(The news featured below is a selection from the news covered in SEC Today, which is distributed to subscribers of SEC Today.)

SEC Seeks Input for Guidance on Management's Reports on Internal Control

The SEC has issued a concept release seeking views on the type of guidance it should provide to management in its assessment of the effectiveness of internal control over financial reporting (Rel. No. 34-54122, July 11, 2006). The guidance will most likely be issued in the form of a rule, according to the SEC, and will address the issues of risk and control identification, management's evaluation, and the documentation of internal controls. The comment period is open for 60 days. The SEC noted that any modifications to the PCAOB's Auditing Standard No. 2 will be consistent with the SEC's rule.

The SEC requires management to base its assessment of internal control over financial reporting on a suitable evaluation framework. The SEC did not mandate a particular framework, but identified the integrated framework developed by the Committee of Sponsoring Organizations of the Treadway Commission as one example of a suitable framework. The SEC advised that any additional management guidance that it issues is not intended to replace or modify the COSO framework or any other suitable framework.

The SEC is seeking the public's views on additional guidance for management with respect to its evaluation and assessment of internal control over financial reporting. The guidance will be scalable and responsive to individual circumstances, according to the SEC. Among the questions the SEC posed is whether additional guidance would be useful on how management should evaluate the effectiveness of internal control over financial reporting and whether the guidance would be useful for all reporting companies or only a subgroup of companies. For instance, the SEC is interested in whether there are special issues that apply to foreign private issuers that it should consider in developing guidance for management.

The SEC also asked for input on the appropriate role of outside auditors in connection with management's assessment and the manner in which the auditors should provide the required attestation. If there are alternative approaches, the SEC asked what they are and if they would provide similar benefits at a lower cost.

The SEC has received feedback suggesting that, in implementing section 404, many companies did not efficiently and effectively identify the risks to reliable financial reporting and relevant internal control functions which led to the identification, documentation and testing of an excessive number of controls. One cause was attributed to the overly conservative application of AS2 by auditors. The SEC proposes to issue additional guidance to management on identifying the controls to address the recognized risks, such as materiality considerations, multi-location issues and the concept of key controls.

COSO yesterday released its guidance for smaller public companies. The SEC is seeking views on whether COSO's guidance will adequately assist companies that have not yet complied with section 404 to efficiently and effectively conduct a risk assessment and identify the controls that will address those risks. If specific entity-level controls such as GAAP expertise and the role of the audit committee should be addressed, the SEC asked whether these issues are different for larger companies than for smaller companies.

The SEC advised that it continues to hear that management has difficulty applying a top-down, risk-based approach in its assessments. In addition to testing, the SEC noted that a key part of the assessment process is the evaluation of control deficiencies that are discovered. The SEC has also heard that companies are having difficulty assessing the impact of information technology processes. Controls that are not related to internal control over financial reporting should not be included in the assessment, according to the SEC.

The SEC noted that it would not be practical to provide a list of general IT controls that should be included in management's assessment. However, the SEC is interested in views on whether specific areas related to IT need additional guidance. The SEC believes that guidance on the evaluation process, along with revisions to AS2, may help reduce or eliminate the excessive testing of internal controls by improving the focus on risk and a better use of entity-level controls. The SEC asked if guidance would be helpful with respect to the definitions of "material weakness" and "significant deficiency."

The SEC has heard many complaints about excessive documentation demands, especially in relation to the costs that documentation may impose on smaller public companies. The SEC will likely provide additional guidance on the appropriate and required levels of documentation needed to support management's assertion on the effectiveness of internal controls. The SEC will attempt to determine what guidance is needed about the form, nature and extent of documentation and whether certain factors should be taken into account in making judgments about the nature and extent of documentation.

The SEC invited comment on any additional topics that are not addressed in its concept release and asked that commenters provide empirical data or other information to support or illustrate their views