Division of Corporation Finance
Staff Statement on Management's Report on Internal Control Over Financial Reporting
This statement provides the staff's views on certain issues raised in the implementation of Section 404 of the Sarbanes-Oxley Act of 2002.[1] For further information, please contact Jonathan Ingram in the Office of Chief Counsel in the Division of Corporation Finance at (202) 551-3500 or Esmeralda Rodriguez or Nancy Salisbury in the Office of the Chief Accountant at (202) 551-5300.
A. Feedback Received on the Implementation of the Internal Control Reporting Provisions
Section 404 of the Sarbanes-Oxley Act of 2002[2] directed the Commission to adopt rules requiring each reporting company, other than a registered investment company, to include in its annual report a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting, as well as an assessment of the effectiveness of those internal controls. Section 404, and the rules and standard promulgated relating to the Act, also specifies that each registered public accounting firm that prepares or issues an audit report on a company's annual financial statements must attest to, and report on, management's assessment of internal control over the financial reporting in accordance with standards set by the Public Company Accounting Oversight Board (PCAOB).
Accelerated filers[3] were required to comply with the internal control reporting provisions for the first time in connection with their fiscal years ending on or after November 15, 2004. The Section 404 reporting requirements represent a major change for management and auditors and, during and after this initial year of implementation, the Commission has actively sought input to assess the impact of these new reporting requirements.
On April 13, 2005, the Commission hosted an all day roundtable discussion about the implementation of the internal control reporting provisions. A broad range of interested persons, including representatives of public companies (domestic and foreign), auditors, investors, members of the legal community, and the board members of the PCAOB, participated in the discussion. The Commission also invited written submissions from the public regarding Section 404.[4] The staff wishes to express its appreciation for the efforts expended by so many in providing their views and other information on this subject, which significantly contributed to the Commission's and staff's understanding of first year implementation.
The feedback made clear that companies have realized improvements to their internal controls as a result of implementing the requirements, and that the requirements have led to an improved focus on internal controls throughout the organization.[5] However, the feedback also identified implementation areas that need further attention or clarification to reduce any unnecessary costs and other burdens without jeopardizing the benefits of the new requirements.[6]
The staff is providing this guidance to help address those areas. In general, this statement addresses the following areas:
An overarching principle of this guidance is the responsibility of management to determine the form and level of controls appropriate for each organization and to scope their assessment and testing accordingly. One size does not fit all and control effectiveness is affected by many factors.
B. The Purpose of Internal Control Over Financial Reporting
An overall purpose of internal control over financial reporting is to foster the preparation of reliable financial statements. Reliable financial statements must be materially accurate. Therefore, a central purpose of the assessment of internal control over financial reporting is to identify material weaknesses that have, as indicated by their very definition, more than a remote likelihood of leading to a material misstatement in the financial statements. While identifying control deficiencies and significant deficiencies represents an important component of management's assessment, the overall focus of internal control reporting should be on those items that could result in material errors in the financial statements.[7]
The establishment and maintenance of internal accounting controls has been required of public companies since the enactment of the Foreign Corrupt Practices Act of 1977 (FCPA).[8] The significance of Section 404 of the Act is that it re-emphasizes the important relationship between the maintenance of effective internal control over financial reporting and the preparation of reliable financial statements. Effective internal control over financial reporting can also help companies deter fraudulent financial accounting practices or detect them earlier and perhaps reduce their adverse effects. However, due to their inherent limitations, internal controls cannot prevent or detect every instance of fraud. Controls are susceptible to manipulation, especially in instances of fraud caused by the collusion of two or more people including senior management. Nonetheless, that limitation does not undercut the need for Section 404 and the improvements it has engendered and will continue to engender.
In adopting its rules implementing Section 404, the Commission expressly declined to prescribe the scope of assessment or the amount of testing and documentation required by management.[9] The scope and process of the assessment should be reasonable, and the assessment (including testing) should be supported by a reasonable level of evidential matter. Each company should also use informed judgment in documenting and testing its controls to fit its own operations, risks and procedures. Management should use its own experience and informed judgment in designing an assessment process that fits the needs of that company.[10] Management should not allow the goal and purpose of the internal control over financial reporting provisions - the production of reliable financial statements - to be overshadowed by the process.
C. Reasonable Assurance, Risk-based Approach and Scope of Testing and Assessment
In the feedback received, many questions were raised about the judgment and processes used to determine the appropriate level of identification and testing of controls necessary in order to achieve reasonable assurance regarding the reliability of the financial statements.
The Concept of Reasonable Assurance
Management is required to assess whether the company's internal control over financial reporting is effective in providing reasonable assurance regarding the reliability of financial reporting.[11] Management is not required by Section 404 of the Act to assess other internal controls. Further, while "reasonable assurance" is a high level of assurance, it does not mean absolute assurance. As noted earlier, internal control over financial reporting cannot prevent or detect all errors, misstatements, or fraud. Rather, the "reasonable assurance" referred to in the Commission's implementing rules relates back to similar language in the FCPA. Exchange Act Section 13(b)(7) defines "reasonable assurance" and "reasonable detail" as "such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs."[12] The Commission has long held that "reasonableness" is not an "absolute standard of exactitude for corporate records."[13]
In addition, the staff recognizes that while "reasonableness" is an objective standard, there is a range of judgments that an issuer might make as to what is "reasonable" in implementing Section 404 and the Commission's rules. Thus, the terms "reasonable," "reasonably" and "reasonableness" in the context of Section 404 implementation do not imply a single conclusion or methodology, but encompass the full range of potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions. Different conduct, conclusions and methodologies by different issuers in a given situation do not by themselves mean that implementation by any of those issuers is unreasonable. This also suggests that registered public accounting firms should recognize that there is a zone of reasonable conduct by issuers that should be recognized as acceptable in the implementation of Section 404. While that zone is not unlimited, the staff expects that it will be rare when there is only one acceptable choice in implementing Section 404 in any given situation.
Top-Down / Risk-Based Assessments
The feedback indicated that one reason why too many controls and processes were identified, documented and tested was that in many cases neither a top-down nor a risk-based approach was effectively used. Rather, the assessment became a mechanistic, check-the-box exercise. This was not the goal of the Section 404 rules, and a better way to view the exercise emphasizes the particular risks of individual companies. Indeed, an assessment of internal control that is too formulaic and/or so detailed as to not allow for a focus on risk may not fulfill the underlying purpose of the requirements. The desired approach should devote resources to the areas of greatest risk and avoid giving all significant accounts and related controls equal attention without regard to risk.
The assessment of internal control over financial reporting will be more effective if it focuses on controls related to those processes and classes of transactions for financial statement accounts and disclosures that are most likely to have a material impact on the company's financial statements. Employing such a top-down approach requires that management apply in a reasonable manner its cumulative knowledge, experience and judgment to identify the areas of the financial statements that present significant risk that the financial statements could be materially misstated and then proceed to identify relevant controls and design appropriate procedures for documentation and testing of those controls. For instance, the application of judgment by management and the auditor will typically impact the nature, extent and timing of control testing such that the level of testing performed for a low risk account will likely be different than it will be for a high risk account. In performing these steps, management and auditors should keep the "reasonable assurance" standard in mind.
Scope of Assessment
An issue frequently cited in the comments concerned the determination of the appropriate scope of management's assessment. Many felt that overly conservative interpretations of the applicable requirements and a hesitancy by the independent auditor to use professional judgment in evaluating management's assessment resulted in many cases in too many controls being identified, documented and tested.
As previously discussed, the staff believes that management should use a top-down, risk-based approach in determining significant accounts and related significant processes and relevant assertions. The natural result of such an approach is that management would devote greater attention and resources to the areas of greater risk.
When identifying significant accounts and related significant processes in order to determine the scope of its assessment, management generally will consider both qualitative and quantitative factors. Qualitative factors include the risk associated with the various accounts and their related processes, as discussed previously. In addition to considering qualitative factors, the staff understands that management generally establishes quantitative thresholds to be used in identifying significant accounts subject to the scope of internal control testing. The use of a percentage as a minimum threshold may provide a reasonable starting point for evaluating the significance of an account or process; however, judgment, including a review of qualitative factors, must be exercised to determine if amounts above or below that threshold must be evaluated.
Once the significant accounts and their related significant processes are identified, management must focus on the controls to be tested that are relevant to those processes. We believe that some of the large numbers of controls identified for testing during the first year of implementation may, in part, represent individual steps within what may constitute a broader control. In performing future assessments, management may wish to step back from focusing on the detail to consider whether combinations of controls previously identified individually constitute the actual control that contributes to financial statement assurance. Rather than identifying, documenting, and testing each individual step involved in a broader control definition, management's focus should be on the objective of controls, and testing the effectiveness of the combination of detailed steps that meet the broader control objective. Management may determine that not every individual step comprising a control is required to be tested in order to determine that the overall control is operating effectively.
The staff also expects that through the natural learning process management will achieve efficiencies as they complete future assessments of internal control. For example, as discussed above, management's knowledge of the prior year's assessment results will impact its current year risk-based analysis of the significant accounts and the related required documentation and testing that may be necessary. Management may determine that certain controls require more extensive testing, while other controls require little testing in a given year. Additionally, in reaching its conclusion of reasonable assurance, management may find it appropriate to adjust the nature, extent and timing of testing from year to year - in some years delving deeply into selected internal control areas while performing less extensive testing in other areas and changing that focus from year to year.
The staff believes that efficient and effective assessments depend on internal audit and other company personnel and external auditors who are "on the ground" closest to the assessment. It is at that level where the unique circumstances of any particular situation can best be evaluated. It is thus critically important that company and auditor personnel have the requisite skills, training, and judgment to make reasonable assessments. The staff believes that the ability to make such assessments in a consistent and sound manner will improve with experience and that it is the exercise of judgment which makes the audit a professional responsibility.[14]
Financial Periods Used to Assess Account Significance versus Periods Used to Assess Significance of a Deficiency
When management uses a top-down approach that begins with the financial statements, it will necessarily use qualitative and quantitative assessments to identify significant accounts and plan the scope of management's testing. Companies generally should determine the accounts included within their Section 404 assessment by focusing on annual and company measures rather than interim or segment measures.[15] If management identifies a deficiency when it tests a control, however, at that point it must measure the significance of the deficiency by using both quarterly and annual measures, also considering segment measures where applicable.
Timing of Management's Testing
The feedback also indicated that some auditors have been unwilling to accept management's testing and other procedures performed during the year as evidence that management's assessment of the effectiveness of internal control over financial reporting is fairly stated.[16] While Section 404 of the Act and the Commission's rules require that management's and auditor's reports must be "as of" year-end, this does not mean that all testing must be done within the period immediately surrounding the year-end close. In fact, we believe that effective testing and assessment may, and in most cases preferably would, be accomplished over a longer period of time. In its adopting release, the Commission expressly noted that testing may be done over a period of time.[17]
Management's daily interaction with its internal control system provides it with a broad array of opportunities to evaluate its controls during the year and, in many cases, to use that work as its basis, at least in part, to reasonably conclude that its controls are in place and operating effectively as of the end of its fiscal year. For example, management might determine that controls operate effectively through direct and ongoing monitoring of the operation of controls. This might be accomplished through regular management and supervisory activities, monitoring adherence to policies and procedures, and other actions. As a result, management may be able to test a substantial number of controls at a point in time prior to its fiscal year-end, and determine through its direct and ongoing monitoring of the operation of the controls that they also function effectively as of the fiscal year-end date, without performing further detailed testing.
D. Evaluating Internal Control Deficiencies
If control deficiencies are identified, an important part of the assessment of internal control over financial reporting is the consideration of the significance of those deficiencies and whether the risk is mitigated by compensating controls. As with determining the scope of the assessment, management must exercise judgment in a reasonable manner in the evaluation of deficiencies in internal control over financial reporting, and such evaluations may appropriately consider both qualitative and quantitative analyses. Among other things, the qualitative analysis should factor in the nature of the deficiency, its cause, the relevant financial statement assertion the control was designed to support, its effect on the broader control environment and whether other compensating controls are effective.
One particular area brought to the staff's attention involved financial statement restatements due to errors. Neither Section 404 nor the Commission's implementing rules require that a material weakness in internal control over financial reporting must be found to exist in every case of restatement resulting from an error. Rather, both management and the external auditor should use their judgment in assessing the reasons why a restatement was necessary and whether the need for restatement resulted from a material weakness in controls. Such an evaluation should be based on all the facts and circumstances, including the probability of occurrence in light of the assessed effectiveness of the company's internal control, keeping in mind that internal control over financial reporting is defined as operating at the level of "reasonable assurance."
E. Disclosures about Material Weaknesses
A number of companies have reported material weaknesses in their internal control over financial reporting in this first year of implementation. When a company identifies a material weakness, and such material weakness has not been remediated prior to its fiscal year-end, it must conclude that its internal control over financial reporting is ineffective. The Commission's rule implementing Section 404 was thus intended to bring information about material weaknesses in internal control over financial reporting into public view. The staff believes that, as a result, companies should consider including in their disclosures:
Disclosure of the existence of a material weakness is important, but there is other information that also may be material and necessary for an overall picture that is not misleading.[18] There are many different types of material weaknesses and many different factors that may be important to the assessment of the potential effect of any particular material weakness. We received feedback suggesting that some companies believe that they are not permitted to distinguish among reported material weaknesses.[19] While management is required to conclude and state in its report that internal control over financial reporting is ineffective when there is one or more material weakness, companies may, and are strongly encouraged to, provide disclosure that allows investors to assess the potential impact of each particular material weakness. The disclosure will likely be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on internal control over financial reporting from those material weaknesses that do not. The goal underlying all disclosure in this area is to provide increased investor information so that an investor who chooses to do so can treat the disclosure of the existence of a material weakness as the starting point for analysis rather than the only point available.
F. Information Technology Issues
Information Technology Internal Controls
The feedback revealed different views that may have developed as to the appropriate extent of required documentation and testing necessary for information technology, or IT, internal controls, particularly with respect to general IT controls (e.g. controls over program development, program changes, computer operations, and access to programs and data). While the extent of documentation and testing requires the use of judgment, the staff expects management to document and test relevant general IT controls in addition to appropriate application-level controls that are designed to ensure that financial information generated from a company's application systems can reasonably be relied upon. For purposes of the Section 404 assessment, the staff would not expect testing of general IT controls that do not pertain to financial reporting. A company's finance and IT departments should interact closely to ensure that the proper IT controls are identified.
We have also been asked whether those companies that decide to use proprietary IT frameworks[20] as a guide in conducting the IT portion of their overall COSO framework assessment are required to apply all of the components related to general IT controls that may be included in such frameworks. While the use of a separate, specific IT framework is not required, the staff understands that management of some companies has found certain parts of available frameworks to be useful. In establishing the scope of its IT assessment, management should apply reasonable judgment and consider how the IT systems impact internal control over financial reporting. Because Section 404 is not a one-size-fits-all approach to assessing controls, it is not possible for us to provide a list of the exact general IT controls that should be included in an assessment for Section 404 purposes. However, the staff does not believe it necessary for purposes of Section 404 for management to assess all general IT controls, and especially not those that primarily pertain to the efficiency or effectiveness of the operations of the organization but are not relevant to financial reporting.
Information Technology System Implementations and Upgrades
We received considerable feedback regarding the impact of the Section 404 assessment on the implementation of new IT systems and upgrades to existing systems. The feedback indicated that some companies have delayed installations of new IT systems or upgrades due to time limitations for installing, testing, and remediating control deficiencies before the company's fiscal year-end.
The staff understands the importance of new IT systems and upgrades and that they are often introduced to improve internal control. Registrants should continue to make appropriate improvements in IT systems. Of course, and notwithstanding the internal control reporting requirements, companies are required to prepare reliable financial statements following the implementation of the new information systems. In that sense, the goals of Section 404 align with management's existing responsibilities when undertaking an IT conversion or implementation project.
Some of the feedback requested that management be allowed to exclude new IT systems and upgrades implemented in the later part of a fiscal year from the scope of management's assessment for that year, suggesting an analogy be made to new business acquisitions and the guidance issued by the staff in Question 3 of its Frequently Asked Questions.[21] However, with respect to system changes, management can plan, design, and perform preliminary assessments of internal controls in advance of system implementations or upgrades. As noted elsewhere in this statement, not all testing must occur at year end. As a result, the staff does not believe it is appropriate to provide an exclusion by management of new IT systems and upgrades from the scope of its assessment of internal control over financial reporting.
G. Communications with Auditors
Feedback from both auditors and registrants revealed that one potential unintended consequence of implementing Section 404 and Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, has been a chilling effect in the level and extent of communications between auditors and management regarding accounting and financial reporting issues. Historically, the external auditor may have provided management with advice, based on the auditor's knowledge, experience and judgment in accounting, auditing, and financial reporting matters. Since introduction of the Act and the new auditing requirements, the staff understands that management at times has hesitated to ask auditors technical accounting, auditing, and financial reporting questions or to provide auditors with early drafts of the financial statements (which, due to their draft nature, may contain errors), because of a concern that these actions could result in the unwarranted identification of internal control deficiencies by the auditors. Additionally, the staff understands that auditors also have a heightened concern that providing management with advice might impair the auditor's independence.
The Commission's auditor independence requirements with respect to services provided by auditors are largely predicated on four basic principles.[22] In addition to these four basic principles, the Commission's rules also specifically identified nine categories of prohibited services.[23] The auditor's discussing and exchanging views with management does not in itself violate the independence principles, nor does it fall into one of those nine prohibited categories of services. The staff supports a strong audit profession where a hallmark of its professionalism is to exercise sound judgment in both the audit and in ongoing dialogue with management.
The staff recognizes that questions arise in certain circumstances as to the proper application of accounting standards. Investors benefit when auditors and management engage in dialogue, including regarding new accounting standards and the appropriate accounting treatment for complex or unusual transactions. The staff believes that as long as management, and not the auditor, makes the final determination as to the accounting used, including determination of estimates and assumptions, and the auditor does not design or implement accounting policies, such auditor involvement is appropriate and is not of itself indicative of a deficiency in the registrant's internal control over financial reporting. Further, timely dialogue between management and the auditor may positively impact audit quality and the quality of financial reporting.
The staff believes that management should not be discouraged from providing its auditors with draft financial statements (including drafts that may be incomplete in certain respects). Providing draft financial statements promotes communication between the auditor and management, and all parties should recognize the draft nature of the information. In the staff's view, errors in draft financial statements in and of themselves should not be the basis for the determination by a company or an auditor of a deficiency in internal control over financial reporting. Rather, as with all cases of identifying deficiencies, management and auditors should determine whether a deficiency exists in the processes of financial statement preparation. That identification is essentially independent of whether an error exists in draft financial statements and who found it.
H. Small Business Issuers
Some have complained that the costs and burdens of assessment and reporting requirements on internal control over financial reporting may fall disproportionately on smaller businesses. The staff will continue to assess the effects of the internal control reporting rules on smaller public companies who have not yet been required to comply with the Act's provisions. To do so, the Commission established the Securities and Exchange Commission Advisory Committee on Smaller Public Companies, which will consider, among other things, the effect of the internal control provisions on smaller public companies. Also, at the request of the Commission staff, a task force of COSO has been established to develop additional guidance on applying COSO's framework for internal control over financial reporting to smaller companies.
I. Foreign Private Issuers
The staff is also continuing to assess the effects of the internal control reporting requirements on foreign private issuers, who are not yet required to comply with Section 404, although a number have done so. Representatives of several foreign private issuers participated in the Commission's roundtable discussion, and a number of other foreign private issuers and other interested parties have provided feedback in response to the Commission's request.
The staff will continue to evaluate the implementation of Section 404. There is a desire for the sharing of best practices so that companies and auditors can benefit from the substantial learning that has taken place from the first year of implementation, and we strongly encourage those efforts. The staff desires that the benefits are achieved in a sensible and cost-effective manner. We will continue to consider whether there are other ways we can make the process more efficient and effective while preserving the benefits.[24]