07.18.2007


Updates

The SEC recently published an interpretive release providing guidance on compliance with Section 404 of the Sarbanes-Oxley Act of 2002. The SEC separately finalized rule amendments relating to internal control over financial reporting and defining the term “material weakness.” The guidance became effective on June 27, 2007, and the amendments to the rules will be effective August 27, 2007. The SEC also proposed a new definition for the term “significant deficiency.”

This Update summarizes key highlights of the SEC's interpretive guidance, the SEC's new and proposed rules and PCAOB Auditing Standard No. 5.

Highlights of the SEC's 404 Guidance

SEC Adopts Top-Down, Risk-Based Approach to Evaluating Internal Control Over Financial Reporting. The SEC opted to take a top-down, principles-based approach based on risk assessment and highlighted two principles underlying its guidance:

  • Management should evaluate whether it has implemented controls that adequately address timely prevention or detection of a material misstatement of the financial statements.
  • The form of evidence management maintains about the operation of its controls should be based on management's assessment of risk.

The guidance attempts to provide flexibility and scalability in light of a company's particular facts and circumstances -- a critical concern for many smaller public companies. Despite calls by some commentators for more concrete guidance, the SEC declined to provide specific illustrative examples. Instead, the SEC urged management to use its judgment when conducting an evaluation of the effectiveness of internal control over financial reporting. Companies may tailor their procedures according to their specific circumstances, size and nature.

Companies Should Vary Evaluation Approaches for Gathering Evidence Based on Risk Assessment. The SEC guidance emphasizes management's responsibility to identify and evaluate fraud risks and the related controls that address those risks before fraud occurs by conducting ongoing monitoring. Management should use reasonable judgment to identify and focus on evaluating controls to address the risk of material misstatements. For smaller public companies, daily interaction may be a more practical tool for evaluating internal control over financial reporting because managers are more directly involved with the company’s controls on a daily basis and fewer supervisory layers are present. In larger companies with multiple layers of management reporting, daily interaction will likely be more limited, and the SEC suggests that management use direct testing or ongoing monitoring for evaluation. Ongoing monitoring includes management’s normal, recurring activities, such as self-assessments, that provide information about the operation of controls.

Management must compile reasonable evidence for its assessment of internal control over financial reporting risk. The evidence can take many forms, depending on the size, nature and complexity of the particular company. More evidence is necessary if the risk of misstatement of a particular financial reporting element and/or the risk of a control failure is high. Conversely, if the risk of misstatement of a financial reporting element or the risk of a control failure is low, less evidence is required.

Management and External Auditors Will Likely Have Different Testing Approaches. As a result of the differences in the roles that management and external auditors play in evaluating internal control over financial reporting, the SEC’s guidance differs from the auditing standards articulated by the PCAOB. Management must design and maintain internal control over financial reporting and perform annual evaluations to provide a reasonable basis for its assessment as to whether its internal control over financial reporting is effective as of fiscal year-end. The auditor, on the other hand, has a different informational perspective than management and conducts a completely independent audit of internal control over financial reporting that will be integrated with its financial statement audit. Consequently, although there is a similarity between the work performed by management and the auditor, auditors will necessarily use a different approach.

SEC Declined to Further Extend Section 404 Compliance Deadline for Non-Accelerated Filers. Despite concerns voiced by smaller public companies, the SEC refused to further extend the Section 404 compliance deadline for non-accelerated filers. Therefore, non-accelerated filers will need to comply with the management assessment provisions of Section 404 for filings in 2008 and with the audit provisions of Section 404 by the spring of 2009.

Align SEC Rules and PCAOB Standards. The SEC also worked closely with the PCAOB to ensure that its guidance with respect to internal control over financial reporting is more closely aligned with the auditing standards promulgated by the PCAOB.

SEC's New Rules Clarify 404 Compliance Issues

SEC Adopts New Definition of “Material Weakness.” The SEC amended Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to define the term “material weakness” as a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. Previously, material weakness was defined only by reference to auditing literature.

Evaluation of the Effectiveness of Internal Control Over Financial Reporting Conducted in Accordance With SEC Guidance Satisfies SEC Evaluation Requirements. The SEC stressed that the guidance is voluntary and a nonexclusive means to comply. However, if management's assessment of the effectiveness of internal control over financial reporting is conducted in accordance with the interpretive guidance, a company will satisfy its reporting obligations under the Sarbanes-Oxley Act Section 404 under Exchange Act Rules 13a-15(c) and 15d-15(c).

Auditor's Report Evaluates Internal Control Over Financial Reporting, Not Management's Process. External auditors may now opt to issue a single report containing both an opinion on internal control over financial reporting and an opinion on financial statements rather than issue two separate reports. Furthermore, the SEC now specifies that the auditor’s report under Rules 1-02(a)(2) and 2-02(f) of Regulation S-X is an “attestation report on internal control over financial reporting” rather than an “attestation report on management’s assessment of internal control over financial reporting.”

SEC Proposes to Define “Significant Deficiency”

Concurrent with the release of the new guidance and adoption of the rules discussed above, the SEC also proposed a rule to define a “significant deficiency” as a deficiency that is less severe than a material weakness, but nevertheless should be brought to the attention of the audit committee. Comments on the proposed definition are due by July 18, 2007.

Trap for the Unwary

Stay Tuned! PCAOB Auditing Standard No. 5 Will Likely Apply for 2007 Audits. On May 24, 2007, the PCAOB voted to adopt Auditing Standard No. 5 relating to internal control auditing standards and replacing Auditing Standard No. 2. Auditing Standard No. 5, which remains subject to SEC approval, would apply to audits of any companies that are required by the SEC to obtain an external audit of internal control over financial reporting.

Auditing Standard No. 5:

  • streamlines auditing standards to better align with SEC guidance, including adoption of the same definitions of significant deficiency and material weakness;
  • requires external auditors to adopt the same top-down approach for internal control over financial reporting audits that applies to a financial statement audit and to focus testing on material misstatement risks;
  • requires external auditors to perform a fraud risk assessment;
  • requires external auditors to evaluate entity-level controls;
  • refocuses external auditor testing on objectives rather than mechanics to eliminate excessive work at low-risk locations;
  • requires external auditors to evaluate and communicate any identified significant deficiencies to the audit committee;
  • allows for flexibility and scaling of internal control over financial reporting audits based on the company's size and complexity; and
  • allows external auditors to rely on the work of management and others, including third parties working at the request of the company, based on risk, competency and objectivity.

Auditing Standard No. 5 remains subject to SEC approval. On June 7, 2007, the SEC posted for comment a notice regarding these new auditing standards on its website (Release No. 34-55876; File No. PCAOB-2007-02). Implementation will likely be swift, effective for audits for fiscal years ending on or after November 15, 2007.

Additional Information

You can find the full text of the new SEC interpretive guidance at http://www.sec.gov/rules/interp/2007/33-8810.pdf. The full text of the amendments to the rules regarding management's report on internal control over financial reporting is available at http://www.sec.gov/rules/final/2007/33-8809.pdf. The proposed amendment to define the term significant deficiency is available at http://www.sec.gov/rules/proposed/2007/33-8811.pdf.

You can read the SEC notice regarding Auditing Standard No. 5 at http://www.sec.gov/rules/pcaob/2007/34-55876.pdf

You can find discussions of other recent cases, laws, regulations and rule proposals of interest to public companies on our website.


 
