05.24.2005

|

Updates

The Staff of the Securities and Exchange Commission, the SEC itself and the Public Company Accounting Oversight Board (PCAOB) each issued separate statements last week with guidance for companies implementing Section 404 of the Sarbanes-Oxley Act of 2002.

This Update highlights some of the key concepts emphasized by the SEC and the PCAOB in last week's guidance and provides practical advice.

Background

Section 404 of the Sarbanes-Oxley Act requires a public company to include in its annual report filed with the SEC:

    • a report of management assessing the effectiveness of the company's internal control over financial reporting; and

    • a separate statement from the company's independent auditors reporting on, and attesting to, management's assessment.

Large calendar year-end U.S. public companies were required to provide this disclosure for the first time in their annual reports on Form 10-K for the fiscal year ended December 31, 2004.

On April 13, 2005, the SEC held a roundtable discussion with representatives of the business, investor, legal and accounting communities to discuss issues arising from the first year's experience with the new rules and to solicit feedback. Last week's guidance was intended to address many of the issues raised at the roundtable discussion and in the related written feedback solicited by the SEC, including the criticism that compliance with the new rules is too expensive and overly burdensome. One survey cited by the PCAOB found that for public companies with average revenues of $5 billion, first year Section 404 compliance costs were, on average, $4.36 million and consumed an average of nearly 27,000 hours.

SEC and PCAOB Recommend Tailored Approach to Internal Controls Assessment and Testing

A principal theme of both the SEC's and the PCAOB's guidance is that one size does not fit all when it comes to designing an internal controls assessment process. According to the SEC, many companies and accountants took a "bottom-up, check-the-box" approach to Section 404 that treated all internal controls equally and failed to include the exercise of reasonable judgment, which led to excessive, duplicative and misfocused efforts. The SEC and the PCAOB recommend instead that management use its experience and informed judgment to tailor the scope of the company's assessment and testing process to the company's own unique risks and issues. They also urge independent auditors to respect a "zone of reasonable conduct" in evaluating management's implementation of Section 404.

Despite the costs and challenges of compliance, the SEC emphasized that it believes Section 404 is producing benefits in the form of improved internal controls, and the PCAOB stated that Section 404 is "one of the most promising" provisions of the Sarbanes-Oxley Act.

Other Key Concepts Highlighted by SEC and PCAOB

    • Use a Top-Down, Risk-Based Approach. The SEC believes that too many internal controls and processes were identified, documented and tested in the first year of Section 404. The purpose of internal controls is to provide reasonable assurance regarding the reliability of financial reporting. Reasonable assurance is a high level of assurance but does not mean absolute assurance. The SEC and PCAOB recommend a "top-down, risk-based" approach to compliance.

    • Top Down.
        • A "top down" approach is one where management and accountants focus on those processes and classes of transactions that are most likely to have a material impact on the company's financial statements, starting with company level controls and then driving down to significant accounts, which lead to significant processes and, finally, to individual controls.
      • Risk-Based. Management and auditors should also use a "risk-based" approach to devote available resources to the areas of greatest risk; for example they should give less attention to areas of the company's controls where there is a low risk that a material weakness could exist and more attention to areas where there is a high risk that a material weakness could exist. An example of not using a risk-based approach is the use of standardized checklists that do not address a company's unique risks and control issues.
    • Streamline Testing Through Ongoing Monitoring.  The SEC points out that not all testing needs to be done during the year-end close period just because the reports of management and the company's accountants speak "as of" the year end date. In fact, the SEC believes that in most cases it would be accomplished preferably over a longer period of time. Management may be able to complete the testing of a substantial number of controls through regular supervisory activities, monitoring adherence to company policies and other actions that take place on an ongoing basis throughout the fiscal year.
    • Restatements Are Not Necessarily Evidence of a Material Weakness. The SEC reminds companies and auditors that a restatement of financial results due to error does not necessarily mean a material weakness exists in the company's controls. Both management and the external auditor should use their judgment in assessing why a restatement was necessary and whether the need for a restatement resulted from a material weakness. Any analysis of control deficiencies should factor in qualitative factors, such as the nature of the deficiency, its cause, the relevant financial statement assertion related to the control, the broader control environment and whether the risk is mitigated by compensating controls.

Practical Tip

When Disclosing a Material Weakness, Also Disclose Its Effect and Any Remediation Plans.

If a company identifies a material weakness, it must disclose the existence of the material weakness, and management is not permitted to conclude that its internal control over financial reporting was effective for that period. In order for this information to be useful to investors, the SEC encourages companies to also provide disclosure that allows investors to assess the potential impact of the material weakness. In particular, the SEC asks companies to consider including in their disclosures:

    •  the nature of any material weakness;
    • its impact on financial reporting and the control environment; and
    • management's current plans, if any, for remediating the weakness.

 

    • Talk to Your Auditors.  A common misconception in the first year of Section 404 implementation led to increased errors and inefficiencies. Companies and auditors interpreted the Section 404 rules as effectively preventing the auditors from providing accounting advice to clients and from reviewing draft financial statements. Both the SEC and the PCAOB refute this interpretation, and reiterate that auditors may:
      • provide advice on accounting matters without violating the SEC's auditor independence requirements, so long as management, and not the auditor, makes the accounting decisions; and review draft financial statements without exposing the company to a risk that any misstatements or misapplication of GAAP principles would result in the identification of control deficiencies by the auditors. The PCAOB states that auditors should only identify a deficiency when the company has completed its financial statements and disclosures without recognizing a potential material misstatement.

    The SEC emphasized that "[i]nvestors benefit when auditors and management engage in dialogue."

    • Be Ready for the Integrated Audit.  An integrated audit combines an audit of internal control over financial reporting (the Section 404 audit) with the audit of the financial statements. Some, but not all, audits during the first year of Section 404 implementation were partially or fully integrated. The SEC and the PCAOB encourage the use of integrated audits because they view it as more cost-effective and they believe it leads to better financial reporting, since the auditor's evaluation of internal controls helps the auditor better plan and conduct the financial statement audit.

    • Auditors May Rely on the Work of Others.  The PCAOB points out that another misconception about the Section 404 process is that auditors may not rely on the work of a company's internal audit function and others in supporting their internal control opinion. The PCAOB makes it clear that auditors can rely on the work of others, especially in areas where there is a low risk that a material weakness could exist. Auditors should perform more of their direct work in high risk areas and use the work of others in areas of lower risk.
    • No Need to Test IT Controls Unrelated to Financial Reporting.  A significant amount of time, money and effort during the first year of Section 404 implementation was directed at documenting and testing information technology internal controls. The SEC notes that for purposes of the Section 404 assessment, companies do not need to test general IT controls that pertain to the efficiency or effectiveness of the company's operations, but do not pertain to financial reporting.

Trap for the Unwary

Internal Controls Testing Must Include Any New IT Systems or Upgrades. Many companies delayed purchases of new IT systems or upgrades during the first year of Section 404 implementation as a result of the requirements to document and test IT internal controls. While a number of companies have asked the SEC to allow management to exclude from the scope of management's assessment the testing of new systems or upgrades implemented in the later part of a fiscal year, the SEC has declined to do so. In light of this, companies should perform preliminary assessments of internal controls in advance of system implementations or upgrades.

Trap for the Unwary

Internal Controls Testing Must Include Any New IT Systems or Upgrades. Many companies delayed purchases of new IT systems or upgrades during the first year of Section 404 implementation as a result of the requirements to document and test IT internal controls. While a number of companies have asked the SEC to allow management to exclude from the scope of management's assessment the testing of new systems or upgrades implemented in the later part of a fiscal year, the SEC has declined to do so. In light of this, companies should perform preliminary assessments of internal controls in advance of system implementations or upgrades.

SEC Staff Still Assessing Effects on Small Businesses

The SEC notes that internal control over financial reporting should reflect the nature and size of the company and should be appropriately tailored to the operations of a small business. The Staff continues to assess the impact of the Section 404 on small businesses and emphasized its establishment of committees to continue that assessment. For more information about SEC and the PCAOB small business initiatives, please see our March 25, 2005 Update, "Help May Be on the Way for Smaller Public Companies" .

Additional Information

This Update only summarizes key statements made by the SEC and the PCAOB in their recent guidance. You can find the full text of the SEC Staff's statement on management's report on internal controls at http://www.sec.gov/info/accountants/stafficreporting.htm. You can find the full text of the SEC's Commission level statement at http://www.sec.gov/news/press/2005-74.htm. You can find discussion of other recent laws, regulations and rule proposals of interest to public companies on our website.