11.14.2005

|

Updates

The new compliance and disclosure requirements for internal control over financial reporting enacted by the SEC under Section 404 of the Sarbanes-Oxley Act of 2002 disproportionately burden smaller public companies because of the relatively fixed cost of designing effective controls and demonstrating they are in place. Recognizing this disparity, the SEC has sought guidance on how smaller companies can effectively implement and test their internal controls and on whether and how Section 404 requirements and deadlines should be revised for smaller companies. Several recent developments bring these efforts to fruition.

    • Proposed Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting. In October the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published for comment new guidance on the use of its framework to address the needs of smaller businesses in fulfilling the requirements of Section 404 of the Sarbanes-Oxley Act.
    • Further Delay for Section 404 Compliance and Relief for Smaller Public Companies From Accelerated Reporting Deadlines. Based on recommendations from its Advisory Committee on Smaller Public Companies, the SEC has also recently provided additional relief.
      • Section 404 Requirements Again Delayed for Non-Accelerated Filers. The SEC has further delayed the effective dates for Section 404 compliance for non-accelerated filers (and foreign private issuers) — creating an additional one-year delay for most companies.
      • Proposed Relief From Accelerated Filing Deadlines for Smaller Accelerated Filers. The SEC has proposed creating a new class of "large accelerated filers" and providing relief from existing accelerated periodic reporting deadlines for other accelerated filers.

This Update summarizes key highlights of COSO's proposed guidance for smaller public companies and the SEC's further delay of Section 404 requirements and its proposal to relieve smaller accelerated filers from existing periodic reporting deadlines.

COSO Proposes Internal Controls Framework for Small Businesses

Background on Section 404, Management's Report and the COSO Framework. Of the many detailed features of Sarbanes-Oxley and its implementing rules, few strike non-accountants as more technical and obscure than those relating to "internal controls."

    • Sarbanes-Oxley Section 404 Requirements for Internal Control Over Financial Reporting. SEC rules under Sarbanes-Oxley Section 404 require management to evaluate, based on a recognized control framework, the effectiveness of the company's internal control over financial reporting and disclose its conclusions, and any material weakness identified, in a report on internal control over financial reporting included in the company's annual report filed with the SEC. Section 404 also requires the company's outside auditor to report on its assessment of management's evaluation and report.
    • COSO Framework. Since the adoption of the Foreign Corrupt Practices Act in 1977, U.S. public companies have been required to adopt and maintain certain levels of internal controls. In 1985, the Treadway Commission was formed to study financial reporting in the United States. In 1992, the Treadway Commission's Committee of Sponsoring Organizations gave the concept its most systematic treatment when it published its "Internal Control – Integrated Framework." This "COSO framework" is a currently well-recognized standard for evaluating "internal control over financial reporting" in the financial institution industry.
    • Management needs to base its evaluation of the company's internal control over financial reporting on some "recognized control framework" in order to have a widely accepted standard of comparison. This evaluation "framework" must be "recognized" and "established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment." In its rule-making release on June 5, 2003, the SEC acknowledged that the original COSO framework satisfies that criteria. The COSO internal control framework has been widely used by management and auditors in fulfilling the requirements of Section 404 for companies for which Section 404 is already effective.

Existing COSO Framework Not Appropriate for Small Business Control Environment. In the adopting rules under Section 404, the SEC and others expressed concerns that existing internal control frameworks, including the COSO framework, are not appropriately tailored to a small business control environment and that, as a result, the costs and burdens of internal control assessments may fall disproportionately on smaller businesses. Due to these concerns, SEC staff encouraged COSO to develop guidance on the use of their framework to address the needs of smaller businesses.

The COSO Board created an Advisory Task Force to assist in the development of this guidance, consisting of approximately 20 members with a variety of experience in smaller businesses. The Advisory Task Force also solicited input from financial officers and senior management of smaller businesses, regulators, investors, external auditors, internal auditors, consultants, lawyers and academicians.

New Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting. COSO's proposed guidance recognizes that while the 26 fundamental principles summarized in the guidance as constituting effective internal control over financial reporting are equally applicable to larger and smaller businesses, smaller companies differ from their larger counterparts and may implement effective internal control in a different manner. Specifically, COSO noted that smaller companies' management tends to have a hands-on approach, wider spans of control and the ability to provide ongoing monitoring through direct relationships with key personnel, customers, vendors and capital providers that can create opportunities for controls to be effective while being less formal. COSO identifies six themes for smaller businesses:

    • Control Environment. The control environment sets the tone. In a smaller company, management's actions and demonstrated commitment to effective governance and control are more transparent.
    • Risks. Smaller companies should consider risks to reliable financial reporting and identify controls required to mitigate risks related to financial statement assertions and account balances, rather than focusing on mandating specific controls.
    • Control Activities. Even in smaller companies, control activities require a minimal level of formalization so that everyone understands their responsibilities, how the controls operate and the importance of the control process.
    • Information Technology. Smaller businesses can use information technology to promote more effective control.
    • Monitoring. For smaller companies, monitoring may be ongoing, and executives who have direct and explicit knowledge of the activities of the business can monitor the effectiveness of internal control.
    • Personal Responsibility for Controls. Employees of smaller businesses can and should understand objectives related to financial reporting, risks and their personal responsibility for controls. Smaller companies can implement effective procedures that lead employees to note control problems or deviations from accounting practices and report them to the right place before they become a significant issue for the company.

Controls Need to Be Cost-Effective for Smaller Businesses. The COSO proposal suggests that smaller companies can reduce the costs of internal control and provides guidance.

    • Risk-Based Approach. Smaller companies can reduce costs by building controls into the culture and focusing the internal control process on areas that represent significant risks to the achievement of reliable financial reporting.
    • Use Software Tools. Companies can use readily available software templates or tools that can facilitate the design and evaluation of controls and accounting software (information technology) to implement consistent controls and enhance segregation of duties.
    • Leverage Management's Knowledge and Outsource. As noted in the guidance's themes, a smaller company’s management can provide effective monitoring of the financial reporting process, and smaller companies may find it more cost-effective to outsource some activities, like parts of monitoring or internal audit.
    • View Controls as a Whole Within Risk Framework. Overall, COSO recommends that smaller companies organize the evaluation around principles and view internal control as a whole within a risk framework and not as separate components.
    • Develop Systemic Approach to Review and Documentation. COSO's proposal recommends that smaller companies develop a systemic approach to internal control review and documentation, and notes that Exhibit 1.1 to the proposed Guidance and the chapter overviews can be used as a checklist of principles to consider in developing effective internal control over financial reporting.

SEC Again Delays Section 404 Internal Control Requirements for Non-Accelerated Filers (and Foreign Private Issuers)

Earlier in 2005 the SEC formed an Advisory Committee on Smaller Public Companies to assess the effect of the Sarbanes-Oxley Act and other securities regulations on smaller public companies and recommend appropriate changes to the SEC to vary the regulatory treatment of public companies based on size. In response to Advisory Committee recommendations, the SEC recently issued final rules again extending the compliance dates for its "internal control" regulations implementing Section 404 of the Sarbanes-Oxley Act as they apply to non-accelerated filers and foreign private issuers. Such companies now are not required to comply with Section 404 requirements until their first fiscal year ending on or after July 15, 2007.

The SEC continues to examine how its regulations, including Section 404 compliance, affect smaller public companies.

Practical Effect — A One-Year Extension for Most Affected Companies. For non-accelerated filers (including foreign private issuers who are also non-accelerated filers) whose fiscal years end on or after July 15, 2006 and before July 15, 2007, the practical effect of this extension is a one-year delay on the deadline by which they must first include management's evaluation of and report on internal control over financial reporting and the related auditor attestation report in annual reports filed with the SEC.

    • Calendar Year-End Companies Benefit. Non-accelerated filers that have fiscal years ending December 31 would previously have had to comply with these requirements for the first time in their annual report filed with the SEC for the year ending December 31, 2006. Such filers will now have until the filing of their annual report for the year ending December 31, 2007 to comply with the requirements.

Which Specific Requirements Are Delayed? The SEC's action delays when companies must first include:

    • Management's Report on Internal Control Over Financial Reporting in an annual report filed with the SEC (required by Regulation S-K Item 308(a));
    • The related auditor's attestation (required by Regulation S-K Item 308(b)); and
    • Revised CEO/CFO certifications including certain representations regarding internal control over financial reporting (required by Exchange Act Rule 13a-14 (and Rule 15d-14)).

The SEC's action also delays when companies must first evaluate whether changes in the company's internal control over financial reporting that occurred during the evaluation period have materially affected, or are reasonably likely to materially affect, the company's internal control over financial reporting (required by Regulation S-K Item 308(c)).

SEC Proposes Relief for Smaller "Accelerated Filers"

In light of various comments and a recommendation from the SEC Advisory Committee on Smaller Public Companies, the SEC recently recommended amending periodic report filing deadlines for various categories of filers. In connection with its proposal to modify periodic reporting deadlines, the SEC has proposed creating a new category of "large accelerated filers."

    • Modified Definition of Accelerated Filers. Under the SEC's proposal, accelerated filers will be companies that:
      • have a public equity float of at least $75 million but less than $700 million (based on the market value of outstanding shares held by non-affiliates on the last business day of the second fiscal quarter);
      • have been subject to the Exchange Act's reporting requirements for at least 12 calendar months;
      • previously have filed at least one annual report; and
      • are not eligible to file their quarterly and annual reports on Forms 10-QSB and 10-KSB.
    • New Category of Large Accelerated Filers. Under the SEC's proposal, large accelerated filers will be companies that have a minimum public equity float of $700 million and otherwise meet the definition of "accelerated filers."

Under the proposed rules, "non-accelerated filers" will be issuers that do not otherwise meet the definition of "accelerated filers" or "large accelerated filers."

Proposed Changes in Periodic Reporting Deadlines. The SEC is proposing that only large accelerated filers be required to file their annual reports on Form 10-K within 60 days after fiscal year end, beginning with fiscal years ending on or after December 15, 2005. Under existing rules, all accelerated filers would be subject to the 60-day filing requirement for fiscal years ending on or after December 15, 2005. The SEC is also proposing to maintain the current requirement for accelerated filers (and large accelerated filers) that quarterly reports on Form 10-Q be filed within 40 days after quarter end, rather then implementing the final acceleration to a 35-day filing requirement slated to take effect under current rules. The table below summarizes current deadlines and the SEC's proposal:

Category of Filer

 

Current Deadlines

 

Deadlines for Reports Beginning with the Annual Report
for Fiscal Years Ending on or after December 15, 2005

 

Under the Current Rules

 

Under the Proposed Rules

 

Form
10-K
Deadline

 

Form
10-Q
Deadline

 

Form
10-K
Deadline

 

Form
10-Q
Deadline

 

Form
10-K
Deadline

 

Form
10-Q
Deadline

 

Large Accelerated Filer ($700+ MM)

 

N/A

 

N/A

 

N/A

 

N/A

 

60

 

40

 

Accelerated Filer (between $75 MM and $700 MM)

 

75

 

40

 

60

 

35

 

75

 

40

 

Non-accelerated Filer (less than $75 MM)

 

90

 

45

 

90

 

45

 

90

 

45

 

Moving Between Categories. The SEC also proposed easing current restrictions, so that an accelerated filer may more quickly become a non-accelerated filer if its public float drops, as well as permitting a large accelerated filer to become an accelerated filer. The proposal would allow an accelerated filer with a public float less than $25 million to file its Form 10-K (and subsequent Form 10-Qs) on a non-accelerated basis for the same fiscal year that the public float determination is made. A large accelerated filer with a public float that dropped below $75 million would become subject to the accelerated filer Form 10-K (and subsequent Form 10-Q) deadlines for the same fiscal year that the public float determination is made.

Additional Information

You can find the full text of COSO's proposed Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting at www.coso.org. You can find the full text of the final rules implementing the SEC's further extension of Section 404 compliance for non-accelerated filers at http://www.sec.gov/rules/final/33-8618.pdf. You can find the SEC's proposed amendments to periodic report filing deadlines at http://www.sec.gov/rules/proposed/33-8617.pdf. You can find discussion of other recent laws, regulations and rule proposals of interest to public companies on our website.

 

Sign up for the latest legal news and insights  >