Skip to main content

Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
Frequently Asked Questions (revised October 6, 2004)1

May 12, 2017

The answers to these frequently asked questions represent the views of the staffs of the Office of the Chief Accountant and the Division of Corporation Finance. They are not rules, regulations or statements of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved them.

Note: Since the adoption of the Commission's Rules on Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release No. 34-47986, June 5, 2003), we have received questions regarding the implementation and interpretation of the rules. The Commission staff continues to entertain these questions, and where appropriate, will continue to answer publicly the more frequently asked questions. The staff understands that registrants, investors, auditors and others seek definitive answers to their questions and concerns in this initial assessment of internal control over financial reporting. Registrants, investors, auditors and others should keep in mind, however, that one of the main goals of the Sarbanes-Oxley Act of 2002 is to enhance the quality and accuracy of financial reporting and increase investor confidence in the financial markets. The Commission's Rules adopted in Release 34-47986 were intended to accomplish the Act's goals by improving public company disclosure to investors about the extent of management's responsibilities for the company's internal control over financial reporting and the means by which management discharges those responsibilities. We encourage management to keep these goals in mind as they confront and consider questions of judgment and interpretation with respect to internal control over financial reporting.

Questions on accounting matters related to management’s report on internal control over financial reporting should be directed to Nancy Salisbury (salisburyn@sec.gov) or Esmeralda Rodriguez (rodrigueze@sec.gov) in the Office of the Chief Accountant, Mail Stop 1103, 450 Fifth Street, NW, Washington, DC 20549; telephone: (202) 942-4400. Other disclosure and filing questions should be directed to Sean Harrison at (202) 942-2910, or Jonathan Ingram at (202) 942-2900 in the Division of Corporation Finance.

Question 1

Q: Financial Accounting Standards Board (FASB) Interpretation No. 46 (revised December 2003), Consolidation of Variable Interest Entities – An Interpretation of ARB No. 51, requires that registrants apply that guidance and, if applicable, consolidate entities based on characteristics other than voting control no later than the period ending March 15, 2004, or December 15, 2004 for small business issuers. In instances where the registrant lacks the ability to dictate or modify the internal controls of an entity consolidated pursuant to Interpretation No. 46, it may not have legal or contractual rights or authority to assess the internal controls of the consolidated entity even though that entity’s financial information is included in the registrant’s financial statements. Similarly, for entities accounted for via proportionate consolidation in accordance with Emerging Issues Task Force Issue No. 00-1 (EITF 00-1), management may not have the ability to assess the internal controls. How should management’s report on internal control over financial reporting address these situations?

A: We would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities, irrespective of the basis for consolidation. However, in a situation where the entity was in existence prior to December 15, 2003 and is consolidated by virtue of Interpretation No. 46 (i.e., would not have been consolidated in the absence of application of that guidance) and where the registrant does not have the right or authority to assess the internal controls of the consolidated entity and also lacks the ability, in practice, to make that assessment, we believe management’s report on internal control over financial reporting should provide disclosure in the body of its Form 10-K or 10-KSB regarding such entities. For example, a registrant could refer readers to a discussion of the scope of management’s report on internal control over financial reporting in a section of the annual report entitled "Scope of Management's Report on Internal Control Over Financial Reporting." The registrant should disclose in the body of the Form 10-K or 10-KSB that it has not evaluated the internal controls of the entity and should also note that the registrant’s conclusion regarding the effectiveness of its internal control over financial reporting does not extend to the internal controls of the entity. The registrant should also disclose any key sub-totals, such as total and net assets, revenues and net income that result from consolidation of entities whose internal controls have not been assessed. The disclosure should note that the financial statements include the accounts of certain entities consolidated pursuant to FIN 46 or accounted for via proportionate consolidation in accordance with EITF 00-1 but that management has been unable to assess the effectiveness of internal control at those entities due to the fact that the registrant does not have the ability to dictate or modify the controls of the entities and does not have the ability, in practice, to assess those controls.

Question 2

Q: Is a registrant required to evaluate the internal control over financial reporting of an equity method investment?

A: The accounts of an equity method investee are not consolidated on a line-by-line basis in the financial statements of the investor, and as such, controls over the recording of transactions into the investee’s accounts are not part of the registrant’s internal control structure. However, the registrant must have controls over the recording of amounts related to its investment that are recorded in the consolidated financial statements. Accordingly, a registrant would have to consider, among other things, the controls over: the selection of accounting methods for its investments, the recognition of equity method earnings and losses, its investment account balance, etc. For example, a registrant might require that, at least annually, its equity method investees provide audited financial statements as a control over the recognition of equity method earnings and losses. However, nothing precludes a registrant from evaluating the control over financial reporting of an equity method investment, and there may be circumstances where it is not only appropriate but also may be the most effective form of evaluation. For purposes of applying this guidance, we make no distinction between those equity method investments for which the registrant is required to file audited financial statements pursuant to Rule 3-09 of Regulation S-X and those where no such requirement is triggered.

Question 3

Q: If a registrant consummates a material purchase business2 combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?

A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment. In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (also refer to the last two sentences in the answer to question 9). In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

Question 4

Q: If management, the accountant, or both conclude in a report included in a timely filed Form 10-K or 10-KSB that the registrant’s internal control over financial reporting is not effective, would the registrant still be considered timely and current for purposes of Rule 144 and Forms S-2, S-3, and S-8 eligibility?

A: Yes, as long as the registrant’s other reporting obligations are timely satisfied. As has previously been the case, the auditor’s report on the audit of the financial statements must be unqualified.

Question 5

Q: May management qualify its conclusions by saying that the registrant’s internal control over financial reporting are effective subject to certain qualifications or exceptions or express similar positions?

A: No. Management may not state that the registrant’s controls and procedures are effective except to the extent that certain problems have been identified or express similar qualified conclusions. Rather, management must take those problems into account when concluding whether the registrant’s internal control over financial reporting is effective. Management may state that controls are ineffective for specific reasons. In addition, management may not conclude that the registrant’s internal control over financial reporting is effective if a material weakness exists in the registrant’s internal control over financial reporting.

Question 6

Q: If management’s report on internal control over financial reporting does not identify a material weakness but the accountant’s attestation report does, or vice versa, does this constitute a disagreement between the registrant and the auditor that must be reported pursuant to Item 304 of Regulation S-K or S-B?

A: No, unless the situation results in a change in auditor that would require disclosure under Item 304 of Regulation S-K or S-B. However, such differences in identification of material weaknesses could trigger other disclosure obligations.

Question 7

Q: When should a registrant determine whether it is an accelerated filer for purposes of determining when it must comply with Items 308(a) and (b) of Regulations S-K and S-B?

A: As provided in Exchange Act Rule 12b-2, a registrant that is not already subject to accelerated filing should determine whether it is an accelerated filer at the end of its fiscal year, based on the market value of its public float of its common equity as of the last business day of its most recently completed second fiscal quarter. Consideration should also be given to the other components of the Rule 12b-2 definition (i.e. the registrant has been subject to Exchange Act reporting for at least 12 months, has filed at least one annual report, and is not eligible to use Forms 10-KSB and 10-QSB).

Question 8

Q: Is a registrant required to provide management’s report on internal control over financial reporting, and the related auditor attestation report, when filing a transition report on Form 10-K or 10-KSB?

A: Yes. Because transition reports filed on Forms 10-K or 10-KSB (whether by rule or by election) must contain audited financial statements, they must also include management’s report on internal control, subject to the transition provisions specified in Release No. 34-47986. The transition provisions relating to management’s report on internal control should be applied to the transition period as if it were a fiscal year. Transition reports on Form 10-Q or 10-QSB are not required to include a management report on internal control.

Question 9

Q: Is a registrant required to disclose changes or improvements to controls made as a result of preparing for the registrant’s first management report on internal control over financial reporting?

A: Generally we expect a registrant to make periodic improvements to internal controls and would welcome disclosure of all material changes to controls, whether or not made in advance of the compliance date of the rules under Section 404 of the Sarbanes-Oxley Act. However, we would not object if a registrant did not disclose changes made in preparation for the registrant’s first management report on internal control over financial reporting. However, if the registrant were to identify a material weakness, it should carefully consider whether that fact should be disclosed, as well as changes made in response to the material weakness.

After the registrant’s first management report on internal control over financial reporting, pursuant to Item 308 of Regulations S-K or S-B, the registrant is required to identify and disclose any material changes in the registrant’s internal control over financial reporting in each quarterly and annual report. This would encompass disclosing a change (including an improvement) to internal control over financial reporting that was not necessarily in response to an identified significant deficiency or material weakness (i.e. the implementation of a new information system) if it materially affected the registrant’s internal control over financial reporting. Materiality, as with all materiality judgments in this area, would be determined upon the basis of the impact on internal control over financial reporting and the materiality standard articulated in TSC Industries, Inc. v. Northway, Inc. 426 U.S. 438 (1976) and Basic Inc. v. Levinson, 485 U.S. 224 (1988). This would also include disclosing a change to internal control over financial reporting related to a business combination for which the acquired entity that has been or will be excluded from an annual management report on internal control over financial reporting as contemplated in Question 3 above. As an alternative to ongoing disclosure for such changes in internal control over financial reporting, a registrant may choose to disclose all such changes to internal control over financial reporting in the annual report in which its assessment that encompasses the acquired business is included.

Question 10

Q: The definition of the term "internal control over financial reporting" does not encompass a registrant's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements. Are all aspects of the rules promulgated under the Sarbanes-Oxley Act, for example, within that definition?

A: No. While, it may be possible to connect the violation of any law, rule or regulation to the financial statements by observing that if the violation is significant enough it will have a material impact on the registrant’s financial statements, we do not believe that compliance with all laws fits within the definition. The Commission's financial reporting requirements and the Internal Revenue Code are examples of regulations that are directly related to the preparation of the financial statements. Conversely, rules requiring disclosure as to the existence of a code of ethics or disclosure as to the existence of an audit committee financial expert are examples of rules promulgated under the Sarbanes-Oxley Act that are not directly related to the preparation of financial statements.

However, as part of management’s evaluation of a registrant’s disclosure controls and procedures, management must appropriately consider the registrant’s compliance with other laws, rules and regulations. Such consideration should include assessing whether the registrant (1) adequately monitors such compliance, and (2) has appropriate disclosure controls and procedures to ensure that required disclosure of legal or regulatory matters is provided. Evaluation of disclosure controls and procedures and internal control over financial reporting in respect of compliance with applicable laws or regulations does intersect at certain points, including, for example, whether the registrant has controls to ensure that the effects of non-compliance with laws, rules and regulations are recorded in the registrant’s financial statements, including the recognition of probable losses under FASB Statement No. 5, Accounting for Contingencies.

Question 11

Q: Must identified significant deficiencies be disclosed either as part of management’s report on internal control over financial reporting or elsewhere in a registrant’s periodic reports?

A: A registrant is obligated to identify and publicly disclose all material weaknesses. If management identifies a significant deficiency it is not obligated by virtue of that fact to publicly disclose the existence or nature of the significant deficiency. However, if management identifies a significant deficiency that, when combined with other significant deficiencies, is determined to be a material weakness, management must disclose the material weakness and, to the extent material to an understanding of the disclosure, the nature of the significant deficiencies. In addition, if a material change is made to either disclosure controls and procedures or to internal control over financial reporting in response to a significant deficiency, the registrant is required to disclose such change and should consider whether it is necessary to discuss further the nature of the significant deficiency in order to render the disclosure not misleading. A registrant’s auditor that is aware of a significant deficiency is required to communicate the significant deficiency to the audit committee as required by PCAOB Auditing Standard No. 2.

Question 12

Q: Many registrants with global operations have a lag in reporting the financial results of certain foreign subsidiaries for financial reporting purposes. For example, a registrant with a December 31 year-end may consolidate the operations of certain foreign subsidiaries with a November 30 year-end. Is this difference in period ends also acceptable in relation to the assessment of internal control over financial reporting?

A: Yes.

Question 13

Q: The Commission’s adopting release for its rules pursuant to Section 404 of the Sarbanes-Oxley Act (Release No. 34-47986) provides that the terms “significant deficiency” and “material weakness” have the same meaning for purposes of those rules as they do under generally accepted auditing standards and attestation standards. PCAOB Auditing Standard No. 2 modified the definitions of the terms
”significant deficiency” and “material weakness.” Does the Commission staff intend to look to the definitions as they existed when the adopting release was issued or as they have been revised by the PCAOB?

A: When the Commission published its adopting release, the Commission expressed an intention to incorporate the definitions of “significant deficiency” and “material weakness” as they exist in the standards used by auditors of public companies. Looking to the definitions as revised by the PCAOB is consistent with this intention and, accordingly, the SEC staff will apply the PCAOB definitions in interpreting the Commission rules in this area.

Question 14

Q: In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statements, such as payroll. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report3 performed by the auditors of the third party service providers. If the auditors of the third party service provider are the same as the auditors of the registrant, may management still rely on that report? Additionally, may management rely on a Type 2 SAS 70 report on the third party based on a different year-end?

A: In situations where management has outsourced certain functions to third party service provider(s), management maintains a responsibility to assess the controls over the outsourced operations. However, management would be able to rely on the Type 2 SAS 70 report even if the auditors for both companies were the same. On the other hand, if management were to engage the registrant’s audit firm to also prepare the Type 2 SAS 70 report on the service organization, management would not be able to rely on that report for purposes of assessing internal control over financial reporting. Management would be able to rely on a Type 2 SAS 70 report on the service provider that is as of a different year-end. Note, however, that management is still responsible for maintaining and evaluating, as appropriate, controls over the flow of information to and from the service organization.

Question 15

Q: What is the impact of combining the auditor’s attestation report on management’s assessment of internal controls over financial reporting with the audit report on the financial statements?

A: Item 2-02 of Regulation S-X permits the auditor to combine the attestation report on management’s assessment on internal control with the auditor’s report on the financial statements. However, in determining whether to combine the reports, the auditor should take into account any issues that may arise if its audit report on the financial statements is expected to be reissued or incorporated by reference into a filing under the Securities Act.

Question 16

Q: Will the SEC be providing guidance on specific considerations relating to internal control over financial reporting for small business issuers?

A: Although the Commission’s final rule implementing Section 404 of the Act does not distinguish between large and small issuers, the Commission, as noted in the release accompanying the final rule, recognized that many smaller issuers might encounter difficulties in evaluating their internal control over financial reporting. The SEC staff would support efforts by bodies such as COSO to develop an internal control framework specifically for smaller issuers.

Question 17

Q: To what extent may management rely on the registrant’s auditor to assist in its development of an assessment process and documentation process in preparation of issuing management’s report on internal control over financial reporting?

A: The auditor is allowed to provide limited assistance to management in documenting internal controls and making recommendations for changes to internal controls. However, management has the ultimate responsibility for the assessment, documentation and testing of the registrant’s internal controls over financial reporting.

Question 18

Q: What sources of guidance are available to management to assist them in fulfilling their responsibilities regarding management’s assessment and documentation of the internal control over financial reporting?

A: Several sources of guidance are available on the topic of management’s assessment of internal control including, for example: the existing books and records requirements; the Commission’s final rule on Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Release No. 34-47986); and, as referenced in the release on the final rule, the reports published by the Committee of Sponsoring Organizations of the Treadway Commission on internal control.

Question 19

Q: How should management treat an inability to assess certain aspects of their internal control over financial reporting in their written report? For example, management has outsourced a significant process to a service organization and it has determined that evidence of the operating effectiveness of the controls over that process is necessary. In addition, the service organization is unwilling to provide either a Type 2 SAS 70 report or access to assess the controls in place at the service organization. Finally, management does not have compensating controls in place within the registrant’s internal control over financial reporting that allow them to determine the effectiveness of the controls over the process in an alternative manner.

A: Item 308 of Regulations S-K and S-B, 17 CFR 229.308(a)(3) and 228.308(a)(3), states that management’s annual report on internal control over financial reporting must include a statement as to whether or not internal control over financial reporting is effective. While the staff will allow the exceptions outlined in Questions 1, 2, and 3 above, the disclosure requirement does not permit management to issue a report on internal control over financial reporting with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in their report that internal control over financial reporting is not effective. Further, management is precluded from concluding that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the internal control over financial reporting.

Question 20

Q: The Commission’s rules specify that management’s report must include disclosure of any material weakness in the registrant’s internal control over financial reporting identified by management in the course of its evaluation. Must management’s report specifically use the term “material weakness”?

A: While the Commission’s rule does not require management to use any specific language in their report, the staff would generally expect that, in order for management to provide full disclosure relating to any material weakness identified by management, management would use the term “material weakness” in their disclosures.

Question 21

Q: If a Form 10-K or Form 10-KSB is incorporated into a 1933 Securities Act filing, is a consent required related to the auditor’s report on management’s assessment of internal control over financial reporting?

A: Yes. Securities Act Rule 436 (17 CFR 230.436) requires filings under the 1933 Act to include a consent for all accountants’ reports included or incorporated into that filing. This includes a consent for the auditor’s report on management’s assessment of internal control over financial reporting as well as the auditor’s report on the financial statements. A new consent for the auditor’s report on management’s assessment of internal control over financial reporting is required in an amendment to the registration statement (a) whenever a change, other than typographical is made to the audited annual financial statements and (b) when facts are discovered that may impact the auditor’s report on management’s assessment of internal control over financial reporting.

Question 22

Q: Is an annual report to shareholders that meets the requirements of Exchange Act Rules 14a-3(b) or 14c-3(a) required to include management’s report on internal control over financial reporting and the auditor’s report on management’s assessment of internal control over financial reporting?

A: We believe that the intent of Section 404 of the Sarbanes-Oxley Act and the Commission’s rules is that a registrant’s audited financial statements with an accompanying audit report that are contained in or accompany a proxy statement or consent solicitation statement also be accompanied by management’s report on internal control over financial reporting and the auditor’s report on management’s assessment of internal control over financial reporting. We intend to recommend to the Commission that amendments be made to Rules 14a-3 and 14c-3(a) and Item 13 of Schedule 14A to include such a requirement. In the interim, we encourage issuers to include both management’s report on internal control over financial reporting and the auditor’s report on management’s assessment of internal control over financial reporting in the annual report to shareholders when their audited financial statements are included. If management states in their report that internal control over financial reporting is ineffective or the auditor’s report takes any form other than an unqualified opinion and these reports are not included in the annual report to shareholders, our view is that an issuer would have to consider whether the annual report to shareholders contained a material omission that made the disclosures in the annual report misleading.

Question 23

Q: The Commission’s rules implementing Section 404, announced in Release No. 34-47986, require management to perform an assessment of internal control over financial reporting which includes the “preparation of financial statements for external purposes in accordance with generally accepted accounting principles.” Does management’s assessment under the Commission’s rule specifically require management to assess internal control over financial reporting of required supplementary information? Supplementary information includes the financial statement schedules required by Regulation S-X as well as any supplementary disclosures required by the FASB. One of the most common examples of such supplementary information is certain disclosures required by the FASB Standard No. 69, Disclosures about Oil and Gas Producing Activities.

A: Adequate internal controls over the preparation of supplementary information are required and therefore should be in place and assessed regularly by management. The Commission’s rules in Release No. 34-47986 did not specifically address whether the supplementary information should be included in management’s assessment of internal control over financial reporting under Section 404. A question has been raised as to whether the supplementary information included in the financial statements should be encompassed in the scope of management’s report on their assessment of internal control over financial reporting.

The Commission staff is considering this question for possible rule making. Additionally, the Commission staff is evaluating broader issues relating to oil and gas disclosures and will include in its evaluation whether rulemaking in this area may be appropriate. Should there be any proposed changes to the current requirements in this area, they will be subject to the Commission’s standard rulemaking procedures, including a public notice and comment period in advance of rulemaking. As a result, internal control over the preparation of this supplementary information need not be encompassed in management’s assessment of internal control over financial reporting until such time that the Commission has completed its evaluation of this area and issues new rules addressing such requirements.

Until then, registrants are reminded that they must fulfill their responsibilities under current requirements including Section 13(b)(2) of the Exchange Act and Exchange Act Rules 13a-14, 13a-15, 15d-14, and 15d-15.


1 On October 6, 2004, changes were made to clarify the answer to Question 3 (see footnote 2 of this document and a cross reference added to Question 3 to reference the answer to Question 9), to describe a Type 2 SAS 70 report (see footnote 3 of this document) and to address new frequently asked questions (see Questions 19 through 23 of this document).

2 The staff intends the term business to include those acquisitions that would constitute a business based upon the facts and circumstances as outlined in Article 11-01(d) of Regulation S-X. An acquisition may not meet the definition of a business in EITF 98-3, Determining Whether a Nonmonetary Transaction Involves Receipt of Productive Assets or of a Business, and would not be accounted for under SFAS No. 141, Business Combinations, but nevertheless may be a business under the definition in Article 11 used for SEC reporting purposes. This guidance applies irrespective of whether the acquisition is significant under Rule 1-02(w) of Regulation S-X.

3 AU sec 324 defines a report on controls placed in operation and test of operating effectiveness, commonly referred to as a “Type 2 SAS 70 report”. This report is a service auditor's report on a service organization's description of the controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.