Mixed Reactions On Final 404 Guidance

While the unveiling of the Securities and Exchange Commission’s final management guidance on evaluating and assessing internal control over financial reporting held few surprises, observers had mixed reactions to some of the revisions, particularly the decision not to extend the filing deadline for non-accelerated filers.

As expected, the SEC voted last week to approve the guidance with few changes from its December proposal, beyond clarifications and revisions to better align it with the related auditing standard from the Public Company Accounting Oversight Board. While most observers said they’d reserve judgment on the changes until the text of the guidance and rule amendments becomes available in coming weeks, views were mixed on the decision not to grant smaller companies an additional delay.

Under the current deadline, those companies will comply with the management requirements beginning with fiscal years ending on or after Dec. 15, 2007, and with the external auditor provisions for their fiscal year ended on or after Dec.15, 2008. For calendar-year companies, those reports are due in March of 2008 and 2009, respectively.

During last week’s meeting, SEC staffer Zoe-Vonna Palmrose said: “We think the guidance is doable and doable in 2007 for companies of all sizes … They essentially have the information they need to go forward.”

Roper

Some, such as Barbara Roper, director of investor protection at the Consumer Federation of America, called the decision not to seek further delay “a positive one.” Others, including Senators John Kerry, D-Mass., and Olympia Snowe, R-Maine, chair and ranking member respectively of the Committee on Small Business and Entrepreneurship, were “disappointed” the SEC didn’t grant an extension.

The senators twice this year wrote the SEC to request that smaller companies get more time. In a statement, Kerry said smaller companies “need more time to fully digest and execute the changes,” while Snowe noted that the SEC “has provided no assurances that the new internal controls rules will actually reduce costs for small public companies” because they haven’t yet completed the required Regulatory Flexibility Act review of the rule.

DeLoach

The compliance date of Dec. 15, 2007, has been in place since last year, so smaller companies should already have been preparing and shouldn’t have much difficulty with the deadline, says Jim DeLoach, managing director at consulting firm Protiviti.

“Companies that have waited until last minute will have significant challenges with this, but if they’ve done the preparatory work like they should, they should have no problem,” DeLoach says.

Still, Commissioner Paul Atkins noted that the SEC could reverse course if it deemed a further delay necessary, and said the SEC should “play it by ear.”

Hinchman

Noting that “the devil is always in the details,” Grace Hinchman, spokeswoman for Financial Executives International, said that generally FEI is “very supportive of what we heard at the SEC meeting” and is “confident” that the SEC responded to calls by FEI and others to better align the guidance with the Public Company Accounting Oversight Board. The SEC actions came a day before the PCAOB adopted a new standard for accounting firms on auditing internal control over financial reporting. Still, like most observers, Hinchman said the group would reserve further judgment “until we read what they ruled on.”

Palmrose said the regulators worked to get their respective proposals in step, and both will use the same terminology and definitions. However, she said, some differences will remain, reflecting the fact that “management and auditors have different roles and responsibilities” related to internal controls.

Jeff Mahoney, general counsel for the Council of Institutional Investors, said the final guidance “is largely responsive” to its recommendations. With the approval by the SEC and the revised PCAOB auditing standard, “the Council believes that all public companies including non-accelerated filers should begin fulfilling their responsibilities to investors and other market participants by complying with the requirements of Section 404.”

Investor Protection?

Still, Roper—who was highly critical of the proposed guidance—argues that the actions taken last week won’t do much to protect investors. Despite use of the frequent use of the term “investor protection” in discussions of the guidance, Roper says such protections are “essentially non-existent.”

Rather, she says the drive to make the compliance process more efficient has been dictated by corporate interests and that complaints from companies have driven the SEC to focus on reducing costs.

Roper says the management assessments under 404 thus far have shown “remarkable ineffectiveness at providing investors information about material weaknesses in internal controls.”

“Almost all of the information that has been brought to light about those weaknesses has come not from management, but from the independent auditors,” she says. “We should see what we can do to produce management assessments that identify a material weakness before the auditor does once in a while.”

The guidance will be issued as a stand-alone release; exact rule amendments will be issued separately. John White, the Commission’s Division of Corporation Finance director, said the SEC wanted to issue interpretive guidance so it can update or modify the material as necessary in the future.

The SEC also approved a rule change to make clear that a management evaluation of internal controls done in accordance with the Commission guidance will satisfy Section 404. White, however, reiterated that larger companies—which have complied with Section 404 for three years—do not need to change their procedures “unless they choose to do so.”

Another amendment will require a single opinion in the auditor’s attestation on effectiveness of internal controls over financial reporting, eliminating a current requirement for a separate opinion on management’s assessment.

While it voted to adopt the definition of the term “material weakness” substantially as proposed, the SEC voted to publish a separate release seeking comment on a proposed definition of “significant deficiency,” which doesn’t include a probability threshold.

The SEC’s Palmrose said the Commission included the definitions in its rules so management won’t need the PCAOB’s auditing standard to define those terms, eliminating a source of some complaints from companies.

Other revisions include clarification on the role of entity-level controls and the nature of on-going monitoring activities in relation to management’s evaluation, and enhanced guidance on fraud risk considerations.

Noting that the SEC “turned the volume up on fraud,” DeLoach calls the added guidance on fraudulent financial reporting “spot on.”

The guidance emphasizes management’s responsibility to identify and evaluate fraud risks and the related controls that address such risks. Palmrose said the risk of management override, particularly in the period-end financial reporting process, is “something that virtually every company needs to consider,” and added that companies of all sizes should take steps to manage that risk with effective control systems.

One thing the guidance will not include: illustrative examples, something requested by a number of commenters. Palmrose said including such examples “would likely have the negative unintended consequence of establishing bright-line, or one-size-fits-all evaluation approaches. We’ve seen that an overly prescriptive set of rules can lead to inefficiencies, and we want to avoid ending up with evaluations that are more concerned with form than substance.”