U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

SEC Votes to Propose Interpretive Guidance for Management to Improve Sarbanes-Oxley 404 Implementation


Washington, D.C., Dec. 13, 2006 - The Securities and Exchange Commission today voted to propose for public comment interpretive guidance for managements regarding their evaluations of internal control over financial reporting. The Commission also proposed amendments to Rules 13a-15 and 15d-15 that would make it clear that a company choosing to perform an evaluation of internal control in accordance with the interpretive guidance would satisfy the annual evaluation required by those rules. Finally, the Commission proposed amendments to Regulation S-X to clarify the auditor's reporting requirement pursuant to Section 404(b) of the Sarbanes-Oxley Act.

"We are proposing this interpretative guidance to help management make their evaluation process more efficient and cost-effective," said SEC Chairman Christopher Cox. "In the absence of guidance, management has looked to the PCAOB's auditing standard to conduct their evaluations, which is not what was intended. With this guidance, management will be able to scale and tailor their evaluation procedures to fit their facts and circumstances, and investors will benefit from reduced compliance costs. While the guidance is intended to help public companies of all sizes, smaller companies should particularly benefit from its scalability and flexibility. We believe that today's proposed guidance, along with the Public Company Accounting Oversight Board's new auditing standard to be proposed next week, will result in significant improvements in the implementation of Sox 404."

"The guidance proposed today is an important step in the roadmap the Commission laid out in May for improving the implementation of Section 404 for all issuers," said John W. White, Director of the SEC's Division of Corporation Finance. "The proposed interpretive guidance should reduce uncertainty about what constitutes a reasonable approach to management's evaluation while maintaining flexibility for companies that have already developed their own assessment procedures and tools that serve the company and its investors well. Companies will be able to continue using their existing procedures if they choose, provided of course that those meet the standards of Section 404 and our rules. At the same time, the guidance maintains the important investor protection objectives of bringing information about material weaknesses into public view and fostering the preparation of reliable financial statements in an effective and efficient manner."

"Our proposed guidance is focused on risk and materiality. We have worked hard to ensure that the proposed guidance will not disrupt best practices already in place, or that may be evolving, while at the same time ensuring that it would be scalable to companies of all sizes," said Conrad Hewitt, Chief Accountant. "In particular, the top-down, risk-based guidance would allow for effective, and, importantly, efficient, methods and procedures for conducting evaluations at smaller companies. It is also intended to rebalance control over the process by providing management with its own guidance — without the need to look to auditing standards — for evaluating internal control over financial reporting. Although our guidance is directed to management and the expected proposal from the PCAOB is directed to auditors, we encourage respondents to take advantage of the proposals' overlapping comment periods to consider whether the proposals, if adopted, will ensure an appropriate balance between management's evaluation process and the audit process. We encourage feedback on all aspects of our proposal."


Section 404(a) of the Sarbanes-Oxley Act directed the Commission to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal controls structure and procedures for financial reporting.

On June 5, 2003, the Commission adopted such rules implementing Section 404(a) with regard to management's obligations to report on its internal control over financial reporting. The final rules did not prescribe any specific method or set of procedures for management to follow in performing its evaluation.

Today's proposal would amend the Commission's rules adopted in 2003 to state that an evaluation conducted in accordance with the interpretive guidance would satisfy the Commission's rules. However, in order to retain the flexibility that was desired by the 2003 rules, the amendments proposed today would afford management the latitude to either follow the interpretive guidance or to develop and use other methods that achieve the objectives of the Commission's 2003 rules.

Proposed Interpretive Guidance for Evaluating Effectiveness of Internal Control over Financial Reporting

The proposed guidance is principles-based guidance that is organized around two important principles:

  • First, management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner. This principle promotes efficiency by allowing management to focus on those controls that are needed to prevent or detect material misstatement in the financial statements.
  • Second, management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those control. The principle allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting.

By following these two principles, we believe that companies of all sizes and complexities will be able to implement our rules more effectively and efficiently. As smaller public companies often have less complex internal control systems than larger public companies, this proposed approach would enable smaller public companies in particular to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances.

The proposed guidance describes a risk-based approach and addresses many of the concerns that have been raised to the Commission including: excessive testing of controls generally; excessive documentation of processes, controls, and testing; and the ability to scale the evaluation to smaller companies. The guidance addresses four specific areas including:

  1. Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks. The proposed guidance describes a risk-based approach that would require the use of judgment to determine those areas that are both material and which pose a risk to reliable financial reporting. Management then would identify the controls that address those risks, including the risk of material misstatement due to fraud. The guidance would not require that every control in a process be identified. Once those controls are identified that adequately address the risk of material misstatement in the financial statements, it would be unnecessary to include additional controls within management's evaluation.
  2. Evaluation of the operating effectiveness of controls. Once management has determined the controls within the scope of its evaluation, management would then gather and analyze evidence about the operation of those controls. The proposed guidance provides for a risk-based approach that would require the use of judgment to direct management's evaluation efforts towards those areas that pose greatest risk to reliable financial reporting based on the company's unique facts and circumstances. The proposed guidance would allow management to support its evaluation in a variety of ways and illustrates how management can consider and utilize its existing daily interaction with its business, self-assessment, and other ongoing monitoring activities to support its evaluation.
  3. Reporting the overall results of management's evaluation. Once management has completed its evaluation, management must decide if any identified control deficiencies are material weaknesses. The proposed guidance provides management with a framework, outside of the auditing literature, for making these judgments and includes situations that are considered strong indicators that a material weakness exists. The guidance describes the factors that management should consider to evaluate the severity of a deficiency. If the deficiency is a material weakness, consistent with the Commission's existing rules, management must conclude that internal control over financial reporting is not effective and management has reporting responsibilities surrounding that material weakness. In addition, the guidance addresses the disclosure requirements for internal control reports in situations such as scope limitations and restatements.
  4. Documentation. The proposed guidance explains the nature and extent of evidential matter that management must maintain in support of its assessment including how management has flexibility in approaches to documentation. The proposed guidance indicates that such documentation can take many forms, can be presented in a number of ways, and does not need to include all controls within a process that impacts financial reporting. The proposed guidance provides that the evidential matter maintained in support of the assessment would also include the methods and procedures it utilizes to gather and evaluate evidence and the basis for its conclusions about the controls related to individual financial reporting elements. The proposed guidance indicates that in those situations in which management is able to rely on its daily interaction with its controls as a basis for its assessment, management may have limited documentation created specifically for the evaluation beyond documentation regarding how its interaction provided it with sufficient evidence.

Coordination with the Public Company Accounting Oversight Board

Although today's issuance of the proposed interpretive release is a major milestone in the improvement of the implementation of Section 404, the Commission remains committed to all of the steps set forth in the roadmap that was released entitled "Next Steps for Sarbanes-Oxley Implementation" (SEC Press Release 2006-75, May 17, 2006). In that regard, the Commission and its staff have also been working closely with the Public Company Accounting Oversight Board over the past few months in their work to develop a new auditing standard that would supersede Auditing Standard No. 2, the Board's existing auditing standard on internal control over financial reporting. The proposed standard is expected to provide for more efficient, risk-based, scalable audits of internal control over financial reporting while retaining the important investor protection benefits. Today's proposed amendments to Regulation S-X are intended to clarify the auditor reporting requirement in a consistent manner with the anticipated proposed new auditing standard. The Board has announced that it intends to consider proposing the new auditing standard at the Board's open meeting to be held next week on Tuesday, Dec. 19, 2006.

Comments on the proposed interpretive guidance and rule amendments should be received by the Commission within 60 days of their publication in the Federal Register.

* * *

The full text of the proposed interpretive guidance and rules will be posted to the SEC Web site as soon as possible.



Modified: 12/13/2006