Statement by SEC Staff:
SEC's Proposed Interpretive Guidance to Management for Section 404 of Sarbanes-Oxley Act
Deputy Chief Accountant
U.S. Securities and Exchange Commission
SEC Open Meeting
May 23, 2007
Thank you Conrad.
The Commission received over 200 comment letters on its proposed interpretive guidance and related rule changes. The majority of the comment letters expressed overall support for the principles-based nature of the Commission's interpretive guidance. Based on the support expressed, the staff determined that wholesale changes to the proposed guidance were not warranted. However, commenters provided invaluable feedback on areas in which the interpretive guidance could be clarified or improved.
The Commission's proposed interpretive guidance was centered around two broad principles. These principles have not changed in the guidance we are presenting today. The first principle is that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner. The second principle is that management's evaluation of evidence about the operation of its controls should be based on its assessment of risk. Under the guidance, management can align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the highest risks to reliable financial reporting (that is, whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas. By following these two principles, we believe companies of all sizes and complexities will be able to implement our rules effectively and efficiently.
While commenters expressed support for this principles-based approach, some requested that the proposal be revised to include additional guidance and illustrative examples in areas such as the identification of controls that address financial reporting risks, including IT general controls; the assessment of risk; and how risk impacts the nature, timing and extent of evidence needed to support the assessment. However, we believe additional specificity and examples in the areas requested would likely have the negative, unintended consequence of establishing "bright line" or "one-size fits all" evaluation approaches. We have seen that an overly prescriptive set of rules can lead to inefficiencies, and we want to avoid ending up with evaluations more concerned with form than substance and which are inefficient to implement, ineffective at detecting material weaknesses, or both. So, the guidance you are considering today maintains the view that effective and efficient evaluations require company management to make reasonable judgments that reflect each company's individual facts and circumstances.
Nonetheless, based on the comments received, we did make modifications to the proposed interpretive guidance in a number of areas. For example, we made revisions to better align it with the PCAOB's proposed auditing standard, to provide clarification on the role of entity-level controls, as well as on the nature of on-going monitoring activities in relation to management's evaluation, and to enhance the guidance on fraud risk considerations. I would like to briefly highlight the changes that we made in each of these areas as a result of the comment letter process.
Regarding alignment, as discussed at the open Commission meeting on April 4th, commenters expressed concern that confusion and inefficiencies may arise from differences between the Commission's proposed guidance for management's evaluation of ICFR and the PCAOB's proposed auditing standards. Commenters cited a lack of alignment in the terminology and definitions used, as well as differences in overall approaches. For example, some commenters, while supportive of our principles-based approach to the interpretive guidance, expressed concern that improvements in the efficiency of management's evaluation of ICFR would be limited by what they viewed as comparatively more prescriptive guidance for external auditors in the PCAOB's proposed auditing standards.
In response to the comment letters and the guidance provided by the Commission at the open meeting on April 4th, we have worked with the PCAOB staff to more closely align our respective documents. These revisions include aligning the definition of material weakness and the related guidance for evaluating deficiencies, including the indicators of a material weakness. We also considered differences and improved the alignment around guidance for evaluating whether controls adequately address financial reporting risks, the factors to consider when identifying financial reporting risks, and the factors for assessing the risk associated with individual financial reporting elements and controls. These represent areas of key judgment for both management and auditors in determining whether ICFR is effective and in determining the nature, timing and extent of evaluation and audit procedures.
Even so, some differences are expected to remain between our final interpretive guidance for management and the PCAOB's audit standard. These differences are not necessarily contradictions or misalignment — rather, they reflect the fact that management and the auditor have different roles and responsibilities with respect to evaluating and auditing ICFR. Management's daily involvement with its internal control system provides it with knowledge and information that may influence its judgments about how best to conduct the evaluation and the sufficiency of evidence it needs to assess ICFR effectiveness. Differences in the respective approaches are likely to exist because the auditor does not have the same information and understanding as management — and, because the auditor will integrate its tests of ICFR with the financial statement audit.
Role of Entity-Level Controls
Commenters requested further clarification of how entity-level controls can address financial reporting risks in a top-down, risk-based approach. Commenters also suggested that the guidance place more emphasis on entity-level controls given their pervasive impact on all other aspects of ICFR.
We revised the proposal to expand the discussion of entity-level controls and how they relate to financial reporting elements. This discussion further clarifies that some entity-level controls, such as controls within the control environment, have an important, but indirect, effect on the likelihood that a misstatement will be prevented or detected on a timely basis. Further, the revised guidance clarifies that some entity-level controls may be designed to identify possible breakdowns in lower-level controls, but not in a manner that would, by themselves, adequately address financial reporting risks. In these cases, management would identify the additional controls needed to adequately address financial reporting risks, such as those that operate at the transaction or account balance level. However, management would consider both the entity-level and transaction-level controls in designing the nature and extent of the evaluation procedures — including those for transaction-level controls.
We have also revised the guidance to further clarify that the controls management identifies should include the entity-level and pervasive elements of its ICFR that are necessary for reliable financial reporting. This revision is intended to emphasize that management's evaluation of ICFR should consider the control environment, and other entity level activities, that are necessary to have a system of internal control that is effective at providing reasonable assurance regarding the reliability of financial reporting.
Nature of On-Going Monitoring
Another area where we made modifications to the proposed guidance to reflect the comments received relates to how self-assessment, including on-going monitoring activities, was addressed in the proposal. Commenters expressed concern that, as defined in the proposal, some on-going monitoring activities would not be deemed to provide sufficient evidence. Other commenters suggested that self-assessments can provide a significant source of evidence when their effective operation is verified by direct testing over varying periods of time, based on the manner in which the self-assessments were conducted and on the level of risk associated with the controls. Commenters also requested that the guidance be revised to clarify how, based on the definitions provided in the proposed guidance, self-assessments differed from direct testing.
We agreed with a number of the comments received and, in response to those comment letters, we revised the guidance regarding on-going monitoring activities, including self-assessments, and direct testing to clarify how the evidence obtained from each of the activities can vary. These revisions are important, as they demonstrate that management's assessment can be supported by information management obtains from its normal monitoring activities — which will oftentimes be "built in" to the daily responsibilities of employees involved in its processes — rather than from consultants hired for testing purposes. These revisions include a discussion of how management should consider the objectivity of the individuals performing the activities when determining the evidence obtained from each of the activities. As part of this discussion, we clarified that when evaluating the objectivity of personnel, management is not required to make an absolute conclusion regarding objectivity, but rather should recognize that personnel will have varying degrees of objectivity based on, among other things, their job function, their relationship to the subject matter, and their status within the organization. Management should consider the risk to reliable financial reporting when determining whether the objectivity of the personnel involved in the monitoring activities results in sufficient evidence.
Fraud Risk Considerations
Commenters suggested that further guidance in the area of fraudulent financial reporting would improve the proposal. We agree and have revised the proposal accordingly. For example, while the proposal provided general direction to assess the risk of fraud and to focus evaluation procedures on controls that address such risks, we have enhanced the final guidance by explaining that the risk of fraudulent financial reporting will exist in virtually all companies. Rigorous evaluations require management to recognize that the existence of a fraud risk does not mean that fraud has occurred. Likewise, and importantly, it should not take an incident of fraudulent financial reporting to recognize the existence of fraud risk.
Further, the guidance clarifies that the risk of management override — particularly in the period-end financial reporting process — is something that virtually every company needs to consider. Effective control systems ought to take steps to manage this risk, and we believe that companies of all sizes, including smaller companies, can do so.
Clearly fraudulent financial reporting was a primary motivation for the Sarbanes-Oxley Act including section 404. So, from an investor protection standpoint, we agreed with commenters on the importance of emphasizing management's responsibility to identify and evaluate fraud risks and the related controls that address such risks.
Overall, these modifications to the proposed guidance are consistent with our objective of rationalizing the planning and conduct of the ICFR evaluation process for all companies, regardless of size, by allowing companies to focus their efforts on those areas that management has identified as posing the greatest risks of material misstatements in the financial statements not being prevented or detected on a timely basis. This is what investors care about and what's important for achieving reliable financial reporting.
The key objectives of section 404 and the Commission's implementing rules are to foster more accurate financial reporting as well as provide investors with useful and important information about the adequacy of a company's internal controls. The interpretive guidance that we are recommending the Commission adopt today, we believe will assist management in meeting these objectives in a cost-efficient manner, while providing the intended investor protection benefits, for many years to come.
In closing, I would like to reinforce the appreciation expressed by others to the Commission, including for their guidance to the staff at the April 4th open Commission meeting, the PCAOB Board and staff, and the Office and Division staffs that have worked so long and hard on this project, including my staff, in particular, Mike Gaynor, Nancy Salisbury, Brian Croteau, Josh Jones, Kevin Stout, and Kathryn Scarborough. Mike Gaynor, who along with others has played a key role in developing and drafting the guidance, is with us at the table today to help answer your questions.
That concludes our opening remarks.
Chairman Cox, the staffs of OCA and the Division of Corporation Finance would be happy to discuss any questions that you and the Commissioners might have.