(The news featured
below is a selection from the news covered in Federal Securities Law Reporter,
which is distributed to subscribers of Federal
Securities Law Reporter.)
Commission Seeks Input on Section 404, Internal Control
The SEC issued a comment release regarding the issuance of
additional guidance for management on its assessment of the effectiveness of
internal control over financial reporting. The Commission seeks comments on
several topics, including 1) the identification of risks to financial statement
accounting and disclosure accuracy and the related internal controls that
address the risks, 2) the objectives of the evaluation procedures and methods or
approaches available to management to gather evidence to support its assessment,
3) the factors management should consider to determine the nature, timing, and
extent of its evaluation procedures and 4) documentation requirements, including
overall objectives of the documentation and factors that might influence
documentation requirements.
The SEC requires management to base its assessment of
internal control over financial reporting on a suitable evaluation framework.
The SEC did not mandate a particular framework, but identified the integrated
framework developed by the Committee of Sponsoring Organizations of the Treadway
Commission as one example of a suitable framework. The SEC advised that any
additional management guidance that it issues is not intended to replace or
modify the COSO framework or any other suitable framework.
The SEC is seeking the public's views on additional
guidance for management with respect to its evaluation and assessment of
internal control over financial reporting. The guidance will be scalable and
responsive to individual circumstances, according to the SEC. Among the
questions the SEC posed is whether additional guidance would be useful on how
management should evaluate the effectiveness of internal control over financial
reporting and whether the guidance would be useful for all reporting companies
or only a subgroup of companies. For instance, the SEC is interested in whether
there are special issues that apply to foreign private issuers that it should
consider in developing guidance for management.
The SEC also asked for input on the appropriate role of
outside auditors in connection with management's assessment and the manner in
which the auditors should provide the required attestation. If there are
alternative approaches, the SEC asked what they are and if they would provide
similar benefits at a lower cost.
The SEC has received feedback suggesting that, in
implementing Section 404, many companies did not efficiently and effectively
identify the risks to reliable financial reporting and relevant internal control
functions which led to the identification, documentation and testing of an
excessive number of controls. One cause was attributed to the overly
conservative application of the Public Company Accounting Oversight Board's
Auditing Standard No. 2 by auditors. The SEC proposes to issue additional
guidance to management on identifying the controls to address the recognized
risks, such as materiality considerations, multi-location issues and the concept
of key controls.
COSO also released its guidance for smaller public
companies. The SEC is seeking views on whether COSO's guidance will adequately
assist companies that have not yet complied with Section 404 to efficiently and
effectively conduct a risk assessment and identify the controls that will
address those risks. If specific entity-level controls such as GAAP expertise
and the role of the audit committee should be addressed, the SEC asked whether
these issues are different for larger companies than for smaller companies.
The SEC advised that it continues to hear that management
has difficulty applying a top-down, risk-based approach in its assessments. In
addition to testing, the SEC noted that a key part of the assessment process is
the evaluation of control deficiencies that are discovered. The SEC has also
heard that companies are having difficulty assessing the impact of information
technology processes. Controls that are not related to internal control over
financial reporting should not be included in the assessment, according to the
SEC.
The SEC noted that it would not be practical to provide a
list of general information technology controls that should be included in
management's assessment. However, the SEC is interested in views on whether
specific areas related to information technology need additional guidance. The
SEC believes that guidance on the evaluation process, along with revisions to
Auditing Standard No. 2, may help reduce or eliminate the excessive testing of
internal controls by improving the focus on risk and a better use of
entity-level controls. The SEC asked if guidance would be helpful with respect
to the definitions of "material weakness" and "significant
deficiency."
The SEC has heard many complaints about excessive
documentation demands, especially in relation to the costs that documentation
may impose on smaller public companies. The SEC will likely provide additional
guidance on the appropriate and required levels of documentation needed to
support management's assertion on the effectiveness of internal controls. The
SEC will attempt to determine what guidance is needed about the form, nature and
extent of documentation and whether certain factors should be taken into account
in making judgments about the nature and extent of documentation.
The SEC invited comment on any additional topics that
are not addressed in its concept release and asked that commenters provide
empirical data or other information to support or illustrate their views.
|