U.S. Securities & Exchange Commission

Briefing Paper:
Roundtable on Implementation of
Internal Control Reporting Provisions

On Wednesday, April 13, 2005, the Securities and Exchange Commission will host a roundtable discussion on the implementation of the internal control reporting requirements for public companies. The roundtable will take place in the William O. Douglas Room at Commission headquarters at 450 Fifth Street, N.W., Washington, D.C., from 9 a.m. to 5:30 p.m. The roundtable will comprise six panels that are designed to address the subjects described below. The Commission has invited representatives of public companies, auditors, investors, members of the legal community and others to participate in the roundtable. The roundtable will be Web cast on the Commission’s Web site at www.sec.gov. Additionally, selected other materials related to the roundtable are available at http://www.sec.gov/spotlight/soxcomp.htm.

The Commission also is seeking written submissions from all interested persons, whether or not participating in the roundtable, about their experience with the internal control provisions. Electronic submissions may be provided by using the Commission’s Internet submission form at www.sec.gov/news/press/2005-20.htm; or by E-mail to rule-comments@sec.gov. Please include File Number 4-497 on the subject line. Paper submissions may be provided in triplicate to Jonathan G. Katz, Secretary, Securities and Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549-0609. All submissions should refer to File Number 4-497. This file number should be included on the subject line if e-mail is used. To help us process and review your submissions more efficiently, please use only one method. The Commission will post all submissions on the Commission’s Internet Web site (http://www.sec.gov/news/press/4-497.shtml). All submissions received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

Overview

Section 404 of the Sarbanes-Oxley Act of 2002 directed the Commission to adopt rules requiring each company, other than a registered investment company, to include in its annual report filed with the Commission a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, as well as an assessment of the effectiveness of those controls. Section 404 also directed that the independent accounting firm that audits the company’s financial statements report on management’s assessment and the effectiveness of the company’s controls, in accordance with standards to be established by the Public Company Accounting Oversight Board (PCAOB).

On June 5, 2003, the Commission adopted rules implementing Section 404 with regard to management’s obligations to report on internal control over financial reporting. On June 17, 2004, the Commission issued an order approving the PCAOB’s Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of the Financial Statements (AS No. 2), which established the requirements that apply when an independent auditor is engaged to audit and report on management’s assessment of and the effectiveness of a company’s internal control over financial reporting.

Commission Definition of Internal Control over Financial Reporting

A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.

Exchange Act Rule 13a-15(f)

ROUNDTABLE AGENDA

Panel 1. The First Year

Companies have been required to maintain a system of internal accounting controls since the enactment of the Foreign Corrupt Practices Act in 1977. However, the requirements arising out of Section 404 have caused companies and their auditors to focus additional attention on the effectiveness of companies’ internal controls and, in most cases, report publicly on those controls for the first time.

Originally the new internal control reports of management and the company’s external auditor that are required by the Commission’s rules and AS No. 2 were due for fiscal years ending after June 15, 2004, for accelerated filers,1 and after April 15, 2005, for smaller companies and foreign private issuers. Recognizing the importance of these provisions and the time necessary to implement them properly, the Commission later extended these deadlines to November 15, 2004, and July 15, 2006, respectively. In addition, the Commission issued an exemptive order to grant accelerated filers with a public equity float of less than $700 million an additional 45 days to include in the current year’s annual report management’s report on internal control over financial reporting and the related auditor’s report. The Commission also extended for one more year the complete phase-in of the new accelerated filer reporting deadlines, in part because of the need for companies to focus on implementing the Section 404 rules.

Given the November 15, 2004, fiscal year compliance date for accelerated filers, the first of management’s assessments and the accompanying audit reports were due in February. Now that a significant group of companies has completed the first Section 404 process, the Commission is seeking input to assess the impact of the Commission’s rules and AS No. 2 on companies and on their internal controls and financial reporting. The Commission is also seeking input on the impact of implementation of the internal control assessment, reporting and auditing requirements.

Discussion Questions

  • What has been the overall impact of assessing, reporting and auditing internal control over financial reporting?
     
  • What implementation and/or ongoing issues have arisen in the first year of assessing, reporting and auditing internal control over financial reporting?
     
  • What benefits have companies experienced in the first year from the assessment, reporting and auditing process?
     
  • Are there preliminary thoughts about how much of the efforts and costs incurred this year are first-year versus ongoing?
     
  • Have the implementation efforts been impacted by issues regarding the availability of quality resources at companies and/or audit firms? If so, are these expected to recur in subsequent years?

Panel 2. Reporting to the Public

The Commission’s rules require that management’s report on internal control over financial reporting contain certain elements, including:

  1. A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
     
  2. A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting;
     
  3. Management’s assessment of the effectiveness of the company’s internal control over financial reporting, as of the end of the most recent fiscal year (including disclosure of any material weakness identified by management); and
     
  4. A statement that the company’s auditor issued a report on management’s evaluation of the company’s internal control over financial reporting.

The Commission determined not to provide more specific management reporting requirements, or a template format for management’s report, to discourage management from using boilerplate language in the reports.

AS No. 2 requires the auditor’s report on the company’s internal controls to include, among other things:

  • A statement that the standards of the PCAOB require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects;
     
  • A statement that an audit includes obtaining an understanding of internal control over financial reporting, evaluating management’s assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the auditor considered necessary in the circumstances;
     
  • A statement that the auditor believes the audit provides a reasonable basis for his or her opinions;
     
  • The auditor’s opinion on whether management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria; and
     
  • The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria.

AS No. 2 provides example reports for the auditor to consider when issuing its report. As a result, the majority of auditors’ reports to date closely followed the example reports issued by the PCAOB.

The Commission is seeking input on whether management’s and the auditor’s reports have generally been useful to the various users of a company’s financial statements. The Commission is also seeking input regarding what improvements in reporting or disclosure could be made in this area.

Discussion Questions:

  1. Has the information reported by management been useful? Are there any suggestions for improving the usefulness of the disclosures?
     
  2. Has the information reported by outside auditors been useful? Are there any suggestions for improving the usefulness of the disclosures?
     
  3. Do the internal control reports give users a better understanding about the financial reporting strengths and weaknesses of companies?
     
  4. Were disclosures about material weaknesses in internal control generally sufficient?
     
  5. Is the marketplace reacting differently to different types of material weaknesses, in the context of other factors relating to a company that reports a material weakness?

Panel 3. Planning and Design

The Commission’s rules state that management must base its evaluation of the effectiveness of a company’s internal control over financial reporting on a suitable, recognized control framework. While neither the Commission’s rules nor AS No. 2 mandate the use of a particular framework that meets the stated criteria, both indicate that a suitable framework for U.S. companies is the framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.2

The foundation of the Commission’s rules and AS No. 2 is the determination of the scope of a company’s internal control over financial reporting, working within the chosen framework. Management must determine which processes are included as part of internal control over financial reporting as well as how much documentation and testing is required in order to complete an adequate assessment of internal control over financial reporting. The Commission’s adopting release for its rules stated that controls subject to assessment include, but are not limited to:

  • controls over initiating, recording, processing, and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements;
     
  • controls related to the initiation and processing of non-routine and non-systematic transactions;
     
  • controls related to the selection and application of appropriate accounting policies; and
     
  • controls related to the prevention, identification, and detection of fraud.3

Both the Commission’s rules and AS No. 2 use the term “reasonable assurance” in the definition of internal control over financial reporting. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. AS No. 2 provides that reasonable assurance, both on the part of issuers and auditors, involves the use of professional judgment.4

The Commission is seeking input on the process of planning and design to determine the scope of companies’ controls as well as the scope of the review of those controls, including the extent to which registrants and auditors have used professional judgment in designing the scope of internal control and the review required under the Commission’s rules and AS No. 2.

Discussion Questions:

  1. What roles have various parties played in determining the scope of internal control over financial reporting (e.g. management, internal audit, external auditor, audit committee) and the scope of review of internal control? How, if at all, should those roles be modified or changed?
     
  2. Have management, auditors and audit committees allowed for a sufficient level of professional judgment in designing the audits of internal control over financial reporting?
     
  3. Have the Commission rules and AS No. 2 adequately assisted companies and their auditors in determining the appropriate scope of internal control over financial reporting and the scope of review of internal control? What, if any, additional guidance is necessary?
     
  4. How are decisions being made regarding using the work of others? To what degree is the work of others being used?
     
  5. How are companies with de-centralized operations and multiple locations making decisions about the scope of internal control and its review?
     
  6. Has there been agreement between management, auditors and audit committees in identifying the scope of internal control over financial reporting? The scope of the reviews of the internal controls? If not, what are the major disagreements/differences?

Panel 4. Documentation and Testing

Once a company and its auditor determine what is included within the assessment of internal control over financial reporting, they must determine, among other things, the extent of documentation and testing required to complete an adequate assessment. The Commission’s rules require that management base its evaluation of the effectiveness of a company’s internal control over financial reporting on a recognized control framework, but do not identify a required level of documentation and testing of those controls. Nor do the Commission’s rules specify the methods or procedures to be performed in completing an evaluation, other than indicating that the assessment must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness within the overall controls standard of reasonable assurance.

The Commission’s rules do require that, in connection with management’s assessment, a company must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the company’s internal control over financial reporting. In particular, the Commission’s release adopting its rules explains that “[t]his evidential matter should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered. The public accounting firm that is required to attest to, and report on, management’s assessment of the effectiveness of the company’s internal control over financial reporting also will require that the company develop and maintain such evidential matter to support management’s assessment.”5

Additionally, while the Commission’s release adopting its rules indicates certain types of controls that should be considered for testing by management in making this assessment, it acknowledges that the nature of the actual testing activities will depend largely on the circumstances of the company and the significance of the control, though inquiry alone generally will not be considered sufficient.

Further guidance regarding the level of documentation and testing required by the outside auditor is provided in AS No. 2. This standard includes detailed guidance regarding both the auditor’s evaluation of management’s assessment process (including whether management’s documentation provides reasonable support for its assessment), as well as documentation and testing required relating to the auditor’s own assessment of the company’s internal control over financial reporting. Audit documentation requirements are also addressed in the PCAOB’s Auditing Standard No. 3, Audit Documentation.

The Commission is seeking input about the level of documentation and testing that was performed by management and the outside auditor in completing their respective assessments of internal control over financial reporting.

Discussion Questions:

  1. What were some of the most significant documentation and testing challenges companies faced in the first year? For auditors? How were they resolved?
     
  2. To what extent did the efforts and costs of documentation and testing drive the overall level of management’s and the auditor’s efforts and costs of implementation of the reporting requirements?
     
  3. What was the dynamic that drove the determination of levels of documentation and testing by companies and auditors? Will there be a different level of effort to complete the documentation and testing in subsequent years?
     
  4. What recommendations do you have for improving the documentation and testing process?
     
  5. What, if any, additional guidance or other action from the Commission and/or the PCAOB may be useful to clarify documentation and testing requirements?

Panel 5. Using Judgment in Communications and Conclusions

Various aspects of the Commission’s rules and AS No. 2 require both management and the auditor to use professional judgment regarding the nature and extent of testing and in reaching conclusions regarding the effectiveness of internal control over financial reporting. Some areas impacted by professional judgment have already been discussed, such as the planning and design of the assessment of internal control over financial reporting, as well as the documentation and testing of the applicable processes. There are other areas, however, where the use of professional judgment by management and the auditor is an important part of assessing and auditing internal control over financial reporting.

One such area is the interaction between the auditor, management and audit committee and judgments made with respect to the implications of such interactions on the identification of control deficiencies. Historically, the external auditor has been available to provide management with certain accounting and reporting guidance, based on the auditor’s expertise in these matters. This advice has always, however, been subject to limitations imposed by the independence requirements with which auditors must comply. Recently, some have raised issues about the ability of the auditor to provide this type of advice without the auditor becoming, in essence, a part of management’s internal control over financial reporting, in addition to presenting the potential for impairing the auditor’s independence.

Another such area is the evaluation of any control deficiencies noted during the assessment of internal control over financial reporting. The Commission’s rules and AS No. 2 require management and the external auditor to arrive at an assessment of the effectiveness of internal control over financial reporting. In completing the assessment, management and the auditor may each identify control deficiencies, and they must evaluate and assess whether those deficiencies are significant deficiencies or material weaknesses. These two categories differ in the likelihood of misstatement and the materiality of the likely misstatement due to the identified deficiency. Ideally, both management and the auditor would arrive at the same conclusion regarding control deficiencies and the overall effectiveness of internal control over financial reporting. However, the evaluation of control deficiencies requires professional judgment, which incorporates both quantitative and qualitative factors.

An additional area that requires the use of judgment is communication regarding control deficiencies. AS No. 2 requires that the auditor communicate to management and the audit committee all significant deficiencies and material weaknesses in internal control over financial reporting identified during the audit. AS No. 2 further requires that the auditor communicate to management all deficiencies (that is, those deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies) identified during its review. The auditor must also obtain a representation from management stating that it has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s assessment, including separately disclosing those that are significant deficiencies or material weaknesses.

The Commission is seeking input about the level of professional judgment used in these areas by management, the audit committee and the auditor in their communications as well as in reaching conclusions about internal control over financial reporting.

Discussion Questions

  1. Does management believe that it has the ability to seek input from the company’s auditor on internal control, accounting or reporting issues? To what extent? How has this ability evolved in the first year of internal control assessment and auditing?
     
  2. Has there been any change in the level of communication between management and auditors on accounting issues? If so, to what extent and why, and what have been the implications of such changes?
     
  3. What were the most significant challenges management and auditors faced in assessing and concluding on the significance of the control deficiencies identified?
     
  4. What, if any, additional guidance or other action from the Commission or the PCAOB would be most helpful in assisting management and auditors in reaching appropriate conclusions?
     
  5. Is the right level of communication about internal control deficiencies taking place between the auditors, management, and the audit committee? If not, what aspects could be improved and how?

Panel 6. Next Steps

In Panels 1 through 5, the Commission is seeking input on specific experiences in the first year of implementation of the Commission’s rules and AS No. 2. As the Commission noted when adopting the internal control reporting rules, it has long been the Commission’s intention to learn from the experience of the first year of implementation, and ask how the process might be improved without compromising its benefits. In this panel, the Commission is seeking input about future application and implementation of the rules and practices thereunder.

Discussion Questions

  1. What lessons have been learned in the first year that can be used to improve future internal control assessments and audits over financial reporting and to gain more value from the process?
     
  2. Will subsequent years require a different level of effort by management and/or the auditor than the first year?
     
  3. What are the steps that the Commission and/or the PCAOB can take to improve the process?
     
  4. What advice would you give the smaller companies and foreign private issuers as they plan for their first year of implementation?

1 Generally, “accelerated filers” are U.S. companies that have equity market capitalization over $75 million and previously have filed an annual report with the Commission.

2 At the request of Commission staff, a task force of COSO has been established and anticipates publishing this summer additional guidance in applying COSO’s framework to smaller companies. In addition, the Commission noted in its release adopting its rules that foreign issuers can look to widely accepted internal control frameworks outside the U.S., such as Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and The Turnbull Report published by the Institute of Chartered Accountants in England and Wales.

3 Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 34-47986, (June 5, 2003), at section II.B.3.d.

4 AS No. 2 ¶18 states “…there are limitations on the amount of assurance the auditor can obtain…Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment…”

5 Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 34-47986, (June 5, 2003), at section II.B.3.d.

 

http://www.sec.gov/spotlight/soxcomp/intcontreport0405.htm


Modified: 04/05/2005