On June 5, 2003, the Securities and Exchange Commission (SEC) posted its final rules for management's report on "internal control over financial reporting" and the related "attestation" by the issuer's outside auditors. Of the many detailed features of Sarbanes-Oxley and its implementing rules, few strike non-accountants as more technical and obscure than those relating to "internal controls." Yet establishing and implementing a COSO framework (as we discuss below) as soon as possible in 2003 will allow companies to meet these internal control requirements when they are required in 2004-2005.

The final rules, which amend Regulation S-K as well as other 1934 Act rules and implement Section 404 of the Sarbanes-Oxley Act, require a management report and related outside auditor attestation to be included in an issuer's annual report to the SEC on Form 10-K (Form 20-F or 40-F for foreign private issuers).

The rules also require management to evaluate any "material" change in the issuer's internal control that occurs during a fiscal quarter and to certify in the applicable Section 302 certification that such change has been disclosed in the issuer's Form 10-Q or Form 10-K (for the fourth quarter).

When Do Issuers Need to Comply? (A hint: not until 2004 or later)

The SEC extended the compliance deadline for management's report on internal control over financial reporting from the deadline included in the proposed rules. Under the final rules:

• accelerated filers (generally issuers with a market capitalization in excess of $75 million) will be required to comply with these requirements for fiscal years ending on or after June 15, 2004.

• all other issuers (including small business issuers and foreign private issuers) will be required to comply for fiscal years ending on or after April 15, 2005.

For calendar year accelerated filers, this effectively represents a one-year extension from the deadlines originally proposed by the SEC. For a calendar year accelerated filer, the first "management's internal control report" and auditor attestation must appear in the Form 10-K filed in 2005. For all other calendar-year issuers, it will be in the Form 10-K (or appropriate foreign private issuer form) filed in 2006.

What Is the Basis for "Internal Control Over Financial Reporting"?

The basis for "internal control over financial reporting" evolved from the concept of "internal controls" that developed over the years in accounting literature. Since the adoption of the Foreign Corrupt Practices Act in 1977, U.S. public companies have been required to adopt and maintain certain levels of internal controls. In 1985, the Treadway Commission was formed to study financial reporting in the United States. In 1992, the Treadway Commission's "Committee of Sponsoring Organizations" (COSO) gave the concept its most systematic treatment when it published its "Internal Control – Integrated Framework." This "COSO framework" is a currently well-recognized standard for evaluating "internal control over financial reporting" in the financial institution industry and is likely to become the de facto sole standard as a result of the SEC's heavy reliance on the COSO report in framing the new Section 404 rules.

Newly revised Exchange Act Rules 13a-15 and 15d-15 define an "internal control over financial reporting" as a process designed by, or under the supervision of, the CEO and CFO to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. Internal control over financial reporting includes policies and procedures that:

• Track Assets—relate to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of assets;

• Record Transactions—provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations of management and directors; and
• Protect Assets—provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements.

• What Needs to Be Included in Management's Annual Internal Control Report?

  Management's annual internal control report will include four elements:

  • Responsibility. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;

• Framework. A statement identifying the framework management used to evaluate the effectiveness of the issuer's internal control over financial reporting;
• Management's Assessment. Management's assessment of the effectiveness of the internal control as of the end of the most recent fiscal year; and
• Internal Auditor's Attestation. A statement that the issuer's outside auditor has issued an attestation report on management's assessment.

• Management's Report: What Evaluation Framework Is Required?

  Management needs to base its evaluation on some "recognized control framework" in order to have a widely accepted standard of comparison. This evaluation "framework" must be "recognized" and "established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment." The SEC identified the COSO framework as the evaluation framework of choice in the final rules.

  The SEC was careful to point out that the rules do not mandate any particular framework, in recognition of foreign standards and qualifying frameworks other than COSO that may be developed in the future, but stated that the COSO framework satisfies its criteria. The implication seems to be that the COSO framework may represent the only realistic standard currently available for domestic issuers, and many companies are already using COSO as their framework.

  For additional information regarding the COSO framework, please see http://www.coso.org.

  Management's Report: How Do We Determine Effectiveness of Internal Control?

  Evaluation Process

  Management's report in the Form 10-K (or appropriate foreign private issuer form) must include its evaluation of the effectiveness of the issuer's internal control over financial reporting and disclose any material weakness identified by management. The SEC acknowledges that the methods of conducting evaluations of internal control will vary from issuer to issuer. Not surprisingly, the rules do not specify the method or procedures to be used. The SEC, however, makes several observations:

  • Procedures and Testing. Management must base its assessment on procedures to evaluate the design of the issuer's internal controls over financial reporting and to actively test their operating effectiveness. The SEC expects active testing to not be limited to inquiry alone.

• Results of Tests. Management must base its assessment of effectiveness on evidential matter and documentation of the design of internal controls and on the process and results of testing.
• Keep Records. The company will develop documentation and other evidence providing support for the assessment and maintain this as part of the issuer's records.
• Outside Auditors Can Help—Within Limits. The issuer's outside auditors may assist management in documenting internal controls. The SEC recognizes the need for coordination between management and auditors, but management must be actively involved in the process and cannot delegate its responsibility to assess internal control to the auditor. The auditor may make recommendations for improvements to internal controls but may not design them. To do so would place the auditor in the position of auditing its own work and violate the SEC's recently adopted auditor independence rules.

• Danger—One "Material Weakness" Can Be Fatal to Effective Internal Control

  The SEC did not adopt any specific standard on which management would base its conclusion of effectiveness but instead establishes a materiality test to conclude whether the issuer's internal control over financial reporting is effective. If management identifies one or more material weaknesses in the internal control, it may not conclude that the issuer's internal control over financial reporting is effective. "Material weakness" has the same meaning in this context as in generally accepted auditing standards and attestation standards. The SEC also observes that in certain circumstances a series of weaknesses that are not individually "material" may, in the aggregate, be deemed a material weakness.

  Where Should Management's Report Appear?

  The rules do not specify where the report should appear in the issuer's Form 10-K (or appropriate foreign private issuer form). The SEC observes, however, that it is important that the report appear in close proximity to the corresponding auditor attestation and suggests placing it near the MD&A or just preceding the financial statements.

  What Evaluation Is Required for Quarterly Reports?

  Commencing with the first quarter following the fiscal year for which the initial annual management report and auditor attestation are due, management must evaluate any changes in the issuer's internal control that occur during any fiscal quarter and that have materially affected, or are reasonably likely to materially affect, internal control. This represents a departure from the SEC's proposed rules, which required a full evaluation of internal controls each fiscal quarter.

  In a companion change, management's Section 302 certification now includes a statement to the effect that any such material change in internal control has been disclosed in the related report. For more information see our Update entitled "Practical Guidance on Section 302 and Section 906 Certifications From the SEC Final Rules Release."

  Text of the Final Rules

  This Update is intended only as a summary of the SEC's final rules. You are encouraged to review the full text of the rules at www.sec.gov/rules/final/33-8238.htm. You can find further discussion of the Sarbanes-Oxley Act and of other recent laws, regulations and rule proposals of interest to public companies on our website.