Speech by SEC Staff:
The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect those of the Commission or of the author's colleagues upon the Staff of the Commission.
Observations from annual reviews of registrants' disclosures of material weaknesses make me wonder whether registrants and auditors are identifying and reporting all material weaknesses. In an attempt to assist registrants and their auditors improve ICFR reporting, I would like to share some observations and provide suggestions where improvements might be possible. Specifically, I will discuss material weakness disclosure observations and test of control design considerations. In addition, I will address one specific issue related to the inclusion of consolidated variable interest entities (VIEs) in managements' reports on ICFR.
The first topic I would like to discuss relates to observations about reported material weaknesses. The left axis of the chart above indicates that despite what has arguably been one of the most challenging financial reporting environments of recent times, the number of registrants reporting material weaknesses continues to decline. This decline could be due to registrants, on average, having addressed previously reported material weaknesses, while also having controlled all of the unique financial reporting risks introduced by recent economic conditions. Although this is possible given the focus and significant attention by registrants on managing financial reporting risks, another skeptical view is this trend could also be due to material weaknesses not being identified or reported.
A review of other information, such as the October report of the Senior Supervisors Group to the Financial Stability Board, could also indicate that not all material weaknesses are identified or reported.1 Although this report focused primarily on operational risk management in the financial services industry, it identified certain internal control deficiencies that appear to be related to ICFR, including "inadequate and often fragmented technological infrastructures that hindered effective risk identification and measurement."2 Specifically, the report indicated inadequate IT infrastructures affected firms' abilities to consistently value complex products throughout the organization.3 A possible extension of these findings is that other financial institutions beyond those surveyed for the report could have experienced similar results, and findings like these may indicate material weaknesses that were not identified and reported. Despite this, only three U.S. financial institution registrants with assets in excess of $50 billion reported ineffective ICFR in 2008.4
Another observation that I would like to share is depicted on the right axis of the chart above. This indicates that the correlation between the reporting of a material weakness and the existence of a material adjustment continues to increase over time. One possible reason is that registrants and auditors may not conclude deficiencies in ICFR are material weaknesses unless they identify material adjustments. If this is true, other questions are raised, such as whether the material weakness existed in a prior period, whether all material weaknesses were disclosed in the current period, whether material weaknesses in monitoring and/or risk assessment should have been reported, and whether previously identified deficiencies were appropriately evaluated for severity. These matters were addressed at this conference in 2007, and I refer you to the staff remarks made at that time for further insights in this regard.5
However, the progression of this trend since 2007 may indicate that more attention on evaluating "what could go wrong" when testing the design of controls could be appropriate. Therefore, I now want to move to my second topic and discuss test of control design considerations.
Registrants and auditors have a responsibility to evaluate the ICFR implications of changes to accounting requirements. A few areas that warrant special attention are changes to the requirements for business combinations and changes to revenue recognition for multiple-deliverable arrangements.6 Although not all inclusive, a critical assessment of the design of controls in these areas might raise questions such as the following:
Have risk assessment or other controls been implemented throughout the entity to identify transactions that could require business combination accounting in the future as a result of the change in the definition of a business combination, such as the acquisition of a development stage entity or gaining control through contractual rights or the lapse of veto rights?
Do personnel responsible for reviewing significant accounting conclusions and authorizing or reviewing manual journal entries continue to possess the knowledge necessary to detect material misstatements given the changes in business combinations accounting?
Do controls exist to mitigate the risk that the registrant may not identify all of the effects that the changed definition of a business may have on other areas of accounting, such as components that were not previously considered reporting units because they were not considered businesses as previously defined in EITF 98-3?
Do controls exist to address the risk that estimated selling price is inappropriately used to determine the value for each deliverable when vendor-specific objective evidence or third-party evidence exists?
Are risk assessment and monitoring controls designed to identify circumstances that require updates to estimates of vendor-specific objective evidence, third-party evidence of fair value, or estimated selling prices for each similar type of arrangement?
Have processes and controls been implemented to identify and accumulate the required quantitative and qualitative disclosure information, particularly those requiring the accumulation of information not typically contained within the accounting system, such as the general timing of delivery or performance of service and performance, cancellation, termination, and refund provisions?
These questions are brief examples of test of design considerations that are intended to demonstrate the types of questions registrants and auditors should think about when evaluating the design of controls to assess whether ICFR is effective.
The third and final topic I will address today relates to the inclusion of variable interest entities consolidated upon adoption of FASB Statement 167 in managements' reports on ICFR. Registrants that consolidate VIEs upon adoption of Statement 167 will do so because they control these entities, and therefore, registrants will be expected to include those entities in managements' reports on ICFR. Further, the consolidation of VIEs under the transition provisions in Statement 167 does not constitute a business combination transaction for the purpose of determining whether the newly consolidated entity may be excluded from managements' reports on ICFR. The guidance contained in questions one and three of the September 2007 SEC staff frequently asked questions describe situations where the staff would not object to registrants excluding certain VIEs and material business combinations from their reports on ICFR.7 However, with one exception, registrants will not be able to justify excluding VIEs consolidated upon adoption of Statement 167 from their reports on ICFR using this guidance. This is because the staff believes registrants that consolidate VIEs under Statement 167 will likely have the right or authority to assess the internal controls of the consolidated entity, and since the consolidation will occur as of the first day of the fiscal year, registrants will have sufficient time to perform that assessment. The one exception, which the staff expects to rarely occur, relates to registrants consolidating VIEs that were in existence prior to December 15, 2003 for which the registrant, despite having control, does not possess the right or authority to assess the consolidated entity's internal controls and also lacks the ability, in practice, to make that assessment.
In closing, trends in material weakness disclosures and other information can raise interesting questions about whether all material weaknesses are identified and reported. Although various regulatory actions encourage registrants and auditors to make these disclosures, actions such as the increased focus on ICFR compliance in the Division of Corporation Finance filing reviews and the focus by the PCAOB on inspecting auditors' performance in conducting ICFR audits are backward-looking. Registrants and auditors add credibility to the profession and improve the overall confidence of investors by fulfilling their responsibilities to provide the increased transparency about ICFR that the Sarbanes-Oxley Act of 2002 and related SEC rules demand. Accordingly, I encourage the profession to continue focusing on internal control over financial reporting to ensure the design of controls is evaluated appropriately and all material weaknesses are identified and reported. Thank you.
1 Risk Management Lessons from the Global Banking Crises of 2008, Senior Supervisors Group, October 21, 2009.
2 Ibid, transmittal letter.
3 Ibid, p. 5.
4 A query of information reported by Audit Analytics for registrants with SIC codes of 60XX-67XX was performed on October 22, 2009. The results of that query indicated that three of the 101 registrants with assets in excess of $50 billion reported ineffective ICFR in their 2008 fiscal year.
5 See Remarks Before the 2007 AICPA National Conference on Current SEC and PCAOB Developments by Josh Jones, December 10, 2007, available at http://www.sec.gov/news/speech/2007/spch121007jj.htm.
6 Refer to the following for the relevant accounting requirements:
7 Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions, U.S. Securities and Exchange Commission, September 27, 2007, available at http://www.sec.gov/
|Home | Previous Page||