August 03, 2007
On May 23, 2007, the Securities and Exchange Commission (the “SEC”) unanimously adopted interpretive guidance (the “Guidance”) to assist management when planning for and performing its annual assessment of internal control over financial reporting (“ICFR”) required by Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”). This Guidance is intended to serve as one way for management to evaluate and assess ICFR, and sets forth an approach by which management can conduct a “top-down, risk-based” evaluation of ICFR. An evaluation that complies with this Guidance will satisfy the evaluation requirements of SEC Rules 13a-15© and 15d-15© and provide management with certainty that it has satisfied its obligation to conduct an evaluation pursuant to those rules. The Guidance described herein is effective June 27, 2007.
On May 24, 2007, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 5, which codified previously issued auditing guidance on the “topdown, risk-based approach” to evaluating ICFR and revised the definition of “material weakness.” The PCAOB guidance is the companion guidance to the SEC Guidance described above and was amended to align the auditing standard with the Guidance. The new auditing standard is subject to SEC approval and anticipated to be effective in calendar year 2007.
In companion release, the SEC also amended its rules to provide that an evaluation conducted in accordance with the SEC’s Guidance would satisfy the annual management evaluation required by Section 404 of SOX. In addition, the SEC amended its accounting rules regarding the auditor’s attestation report requirements and revised its rules to include a definition of the term “material weakness.” The revised SEC rules described herein are effective on August 27, 2007.
In another release, the SEC requested additional comment on the definition of the term “significant deficiency.” Because this term is used in the SEC’s rules implementing SOX Section 404 and Section 302(a), which requires management to communicate all significant deficiencies in the design or operation of internal controls to the company’s external auditors and the audit committee of the board of directors, the SEC believes that a definition of this term should also be included in its rules, in addition to being defined in the auditing standards promulgated by the PCAOB. Comments on the definition of “significant deficiency” should be received by the SEC on or before July 18, 2007.
Pursuant to the SEC’s rules, management is responsible for maintaining a system of ICFR that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. The rules implementing Section 404 of SOX require that management annually evaluate whether ICFR is effective at providing such reasonable assurance and disclose its assessment in the company’s annual report. Management is responsible for maintaining documentation that provides reasonable support for its assessment. This evidence will also allow a third party, such as the company’s external auditor, to consider the work performed by management. The SEC recognizes that while “reasonableness” is an objective standard, there is a range of judgments that an issuer might make as to what is “reasonable” in implementing Section 404 of SOX and the SEC’s rules. Thus, the terms “reasonable,” “reasonably,” and “reasonableness” in the context of Section 404 implementation do not imply a single conclusion or methodology, but encompass the full range of appropriate potential conduct, conclusions, or methodologies upon which a public company may reasonably base its decisions.
The Guidance is organized around two broad principles. First, management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. The Guidance describes a “top-down, riskbased approach” to this principle and promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement of its financial statements. The Guidance does not require management to identify every control in a process, or document the business processes impacting ICFR. Rather, management can focus its evaluation process and the documentation supporting the assessment on those controls that it determines adequately address the risk of a material misstatement of the financial statements. For example, if management determines that a risk of a material misstatement is adequately addressed by an entity-level control, no further evaluation of other controls is required.
The second principle is that management’s evaluation of the evidence about the operation of its controls should be based on its assessment of risk associated with those controls. The Guidance provides an approach for making “risk-based judgments” about the evidence needed for the evaluation, and allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to the production of reliable financial reporting (i.e., whether the financial statements are materially accurate). The intended result is efficiency on the part of management in gathering evidence, such as performing self-assessments in lowrisk areas and performing more extensive testing in high-risk areas.
The objective of the ICFR evaluation is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year. To meet this objective, the Guidance provides that management should:
- Identify the risks to reliable financial reporting;
- Evaluate whether the design of the controls addressing those risks provide a reasonable possibility that a material misstatement of the financial statements would not be prevented or detected in a timely
- Evaluate evidence about the operation of the controls included in the evaluation based on its assessment of risk.
The Guidance describes the evaluation process in two sections. The first section explains the identification of financial reporting risks and the evaluation of whether the controls that management has implemented adequately address those risks. The second section explains an approach for making judgments about the methods and procedures for evaluating whether the operation of ICFR is effective. The Guidance addresses reporting considerations in a third section.
For more detail regarding the interpretive guidelines click here to Read Full Article