SEC, PCAOB Provide More Guidance On Internal Controls

Last week, the Securities and Exchange Commission and the Public Company Accounting Oversight Board provided additional guidance on internal control over financial reporting in the form of "frequently asked questions."

The PCAOB's 10-page FAQ covers a variety of issues, from the extent and scope of testing required by auditors, to the evaluation of deficiencies. The FAQ also provides a variety of examples to help illustrate certain scenarios.

The SEC's guidance comes in the form of a "revised" FAQ, addressing 23 questions on a variety of topics including

controls at consolidated entities and small business issues.

Regarding mergers, the Commission staff writes that it would typically expect management's report to cover controls at all consolidated entities; however, the staff acknowledges that that's not always possible. "In such instances," writes the staff, "we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting." If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Additional conditions apply as well.

The FAQ also confirms other guidance that management can not qualify conclusions, ostensibly saying that the internal controls are effective subject to certain qualifications or exceptions. "Management may not state that the registrant’s controls and procedures are effective except to the extent that certain problems have been identified or express similar qualified conclusions," states the FAQ. Rather, management must take those problems into account when concluding whether the controls are effective.

The FAQ also addresses the issue of deficiency disclosures. Companies must identify and disclose all material weaknesses, but they are not obligated to disclose the existence of a significant deficiency. However, the SEC staff clarify that if management identifies a significant deficiency that, when combined with other significant deficiencies, is determined to be a material weakness, then "management must disclose the material weakness and, to the extent material to an understanding of the disclosure, the nature of the significant deficiencies."

In addition, the Commission clarifies that it will apply the PCAOB's revised definitions of “significant deficiency” and “material weakness.”

Regarding small companies, the SEC staff stopped short of stating that it would proposed unique rules or guidance for small business issuers, noting that SOX 404 "does not distinguish between large and small issuers." Instead, the FAQ pushed the responsibility over to organizations COSO, stating it would support efforts to develop an internal control framework specifically for smaller issuers.

And what happens if management is unable to assess certain aspects of their internal control over financial reporting, like controls at an outsourced service provider? The answer is basically, "too bad." The FAQ clarifies that "the disclosure requirement does not permit management to issue a report on internal control over financial reporting with a scope limitation."

That means that management must determine whether the inability to assess those controls is significant enough to conclude in their internal control report is not effective. "Further," notes the FAQ, "management is precluded from concluding that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the internal control over financial reporting."

Downloadable versions of the FAQs, as well as related regulatory contacts and resources, are available from the box above, right.