Four years after the Securities and Exchange Commission first adopted rules to implement Section 404 of the Sarbanes-Oxley Act, Corporate America finally has what it wanted: guidance on how to assess and report on their internal controls over financial reporting as required by those rules.

The SEC published its interpretive guidance and related rule amendments last week. The full text of the 77-page management guidance, approved on May 23, was posted June 20 to the SEC’s Web site and takes effect upon publication in the Federal Register, which should happen shortly.

Exactly what effect, if any, the guidance will ultimately have for issuers struggling with high SOX compliance costs won’t be known until it’s tested in the market.

The SEC and Public Company Accounting Oversight Board “really tried to coordinate their efforts this time,” says James Hamilton, principal analyst at Wolters Kluwer Law & Business. Still, he adds, “Only time will tell how well they’ve succeeded.”

Hamilton says the “broad themes haven’t changed” from the proposed guidance that came out late last year. “It’s about taking a risk-based, principles-based approach,” he says. “It all flows from that.”

Jonathan Marks, a partner with the auditing firm Crowe Chizek & Co., says the SEC guidance could reduce or eliminate unnecessary procedures “if companies understand what is actually required.”

“But unless they know and understand how to apply a top-down, risk-based approach, assess entity-level controls, and understand materiality, they’re going to be in the same situation everyone else was in three years ago,” he adds.

Regardless, says Herb Wander, former chairman of the SEC Advisory Committee on Smaller Public Companies, “Management now has something they can point to, whereas in the past, the accounting firms had all the cards. That’s a big difference.”

But the Commission isn’t done with its Section 404 rulemaking saga quite yet. The agency is still seeking public comment on Auditing Standard No. 5, released by the PCAOB last month as guidance for auditors reviewing companies’ internal controls; AS5 still needs approval from the SEC before it goes into effect. The Commission has also asked for comment on its proposed definition of the term “significant deficiency.”

As Compliance Week has previously reported, the SEC posted notice on June 7 seeking input on seven questions related to AS5. A week later, the agency posted yet another notice seeking additional comment on the audit standard. Comments are due by July 12. The SEC has said it will act on the proposed standard by July 27.

THE GUIDANCE

Below is a brief excerpt of the SEC guidance on Section 404 compliance, from a section titled, "Identifying Financial Reporting Risks."

Management should identify those risks of misstatement that could, individually or in combination with others, result in a material misstatement of the financial statements (“financial reporting risks”). Ordinarily, the identification of financial reporting risks begins with evaluating how the requirements of GAAP apply to the company’s business, operations and transactions. Management must provide investors with financial statements that fairly present the company’s financial position, results of operations and cash flows in accordance with GAAP. A lack of fair presentation arises when one or more financial statement amounts or disclosures (“financial reporting elements”) contain misstatements (including omissions) that are material.

Management uses its knowledge and understanding of the business, and its organization, operations, and processes, to consider the sources and potential likelihood of misstatements in financial reporting elements. Internal and external risk factors that impact the business, including the nature and extent of any changes in those risks, may give rise to a risk of misstatement. Risks of misstatement may also arise from sources such as the initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements. Management may find it useful to consider “what could go wrong” within a financial reporting element in order to identify the sources and the potential likelihood of misstatements and identify those that could result in a material misstatement of the financial statements.

The methods and procedures for identifying financial reporting risks will vary based on the characteristics of the company. These characteristics include, among others, the size, complexity, and organizational structure of the company and its processes and financial reporting environment, as well as the control framework used by management. For example, to identify financial reporting risks in a larger business or a complex business process, management’s methods and procedures may involve a variety of company personnel, including those with specialized knowledge. These individuals, collectively, may be necessary to have a sufficient understanding of GAAP, the underlying business transactions and the process activities, including the role of computer technology, that are required to initiate, authorize, record and process transactions. In contrast, in a small company that operates on a centralized basis with less complex business processes and with little change in the risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.

Management’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity (for example, fraudulent financial reporting, misappropriation of assets and corruption), and whether any such exposure could result in a material misstatement of the financial statements. The extent of activities required for the evaluation of fraud risks is commensurate with the size and complexity of the company’s operations and financial reporting environment.

Management should recognize that the risk of material misstatement due to fraud ordinarily exists in any organization, regardless of size or type, and it may vary by specific location or segment and by individual financial reporting element. For example, one type of fraud risk that has resulted in fraudulent financial reporting in companies of all sizes and types is the risk of improper override of internal controls in the financial reporting process. While the identification of a fraud risk is not necessarily an indication that a fraud has occurred, the absence of an identified fraud is not an indication that no fraud risks exist. Rather, these risk assessments are used in evaluating whether adequate controls have been implemented.

Source: SEC (June 20, 2007)

The SEC also published a proposing release regarding the definition of a “significant deficiency.” While it sought comment on both “significant deficiency” and “material weakness” in its July 2006 concept release, so far the Commission has adopted a definition only for “material weakness.”

The SEC proposal would define a significant deficiency as “a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant’s financial reporting”—which is the same definition that appears in AS5. The release asks for input on five questions related to the definition, including its effect on smaller public companies. Comments are due July 23.

Getting Into Guidance Details

Meanwhile, corporate executives are free to pore over the management guidance, which explains how to vary evaluation approaches for gathering evidence based on risk assessments; the use of “daily interaction,” self-assessment and other monitoring activities as evidence in the evaluation; and the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment.

The SEC says it also provides management “significant flexibility” in making judgments on what constitutes adequate evidence in low-risk areas and allows for management and the auditor to have different testing approaches.

Referring to a statement in the text that says the guidance “promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement of its financial statements,” Marks says: “It’s like trying to hit a golf ball that is buried in the green side bunker with a driver instead of a wedge. You need the right club and a solid understanding of the game to be successful.”

Marks, who calls the guidance “a step in the right direction,” says he expects it to “evolve over time, much like all major acts.”

Currently, non-accelerated filers—those with a market capitalization of $75 million or less—are scheduled to comply with the management attestation requirement of Section 404 for fiscal years that end on or after Dec. 15, 2007, and with the auditor attestation requirement one year later.

There’s been a renewed push in recent weeks from committees in both chambers of Congress for the SEC to grant small companies additional time to comply, so management and outside auditors can digest the new guidance and the new auditing standard.

In addition, Rep. Scott Garrett, R-N.J., on June 14 introduced H.R. 2727, a bill to extend by one year the Section 404 compliance deadline for non-accelerated filers. Leaders of the SEC and PCAOB, however, have said they don’t plan any further postponements unless AS5 isn’t approved as expected.

The guidance, which stresses a top-down, risk-based approach, is organized around two broad principles: First, management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. Second, management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.

The final guidance also clarifies that fraud risks are expected to exist at every company and that the nature and extent of the fraud risk assessment activities should be commensurate with the size and complexity of the company.

The SEC amended its rules to clarify that a management evaluation of internal controls done in accordance with its guidance will satisfy Section 404. The SEC has repeatedly said, however, that the guidance is voluntary, and that companies that have already complied with Section 404 don’t need to change their procedures unless they choose to do so.

In addition, the rules now require only one opinion in the auditor’s attestation on effectiveness of internal controls over financial reporting, eliminating a current requirement for separate auditor opinion on management’s assessment process.