Remarks before the 2018 AICPA Conference on Current SEC and PCAOB Developments
Emily L. Fitts
Professional Accounting Fellow, Office of the Chief Accountant
Dec. 10, 2018
The Securities and Exchange Commission disclaims responsibility for any private publication or statement by any SEC employee or Commissioner. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff.
Over time, members of the SEC staff have spoken about the importance of internal control over financial reporting (“ICFR”) and the value of communication among audit committees, auditors, and management regarding ICFR. We have also shared certain considerations to assist in the design of an effective system of internal control.  Today, I would like to continue the ICFR discussion by focusing on two topics: the evaluation of operating effectiveness of controls and preparation of material weakness disclosures.
Evaluating the Operating Effectiveness of ICFR
Management is required to design and implement controls that will achieve the objective of ICFR. Additionally, management is required to evaluate on an annual basis the effectiveness of these controls, i.e., whether the controls identified have been implemented and actually operate in a manner consistent with their design.
The assessment of ICFR is especially important this year-end, given the impact on companies internal controls related to the adoption of new accounting standards, such as revenue recognition. Well-reasoned and supported judgment is required in both the design of controls and evaluation of the operating effectiveness of internal controls. These judgments should be grounded in management’s assessment of the risk of control failure and the risk of material misstatement. In determining whether the evaluation of the operating effectiveness of controls is sufficient, the following two broad concepts are important. First, the foundation of the evaluation is to determine if the control is operating as designed. Second, the nature, timing, and extent of the evaluation procedures should be linked to the assessed risk of control failure and the risk of material misstatement. I find it helpful to consider these two concepts, among others, upfront in planning the evaluation of the operating effectiveness, as these concepts can aid in a determining whether controls operate effectively or not.
Design is the starting point for the evaluation of operating effectiveness
As a foundational point, controls should address the identified risks to reliable financial reporting, including the nature and extent of any changes in those risks. A vital step in management’s evaluation of whether the operation of the control is effective, is the consideration of whether the control has operated as it was designed. With this in mind, consideration of the following questions, among others, when planning the evaluation of operating effectiveness may assist in an effective and efficient evaluation.
- Did the operating effectiveness assessment include an evaluation of how the operation of the control mitigated the identified risks?
- When a control is designed to address multiple financial reporting risks or if the control is multi-faceted, does the assessment include an evaluation of the operating effectiveness of each aspect of the control?
- For controls that operate more than once per annual period, was the consistency of the execution of the control considered?
- When the control was designed with a threshold, was the threshold applied consistently to identify items and was further evaluation conducted when necessary?
- Was the competency and authority of the personnel who performed the control, or monitored its performance, evaluated and considered?
- In considering the competency and authority of the personnel, did the evaluation of the control’s operating effectiveness consider whether there had been any changes in the personnel who either perform the control or monitor its performance?
Evaluation procedures should be risk-based
The sufficiency of the evaluation of operating effectiveness is directly linked to the risk that the control fails to operate and the risk of material misstatement of the financial reporting element. As these risks increase, generally more persuasive evidence is needed in order to sufficiently evaluate whether the control operated effectively. In determining whether management has a reasonable basis for its assessment of the operating effectiveness of controls, management’s consideration regarding the sufficiency of the evaluation procedures is important. Again, I encourage you to consider the following questions when planning the evaluation, to potentially help gauge whether the evaluation procedures are sufficient to support the operating effectiveness assessment.
- Is the sample size to evaluate the effectiveness of the control sufficient in considering the number of instances in which the control operated during the assessment period?
- Were the risks considered in determining the appropriate level of persuasiveness needed for the evidence to be obtained?
- For controls related to financial reporting elements with a higher risk of material misstatement (resulting from the susceptibility to fraud, the significance of judgment, or the control’s complexity), did the nature, timing, and extent of the evaluation procedures appropriately reflect the level of risk?
- Was the type of control (whether it is, manual or automated) considered in determining the nature, timing, and extent of the evaluation procedures?
- Did the control rely on the completeness and accuracy of the information produced by the company? If so, were the controls over that information evaluated and found to be effective?
While these considerations for the evaluation of operating effectiveness are not all-inclusive, these questions can provide a good starting point for discussion among audit committees, auditors, and management in determining the sufficiency of the evaluation.
Material Weakness Disclosures
The last topic I would like to focus on is management’s annual report on ICFR. Management is required to conclude and state in its report whether ICFR is effective or ineffective. This report and the related material weakness disclosures, when ICFR has been deemed ineffective, should provide investors with meaningful information. For example, the goal of management’s material weakness disclosure is to go beyond describing the mere existence of a material weakness, but to allow for investors to understand the cause of the control deficiency and to assess its potential impact on the company’s financial reporting. While, I and my colleagues in OCA, have observed improvements in the disclosures of material weaknesses by companies, more could be done to make these disclosures more informative to investors. When disclosing a material weakness, I suggest considering the following questions to help determine if the disclosure would provide investors with the most meaningful information.
- Does the disclosure allow an investor to understand what went wrong in the control that resulted in a material weakness?
- Is it sufficiently clear from the disclosure what the impact of each material weakness is on the company’s financial statements? For example, is the material weakness pervasive or isolated to specific accounts or disclosures?
- Are management’s plans to remediate the material weakness sufficiently clear? For example, does disclosure of the remediation plans provide sufficient detail that an investor would understand what management’s plans are and how the remediation plans would address the identified material weakness?
These questions provide a starting point for audit committees, auditors, and management to take a step back and consider how the disclosure of material weaknesses can be enhanced to provide investors with the most meaningful useful information.
I want to thank you for taking the time to join me in discussing these two aspects of ICFR today. Management's ability to produce reliable financial information for investors depends significantly on the effectiveness of ICFR and I hope that the considerations I have outlined today will assist management with the assessment of ICFR. Thank you.
 See e.g., Wesley R. Bricker, Chief Accountant, Office of the Chief Accountant, U.S. Securities and Exchange Commission, Statement in Connection with the 2017 AICPA Conference on Current SEC and PCAOB Developments (Dec. 4, 2017), available at https://www.sec.gov/news/speech/bricker-2017-12-04.
See e.g., Michal P. Dusza, Professional Accounting Fellow, Office of the Chief Accountant, U.S. Securities and Exchange Commission, Remarks Before the 2017 AICPA Conference on Current SEC and PCAOB Developments (Dec. 4, 2017), available at https://www.sec.gov/news/speech/dusza-aicpa-2017-conference-sec-pcaob-developments.
 See Exchange Act Rules 13a-15 and 15d-15, which defines ICFR, in part, as a process designed “to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP.”
 See Exchange Act Rules 13a-15(c) and 15d-15(c).
 Accounting Standards Update (“ASU”) No. 2014-09, Revenue from Contracts with Customers (Topic 606) (May 2014), and subsequent amendments, available at http://www.fasb.org/cs/ContentServer?c=Page&pagename=FASB%2FPage%2FSectionPage&cid=1176156316498.
 See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release No. 33-8810 (June 20, 2007) [72 FR 35324 (June 27, 2007)] (hereinafter “ICFR Release”). This release includes guidance stating that “the evaluation of the operating effectiveness of a control considers whether the control is operating a designed.” It also discusses that the nature, timing and extent of evaluation procedures necessary for management to obtain sufficient evidence of the effective operation of a control depend on the assessed ICFR risk.
 See ICFR Release discussion about the evidence that management evaluates to determine whether the operation of the control is effective. The ICFR Release indicates that not only is it important that management consider the design of the control in the evaluation of operating effectiveness, management should also consider the consistency with which the control operated and, for controls whose operation may include a greater degree of judgment, whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
 See ICFR Release discussion about procedures that management uses to gather evidence about the operation of the controls it identifies as adequately addressing the financial reporting elements. [The ICFR Release indicates that] these procedures should be tailored to management’s assessment of the risk characteristics of both the individual financial reporting elements and the related controls (collectively, ICFR risk). This concept is further illustrated by the Determining the Sufficiency of Evidence Based on ICFR Risk diagram at 35330.
 See ICFR Release discussion about implementing procedures to evaluate evidence of the operation of ICFR. Additionally, evidence comes in many forms, as it can have both quantitative and qualitative characteristics. Qualitative characteristics includes considerations regarding the period of time to which the evidence relates to and the nature of the evaluation procedures performed, such as either through direct testing or on-going monitoring activities. Quantitative characteristics include sample size for the number of control operations included in the evaluation, among others.
 See Item 308 of Regulation S-K.
 See ICFR Release discussion about disclosures about material weaknesses.