Speech by SEC Staff:
Opening Remarks at the SEC Open Meeting
Professional Accounting Fellow, Office of the Chief Accountant
U.S. Securities and Exchange Commission
December 13, 2006
Thank you, Zoe-Vonna
To best achieve the shared goals of effectiveness and efficiency, the proposed guidance sets forth a top-down, risk based evaluation approach and addresses four key areas. The first area is the identification of risks to reliable financial reporting and the controls that management has implemented to address those risks. The proposed guidance directs management to begin its evaluation by identifying those areas of its financial reporting that are material to investors and then considering both the sources and potential likelihood of a material misstatement in the company's financial statements. These steps will require management to use its informed judgment and knowledge to critically evaluate what could lead to a material misstatement. To assist management in making these judgments, the proposed guidance provides a number of important factors to consider and explicitly directs management to consider the risks arising from fraud. Once financial reporting risks have been identified, management then evaluates whether it has implemented controls to adequately address those risks. When identifying controls, management may determine that the risk of a material misstatement is adequately addressed by a company-level control or perhaps a single or only a few controls within a process. In such case, management is not required to proceed further and identify additional controls. Rather, the proposed guidance explicitly states that management is not required to identify all controls within a process. We expect this will allow management to focus on only the most important controls, thereby promoting both the efficiency and effectiveness of the evaluation.
In evaluating the design of controls, if management concludes that there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner, controls would not be considered adequate. And in these cases, management must evaluate whether a material weakness exists that should be disclosed to investors.
Evaluation of Operating Effectiveness
The proposed guidance also requires management to gather and analyze evidence about the operation of its controls and prescribes an approach for doing so that considers both the risk of the financial reporting element and the risk of the controls themselves. This is intended to direct management's efforts towards those areas that pose the highest risk to reliable financial reporting - based on the company's individual facts and circumstances. While acknowledging that this evidence may come from many different sources and may be gathered in a variety of ways, the guidance directs management to align its methods and procedures for evaluating the operation of controls with its assessment of risks. And importantly, the guidance explicitly acknowledges that for some smaller companies, management's daily interaction with the business may provide it with an adequate basis for evaluating the operation of the controls and therefore significantly limit the need for additional testing. We believe this risk-based approach to evaluating evidence in support of the operation of controls, will be important to ensuring that companies of all sizes can implement our rules efficiently and, importantly, that the evaluations conducted pursuant to the guidance are effective at identifying material weaknesses that need to be disclosed to investors.
Next, I wanted to discuss the area of deficiency evaluation and disclosure. The proposed guidance directs management to assess whether any control deficiencies identified during the evaluation represent a material weakness in internal control over financial reporting. The guidance provides a framework for making these judgments and includes situations that are strong indicators that a material weakness exists. The staff believes that this guidance will improve the effectiveness of the implementation of our rules, by eliminating the current requirement that management look to PCAOB standards for reporting guidance. When management determines that a control deficiency represents a material weakness, it must disclose to investors that internal control over financial reporting is not effective and describe the material weakness in its annual internal control report. The proposed guidance also addresses the disclosure requirements in situations such as scope limitations, restatements and similar scenarios. Given the importance of the internal control reports in meeting the requirements of Section 404(a) of the Act and the importance to investors of the material weaknesses disclosures included therein, the staff believes that it is appropriate for Commission guidance to address these matters.
The fourth area I wanted to highlight is documentation requirements. The proposed guidance addresses the nature and extent of evidential matter, including documentation, management must maintain in support of its assessment. The proposed guidance establishes that reasonable documentation defining those controls that are the basis for management's assessment of effectiveness is an integral element of the evidential matter that companies must maintain. Additionally, supporting documentation would include the methods and procedures management utilized to gather and evaluate evidence and the basis for its conclusions about the effective operation of its controls. The proposed guidance does not prescribe a particular form for this documentation, but instead allows management to use its own judgment, in light of the size, nature, and complexity of the company, to determine the appropriate form and extent of documentation. We believe this guidance will effectively allow management to tailor the nature and extent of the evidence it maintains in support its assessment and will help ensure that management conducts an appropriately disciplined evaluation.
Amendment to Regulation S-X
Lastly, I wanted to highlight the amendments to Regulation S-X that we are proposing today. Over the past three years, we have received feedback that the form of the auditor's opinion may not have effectively communicated the auditor's responsibility in relation to management's evaluation process. Therefore, we are proposing that the Commission's rules regarding the requirements of the auditor attestation be revised to require that the auditor only express an opinion directly on the effectiveness internal control over financial reporting. We understand that in a forthcoming proposed auditing standard, the PCAOB will include a corresponding revision to the auditor attestation report to conform to this change.
As John and Conrad discussed, the key objectives of Section 404 of the Sarbanes-Oxley Act and the Commission's implementing rules were to foster more accurate financial reporting as well to provide investors with useful and important information about the adequacy of a company's internal controls. The interpretive guidance that we are recommending the Commission propose, we believe will assist management in meeting these objectives in a cost efficient manner, while preserving the intended investor protection benefits.
This concludes our prepared remarks. I will now turn it back to John.