U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Speech by SEC Staff:
2004 Thirty-Second AICPA National Conference on Current SEC and PCAOB Developments


Louise M. Dorsey

Associate Chief Accountant
U.S. Securities and Exchange Commission


Stephanie L. Hunsaker

Assistant Chief Accountant
U.S. Securities and Exchange Commission

Washington, D.C.
December 6, 2004

As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC staff.

Note: View the slides referenced in this speech.

Good afternoon. It is a pleasure to be here once again to speak at this conference. We are going to talk about two areas we have been dealing with recently.

First we will address some Sarbanes-Oxley Section 404 matters [Slide 9] and then some issues we have been seeing regarding the use of another auditor.

Section 404

As you well know, accelerated filers will have to provide their report on the evaluation of internal controls and the auditor's attestation to management's assessment in 10-Ks with fiscal years ending on or after November 15, 2004 [Slide 10]. The SEC on November 17, 2004 also postponed the final phase-in of the acceleration deadlines for this year only, to provide additional time to implement Section 404. The final phase in will resume for year-end 2005 accelerated filers, with the deadlines shown on this slide.

On November 30, 2004, the SEC and PCAOB granted a temporary 45 day extension of time to file the Section 404 reports for certain accelerated filers with a public float of less that $700 million [Slide 11]. Regarding the 45-day extension, the 10-K is still due March 16, 2005 for calendar year companies, but they may omit the Section 404 reports. Of course, a 12b-25 extension for the 10-K is still available. However, a company must provide all of the other 10-K items. A company must also disclose any material weaknesses that it or the company's auditors have identified prior to filing the 10-K. The 10-K also would still need to include the Section 302 and 906 certifications, as well as the Item 307 and 308 disclosures regarding disclosure controls and procedures and changes in internal controls over financial reporting.

The amendment must be filed within 45 days of the original 10-K due date, despite any 15 day extension filed for the original 10-K. No 12b-25 extension for the amendment is permitted [Slide 12]. So the amendment for a calendar year company is due on Monday May 2, 2005 (45th day is April 30, a Saturday). The amendment must include the two Section 404 reports, new Section 302 certifications, and the Item 307 and 308 disclosures, which would be revised as needed in the event that any significant deficiencies or material weaknesses in internal control over financial reporting are identified. A new consent would also be required in cases where the 10-K is incorporated by reference. A company will not be considered timely for purposes of S-2/S-3 eligibility until the amendment is filed within the extension period. A temporary untimeliness, if you will. [Please also refer to the FAQ document issued by the Division of Corporation Finance on January 21, 2005 related to the Exemptive Order on Management's Report on Internal Control over Financial Reporting - available at the following link: http://www.sec.gov/divisions/corpfin/faq012105.htm ]

This slide [Slide 13] provides a handy comparison of the Section 404 and 302 requirements.

It helps illustrate the substantial overlap between disclosure controls and procedures (DCP) and internal control over financial reporting (ICFR) [Slide 14]. DCP include the components of ICFR that provide reasonable assurance that transactions are recorded as necessary to permit preparation of the financial statements in accordance with GAAP. Reigning over this, DCP ensure that the financial statements and other information required to be filed are recorded, processed, summarized and reported in a timely manner to allow sufficient time for management to assess the information needed to be included and timely filed in public reports. However, there are differences. For example, DCP applies to material financial and non-financial information in a report while ICFR includes items that do not directly relate to disclosures.

To the extent ICFR impacts public disclosure, DCP are inclusive of such internal controls, as DCP apply to all material information to be included in a report, within and outside the financial statements [Slide 15].

Let's go to a question [Slide 16]. Could you have a situation where CFO/CEO reach a conclusion in their 302 certifications that DCP are effective at reasonable assurance level, even though there is a material weakness in ICFR?

The staff believes officers generally will not be able to conclude DCP are effective when material weaknesses have been identified in IFCR. But there may be some limited circumstances [Slide 17].

There also are some elements of ICFR that are not subsumed within the definition of DCP [Slide 18]. An example in the adopting release is the pure safeguarding of assets. If there were a material weakness over safeguarding assets, but a company still could determine if and when an asset is sold, retired, etc., it is possible to conclude a material weakness over DCF does not exist.

But it is likely impossible to conclude that DCP are effective when material ICFR weaknesses exist in certain areas [Slide 19]. Examples are a material weakness in fraud prevention or multiple material weaknesses, because the impact is reasonably possible to be pervasive.

What if a company has to restate its F/S because it or the auditor discovers a material weakness in ICFR that is also part of the company's DCP? [Slide 20]

We believe a company needs to consider whether the disclosures provided under Item 307 of Regulation S-K in the original filing need to be modified, supplemented or corrected in order to explain the relationship between failure of the DCP and restated financial statements [Slide 21].

We looked at approximately 135 Item 4.02 8-Ks that were filed since the new 8-K rules took effect August 23, 2004 through November 30, 2004. Item 4.02 8-Ks are required to be filed when previously issued financial statements can no longer be relied upon because of an error in the financial statements. Based on this review, it was clear that the disclosures surrounding the company's DCP we are seeing in the amendments to Form 10-K and Form 10-Q for the restatements could be improved. For example, we believe the principal executive and principal financial officers need to re-evaluate their original conclusions surrounding the effectiveness of their DCP as of the end of the period covered by the original report. At a minimum, we would expect disclosure explaining why the principal executive and principal financial officers continue to believe the DCP were effective, after considering the fact that the financial statements were required to be restated. In addition, the company should disclose pursuant to Item 308(c) of Regulation S-K and Exchange Act Rule 12b-20 what has been done to correct the internal control problems - this is consistent with our guidance in Question 22 of the November 2002 FAQs on the Sarbanes-Oxley Act available on our website.

If the officers have determined that their conclusions as to effectiveness are no longer correct based on the subsequent information about the failure of the DCP that has manifested itself as a material weakness, significant deficiency or other control problem, then that should be disclosed in the filing based on a duty to correct a misstatement when it becomes known and Rule 12b-20, which requires that "in addition to the information expressly required to be included in a statement or report, there shall be added such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made not misleading [Slide 22]." An amendment including this type of disclosure must include the Section 302 certifications with all applicable paragraphs without alteration.

Can the officers conclude DCP were not effective as of the end of the reporting period covered by the amended report, but conclude DCP are effective as of the date the amendment is filed [Slide 23]?

YES - In these cases we would expect that the registrant expand the disclosure to explain how management has determined that DCP are now effective given the material weaknesses and other matters identified [Slide 24].

One very important area for disclosures regarding Section 404 and 302 is, of course, MD&A [Slide 25]. A material weakness in ICFR or DCP may constitute a material trend or uncertainty that should be disclosed in MD&A. The staff will be looking for a detailed discussion of any material weakness, and quantification and analysis of associated uncertainties & trends related to a material weakness, as well as steps or procedures taken to remediate the weakness. If no corrections to a weakness have been implemented yet, a company should disclose this fact and the timetable for remediation. It generally would not be sufficient to simply disclose the material weakness in either Section 404 report. In addition, if a material weakness impacts DCP, we would also expect a detailed discussion in MD&A regarding any deficiencies in DCP. Also, to the extent more than one significant deficiency led to a material weakness, it is necessary to discuss the significant deficiencies to fully understand the material weakness.

The evaluation of ICFR will vary company by company [Slide 26]. There are no specified required methods or procedures. They however must be based on procedures sufficient to evaluate both the design and operating effectiveness of ICFR. We understand many companies will follow the COSO standards. Documentation and evidential matter is key and the core objective support for management's conclusion. Inquiry alone will not suffice.

Management must attain a level of "reasonable assurance" when making conclusions about the effectiveness of ICFR [Slide 27]. We understand there have been questions about the definition of "reasonable assurance". The concept of reasonable assurance is not new. The definition should follow the current guidance in AU 319. Management will have to use its best judgment. Inherent in judgment is the consideration of the cost of a control and the benefits of it in reducing a certain risk.

The rules do not specify the exact content of management's annual internal control report because we believe doing so would result in boilerplate responses of little value. We believe management should tailor the wording of the report to fit their company's particular circumstances. However, Management's internal control report must include the following the statements [Slide 28]:

  • Management's responsibilities for establishing and maintaining adequate ICFR for the company
  • The framework used by management as criteria for evaluating the effectiveness of ICFR
  • Management's conclusion on the effectiveness of the company's ICFR at year end, including an explicit statement as to whether the ICFR is effective
  • Disclosure of any material weaknesses in the company's internal control identified by management
  • The fact that company's independent public accountant, who audited the financial statements included in the annual report, has attested to and reported on management's evaluation of ICFR

If management discloses additional information in the report, for example, its plans to implement new controls, corrective actions taken after the date of assessment, or a statement that management believes the cost of correcting a material weakness would exceed the benefits to be derived from implementing new controls, the auditor is required to disclaim this information. Disclosure of this type may be best located in MD&A or in Item 307. The rules do not specify where management's internal control report must appear in the annual report, but it should be located in close proximity to the corresponding attestation report issued by the company's auditor [Slide 29]. We would expect that many companies will choose to place the internal control report and attestation report near the MD&A disclosure or in a portion of the document immediately preceding the financial statements. However, this would obviously not be the case in the 10-K amendment for companies relying on the exemptive order, because as previously noted, neither MD&A nor the audited financial statements are required in the 10-K amendment.

Management has two options for its evaluation of ICFR - ICFR could be either effective or not effective [Slide 30]. Management is not permitted to conclude that its ICFR is effective if there are one or more material weaknesses. Additionally, management cannot qualify its conclusion by stating that its ICFR is effective with certain qualifications or exceptions. Management must take into consideration those problems when concluding whether the ICFR is effective. However, management may state that controls are ineffective for specific reasons. You can refer to SEC FAQ 5 for additional information.

What if management does not have the ability to assess certain aspects of ICFR? [Slide 31] For example: A SAS 70 report is not available at the service organization and the company has no other ability to assess controls in place at the service organization.

In this case, management would be required to conclude whether ICFR is effective based on the extent of the scope limitation [Slide 32]. Scope limitations are not permitted in management's report, except for 3 limited exceptions [Slide 33]:

  1. Where an entity was in existence prior to December 15, 2003 and is consolidated pursuant to FIN 46 AND where the registrant does not have the right or authority to assess the internal controls of the consolidated entity and also lacks the ability, in practice, to make that assessment. SEC FAQ #1 provides a detailed discussion of what is required to be disclosed in this situation.
  2. Equity method investments
  3. In the case of an acquisition- FAQ 3 discusses that we would not object to the exclusion of an acquired business from the scope of management's report on ICFR but the exclusion may not extend beyond one year from the date of the acquisition nor may it be omitted from more than one annual management report on ICFR. We will discuss these 3 particular FAQs in a little more detail in a few minutes.

We would like to remind you that management must communicate all significant deficiencies and material weaknesses they detect to the audit committee and external auditor [Slide 34]. The 302 certifications include an affirmative statement to this effect. Management must also provide written representations to the auditor.

The staff has issued 23 FAQs to date, the latest update was October 6, 2004 [Slide 35]. See our website: www.sec.gov/info/accountants/controlfaq1004.htm The PCAOB also has issued 3 sets of Q&As encompassing 36 questions, the last of which was posted November 22, 2004. [The PCAOB issued additional staff guidance (question 37) on January 21, 2005 dealing with temporary transition rule 3201T.]

SEC FAQs 1-3 address scope limitations.

FAQ 1 addresses consolidated variable interest entities (VIEs) and proportionate consolidation, while FAQ 3 addresses recent business acquisitions [Slide 36]. In FAQ 1, facts and circumstances will dictate when management has the ability to assess ICFR. Management may well be able to assess ICFR of these entities without having the rights or ability to remediate any deficiencies. Regarding FAQ 2 [Slide 37], the relief is not intended to prohibit companies from assessing ICFR of investees under the equity method. For FAQ 3 [Slide 38], the staff will look to the definition of a business in either EITF 98-3 or Article 11 of S-X. The staff is not likely to object to the use of the relief provided in FAQ 3, but it should not be used to purposely delay an assessment that could be done absent the relief.

FAQ 4 discusses the fact that even if management, the accountant, or both conclude in a report included in a timely filed Form 10-K or 10-KSB that the registrant's ICFR is not effective, we would still consider the registrant timely and current for purposes of Rule 144, and Forms S-2, S-3 and S-8 eligibility [Slide 39]. However, for companies relying on the exemptive order, the Company would not be considered timely for purposes of S-2/S-3 eligibility until the 10-K amendment is filed. But, companies relying on the exemptive order would be eligible to use Form S-8 and rely on Rule 144 before the 10-K amendment including the internal control reports is filed.

FAQ 9 discusses the fact that we are giving relief for the 302 certification requirement to disclose material changes in ICFR [Slide 40]. This relief is only applicable in periodic reports filed in advance of the Section 404 compliance date. If the change is driven from a material weakness, notwithstanding the relief that is being given, registrants should carefully consider disclosing the material weakness and resulting changes. After the registrant's first management report on ICFR, pursuant to Item 308 of Regulations S-K or S-B, the registrant is required to identify and disclose any material changes in the registrant's ICFR in each quarterly and annual report. This would encompass disclosing a change, including an improvement, to ICFR that was not necessarily in response to an identified significant deficiency or material weakness if it materially affected the registrant's ICFR. For example, changes made in connection with the implementation of a new information system, acquisitions or divestitures, changes in management, centralization or decentralization of accounting functions.

Some of the other more commonly asked FAQs are [Slide 41]:

FAQ 8 - related to transition reports - states that transition reports on Form 10-K require management's report on ICFR as well as the related auditor attestation report

FAQ 9 - relates to SAS 70 reports - the PCAOB also has several Q&As related to SAS 70 reports

FAQ 21 - related to consents - states that a consent is required for the use of the auditor's report on management's assessment of ICFR.

FAQ 22 related to annual "glossy" reports - states that we encourage issuers to include both management's and the auditor's report in the annual report to shareholders when their audited financial statements are included. However, companies relying on the exemptive order should disregard the guidance in FAQ 22 until the exemptive order expires.

FAQ 23 relates to supplementary information and states that internal control over the preparation of supplementary information does not currently need to be encompassed in management's assessment of ICFR. However, this is an area that we are considering possible rule making.

Another area where we have received a significant number of questions is in the case of IPOs [Slide 42]. Management's report and the related auditors report would be required in the first annual report filed after the revised Section 404 effective date passes. For example, if a company went public in March 2005 and has a December 31 year end, management's report and the related auditors' attestation report would be required in the 10-K for the year ended December 31, 2005. [However, the Commission extended the compliance dates for non-accelerated filers and foreign private issuers on March 2, 2005 - see release No. 33-8545 available on our website at: http://www.sec.gov/rules/final/33-8545.htm. Given this extension for non-accelerated filers, if a company went public in March 2005 and has a December 31 year end, management's report and the related auditors' attestation report would not be required until the Form 10-K for the year ended December 31, 2006. ]

Finally, we have been asked whether the company is required to assess ICFR for discontinued operations that have not been finalized until after the end of the year. In this situation, there is no relief - the discontinued operations must be included within the scope of management's assessment of ICFR.

Registrants in Chapter 11 are not automatically exempt from Section 404 [Slide 43]. If a registrant qualifies for modified reporting under Staff Legal Bulletin No. 2, then a registrant would not need to comply with Section 404 if and only if it came in beforehand to get relief.

We note that companies are disclosing identified significant deficiencies and material weaknesses in Forms 8-K and 10-Q [Slide 44]. The typical areas where problems have been identified are personnel issues, financial systems, and restatements due to lack of controls.

We know there will be material weaknesses [Slide 45]. The key here is clear detailed upfront disclosure. Disclose what the problem is, what it impacts, how the company expects to remediate it, and the timetable for remediation.

Use of Other Auditors

Another area that we are increasingly receiving questions relates to the use of other auditors. For example, a domestic registrant may have a subsidiary in another country, (for example, China) that represents a significant portion of the registrant's business. In this case, a U.S. auditor may choose to use an audit firm in China to perform work on the Chinese subsidiary [Slide 46]. The U.S. firm may choose not to place reliance on the work of the Chinese audit firm (i.e. not make reference to the other auditor in their report), but the Chinese firm must still be registered with the PCAOB if the Chinese audit firm performs a "substantial portion of the audit" - which is defined in PCAOB rule 1001. In addition, the foreign firm must be recognized by the SEC [Slide 47].

Regarding recognition of a foreign firm, PCAOB registration of a foreign firm does not supercede existing means that a firm uses to demonstrate its knowledge and experience in applying US GAAP, PCAOB standards, and SEC rules and independence requirements [Slide 48]. We look to see if the foreign firm has a formal affiliation with a U.S. firm, and one way is if the firm is included on the US Firm's Appendix K policies and procedures. If the staff is not familiar with a foreign firm, we may ask a firm to consult with OCA and demonstrate their knowledge of US GAAP, PCAOB standards and SEC Rules and Regulations. We have ushered several firms through this process lately.

In other situations, a U.S. firm may choose simply to "hire" local personnel in a foreign country, such as China, to work as independent contractors for the U.S. audit firm [Slide 49]. In this case, the U.S. audit firm would be required to control all aspects of the work performed by the independent contractor. The independent contractor would report to the U.S. audit firm just like an employee of the U.S. firm, perform all procedures requested by the U.S. audit firm, have the work reviewed by members of the U.S. audit firm as if the independent contractor was an employee of the firm, etc.

We have seen instances where an auditor is not licensed in the state or country where the principal audit procedures were conducted [Slide 50]. This can prove problematic in certain instances. For example, it raises legal and state licensing issues. The staff is addressing these issues on a case-by-case basis. We would urge you to contact the Division of Corporation Finance with any questions on real life fact patterns.

Thank you for your time and attention today. Any questions you may have on the topics we discussed will be addressed in the Q&A session following this session.


Modified: 04/13/2005