The SEC has published interpretive guidance and adopted rule amendments to clarify that management of a reporting company has significant flexibility in designing a system to evaluate the effectiveness of internal financial controls. Part one of this article provides an overview of this new paradigm which, if followed, provides a nonexclusive safe harbor related to management’s SOX section 404 annual evaluation and reporting requirements. Part two summarizes the new Exchange Act rules which streamline the deregistration process for foreign private issuers whose securities meet certain trading parameters in the U.S. Part three of this article addresses recent proposals by the SEC that would ease capital raising and simplify reporting requirements for smaller public companies.

I. SEC Approves New Interpretive Guidance and Auditing Standards for Compliance with Section 404 of Sarbanes-Oxley1

The Securities and Exchange Commission (SEC) has amended Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934 (the Exchange Act) to clarify that, although management can evaluate the effectiveness of a reporting company’s internal controls over financial reporting (ICFR) in many different ways, an evaluation conducted in accordance with the SEC’s Interpretive Guidance will satisfy the annual management evaluation requirement. The amended rules also require auditors to give, in their attestation report, a single opinion on the effectiveness of the company’s internal controls. Previously, the rules required auditors to express separate opinions on the effectiveness of the company’s ICFR and on management’s assessment thereof.2

The aim of the Commission’s new guidance is to enable smaller public companies to customize their methods for evaluating ICFR in order to reduce the amount of time and cost associated with designing and conducting the evaluation. This can be done because the top-down, risk-based approach that is the centerpiece of the guidelines is particularly suitable for less complex control systems, which are commonly used by smaller companies. Thus, the new guidelines are relatively flexible and easy to tailor to the specific facts and circumstances of smaller public reporting companies.3

History and Development of Section 404(a) of Sarbanes-Oxley 

Under section 404(a) of the Sarbanes-Oxley Act of 2002 (SOX), the SEC adopted rules which require each annual report of an Exchange Act reporting company (other than a registered investment company) to include an internal control report (1) stating management’s responsibilities for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) providing an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s ICFR.4 The rules implementing the requirements of section 404(a) did not prescribe any specific methodology or set of procedures for management to follow in performing its evaluation of ICFR. Managers had flexibility to determine what constituted “reasonable support” for their assessment of ICFR, but significant uncertainty remained as to what procedures would satisfy the new rules.5

Public companies have been required to establish and maintain internal accounting controls since the enactment of the Foreign Corrupt Practices Act of 1977 (FCPA). Section 404(a) was a significant development, however, since it heavily emphasized the importance of the relationship between the maintenance of effective ICFR and the preparation of reliable financial statements. The SEC recognizes that ICFR cannot provide absolute assurance due to its inherent limitations. Evaluation of ICFR is a process that involves human input which is subject to lapses in judgment and breakdowns resulting from human failures. It can also be circumvented by collusion or improper management override. However, because these inherent limitations are known features of the financial reporting process, the SEC believes that it is possible to design safeguards into the ICFR process to reduce this risk. Unlike the FCPA, section 404(a) requires companies to use a framework for evaluating ICFR, although the SEC acknowledges that several viable frameworks exist or could be developed in the future and “one size does not fit all.” With the adoption of the rule amendments, the SEC has reaffirmed its view that effective ICFR can help companies to detect and deter fraudulent accounting practices.6

The original rules adopted by the SEC in June 2003 were based on two broad principles: (1) management’s evaluation would be based on procedures sufficient both to evaluate the design and to test the operating effectiveness of ICFR; and (2) the assessment, including testing, would be supported by reasonable evidentiary support. The SEC chose not to impose specific guidelines regarding management’s evaluation on the basis of its view that the methods of assessing ICFR should vary from company to company. As a result, many public companies developed their own internal evaluation processes, hired consultants or purchased commercial software to create or improve their ICFR evaluation processes. In short, there appeared to be no proper roadmap to satisfy the new management evaluation requirements.7

Over the next few years it became clear that particular areas of the ICFR evaluation requirements needed further clarification to reduce unnecessary burdens and costs on reporting companies. For example, the SEC learned that a number of implementation issues had arisen from an overly conservative application of its rules as well as questions regarding the appropriate role of the independent auditor in management’s evaluation process. Another major concern that surfaced is the inability of smaller companies to comply in a cost-effective manner with the requirements of section 404(a), including (1) the limited number of personnel in smaller companies, which constrains their ability to isolate conflicting duties, (2) top management’s wider span of control and more direct channels of communication, which increase the risk of management override, and (3) the dynamic and evolving nature of smaller companies, which limits their ability to have static processes that are well-documented.8

The Interpretive Guidance, which provides a non-exclusive safe harbor, is intended to resolve and reduce the concerns raised by the current rule requirements and to provide comfort to management that by following the Interpretive Guidance, the company will satisfy its obligations under Rules 13a-15(c) and 15d-15(c). In addressing a number of the commonly identified areas of concerns, the Interpretive Guidance: 

  • Explains how to vary evaluation approaches for gathering evidence based on risk assessments; 
  • Explains the importance of “daily interaction,” self-assessment, and other on-going monitoring activities as evidence in the evaluation; 
  • Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment;
  • Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
  • Provides a nonexclusive safe harbor for management relying on the guidance in conducting their evaluation.9

Interpretive Guidance and Rule Amendments

The guidance is organized around two broad principles. The first principle is that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. The guidance describes a top-down, risk-based approach to this principle, including the role of entity-level controls in assessing financial reporting risks and the adequacy of controls. The guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement of its financial statements. The guidance does not require management to identify every control in a process or document the business processes affecting ICFR. Rather, management can focus its evaluation process and the documentation supporting the assessment on those controls that it determines adequately address the risk of a material misstatement of the financial statements. For example, if management determines that a risk of a material misstatement is adequately addressed by an entity-level control, no further evaluation of other controls is required.10

The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the highest risks to reliable financial reporting (that is, whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas. The SEC believes that by following these two principles, companies of all sizes and complexities will be able to implement the rules effectively and efficiently.11

The first step of the process should begin with an evaluation of whether (1) the ICFR includes policies, procedures and activities that effectively consider all of the elements of an internal control system, and (2) the internal controls are properly designed to provide reasonable assurance of the reliability of the company’s financial statements. The SEC suggests that management may, under the proposed guidelines, meet its obligations to conduct the evaluation process in the following manner: (a) identify risks to reliable financial reporting (i.e., materially accurate financial statements), including changes in those risks; (b) identify whether the company has controls in place that adequately reduce any financial reporting risks; (c) consider entity-level controls when identifying and assessing financial reporting risks and related controls for a financial reporting element; (d) evaluate the role of general information technology controls, such as the use of automated controls (like application controls that update accounts in the general ledger for subledger activity) or controls that depend upon IT functionality (like a control that manually investigates items contained in a computer-generated exception report); and (e) maintain reasonable evidentiary support for its assessment through documentation of the design of the controls that management has placed in operation to adequately reduce the financial reporting risks. The evaluation process will, of course, vary according to a company’s particular facts and circumstances.

The second step of the evaluation process is for management to evaluate the evidence of the effective operation of ICFR. Evidence about the effective operation of controls may be obtained, for example, from direct testing of controls and on-going monitoring activities. The nature, timing and extent of evaluation procedures necessary for management to obtain sufficient evidence of the effective operation of a control depends on the nature of the assessed ICFR risk. Management should consider not only the quantity of evidence but also qualitative characteristics of the evidence. The SEC states that management can accomplish this step of the process by (1) determining the evidence needed to support the assessment, (2) implementing procedures to evaluate evidence of the operation of ICFR, and (3) gathering documentation to support the assessment.

After the evaluation process is completed, the SEC suggests that management should consider its reporting considerations, which include: (1) evaluating control deficiencies and whether a deficiency constitutes a material weakness; (2) clearly expressing its assessment related to the effectiveness of ICFR; (3) fully disclosing any material weaknesses; (4) considering the impact of a restatement of previously issued financial statements on management’s report on ICFR; and (5) determining whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective. This last step acknowledges that management may encounter difficulty in assessing certain aspects of ICFR where, for example, compensating controls may not be in place to determine the effectiveness of the controls over the process. 12

In conjunction with the issuance of the Interpretive Guidance, the SEC adopted amendments to the existing requirements of Exchange Act Rules 13a-15(c) and 15d-15(c) for management of each company subject to the Exchange Act periodic reporting requirements to evaluate, as of the end of each fiscal year, the effectiveness of the company’s ICFR. The amendments state that an evaluation that complies with the Interpretive Guidance will satisfy the annual evaluation requirement in Rules 13a-15(c) and 15d-15(c).13 The SEC also adopted amendments to Rules 1-02 and 2-02 of Regulation S-X, and Item 308 of Regulations S-B and S-K, to require the company’s independent auditors to provide only one opinion on the effectiveness of the company’s ICFR. Prior to adoption of these amendments, a company’s independent auditors were required to express two separate opinions: one on the effectiveness of a company’s ICFR, and a second opinion on management’s assessment of the effectiveness of the company’s ICFR.14

Finally, the SEC adopted an amendment to Exchange Act Rule 12b-2, and a corresponding amendment to Rule 1-02 of Regulation S-X, to define the term “material weakness.” Under the amended rule, a “material weakness” is defined as a deficiency (or a combination of deficiencies) in ICFR which raises a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis. This amendment is significant, according to the SEC, because companies now will be able to refer to Commission rules rather than to the audit standard.15

New Auditing Standard No. 5

On July 25, 2007 the Public Company Accounting Oversight Board (PCAOB) adopted new Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements” (AS No. 5), which supersedes the unduly expensive and inefficient AS No. 2, and is complementary to the new Section 404 rules and Interpretive Guidance. The SEC expects the new standard to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. Together with the Interpretive Guidance, AS No. 5 should allow Section 404 audits and management evaluations to become more risk-based and scalable to a company’s size and complexity. The SEC also approved a related independence rule and conforming amendments (File No. PCAOB-2007-02), and adopted a definition of the term “significant deficiency.”16

AS No. 5 provides the new professional standards and related performance guidance for independent auditors to attest to, and report on, management’s assessment of the effectiveness of ICFR under Section 404(b). Some of the improvements that have been made in the new auditing standard include: 

  • AS No. 5 is less prescriptive. The mandatory requirements set forth in AS No. 2 have been significantly reduced in AS No. 5, which means the auditor has more latitude to perform tests that it deems to be necessary. This should encourage management and audit committees to engage in a more meaningful dialogue with their outside auditors about risks and materiality.
  • AS No. 5 provides that the audit should be designed to fit the size and complexity of each company. The new standard explains how to apply the principles to smaller or less complex companies so that, under the new standard, a company’s control systems will not have to be designed to fit the audit standard. Rather, the aim is to encourage a company to design its ICFR to improve the quality of its financial statements. For a smaller or less complex company, the auditor can consider, for example, whether management’s ability to segregate duties is limited. The auditor also can use inquiry combined with other procedures when the operation of controls by management results in limited or no documentation trail.
  • AS No. 5 directs auditors to focus on what matters most and eliminates unnecessary audit procedures. It clarifies that management’s process is not the focus of the audit. Rather, the audit is focused on the effectiveness of a company’s ICFR. It directs auditors to look at highest risk areas, such as the financial statement close process and controls designed to prevent fraud by management. It also emphasizes that the auditor is not required to design the audit to find deficiencies that do not constitute material weaknesses. Significantly, it allows auditors to use knowledge accumulated in previous years’ audits.
  • AS No. 5 encourages auditors to use a principles-based approach to determine when and to what extent the auditor can rely on the work of others. The new standard expressly permits auditors to use, in the internal control audit, testing and other internal control work performed by persons other than internal auditors. This principles-based approach is based on the auditor’s consideration of the objectivity and competence of those performing the work. 17

The SEC’s goal in approving the Interpretive Guidance and AS No. 5 is to replace the prior inefficient system of Section 404 implementation with an approach that allows for tailoring and scaling of ICFR evaluations and audits according to the relevant facts and circumstances. AS No. 5, PCAOB Rule 3525, and the conforming amendments will become effective and required for integrated audits conducted for fiscal years ending on or after November 15, 2007. However, the SEC encourages companies and auditors to adopt the new rules earlier. The Commission’s recent amendments to Regulation S-X became effective on August 27, 2007, and the Commission will begin accepting the single auditor’s attestation report on the effectiveness of ICFR prescribed in AS No. 5 in filings received on that date.

The SEC also adopted a definition of “significant deficiency” which includes a deficiency, or a combination of deficiencies, in ICFR that is less severe than a “material weakness,” but important enough to merit attention by those responsible for oversight of a reporting company’s financial reporting. This definition is used in the context of evaluating the required communications under both Sections 302 and 404 of SOX as well as in the SEC’s implementing rules.

II. SEC Approves Streamlined Deregistration for Foreign Private Issuers18

Over the last several years, foreign private issuers (fpi’s) have become increasingly disenchanted with the significant costs of SOX compliance under the federal securities laws. Even an fpi which has a relatively small following of U.S. investors must comply with section 404 and other burdensome SOX requirements. For example, foreign private issuers are required to publish information in their annual reports relating to the scope and adequacy of their internal control systems and their procedures for financial reporting. These fpi’s also are required to assess the effectiveness of their system of ICFR. To make matters worse, an fpi has, in the past, faced challenges in terminating its registration and reporting obligations under the Exchange Act.19 On March 27, 2007, however, the SEC amended existing rules that will make it easier for foreign private issuers to withdraw from U.S. securities markets. Henceforth, fpi’s should more easily be able to meet the test for deregistration under the Exchange Act. By eliminating conditions that had been considered a barrier to entry, the amended rules should encourage participation in U.S. markets by fpi’s.20

Termination of Registration and Reporting Obligations Before the Amendment

Under the previous rules, a foreign private issuer had difficulty meeting the requirements to terminate registration under the Exchange Act’s reporting regime. An fpi could terminate its registration of a class of securities only if there were fewer than 300 holders resident in the United States. Alternatively, a foreign private issuer could terminate if fewer than 500 U.S. residents held the class of securities and the issuer’s total assets did not exceed $10 million on the last day of its most recent three fiscal years.

The 300 U.S. resident shareholder threshold requirement for termination of registration created a roadblock for many fpi’s, who criticized the rule as being outdated and too burdensome, especially when they had engaged in very little or no recent selling activity in the United States. Within a few years of listing securities in the United States, many foreign private issuers discovered that, despite the lack of interest in their securities in the U.S., they had to continue to incur the cost of being an Exchange Act reporting company because the number of their U.S. shareholders exceeded 300. This antiquated system, according to Commissioner Paul Atkins at the SEC’s open meeting on March 21, has been likened at times to a “roach motel.” 21

Deregistration Under the New Amendment

In conjunction with the SEC’s evolving perception of its role in the global marketplace, Atkins noted that with new Exchange Act Rule 12h-6, the Commission has adopted much more “flexible, realistic, and forward-looking rules.”22 The new Exchange Act Rule 12h-6 permits the termination of Exchange Act reporting regarding a class of equity securities under either Section 12(g) or Section 15(d) of the Exchange Act by a foreign private issuer that meets a quantitative benchmark designed to measure relative U.S. market interest for that class of securities. Instead of counting the number of the issuer’s U.S. security holders, the new benchmark focuses on a comparison of the average daily trading volume of an issuer’s securities in the United States with its worldwide average daily trading volume.

Specifically, Rule 12h-6 takes a “volume-based” approach to determine whether an fpi can deregister a class of securities, rather than the previous approach of counting the number of U.S. investors who own shares. Under the amended rules, a foreign private issuer will be able to deregister a class of securities if the average daily trading volume of the securities in the United States has been no greater than 5 percent of the average daily trading volume on a worldwide basis during a recent 12-month period. This approach appropriately weighs the relative U.S. investor interest in the securities of a foreign private issuer, recognizing that U.S. laws should not be applied to purely or predominately foreign transactions.

Under new Rule 12h-6, an fpi which meets the volume-based requirements will be permitted to terminate its registration and reporting obligations under the Exchange Act if it satisfies the following additional conditions: (1) the foreign private issuer has been a reporting company under the Exchange Act for at least one year, is current in its reporting, and has filed at least one Exchange Act annual report; (2) the fpi has not sold its securities in a registered offering in the U.S. during the preceding 12 months (except for exempted securities offerings), and (3) the foreign private issuer has maintained a listing on one or more exchanges for at least a year in a foreign jurisdiction that, either singly or together with one other foreign jurisdiction, constitutes the primary trading market for the securities.

The SEC also amended Rule 12g3-2(b) to permit a foreign private issuer to claim the Rule 12g3-2(b) exemption immediately upon its termination of Exchange Act reporting under Rule 12h-6, rather than waiting 18 months as was previously required. This exemption requires an fpi to publish information required by Rule 12g3-2(b) in English in its home country on its Internet website or through an electronic information delivery system that is generally available to the public in its primary trading market.

III. SEC Proposes Rule Amendments to Ease Capital Raising and Simplify Disclosure for Smaller Companies

In late June, the SEC proposed the following six measures to modernize and improve its capital raising and reporting requirements for smaller companies: 

  • A new system of securities regulation for smaller public companies that would make scaled regulation available to a much larger group of smaller public companies;
  • Modified eligibility requirements so companies with a public float below $75 million can take advantage of the benefits of shelf registration; 
  • A new exemption from Securities Act of 1933 (Securities Act) registration requirements for sales of securities to a newly defined category of “qualified purchasers” in which limited advertising would be permitted; 
  • Shortened holding periods under Securities Act Rule 144 for restricted securities to reduce the cost of capital and to increase access to capital; 
  • New exemptions for compensatory employee stock options so Exchange Act registration requirements would not be triggered solely by a company’s compensation decisions; and 
  • Electronic filing of the form filed by companies making private or limited offerings to ease burdens for filers and make the information filed more readily available.23

Since the federal securities laws were first enacted, the Commission has made special efforts to provide relief to smaller companies and their investors from unduly burdensome federal securities regulation. This concern for small business reflects the SEC’s recognition of the role of small business as an engine of economic activity and job creation in the United States. In March 2005, the SEC created the Advisory Committee on Smaller Public Companies and asked the panel to evaluate the current regulatory system for smaller companies under the federal securities laws and to recommend changes. The proposed rule changes are based primarily upon the Advisory Committee’s recommendations. 24

The SEC proposals include a new system of securities regulation for “smaller reporting companies” that would expand eligibility for the Commission’s scaled disclosure and reporting requirements for smaller companies by making the scaled requirements available to most companies with up to $75 million in public float, or revenues below $50 million if their public float cannot be calculated. The proposals also would simplify the Commission’s disclosure and reporting requirements for a greater number of smaller companies by combining for most purposes the current two categories - “small business issuers” and “non-accelerated filers” - into one category called “smaller reporting companies.” If the proposals are adopted, approximately 42% of Exchange Act reporting companies in 2006 would become eligible to use the scaled disclosure requirements. Current Regulation S-B disclosure requirements for smaller companies would also be integrated into the disclosure requirements of Regulation S-K. 25

Under the current rules, foreign issuers (except those organized in Canada), investment companies, and asset-backed issuers are excluded from the definition of “small business issuer.” The proposed amendments would permit all foreign companies which otherwise qualify as “smaller reporting companies” to file a form that permits disclosure on the same standards as small U.S. issuers. Fpi’s who qualify for “smaller reporting company” status could elect whether to use the domestic forms and provide reports under the new standards or continue to comply with the “F” forms. Investment companies and asset-backed issuers would continue to be excluded from the “smaller reporting company” disclosure rules under the proposed rule amendments.

Proposed amendments to Form S-3 and Form F-3 would revise the eligibility requirements of those forms to allow companies that do not meet the current public float requirements to register primary offerings of their securities, subject to a restriction on the amount of securities those companies may sell pursuant to the expanded eligibility standard in any one-year period. The amendments are intended to allow “smaller reporting companies” that have timely filed their Exchange Act reports for at least one year to benefit from the flexible disclosure and filing process attendant to using Form S-3 and Form F-3. Specifically, companies with less than $75 million in public float would be able to register primary offerings of their securities on Form S-3 or Form F-3; provided, that such companies (i) do not sell more than the equivalent of 20 percent of their public float in primary offerings registered on Form S-3 or Form F-3 over any one-year period, (ii) meet the other eligibility conditions for the use of Form S-3 or Form F-3, as applicable, and (iii) are not “shell companies” and have not been shell companies for at least 12 months before filing the registration statement. Significantly, the proposed rule filing amendments would thus permit most companies with less than $75 million in public float to avail themselves of the relatively streamlined shelf registration regime.26

The Commission’s proposals would provide an exemption from Exchange Act Section 12(g) registration for certain compensatory employee stock options. Thus, two proposed amendments to Exchange Act Rule 12h-1 would provide an exemption from registration under the Exchange Act for (i) private non-reporting issuers of compensatory employee stock options issued under employee stock option plans, and (ii) compensatory employee stock options issued by issuers that previously have registered under Section 12 of the Exchange Act the class of securities underlying the compensatory stock options. 27

The Commission’s proposals also would provide a new exemption from registration under new Rule 507 of Regulation D under the Securities Act for sales of securities to a new category of “qualified purchasers” in which limited advertising would be permitted. In addition, the proposals would add an “investments-owned” standard to the current total assets and net worth standards under which investors can qualify as “accredited” in other Regulation D offerings. Other adjustments to the definition of “accredited investor” in Regulation D are proposed to account for inflation, with the first adjustments to occur in five years.28

The integration safe harbor in Regulation D would be shortened from six months to 90 days. In addition, uniform, updated disqualification provisions would apply to all offerings under Regulation D. The proposals also would simplify and restructure Form D and revise the Form D information required to be filed with the Commission. Finally, the proposed rule changes would require the electronic filing of Form D information using a new online filing system. This new system would be accessible using the Internet and would capture and tag data.29

The proposed rule changes would shorten the holding periods under Securities Act Rules 144 and 145 for restricted securities to six months to reduce the cost of capital and to increase access to capital. In addition, the holding period for restricted securities of reporting companies would be shortened to six months, except that the holding period would be tolled for up to six months while the security holder is engaged in certain hedging transactions. Thus, the proposal would substantially simplify compliance by allowing resale of restricted securities by non-affiliates of reporting companies after satisfying a six-month holding period (or up to 12 months if there is hedging) and by non-affiliates of non-reporting companies after satisfying a 12-month holding period, and, in either case, with no additional requirements. For sales by affiliates of the issuer, the proposals would raise the thresholds that trigger Form 144 filing requirements and eliminate the manner of sale limitations with respect to debt securities. The proposed rule changes also would codify certain staff interpretations related to Rule 144. Proposed amendments to Rule 145 would eliminate the presumptive underwriter provision for transactions that do not involve blank check or shell companies as well as revise the resale provisions of Rule 145(d).30

IV. Conclusion

The SEC continues to believe that it is inappropriate to prescribe a single methodology for management evaluation of ICFR for reporting companies without regard to their respective size and complexity. Management can now rely, however, on a nonexclusive safe harbor with respect to the sufficiency of its annual ICFR evaluation. Foreign private issuers who are overwhelmed by SOX requirements and who meet certain U.S. market volume-based and other requirements will henceforth have an easier time terminating their registration and reporting obligations under the Exchange Act. The SEC has advanced a set of new measures that would update and streamline capital raising and reporting requirements for smaller reporting companies.