Overview of Reporting Results
During the initial year of reporting under the internal control reporting requirements (November 16, 2004 through November 15, 2005), approximately 3,900 companies reported on the effectiveness of their internal control over financial reporting, with almost 16% of those companies concluding that their internal control over financial reporting was not effective. A total of approximately 1,500 material weaknesses were reported, on a variety of control-related topics.
During the second year of reporting, through April 25, 2006, approximately 3,000 companies have reported, with almost 7% of those companies concluding that their internal control over financial reporting was not effective. A total of approximately 400 material weaknesses have been reported, again on a variety of control-related topics.
(Source: Audit Analytics)
Panel 1. Overview of the Second Year
The 2005 roundtable sought information to assess the overall impact of the first year of compliance with the rules. The Commission and the Board now are seeking information regarding second-year experiences with the assessment, reporting, and auditing requirements related to companies’ internal control over financial reporting. Specifically, the Commission and the Board are interested in the nature and extent of changes in the processes in the second year as companies and their auditors gained more experience; whether resources were allocated more efficiently and effectively in the second year; and whether progress has been made toward the goal of improving the integrity of financial reporting.
1. Do you believe that the requirements of Section 404 have helped improve the quality of companies’ annual and quarterly financial statements or resulted in other benefits? If so, what is the primary source of that improvement? What are the countervailing costs of Section 404 compliance?
2. Please provide your overall perspectives regarding your experiences with the second year of assessing, reporting, and auditing internal control over financial reporting. What was different about the process in the second year? Were substantial modifications made in management’s and the auditor’s approach to the assessment? If so, what were they?
3. What are your thoughts about the efforts and costs incurred this year as compared with the first year? What portion of these efforts and costs related to work by the outside auditor versus other efforts and costs to companies? Did you realize expected cost savings in the second year? If so, what is the primary source of cost savings (e.g. increased efficiency, reduced documentation, etc.)? What are your views regarding efforts and costs to be incurred in future years?
4. What implementation and/or ongoing issues have arisen or continued in the second year of assessing, reporting, and auditing internal control over financial reporting? How should such issues be addressed?
5. Was the level of effort required to complete the assessment in the second year substantially greater or less than in the first year? Are further modifications to management’s assessment and the auditor’s process anticipated in future years? Will the same level of effort expended in the second year be necessary or even increase in the third year and beyond?
Panel 2. Management’s Evaluation and Assessment
The Commission’s rules require that management assess, as of the end of each fiscal year, the company’s internal control over financial reporting and report on its assessment of the effectiveness of internal control. The methods for conducting evaluations and the nature of testing procedures will vary depending on the circumstances of the company and significance of any particular control. Therefore, in adopting its rules, the Commission expressly declined to prescribe the scope of the assessment or the amount of testing and documentation required by management. The Commission’s rules do require, however, that management base its assessment on a suitable, recognized control framework. The framework used by the vast majority of companies was the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework describes the elements required to be present for effective control, but provides limited guidance on the methods and procedures required to evaluate internal control over financial reporting.
At last year’s roundtable, several commenters questioned whether management’s approach to completing its assessment of internal control over financial reporting was appropriately top-down or risk-based. Moreover, several commenters suggested that too many controls and processes were documented and tested. In addition, feedback from some commenters indicated that they expected that much of the cost and effort involved in documenting internal control over financial reporting reflected one-time, start-up costs and efforts (including deferred maintenance costs) that were not expected to recur in subsequent years.
While PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS No. 2) is intended for auditors, many companies indicated that the scope of their management’s evaluation process and the methods and procedures used for testing controls were modeled after its requirements. In its May 16, 2005, statement, the SEC emphasized, among other things, that management should use a top-down, risk-based approach to evaluating internal control that devotes resources to the areas of greatest risk and avoids giving all significant accounts and related controls equal attention without regard to risk. The PCAOB’s May 16, 2005, guidance also provided additional direction to auditors on how to appropriately evaluate management’s assessment process.
The Commission and the Board are seeking input on whether, and how, companies have improved the efficiency and effectiveness of their process for assessing internal control over financial reporting in the second year of compliance. The Commission and the Board are also soliciting views about the challenges in designing a sustainable assessment process that is both effective and efficient.
1. Was the guidance issued on May 16, 2005, by the SEC and PCAOB helpful in improving management’s process in the second year? Were processes for evaluating controls more risk-focused in the second year? What are the biggest challenges in implementing a risk-based approach? Would further guidance be helpful in any area?
2. How, if at all, would management have approached its assessment differently if it did not know that it would be the subject of an independent audit? Were there instances where management believed that it had taken an appropriate, risk-based approach to assessing internal control over financial reporting, but modified that approach based on auditor demands? Were these changes beneficial to the company’s system of internal control over financial reporting or to the effectiveness and efficiency of management’s assessment?
3. Is there sufficient information available to management concerning the appropriate internal control framework? Is there sufficient information available concerning how management should conduct an internal control assessment?
4. Did management’s evaluation process consider company-level controls in determining the scope and extent of testing of accounts and processes? What types of company-level controls have the greatest impact on the scope and extent of testing?
5. Are there issues or challenges that are specific to smaller accelerated filers in completing their assessments that might not apply to all accelerated filers? If so, what are those issues and challenges and how can they be addressed?
6. How did your evaluation of information technology general controls differ in the second year? Do you see additional areas for improvement? Were you able to implement a benchmarking strategy for computer application controls? If not, why not? Would additional guidance be useful?
7. Many companies indicated at last year’s roundtable that they incurred significant effort and cost documenting internal controls. What drove the level of documentation? How did the second year compare to the first year in terms of effort and cost spent on documentation? What modifications to existing requirements might make the process more efficient and effective? Are particular modifications desirable or necessary for smaller and less complex companies?
Panel 3. The Audit of Internal Control Over Financial Reporting
The PCAOB’s AS No. 2 describes an integrated audit of internal control over financial reporting and the financial statements. Feedback received in connection with the 2005 roundtable indicated that auditors generally had not performed a fully integrated audit of financial statements and internal control over financial reporting. Instead auditors essentially often had performed two separate engagements. Feedback received in the first year also indicated that there were other areas in which auditors’ initial performance of the audit of internal control could be improved.
After completing a limited number of inspections of audits of internal control over financial reporting, focused specifically on high-risk areas, the Board issued a report on November 30, 2005, detailing its observations of the first-year’s implementation of AS No. 2. This report includes observations gained during the Board’s inspections of registered firms, as well as observations gained through other activities of the Board. The November 30, 2005, report focused on areas in which the Board believes greater efficiencies are possible in future years. Specifically, the report noted that some auditors did not effectively apply a top-down approach, whereby they would have begun evaluating company-level controls and significant accounts at the financial statement level and then moved down to relevant individual controls. Taking the top-down approach would have allowed them to tailor the work as they moved toward evaluating more specific controls. Moreover, some auditors did not alter the nature, timing and extent of their testing to reflect the level of risk and did not use the work of others to the extent permitted by AS No. 2.
The Commission and the Board are seeking input on how the auditors’ process for evaluating internal control over financial reporting has changed in the second year compared to the first year. The Commission and the Board are also soliciting views on the challenges to achieving long-term efficiency, effectiveness, and sustainability in the internal control over financial reporting audit process.
1. Did auditors use any strategies to ensure that they appropriately altered the nature, timing, and extent of their testing in response to the assessed level of risk? If so, what were they? Are there additional improvements that could be made in the auditor’s performance of a risk-based audit?
2. What impact did the Board’s inspections of firms’ first year internal control audits have on the audit process? What effect did the Board’s November 30, 2005, report have on the second-year process? What impact did the Board’s inspection program generally have on the auditor’s approach to implementing the AS No. 2 audit process? How should the Board ensure that its inspection program is both rigorous and consistent with Board guidance concerning the implementation of AS No. 2?
3. Were fully integrated audits performed in the second year? If not, what barriers existed in the second year to prevent integration, and what can be done to reduce those barriers in the future? In what other ways could auditors increase the efficiency and effectiveness of the audit process without compromising the Act’s goals?
4. How do auditors gather and use evidence about company-level controls? Were there changes to the auditors’ approach to evaluating these controls, including control environment, in the second year? How do auditors evaluate the impact of compensating controls on control deficiencies? Do management’s and the auditor’s views differ in this area?
5. Did the process of identifying significant accounts, significant processes, and major classes of transactions worsen or improve in the second year? If not, what is the primary difficulty in this area? Do management’s and the auditor’s views differ in these areas?
6. Did auditors increase or decrease the degree to which the work of others was relied on in the second year? Was the May 16, 2005, guidance issued by the SEC and the PCAOB helpful in determining the extent to which the work of others could be used in the second-year assessment? Are there specific barriers that prevent auditors from using the work of internal auditors and others performing management’s assessment to the fullest extent appropriate?
7. Are auditors tailoring the internal control audit to the complexity of the company? Is there appropriate recognition from auditors that control objectives may be achieved via many different methods? Are auditors reluctant to scale their work in less complex environments? Would modification to AS No. 2, or to the auditors requirements as a whole, make the process more effective and efficient? Are particular modifications necessary for smaller and less complex companies?
Panel 4. The Effect on the Market
One of the main goals of Section 404 of the Sarbanes-Oxley Act was to enhance the quality of financial reporting by public companies and to thereby increase investor confidence in the securities markets. An effective system of internal control over financial reporting is important to public companies’ production of reliable financial statements and other financial information used by investors.
The requirements of Section 404 of Sarbanes-Oxley could result in at least two beneficial consequences: (1) the requirements could cause a company’s senior management to devote more attention to the maintenance of the company’s internal control over financial reporting; and (2) publicly available internal control reports prepared by management and the company’s auditor could allow investors better to evaluate management’s performance and the reliability of a company’s financial statements and other financial information.
The second year of compliance with the internal control reporting requirements provides another opportunity to gauge the effect of these requirements on the market and to weigh the market benefits of the requirements against the costs. The Commission and the Board are seeking input on whether management’s and the auditor’s reports and related disclosure have been useful to investors and other market participants who depend on the filing of accurate financial information by public companies. We also are seeking suggestions regarding any changes that the Commission or the Board could make to improve the usefulness of the information provided as a result of the reporting requirements related to internal control over financial reporting.
1. Do you believe that the goals of the Act are being met? If not, why not? If so, were the goals being met chiefly by management’s assessment, the independent audit, or both? Are these goals being met at a cost that is justified by the benefits delivered to shareholders? Is your view impacted by the size and/or complexity of the company?
2. Do investors benefit from internal control reporting? What is the source of any benefits? What are the countervailing costs? How could the internal control requirements be improved from an investor’s perspective?
3. How is the competitiveness of U.S. public companies impacted by the internal control requirements? How might the cost of capital for U.S. companies change as a result? What will be the effect on U.S. securities markets and, therefore, U.S. investors? Will companies seeking to go public be influenced by the costs associated with the internal control reporting and auditing requirements? If so, how?
4. Do investors and other market participants generally understand the existing definition of the term “material weakness”? Do companies’ public disclosures about the existence of material weaknesses adequately inform investors and the market about the material weaknesses internal control over financial reporting and the effect of those material weaknesses on financial reporting? Does the market react to material weakness disclosures?
5. In your opinion, have disclosures related to material weaknesses in companies’ internal control over financial reporting been helpful to investors? If so, how? Did such disclosure improve in the second year? If so, how?
6. Should other reporting and/or assessment options that are consistent with the goals of the Act be considered for management or the auditor? If so, how would these reporting options achieve the goals of the Act?
Panels 1 through 4 are intended to solicit feedback on broad and specific experiences and lessons learned from the second year of implementing the internal control over financial reporting requirements. In this panel, the Commission and Board are seeking feedback on any significant remaining concerns and recommendations on how the efficiency and effectiveness of the documentation, assessment, reporting, and auditing process might be improved.
1. What remaining concerns about the implementation of internal control over financial reporting should be addressed? Do you believe management could obtain a reasonable basis for its assessment with less work and cost in subsequent years? Could the auditor issue his or her opinion with less work? If so, what work could be reduced or eliminated? Should management or the auditor be permitted to rotate the controls tested in subsequent years?
2. Are there specific amendments that could be made to either the Commission’s rules or the PCAOB’s standards to improve the efficiency and effectiveness of management’s assessment and the auditor’s role?
3. Is there specific additional guidance regarding internal control over financial reporting that the Commission should provide to companies, including guidance with respect to management’s assessment? Is there specific additional guidance that the Board should provide to auditors regarding the audit of internal control?
4. Did costs related to internal control over financial reporting decrease as much as expected in the second year? Did total audit fees for the integrated audit decrease in the second year? Are costs expected to come down significantly in the third and subsequent years?
5. What other actions should the Commission and the Board consider to improve the process? What actions could other interested parties take to improve the process?
iSubmissions to the Commission may be provided electronically by using the Commission’s Internet submission form at www.sec.gov/news/press.shtml; or by sending an e-mail to email@example.com. Paper submissions should be send in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090. All submissions should refer to File Number 4-511. This file number should be included on the subject line if e-mail is used. The Commission will post all submissions on the Commission’s Internet Web site (http://www.sec.gov/news/press/4-511.shtml). All submissions received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.
Submissions to the PCAOB may be provided electronically by use of the Board’s Internet submission form at http://www.pcaobus.org/News_and_Events/Events/2006/05-10.aspx. Comments must include “Internal Control Roundtable” in the subject line and may be in the body of the e-mail or included as an attachment. Paper submissions should be sent to Public Company Accounting Oversight Board, Attn Office of the Secretary, 1666 K Street, NW, Washington, DC 20006-2803. Indicate “Internal Control Roundtable” in the reference line or at the beginning of your comments.
|Home | Previous Page||