Executives anxiously awaiting guidance from the Securities and Exchange Commission on how to assess their internal control over financial reporting will apparently have to wait a while longer.
The SEC did last week issue a concept release, asking for comment on what should be included in whatever guidance it ultimately issues for companies struggling with Section 404 of the Sarbanes-Oxley Act. But the 28-page release runs long on questions—35 of them—and short on answers about what the final guidance might look like.
The concept release comes 11 weeks after a May 10 roundtable on Section 404 hosted by the SEC and Public Company Accounting Oversight Board, where participants said that while Section 404 has produced some benefits, implementation has been painfully expensive. A chief complaint was that executives don’t have any clear advice on what they must do to demonstrate that they have faithfully tried to assess their internal controls.
On May 17, the SEC announced plans to improve the implementation of Section 404. In addition to developing guidance for companies, the SEC pledged to work with the PCAOB on revisions to its internal control auditing standard for auditing firms, to inspect PCAOB efforts to improve Section 404 oversight, and to postpone again the compliance deadline for non-accelerated filers (see related resources and coverage at right). The SEC has said it expects all filers to comply with Section 404’s management assessment requirement starting with fiscal years that begin on or after Dec. 16, 2006.
Issuers have been hoping the SEC would act quickly to issue its promised guidance; in 2005, the SEC and PCAOB held a similar roundtable meeting of financial reporting executives, and issued new guidance just one month later. This time, however, the SEC billed the concept release as “a prelude to forthcoming guidance for management”—portending a long summer of waiting for more details.
Cox
“Our goal is to develop practical guidance for companies to help improve the reliability of financial reporting and to make Section 404 implementation more efficient and cost effective for investors,” SEC Chairman Christopher Cox said in a statement. Public feedback on the concept release, he continued, will help the SEC write “meaningful” guidance for all public companies “for the benefit of all of their shareholders.”
The guidance will cover at least these areas:
Risks—Identifying risks to financial statement account and disclosure accuracy and the related internal controls that address the risks, including how management might use company-level controls to address the risks.
Assessment—Objectives of the evaluation procedures and methods or approaches available to management to gather evidence to support its assessment.
Evaluation—Factors management should consider to determine the nature, timing and extent of its evaluation procedures.
Documentation—Documentation requirements, including overall objectives of the documentation and factors that might influence documentation requirements.
QUESTIONS AND COMMENTS
The Securities and Exchange Commission is actively seeking feedback on the provision of additional internal control guidance, and "to assist the Commission so that any guidance it ultimately develops addresses the needs and concerns of all public companies." Among the questions raised by the SEC in its concept release:
Sample Questions
Should additional guidance be limited to articulation of broad principles or should it be more detailed?
We also seek input on the appropriate role of outside auditors in connection with ... the manner in which outside auditors provide the attestation required by Section 404(b). Should possible alternatives to the current approach be considered and if so, what?
What guidance is needed to help management implement a “top-down, risk-based” approach to identifying risks to reliable financial reporting and the related internal controls?
What type of guidance would help explain how entity-level controls can reduce or eliminate the need for testing at the individual account or transaction level?
What considerations are appropriate to ensure that the guidance is responsive to the special characteristics of entity-level controls and management at smaller public companies?
Is guidance needed to help companies determine which IT general controls should be tested?
Click Here To Submit Comments And Feedback On The SEC's Concept Release (Please Reference File Number S7-11-06)
The SEC also said the guidance will be “sensitive to the fact that many companies have already invested substantial resources” to establish compliance programs in the last several years. And while the SEC expects the guidance to be issued in the form of a rule, the Commission appears to have left the question open, asking in the concept release for comment on whether a rule would be preferable to interpretive guidance.
Dow
Robert Dow, a partner at Arnall Golden Gregory, says he expects the SEC to make additional changes in the implementation of Sarbanes-Oxley. “The SEC will have to do so for micro-caps to have any relief, because I don’t think the new COSO guidance helps them enough on the cost-benefit problem,” he says. COSO also released guidance last week, a framework for small companies to implement and assess internal controls over financial reporting (see related coverage in box above, right).
Herb Wander, co-chair of the SEC’s Advisory Committee on Smaller Public Companies, which recommended in April that the SEC exempt some smaller companies from part or all of Section 404, applauds the SEC for “the thoroughness of their questions.”
“I think they’ve identified the central problem areas,” Wander tells Compliance Week. “The crucial questions that should be asked, have been asked. While a lot of what gets done will depend on feedback they get, I think this is the right way to approach it.”
Wander
Wander also says he favors revising Auditing Standard No. 2 (the PCAOB’s guidance for auditing firms on how to assess internal controls) and the SEC’s related Section 404 rules, rather than issuing more guidance. “We used guidance too much as a crutch,” Wander says; comments and guidance “tend to water things down so no one knows what they’re doing.”
He also notes that based on some decisions, the SEC may have to revise its rules. For example, the concept release poses a question about the appropriate role of the external auditor in connection with the management assessment required by Section 404, and on the manner in which outside auditors provide the required attestation. “If they decide different role, they’ll have to change some rules,” Wander says.
The SEC also noted last week that the feedback it has received indicates that many companies didn’t “efficiently and effectively identify risks to reliable financial reporting and relevant internal control functions” when they tackled Section 404, leading companies to identify and assess far too many controls than necessary. “While there were likely numerous contributing factors to these implementation issues, one cause may have been the overly conservative application of AS No. 2 by auditors in the initial years,” the SEC said.
Comments on the concept release are due 60 days after the date of publication in the Federal Register. For details on how to comment on the guidance, see box at right.
No comments yet