Login | Store | Training | Contact Us  
 Latest News 
 Securities- Federal and State 
 Exchanges 
 Software/Tools 

   Home
    

(The news featured below is a selection from the news covered in SEC Today, which is distributed to subscribers of SEC Today.)

SEC Provides Guidance on Management's Internal Control Reporting

In the wake of a recent roundtable on the experience of company management in complying with the requirement that they annually report on the effectiveness of corporate internal control over financial reporting, the SEC staff has offered guidance on issues raised in the implementation of the reporting mandate of Sarbanes-Oxley section 404. In a separate statement, the Commission said that an overarching principle of the staff's guidance is the responsibility of management to determine the form and level of controls appropriate for each company and to scope their assessment and testing accordingly.

The SEC emphasized that accounting firms should be aware that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of section 404. The staff guidance is designed to complement the guidance that the PCAOB has simultaneously provided with respect to the application of its Auditing Standard No. 2 on internal control audits.

The SEC staff advised management not to let process overshadow the purpose of internal control reporting, which is to ensure accurate financial statements. The staff also reminded that, while management must assess if the internal controls give reasonable assurance on the reliability of the financial statements, reasonable assurance does not mean absolute assurance. In making this assessment, the staff assured management that there is a zone of reasonable conduct. While that zone is not unlimited, the staff expects that it will be rare when there is only one acceptable choice in implementing section 404 in any given situation.

The staff emphasized that the assessment of internal controls must not become a mechanistic, check-the-box exercise. The SEC endorses a risk-based assessment under which resources are devoted to the areas of greatest risk most likely to have a material impact on the company's financial statements. This top-down approach will require management to apply its cumulative knowledge and judgment to the areas that present significant risk that the financial statements could be materially misstated, and then identify relevant controls and design appropriate procedures for documentation and testing of those controls.

In determining the scope of the internal control assessment, the staff advised management to consider both qualitative and quantitative factors. Qualitative factors include the risk associated with the various accounts and their related processes. As for the quantitative factors, the staff said management can establish thresholds to be used in identifying significant accounts subject to the scope of internal control testing. While the use of a percentage as a minimum threshold may provide a reasonable starting point for evaluating the significance of an account, the staff cautioned management to use good judgment, including qualitative factors, to determine if amounts above or below that threshold must be evaluated.

Although the SEC rules and section 404 require that management and auditor reports must be as of year-end, this does not mean that all testing must be done within the period immediately surrounding the year-end close. In fact, the staff believes that effective testing and assessment can and should be accomplished over a longer period of time.

Similar to the scope of the assessment, qualitative and quantitative factors should be used in evaluating the deficiencies in internal controls. For example, in doing a qualitative analysis, management should factor in the nature of the deficiency, its cause, the relevant financial statement assertion the control was designed to support, its effect on the broader control environment, and whether compensating controls are effective.

According to the staff, neither section 404 nor the SEC rules require that a material weakness in internal controls be found to exist in every case of restatement resulting from an error. Both management and the external auditor should use their judgment in assessing the reasons why a restatement was necessary and whether the need for the restatement resulted from a material weakness in controls. Such an evaluation should be based on all the facts and circumstances, including the probability of occurrence in light of the assessed effectiveness of the internal controls.

In the staff's view, the disclosure about material weakness should include the nature of the weakness, its impact on financial reporting and the control environment, and management's plans for remediating the weakness. Since there are many different types of material weaknesses, the staff strongly encouraged disclosure that would help investors assess the potential impact of each particular material weakness. The disclosure should differentiate the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on internal controls from those that do not. According to the staff, management's main goal in this exercise should be to provide investors with enough information so that they can treat the disclosure of the existence of a material weakness as the starting point for analysis rather than the only point available.

The SEC has received feedback indicating that an unintended consequence of section 404 and the PCAOB's Auditing Standard No. 2 is a chilling impact on communication between independent auditors and their client company management. The staff assured that a dialogue between the external auditor and management on accounting and financial reporting issues does not violate the SEC's auditor independence principles so long as management alone makes the final determination on the accounting treatment used and the auditor does not design accounting policies.

Management can provide its external auditor with draft financial statements, including drafts that may be incomplete in certain respects. In the staff's view, errors in draft financial statements in and of themselves should not be the basis for the determination by a company or an auditor of a deficiency in internal control over financial reporting. As with all cases of identifying deficiencies, management and auditors should determine whether a deficiency exists in the processes of financial statement preparation, the staff advised, and that identification is independent of whether an error exists in draft financial statements and who found it.

In establishing the scope of its information technology assessment, the staff urged management to apply reasonable judgment and to consider how the IT systems it chooses to employ impact the company's internal controls. Since section 404 does not embody a one-size-fits-all approach, the staff was unable to provide a list of the exact general IT controls that should be included in an internal control assessment. The staff advised, however, that management does not have to assess all general IT controls, and especially not those that primarily pertain to the effectiveness of the operations of the organization but are not relevant to financial reporting.

      
   
 

   ©2001-2024 CCH Incorporated or its affiliates 		Print this Page | About Us | Privacy Policy | Site Map