July 05, 2007
To determine the evidence needed to support its assessment, management should evaluate the ICFR risk of the controls identified (see “Identifying Financial Reporting Risks and Controls” above) by conducting a risk assessment. The risk assessment should consider the impact of the characteristics of the financial reporting elements related to the controls identified as well as the characteristics of the controls themselves. This concept is demonstrated by the following diagram:
Determining the Sufficiency of Evidence Based on ICFR Risk:
Misstatement Risk of Financial Reporting Element | High | More Evidence* | ||
Medium | ||||
Low | Less Evidence* | |||
Low | Medium | High | ||
Risk of Control Failure |
Characteristics of the financial reporting element include both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to material misstatement. As the materiality of the financial reporting element increases in relation to the amount of misstatement that would be considered material to the financial statements, management’s assessment of risk generally would also increase. In addition, financial reporting elements would generally be assessed as higher risk when they include information that is prone to misstatement such as elements which involve judgment in determining recorded amounts, susceptibility to fraud, have complex underlying accounting requirements or are subject to environmental factors.
2. Implementing Procedures to Evaluate Evidence of the Operation of ICFR
The methods and procedures management uses to gather evidence about the effective operation of controls, including the timing of when they are performed, are a function of the evidence that management considers necessary to provide reasonable support for its assessment of ICFR based on the assessment of ICFR risk. The evidence relevant to the assessment may come from activities performed for other reasons (e.g., daily operation management activities) and activities performed to meet the monitoring objectives of the control framework will provide evidence to support the assessment. The evidence management evaluates may come from a combination of on-going monitoring (e.g., self-assessment procedures and the results of key performance indicators) as well as direct testing of controls performed periodically to provide evidence about the reliability of such on-going monitoring activities. Risk assessments discussed above can assist management in determining the evaluation procedures that provide reasonable support for the assessment and as assessed risk increases, management should adjust the nature of evidence obtained. When ICFR risk is assessed as high, management’s evaluation would ordinarily include evidence obtained from direct testing but for lower risk areas, management may conclude that evidence from on-going monitoring is sufficient.
3. Support for the Assessment- Operating Effectiveness of ICFR
The SEC expects reasonable support for an assessment to include the basis for management’s assessment, including documentation of the methods and procedures it utilizes to gather and evaluate evidence. The evidential matter may take many forms and will vary depending on the assessed level of risk for controls over each of its financial reporting elements. For example, management may document its overall strategy in a comprehensive memorandum that establishes the evaluation approach, the evaluation procedures, and the basis for conclusions for each financial reporting element. Documentation might include memoranda, e-mails and instructions or directions from management to employees of the company. If management believes that the operation of the entity-wide and other pervasive elements of its ICFR address the elements of internal control that its adopted framework describes as necessary for an effective system, then the evidential matter constituting reasonable support for management’s assessment would ordinarily include documentation of how management formed that belief.
4. Multiple Location Considerations
Management’s consideration of financial reporting risks should generally include consideration all of the company’s locations or business units, though in some cases risks are adequately addressed by controls which operate centrally. When performing its evaluation of risk characteristics of controls identified, management should consider location-specific risks that might impact the risk that a control will fail to operate effectively. Further, management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient.
1. Evaluation of Control Deficiencies
Under the guidance, to determine whether a control deficiency, or combination of control deficiencies, is a material weakness (which must be disclosed in management’s annual report), management must evaluate each control deficiency that comes to its attention. Management may not disclose that it has assessed ICFR as effective if there is one or more control deficiencies determined, individually or in combination, to be a material weakness in ICFR as of the end of the fiscal year. Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and many, in combination, constitute a material weakness if there is a reasonable possibility that a material misstatement to the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually insignificant. Therefore, management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion, or component of internal control, to determine whether they collectively result in a material weakness. Management should also evaluate the effect of compensating controls (i.e. separate controls accomplishing the same objective) when determining whether a control deficiency or combination of deficiencies is a material weakness.
- The nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk);
- The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);
- The subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);
- The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);
- The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and
- The possible future consequences of the deficiency.
Management should evaluate how the controls interact with other controls when evaluating the likelihood that a company’s controls will fail to prevent or detect on a timely basis a misstatement that is material to the company’s financial statements. Several factors affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls, including:
- The financial statement amounts or total of transactions exposed to the deficiency; and
- The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.
In evaluating the magnitude of the potential misstatement to the company’s financial statements as a whole, management should recognize that the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger and the probability of a small misstatement will be greater than the probability of a large misstatement.
The following circumstances are strong indicators that a material weakness in ICFR exists:
- An ineffective control environment, which may be indicated by: identification of fraud of any magnitude on the part of senior management; significant deficiencies that have been identified and remain unaddressed after some reasonable period of time; or ineffective oversight of the company’s external financial reporting and ICFR by the company’s audit committee.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement. However, note that the correction of a material misstatement includes misstatements due to error or fraud. It does not include retrospective application of a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.
- Identification by the auditor of a material misstatement in financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company’s ICFR.
- For complex entities in highly regulated industries, an ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
2. Expression of Assessment of Effectiveness of ICFR by Management and the Registered Public Accounting Firm
Management should disclose a clear expression of its assessment related to the effectiveness of ICFR and, therefore, should not qualify its assessment by saying that the company’s ICFR is effective subject to certain qualifications or exceptions. In addition, if a material weakness exists, management may not state that controls are effective. However, management may state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es). Management may disclose any remediation efforts to the identified material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or General Instruction B of Form 40-F.
3. Disclosures About Material Weakness
Because of the significance of the disclosure requirements surrounding material weaknesses beyond specifically stating that the material weaknesses exist, the SEC believes companies should also consider including in their disclosures the nature of any material weakness, its impact on financial reporting and the control environment, and management’s current plans, if any, for remediating the weakness.
When disclosing the existence of material weaknesses, companies should ensure enough information is provided to form a picture that is not misleading. While management is required to conclude and state in its report that ICFR is ineffective when there is one or more material weaknesses, companies should also consider providing disclosure that allows investors to understand the root cause of the control deficiency and to assess the potential impact of each particular material weakness. This disclosure will be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those material weaknesses that do not. The goal underlying all disclosure in this area is to provide investors with contextual disclosure and analysis beyond the mere existence of a material weakness.
4. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR
The restatement of financial statements does not, by itself, necessitate that management consider the effect of the restatement on the company’s prior conclusion relating to the effectiveness of ICFR. However, though there is no requirement for management to reassess or revise its conclusion related to the effectiveness of ICFR, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement. Similarly, while there is no requirement that management reassess or revise its conclusion related to the effectiveness of its disclosure controls and procedures, management should consider whether its original disclosures regarding effectiveness of disclosure controls and procedures need to be modified or supplemented to include any other material information that is necessary for such disclosures not to be misleading.
5. Inability to Assess Certain Aspects of ICFR
In certain circumstances, management may encounter difficulty in assessing certain aspects of its ICFR. For example, management may outsource a significant process to a service organization and determine that evidence of the operating effectiveness of the controls over that process is necessary. However, the service organizations may be unwilling to provide either a Type 2 SAS 70 report or to provide management access to the controls in place at the service organization so that management could assess effectiveness. Finally, management may not have compensating controls in place that allow a determination of the effectiveness of the controls over the process in an alternative manner. The SEC’s disclosure requirements state that management’s annual report on ICFR must include a statement as to whether or not ICFR is effective and do not permit management to issue a report on ICFR with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.
SEC Rule Amendments
In addition to the interpretative guidance outlined above, the SEC amended Rule 13a-15(c) and Rule 15d-15(c) to state that, although there are many different ways to conduct an evaluation of the effectiveness of ICFR to meet the requirement in the rule, an evaluation conducted in accordance with the interpretive guidance issued by the SEC would satisfy the annual management evaluation required by SEC rules. The amendment provides a non-exclusive safe-harbor for the purposes of satisfying obligations under Rules 13a-15(c) or 15d-15(c).
The SEC also revised Rule 2-02(f) of Regulation S-X, which requires that an auditor’s attestation report clearly state the “opinion of the accountant as to whether management’s assessment of the effectiveness of the registrant’s ICFR is fairly stated in all material respects.” Under the final rule, the auditor will express only a single opinion on the effectiveness of the company’s internal controls in its attestation report rather than expressing separate opinions directly on the effectiveness of the company’s ICFR and on the management’s assessment. In addition, the amendment clarifies the circumstances under which the SEC would expect that the accountant cannot express an opinion and highlights that disclaimers by the auditor would only be appropriate in the rare circumstance of a scope limitation.
Finally, the SEC adopted conforming revisions to the definition of attestation report in Rule 1-02(a)(2) of Regulation S-X. Under the definition, an attestation report is a report in which a registered public accounting firm expresses an opinion, either unqualified or adverse, as to whether the registrant maintained, in all material respects, effective internal control over financial reporting, except in the rare circumstance of a scope limitation that cannot be overcome by the registrant or the registered public accounting firm which would result in the accounting firm disclaiming an opinion.
The final guidance and rules described will become effective 30 days after publication in the Federal Register.