Commission Definition of Internal Control over Financial Reporting
A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
Exchange Act Rule 13a-15(f)
Companies have been required to maintain a system of internal accounting controls since the enactment of the Foreign Corrupt Practices Act in 1977. However, the requirements arising out of Section 404 have caused companies and their auditors to focus additional attention on the effectiveness of companies’ internal controls and, in most cases, report publicly on those controls for the first time.
Originally the new internal control reports of management and the company’s external auditor that are required by the Commission’s rules and AS No. 2 were due for fiscal years ending after June 15, 2004, for accelerated filers,1 and after April 15, 2005, for smaller companies and foreign private issuers. Recognizing the importance of these provisions and the time necessary to implement them properly, the Commission later extended these deadlines to November 15, 2004, and July 15, 2006, respectively. In addition, the Commission issued an exemptive order to grant accelerated filers with a public equity float of less than $700 million an additional 45 days to include in the current year’s annual report management’s report on internal control over financial reporting and the related auditor’s report. The Commission also extended for one more year the complete phase-in of the new accelerated filer reporting deadlines, in part because of the need for companies to focus on implementing the Section 404 rules.
Given the November 15, 2004, fiscal year compliance date for accelerated filers, the first of management’s assessments and the accompanying audit reports were due in February. Now that a significant group of companies has completed the first Section 404 process, the Commission is seeking input to assess the impact of the Commission’s rules and AS No. 2 on companies and on their internal controls and financial reporting. The Commission is also seeking input on the impact of implementation of the internal control assessment, reporting and auditing requirements.
The Commission’s rules require that management’s report on internal control over financial reporting contain certain elements, including:
The Commission determined not to provide more specific management reporting requirements, or a template format for management’s report, to discourage management from using boilerplate language in the reports.
AS No. 2 requires the auditor’s report on the company’s internal controls to include, among other things:
AS No. 2 provides example reports for the auditor to consider when issuing its report. As a result, the majority of auditors’ reports to date closely followed the example reports issued by the PCAOB.
The Commission is seeking input on whether management’s and the auditor’s reports have generally been useful to the various users of a company’s financial statements. The Commission is also seeking input regarding what improvements in reporting or disclosure could be made in this area.
The Commission’s rules state that management must base its evaluation of the effectiveness of a company’s internal control over financial reporting on a suitable, recognized control framework. While neither the Commission’s rules nor AS No. 2 mandate the use of a particular framework that meets the stated criteria, both indicate that a suitable framework for U.S. companies is the framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.2
The foundation of the Commission’s rules and AS No. 2 is the determination of the scope of a company’s internal control over financial reporting, working within the chosen framework. Management must determine which processes are included as part of internal control over financial reporting as well as how much documentation and testing is required in order to complete an adequate assessment of internal control over financial reporting. The Commission’s adopting release for its rules stated that controls subject to assessment include, but are not limited to:
Both the Commission’s rules and AS No. 2 use the term “reasonable assurance” in the definition of internal control over financial reporting. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. AS No. 2 provides that reasonable assurance, both on the part of issuers and auditors, involves the use of professional judgment.4
The Commission is seeking input on the process of planning and design to determine the scope of companies’ controls as well as the scope of the review of those controls, including the extent to which registrants and auditors have used professional judgment in designing the scope of internal control and the review required under the Commission’s rules and AS No. 2.
Once a company and its auditor determine what is included within the assessment of internal control over financial reporting, they must determine, among other things, the extent of documentation and testing required to complete an adequate assessment. The Commission’s rules require that management base its evaluation of the effectiveness of a company’s internal control over financial reporting on a recognized control framework, but do not identify a required level of documentation and testing of those controls. Nor do the Commission’s rules specify the methods or procedures to be performed in completing an evaluation, other than indicating that the assessment must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness within the overall controls standard of reasonable assurance.
The Commission’s rules do require that, in connection with management’s assessment, a company must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the company’s internal control over financial reporting. In particular, the Commission’s release adopting its rules explains that “[t]his evidential matter should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered. The public accounting firm that is required to attest to, and report on, management’s assessment of the effectiveness of the company’s internal control over financial reporting also will require that the company develop and maintain such evidential matter to support management’s assessment.”5
Additionally, while the Commission’s release adopting its rules indicates certain types of controls that should be considered for testing by management in making this assessment, it acknowledges that the nature of the actual testing activities will depend largely on the circumstances of the company and the significance of the control, though inquiry alone generally will not be considered sufficient.
Further guidance regarding the level of documentation and testing required by the outside auditor is provided in AS No. 2. This standard includes detailed guidance regarding both the auditor’s evaluation of management’s assessment process (including whether management’s documentation provides reasonable support for its assessment), as well as documentation and testing required relating to the auditor’s own assessment of the company’s internal control over financial reporting. Audit documentation requirements are also addressed in the PCAOB’s Auditing Standard No. 3, Audit Documentation.
The Commission is seeking input about the level of documentation and testing that was performed by management and the outside auditor in completing their respective assessments of internal control over financial reporting.
Various aspects of the Commission’s rules and AS No. 2 require both management and the auditor to use professional judgment regarding the nature and extent of testing and in reaching conclusions regarding the effectiveness of internal control over financial reporting. Some areas impacted by professional judgment have already been discussed, such as the planning and design of the assessment of internal control over financial reporting, as well as the documentation and testing of the applicable processes. There are other areas, however, where the use of professional judgment by management and the auditor is an important part of assessing and auditing internal control over financial reporting.
One such area is the interaction between the auditor, management and audit committee and judgments made with respect to the implications of such interactions on the identification of control deficiencies. Historically, the external auditor has been available to provide management with certain accounting and reporting guidance, based on the auditor’s expertise in these matters. This advice has always, however, been subject to limitations imposed by the independence requirements with which auditors must comply. Recently, some have raised issues about the ability of the auditor to provide this type of advice without the auditor becoming, in essence, a part of management’s internal control over financial reporting, in addition to presenting the potential for impairing the auditor’s independence.
Another such area is the evaluation of any control deficiencies noted during the assessment of internal control over financial reporting. The Commission’s rules and AS No. 2 require management and the external auditor to arrive at an assessment of the effectiveness of internal control over financial reporting. In completing the assessment, management and the auditor may each identify control deficiencies, and they must evaluate and assess whether those deficiencies are significant deficiencies or material weaknesses. These two categories differ in the likelihood of misstatement and the materiality of the likely misstatement due to the identified deficiency. Ideally, both management and the auditor would arrive at the same conclusion regarding control deficiencies and the overall effectiveness of internal control over financial reporting. However, the evaluation of control deficiencies requires professional judgment, which incorporates both quantitative and qualitative factors.
An additional area that requires the use of judgment is communication regarding control deficiencies. AS No. 2 requires that the auditor communicate to management and the audit committee all significant deficiencies and material weaknesses in internal control over financial reporting identified during the audit. AS No. 2 further requires that the auditor communicate to management all deficiencies (that is, those deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies) identified during its review. The auditor must also obtain a representation from management stating that it has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s assessment, including separately disclosing those that are significant deficiencies or material weaknesses.
The Commission is seeking input about the level of professional judgment used in these areas by management, the audit committee and the auditor in their communications as well as in reaching conclusions about internal control over financial reporting.
In Panels 1 through 5, the Commission is seeking input on specific experiences in the first year of implementation of the Commission’s rules and AS No. 2. As the Commission noted when adopting the internal control reporting rules, it has long been the Commission’s intention to learn from the experience of the first year of implementation, and ask how the process might be improved without compromising its benefits. In this panel, the Commission is seeking input about future application and implementation of the rules and practices thereunder.
1 Generally, “accelerated filers” are U.S. companies that have equity market capitalization over $75 million and previously have filed an annual report with the Commission.
2 At the request of Commission staff, a task force of COSO has been established and anticipates publishing this Summer additional guidance in applying COSO’s framework to smaller companies. In addition, the Commission noted in its release adopting its rules that foreign issuers can look to widely accepted internal control frameworks outside the U.S., such as Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and The Turnbull Report published by the Institute of Chartered Accountants in England and Wales.
3 Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 34-47986, (June 5, 2003), at section II.B.3.d.
4 AS No. 2 ¶18 states “…there are limitations on the amount of assurance the auditor can obtain…Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment…”
5 Final Rule: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 34-47986, (June 5, 2003), at section II.B.3.d.