U.S. Securities and Exchange Commission

Speech by SEC Staff:
Risk Based Evaluations of ICFR


Michael Gaynor

Professional Accounting Fellow, Office of the Chief Accountant
U.S. Securities and Exchange Commission

2006 AICPA National Conference on Current SEC and PCAOB Developments
Washington, D.C.
December 11, 2006

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.

Recognizing that reliable financial reporting is best achieved when provided by a sound system of internal controls, Section 404(a) of the Sarbanes-Oxley Act directed the Commission to prescribe rules that would result in management providing investors a report on the company's internal control. Notwithstanding that this year end will be the third time many accelerated filers have provided investors with this report — much attention and discussion — both within and outside the profession — persists about how well these rules have been implemented in practice. As you might expect, the staff in the Office of the Chief Accountant and other divisions and offices of the Commission have been busy analyzing feedback from issuers, investors, auditors and others on what is and is not working. Since this conference last year, a number of important 404 related events have provided the staff with useful information. These include the issuance of reports from the SEC's Advisory Committee on Smaller Public Companies and the US Government Accountability Office. We also saw the issuance of additional guidance from COSO, and we received many comment letters and much feedback from a public roundtable on second year experiences with 404.

In July, the Commission issued a concept release soliciting feedback on the nature and extent of guidance that would help management more effectively and efficiently implement our rules. Approximately 170 comment letters were received in response — the vast majority of which expressed support for the development of scalable, principles-based guidance that emphasizes the role of management judgment in tailoring an evaluation to a company's individual circumstances. Commenters also re-affirmed the appropriateness of the staff's previous guidance that a top-down, risk-based evaluation is the best approach for achieving both effectiveness and efficiency. Because on Wednesday of this week, the Commission plans to vote on whether to propose interpretive guidance for management, I will not go further into the concept release or the contents of the proposed interpretive guidance. Instead, I plan to share with you a few ideas related to a risk-based evaluation approach.

For those of you who haven't heard the statistics, the percentage of companies reporting material weaknesses has decreased from approximately 16% in year one to approximately 9% in year two. The staff is encouraged by this trend — as it should indicate improvement in the overall reliability of financial reporting. However, the reason I highlight the material weakness disclosures — is because the information they contain underscores the importance of a risk-based evaluation approach. In many respects, the financial reporting areas highlighted in the disclosures are the usual suspects when it comes to restatements and audit adjustments — areas such as revenue recognition, income taxes, significant liabilities and estimates, valuation reserve accounts, etc — areas for which the judgment of professional accountants — preparers and auditors alike — would ordinarily involve an assessment of higher risk.

The disclosures often indicate that appropriately designed controls were not in place — particularly when accounting estimates or complex accounting standards were involved. Many times the disclosures would lead one to believe that the control deficiencies came to light — not from management's evaluation process, but rather, they were identified as a result of audit adjustments or restatements. This may suggest that, in some cases, the effectiveness of the evaluation process could be improved — and that this improvement may involve ensuring that adequate diligence is brought to bear in high-risk areas — or said differently — a risk-based evaluation approach. In such an approach, it may be important to recognize that while understanding the requirements of GAAP is the starting point, an effective evaluation will require careful analysis and informed judgment about whether the design and operation of controls are adequate to prevent or detect material misstatements. While this may sound simple, it would appear from the disclosures we've seen, and the comment letters we've analyzed, that it is, in fact, not so simple. As such, unless you have unlimited resources, ensuring that evaluations are properly risk focused — and not tedious compliance exercises — may be the best way to achieve the goal of Section 404 — which is reliable financial reporting for investors.

Because many of the material weaknesses we see relate to significant accounting estimates, I wanted to highlight a few matters to consider in evaluating controls related to this area. It has been long recognized in the profession that accounts consisting of amounts derived from accounting estimates pose greater risks to reliable financial reporting, than do accounts consisting of relatively routine, factual data. They often involve management judgments or assumptions to determine account balances in the absence of a precise means of measurement.

In evaluating the adequacy of their internal controls, companies may find useful guidance in SAS No. 57 on accounting estimates and SAS No. 101 on fair value estimates, as they describe the types of internal control that may be relevant to reducing the risk of a material misstatement. The controls described in these SASs include many useful examples, including matters such as:

  • whether management's "tone-at-the-top" communicates the need for proper accounting estimates throughout the organization,
  • whether adequate controls exist over the accumulation of relevant, sufficient, and reliable data on which to base an accounting estimate, and
  • whether controls exist to ensure that the accounting estimates are prepared by appropriately qualified and competent personnel — including, when applicable, whether controls exist over the selection of appropriately qualified third-party specialists.

Companies may find that a well controlled and documented process for formulating accounting estimates will not only lead to improvements in the quality and reliability of estimates themselves, but will also be useful in facilitating the effective and efficient oversight of the company's financial reporting and the auditing of the estimates by the external auditor.

Some have suggested that focus on controls in these areas is futile because they are often subject to the risk of management override — but this risk does not undercut the importance of controls in these areas or the benefits of 404 generally. Rather the risk of improper management override — and other inherent limitations of internal control — are known aspects of the financial reporting process. And, importantly, because they are known, management can implement controls to reduce, though not eliminate, the risk of a material misstatement not being prevented or detected.

Which brings me to the last topic I want to discuss — the consideration of the risk of fraud in an evaluation of internal control over financial reporting. Some have observed that even though fraud — and its impact on financial reporting — may have led to Section 404 in the first place, few material weaknesses appear to involve controls implemented to address fraud risks. While this may be because Section 404 has, as intended, led companies to

  • conduct robust fraud risk assessments and
  • implement controls to address those risks,

I thought, nevertheless, I might take this opportunity to highlight a few sources of guidance that companies may find useful and to remind everyone that — in a risk based evaluation process — the risk of fraud would ordinarily get its due consideration.

Given the large number of issuers that use the COSO framework, I wanted to first highlight COSO's recently issued guidance for smaller public companies. For those of you not familiar with this guidance — there is a free executive summary on the COSO website — which you may find provides useful guidance — not the least of which is an articulation of 20 principles that further clarify the objectives of the five COSO components. One of these principles is that management's risk assessments explicitly include the potential for material misstatement due to fraud. The guidance explains the considerations that are relevant to these risk assessments and further explains that the implementation of control activities should be integrated with these risk assessments. The staff believes that considerations like these would be important to a risk-based evaluation approach — regardless of the framework used or the company's size. And to underscore their importance, the release accompanying the Commission's rules implementing 404 specifically mentioned that the controls related to the prevention, identification and detection of fraud were subject to the evaluation. And just to be clear, I am not referring to the misappropriation of paper clips from the supply room, but rather those risks that could lead to a material misstatement of the financial statements.

In addition to COSO, there are other sources of management guidance for considering fraud. An example that companies may find useful is a November 2001 document commissioned by the Fraud Task Force of the AICPA's Auditing Standards Board and issued by a group of seven professional associations — which included FEI, IMA and others. This document can be found on the AICPA website and gives direction on how companies can address fraud risks. To effectively prevent or deter fraud, this document suggests that an entity should have an appropriate oversight function in place. Moreover, while recognizing that an entity's management has both the responsibility and the means to implement measures to reduce fraud, this guidance suggests that the audit committee evaluate management's efforts in this area. This is intended not only to help make sure that senior management fulfills its responsibility, but also to serve as a deterrent to senior management engaging in fraudulent activity. Other sources of useful guidance exist as well, including the Achilles' Heel document issued by the AICPA in 2005 — which provides guidance on how audit committees can address the risk of fraud arising from management override of internal control. And by considering the guidance in these and other documents, companies may be able to improve the risk focus of their evaluations and thereby improve their effectiveness.

In closing, I wanted to remind everyone that compliance with our rules related to internal control reporting requires the exercise of significant professional judgment about the sources and likelihood of a misstatement, its potential materiality and whether controls are designed adequately. An effective and efficient evaluation approach is one that critically assesses these matters and implements evaluation procedures that are appropriately responsive. Over time, I firmly believe that issuers will be successful in refining the efficiency and effectiveness of their evaluations. And in the coming weeks you will likely see more guidance on internal control evaluations from the Commission and others — but I suspect none will eliminate the role of sound professional judgment. That is the end of my remarks. Thank you for your time.


Modified: 12/14/2006