Statement by SEC Staff:
Remarks Before the 2005 AICPA National Conference on Current SEC and PCAOB Developments
Jennifer M. Burns
Professional Accounting Fellow
Office of the Chief Accountant
U.S. Securities and Exchange Commission
December 5, 2005
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
Good Afternoon. My time in OCA is spent focusing on audit related issues. As a result, over the last year much of my time has been spent on 404 related activities. Some of these activities will be the focus of my remarks today.
As you know, on May 16th the staff issued a Statement on Management's Report on Internal Control Over Financial Reporting (the"Staff Statement"). I'd like to talk about a few of the areas in the Staff Statement that continue to produce questions, specifically, the scope and process of management's assessment, information system implementations and upgrades, and communications between registrants and auditors. In addition, I will comment on 404 as it relates to smaller businesses and the recently published COSO draft guidance for smaller businesses.
May 16th Staff Statement: Selected Issues
The Scope and Process of Management's Assessment
Let me first turn to the scope and process of management's 404 assessments.
In the May 16th Staff Statement, we emphasized that, given the wide diversity of internal control structures, management is in the best position to determine, based on their own judgment, how to perform their 404 assessments. Still, many continue to ask the Commission to provide additional guidance in this area. The staff understands this request; however, the Commission has expressly declined to prescribe the scope, testing, and documentation required by management, and instead has stressed that the scope and process of management's assessment should be reasonable, and that the assessment (including the testing) should be supported by a reasonable level of evidential matter.
The May 16th Staff Statement provides high level suggestions as to what may be a reasonable and efficient approach for management. For instance, an approach that starts at the financial statement level and identifies the accounts and disclosures that may have a material impact on the financial statements may be a way to design an effective and efficient assessment. Additionally, the Staff Statement suggests companies may generally determine the accounts included within their Section 404 assessment by focusing on annual and company level measures. It also suggests that management's testing can be focused on the controls that are important to addressing the risks of material misstatement in significant accounts or disclosures, and that the nature, timing, and extent of management's testing should be influenced by management's judgments about the level of risk associated with a significant account.1
Concepts such as those discussed in the May 16th Staff Statement could be developed with further specificity through community efforts to create best practice suggestions. The staff would be supportive of such efforts.
Information System Implementations and Upgrades
With respect to information system implementations and upgrades, the staff continues to receive suggestions for guidance that would allow management to exclude new financial systems and upgrades implemented in the current fiscal year from the scope of management's 404 assessment.
As explained in the May 16th Staff Statement, management has always been, and continues to be, responsible for the reliability of the financial statements prepared subsequent to information system implementations and upgrades. Prior to Sarbanes-Oxley and 404, the implementation of new financial systems and upgrades involved appropriate testing of the system or the use of appropriate compensating controls to ensure that the financial information produced by the system was accurate. This is still the case. Accordingly, there does not appear to be a basis for excluding newly implemented information systems or recent upgrades that have an impact on financial reporting from current year 404 assessments.
Communications between Registrants and Auditors
Moving on to communications between registrants and auditors. In the beginning of the year, the staff received extensive feedback that one of the unintended consequences of implementing Section 404 was a "chilling effect" on the level and extent of communications between auditors and management. Since the issuance of the May 16th guidance, we have heard from both registrants and auditors that communications have improved. Still I'd like to emphasize that frequent and open dialogue between registrants and auditors is absolutely appropriate and is an essential element of the audit process. For instance, exchanging views and sharing information about new accounting pronouncements, issues with respect to unique transactions, and internal control risk assessments related to these and other matters, just to name a few, is appropriate and improves the quality of financial reporting. Everyone benefits when management and the auditor engage in discussions regarding accounting and reporting issues.
404 Applicability to Smaller Businesses
Another question has arisen related to 404 and smaller businesses. Concerns have been expressed about the ability to apply 404 to smaller public companies in a cost-effective manner. In September, the Commission decided to extend the 404 compliance date for non-accelerated filers in part due to these concerns and in part to provide time for the activities of COSO and the SEC's Advisory Committee on Smaller Public Companies to be completed. At the same time, the Commission sought specific input regarding the application of 404 to smaller public companies. Various points of view have been expressed in the comments we have received.
Some are of the view that smaller public companies should be exempt from 404 and believe the following:
- The costs of 404 present too great of a burden for smaller companies, and these costs may result in fewer smaller companies entering the capital markets.
- They also contend that even the best internal control systems may not detect or deter all fraud and that there is an absence of a clear link between fraud prevention and internal control audits.
- Additionally, those in favor of exemption point out that smaller companies (even when defined as those companies below $700 million in market capitalization) represent a small portion of the total U.S. market capitalization (roughly 6%2); therefore, because these companies represent minimal risk to total U.S. market capitalization, they suggest the costs of 404 may not be commensurate with the relative benefits.
Others are of the view that 404 should apply to all public companies and believe the following:
- Management of every company uses a system of internal control to manage and run its business,3 and should be able to, in some manner, assess and report on that system of internal control in a cost effective way.
- They also refer to studies that indicate smaller public companies may have greater incidence of fraud and restatements4 which some have taken as evidence that investors in smaller public companies may benefit the most from compliance with 404.
- Those in favor of 404 for all companies also point to the first year reporting results to support their view. For instance,
- almost 15% of first year 404 filers reported material weaknesses, and
- based on filings to date, the percentage of companies reporting a material weakness appears to increase as market capitalization decreases.
- Proponents of 404 believe that, based on such statistics, disclosure of material weaknesses by all companies should be required.
Still, others believe that there may be some middle ground between complete exemption and full applicability of 404 to smaller public companies.
The staff is evaluating the available evidence in light of these questions about trade-offs between costs and benefits. To help analyze these, as well as other, considerations, the Advisory Committee on Smaller Public Companies was formed by the SEC and is in the process of developing recommendations. The Committee plans to expose its proposed recommendations for public comment early next year, and they are scheduled to submit their final recommendations to the Commission in April 2006. So stay tuned.
As I alluded to earlier, COSO has been working on a project that is also very important to smaller businesses. During the early stages of 404 implementation, it became clear that smaller companies were experiencing challenges in applying the COSO Framework. In light of these difficulties, COSO took on a project to provide practical guidance to smaller businesses in the use of their Framework. Although the Commission's rules do not mandate the use of COSO in performing 404 assessments, COSO is the most widely used internal control framework.
On October 26th, COSO issued its proposed guidance for public comment. As Don Nicolaisen stated at the time, the proposed guidance is an important step forward in helping smaller businesses understand and apply COSO's internal control framework.5
There are a number of key concepts in the COSO document that I would like to highlight.
First, the guidance articulates twenty-six principles that should be present within an organization to achieve effective internal control over financial reporting, regardless of the organization's size. These principles are derived from the original 1992 COSO Framework, and bring a good deal of clarity to the five components of internal control. Attributes of each principle are identified to further assist users in implementing the concepts. The guidance then presents approaches and examples that illustrate how the principles can be achieved.
The guidance also explains that because the COSO Framework is an integrated model, all components of the COSO Framework6 should be in place to achieve effective internal control over financial reporting. Some have suggested, in the context of smaller businesses, removing the control activities component in favor of a stronger control environment; however, as articulated in the draft guidance, to remove one of the control components would result in an incomplete internal control system. Rather than eliminating certain components of the Framework, the guidance focuses on the distinction in scale, depth, and formalization of approaches that are used by small versus large companies to achieve the principles. For instance, a whistleblower program by necessity will have greater depth, scale, and formalization at a multinational company with locations around the world than it will at a small public company with one location.
With respect to the risk of management override of controls, the document explains that through effective corporate governance, companies can address (although not eliminate) the risk of management override. Effective corporate governance can be achieved through a commitment to integrity and ethical values, which can be strengthened by an independent board, an informed and active audit committee, and an effective whistleblower program.
The document also provides guidance with respect to establishing segregation of duties and alternative compensating controls that may be used when segregation of duties cannot be achieved. The guidance does not conclude that a lack of segregation of duties always represents a control deficiency. Rather, the company and auditor are encouraged to determine whether the company has sufficient compensating controls that would effectively reduce the risk of material misstatement to an acceptable level.
Regarding monitoring: under the COSO Framework, ongoing monitoring activities can be a useful and effective tool for management to assess the operating effectiveness of internal control. As stated in the original 1992 COSO Framework, "usually some combination of ongoing monitoring and separate evaluations will ensure that the internal control system maintains its effectiveness over time."7 The draft document explains that the "use of separate evaluations of controls may be partly offset by highly effective ongoing monitoring activities."8 Under the COSO model, effective monitoring includes a process for supervisors to affirmatively communicate with management regarding the operation of control procedures, as well as a process to capture and report identified control deficiencies. The extent to which management is comfortable basing its assessment on monitoring activities and other separate evaluations may depend upon the risks associated with a significant account, the relevant assertions involved, and whether there have been changes in the underlying process-level controls. In some situations management may decide they have a reasonable basis for relying on monitoring activities; and in those same situations, auditors may decide, through their own judgment, to test the underlying process-level control activities. Auditors and management may use different approaches to arrive at their respective conclusions about the effectiveness of controls.
With respect to documentation of controls, the draft guidance explains that when third party attestation is involved, adequate documentation needs to exist so a third party can review and evaluate the evidence of the design and operation of a control. As a reminder, it also may be helpful for management to refer to the Commission's original 404 rule release which discusses evidential matter (including documentation) and points out that "evidential matter should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered."9
After highlighting some of the key concepts, it is clear that although COSO's draft guidance is geared toward smaller businesses, it will be useful to organizations of all sizes. I encourage you to read the exposure draft and provide your input. Comments are due to COSO by December 31st, and we continue to be supportive of their process.
The Future of 404
In closing, let me say I think it is difficult to speculate as to the Advisory Committee's final recommendations and as to the Commission's potential decisions with respect to 404 and smaller public companies. However, I believe it would be prudent for management of non-accelerated filers to continue their work with respect to internal control. After all, public companies of all sizes can benefit from an increased focus on controls.
We have all climbed the learning curve through the process of implementing 404, and as we gain more experience, we will continue to improve the process. Speaking only for myself and not for the Commission, areas where I think improvements could be made include: effective consideration of ongoing monitoring and compensating controls, better use of IT driven controls as well as other ways to reduce management's costs while still achieving the objectives of 404, and designing effective internal control systems that help reduce the number of restatements. In the long run, we are all aiming to enhance the integrity of financial reporting. Our collective efforts to improve the 404 assessment process will help us do that.
|1 || For further discussion, refer to the Staff Statement on Management's Report on Internal Control Over Financial Reporting, May 16, 2005.
|2 || Record Of Proceedings, Meeting of the Securities and Exchange Commission Advisory Committee on Smaller Public Companies, August 10, 2005, p. 79.
|3 || The establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977 ("FCPA"). Title I of Pub. L. 95-213 (1977).
|4 || Fraudulent Financial Reporting: 1987-1997, An Anaylsis of U.S. Public Companies, Mark S. Beasley, Joseph V. Carcello, and Dana R. Hermanson, March 1999; Restatements-Traversing Shaky Ground, Glass Lewis & Co. Trend Alert, June 2, 2005.
|5 || Statements of SEC Chief Accountant Donald Nicolaisen and Corporation Finance Division Director Alan Beller Regarding New COSO Guidance On Section 404 Compliance, October 26, 2005.
|6 || The components of the COSO Framework are as follows: control environment, risk assessment, control activities, information and communication, and monitoring.
|7 || Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated Framework, September 1992, p. 69.
|8 || Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated Framework Draft Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting, October 2005, p. 107.
|9 || SEC Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, June 2003. Release Nos. 33-8238; 34-47986; IC-26068;File Nos. S7-40-02; S7-06-03.