Speech by SEC Staff:
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC staff.
The overall objective of the requirement for management to evaluate the effectiveness of its internal control over financial reporting ("ICFR") under Section 404 of the Sarbanes-Oxley Act (the "Act") is to disclose to investors information about the quality of a company's internal controls to utilize when making investment decisions. Earlier this year the Commission issued interpretive guidance (the "guidance") and adopted certain amendments to Regulation S-X to help management comply with Section 404 more cost effectively.
While clearly one of our objectives was to improve the efficiency of the evaluation, I thought I would spend my time today discussing four aspects of the guidance that were intended to improve the effectiveness of the evaluation as well. These four aspects are:
Evaluation of Design
During the first phase of the evaluation, the guidance directs management to identify financial reporting risks. Once management has identified these risks, it must ask itself two questions:
Reliable and informative disclosures to investors about ICFR require thoughtful and critical consideration of these questions early in the evaluation process. This often takes judgment, but the answers have a significant impact on both the amount of effort needed to conduct the evaluation and the quality of management's conclusion. For example, if the answer to either of these two questions is "no," a deficiency exists in the design of its controls that management must evaluate to determine if it is a material weakness. If management concludes the deficiency in design is a material weakness, then no further testing of operating effectiveness is necessary for the purposes of deciding whether it should be disclosed. This illustrates how the early identification of a design deficiency should impact the number of controls subject to management's evaluation procedures, which should also have a direct correlation to the effort required.
The evaluation of design is fundamental to the quality of the assessment process as well. For example, the early identification of design deficiencies can provide management with information about control weaknesses before they result in a material misstatement in the financial statements. Also, the guidance directs companies to specifically consider the risks of fraudulent financial reporting and whether it has controls in place to adequately address those risks. This emphasis is consistent with the notion that addressing the risk of fraud is important to achieving reliable financial reporting and that such controls are integral to an effective system of internal control. Investors are entitled to know when a company's controls are not adequate to address material fraud risks, and companies should recognize that the identification of fraud risks does not mean that a fraud has occurred just as it should not take an incident of fraudulent financial reporting to recognize that fraud risks exist. These examples hopefully illustrate how a critical review of the design of the controls implemented to address financial reporting risks, which includes the proper involvement of senior management, plays an integral role in management's annual assessment process.
Focus Effort on Areas of Higher Risk
After management has determined that its controls are designed effectively, during the next phase of the evaluation, the guidance directs management to evaluate whether the controls identified actually operated in a manner consistent with their design. It is important to note, however, that the objective of the guidance wasn't on simply gathering less evidence, but on focusing management's methods and procedures on the areas most critical to ensuring reliable financial reporting. A review of assessment reports from the first three years of ICFR reporting show that a majority of material weaknesses related to areas — such as revenue recognition, income tax accounting, liabilities and reserves1 — that are generally considered higher risk because they are typically subject to significant judgment or complex accounting requirements, and are common sources of restatements. Given the importance of areas such as these to a company's financial reporting, the framework provided in the guidance requires management to gather more evidence in higher risk areas, while at the same time provides flexibility in the evidence needed to support the effective operation of controls in lower risk areas. I should highlight that the guidance in this area is supplemented with a diagram that we believe is helpful to illustrate how this framework is intended to be applied. Focusing management in this manner should help foster the earlier identification and remediation of deficiencies in internal control, and ultimately, provide more timely and reliable information for investors.
Evaluation of Deficiencies
A third aspect of the guidance that was intended to improve the effectiveness of the evaluation relates to the evaluation of deficiencies. A review of material weakness disclosures has indicated that a majority were the direct result of the identification by either management or its external auditor of material or numerous adjustments associated with the preparation of the year-end financial statements.2 Two questions arising from this information are: 1) whether the weakness, in fact, resulted in a control breakdown during the fourth quarter of the year or if a weakness existed in the company's internal control prior to then that should have been identified and 2) whether other material weaknesses existed at year-end that were not reported because they did not result in a material adjustment to the financial statements? These are critical questions in determining whether investors are provided with appropriate disclosures.
With regards to the first question, management should consider the root causes of each material weakness and whether its internal control system is designed to identify material weaknesses prior to the identification of an adjustment in the financial statements. When evaluating these situations, management should be mindful of the need to consider the effectiveness of its entity-level controls, including its risk assessment and monitoring activities, and how those programs inform its process for identifying and evaluating changes in its ICFR for the purposes of making its quarterly certifications. This will help it determine if its internal control system is designed to provide it with timely information about control weaknesses and if not, why this fact doesn't represent a material weakness that should be disclosed to investors. While control deficiencies cannot ever be completely eliminated, a control system's ability to provide timely identification of control breakdowns — that is, before they result in errors in the financial statements — is an important component of effective internal control systems as prescribed by control frameworks such as COSO.
With regards to the second question regarding the existence of other material weaknesses, the data indicates that management, as well as auditors, may often be placing primary reliance on the occurrence of a material adjustment and/or misstatement as the decisive factor in its evaluation of whether or not a deficiency represents a material weakness. However, it is important to remember that this is not a pre-condition to the determination that a material weakness exists. Said differently, it does not take an error in the financial statements to have a material weakness. Instead, management is expected to use all of the facts and circumstances surrounding the deficiency, or combination of deficiencies, when evaluating whether or not a reasonable possibility exists that a material misstatement could occur in the company's annual or interim financial statements.
In addition, if a deficiency exists, but a compensating control leads management to conclude that a deficiency represents only a significant deficiency, then the company's evaluation process will need to have evaluated the design and operation of such compensating controls and have support for the effectiveness of those controls as well. The guidance includes a number of considerations to assist management in making all of these determinations, and while these decisions are complex and require management to utilize significant judgment, they are critical to providing investors with the information envisioned by the Act. Companies should understand that, in certain situations, the staff may request information about management's evaluation of deficiencies in order to gain an understanding of how a company evaluated those deficiencies that were determined to be less severe than a material weakness.
Material Weakness Disclosures
The last area I would like to discuss relates to management's disclosure of the results of its evaluation. The disclosure of material weaknesses in management's assessment report was intended to provide investors with robust information about their actual (if any) and potential effect on a company's financial reporting. However, a common criticism of the disclosures is that the descriptions provided makes it difficult for investors to understand their impact. The interpretive guidance contains a number of items management should consider including in its disclosures to help provide investors with sufficient information to use in their assessment of the risks to the reliability of the company's financial reporting.
For example, the guidance explains that the description of material weaknesses would be more helpful if it allows investors to distinguish between those that may have a pervasive impact and those that do not. An example of a pervasive impact could be one that impacts an entire division, an entire process, or all of ICFR. Again, a review of material weakness disclosures illustrates that companies with ineffective ICFR disclose, on average, two or more material weaknesses.3 In addition, greater than 50% of the disclosures included a weakness due to a lack of resources in personnel or technical expertise.4 Disclosures of these weaknesses often conclude that the cause was isolated to the specific area where the issue was discovered. However, given that these weaknesses are generally accompanied by others, a question arises as to whether other problems exist within the company's system of internal control, such as in its risk assessment or monitoring programs, that were the underlying cause of the deficiency. Said differently, is the material weakness disclosed representative of the issue resident in the company's control system or is there another, more pervasive material weakness that should have been identified and disclosed. While the discovery of multiple material weaknesses does not automatically indicate deficiencies in these areas of entity-level control, such deficiencies may be important to investors given their pervasive impact on ICFR, and management should be mindful of this when evaluating and communicating the results of its assessment. As part of our review of material weakness disclosures, the OCA staff provide input into the Division of Corporation Finance's review of filings to the extent these disclosures can be improved along the lines suggested in the interpretive guidance.
In closing, I hope the examples provided help illustrate how the Commission's interpretive guidance was intended to improve both the efficiency and effectiveness of the evaluation. On another quick note, the Commission has created a brochure as a complement to the interpretive guidance that provides an easy-to-use summary of the requirements for management's assessment and reporting. It was intended to help make management's first assessment easier and is available on the Commission's website. This concludes my remarks. Thank you.
|Home | Previous Page||