation process is significant enough to conclude that ICFR is ineffective.


Safe Harbor for a Management Evaluation that Complies with the SEC's Interpretive Guidance

The SEC has adopted an amendment to Rules 13a-15(c) and 15d-15(c) of the Exchange Act to clarify that a management evaluation conducted in accordance with the Interpretive Guidance satisfies the evaluation requirement in the rules. The effect of the amendment is to provide a safe harbor for companies that conduct their evaluation in accordance with the Interpretive Guidance. The SEC recognized that many companies have already implemented management evaluation procedures and commented that choosing to follow the Interpretive Guidance is voluntary. The SEC noted specifically that companies that have already implemented evaluation procedures do not need to alter those procedures to align them with the Interpretive Guidance.

Definition of "Material Weakness"

Background. Until now, the SEC chose to refer to accounting literature to provide a definition regarding the term "material weakness," rather than include a definition of the term in its rules. As a result of the importance of the term "material weaknesses" relating to ICFR, the SEC decided to provide a definition of the term.

The Amendment. The SEC has amended Rule 12b-2 of the Exchange Act and Rule 1-02 of Regulation S-X to define "material weakness" as "a deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the registrant's annual or interim financial statements will not be prevented or detected on a timely basis."[9] Significantly, the probability standard in the definition is a "reasonable possibility," a higher standard than the previous "more than a remote likelihood."

Auditor Attestation Report Amendments

Background. Under Rule 2-02(f) of Regulation S-X, a company's registered public accounting firm must provide an attestation report on management's assessment of ICFR. Specifically, the rule requires an opinion of the accountant as to whether management's assessment of the effectiveness of the registrant's ICFR is fairly stated in all material respects. The required assessment is an appraisal of management's disclosure regarding the effectiveness of the company's ICFR, rather than an assessment of management's evaluation process. As a result of confusion among accountants about whether they are required to provide a report on management's conclusion, evaluation process, or both, the SEC has amended Rule 2-02(f) of Regulation S-X to clarify the rule.

The Amendment. The Amendment does the following:

  • modifies Rule 2-02(f) to clarify that a company's auditor is required to express a single opinion directly on the effectiveness of ICFR in its attestation report but is not required to submit a separate opinion on management's process for evaluating ICFR;
  • revises Rule 2-02(f) to clarify the rare circumstances in which the accountant would be unable to express an opinion; and
  • revises the definition of "attestation report" in Rule 1-02(a)(2) of Regulation S-X to conform the definition to the clarification of Rule 2-02(f) of Regulation S-X.

Although auditors are no longer required to provide a separate opinion on management's evaluation procedures, PCAOB Auditing Standard No. 5 requires auditors to evaluate whether management included all the required disclosures in its assessment report.


Proposed Definition of "Significant Deficiency"

Background. The SEC's rules implementing the requirements of the Sarbanes-Oxley Act require management to disclose all "significant deficiencies" to the audit committee and external auditors, but the SEC did not define that term. Instead, the SEC relied on interpretations under generally accepted auditing standards and interpretations of the PCAOB.

The Proposal. Because the term appears in Sections 302 and 404 of the Sarbanes-Oxley Act, and to enable management to refer to SEC rules and guidance rather than auditing standards, the SEC has proposed defining "significant deficiency." The proposal would amend Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to define the term "significant deficiency" as "a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant's financial reporting."[10]

Unlike the definition of "material weakness," the definition of "significant deficiency" would not include a likelihood component but would instead rely on management's judgment in deciding which deficiencies should be reported to the auditors and the audit committee.


PCAOB Auditing Standard No. 5

The Standard

Auditing Standard No. 5 provides a principles-based approach to internal control audits, which the PCAOB views as a refinement of, rather than a significant shift from, the approach under Auditing Standard No. 2. The standard is intended to:

  • provide a top-down, risk-based approach to focus internal control audits on high-risk areas;
  • eliminate unnecessary procedures, including the requirement to review management's evaluation process;
  • scale internal control audits based on the size and complexity of the company reflecting the SEC's recognition that one size does not fit all companies in this regard; and
  • simplify the text of the standard, including providing definitions of "material weakness" and "significant deficiency."

Auditing Standard No. 5 is subject to review, comment, and final rulemaking action by the SEC.

Differences from Auditing Standard No. 2

Alignment of PCAOB and SEC Guidance. One of the concerns expressed by market participants regarding the ICFR requirements has been the lack of consistency between the regulations of the SEC and PCAOB. With the issuance of the Interpretive Guidance and Auditing Standard No. 5, the two regulatory bodies attempted to eliminate a number of significant differences. For example, Auditing Standard No. 5 utilizes the same definition of "material weakness" as adopted by the SEC and employs the same definition of "significant deficiency" proposed by the SEC.

Top-Down Approach and Emphasis on Fraud Controls. As mentioned above, Auditing Standard No. 5 provides a top-down, risk-based approach to focus internal control audits on high-risk areas. According to the PCAOB, this approach utilizes the same principles that apply to financial statement audits—"the auditor determines the areas of focus through the identification of significant accounts and disclosures and relevant assertions." The PCAOB chose this method over a specific requirements approach, which the PCAOB feared would lead to a checklist approach. In focusing on high-risk areas, Auditing Standard No. 5 also emphasizes the importance of fraud controls in preventing misstatements.

Elimination of Unnecessary Procedures. Auditing Standard No. 5 eliminates procedures the PCAOB views as unnecessary. Specifically, Auditing Standard No. 5 removes the requirement to review management's evaluation process and indicates that an opinion on management's evaluation is not required. Auditing Standard No. 5 also permits auditors to utilize knowledge gained in previous years' audits and use the work of others to evaluate the effectiveness of controls. Although Auditing Standard No. 5 removes the requirement of a walkthrough, the PCAOB stresses that in many cases a walkthrough is appropriate to focus auditors on objectives and not mechanics. Finally, Auditing Standard No. 5 emphasizes a risk-based approach to multiple location evaluations by requiring auditors to correlate the amount of audit attention devoted to the location or business unit with the degree of risk.[11]

Scaled Internal Control Audits. In Auditing Standard No. 5, the PCAOB recognized that "[t]he size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives" and "might affect the risks of misstatement and the controls necessary to address those risks."[12] Accordingly, Auditing Standard No. 5 incorporates scaling concepts throughout the standard.

Simplified Standard. Auditing Standard No. 5 provides a plain-English, principles-based approach to audits on ICFR that should be easier for auditors and companies to interpret and implement.