(The news
featured below is a selection from the news covered in the Federal Securities
Report Letter, which is distributed to subscribers of the Federal
Securities Law Reports.)
Deputy Chief Accountant
Addresses Internal Control Issues
Scott A. Taub, the SEC's deputy
chief accountant, discussed the agency's new internal controls rules at the SEC
and Financial Reporting Conference conducted by the University of Southern
California's Leventhal School of Accounting in Pasadena, California. According
to the deputy chief accountant," the potential impact of the requirements
for both management and auditors to issue reports related to issuers' internal
controls cannot be understated."
The Commission adopted the
internal control rules pursuant to Section 404 of the Sarbanes-Oxley Act. This
section required the SEC to adopt rules requiring each annual report filed by a
company, other than a registered investment company, pursuant to Section 13(a)
or 15(d) of the Exchange Act to include an internal control report from
management containing: 1) a statement of management's responsibility for
establishing and maintaining an adequate internal control structure and
procedures for financial reporting; and 2) management's assessment, as of the
end of the fiscal year, of the effectiveness of the company's internal control
structure and procedures for financial reporting. Section 404(b) requires the
registered public accounting firm that prepares the company's audit report to
attest to, and report on, management's assessment of the effectiveness of the
company's internal controls in accordance with standards established by the
Public Company Accounting Oversight Board.
Mr. Taub stated that the
Commission believes "the increased attention to internal controls on the
part of the management will reduce the potential for errors in the financial
statements, including those due to fraud." The attestation by the auditor
will provide additional assurance in this regard, he added, and should also
increase the quality of audits.
He noted that while the statute
required the SEC to implement rules requiring management to assess the
effectiveness of the company's internal controls over financial reporting,
Congress did not specify a particular framework for making such an assessment.
He described the rules as originally proposed by the SEC as "fairly
open-ended" and observed that the rules as proposed "would have
allowed management significant latitude in determining an appropriate framework
to evaluate its internal controls." In response to commenter concerns,
however, the SEC revised the rules to specify that the framework on which
management's assessment of the issuer's internal control over financial
reporting is based must be a suitable, recognized control framework that is
established by a body or group that has followed due-process procedures,
including the distribution of the framework for public comment. He suggested
that the best-known framework that meets that definition is the framework
designed by the Committee of Sponsoring Organizations of the Treadway
Commission, otherwise known as the COSO report, which was published in 1992.
He stressed that management must
perform some actual testing of their controls. In this area, he suggested that
the nature of a company's testing activities will largely depend on the
company's circumstances, the type of control involved and the significance of
such control to the company's financial reporting. These tests should be
accompanied by appropriate supporting documentation, he added.
Mr. Taub also noted that the final
rule requires only an annual evaluation of control effectiveness, as compared to
the quarterly review originally proposed. The Commission changed the frequency
of such required evaluations in response to commenter concerns about the
relative costs and benefits of quarterly reviews.
He strongly advised companies to
prepare for the internal control evaluation before compliance is mandatory. He
observed that the need to document the existing internal controls, consider
whether other controls should be added and to design and perform tests of
controls can involve significant time and urged all parties "not to take
your eye off the ball."
The deputy chief accountant
emphasized that public companies have long been required to implement and
document a system of internal controls. The new rules add the requirement of
management evaluation of and reporting on the effectiveness of those controls.
Accordingly, the company cannot forgo the work to evaluate the effectiveness of
controls under the theory that the auditors will do it anyway. He observed that
the SEC's independence rules would also prohibit the company from relying on its
auditors to perform the evaluation of the effectiveness of internal controls.
External auditors are, however,
required to attest to management's assertion about the effectiveness of those
controls. To do so, Mr. Taub noted, the auditing firm must perform enough work
on internal controls to assure itself that: 1) management has designed
sufficient controls and put such controls in place; 2) management has performed
sufficient testing to evaluate the effectiveness of those controls; and 3)
management's conclusion about the effectiveness of those controls is
appropriate.
He concluded by stating that the
new rules "should do a lot of great things." According to Mr. Taub,
the rules "will cause improvements to internal control structures,
strengthen audits, provide important information to investors and reduce the
chances of material financial statement errors and irregularities." He
emphasized, however, that while the rules are a positive step, they will not
eliminate financial fraud because the Commission cannot "legislate
ethics."
|