[Federal Register: December 27, 2006 (Volume 71, Number 248)]
[Proposed Rules]
[Page 77635-77653]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27de06-25]
=======================================================================
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 210, 240 and 241
[Release Nos. 33-8762; 34-54976; File No. S7-24-06]
RIN 3235-AJ58
Management's Report on Internal Control Over Financial Reporting
AGENCY: Securities and Exchange Commission.
ACTION: Proposed interpretation; Proposed rule.
-----------------------------------------------------------------------
SUMMARY: We are proposing interpretive guidance for management
regarding its evaluation of internal control over financial reporting.
The interpretive guidance sets forth an approach by which management
can conduct a top-down, risk-based evaluation of internal control over
financial reporting. The proposed guidance is intended to assist
companies of all sizes to complete their annual evaluation in an
effective and efficient manner, and it provides guidance on a number of
areas commonly cited as concerns over the past two years. In addition,
we are proposing an amendment to our rules requiring management's
annual evaluation of internal control over financial reporting to make
it clear that an evaluation that complies with the interpretive
guidance is one way to satisfy those rules. Further, we are proposing
an amendment to our rules to revise the requirements regarding the
auditor's attestation report on the assessment of internal control over
financial reporting.
DATES: Comment Date: Comments should be received on or before February
26, 2007.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
Send an e-mail to rule-comments@sec.gov. Please include File Number S7-24-06 on the subject line; or
Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.
Paper Comments
Send paper comments in triplicate to Nancy M. Morris,
Secretary, Securities and Exchange Commission, 100 F Street, NE.,
Washington, DC 20549-1090.
All submissions should refer to File Number S7-24-06. This file
number should be included on the subject line if e-mail is used. To
help us process and review your comments more efficiently, please use
only one method. The Commission will post all comments on the
Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml).
Comments are also available for public inspection and
copying in the Commission's Public Reference Room, 100 F Street, NE.,
Washington, DC 20549. All comments received will be posted without
change; we do not edit personal identifying information from
submissions. You should submit only information that you wish to make
available publicly.
FOR FURTHER INFORMATION CONTACT: Michael G. Gaynor, Professional
Accounting Fellow, Office of the Chief Accountant, at (202) 551-5300,
or N. Sean Harrison, Special Counsel, Division of Corporation Finance,
at (202) 551-3430, U.S. Securities and Exchange Commission, 100 F
Street, NE., Washington, DC 20549.
SUPPLEMENTARY INFORMATION: We are proposing amendments to Rule
13a-15(c),\1\ and Rule 15d-15(c) \2\ under the Securities Exchange Act of
1934 (the ``Exchange Act'');\3\ and Rules 1-02(a)(2) \4\ and 2-02(f)
\5\ of Regulation S-X.\6\
---------------------------------------------------------------------------
\1\ 17 CFR 240.13a-15(c).
\2\ 17 CFR 240.15d-15(c).
\3\ 15 U.S.C. 78a et seq.
\4\ 17 CFR 210.1-02.
\5\ 17 CFR 210.2-02(f).
\6\ 17 CFR 210.1-01 et seq.
---------------------------------------------------------------------------
I. Background
Section 404(a) of the Sarbanes-Oxley Act of 2002 \7\ (``Sarbanes-Oxley'')
directed the Commission to prescribe rules that require each
annual report that a company, other than a registered investment
company, files pursuant to Section 13(a) or 15(d) \8\ of the Exchange
Act to contain an internal control report: (1) Stating management's
responsibility for establishing and maintaining an adequate internal
control structure and procedures for financial reporting; and (2)
containing an assessment, as of the
end of the company's most recent fiscal year, of the effectiveness of
the company's internal control structure and procedures for financial
reporting. On June 5, 2003, the Commission adopted rules implementing
Section 404 with regard to management's obligations to report on its
internal control structure and procedures and, in so doing, created the
term ``internal control over financial reporting'' (``ICFR'').\9\
---------------------------------------------------------------------------
\7\ 15 U.S.C. 7262.
\8\ 15 U.S.C. 78m(a) or 78o(d).
\9\ See Release No. 33-8238 (June 5, 2003) [68 FR 36636]
(hereinafter the ``Adopting Release''). See Release No. 33-8392
(February 24, 2004) [69 FR 9722] for compliance dates applicable to
accelerated filers. See Release No. 33-8760 (December 15, 2006) for
compliance dates applicable to non-accelerated filers.
---------------------------------------------------------------------------
The establishment and maintenance of internal accounting controls
has been required of public companies since the enactment of the
Foreign Corrupt Practices Act of 1977 (``FCPA'').\10\ The significance
of Section 404 of Sarbanes-Oxley is that it re-emphasizes the important
relationship between the maintenance of effective ICFR and the
preparation of reliable financial statements. Effective ICFR can also
help companies deter fraudulent financial accounting practices or
detect them earlier and perhaps reduce their adverse effects. While
controls are susceptible to manipulation, especially in instances of
fraud involving the collusion of two or more people, including senior
management, these are known limitations of internal control systems.
Therefore, it is possible to design ICFR to reduce, though not
eliminate, instances of fraud.
---------------------------------------------------------------------------
\10\ Title I of Pub. L. 95-213 (1977). Under the FCPA, companies
that have a class of securities registered under Section 12 of the
Exchange Act, or that are required to file reports under Section
15(d) of the Exchange Act, are required to (a) make and keep books,
records, and accounts, which, in reasonable detail, accurately and
fairly reflect the transactions and dispositions of the assets of
the issuer; and (b) to devise and maintain a system of internal
accounting controls sufficient to provide reasonable assurances
that:
(i) transactions are executed in accordance with management's
general or specific authorization;
(ii) transactions are recorded as necessary (1) to permit
preparation of financial statements in conformity with generally
accepted accounting principles or any other criteria applicable to
such statements, and (2) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with
management's general or specific authorization; and
(iv) the recorded accountability for assets is compared with the
existing assets at reasonable intervals and appropriate action is
taken with respect to any differences.
The definition of internal control over financial reporting is
consistent with the description of internal accounting controls
under the FCPA.
---------------------------------------------------------------------------
When the Commission adopted rules in June 2003 to implement Section
404 of Sarbanes-Oxley, we emphasized two broad principles: (1) That the
evaluation must be based on procedures sufficient both to evaluate the
design and to test the operating effectiveness \11\ of ICFR; and (2)
that the assessment, including testing, must be supported by reasonable
evidential matter.\12\ Instead of providing specific guidance regarding
the evaluation, we expressed our belief that the methods of conducting
evaluations of ICFR will, and should, vary from company to company and
will depend on the circumstances of the company and the significance of
the controls.\13\ We continue to believe that it is impractical to
prescribe a single methodology that meets the needs of every company.
---------------------------------------------------------------------------
\11\ See Adopting Release at Section II.B.3.d.
\12\ Id.
\13\ Id.
---------------------------------------------------------------------------
Since the Commission first adopted the ICFR requirements, companies
and third parties have devoted considerable attention to the methods
that management may use to evaluate ICFR. Efforts to comply with the
Commission's rules have resulted in many public companies internally
developing their own evaluation processes, while other companies have
retained consultants or purchased commercial software and other
products to establish or improve their ICFR evaluation process.\14\
Management must bring its own experience and informed judgment to bear
in order to design an evaluation process that meets the needs of its
company and that provides reasonable assurance for its assessment. This
proposed guidance is intended to allow management the flexibility to
design such an evaluation process.
---------------------------------------------------------------------------
\14\ Exchange Act Rules 13a-15 and 15d-15 require management to
evaluate the effectiveness of ICFR as of the end of the fiscal year.
For purposes of this document, the term ``evaluation'' or
``evaluation process'' refers to the methods and procedures that
management implements to comply with these rules. The term
``assessment'' is used in this document to describe the disclosure
required by Item 308 of Regulations S-B and S-K [17 CFR 228.308 and
229.308]. This disclosure must include discussion of any material
weaknesses which exist as of the end of the most recent fiscal year
and management's assessment of the effectiveness of ICFR, including
a statement as to whether or not ICFR is effective. Management is
not permitted to conclude that ICFR is effective if there are one or
more material weaknesses in ICFR.
---------------------------------------------------------------------------
In order to facilitate the comparability of the assessment reports
among companies, our rules implementing Section 404 require management
to base its assessment of a company's internal control on a suitable
evaluation framework. While the establishment and maintenance of
internal accounting controls have been required since the enactment of
the FCPA, as discussed above, the Commission's rules implementing
Section 404 required management for the first time to use a framework
for evaluating ICFR. It is important to note that our rules do not
mandate the use of a particular framework, since multiple viable
frameworks exist and others may be developed in the future. However, in
the release adopting the Section 404 requirements, the Commission
identified the Internal Control--Integrated Framework created by the
Committee of Sponsoring Organizations of the Treadway Commission
(``COSO'') as an example of a suitable framework.\15\ \16\
---------------------------------------------------------------------------
\15\ See COSO, Internal Control--Integrated Framework (1992). In
1994, COSO published an addendum to the Reporting to External
Parties volume of the COSO Report. The addendum discusses the issue
of, and provides a vehicle for, expanding the scope of a public
management report on internal control to address additional controls
pertaining to safeguarding of assets. In 1996, COSO issued a
supplement to its original framework to address the application of
internal control over financial derivative activities.
The COSO framework is the result of an extensive study of
internal control to establish a common definition of internal
control that would serve the needs of companies, independent public
accountants, legislators, and regulatory agencies, and to provide a
broad framework of criteria against which companies could evaluate
and improve their control systems. The COSO framework divides
internal control into three broad objectives: effectiveness and
efficiency of operations, reliability of financial reporting, and
compliance with applicable laws and regulations. Our rules relate
only to reliability of financial reporting. Each of the objectives
in the COSO framework is further broken down into five interrelated
components: control environment, risk assessment, control
activities, information and communication, and monitoring.
\16\ In that release, we also cited the Guidance on Assessing
Control published by the Canadian Institute of Chartered Accountants
(``CoCo'') and the report published by the Institute of Chartered
Accountants in England & Wales Internal Control: Guidance for
Directors on the Combined Code (known as the Turnbull Report) as
examples of other suitable frameworks that issuers could choose in
evaluating the effectiveness of their internal control over
financial reporting. We encourage companies to examine and select a
framework that may be useful in their own circumstances; we also
encourage the further development of alternative frameworks.
---------------------------------------------------------------------------
While the COSO framework identifies the components and objectives
of an effective system of internal control, it does not set forth an
approach for management to follow in evaluating the effectiveness of a
company's ICFR.\17\ We, therefore, distinguish between the COSO
framework as a definition of what constitutes an effective system of
internal control and guidance on how to evaluate ICFR for purposes of
our rules. The guidance that we are proposing in
this release is not intended to replace or modify the COSO framework or
any other suitable framework.
---------------------------------------------------------------------------
\17\ On July 11, 2006, COSO issued guidance entitled ``Internal
Control Over Financial Reporting--Guidance for Smaller Public
Companies'' that was designed primarily to help management of
smaller public companies with establishing and maintaining effective
ICFR. The guidance includes evaluation tools; however, these tools
are intended only to be illustrative.
---------------------------------------------------------------------------
In determining the need for additional guidance to management on
how to conduct its evaluation, it is important to consider the steps
that have been taken by the Commission and others to provide guidance
to companies and audit firms. The Commission held its first roundtable
discussion about implementation of the internal control reporting
provisions on April 13, 2005. The 2005 roundtable sought input to
consider the impact of the implementation of the Section 404 reporting
requirements in view of the fact that Section 404 resulted in a major
change for management and auditors. A broad range of interested
parties, including representatives of managements and boards of
domestic and foreign public companies, auditors, investors, legal
counsel, and board members of the Public Company Accounting Oversight
Board (``PCAOB''), participated in the discussion. We also invited and
received written submissions from the public regarding Section 404 in
advance of the roundtable.
Feedback obtained from the 2005 roundtable indicated that the
internal control reporting requirements had led to an increased focus
by management on ICFR. However, the feedback also identified particular
areas which were in need of further clarification to reduce unnecessary
costs and burdens while at the same time not jeopardizing the benefits
of Section 404. In addition, feedback indicated that a number of the
implementation issues arose from an overly conservative application of
the Commission rules and PCAOB Auditing Standard No. 2, An Audit of
Internal Control Over Financial Reporting Performed in Conjunction With
an Audit of Financial Statements (``AS No. 2''), and the requirements
of AS No. 2 itself, as well as questions regarding the appropriate role
of the auditor in management's evaluation process.
In response to this feedback, the Commission and its staff issued
guidance on May 16, 2005,\18\ emphasizing that management, not the
auditor, is responsible for determining the appropriate nature and form
of internal controls for the company as well as their evaluation
methods and procedures. The May 2005 Staff Guidance emphasized and
clarified existing provisions of the rules and other Commission
guidance relating to the exercise of professional judgment, the concept
of reasonable assurance, and the permitted communications between
management and auditors. Feedback has indicated that the May 2005 Staff
Guidance was appropriate, and while we have incorporated certain
sections of that guidance into the proposed interpretive guidance set
forth in this release, the May 2005 Staff Guidance remains
relevant.\19\
---------------------------------------------------------------------------
\18\ Commission Statement on Implementation of Internal Control
Reporting Requirements, Press Release No. 2005-74 (May 16, 2005);
Division of Corporation Finance and Office of the Chief Accountant:
Staff Statement on Management's Report on Internal Control Over
Financial Reporting (May 16, 2005) (hereinafter ``May 2005 Staff
Guidance'') available at http://www.sec.gov/spotlight/soxcom/.htm.
Also on May 16, 2005, the PCAOB and its staff issued guidance to
auditors on their audits under AS No. 2. The PCAOB's guidance
focused on areas in which the efficiency of the audit could be
substantially improved. Topics included the importance of the
integrated audit, the role of risk assessment throughout the
process, the importance of taking a top-down approach, and auditors'
use of the work of others.
\19\ The incorporation of our May 16, 2005 guidance into this
guidance was generally supported in comments received in response to
the Concept Release Concerning Management's Reports on Internal
Control Over Financial Reporting, Release No. 34-54122 (July 11,
2006) [71 FR 40866] available at http://www.sec.gov/rules/concept/2006/34-54122.pdf
(hereinafter ``Concept Release''). See, for
example, letters received from the American Electronics Association,
Computer Sciences Corporation, American Institute of Certified
Public Accountants, Institute of Management Accountants and Schering
AG (available at http://www.sec.gov/comments/s7-11-06/s71106.shtml).
---------------------------------------------------------------------------
In its Final Report to the Commission, issued on April 23, 2006,
the Commission's Advisory Committee on Smaller Public Companies
(``Advisory Committee'') raised a number of concerns regarding the
ability of smaller companies to comply cost-effectively with the
requirements of Section 404. The Advisory Committee identified as an
overarching concern the difference in how smaller and larger public
companies operate. The Advisory Committee focused in particular on
three characteristics: (1) The limited number of personnel in smaller
companies, which constrains the companies' ability to segregate
conflicting duties; (2) top management's wider span of control and more
direct channels of communication, which increase the risk of management
override; and (3) the dynamic and evolving nature of smaller companies,
which limits their ability to have static processes that are
well-documented.\20\
---------------------------------------------------------------------------
\20\ Final Report of the Advisory Committee on Smaller Public
Companies to the United States Securities and Exchange Commission
(April 23, 2006) at 35-36, available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf
(hereinafter ``Advisory Committee Final Report'').
---------------------------------------------------------------------------
The Advisory Committee suggested that these characteristics create
unique differences in how smaller companies achieve effective ICFR that
may not be adequately accommodated in AS No. 2 or other implementation
guidance as currently applied in practice.\21\ In addition, the
Advisory Committee noted serious ramifications for smaller public
companies stemming from the cost of frequent documentation changes and
sustained review and testing of controls perceived to be necessary to
comply with the Section 404 requirements. Indeed, the Advisory
Committee noted that costs in relation to revenue have been
disproportionately borne by smaller public companies.\22\
---------------------------------------------------------------------------
\21\ Id. at 37.
\22\ Id. at 33.
---------------------------------------------------------------------------
The Advisory Committee Final Report sets forth several
recommendations for the Commission to consider regarding the
application of the Section 404 requirements to smaller public
companies. The Advisory Committee recommended partial or complete
exemptions from the internal control reporting requirements for
specified types of smaller public companies under certain conditions,
unless and until a framework is developed for assessing ICFR that
recognizes the characteristics and needs of those companies. The
Advisory Committee also recommended, among other things, that the
Commission, COSO and the PCAOB provide additional guidance to
management to help facilitate the design and evaluation of ICFR and
make processes related to internal control more cost-effective.\23\ In
addition, some commenters on the Advisory Committee's exposure draft of
its report suggested that the Commission reexamine the appropriate role
of outside auditors in connection with the management assessment
required by the rules implementing Section 404.\24\
---------------------------------------------------------------------------
\23\ Id. at 52.
\24\ See, e.g., letter from BDO Seidman, LLP (April 3, 2006),
available at http://www.sec.gov/rules/other/265-23/bdoseidman9239.pdf.
---------------------------------------------------------------------------
Further, in April 2006, the U.S. Government Accountability Office
issued a Report to the Committee on Small Business and
Entrepreneurship, U.S. Senate, entitled Sarbanes-Oxley Act,
Consideration of Key Principles Needed in Addressing Implementation for
Smaller Public Companies, which recommended that in considering the
concerns of the Advisory Committee, the Commission should assess the
available guidance for management to determine whether it is sufficient
or whether additional action is needed. That report stated that
management's implementation and evaluation efforts were largely driven
by AS No. 2 because guidance was not available for
management.\25\ Further, the GAO Report recommended that the Commission
coordinate with the PCAOB to help ensure that the Section 404-related
audit standards and guidance are consistent with any additional
management guidance issued.\26\
---------------------------------------------------------------------------
\25\ United States Government Accountability Office Report to
the Committee on Small Business and Entrepreneurship, U.S. Senate:
Sarbanes-Oxley Act: Consideration of Key Principles Needed in
Addressing Implementation for Smaller Public Companies (April 2006)
at 52-53, available at http://www.gao.gov/new.items/d06361.pdf
(hereinafter ``GAO Report'').
\26\ Id. at 58.
---------------------------------------------------------------------------
On May 10, 2006, the Commission and PCAOB conducted a second
Roundtable on Internal Control Reporting and Auditing Provisions to
solicit feedback on accelerated filers' second year of compliance with
the Section 404 requirements. Several participants indicated that their
evaluation processes had improved from year one, but that additional
improvements were needed. Although some expressed concern about being
required to change the evaluation processes they have already
implemented, a number of the participants expressed, at the roundtable
and in their written comments, the view that additional management
guidance was needed.\27\
---------------------------------------------------------------------------
\27\ See transcript of Roundtable Discussion on Second Year
Experiences with Internal Control Reporting and Auditing Provisions,
May 10, 2006, Panels 1, 2, 3, and 5; letter from The Institute of
Internal Auditors (IIA) (May 1, 2006); letter from Institute of
Management Accountants (IMA) (May 4, 2006); letter from Canadian
Bankers Association (CBA) (April 28, 2006); letter from Deloitte &
Touche LLP (May 1, 2006); letter from Ernst & Young LLP (May 1,
2006); letter from KPMG LLP (May 1, 2006); letter from
PricewaterhouseCoopers LLP (May 1, 2006) and letter from Pfizer Inc.
(May 1, 2006), all available at http://www.sec.gov/news/press/4-511.shtml.
---------------------------------------------------------------------------
On July 11, 2006, COSO published additional application guidance
for its control framework, Internal Control over Financial Reporting--
Guidance for Smaller Public Companies. This guidance is intended to
assist the management of smaller companies in understanding and
applying the COSO framework. It outlines principles fundamental to the
five components of internal control described in the COSO framework.
Further, this guidance defines each of these principles and describes
the attributes of each. It also lists a variety of approaches that
smaller companies can use to apply the principles and includes examples
of how smaller companies have applied the principles. The Commission
anticipates that the guidance will help organizations of all sizes that
use the COSO framework to better understand and apply it to ICFR.
On July 11, 2006, the Commission issued a Concept Release to seek
public feedback on the Commission's planned issuance of guidance
regarding management's evaluation and assessment of the effectiveness
of ICFR.\28\ The Concept Release sought specific feedback in three
areas described below, as well as inquired about whether there were
other areas where guidance should also be provided.
---------------------------------------------------------------------------
\28\ See footnote 19 above for reference.
---------------------------------------------------------------------------
- Risk and control identification (such as how management
  considers entity-level controls, financial statement account and
  disclosure level considerations, as well as fraud risks); \29\
- The methods or approaches available to management to
  gather evidence to support its assessment, and factors management
  should consider in determining the nature, timing and extent of its
  evaluation procedures; and
- Documentation requirements, including overall objectives
  of the documentation and factors that might influence documentation
  requirements.
---------------------------------------------------------------------------
\29\ The term ``entity-level controls'' as used in this document
describes aspects of a system of internal control that have a
pervasive effect on the entity's system of internal control such as
controls related to the control environment (e.g., management's
philosophy and operating style, integrity and ethical values, board
or audit committee oversight; and assignment of authority and
responsibility); controls over management override; the company's
risk assessment process; centralized processing and controls,
including shared service environments; controls to monitor results
of operations; controls to monitor other controls, including
activities of the internal audit function, the audit committee, and
self-assessment programs; controls over the period-end financial
reporting process; and policies that address significant business
control and risk management practices. The term ``company-level'' is
also commonly used to describe these controls.
---------------------------------------------------------------------------
The Commission received 167 comment letters in response to the Concept
Release, a majority of which supported additional Commission guidance
to management that is applicable to companies of all sizes and
complexities.\30\ The Commission considered the feedback received in
those comment letters in drafting this proposed interpretive guidance.
---------------------------------------------------------------------------
\30\ The public comments we received are available for
inspection in the Commission's Public Reference Room at 100 F
Street, NE., Washington DC 20549 in File No. S7-11-06. They are also
available on-line at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------
Further, the Commission has also received feedback that its
guidance and ICFR rules have been interpreted as applying to non-profit
and non-public organizations. The Commission does not regulate such
organizations, and none of the Commission's guidance or rules is
intended to apply to such organizations.
II. Introduction
To implement Section 404(a) of the Sarbanes-Oxley Act, the
Commission adopted rules requiring that management annually issue a
report that contains an assessment of the effectiveness of ICFR.\31\ An
overall objective of ICFR is to foster the preparation of reliable
financial statements. Reliable financial statements must be materially
accurate. Therefore, the central purpose of the evaluation is to assess
whether there is a reasonable possibility of a material misstatement in
the financial statements not being prevented or detected on a timely
basis by the company's ICFR.\32\
---------------------------------------------------------------------------
\31\ Exchange Act Rules 13a-15(f) and 15d-15(f) [17 CFR
240.13a-15(f) and 15d-15(b)] define internal control over financial
reporting as:
A process designed by, or under the supervision of, the issuer's
principal executive and principal financial officers, or persons
performing similar functions, and effected by the registrant's board
of directors, management and other personnel, to provide reasonable
assurance regarding the reliability of financial reporting and the
preparation of financial statements for external purposes in
accordance with generally accepted accounting principles and
includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable
detail accurately and fairly reflect the transactions and
dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and that
receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the
registrant; and
(3) Provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the
registrant's assets that could have a material effect on the
financial statements.
\32\ There is a reasonable possibility of an event when the
likelihood of the event is either ``reasonably possible'' or
``probable'' as those terms are used in Financial Accounting
Standards Board Statement No. 5, Accounting for Contingencies.
---------------------------------------------------------------------------
Management's assessment is based on whether any material weaknesses
exist as of the end of the fiscal year. A material weakness is a
deficiency, or combination of deficiencies, in ICFR such that there is
a reasonable possibility that a material misstatement of the company's
annual or interim financial statements will not be prevented or
detected on a timely basis by the company's ICFR.\33\
---------------------------------------------------------------------------
\33\ Existing PCAOB auditing literature describes a material
weakness as a control deficiency, or combination of control
deficiencies, that result in more than a remote likelihood that a
material misstatement of the company's annual or interim financial
statements will not be prevented or detected. Our use of the phrase
``reasonable possibility'' rather than ``more than remote'' to
describe the likelihood of a material error is intended to more
clearly communicate the likelihood element. We note that the PCAOB
has indicated that it intends to revise its definitions to use the
phrase ``reasonable possibility.'' AS No. 2 establishes that a
control is deficient when the design or operation of a control does
not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect
misstatements on a timely basis. The definition formulated here is
intended to be consistent with its use in existing auditing
literature and practice.
---------------------------------------------------------------------------
Management should implement and conduct an evaluation that is
sufficient to provide it with a reasonable basis for its annual
assessment. Management should use its own experience and informed
judgment in designing an evaluation process that aligns with the
operations, financial reporting risks and processes of the company.\34\
If the evaluation process identifies material weaknesses that exist as
of the end of the fiscal year, such weaknesses must be disclosed in
management's annual report with a statement that ICFR is
ineffective.\35\ If the evaluation identifies no internal control
deficiencies that constitute a material weakness, management assesses
ICFR as effective.\36\
---------------------------------------------------------------------------
\34\ This point also is made in one of the publicly available
and commonly used assessment tools--the third volume of the report
by COSO, Internal Control--Integrated Framework: Evaluation Tools.
That volume cautioned that ``because facts and circumstances vary
between entities and industries, evaluation methodologies and
documentation will also vary. Accordingly, entities may use
different evaluation tools, or use other methodologies utilizing
different evaluative techniques.''
\35\ This focus on material weaknesses will lead to a better
understanding by investors of internal control over financial
reporting, as well as its inherent limitations. Further, the
Commission's rules implementing Section 404, by providing for public
disclosure of material weaknesses, concentrate attention on the most
important internal control issues.
\36\ If management's evaluation process identifies material
weaknesses, but all material weaknesses are remediated by the end of
the fiscal year, management may exclude disclosure of those from its
assessment and state that ICFR is effective as of the end of the
fiscal year. However, management should consider whether disclosure
of the remediated material weaknesses is appropriate or required
under Item 307 or Item 308 of Regulations S-K or S-B or other
Commission disclosure rules.
---------------------------------------------------------------------------
Management is required to assess as of the end of the fiscal year
whether the company's ICFR is effective in providing reasonable
assurance regarding the reliability of financial reporting.\37\
Management is not required by Section 404 of Sarbanes-Oxley to assess
other internal controls, such as controls solely implemented to meet a
company's operational objectives. Further, ``reasonable assurance''
does not mean absolute assurance. ICFR cannot prevent or detect all
misstatements, whether unintentional errors or fraud. Rather, the
``reasonable assurance'' referred to in the Commission's implementing
rules relates to similar language in the FCPA. Exchange Act Section
13(b)(7) defines ``reasonable assurance'' and ``reasonable detail'' as
``such level of detail and degree of assurance as would satisfy prudent
officials in the conduct of their own affairs.'' \38\ The Commission
has long held that ``reasonableness'' is not an ``absolute standard of
exactitude for corporate records.'' \39\ In addition, the Commission
recognizes that while ``reasonableness'' is an objective standard,
there is a range of judgments that an issuer might make as to what is
``reasonable'' in implementing Section 404 and the Commission's rules.
Thus, the terms ``reasonable,'' ``reasonably'' and ``reasonableness''
in the context of Section 404 implementation do not imply a single
conclusion or methodology, but encompass the full range of appropriate
potential conduct, conclusions or methodologies upon which an issuer
may reasonably base its decisions.
---------------------------------------------------------------------------
\37\ See Exchange Act Rules 13a-15 and 15d-15.
\38\ 15 U.S.C. 78m(b)(7). The conference committee report on
amendments to the FCPA also noted that the standard ``does not
connote an unrealistic degree of exactitude or precision. The
concept of reasonableness of necessity contemplates the weighing of
a number of relevant factors, including the costs of compliance.''
Cong. Rec. H2116 (daily ed. April 20, 1988).
\39\ Release No. 34-17500 (January 29, 1981) [46 FR 11544].
---------------------------------------------------------------------------
This release proposes guidance regarding matters we believe will
help management design and conduct its evaluation and assess the
effectiveness of ICFR. The guidance assumes management has established
and maintains a system of internal accounting controls as required by
the FCPA. Further, it does not explain how management should design its
ICFR to comply with the control framework it has chosen. To allow
appropriate flexibility, the guidance does not provide a checklist of
steps management should perform in completing its evaluation. Rather,
it describes a top-down, risk-based approach that allows for the
exercise of significant judgment so that management can design and
conduct an evaluation that is tailored to its company's individual
circumstances.\40\ \41\
---------------------------------------------------------------------------
\40\ Because management is responsible for maintaining effective
internal control over financial reporting, this proposed
interpretive guidance does not specifically address the role of the
board of directors or audit committee in a company's evaluation and
assessment of ICFR. However, we would ordinarily expect a board of
directors or audit committee, as part of its oversight
responsibilities for the company's financial reporting, to be
knowledgeable and informed about the evaluation process and
management's assessment, as necessary in the circumstances.
\41\ See footnote 42 below.
---------------------------------------------------------------------------
The proposed guidance is organized around two broad principles. The
first principle is that management should evaluate the design of the
controls that it has implemented to determine whether they adequately
address the risk that a material misstatement in the financial
statements would not be prevented or detected in a timely manner. The
guidance describes a top-down, risk-based approach to this principle,
including the role of entity-level controls in assessing financial
reporting risks and the adequacy of controls. The proposed guidance
promotes efficiency by allowing management to focus on those controls
that are needed to adequately address the risk of a material
misstatement in its financial statements. There is no requirement in
our guidance to identify every control in a process or document the
business processes impacting ICFR. Rather, under the approach described
herein, management focuses its evaluation process and the documentation
supporting the assessment on those controls that it believes adequately
address the risk of a material misstatement in the financial
statements. For example, if management determines that the risks for a
particular financial reporting element are adequately addressed by an
entity-level control, no further evaluation of other controls is
required.
The second principle is that management's evaluation of evidence
about the operation of its controls should be based on its assessment
of risk. The proposed guidance provides an approach for making risk-
based judgments about the evidence needed for the evaluation. This
allows management to align the nature and extent of its evaluation
procedures with those areas of financial reporting that pose the
greatest risks to reliable financial reporting (i.e., whether the
financial statements are materially accurate). As a result, management
may be able to use more efficient approaches to gathering evidence,
such as self-assessments, in low-risk areas and perform more extensive
testing in high-risk areas.
By following these two principles, we believe companies of all
sizes and complexities will be able to implement our rules effectively
and efficiently.\42\ As smaller public companies generally have less
complex internal control systems than larger public companies, this
top-down, risk-based approach should enable smaller public companies in
particular to scale and tailor their
evaluation methods and procedures to fit their own facts and
circumstances.\43\ We encourage smaller public companies to take
advantage of the flexibility and scalability of this approach to
conduct an efficient evaluation of internal control over financial
reporting.\44\ Further, we believe the proposed guidance will assist
companies of all sizes in completing the annual evaluation of ICFR in
an effective and efficient manner by addressing a number of the common
areas of concern that have been identified over the past two years. For
example, the proposed guidance:
---------------------------------------------------------------------------
\42\ Commenters on the Concept Release were supportive of
principles-based guidance that applies to all companies. See for
example, letters regarding file number S7-11-06 of: Financial
Executives International, Metlife, and Siemens AG at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
\43\ See Advisory Committee Final Report at 35-38.
\44\ While a company's individual facts and circumstances should
be considered in determining whether a company is a smaller public
company, a company's market capitalization and annual revenues are
useful indicators of its size and complexity. In light of the
Advisory Committee Final Report and the SEC's rules defining
``accelerated filers'' and ``large accelerated filers,'' companies
with a market capitalization of approximately $700 million or less,
with reported annual revenues of approximately $250 million or less,
should be presumed to be ``smaller companies,'' with the smallest of
these companies, with a market capitalization of approximately $75
million or less, described as ``microcaps.''
---------------------------------------------------------------------------
• Explains how to vary approaches for gathering evidence to
support the evaluation based on risk assessments;
• Explains the use of ``daily interaction,'' self-
assessment, and other on-going monitoring activities as evidence in the
evaluation;
• Explains the purpose of documentation and how management
has flexibility in approaches to documenting support for its
assessment;
• Provides management significant flexibility in making
judgments regarding what constitutes adequate evidence in low-risk
areas; and
• Allows for management and the auditor to have different
testing approaches.
The information management gathers and analyzes from its evaluation
process serves as the basis for its assessment on the effectiveness of
its ICFR. The extent of effort required for a reasonable evaluation
process will largely depend on the company's existing policies,
procedures and practices. For example, in some situations management
may determine that its existing activities, which may be undertaken for
other reasons, provide information that is relevant to the assessment.
In other situations, management may have to implement additional
procedures to gather and analyze the information needed to provide a
reasonable basis for its annual assessment.
III. Proposed Interpretive Guidance
The proposed interpretive guidance addresses the following topics:
A. The Evaluation Process
1. Identifying Financial Reporting Risks and Controls
a. Identifying Financial Reporting Risks
b. Identifying Controls that Adequately Address Financial Reporting
Risks
c. Consideration of Entity-level Controls
d. Role of General Information Technology Controls
e. Evidential Matter to Support the Assessment
2. Evaluating Evidence of the Operating Effectiveness of ICFR
a. Determining the Evidence Needed to Support the Assessment
b. Implementing Procedures to Evaluate Evidence of the Operation of
ICFR
c. Evidential Matter to Support the Assessment
3. Multiple Location Considerations
B. Reporting Considerations
1. Evaluation of Control Deficiencies
2. Expression of Assessment of Effectiveness of ICFR by Management
and the Registered Public Accounting Firm
3. Disclosures About Material Weaknesses
4. Impact of a Restatement of Previously Issued Financial
Statements on Management's Report on ICFR
5. Inability to Assess Certain Aspects of ICFR
A. The Evaluation Process
The objective of the evaluation of ICFR is to provide management
with a reasonable basis for its annual assessment as to whether any
material weaknesses in ICFR exist as of the end of the fiscal year. To
meet this objective, management identifies the risks to reliable
financial reporting, evaluates whether the design of the controls which
address those risks is such that there is a reasonable possibility that
a material misstatement in the financial statements would not be
prevented or detected in a timely manner, and evaluates evidence about
the operation of the controls included in the evaluation based on its
assessment of risk. The evaluation process will vary from company to
company; however, the approach we discuss is a top-down, risk-based
approach which we believe is typically most efficient and effective.
The evaluation process guidance is presented in two sections. The
first section explains an approach to identifying financial reporting
risks and evaluating whether the controls management has implemented
are designed to address those risks. The second section describes an
approach for making judgments about the methods and procedures for
evaluating whether the operation of ICFR is effective. Both sections
explain how entity-level controls \45\ impact the evaluation process as
well as how management focuses its evaluation efforts on the greatest
risks.
---------------------------------------------------------------------------
\45\ See footnote 29 above.
---------------------------------------------------------------------------
Under the Commission's rules, management's annual assessment must
be made in accordance with a suitable control framework's definition of
effective internal control.\46\ These control frameworks define
elements of internal control that are expected to be present and
functioning in an effective internal control system. In assessing
effectiveness, management evaluates whether its ICFR includes policies,
procedures and activities that address all of the elements of internal
control that the applicable control framework describes as necessary
for an internal control system to be effective. The framework elements
describe the characteristics of an internal control system that may be
relevant to individual areas of the company's ICFR, pervasive to many
areas, or entity-wide. Therefore, management's evaluation process
includes not only controls involving particular areas of financial
reporting, but also the entity-wide and other pervasive elements of
internal control that are defined by the control frameworks. This
guidance is not intended to replace the elements of an effective system
of internal control as defined within a control framework.
---------------------------------------------------------------------------
\46\ For example, both the COSO framework and the Turnbull
Report state that determining whether a system of internal control
is effective is a subjective judgment resulting from an assessment
of whether the five components (i.e., control environment, risk
assessment, control activities, monitoring, and information and
communication) are present and functioning effectively. Although
CoCo states that an assessment of effectiveness be made against
twenty specific criteria, it acknowledges that the criteria can be
regrouped into different structures, and includes a table showing
how the criteria can be regrouped into the five-component structure
of COSO. Thus, these five components are also criteria for effective
internal control.
---------------------------------------------------------------------------
1. Identifying Financial Reporting Risks and Controls
The approach described herein allows management to identify
controls and maintain supporting evidential matter for its controls in
a manner that is tailored to a company's financial reporting risks (as
defined below). Thus, management can avoid identifying and
documenting controls that are not important to achieving the objectives
of ICFR. Management should assess whether its controls are designed to
provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external
purposes in accordance with generally accepted accounting principles
(``GAAP'').\47\ The evaluation begins with the identification and
assessment of the risks to reliable financial reporting (i.e.,
materially accurate financial statements), including changes in those
risks. Management then evaluates whether it has controls placed in
operation that are designed to adequately address those risks.
Management ordinarily would consider the company's entity-level
controls in both its assessment of risk and in identifying which
controls adequately address the risk. The controls that management
identifies as adequately addressing the financial reporting risks are
then subject to procedures to evaluate evidence of the operating
effectiveness, as determined pursuant to Section III.A.2.
---------------------------------------------------------------------------
\47\ Management of foreign private issuers that file financial
statements prepared in accordance with home country generally
accepted accounting principles or International Financial Reporting
Standards with a reconciliation to U.S. GAAP should plan and conduct
their evaluation process based on their primary financial statements
(i.e., home country GAAP or IFRS) rather than the reconciliation to
U.S. GAAP.
---------------------------------------------------------------------------
The effort necessary to conduct an initial evaluation of financial
reporting risks (as defined below) and the related controls will vary
among companies, partly because this effort will depend on management's
existing financial reporting risk assessment and monitoring
activities.\48\ Even so, in subsequent years for most companies,
management's effort should ordinarily be significantly less because
subsequent evaluations should be more focused on changes in risks and
controls rather than identification of all financial reporting risks
and the related controls. Further, in each subsequent year, the
evidence necessary to reasonably support the assessment will only need
to be updated from the prior year(s), not recreated anew.
---------------------------------------------------------------------------
\48\ Monitoring activities are those that assess the quality of
internal control performance over time. These activities involve
assessing the design and operation of controls on a timely basis and
taking necessary corrective actions. This process is accomplished
through on-going monitoring activities, separate evaluations by
internal audit or personnel performing similar functions, or a
combination of the two. On-going monitoring activities are often
built into the normal recurring activities of an entity and include
regular management and supervisory review activities.
---------------------------------------------------------------------------
a. Identifying Financial Reporting Risks
Ordinarily, the identification of financial reporting risks begins
with evaluating how the requirements of GAAP apply to the company's
business, operations and transactions. Management must provide
investors with financial statements that fairly present the company's
financial position, results of operations and cash flows in accordance
with GAAP. A lack of fair presentation involves material misstatements
(including omissions) in one or more of the financial statement amounts
or disclosures (``financial reporting elements'').
Management uses its knowledge and understanding of the business,
its organization, operations, and processes to consider the sources and
potential likelihood of misstatements in financial reporting elements
and identifies those that could result in a material misstatement to
the financial statements (``financial reporting risks''). Internal and
external risk factors that impact the business, including the nature
and extent of any changes in those risks, may give rise to financial
reporting risks. Financial reporting risks may also arise from sources
such as the initiation, authorization, processing and recording of
transactions and other adjustments that are reflected in financial
reporting elements. Management's evaluation of financial reporting
risks should also consider the vulnerability of the entity to
fraudulent activity (e.g., fraudulent financial reporting,
misappropriation of assets and corruption) and whether any of those
exposures could result in a material misstatement of the financial
statements.\49\
---------------------------------------------------------------------------
\49\ See ``Management Antifraud Programs and Controls--Guidance
to Help Prevent, Deter, and Detect Fraud,'' which was issued jointly
by seven professional organizations and is included as an exhibit to
AU Sec. 316, Consideration of Fraud in a Financial Statement Audit
(as adopted on an interim basis by the PCAOB in PCAOB Rule 3200T).
---------------------------------------------------------------------------
The methods and procedures for identifying financial reporting
risks will vary based on the characteristics of the company.\50\ These
characteristics include, among others, the size, complexity, and
organizational structure of the company and its processes and financial
reporting environment, as well as the control framework used by
management. For example, to effectively identify financial reporting
risks in larger businesses or in situations involving complex business
processes, management's evaluation may need to involve employees with
specialized knowledge who collectively have the necessary understanding
of the requirements of GAAP, the underlying business transactions, the
process activities, including the role of computer technology, that are
required to initiate, authorize, record and process transactions, and
the points within the process at which a material misstatement,
including a misstatement due to fraud, may occur. In contrast, in a
small company with less complex business processes that operate on a
centralized basis and with little change in the risks or processes,
management's daily involvement with the business may provide it with
adequate knowledge to appropriately identify financial reporting risks.
---------------------------------------------------------------------------
\50\ To provide management the flexibility needed to implement
an evaluation process that best suits its particular circumstances,
the guidance in this proposed interpretative release does not
prescribe a particular methodology for the identification of risks
and controls. While the May 2005 Staff Guidance used the term
``significant account,'' which is used in AS No. 2, we are not
requiring that companies use the guidance in the auditing literature
to conduct their evaluation approach. The Commission encourages the
development of methodologies and tools that meet the objectives of
the ICFR evaluation.
---------------------------------------------------------------------------
b. Identifying Controls That Adequately Address Financial Reporting
Risks
Management should evaluate whether it has controls placed in
operation (i.e., in use) that are designed to address the company's
financial reporting risks.\51\ The determination of whether an
individual control, or a combination of controls, adequately addresses
a financial reporting risk involves judgments about both the likelihood
and potential magnitude of misstatements arising from the financial
reporting risk. For purposes of the evaluation of ICFR, the controls
are not adequate when their design is such that there is a reasonable
possibility that a misstatement in the related financial reporting
element that could result in a material misstatement of the financial
statements will not be prevented or detected on a timely basis.\52\ If
management determines that
its controls are not adequately designed, a deficiency exists that must
be evaluated to determine whether it is a material weakness. The
guidance in Section III.B.1. is designed to assist management with that
evaluation.\53\
---------------------------------------------------------------------------
\51\ A control consists of a specific set of policies,
procedures, and activities designed to meet an objective. A control
may exist within a designated function or activity in a process. A
control's impact on ICFR may be entity-wide or specific to a class
of transactions or application. Controls have unique
characteristics--they can be: automated or manual; reconciliations;
segregation of duties; review and approval authorizations;
safeguarding and accountability of assets; prevention or detection of
error or fraud; or disclosure. Controls within a process may consist of
financial reporting controls and operational controls (i.e., those
designed to achieve operational objectives).
\52\ The use of the phrase ``reasonable possibility that a
misstatement in the related financial reporting element that could
result in a material misstatement of the financial statements'' is
intended solely to assist management in identifying matters for
disclosure under Item 308 of Regulation S-K. It is not intended to
interpret or describe management's responsibility under FCPA or
modify a control framework's definition of what constitutes an
effective system of internal control.
\53\ A deficiency in the design of ICFR exists when (a)
necessary controls are missing or (b) existing controls are not
properly designed so that, even if the control operates as designed,
the financial reporting risks would not be addressed. AS No. 2
states that a deficiency in the design of ICFR exists when (a) a
control necessary to meet the control objective is missing or (b) an
existing control is not properly designed so that, even if the
control operates as designed, the control objective is not always
met. See AS No. 2 ¶ 8.
---------------------------------------------------------------------------
Management may identify controls for a financial reporting element
that are preventive, detective or a combination of both.\54\ It is not
necessary to identify all controls that exist. Rather, the objective of
this evaluation step is to identify controls that adequately address
the risk of misstatement for the financial reporting element that could
result in a material misstatement in the financial statements. To
illustrate, management may determine for a financial reporting element
that a control within the company's period-end financial reporting
process (i.e., an entity-level control) is designed in a manner that
adequately addresses the risk that a misstatement in interest expense,
that could result in a material misstatement in the financial
statements, may occur and not be detected. In such a case, management
may not need to identify any additional controls related to interest
expense.
---------------------------------------------------------------------------
\54\ Preventive controls have the objective of preventing the
occurrence of errors or fraud that could result in a misstatement of
the financial statements. Detective controls have the objective of
detecting errors or fraud that has already occurred that could
result in a misstatement of the financial statements. Preventive and
detective controls may be completely manual, involve some degree of
computer automation, or be completely automated.
---------------------------------------------------------------------------
Management may consider the efficiency with which evidence of the
operation of a control can be evaluated when identifying the controls
that adequately address the financial reporting risks. For example,
when more than one control exists that individually addresses a
particular risk (i.e., redundant controls), management may decide to
select the control for which evidence of operating effectiveness can be
obtained more efficiently. Moreover, when adequate general information
technology (``IT'') controls exist, and management has determined the
operation of such controls is effective, management may determine that
automated controls may be more efficient to evaluate than manual
controls. Considering the efficiency with which the operation of a
control can be evaluated will often enhance the overall efficiency of
the evaluation process.
When identifying the controls that address financial reporting
risks, management may learn information about the characteristics of
the controls, such as the judgment required to operate them or their
complexity, that are considered in its judgments about the risk that
the control will fail to operate as designed. Section III.A.2.
discusses how these characteristics are considered in determining the
nature and extent of evidence of the operation of the control that
management evaluates.
At the end of this identification process, management will have
identified for testing only those controls that are needed to
adequately address the risk of a material misstatement in its financial
statements and for which evidence about their operation can be obtained
most efficiently.
c. Consideration of Entity-level Controls
Management considers entity-level controls when identifying and
assessing financial reporting risks and related controls for a
financial reporting element. In doing so, it is important for
management to consider the nature of the entity-level controls and how
they relate to the financial reporting element.\55\ Some entity-level
controls are designed to operate at the process, transaction or
application level and might adequately prevent or detect on a timely
basis misstatements in one or more financial reporting elements that
could result in a material misstatement to the financial statements. On
the other hand, an entity-level control may be designed to identify
possible breakdowns in lower-level controls, but not in a manner that
would, by itself, sufficiently address the risk that misstatements to
financial reporting elements that could result in a material
misstatement to the financial statements will be prevented or detected
on a timely basis.
---------------------------------------------------------------------------
\55\ Controls can be either directly or indirectly related to a
financial reporting element. Controls that are designed to have a
specific effect on a financial reporting element are considered
directly related. For example, controls established to ensure that
personnel are properly counting and recording the annual physical
inventory relate directly to the existence of the inventory.
---------------------------------------------------------------------------
The more indirect the relationship to a financial reporting
element, the less effective a control may be in preventing or detecting
a misstatement. Some entity-level controls, such as the control
environment (e.g., tone at the top and entity-wide programs such as
codes of conduct and fraud prevention), are indirectly related to a
financial reporting element and may not, by themselves, be effective at
preventing or detecting a misstatement in a financial reporting
element. Therefore, while management ordinarily would consider entity-
level controls of this nature when assessing financial reporting risks
and evaluating the adequacy of controls, it is unlikely management will
identify only this type of entity-level control as adequately
addressing a financial reporting risk identified for a financial
reporting element.\56\
---------------------------------------------------------------------------
\56\ Many commenters on the Concept Release requested
clarification of the role of entity-level controls in management's
evaluation. See for example, letters regarding file number S7-11-06
of Aerospace Industries Association, Sprint Nextel Corporation, Unum
Provident, Dupont, Deutsche Telekom, Ernst & Young LLP, Deloitte &
Touche LLP, and Grant Thornton LLP at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
See Section III.A.2.a. for additional
guidance on entity-level controls.
---------------------------------------------------------------------------
d. Role of General Information Technology Controls
Controls that management identifies as addressing financial
reporting risks may be automated (e.g., application controls that
update accounts in the general ledger for subledger activity) or
dependent upon IT functionality (e.g., a control that manually
investigates items contained in a computer generated exception report).
In these situations, management's evaluation process generally
considers the design and operation of the automated or IT dependent
controls management identifies and the relevant general IT controls
over the applications providing the IT functionality. While general IT
controls ordinarily do not directly prevent or detect material
misstatements in the financial statements, the proper and consistent
operation of automated or IT dependent controls depends upon effective
general IT controls.
Aspects of general IT controls that may be relevant to the
evaluation of ICFR will vary depending upon a company's facts and
circumstances. Ordinarily, management should consider whether, and the
extent to which, general IT control objectives related to program
development, program changes, computer operations, and access to
programs and data apply to its facts and circumstances. For purposes of
the evaluation of ICFR, management only needs to evaluate those general
IT controls that are necessary to adequately address financial
reporting risks.
[[Page 77643]]
e. Evidential Matter To Support the Assessment
As part of its evaluation of ICFR, management must maintain
reasonable support for its assessment.\57\ Documentation of the design
of the controls management has placed in operation to adequately
address the financial reporting risks is an integral part of the
reasonable support. The form and extent of the documentation will vary
depending on the size, nature, and complexity of the company. It can
take many forms (e.g., paper documents, electronic, or other media) and
it can be presented in a number of ways (e.g., policy manuals, process
models, flowcharts, job descriptions, documents, internal memorandums,
forms, etc.). The documentation does not need to include all controls
that exist within a process that impacts financial reporting. Rather,
and more importantly, the documentation can be focused on those
controls that management concludes are adequate to address the
financial reporting risks.\58\
---------------------------------------------------------------------------
\57\ See instructions to Item 308 of Regulations S-K and S-B.
\58\ Commenters on the Concept Release were supportive of
guidance regarding the form, nature, and extent of documentation.
See for example letters regarding file number S7-11-06 of EDS,
Controllers' Leadership Roundtable, Sasol Group, New York State
Society of Certified Public Accountants, Grant Thornton LLP, and
Financial Executives International at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
Section III.A.2.c also provides
guidance with regard to the documentation required to support
management's evaluation of operating effectiveness.
---------------------------------------------------------------------------
In addition to providing support for the assessment of ICFR,
documentation of the design of controls also supports other objectives
of an effective system of internal control. For example, it serves as
evidence that controls within ICFR, including changes to those
controls, have been identified, are capable of being communicated to
those responsible for their performance, and are capable of being
monitored by the company. The documentation also provides the
foundation for appropriate communication concerning responsibilities
for performing controls and for the company's evaluation and monitoring
of the operation of controls.
Management should also consider the need to maintain evidential
matter, including documentation, of the entity-wide and other pervasive
elements of its ICFR that it believes address the elements of internal
control that its chosen control framework prescribes as necessary for
an effective system of internal control.\59\
---------------------------------------------------------------------------
\59\ Id.
---------------------------------------------------------------------------
2. Evaluating Evidence of the Operating Effectiveness of ICFR
Management should evaluate evidence of the effective operation of
ICFR. A control operates effectively when it is performed in a manner
consistent with its design by individuals with the necessary authority
and competency. Management ordinarily focuses its evaluation of the
operation of controls on those areas of ICFR that pose the highest risk
to reliable financial reporting. The evaluation procedures that
management uses to gather evidence about the effective operation of
ICFR should be tailored to its assessment of the risk characteristics
of both the individual financial reporting elements and the related
controls (collectively, ICFR risk). Management's assessment of ICFR
risk also considers the impact of entity-level controls, such as the
relative strengths and weaknesses of the control environment, which may
influence management's judgments about the risks of failure for
particular controls. Management varies the nature, timing and extent of
the evaluation methods it implements in response to its judgments about
ICFR risk.
Evidence about the effective operation of controls may be obtained
from direct-testing of controls and on-going monitoring activities. The
nature, timing and extent of evaluation procedures necessary for
management to obtain sufficient evidence of the effective operation of
a control depends on the assessed ICFR risk. In determining whether the
evidence obtained is sufficient to provide a reasonable basis for its
evaluation of the operation of ICFR, management should consider not
only the quantity of evidence (e.g., sample size) but also qualitative
characteristics of the evidence. The qualitative characteristics of the
evidence include the nature of the evaluation procedures performed, the
period of time to which the evidence relates, the objectivity of those
evaluating the controls, and, in the case of monitoring controls, the
extent of validation through direct testing of underlying controls. For
any individual control, different combinations of the nature, timing,
and extent of evaluation procedures may provide sufficient evidence.
The sufficiency of evidence is not determined by any of these
attributes individually.
a. Determining the Evidence Needed To Support the Assessment
Management should evaluate the ICFR risk of the controls identified
in Section III.A.1. to determine the evidence needed to support the
assessment. The risk assessment should consider the impact of the
characteristics of the financial reporting elements to which the
controls relate and the characteristics of the controls themselves.
This concept is demonstrated in the following diagram.
[[Page 77644]]
[GRAPHIC] [TIFF OMITTED] TP27DE06.115
Characteristics of the financial reporting element that management
considers include both the materiality of the financial reporting
element and the susceptibility of the underlying account balances,
transactions or other supporting information to material misstatement.
As the materiality of the financial reporting element increases in
relation to the amount of misstatement that would be considered
material to the financial statements, management's assessment of risk
generally would correspondingly increase. In addition, financial
reporting elements would generally have higher risk when they include
transactions, account balances or other supporting information that is
prone to misstatement. For example, elements which: (1) Involve
judgment in determining the recorded amounts; (2) are susceptible to
fraud; (3) have complexity in the underlying accounting requirements;
or (4) are subject to environmental factors, such as technological
and/or economic developments, would generally be assessed as higher risk.
Management also considers the likelihood that a control might fail
to operate effectively. That likelihood may depend on, among other
things, the type of control (i.e., manual or automated), the complexity
of the control, the risk of management override, the judgment required
to operate the control, the nature and materiality of misstatements
that the control is intended to prevent or detect, and the degree to
which the control relies on the effectiveness of other controls (e.g.,
general IT controls). For example, management's risk assessment would
be higher for a financial reporting element that involves controls
whose operation requires significant judgment than for a financial
reporting element that involves non-complex controls requiring little
judgment on behalf of management.
Certain financial reporting elements, such as those involving
significant accounting estimates,\60\ related party transactions, or
critical accounting policies \61\ generally would be assessed as having
higher risk for both the risk of material misstatement to the financial
reporting element and the risk of control failure. When the controls
related to these financial reporting elements are subject to the risk
of management override, involve significant judgment, or are complex,
they should generally be assessed as having higher ICFR risk.
---------------------------------------------------------------------------
\60\ ``Significant accounting estimates'' referred to here
relate to accounting estimates or assumptions where the nature of
the estimates or assumptions is material due to the levels of
subjectivity and judgment necessary to account for highly uncertain
matters or the susceptibility of such matters to change; and the
impact of the estimates and assumptions on financial condition or
operating performance is material. See Interpretation: Commission
Guidance Regarding Management's Discussion and Analysis of Financial
Condition and Results of Operations. Release No. 33-8350 (December
19, 2003).
\61\ ``Critical accounting policies'' are defined as those
policies that are most important to the financial statement
presentation, and require management's most difficult, subjective,
or complex judgments, often as the result of a need to make
estimates about the effect of matters that are inherently uncertain.
See Action: Cautionary Advice Regarding Disclosure About Critical
Accounting Policies. Release No. 33-8040 (December 12, 2001).
---------------------------------------------------------------------------
When a combination of controls is required to adequately address
the risks of a financial reporting element, management should analyze
the risk characteristics of each control. This is because the controls
associated with a given financial reporting element may not necessarily
share the same risk characteristics. For example, a financial reporting
element involving significant estimation may require a combination of
automated controls that accumulate source data and manual controls that
require highly judgmental determinations of assumptions. In this case,
the automated controls may operate within a system that is stable (i.e.,
has not undergone significant change) and is supported by effective
general controls, and would therefore be assessed as lower risk, whereas
the manual controls would be assessed as higher risk.
The existence of entity-level controls (e.g., controls within the
control environment) may influence management's determination of the
evidence needed to sufficiently support its assessment. For example,
management's judgment about the likelihood that a control fails to
operate effectively may be influenced by a highly effective control
environment and thereby impact the evidence evaluated for that control.
However, a strong control environment would not eliminate the need for
evaluation procedures that consider the effective operation of the
control in some manner.\62\
---------------------------------------------------------------------------
\62\ See references at footnote 56 to comments received related
to the role of entity-level controls within management's evaluation.
---------------------------------------------------------------------------
b. Implementing Procedures To Evaluate Evidence of the Operation of
ICFR
The methods and procedures management uses to gather evidence about
the effective operation of controls are based on its assessment of the
ICFR risk. Therefore, the methods and procedures, including the timing
of when they are performed, are a function of the evidence that
management considers necessary to provide reasonable support for its
assessment of ICFR based on the assessment of ICFR risk. These
procedures may be integrated with the daily responsibilities
[[Page 77645]]
of its employees or implemented specifically for purposes of the ICFR
evaluation. Evidence that is relevant to the assessment may come from
activities that are performed for other reasons (e.g., day-to-day
activities to manage the operations of the business). Further,
activities performed to meet the monitoring objectives of the control
framework will provide evidence to support the assessment.\63\
---------------------------------------------------------------------------
\63\ Many commenters on the Concept Release requested guidance
clarifying that evidence relevant to supporting the evaluation may
come from activities that are integrated into management's daily
activities or performed for other reasons. See, for example, letters
regarding file number S7-11-06 of EDS, American Electric Power and
the Hundred Group of Finance Directors at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------
The evidence management evaluates may come from a combination of
on-going monitoring and direct testing of controls. On-going monitoring
includes activities that provide information about the operation of
controls and may be obtained, for example, through self-assessment \64\
procedures and the analysis of performance measures designed to track
the operation of controls.\65\ Direct tests of controls are tests
performed periodically to provide evidence as of a point in time and
may provide information about the reliability of on-going monitoring
activities.
---------------------------------------------------------------------------
\64\ Self-assessment is a broad term that refers to different
types of procedures performed by various parties. It includes an
assessment made by the same personnel who are responsible for
performing the control. However, self-assessment may also be used to
refer to assessments and tests of controls performed by persons who
are members of management but are not the same personnel who are
responsible for performing the control. In this manner, an
assessment may be carried out with varying degrees of objectivity.
The sufficiency of the evidence derived from self-assessment depends
on how it is implemented and the objectivity of those performing the
assessment. COSO's 1992 framework defines self-assessments as
``evaluations where persons responsible for a particular unit or
function will determine the effectiveness of controls for their
activities.''
\65\ Management's evaluation process may also consider the
results of key performance indicators (``KPI's'') in which
management reconciles operating and financial information with its
knowledge of the business. While these KPI's may indicate a
potential misstatement in a financial reporting element and
therefore are relevant to meeting the objectives of ICFR, they
generally do not monitor the effective operation of other controls.
The procedures that management implements pursuant to this section
should evaluate the effective operation of these KPI type controls
when they are identified pursuant to Section III.A.1.b. as
addressing financial reporting risk.
---------------------------------------------------------------------------
The risk assessments discussed in Section III.A.2.a. can assist
management in determining the evaluation procedures that provide
reasonable support for the assessment. As the assessed risk increases,
management will ordinarily adjust the nature of the evidence that is
obtained. For example, management can vary the nature of evidence from
on-going monitoring by adjusting the extent of validation through
periodic direct testing of the underlying controls and/or adjusting the
objectivity of those performing the self-assessments. Management can
also vary the nature of evidence obtained by adjusting the period of
time covered by direct testing. When ICFR risk is assessed as high,
management's evaluation would ordinarily include evidence obtained from
direct testing. Further, management's evaluation would ordinarily
consider evidence from a reasonable period of time during the year,
including the fiscal year-end. For lower risk areas, management may
conclude that evidence from on-going monitoring is sufficient and that
no direct testing is required.\66\
---------------------------------------------------------------------------
\66\ Commenters on the Concept Release were supportive of
guidance on factors that should be considered in using a risk-based
evaluation. See, for example, letters regarding file number S7-11-06
of Aerospace Industries Association, American Institute of Certified
Public Accountants, American Electric Power, Edison Electric
Institute, and PricewaterhouseCoopers LLP at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
Section III.A.2.a. also provides guidance on a risk-based evaluation.
---------------------------------------------------------------------------
In smaller companies, management's daily interaction with its
controls may provide it with sufficient knowledge about their operation
to evaluate the operation of ICFR. Knowledge from daily interaction
includes information obtained by those responsible for evaluating the
effectiveness of ICFR through their on-going direct knowledge and
direct supervision of control operation. Management should consider its
particular facts and circumstances when determining whether or not its
daily interaction with controls provides sufficient evidence for the
evaluation. For example, daily interaction may provide sufficient
evidence when the operation of controls is centralized and the number
of personnel involved in their operation is limited. Conversely, daily
interaction in companies with multiple management reporting layers or
operating segments would generally not provide sufficient evidence
because those responsible for assessing the effectiveness of ICFR would
not ordinarily be sufficiently knowledgeable about the operation of the
controls. In these situations, management would ordinarily utilize
direct testing or on-going monitoring type evaluation procedures to
have reasonable support for the assessment.\67\
---------------------------------------------------------------------------
\67\ Commenters on the Concept Release were supportive of
guidance on how management's daily interaction can support the
evaluation. See, for example, letters regarding file number S7-11-06
of U.S. Oncology, Inc., EDS, American Electric Power, MetLife, Texas
Society of Certified Public Accountants, and the Controllers'
Leadership Roundtable at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------
Management evaluates the evidence it gathers to determine whether
the operation of a control is effective. This evaluation considers
whether the control operated as designed and includes matters such as
how the control was applied, the consistency with which it was applied,
and whether the person performing the control possesses the necessary
authority and competence to perform the control effectively. If
management determines that the operation of the control is not
effective, a deficiency exists that must be evaluated to determine
whether it is a material weakness.
c. Evidential Matter To Support the Assessment
Management's assessment must be supported by evidential matter that
provides reasonable support for its assessment. The nature of the
evidential matter may vary based on the assessed level of risk of the
underlying controls and other circumstances, but we would expect
reasonable support for an assessment to include the basis for
management's assessment, including documentation of the methods and
procedures it utilizes to gather and evaluate evidence. The evidential
matter may take many forms and will vary depending on the assessed
level of risk for controls over each of its financial reporting
elements. For example, management may document its overall strategy in
a comprehensive memorandum that establishes the evaluation approach,
the evaluation procedures, and the basis for conclusions for each
financial reporting element. Management may determine that it is not
necessary to separately maintain copies of the evidence it evaluates;
however, the evidential matter within the company's books and records
should be sufficient to provide reasonable support for its assessment.
For example, in smaller companies, where management's daily interaction
with its controls provides the basis for its assessment, management may
have limited documentation created specifically for the evaluation of
ICFR. However, in these instances, management should consider whether
reasonable support for its assessment would include documentation of
how its interaction provided it with sufficient evidence. This
documentation might include memoranda, e-mails, and
[[Page 77646]]
instructions or directions from management to company employees.\68\
---------------------------------------------------------------------------
\68\ See footnote 58 for references to Concept Release comment
letters requesting guidance on documentation.
---------------------------------------------------------------------------
Further, management should also consider the degree of complexity
of the control, the level of judgment required to operate the control,
and the risk of misstatement in the financial reporting element that
could result in a material misstatement in the financial statements in
determining the nature of supporting evidential matter. As these
factors increase, management may determine that evidential matter
supporting the assessment should be separately maintained.\69\ For
example, management may decide that separately maintained documentation
will assist the audit committee in exercising its oversight of the
company's financial reporting.
---------------------------------------------------------------------------
\69\ Id.
---------------------------------------------------------------------------
If management believes that the operation of the entity-wide and
other pervasive elements of its ICFR address the elements of internal
control that its applicable framework describes as necessary for an
effective system, then the evidential matter constituting reasonable
support for management's assessment would ordinarily include
documentation of how management formed that belief.\70\
---------------------------------------------------------------------------
\70\ Id.
---------------------------------------------------------------------------
3. Multiple Location Considerations \71\
---------------------------------------------------------------------------
\71\ Guidance in this area was requested in numerous comments
received in response to the Concept Release. See, for example,
letters regarding file number S7-11-06 of Eli Lilly, Deloitte &
Touche LLP, Ernst & Young LLP, Sasol Group, and the Institute of
Management Accountants at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------
Management's consideration of financial reporting risks generally
includes all of its locations or business units.\72\ Management may
determine that financial reporting risks are adequately addressed by
controls which operate centrally, in which case the evaluation approach
is similar to that of a business with a single location or business
unit. When the controls necessary to address financial reporting risks
operate at more than one location or business unit, management would
generally evaluate evidence of the operation of the controls at the
individual locations or business units.
---------------------------------------------------------------------------
\72\ Consistent with the guidance in Section III.A.1.,
management may determine when identifying financial reporting risks
that some locations are so insignificant that no further evaluation
procedures are needed.
---------------------------------------------------------------------------
In situations where management determines that the ICFR risk of the
controls (as determined through Section III.A.2.a) that operate at
individual locations or business units is low, management may determine
that evidence gathered through self-assessment routines or other on-
going monitoring activities, when combined with the evidence derived
from a centralized control that monitors the results of operations at
individual locations, may constitute sufficient evidence for the
evaluation. In other situations, management may determine that, because
of the complexity or judgment in the operation of the controls at the
individual location, the risks of the controls are high, and therefore
more evidence is needed about the effective operation of the controls
at the location.
When performing its evaluation of the risk characteristics of the
controls identified, management should consider whether there are
location-specific risks that might impact the risk that a control might
fail to operate effectively. Additionally, there may be pervasive
factors at a given location that cause all controls, or a majority of
controls, at that location to be considered higher risk. Management
should generally consider the risk characteristics of the controls for
each financial reporting element, rather than making a single judgment
for all controls at that location when deciding whether the nature and
extent of evidence is sufficient.
B. Reporting Considerations
1. Evaluation of Control Deficiencies
In order to determine whether a control deficiency, or combination
of control deficiencies, is a material weakness, management evaluates
each control deficiency that comes to its attention.\73\ Control
deficiencies that are determined to be a material weakness must be
disclosed in management's annual report on its assessment of the
effectiveness of ICFR.\74\ Management may not disclose that it has
assessed ICFR as effective if there is one or more control deficiencies
determined to be a material weakness in ICFR. As part of the evaluation
of ICFR, management considers whether the deficiencies, individually or
in combination, are material weaknesses as of the end of the fiscal
year. Multiple control deficiencies that affect the same financial
statement account balance or disclosure increase the likelihood of
misstatement and may, in combination, constitute a material weakness if
there is a reasonable possibility \75\ that a material misstatement to
the financial statements would not be prevented or detected in a timely
manner, even though such deficiencies may be individually
insignificant. Therefore, management should evaluate individual control
deficiencies that affect the same account balance, disclosure, relevant
assertion, or component of internal control, to determine whether they
collectively result in a material weakness.\76\
---------------------------------------------------------------------------
\73\ Because of the importance to investors of the
reconciliation to U.S. GAAP, when management of foreign private
issuers that file in home country GAAP or IFRS determine the
severity of an identified control deficiency, management should
consider the impact of the control deficiency to the U.S. GAAP
reconciliation disclosure. Hence, management should take into
consideration both the amounts reported in the primary financial
statements and the amounts reported in the reconciliation to U.S.
GAAP in evaluating the severity of the control deficiency. For
example, it would be inappropriate to determine, without further
consideration, that a control deficiency associated with an item
included in the reconciliation to U.S. GAAP, is not material to the
primary financial statements, and therefore cannot be, by
definition, a material weakness.
\74\ Pursuant to Rules 13a-14 and 15d-14 management discloses to
the auditors and to the audit committee of the board of directors
(or persons fulfilling the equivalent function) all significant
deficiencies in the design or operation of internal controls which
could adversely affect the issuer's ability to record, process,
summarize and report financial data and have identified for the
issuer's auditors any material weaknesses in internal controls. The
interaction of qualitative considerations that affect ICFR with
quantitative considerations ordinarily results in deficiencies in
the following areas being at least significant deficiencies in
internal control over financial reporting: Controls over the
selection and application of accounting policies that are in
conformity with generally accepted accounting principles; antifraud
programs and controls; controls over non-routine and non-systematic
transactions; and controls over the period-end financial reporting
process. If management determines that the deficiency would prevent
prudent officials in the conduct of their own affairs from
concluding that they have reasonable assurance that transactions are
recorded as necessary to permit the preparation of financial
statements in conformity with generally accepted accounting
principles, then management should deem the deficiency to be at
least a significant deficiency.
\75\ See footnote 32.
\76\ A similar approach to aggregating individually
insignificant control deficiencies was used by the AICPA in
Statement on Auditing Standard No. 112.
---------------------------------------------------------------------------
The evaluation of a control deficiency should include both
quantitative and qualitative factors. Management can evaluate a
deficiency in ICFR by considering the likelihood that the company's
ICFR will fail to prevent or detect a misstatement of a financial
statement element, or component thereof, on a timely basis; and the
magnitude of the potential misstatement resulting from the deficiency
or deficiencies. This evaluation is based on whether the company's
controls will fail to prevent or detect a misstatement on a timely
basis, not necessarily on whether a misstatement actually has occurred.
Several factors affect the likelihood that a deficiency, or a
combination of deficiencies, will result in a misstatement in a
financial reporting element not being prevented or detected on a timely
basis. The factors include, but are not limited to, the following:
• The nature of the financial statement elements, or
components thereof, involved (e.g., suspense accounts and related party
transactions involve greater risk);
• The susceptibility of the related asset or liability to
loss or fraud (i.e., greater susceptibility increases risk);
• The subjectivity, complexity, or extent of judgment
required to determine the amount involved (i.e., greater subjectivity,
complexity, or judgment, like that related to an accounting estimate,
increases risk);
• The interaction or relationship of the control with other
controls (i.e., the interdependence or redundancy of the control);
• The interaction of the deficiencies (i.e., when evaluating
a combination of two or more deficiencies, whether the deficiencies
could affect the same financial statement accounts and assertions); and
• The possible future consequences of the deficiency.
Management should evaluate how the controls interact with other
controls when evaluating the likelihood that the company's controls
will fail to prevent or detect on a timely basis a misstatement that is
material to the company's financial statements. There are controls,
such as general IT controls, on which other controls depend. Some
controls function together as a group of controls. Other controls
overlap, in the sense that more than one control may individually
achieve the same objective.
Several factors affect the magnitude of the misstatement that might
result from a deficiency or deficiencies in controls. The factors
include, but are not limited to, the following:
• The financial statement amounts or total of transactions
exposed to the deficiency; and
• The volume of activity in the account balance or class of
transactions exposed to the deficiency that has occurred in the current
period or that is expected in future periods.
In evaluating the magnitude of the potential misstatement to the
company's financial statements as a whole, management should recognize
that the maximum amount that an account balance or total of
transactions can be overstated is the recorded amount, while
understatements could be larger. Moreover, in many cases, the
probability of a small misstatement will be greater than the
probability of a large misstatement. For example, if the deficiency is
that errors identified during an account reconciliation are not being
investigated in a timely manner, management should consider the
possibility that larger errors are more likely to be investigated or
identified through other controls than smaller ones.
Management should evaluate the effect of compensating controls \77\
when determining whether a control deficiency or combination of
deficiencies is a material weakness. When evaluating a deficiency in
ICFR, management also should determine the level of detail and degree
of assurance that would satisfy prudent officials in the conduct of
their own affairs that they have reasonable assurance that transactions
are recorded as necessary to permit the preparation of financial
statements in conformity with GAAP.
---------------------------------------------------------------------------
\77\ Compensating controls are controls that serve to accomplish
the objective of another control that did not function properly,
helping to reduce risk to an acceptable level. To have a mitigating
effect, the compensating control should operate at a level of
precision that would prevent or detect a misstatement that was
material.
---------------------------------------------------------------------------
The following circumstances are strong indicators that a material
weakness in ICFR exists:
• An ineffective control environment. Circumstances that may
indicate that the company's control environment is ineffective include,
but are not limited to:
--Identification of fraud of any magnitude on the part of senior
management.
--Significant deficiencies that have been identified and remain
unaddressed after some reasonable period of time.
--Ineffective oversight of the company's external financial reporting
and ICFR by the company's audit committee.\78\
---------------------------------------------------------------------------
\78\ If no audit committee exists, all references to the audit
committee apply to the entire board of directors of the company.
When a company is not required by law or applicable listing
standards to have independent directors on its audit committee, the
lack of independent directors at these companies is not indicative,
by itself, of a control deficiency. In all cases, management should
interpret the terms ``board of directors'' and ``audit committee''
as being consistent with provisions for the use of those terms as
defined in relevant SEC rules.
---------------------------------------------------------------------------
• Restatement of previously issued financial statements to
reflect the correction of a material misstatement.
Note: The correction of a material misstatement includes
misstatements due to error or fraud; it does not include
retrospective application of a change in accounting principle to
comply with a new accounting principle or a voluntary change from
one generally accepted accounting principle to another generally
accepted accounting principle.
• Identification by the auditor of a material misstatement
in financial statements in the current period under circumstances that
indicate the misstatement would not have been discovered by the
company's ICFR.
• For complex entities in highly regulated industries, an
ineffective regulatory compliance function. This relates solely to
those aspects of the ineffective regulatory compliance function in
which associated violations of laws and regulations could have a
material effect on the reliability of financial reporting.
2. Expression of Assessment of Effectiveness of ICFR by Management and
the Registered Public Accounting Firm
Management should disclose a clear expression of its assessment
related to the effectiveness of ICFR and, therefore, should not qualify
its assessment by saying that the company's ICFR is effective subject
to certain qualifications or exceptions or express similar positions.
For example, management should not state that the company's controls
and procedures are effective except to the extent that certain material
weakness(es) have been identified. In addition, if a material weakness
exists, management may not state that the company's ICFR is effective.
However, management may state that controls are ineffective due solely
to, and only to the extent of, the identified material weakness(es).
Prior to making this statement, however, management should consider the
nature and pervasiveness of the material weakness. In addition,
management may disclose any efforts to remediate the identified
material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or
General Instruction B of Form 40-F.
3. Disclosures About Material Weaknesses
The Commission's rule implementing Section 404 was intended to
bring information about material weaknesses in ICFR into public view.
Because of the significance of the disclosure requirements surrounding
material weaknesses beyond specifically stating that the material
weaknesses exist, companies should also consider including the
following in their disclosures: \79\
---------------------------------------------------------------------------
\79\ Significant deficiencies in ICFR are not required to be
disclosed in management's annual report on its evaluation of ICFR
required by Item 308(a).
---------------------------------------------------------------------------
• The nature of any material weakness,
• Its impact on financial reporting and the control
environment, and
• Management's current plans, if any, for remediating the
weakness.
Disclosure of the existence of a material weakness is important,
but there is other information that also may be material and necessary
to form an overall picture that is not misleading.\80\ There are many different
types of material weaknesses and many different factors that may be
important to the assessment of the potential effect of any particular
material weakness. While management is required to conclude and state
in its report that ICFR is ineffective when there is one or more
material weaknesses, companies should also consider providing
disclosure that allows investors to understand the root cause of the
control deficiency and to assess the potential impact of each
particular material weakness. This disclosure will be more useful to
investors if management differentiates the potential impact and
importance to the financial statements of the identified material
weaknesses, including distinguishing those material weaknesses that may
have a pervasive impact on ICFR from those material weaknesses that do
not. The goal underlying all disclosure in this area is to provide an
investor with disclosure and analysis beyond the mere existence of a
material weakness.
---------------------------------------------------------------------------
\80\ See Exchange Act Rule 12b-20 [17 CFR 240.12b-20].
---------------------------------------------------------------------------
4. Impact of a Restatement of Previously Issued Financial Statements on
Management's Report on ICFR
Item 308 of Regulation S-K requires disclosure of management's
assessment of the effectiveness of the company's ICFR as of the end of
the company's most recent fiscal year. When a material misstatement in
previously issued financial statements is discovered, a company is
required to restate those financial statements. However, the
restatement of financial statements does not, by itself, necessitate
that management consider the effect of the restatement on the company's
prior conclusion related to the effectiveness of ICFR.
While there is no requirement for management to reassess or revise
its conclusion related to the effectiveness of ICFR, management should
consider whether its original disclosures are still appropriate and
should modify or supplement its original disclosure to include any
other material information that is necessary for such disclosures not
to be misleading in light of the restatement. The company should also
disclose any material changes to ICFR, as required by Item 308(c) of
Regulation S-K.
Similarly, while there is no requirement that management reassess
or revise its conclusion related to the effectiveness of its disclosure
controls and procedures, management should consider whether its
original disclosures regarding effectiveness of disclosure controls and
procedures need to be modified or supplemented to include any other
material information that is necessary for such disclosures not to be
misleading. With respect to the disclosures concerning ICFR and
disclosure controls and procedures, the company may need to disclose in
this context what impact, if any, the restatement has on its original
conclusions regarding effectiveness of ICFR and disclosure controls and
procedures.
5. Inability To Assess Certain Aspects of ICFR
In certain circumstances, management may encounter difficulty in
assessing certain aspects of its ICFR. For example, management may
outsource a significant process to a service organization and determine
that evidence of the operating effectiveness of the controls over that
process is necessary. However, the service organization may be
unwilling either to provide a Type 2 SAS 70 report or to give
management access to the controls in place at the service organization
so that management could assess effectiveness.\81\ Finally, management
may not have compensating controls in place that allow a determination
of the effectiveness of the controls over the process in an alternative
manner. The Commission's disclosure requirements state that
management's annual report on ICFR must include a statement as to
whether or not ICFR is effective and do not permit management to issue
a report on ICFR with a scope limitation.\82\ Therefore, management
must determine whether the inability to assess controls over a
particular process is significant enough to conclude in its report that
ICFR is not effective.
---------------------------------------------------------------------------
\81\ AU Sec. 324, Service Organizations (as adopted on an
interim basis by the PCAOB in PCAOB Rule 3200T), defines a report on
controls placed in operation and test of operating effectiveness,
commonly referred to as a ``Type 2 SAS 70 report.'' This report is a
service auditor's report on a service organization's description of
the controls that may be relevant to a user organization's internal
control as it relates to an audit of financial statements, on
whether such controls were suitably designed to achieve specified
control objectives, on whether they had been placed in operation as
of a specific date, and on whether the controls that were tested
were operating with sufficient effectiveness to provide reasonable,
but not absolute, assurance that the related control objectives were
achieved during the period specified.
\82\ See Item 308 of Regulations S-K and S-B [17 CFR
229.308(a)(3) and 228.308(a)(3)].
---------------------------------------------------------------------------
Request for Comment
We request and encourage any interested parties to submit comments
on the proposed interpretive guidance. In addition to seeking general
feedback on the proposed interpretive guidance, the Commission seeks
comments on the following:
• Will the proposed interpretive guidance be helpful to
management in completing its annual evaluation process? Does the
proposed guidance allow for management to conduct an efficient and
effective evaluation? If not, why not?
• Are there particular areas within the proposed
interpretive guidance where further clarification is needed? If yes,
what clarification is necessary?
• Are there aspects of management's annual evaluation
process that have not been addressed by the proposed interpretive
guidance that commenters believe should be addressed by the Commission?
If so, what are those areas and what type of guidance would be
beneficial?
• Do the topics addressed in the existing staff guidance
(May 2005 Staff Guidance and Frequently Asked Questions (revised
October 6, 2004)) continue to be relevant or should such guidance be
retracted? If yes, which topics should be kept or retracted?
• Will the proposed guidance require unnecessary changes to
evaluation processes that companies have already established? If yes,
please describe.
• Considering the PCAOB's proposed new auditing standards,
An Audit of Internal Control Over Financial Reporting that is
Integrated with an Audit of Financial Statements and Considering and
Using the Work of Others In an Audit, are there any areas of
incompatibility that limit the effectiveness or efficiency of an
evaluation conducted in accordance with the proposed guidance? If so,
what are those areas and how would you propose to resolve the
incompatibility?
• Are there any definitions included in the proposed
interpretive guidance that are confusing or inappropriate and how would
you change the definitions so identified?
• Will the guidance for disclosures about material
weaknesses result in sufficient information to investors and if not,
how would you change the guidance?
• Should the guidance be issued as an interpretation or
should it, or any part, be codified as a Commission rule?
• Are there any considerations unique to the evaluation of
ICFR by a foreign private issuer that should be addressed in the
guidance? If yes, what are they?
IV. Proposed Rule Amendments
Exchange Act Rules 13a-15(c) and 15d-15(c) require the management
of each issuer subject to the Exchange Act reporting requirements,
other than a registered investment company, to evaluate, with the
participation of the issuer's principal executive and principal
financial officers, or persons performing similar functions, the
effectiveness, as of the end of each fiscal year, of the issuer's
ICFR.\83\ We are proposing to amend these rules to state that, although
there are many different ways to conduct an evaluation of the
effectiveness of ICFR to meet the requirement in the rule, an
evaluation conducted in accordance with the interpretive guidance
issued by the Commission, if the Commission adopts the interpretive
guidance in final form, would satisfy the annual management evaluation
required by those rules.\84\ The proposed amendments would not limit
the ability of management to use its judgment to determine a method of
evaluation that is appropriate for its company. The proposed amendments
would be similar to a non-exclusive safe-harbor in that they would not
require management to conduct the evaluation in accordance with the
interpretive guidance, but would provide certainty to management that
chooses to follow the guidance that it has satisfied its obligation to
conduct an evaluation for purposes of the requirements in Rules 13a-
15(c) and 15d-15(c).
---------------------------------------------------------------------------
\83\ We recently adopted amendments that, among other things,
provide a transition period for newly public companies before they
become subject to the ICFR requirements. Under the new amendments, a
newly public company will not become subject to the ICFR
requirements until it either had been required to file an annual
report for the prior fiscal year with the Commission or had filed an
annual report with the Commission for the prior fiscal year. See
Release No. 33-8760 (December 15, 2006) available at http://www.sec.gov/rules/final.shtml.
\84\ See proposed revisions to Rules 13a-15(c) and 15d-15(c).
---------------------------------------------------------------------------
Our rules implementing Section 404(b) of Sarbanes-Oxley require
every registered public accounting firm that issues or prepares an
audit report on a company's financial statements for inclusion in an
annual report that contains an assessment by management of the
effectiveness of the registrant's ICFR to attest to, and report on,
such assessment. Pursuant to Rule 2-02(f), the accountant's attestation
report must clearly state the ``opinion of the accountant as to whether
management's assessment of the effectiveness of the registrant's ICFR
is fairly stated in all material respects.'' Over the past three years
we have received feedback that the current form of the auditor's
opinion may not effectively communicate the auditor's responsibility in
relation to management's evaluation process. Therefore, we are
proposing to revise Rule 2-02(f) to require the auditor to express an
opinion directly on the effectiveness of ICFR. In addition, we are
proposing revisions to Rule 2-02(f) to clarify the circumstances in
which we would expect that the accountant cannot express an opinion.
We are also proposing conforming revisions to the definition of
attestation report in Rule 1-02(a)(2) of Regulation S-X. We believe
this opinion necessarily conveys whether management's assessment is
fairly stated. We understand the PCAOB will be proposing a conforming
revision to its auditing standard to reflect this revision as well.
Request for Comment
We request and encourage any interested person to submit comments
on the proposed revision to Exchange Act Rules 13a-15(c) and 15d-15(c)
and Rules 1-02 and 2-02 of Regulation S-X. In addition to seeking
general feedback on the proposed rule revision, the Commission seeks
comments on the following:
• Should compliance with the interpretive guidance, if
issued in final form, be voluntary, as proposed, or mandatory?
• Is it necessary or useful to amend the rules if the
proposed interpretive guidance is issued in final form, or are rule
revisions unnecessary?
• Should the rules be amended in a different manner in view
of the proposed interpretive guidance?
• Is it appropriate to provide the proposed assurance in
Rules 13a-15 and 15d-15 that an evaluation conducted in accordance with
the interpretive guidance will satisfy the evaluation requirement in
the rules?
• Does the proposed revision offer too much or too little
assurance to management that it is conducting a satisfactory evaluation
if it complies with the interpretive guidance?
• Are the proposed revisions to Exchange Act Rules 13a-15(c)
and 15d-15(c) sufficiently clear that management can conduct its
evaluation using methods that differ from our interpretive guidance?
• Do the proposed revisions to Rules 1-02(a)(2) and 2-02(f)
of Regulation S-X effectively communicate the auditor's responsibility?
Would another formulation better convey the auditor's role with respect
to management's assessment and/or the auditor's reporting obligation?
• Should we consider changes to other definitions or rules
in light of these proposed revisions?
• The proposed revision to Rule 2-02(f) highlights that
disclaimers by the auditor would only be appropriate in the rare
circumstance of a scope limitation. Does this adequately convey the
narrow circumstances under which an auditor may disclaim an opinion
under our proposed rule? Would another formulation provide better
guidance to auditors?
V. Paperwork Reduction Act
Certain provisions of our ICFR requirements contain ``collection of
information'' requirements within the meaning of the Paperwork
Reduction Act of 1995 (``PRA''). We submitted these collections of
information to the Office of Management and Budget (``OMB'') for review
in accordance with the PRA and received approval for the collections of
information. We do not believe the rule amendments that we are
proposing in this release will impose any new recordkeeping or
information collection requirements, or other collections of
information requiring OMB's approval.
VI. Cost-Benefit Analysis
A. Background
Section 404(a) of Sarbanes-Oxley directed the Commission to
prescribe rules to require each annual report that a company, other
than a registered investment company, files pursuant to Exchange Act
Section 13(a) or 15(d) to contain an internal control report: (1)
Stating management's responsibilities for establishing and maintaining
an adequate internal control structure and procedures for financial
reporting; and (2) containing an assessment, as of the end of the
company's most recent fiscal year, of the effectiveness of the
company's internal control structure and procedures for financial
reporting. On June 5, 2003, the Commission adopted final rules
implementing the requirements of Section 404(a).\85\
---------------------------------------------------------------------------
\85\ See footnote 9 above for reference.
---------------------------------------------------------------------------
The final rules did not prescribe any specific method or set of
procedures for management to follow in performing its evaluation of
ICFR. This gave managers some flexibility, while leaving it to
management's judgment to decide what constitutes ``reasonable support'' for
its assessment of internal controls. In the absence of specific
guidance, managers of many companies have relied upon AS No. 2. This
choice reflected the pressure on managers to meet the expectations of
the auditors who were charged with
attesting to the effectiveness of the company's ICFR and management's
annual assessment of ICFR. The limited alternative guidance available
to management has not given it the information that is necessary to
assuage its concerns about the risk of being unable to satisfy the
expectations of its auditor under AS No. 2.
The proposed interpretive guidance is intended to enable management
to conduct a more effective and efficient evaluation of ICFR. Further,
under the proposed rule amendments, the auditor would express only a
single opinion on the effectiveness of the company's internal controls
in its attestation report rather than expressing separate opinions
directly on the effectiveness of the company's ICFR and on management's
assessment.
Managers may choose to rely on the interpretive guidance, as an
alternative to what is provided in existing auditing standards or
elsewhere, for two key reasons. First, we are proposing a rule that
would give managers who follow the interpretive guidance comfort that
they have conducted a sufficient ICFR evaluation. Second, elimination
of the auditor's opinion on management's assessment of ICFR in the
auditor's attestation report should significantly lessen, if not
eliminate, the pressures that managers have felt to look to auditing
standards for guidance in performing those evaluations.
While the focus of the Cost-Benefit Analysis in this release is on
the costs and benefits related to the rule amendments that we are
proposing in this release, rather than the costs and benefits of the
proposed interpretive guidance that we describe in this release,\86\ in
view of the fact that the effect of the proposed rule amendments will
be to endorse the interpretive guidance as one approach to compliance,
we also have considered the effect that the proposed guidance may have
on evaluation costs.
---------------------------------------------------------------------------
\86\ To reduce the costs of implementation, we developed
proposed interpretive guidance to aid management in the planning and
performance of an evaluation of ICFR. In connection with this
interpretive guidance, we are proposing an amendment to Exchange Act
Rules 13a-15(c) and 15d-15(c) that would make it clear that an
evaluation that is conducted in accordance with the interpretive
guidance is one way to satisfy the annual management evaluation
requirement in those rules and forms. In addition, we are proposing
revisions