(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

Deputy Chief Accountant Addresses Internal Control Issues

Scott A. Taub, the SEC's deputy chief accountant, discussed the agency's new internal controls rules at the SEC and Financial Reporting Conference conducted by the University of Southern California's Leventhal School of Accounting in Pasadena, California. According to the deputy chief accountant," the potential impact of the requirements for both management and auditors to issue reports related to issuers' internal controls cannot be understated."

The Commission adopted the internal control rules pursuant to Section 404 of the Sarbanes-Oxley Act. This section required the SEC to adopt rules requiring each annual report filed by a company, other than a registered investment company, pursuant to Section 13(a) or 15(d) of the Exchange Act to include an internal control report from management containing: 1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and 2) management's assessment, as of the end of the fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404(b) requires the registered public accounting firm that prepares the company's audit report to attest to, and report on, management's assessment of the effectiveness of the company's internal controls in accordance with standards established by the Public Company Accounting Oversight Board.

Mr. Taub stated that the Commission believes "the increased attention to internal controls on the part of the management will reduce the potential for errors in the financial statements, including those due to fraud." The attestation by the auditor will provide additional assurance in this regard, he added, and should also increase the quality of audits.

He noted that while the statute required the SEC to implement rules requiring management to assess the effectiveness of the company's internal controls over financial reporting, Congress did not specify a particular framework for making such an assessment. He described the rules as originally proposed by the SEC as "fairly open-ended" and observed that the rules as proposed "would have allowed management significant latitude in determining an appropriate framework to evaluate its internal controls." In response to commenter concerns, however, the SEC revised the rules to specify that the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. He suggested that the best-known framework that meets that definition is the framework designed by the Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.

He stressed that management must perform some actual testing of their controls. In this area, he suggested that the nature of a company's testing activities will largely depend on the company's circumstances, the type of control involved and the significance of such control to the company's financial reporting. These tests should be accompanied by appropriate supporting documentation, he added.

Mr. Taub also noted that the final rule requires only an annual evaluation of control effectiveness, as compared to the quarterly review originally proposed. The Commission changed the frequency of such required evaluations in response to commenter concerns about the relative costs and benefits of quarterly reviews.

He strongly advised companies to prepare for the internal control evaluation before compliance is mandatory. He observed that the need to document the existing internal controls, consider whether other controls should be added and to design and perform tests of controls can involve significant time and urged all parties "not to take your eye off the ball."

The deputy chief accountant emphasized that public companies have long been required to implement and document a system of internal controls. The new rules add the requirement of management evaluation of and reporting on the effectiveness of those controls. Accordingly, the company cannot forgo the work to evaluate the effectiveness of controls under the theory that the auditors will do it anyway. He observed that the SEC's independence rules would also prohibit the company from relying on its auditors to perform the evaluation of the effectiveness of internal controls.

External auditors are, however, required to attest to management's assertion about the effectiveness of those controls. To do so, Mr. Taub noted, the auditing firm must perform enough work on internal controls to assure itself that: 1) management has designed sufficient controls and put such controls in place; 2) management has performed sufficient testing to evaluate the effectiveness of those controls; and 3) management's conclusion about the effectiveness of those controls is appropriate.

He concluded by stating that the new rules "should do a lot of great things." According to Mr. Taub, the rules "will cause improvements to internal control structures, strengthen audits, provide important information to investors and reduce the chances of material financial statement errors and irregularities." He emphasized, however, that while the rules are a positive step, they will not eliminate financial fraud because the Commission cannot "legislate ethics."