U.S. Securities & Exchange Commission

Speech by SEC Staff:
Management Reporting on Internal Control over Financial Reporting


Zoe-Vonna Palmrose

Deputy Chief Accountant for Professional Practice
U.S. Securities and Exchange Commission

SEC Speaks
Washington, D.C.
February 9, 2007

One of the important activities of our Professional Practice Group has been developing the Commission's proposed guidance for management reporting on internal control over financial reporting, which is what I decided to focus my remarks on this afternoon.

First, I will make some overarching comments. Then, I will talk about how a company might approach implementing our proposed management guidance. Finally, I will address some of the smaller company concerns we are hearing.

Of course, I do need to remind you that the views I express here today are solely my own. They do not necessarily reflect the views of the Securities and Exchange Commission, the Commissioners, or of any other members of the Commission's staff.

The importance of having adequate internal controls, which provide reasonable assurance regarding the reliability of financial reporting, is a given. This point was reinforced in 1977, under the Foreign Corrupt Practices Act, for companies of all sizes. The Sarbanes-Oxley Act of 2002 (SOX) Section 404(a) essentially adds a requirement for annual disclosures to investors about the effectiveness of a company's internal controls.

Under the SEC's implementation rules, management discloses its assessment, which is its conclusion on whether the company's internal control over financial reporting (ICFR) is effective, at fiscal year end. Management cannot disclose that ICFR is effective when material weaknesses exist, and the nature and extent of such material weaknesses then must be disclosed, too.

Management needs to have a reasonable basis for its ICFR disclosure. In December, the Commission proposed guidance to assist management in implementing and conducting an evaluation process to provide it with that basis. An overarching objective of the proposed guidance is to rationalize the planning and conduct of the ICFR evaluation process for all companies, regardless of size.

Evaluating the effectiveness of internal control over financial reporting is all about risk and materiality. The proposed guidance allows companies to focus their efforts on those areas that management has identified as posing the greatest risks of material misstatements in the financial statements not being prevented or detected on a timely basis. This is what investors care about, and what is important for achieving reliable financial reporting.

Still, the tough challenge is to get the right balance between reliable financial reporting and efficiency in achieving it. We have developed the proposed guidance with this important balance in mind. The proposed guidance offers an approach that is intended to allow companies of all sizes and complexities to efficiently and effectively complete their annual evaluations. Moreover, the proposed guidance actually empowers companies to do so, in part because it means that companies can look to SEC guidance, and not the auditing literature as interpreted by the Public Company Accounting Oversight Board (PCAOB) and audit firms, in determining whether management has conducted an adequate evaluation of ICFR.

The Commission's proposed guidance does not provide detailed instructions to management on how to approach its evaluation. In other words, it is not prescriptive. Judgments about risk and materiality are not always simple. But, an overly prescriptive standard has contributed to the struggles many have experienced in implementing 404, and it is one reason for both the SEC and PCAOB's December proposals. In addition, if the guidance were to prescribe something more detailed, we very likely could end up with evaluations more concerned with form than substance, and which are inefficient to implement, ineffective at detecting material weaknesses, or both.

So instead, the Commission's guidance allows management to exercise significant and appropriate judgment in planning and conducting an evaluation that is tailored to its company's individual facts and circumstances. Essentially, the proposed guidance recognizes that management and auditors can and will have different strategies for evaluating the effectiveness of ICFR. Each of these strategies can be both effective and efficient given their different purposes, and considering that management's and auditor's respective knowledge bases about a company's ICFR do differ. Unlike an external auditor, management is responsible for and involved with the company's ICFR on an ongoing basis and, as such, has a good deal of knowledge about it.

In addition to the proposed interpretive release on management guidance, in December the Commission also proposed rules that provide for a single audit opinion on ICFR, consistent with the PCAOB's exposure draft for a new standard to supersede Auditing Standard No. 2 (AS 2). The proposed revisions further clarify that auditors are not opining on the efficacy of the methods and procedures management uses to evaluate its internal controls.

This revision reinforces what we believe will be one of the beneficial effects of our proposed guidance, namely shifting discussions between auditors and management away from management's process to focus on management's disclosure on the effectiveness of ICFR. This is an important shift, which should refocus discussions on what matters most when considering the fairness of the ICFR disclosure — namely risk and materiality in terms of potential misstatements. Discussions of this nature will facilitate auditors in planning and performing an audit that is not only more effective, but also more efficient.

The Commission's proposed guidance also gives management significant flexibility in determining the nature and extent of documentation needed to support its assessment. The feedback we received indicates that allowing management to make determinations about the required support for its evaluation, based on individual facts and circumstances, is a fundamental change to the way in which some companies are currently complying with our rules.

Nonetheless, the proposed guidance recognizes that accelerated filers have invested considerable effort and resources in their existing evaluation processes. And believe it or not, many of these companies are now happy with the results. We are mindful of this. As such, the proposed guidance is not intended to disrupt or require unnecessary changes to the evaluation processes that accelerated filers have already implemented and that are working well. Still, we do expect that a number of accelerated filers will find that the proposed guidance offers an opportunity for overall improvements in the effectiveness and efficiency of their existing evaluation processes.

The proposed guidance describes one (but not the only) method to comply with the requirement for an annual evaluation of ICFR. Management can certainly follow other reasonable approaches. That said, one of the proposed rule amendments that accompanies the proposed guidance would be similar to a non-exclusive safe harbor. No advanced statement or disclosure would be required to use the rule. The rule simply states the Commission's conclusion that an evaluation using the principles in its guidance satisfies the legal requirements, i.e., satisfies management's obligation to conduct an evaluation under the Commission's rules and Section 404(a). In other words, by showing it has followed the principles in the Commission's guidance, management could demonstrate (and would be assured) that it has conducted the required evaluation.

The proposed guidance is organized around what I will characterize as a three-phase framework.

  • Phase 1 involves identifying the financial reporting risks and then the controls that adequately address these risks.
  • Phase 2 involves evaluating the operating effectiveness of the controls identified in phase 1, and determining the evidence needed to support the assessment, using evaluation procedures tailored to the risk assessment.
  • Phase 3 involves reporting on the effectiveness of ICFR, including disclosing any material weaknesses identified during the evaluation process.

Let me provide a few specifics on phases 1 and 2. In phase 1, management uses its knowledge and understanding of the business and how GAAP applies to the business, to consider the sources and potential likelihood of material misstatements in the financial statements. Here management considers what could go wrong. And then, management identifies the controls that adequately address these financial reporting risks.

Controls adequately address financial reporting risks if their design is such that there is not a reasonable possibility that a misstatement, which could result in material misstatement in the financial statements, will not be prevented or detected on a timely basis. Importantly, there is no requirement to identify all controls within a process for inclusion in management's evaluation or the documentation of that evaluation. We received significant feedback that companies, for various reasons, may have gotten carried away with this aspect of the evaluation, which resulted in an excessive number of controls being identified for testing (in phase 2) that were not important to achieving the objective of ICFR. Much of the discussion around key controls and the need to rationalize the number of controls being included in the assessments was due to inefficient approaches in this area.

In phase 2, management evaluates the operating effectiveness of the controls identified in phase 1. Here the determination of the nature and type of evidence needed to support an assessment of operating effectiveness should consider the materiality of the financial reporting element, its inherent risk of misstatement, and the risk that controls identified in phase 1 related to that element would fail to operate effectively to prevent or detect a material misstatement.

Since the nature and type of evidence needed to support an evaluation of operating effectiveness varies based on these risk and materiality considerations, the proposed guidance also provides some discussion of how evidence might differ with materiality and with the degree of risk. For example, in lower risk areas, on-going monitoring may provide sufficient evidence for the ICFR evaluation (and direct testing might not be necessary). However, we would expect in higher risk areas that the evidence gathered would include some amount of direct testing, and cover a reasonable period of time, including the fiscal year-end.

This illustrates that the proposed guidance is not a free pass for management to sit on their hands and do nothing, so companies should not misread our intentions. General guidelines are provided about what evaluation procedures would ordinarily involve in those areas that management has assessed as higher risk. Further, the guidance highlights areas of ICFR that ordinarily would be considered higher risk, including significant accounting estimates, critical accounting policies, related party transactions, fraud risks, and the like. The proposed guidance also provides discussion of documentation considerations for phase 2.

The proposed guidance is scalable in that smaller, less complex companies can adjust the procedures they use and the documentation they keep. For example, for smaller companies that have less complex internal control systems, the proposed guidance recognizes circumstances where management may be able to rely on its daily interactions, and may need to create only limited documentation specifically for the evaluation.

The guidance also includes a new definition of material weaknesses — that is different from what is currently in AS 2 and used in practice. The new definition should help facilitate more reasoned judgment in all company contexts, whether large or small. AS 2 defined a material weakness as "a significant deficiency, or combination of significant deficiencies, that result in a more than remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected." The proposed definition of material weakness, which is included in both the PCAOB proposal and ours, changes this threshold description by replacing "more than remote likelihood" with "reasonably possible."

Another proposed revision excludes significant deficiency from the definition, to reinforce that material weaknesses are the focus for both management and the auditor alike. Even though the PCAOB has said that these revisions reflect what they meant all along, the revisions still represent an important psychological point. We have heard too much about unduly conservative judgments on what constitutes material weaknesses, for scoping decisions by management and auditors. The revised definition should help mitigate this problem, without compromising the ultimate disclosures to investors.

However, even with these revisions, we realize that non-accelerated filers, who have not yet complied with our rules implementing SOX Section 404, feel a good deal of anxiety. They are overwhelmed by the stories of how burdensome the implementation of 404 has been for others. To borrow a phrase from a former Chief Accountant — they are experiencing the fear of anticipatory multiplication.

Our proposed guidance should help alleviate these fears and anxieties. Meeting the requirements under Section 404 need not be a drain on company resources, especially those of smaller companies. We all agree that adequate internal controls are important for all companies. Section 404 simply asks companies to disclose to investors information about the effectiveness of their internal controls. And, the auditor attestation provisions of SOX help make the disclosed information more credible and reliable.

I would also like to note that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its ICFR guidance for smaller companies in July 2006. Companies that choose COSO as the framework for their assessments should find this guidance helpful.

In addition, the Commission has tried to help non-accelerated filers by delaying implementation of 404 until guidance has achieved the right balance between reliability and efficiency. In a way, 404 has been "pilot tested" on accelerated filers. In this regard, in December 2006, the Commission also finalized a rule giving an additional extension to certain companies for compliance with the requirements of Section 404, to provide both management and auditors more time to consider and implement the new guidance to be issued by the Commission and the PCAOB.

Specifically, for non-accelerated filers, management's assessments on ICFR are now required for fiscal years ending on or after December 15, 2007. Further, the Commission allowed management to forgo the auditor attestation requirement for the first year. That is, the Commission bifurcated the initial reports by management and auditors by delaying the requirement for auditors' attestations under 404(b) for non-accelerated filers until the filing of their annual reports for fiscal years ending on or after December 15, 2008.

The intent of this staggered deferral is to enable management to establish a cost-effective evaluation process for its unique circumstances, before working in its auditor's reporting on ICFR in the second year. To avoid potential complications that might ensue from this bifurcation, the Commission decided that management reports on ICFR, in annual reports for 2007 by non-accelerated filers, will be deemed furnished rather than filed for purposes of Section 18 of the Exchange Act, unless the issuer specifically states otherwise.

We think that non-accelerated filers will be able to comply with these requirements, and if all goes well, they should have adequate time to do so. But the December 2006 rule also reflects that the Commission is sensitive to the timing issue, and it will be something that will be considered as we get further into the comment letter process.

Overall, these actions help emphasize that the Commission and its staff do indeed recognize the concerns of smaller, less complex companies. And importantly, our proposed management guidance responds to and should help mitigate these concerns.

The comment period on the Commission's proposed rules and guidance for management ends on February 26, 2007. We certainly hope that you will consider sending us your comments. We would very much appreciate hearing from you. We assure you that we are listening.

In closing, let me reiterate that the objective of the ICFR evaluation is to provide a basis for reliable and meaningful disclosures to investors about the control systems companies are currently required to have — not create unnecessary overhead burdens that squander shareholder resources and destroy market cap. If your review of the proposals leaves you with concerns that we have not been successful in this regard, please let us know what aspects of the guidance you believe we should revise and how.

Thank you very much.


Modified: 02/15/2007