Ernst & Young LLP
November 29, 2002
Mr. Jonathan Katz
Proposed Rules: Disclosure Required by Sections
Dear Mr. Katz:
We are pleased to comment on the proposed rules to implement the requirements of Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002 ("the Act"). Overall, we support the proposed rules because we believe that generally they are consistent with the legislative intent of the Act. However, we suggest that the Commission modify certain aspects of the proposed rules so that they will be more effective and more easily implemented. Specifically, we believe that better guidance from the SEC would greatly facilitate the implementation of annual internal control reporting by companies and attestation by independent auditors. In addition, we recommend that the SEC modify the proposed definition of an audit committee financial expert and the related proposed disclosures.
Section 404 - Management and Auditor Reports on Internal Controls
Reporting separately on the effectiveness of internal controls will be a significant and time-consuming initiative for management and the issuer's independent auditors. In order to facilitate consistency and comparability in practice, we believe that the SEC's rules should clearly specify the relevant criteria for management's evaluation and the necessary assertions for management's report.
Criteria for Management's Assessment of Internal Control Over Financial Reporting
The final rules should require management to assess the effectiveness of internal controls and procedures over financial reporting using suitable criteria, established through due process. We believe that, without established criteria against which management may evaluate and report on the effectiveness of internal control, the reporting under the Commission's proposed rules will not achieve the objectives of the Act. In addition, without consistent reporting criteria, investors will not be able to compare the reports and conclusions of different companies. We are not advocating that the Commission adopt or endorse a single set of criteria. However, we suggest that the final rule prominently acknowledge that certain established criteria already exist for reporting on internal controls, and that management's use of those criteria in its report would be consistent with and would satisfy the requirements of Section 404. In addition, requiring the use of suitable criteria that have been appropriately established will increase the comparability of internal control assessments by limiting the acceptable sets of criteria to a relatively small number.
Under the AICPA's attestation standards, suitable criteria against which management may evaluate the effectiveness of internal control is a required condition for an independent accountant to examine and report on the effectiveness of internal controls. Section AT 101.25 of the AICPA Statements on Standards for Attestation Engagements further states:
The Committee of Sponsoring Organizations ("COSO") of the Treadway Commission's report, Internal Control - Integrated Framework, provides suitable criteria under which management may evaluate and report on the effectiveness of internal control. The COSO report was developed over several years, through due process procedures, and has been widely used and accepted over the past decade. In addition, the COSO report continues to be updated for recent developments. For example, in 1994 COSO amended its original report to incorporate guidance on controls pertaining to safeguarding of assets; in 1996, COSO issued Internal Control Issues in Derivatives Usage; and currently COSO has undertaken a study to provide guidance on assessing and managing enterprise risks. The United States General Accounting Office has endorsed and adopted the COSO report as the basis for internal control reporting by federal agencies.
Footnote 6 of AT 501, Reporting on an Entity's Internal Control Over Financial Reporting, supports the use of the COSO report:
The COSO report presents a comprehensive framework defining the objectives and components of internal control. The COSO report also identifies factors that may be considered in evaluating the effectiveness of each component of internal control, as well as related evaluation tools. The COSO report also includes guidance for management to report on the effectiveness of internal control.
While we believe that the COSO report is widely recognized and accepted, and provides the most complete and robust framework for evaluating and reporting on internal control, other countries or organizations may adopt frameworks on internal control reporting comparable to COSO. Accordingly, similar to the current attestation standards, we recommend that the SEC also specify that management should evaluate internal control using criteria that have been developed by groups composed of experts under due process procedures, such as the COSO report.
Auditor Attestation Requirements
We believe the Commission should acknowledge in proposed Rule 2-02(f), as well as proposed Rule 1-02(a), of Regulation S-X that the opinion expressed by the accountants based on their examination may either be a) unqualified, or b) qualified due to a material weakness. Unlike a qualified opinion on financial statements, we believe that the accountants' attestation report on internal control could be qualified, if necessary, and still meet the requirements of Regulation S-X. On the other hand, we disagree with the proposed amendments to Regulation S-X, which could be interpreted to suggest that a disclaimer of opinion on internal controls would satisfy the Exchange Act reporting requirements. We believe that a disclaimer of opinion should not be acceptable as fulfilling the proposed internal control attestation requirements, and the final rules should make that clear.
Material Weaknesses and Significant Deficiencies
The revised management certifications under Exchange Act Rules 13a-14 and 15d-14 require the CEO and CFO to certify that they have disclosed to the auditor and the audit committee all "significant deficiencies" and "material weaknesses" in the design and operation of internal controls and procedures for financial reporting, which could adversely affect the issuer's ability to record, process, summarize and report financial information required in SEC reports. In order to meet these reporting requirements, management will need to determine the threshold for control deficiencies that are of such a magnitude that they constitute "significant deficiencies" or "material weaknesses."
We believe that the final rule should specify thresholds for determining significant deficiencies or material weaknesses that trigger a reporting obligation to the audit committee and the auditor. We recommend that the SEC's final rules refer to AICPA Professional Standards, AU 325, for the meaning of the terms "significant deficiencies" (for which AU 325 uses the term "reportable conditions") and "material weaknesses" as is done in the Division of Corporation Finance's recently issued Sarbanes-Oxley Act of 2002 - Frequently Asked Questions. This would establish an objective, reliable standard by which the CEO and CFO could understand their obligations and issue their certifications. In addition, on an ongoing basis, the definition of these terms should remain consistent with any identical terms used in auditing and attestation standards adopted by the PCAOB.
Inconsistency Between Management and Auditor Attestation Reports
Consistent with Section 404(a)(1) of the Act, the proposed rules require that management disclose its conclusion about the effectiveness of internal controls and procedures for financial reporting as of the end of the fiscal year. However, the Commission has chosen not to specify the content of that report. In its release, the Commission stated that doing so "... likely would result in boilerplate responses of little value." We disagree with this approach. We are also concerned about inconsistencies between the proposed requirements for management's annual report on internal control over financial reporting, and the requirements under Section 103 of the Act for the related auditor's attestation report. Specifically, Section 103 requires the PCAOB to adopt standards under which the auditor would report on whether the issuer's internal control,
(aa) include(s) maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(bb) provide(s) reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer.
In order to provide symmetry between the internal control reporting requirements of management and the auditor, we recommend that the SEC's final rules require management's report on internal control to include assertions related to any matters to which the auditor is required to attest under the Act, including assertions to which the auditor will be required to attest under Section 103, or under standards adopted by the PCAOB.
Acknowledgement of Costs Associated with Reporting on Internal Controls
Other than insured financial institutions, few companies publicly report on the effectiveness of internal controls, and even fewer engage their independent auditor to render an attestation report. We believe that the level of effort involved in implementing the requirements of Section 404 (and Section 103's requirement for auditor attestation) should not be underestimated. Based on our experience, the level of additional effort necessary for companies to report on the effectiveness of internal control will be substantial. Likewise, independent auditors will incur significantly more time evaluating and testing internal controls in order to attest to management's report on the effectiveness of internal control. Annual reporting on internal control is likely to significantly increase the costs for public companies in complying with the SEC's reporting requirements, and the first year transition costs will be even greater.
Our experience with internal control reporting, specifically that required by the Federal Deposit Insurance Corporation Improvement Act of 1991 ("FDICIA"), suggests that reporting separately on internal controls, by both management and auditors, will involve a significant incremental cost and effort well beyond that of the current financial statement audit, due to the expanded documentation and testing required. Accordingly, we are concerned that the SEC's proposal appears to perpetuate the misperception that internal control reporting will not involve substantial costs or efforts to registrants. Specifically, in the proposing release, Section III, Paperwork Reduction Act, the Commission states:
Based on the SEC's estimates, companies will incur only 45 extra hours per year in assessing the effectiveness of disclosure controls and procedures, assessing the effectiveness of internal controls and procedures over financial reporting, and reporting annually on the effectiveness of internal controls and procedures over financial reporting. In our view, even for the smallest public companies, the Commission's estimates significantly understate the effort needed by management to prepare documentation to support management's internal control reporting, which would be sufficient for examination by the auditor in order to attest to management's report. For larger registrants (particularly those with multiple locations, multiple segments, or foreign operations), the SEC's estimates are grossly understated. Moreover, the SEC's cost analysis does not address the additional cost related to the auditor's attestation report, which is required under the Act.
We are concerned about a possible misperception of the level of testing of internal control that occurs in the normal course of auditing financial statements under generally accepted auditing standards. The current focus of most financial statement audits is to give an opinion on the annual financial statements and not to report on the system of internal control. Financial statement audit procedures are designed to be the most effective and efficient combination of substantive tests of balances and compliance tests of controls in order to conclude whether the financial statements are fairly presented in accordance with generally accepted accounting principles. Generally accepted auditing standards ("GAAS") require the auditor to obtain an understanding of the company's internal control sufficient to plan the audit and to determine the nature, timing, and extent of audit procedures. However, GAAS does not require the auditor to test any individual elements of internal control. Accordingly, an audit may include extensive substantive testing procedures and may not necessarily include tests of controls affecting all significant accounts. As a result, it is highly unlikely that the auditor is currently performing sufficient testing of internal controls in order to attest to management's evaluation of the effectiveness of internal controls over financial reporting. We would expect that the additional amount of work and associated fees necessary to attest to management's assessment of internal control will be quite substantial in many cases. In some cases, where internal controls are determined to be effective and reliable for the entire period being audited, the incremental effort might be offset in part by a reduction in the level of substantive testing required for the financial statement audit. 
However, some level of substantive testing, which will vary based on inherent risk factors, always will be required of all significant accounts as part of the financial statement audit.
The proposing release admits that the SEC's estimate of the incremental hours is not supported by any data. However, as the Commission notes in its release, the reporting under Section 404 is substantially the same as that required by FDICIA. Thus, there should be ample empirical data from experience under that earlier legislation on which to base a more realistic estimate of the costs of complying with the SEC's rules to implement Section 404 of the Act.
In their adoption of FDICIA, we observed that most banks incurred significant incremental time and costs to complete the documentation, evaluation, reporting and attestation of internal controls over financial reporting. In our view, non-financial institutions are likely to incur even greater costs in complying with internal control reporting under Section 404 of the Act. In general, federally insured depository institutions operate in a highly regulated environment, are organizations with a deeply rooted awareness of internal controls, rely heavily on the daily operation and effectiveness of internal control, and have significant internal audit resources devoted to testing and evaluating internal controls. For public companies without all of those attributes, the new internal control reporting requirements will pose a significantly higher challenge. For example, we expect that many other public companies do not have current, comprehensive documentation of their internal controls. Many companies may lack the internal resources necessary to prepare or update that documentation before the proposed effective date, much less develop a formal documented process for testing and evaluating the effectiveness of internal controls sufficient to satisfy appropriate reporting standards.
Accordingly, we recommend that the adopting release clearly acknowledge that the new internal control reporting requirements are likely to require substantial time and effort by issuers and an expansion of the independent auditor's present responsibilities, resulting in additional costs to registrants.
The Commission has proposed that reporting under Section 404 become effective for fiscal years ending after September 15, 2003. While we support the implementation of internal control reporting as expeditiously as reasonably possible, we are concerned that the SEC's proposed transition may impose an unfair burden on some companies. In order to prepare for the efficient implementation of the new reporting requirements, companies should be allowed sufficient time to understand the reporting standards and the extent of the evidential matter necessary to support management's report and the auditor's attestation. In addition to the SEC rules expected by late January, the Act requires the PCAOB to adopt standards governing the auditor's reporting on internal controls. Although the members of the PCAOB were recently appointed, the Commission has until April 26, 2003 to declare the PCAOB operational. Accordingly, the applicable auditor attestation standards may not be resolved until much later in 2003, particularly as it appears uncertain whether the PCAOB will endorse existing AICPA standards, at least initially.
Given the current expectations about when the PCAOB may resolve the question of the applicable attestation standards, we believe that the earliest effective date for internal control reporting should be fiscal years ending after December 15, 2003. This should allow issuers in the initial implementation group adequate time to assess the ultimate reporting standards, develop and execute necessary testing procedures, and report consistent with the Act's requirements with an appropriate balance of timeliness and efficiency.
Section 406 - Code of Ethics
We support the proposed rule under Section 406(a) of the Act requiring a company reporting under the Exchange Act to disclose whether it has adopted a qualifying code of ethics, and if not, the reasons why it has not done so. Although not required by the Act, we agree that the code of ethics should be filed as an exhibit to a registrant's annual report. We are hopeful that, through public disclosure of the code of ethics, there will be a flight to quality and companies will adopt codes of ethics that are best in class.
We also support the proposed rule under Section 406(b) of the Act requiring a company to publicly disclose changes in or waivers to its code of ethics either through Form 8-K or the company's website. We recommend that the final rule clarify that post-hoc waivers (i.e., waivers granted or agreed to after the violation) must be reported. We agree that the public interest would be best served by disclosure of all waivers of the code of ethics, not just those granted in advance.
We also support the proposed expansion of the scope of disclosures to cover the company's principal executive officer (in addition to the principal financial officer, controller and principal accounting officer, or equivalents, as required by the Act). However, we suggest that the SEC further expand the list of officers for which disclosure would be required. Specifically, we recommend that the disclosures include the chief legal officer and all other executive officers, as defined by Exchange Act Rule 3b-7. We note that the chief legal officer, among other things, plays an important role under rules the SEC has proposed under Section 307 of the Act, Rules for Professional Responsibilities of Attorneys. Accordingly, we believe that a company should be specifically required to disclose whether the code of ethics applies to its chief legal officer. Further, we believe that investors should be informed whether executive officers, who have important roles in establishing policies and managing business operations, are required to follow the company's code of ethics. In addition, we believe the SEC should encourage, but not require, companies to disclose the extent to which the code of ethics applies to others in the organization.
Section 407 - Financial Experts Serving on a Company's Audit Committee
We are concerned that the SEC's proposed definition of an audit committee financial expert is too restrictive and goes beyond the legislative intent of the Act. Further, we are concerned that certain of the SEC's proposed disclosures may be inappropriate and unnecessary and that those disclosures could lead to unintended consequences.
Disclosure of Number and Names of Financial Experts
We have supported initiatives over the past decade to strengthen audit committees. For example, we supported issuance by the Public Oversight Board of its September 1995 report Directors, Management, and Auditors: Allies in Protecting Shareholder Interests in response to the Kirk Commission Report, Strengthening the Professionalism of the Independent Auditor. In addition, our former Chairman Phil Laskawy served as a member of the Blue Ribbon Committee on Improving the Effectiveness of Audit Committees, whose February 1999 report led to a number of improvements in audit committee practices, many of which the Act has effectively mandated for listed companies (e.g., all audit committee members must be independent; the audit committee is directly responsible for the appointment, compensation and oversight of the independent auditor).
In response to the recommendations of the Blue Ribbon Committee, the NYSE and NASD adopted listing requirements for larger public companies that at least one member of the audit committee have accounting or related financial management expertise. Section 407 of the Act directs the SEC to adopt rules requiring a reporting company to disclose whether its audit committee has at least one financial expert. Consistent with the objectives of the Act, we expect that this disclosure requirement will prompt companies to ensure that at least one audit committee member has relevant, sophisticated financial expertise. We support this objective and believe that financial expertise strengthens the effectiveness of audit committees in discharging their important role in corporate governance.
In its rule proposal, the SEC has gone beyond the requirements of the Act. Specifically, the SEC has proposed to require disclosure of the names of each audit committee member whom the board of directors has determined is a "financial expert." We are concerned that the public designation of an audit committee member as a financial expert may have unfortunate and unintended consequences. For the reasons discussed below, we recommend that the SEC adopt a final rule that is consistent with the disclosure specified by the Act.
In its proposing release, the SEC stated its view that the designation of a financial expert should not impose a higher degree of individual responsibility or obligation on that member of the audit committee. Also, the SEC indicated that it does not intend the designation to diminish the duties and obligations of other audit committee members or the board of directors. Notwithstanding these views, we believe that publicly naming any member of the audit committee as a "financial expert" is likely to have the inevitable effect of increasing the responsibility, and potential liability, of the named audit committee member. As a consequence, companies may find it more difficult to attract and retain the most qualified financial experts to serve on audit committees, with the unfortunate consequence that the effectiveness of audit committees could be diminished.
Further, in our view, singling out one or more members of the audit committee as a financial expert could detract from the contributions and skills of other members of the audit committee. The entire audit committee performs oversight of the company's financial reporting and internal and external audit functions and relationships. While not a financial expert, as defined, other committee members are expected to be financially literate and actively participate in all of the committee's activities. We believe that it would be consistent with the public interest to make no public distinction among audit committee members, other than designating the chair as currently provided in proxy materials.
We believe that, consistent with Section 404 of the Act, it should be sufficient for a company to disclose whether at least one member of the audit committee is a financial expert, or if not, the reasons therefor. Consistent with that view, we do not believe that a company should be required to disclose the board's basis for the determination that a member of the audit committee is a financial expert. We believe that disclosure consistent with Section 404, together with the biographical material provided in proxy materials for all directors, should be sufficient for investors to assess whether the composition of the audit committee is appropriate and whether the members have relevant backgrounds and experience.
8-K Disclosure Requirements
The Commission requested comment on whether Form 8-K reports should be required regarding changes in audit committee financial experts. We do not believe that a company should be required to report a financial expert's addition to or departure from the audit committee or board of directors. Such disclosures would have the effect of identifying individual directors as financial experts, which we believe is unnecessary and inappropriate for the reasons discussed above. In addition, we believe that annual disclosure of the presence of at least one audit committee financial expert is sufficient to satisfy the objectives of the Act. For example, if a financial expert left the audit committee unexpectedly, the company should be allowed sufficient time to find an appropriate replacement. However, although the proposed disclosure could be provided in a subsequently filed proxy statement, we believe that the effective date of the required disclosure should be the filing date of the annual report. As the audit committee discharges a significant portion of its responsibilities as of the issuance of the company's annual audited financial statements, we believe it would be in the interests of investors to know whether the audit committee had at least one financial expert as of that date.
Framework for Identifying Financial Expert on Audit Committee
Section 407(b) of the Act specifies considerations for the Commission in defining the term "financial expert." However, we are concerned that the definition of a financial expert as proposed by the SEC may be overly restrictive. For example, unlike the considerations in Section 407(b), the SEC's proposed definition would require the individual to have experience preparing or auditing financial statements (including accounting for estimates, accruals and reserves) that are "generally comparable" to those of the registrant. Such provision could have the effect of significantly limiting individuals who could be financial experts to those with experience in a company's specific industry (or even all of the company's significant industry segments). We believe that it is best left to the discretion of the board of directors to determine whether an audit committee member has relevant experience or expertise to understand and address accounting matters that may be unusual or unique to the registrant and its business segments.
Similarly, we are concerned that, in practice, the pool of "financial experts" may be limited to former auditors, CFOs and controllers. We agree that the SEC's proposed list of considerations is appropriate for the board to evaluate in the aggregate. Moreover, we believe that a director's more recent experience, as opposed to experience in the more distant past, is more relevant to the ability of that director to serve as a financial expert. Similarly, we believe that the environment in which directors gained the relevant experience and expertise, as well as the scope of their responsibilities, is more important than their job title.
Accordingly, we urge the SEC to simplify the "decision tree" regarding determination of a "financial expert." As indicated above, we recommend that the "attributes" of a financial expert be defined consistent with Section 407(b) of the Act by removing the proposed requirement for experience with accounting and financial reporting that are "generally comparable" to those of the issuer. Also, we recommend that the skills and experience of an audit committee member should satisfy the predominance, rather than all, of the attributes. Further, we recommend that prior work experience in the named capacities (i.e., auditor, CFO, controller, and CAO) be deleted from the definition of a financial expert, because specific prior work experience should be a consideration, as opposed to a presumption, in assessing financial expertise. Finally, we recommend that the final rule make clear that the board's determination should be performed annually. Over time, a director's previous experience and expertise may become less relevant to the company's current circumstances. Accordingly, we believe that an annual assessment (re-assessment) would be consistent with the interests of investors.
We note that the proposed rules do not specify any anticipated effective date for the required disclosures. As the Commission notes in its proposing release, the current definitions of a financial expert of the NASD, NYSE, and other exchanges are different than that proposed by the SEC. If the SEC adopts final rules similar to those proposed, some companies that meet current listing requirements might be unable to disclose that they have at least one audit committee financial expert under the SEC definition. In addition, other reporting companies that are not listed nevertheless will be subject to the new disclosures about audit committee financial experts. Therefore, we believe that companies should have adequate time, if necessary, to recruit new audit committee members who would be considered a financial expert under the SEC's final rule. Accordingly, we recommend that the disclosures about audit committee financial experts become effective after an appropriate transition period (e.g., fiscal years ending after December 15, 2003).
* * * * *
We would be pleased to discuss our comments with the Commission or its staff at your convenience.