(The news featured below is a selection from the news covered in SEC Today,
which is distributed to subscribers of SEC Today.)
SEC Seeks Input for Guidance on Management's Reports on Internal Control
The SEC has issued a concept release seeking views on the
type of guidance it should provide to management in its assessment of the
effectiveness of internal control over financial reporting (Rel. No. 34-54122, July 11, 2006). The guidance will
most likely be issued in the form of a rule, according to the SEC, and will
address the issues of risk and control identification, management's evaluation,
and the documentation of internal controls. The comment period is open for 60
days. The SEC noted that any modifications to the PCAOB's Auditing Standard No.
2 will be consistent with the SEC's rule.
The SEC requires management to base its assessment of
internal control over financial reporting on a suitable evaluation framework.
The SEC did not mandate a particular framework, but identified the integrated
framework developed by the Committee of Sponsoring Organizations of the Treadway
Commission as one example of a suitable framework. The SEC advised that any
additional management guidance that it issues is not intended to replace or
modify the COSO framework or any other suitable framework.
The SEC is seeking the public's views on additional
guidance for management with respect to its evaluation and assessment of
internal control over financial reporting. The guidance will be scalable and
responsive to individual circumstances, according to the SEC. Among the
questions the SEC posed is whether additional guidance would be useful on how
management should evaluate the effectiveness of internal control over financial
reporting and whether the guidance would be useful for all reporting companies
or only a subgroup of companies. For instance, the SEC is interested in whether
there are special issues that apply to foreign private issuers that it should
consider in developing guidance for management.
The SEC also asked for input on the appropriate role of
outside auditors in connection with management's assessment and the manner in
which the auditors should provide the required attestation. If there are
alternative approaches, the SEC asked what they are and if they would provide
similar benefits at a lower cost.
The SEC has received feedback suggesting that, in
implementing section 404, many companies did not efficiently and effectively
identify the risks to reliable financial reporting and relevant internal control
functions, which led to the identification, documentation and testing of an
excessive number of controls. One cause cited was the overly
conservative application of AS2 by auditors. The SEC proposes to issue
additional guidance to management on identifying the controls to address the
recognized risks, such as materiality considerations, multi-location issues and
the concept of key controls.
COSO yesterday released its guidance for smaller public
companies. The SEC is seeking views on whether COSO's guidance will adequately
assist companies that have not yet complied with section 404 to efficiently and
effectively conduct a risk assessment and identify the controls that will
address those risks. If specific entity-level controls such as GAAP expertise
and the role of the audit committee should be addressed, the SEC asked whether
these issues are different for larger companies than for smaller companies.
The SEC advised that it continues to hear that management
has difficulty applying a top-down, risk-based approach in its assessments. In
addition to testing, the SEC noted that a key part of the assessment process is
the evaluation of control deficiencies that are discovered. The SEC has also
heard that companies are having difficulty assessing the impact of information
technology processes. Controls that are not related to internal control over
financial reporting should not be included in the assessment, according to the
SEC.
The SEC noted that it would not be practical to provide a
list of general IT controls that should be included in management's assessment.
However, the SEC is interested in views on whether specific areas related to IT
need additional guidance. The SEC believes that guidance on the evaluation
process, along with revisions to AS2, may help reduce or eliminate the excessive
testing of internal controls by improving the focus on risk and making better use of
entity-level controls. The SEC asked if guidance would be helpful with respect
to the definitions of "material weakness" and "significant
deficiency."
The SEC has heard many complaints about excessive
documentation demands, especially in relation to the costs that documentation
may impose on smaller public companies. The SEC will likely provide additional
guidance on the appropriate and required levels of documentation needed to
support management's assertion on the effectiveness of internal controls. The
SEC will attempt to determine what guidance is needed about the form, nature and
extent of documentation and whether certain factors should be taken into account
in making judgments about the nature and extent of documentation.
The SEC invited comment on any additional topics that
are not addressed in its concept release and asked that commenters provide
empirical data or other information to support or illustrate their views.