As anticipated, the Securities and Exchange Commission (“SEC”) and the Public Company Accounting Oversight Board (“PCAOB”) each has acted unanimously on outstanding proposals to reform and harmonize their guidance to public companies and public company auditors on compliance with the mandates of Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) for management assessments of internal control over financial reporting (“ICFR”) and ICFR audits. The SEC acted in two areas—adopting guidance and related rule changes on management’s evaluation of ICFR and declining to extend further compliance dates for smaller and newly public companies. In a coordinated action taken one day later, the PCAOB adopted new Auditing Standard No. 5 (“AS No. 5”) and rescinded Auditing Standard No. 2 (“AS No. 2”). The SEC guidance for the first time provides public company managements with instruction regarding SOX Section 404 compliance separate and apart from that provided by the PCAOB to auditors regarding the conduct of ICFR audits. At the same time, the PCAOB’s new auditing standard greatly simplifies guidance to auditors, while harmonizing it with the final SEC guidance. The absence of direction to public company managements, and the burdens imposed on both auditors and public companies by AS No. 2, had been the subject of widespread criticism and complaint.


A Substantive Standard for Management’s Evaluation of ICFR, Emphasizing a Risk-Based, Top-Down Approach Consistent with the PCAOB’s Auditing Standard No. 5

At its public meeting on May 23, 2007, the SEC finalized, substantially in the form originally proposed on December 13, 2006, its release providing interpretive guidance to public companies regarding management reports on ICFR. In its current release, the SEC for the first time sets out the substantive standard by which management should assess ICFR. Prior to the SEC’s action, company managements had been able to look only to the guidance provided to auditors by the PCAOB’s AS No. 2 to understand their own separate obligations under SOX Section 404.

The final guidance, like the proposal, takes a principles-based, top-down approach, organized around two core principles:

  • Management should evaluate whether the design of the controls it has implemented adequately addresses the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner; and 
  • Management’s evaluation should be based on its assessment of risk.

The final guidance, however, differs from the proposing release in a number of significant areas. The revisions:

  • Better align the SEC’s guidance and AS No. 5 in areas such as the definition of material weakness (the SEC and PCAOB have adopted a common definition) and related guidance for evaluating deficiencies, including indicators of material weaknesses; 
  • Clarify that management may rely on information gained in ongoing monitoring activities as part of its ICFR assessment;
  • Expand the discussion on how entity-level controls can address financial reporting risks; and
  • Enhance guidance with respect to fraudulent financial reporting.

A Substantive Definition of “Material Weakness” Keyed to “Control Deficiency” and “Reasonable Possibility” Rather Than “Significant Deficiency” and “More than a Remote Likelihood”

One of the most significant aspects of the SEC guidance is that it establishes a substantive definition of “material weakness” for use by company management in ICFR evaluations. Previously, that term had been defined for audit purposes by the PCAOB in AS No. 2, with management in effect required to use the accounting definition. Under the new construct, the SEC has provided a substantive standard to be used by management in ICFR evaluations, with the auditors conducting their audit to substantiate (or not) management’s application of that substantive standard. It is anticipated that this change in focus will significantly help to rein in the costs of ICFR audits.

The new “material weakness” definition both modifies and clarifies the AS No. 2 standard. As originally defined in AS No. 2, a “material weakness” was “a significant deficiency, or combination of significant deficiencies, resulting in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.” The new definition, which is common to both the SEC guidance and AS No. 5, replaces the term “significant deficiency” with the term “deficiency” and the “more than a remote likelihood” standard with a “reasonable possibility” standard. The elimination of the term “significant deficiency” from the definition is intended to uncouple the concepts of “material weaknesses”, which must be publicly disclosed, and “significant deficiencies”, which must be disclosed only to the issuer’s audit committee. The SEC, however, deferred adopting a definition of “significant deficiency” (in contrast to the PCAOB, which retained, with some modifications, its AS No. 2 definition), instead voting to issue a separate release seeking comment on its proposed definition. The new articulation of the probability standard, replacing “more than a remote likelihood” with “reasonable possibility”, is designed to ensure that management and auditors will use an appropriately high threshold to determine whether a material weakness exists.

Related Rule Amendments to Streamline the Section 404 Process

In line with the goal of balancing the burdens on public companies of compliance with SOX Section 404 with the benefits to investors of such compliance, the SEC adopted a number of previously proposed correlative rule changes. These changes:

  • Provide a safe harbor under which a management evaluation conducted in accordance with the SEC’s interpretive guidance will presumptively satisfy the annual management evaluation requirements under Exchange Act rules implementing the internal control provisions of SOX Section 404. The safe harbor is non-exclusive and explicitly acknowledges that there are many acceptable ways to conduct an ICFR evaluation. 
  • Require that the auditor only issue one opinion, attesting to the effectiveness of the registrant’s ICFR. Under AS No. 2, the auditor was required to issue two opinions—one attesting to management’s assessment of ICFR and one attesting to the effectiveness of the company’s ICFR—and, therefore, to audit both the assessment process and the ultimate effectiveness of ICFR.

No Further Compliance Extensions for Smaller and Newly Public Companies

While the SEC’s adoption of its interpretive guidance was aimed at lessening the impact of Section 404 compliance, it did not take the added step of providing further relief to smaller and newly public companies by further extending SOX Section 404 compliance deadlines. (Two SEC commissioners did, however, indicate that they might reconsider the matter of another deferral for small businesses later in the year.) The final compliance schedule, as adopted in December 2006, is as follows:

  • A newly public company will have to “file” its management’s report and the auditor’s attestation report on ICFR for the first time as part of its second annual report as a public company. The company will have to make specific disclosure in its first public company annual report that the report does not include either management’s assessment or the auditor’s attestation report on the company’s ICFR. 
  • A non-accelerated filer will have to “furnish” (but not “file”) its first management’s report on ICFR for its first fiscal year ending on or after December 15, 2007 and “file” both management’s report and the auditor’s attestation report on ICFR for the next fiscal year. For calendar year companies, this schedule means that management review of ICFR will have to begin this year, with a furnished report included in the annual report for 2007 (filed in March 2008), and a filed management report and auditor’s attestation to follow in the 2009 filing. 
  • A foreign private issuer that is an accelerated filer (but not a large accelerated filer) will be treated in a manner similar to that of a non-accelerated filer, but only in respect to its annual report for a fiscal year ending on or after July 15, 2006 but before July 15, 2007.

The effective date of the interpretive guidance and rules amendments will be 30 days from their publication in the Federal Register. (The compliance deadlines are already effective.) As of the date of this article, the SEC had not published the actual text of its guidance and rules. The SEC staff is expected to publish “Frequently Asked Questions” relating to its guidance in the near future.


A Simplified, Risk-Based, Scalable Approach to ICFR Auditing

In a critical companion action, on May 24, 2007, the PCAOB adopted AS No. 5 and withdrew AS No. 2, which has been the standard for ICFR audits since 2004. Originally proposed on December 19, 2006, AS No. 5 represents a dramatic shift from AS No. 2, which was widely viewed as burdensome and overly prescriptive.

AS No. 5 streamlines the guidance for public company auditors by providing a more principles-based approach to the ICFR audit. The new standard seeks to:

  • Focus the internal control audit on the most important matters, including high risk areas and those that have a reasonable possibility of resulting in material misstatement;
  • Eliminate unnecessary procedures by identifying and dispensing with those that are not needed to achieve the intended benefits of the audit, focusing the multi-location testing requirements on risk rather than coverage and removing barriers to using the work of others;
  • Make the audit scalable to the size and complexity of any public company; and
  • Simplify the guidance by replacing detailed requirements with more general principles and using plain English to define key terms and concepts.

Harmony with the Definitions and Concepts of the SEC’s New Interpretive Guidance

In addition, while largely conforming to the proposed standard, the final form of AS No. 5 contains significant modifications, most of which mirror changes in, or conform AS No. 5 to, the SEC’s interpretive guidance for public company managements. The revisions: 

  • Align key terms and concepts, such as the definition of “material weakness” and the emphasis on a top-down, risk-based approach, with those in the SEC guidance; 
  • Permit auditors to tailor their audit approach to the individual company by eliminating the requirement of identifying major classes of transactions and significant processes; 
  • Emphasize the importance of fraud risk and controls by expanding the discussion of this topic and moving it closer to the beginning of the standard; 
  • Explain how various entity-level controls that differ in nature and precision can affect the selection and testing of other controls; 
  • Refocus auditors on performing walkthroughs to achieve specific audit objectives, rather than merely because they are required under a prescriptive, checklist approach; 
  • Emphasize that auditors need not set the scope of the audit to find deficiencies that, individually or in the aggregate, do not constitute material weaknesses but must still evaluate all identified deficiencies and communicate them, in writing, to the audit committee; 
  • Integrate scalability guidance into the body of the standard, thereby expanding the scalability concept beyond smaller companies to include business units or processes within larger companies that may be less complex than others; and
  • Retain the existing guidance regarding auditors’ use of the work of others contained in the interim standard, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements (“AU sec. 322”) for both financial statement audits and audits of internal control. (The original AS No. 5 proposal would have created a new auditing standard superseding AU sec. 322 and replacing the direction on using the work of others in an audit of internal control in AS No. 2.)

AS No. 5 is not effective until it is approved by the SEC. Subject to such approval, the standard will apply to all audits of internal control for fiscal years ending on or after November 15, 2007. Early implementation is permitted. Early adopters, however, will be required to use the AS No. 5 definition of “material weakness” rather than the definition contained in AS No. 2.