(The news featured below is a selection from the news covered in Federal Securities Law Reporter, which is distributed to subscribers of Federal Securities Law Reporter.)

Commission Seeks Input on Section 404, Internal Control

The SEC issued a comment release regarding the issuance of additional guidance for management on its assessment of the effectiveness of internal control over financial reporting. The Commission seeks comments on several topics, including 1) the identification of risks to financial statement accounting and disclosure accuracy and the related internal controls that address the risks, 2) the objectives of the evaluation procedures and methods or approaches available to management to gather evidence to support its assessment, 3) the factors management should consider to determine the nature, timing, and extent of its evaluation procedures and 4) documentation requirements, including overall objectives of the documentation and factors that might influence documentation requirements.

The SEC requires management to base its assessment of internal control over financial reporting on a suitable evaluation framework. The SEC did not mandate a particular framework, but identified the integrated framework developed by the Committee of Sponsoring Organizations of the Treadway Commission as one example of a suitable framework. The SEC advised that any additional management guidance that it issues is not intended to replace or modify the COSO framework or any other suitable framework.

The SEC is seeking the public's views on additional guidance for management with respect to its evaluation and assessment of internal control over financial reporting. The guidance will be scalable and responsive to individual circumstances, according to the SEC. Among the questions the SEC posed is whether additional guidance would be useful on how management should evaluate the effectiveness of internal control over financial reporting and whether the guidance would be useful for all reporting companies or only a subgroup of companies. For instance, the SEC is interested in whether there are special issues that apply to foreign private issuers that it should consider in developing guidance for management.

The SEC also asked for input on the appropriate role of outside auditors in connection with management's assessment and the manner in which the auditors should provide the required attestation. If there are alternative approaches, the SEC asked what they are and if they would provide similar benefits at a lower cost.

The SEC has received feedback suggesting that, in implementing Section 404, many companies did not efficiently and effectively identify the risks to reliable financial reporting and relevant internal control functions which led to the identification, documentation and testing of an excessive number of controls. One cause was attributed to the overly conservative application of the Public Company Accounting Oversight Board's Auditing Standard No. 2 by auditors. The SEC proposes to issue additional guidance to management on identifying the controls to address the recognized risks, such as materiality considerations, multi-location issues and the concept of key controls.

COSO also released its guidance for smaller public companies. The SEC is seeking views on whether COSO's guidance will adequately assist companies that have not yet complied with Section 404 to efficiently and effectively conduct a risk assessment and identify the controls that will address those risks. If specific entity-level controls such as GAAP expertise and the role of the audit committee should be addressed, the SEC asked whether these issues are different for larger companies than for smaller companies.

The SEC advised that it continues to hear that management has difficulty applying a top-down, risk-based approach in its assessments. In addition to testing, the SEC noted that a key part of the assessment process is the evaluation of control deficiencies that are discovered. The SEC has also heard that companies are having difficulty assessing the impact of information technology processes. Controls that are not related to internal control over financial reporting should not be included in the assessment, according to the SEC.

The SEC noted that it would not be practical to provide a list of general information technology controls that should be included in management's assessment. However, the SEC is interested in views on whether specific areas related to information technology need additional guidance. The SEC believes that guidance on the evaluation process, along with revisions to Auditing Standard No. 2, may help reduce or eliminate the excessive testing of internal controls by improving the focus on risk and a better use of entity-level controls. The SEC asked if guidance would be helpful with respect to the definitions of "material weakness" and "significant deficiency."

The SEC has heard many complaints about excessive documentation demands, especially in relation to the costs that documentation may impose on smaller public companies. The SEC will likely provide additional guidance on the appropriate and required levels of documentation needed to support management's assertion on the effectiveness of internal controls. The SEC will attempt to determine what guidance is needed about the form, nature and extent of documentation and whether certain factors should be taken into account in making judgments about the nature and extent of documentation.

The SEC invited comment on any additional topics that are not addressed in its concept release and asked that commenters provide empirical data or other information to support or illustrate their views.