On May 27, 2003, the SEC voted to adopt rules concerning management's report on "internal control over financial reporting" and certification of disclosures in Exchange Act periodic reports.

Key components of the rule are listed below:

Basic Concepts

Section 404 of Sarbanes-Oxley mandated that the SEC adopt rules requiring companies to disclose in annual reports two key items:

A statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

Management's assessment of the effectiveness of the company's internal control structure and procedures for financial reporting.

Section 404 also required that every public company's auditor would need to report on — and attest to — management's assessment of the effectiveness of those controls. The auditor's assessment would be done in accordance with standards to be established by the Public Company Accounting Oversight Board.

Management's "Internal Control Report"

Under the final rules, management's annual internal control report will have to contain the following:

A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;

A statement identifying the framework used by management to evaluate the effectiveness of this internal control;

Management's assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year; and

A statement that its auditor has issued an attestation report on management's assessment.

Disclosure of Weaknesses

Management must also disclose any "material weakness" in their internal controls.

The SEC has stated that a company "will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in such control."

Furthermore, the framework on which management's evaluation is based will have to be a "suitable, recognized control framework" (e.g., COSO) that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

Internal Control Over Financial Reporting

According to the new rules, "internal control over financial reporting" is defined as a process that provides reasonable assurance regarding the reliability of financial reporting in accordance with GAAP.

The process must be designed or supervised by the company's CEO and CFO (or persons performing similar functions), and must be "effected by the registrant's board of directors, management and other personnel."

The process must include policies and procedures that:

Pertain to the maintenance of records that "in reasonable detail" accurately and fairly reflect the transactions and dispositions of the company's assets;

Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP;

Provide reasonable assurance that receipts and expenditures are being made only in accordance with authorizations of management and directors; and

Provide reasonable assurance regarding prevention or timely detection of unauthorized use of assets that could have a material effect on financial statements.

Quarterly Evaluations

Companies will need to perform quarterly evaluations of changes that have materially affected — or are likely to materially affect — the company's internal control over financial reporting.

Compliance Dates

Compliance with the rules will be required as follows:

Accelerated Filers — Companies meeting the definition of "accelerated filers" (generally, firms with market caps exceeding $75 million) will be required to comply with the new requirements for fiscal years ending on or after Nov. 15, 2004 (original compliance date was June 15, 2004);

Small Firms, Foreign Issuers — All other issuers, including small business issuers and foreign private issuers, will be required to comply for their fiscal years ending on or after April 15, 2005.

A company must begin to comply with the requirements regarding evaluation of any "material change" to its internal control over financial reporting in its first periodic report due after the first annual report required to include a management report on internal control over financial reporting. Companies may voluntarily comply with the new disclosure requirements before the compliance dates.

Certifications

Section 302 and 906 certifications will need to be filed as exhibits to the periodic reports to which they relate.

Furthermore, companies will be able to "furnish" rather than "file" the 906 certifications, which means they "will not be subject to liability under Section 18 of the Exchange Act."

These exhibit requirements will become effective sixty days after their publication in the Federal Register.

Questions?

The Commission has listed the following individuals as contacts for further information:

N. Sean Harrison, Special Counsel, Division of Corporation Finance, (202) 942-2910

Andrew D. Thorpe, Special Counsel, Division of Corporation Finance, (202) 942-2910

If you have questions regarding attestation and auditing issues, the Commission recommends contacting any of the following individuals in the Office of the Chief Accountant:

Edmund Bailey, Assistant Chief Accountant, (202) 942-4400

Randolph P. Green, Professional Accounting Fellow, (202) 942-4400

Paul Munter, Academic Accounting Fellow, (202) 942-4400

NOTE: Please note that this is a summary of a proposed SEC rule, and should not be construed to be a complete or final rule, nor should it be construed to be legal guidance. Please refer to the SEC's Web site for updated and final rule information.