SEC Approves Interpretive Guidance Regarding Management's Evaluation of Internal Controls - Part 1

Jane Storero
June 7, 2007

This is the first section of a 2-part series. Be sure to read the July issue of Lorman Accounting and Tax Update for the remainder of the article.

On May 23, 2007, the Securities and Exchange Commission (the “SEC”) approved interpretive guidance to assist management in planning and performing its annual assessment of internal control over financial reporting (“ICFR”) required by Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”).  This interpretive guidance is intended to serve as one way for management to evaluate ICFR, and sets forth the approach by which management can conduct a top-down, risk-based evaluation of ICFR.  It is intended that such guidance will provide management with certainty that it has satisfied its obligation to conduct an evaluation pursuant to SEC Rules 13a-15(c) and 15d-15(c).  The final guidance and rules described below will become effective 30 days after publication in the Federal Register.

The SEC also amended its rules to provide that an evaluation conducted in accordance with the SEC’s interpretive guidance would satisfy the annual management evaluation required by those rules.  In addition, the SEC amended its accounting rules to clarify that the auditor’s attestation report expresses an opinion on internal controls only.

Since the SEC has not yet released the final release on the interpretive guidance and rule changes, the following discussion relates to the previously released SEC proposal, which is substantially similar to the yet-to-be-released final rule.

The release provides a number of points of clarification and guidance to management related to implementation of the SOX requirements.  The release clarifies that the central purpose of management’s evaluation is to assess whether there is a reasonable possibility of a material misstatement in the financial statements not being prevented or detected on a timely basis by the company’s ICFR.  The SEC states that there is a reasonable possibility of an event when the likelihood of the event is either “reasonably possible” or “probable” as those terms are used in SFAS No. 5, “Accounting for Contingencies.”  The release also provides that management should implement and conduct an evaluation that is sufficient to provide it with a reasonable basis for its annual assessment, using informed judgment in designing an evaluation process that aligns with the operations, financial reporting risks and processes of the company.

Management of foreign private issuers that reconcile their financial statements to US GAAP for purposes of their SEC filings should plan and conduct their evaluations based on their primary financial statements, not the US GAAP reconciliation.  The release notes that “reasonable assurance” does not mean absolute assurance.  The SEC states that it recognizes that while “reasonableness” is an objective standard, there is a range of judgments to be made as to what is “reasonable” in implementing Section 404, and notes that the terms “reasonable,” “reasonably” and “reasonableness” in the context of Section 404 implementation encompass the full range of appropriate potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions.

The release also clarifies that management’s assessment should be based on whether any material weaknesses exist as of the end of the fiscal year.  A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s ICFR.  The SEC explains that the use of the phrase “reasonable possibility” rather than “more than remote” to describe the likelihood of a material error is intended to more clearly communicate the likelihood element and that the definition is intended to be consistent with existing auditing literature and practice.

If the evaluation process identifies material weaknesses that exist as of the end of the fiscal year, such weaknesses must be disclosed in management’s annual report with a statement that ICFR is ineffective.  If management’s evaluation process identifies material weaknesses, but all material weaknesses are remedied by the end of the fiscal year, management may exclude disclosure of those weaknesses from its assessment and state that ICFR is effective as of the end of the fiscal year.  However, management should consider whether disclosure of the remedied material weaknesses is appropriate or required under Item 307 or Item 308 of Regulation S-K or other SEC disclosure rules.  If the evaluation identifies no internal control deficiencies that constitute a material weakness, management can assess ICFR to be effective.

Interpretive Guidance

The SEC intends this interpretive guidance to be a “top-down, risk-based approach,” which allows management to exercise significant judgment and customize its evaluation based on the company’s individual circumstances.  The objective of the ICFR evaluation is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year.  To meet this objective, management should:

  • Identify the risks to reliable financial reporting;
  • Evaluate whether the design of the controls addressing those risks provides a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner; and
  • Evaluate evidence about the operation of the controls included in the evaluation based on its assessment of risk.

The SEC’s ICFR guidance is organized around two broad principles.  First, management should evaluate the design of the company’s ICFR to determine whether it adequately addresses the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner.  There is no requirement to identify every control in a process or to document the operating activities affecting ICFR.  Rather, the guidance sets forth an approach which allows management to focus its evaluation process, and the documentation supporting the assessment, on those controls that it believes adequately address the risk of a material misstatement in the financial statements.

The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of the risk associated with those controls.  The guidance offers an approach for making risk-based judgments about the evidence needed for the evaluation, allowing management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to the production of reliable financial statements.  The intended result is efficiency on the part of management in gathering evidence, such as performing self-assessments in low-risk areas and performing more extensive testing in high-risk areas.  The guidance also addresses reporting considerations described below.

A. Identifying Financial Reporting Risks and Controls

Under the guidance, management’s evaluation begins with identifying risks that could result in a material misstatement to the financial statements (“financial reporting risks”), including changes in those risks.  Next, management identifies controls in place (including entity-level controls and information technology controls) and then assesses whether the controls in place are designed to adequately address the financial reporting risks identified.

1. Identifying Financial Reporting Risks

To identify financial reporting risks, management begins by evaluating how the requirements of generally accepted accounting principles (“GAAP”) apply to the company’s business, operations and transactions.  Management should use its knowledge and understanding of the business, its organization, operations, and processes to consider the sources and potential likelihood of misstatements in financial reporting elements and identify those that could result in financial reporting risks.  Internal and external risk factors that impact the business may give rise to financial reporting risks and should be considered by management, including the nature and extent of any changes in those risks.  Financial reporting risks may also arise from sources such as initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements.  Management’s evaluation of financial reporting risks should also consider the vulnerability of the entity to fraudulent activity (e.g., fraudulent financial reporting, misappropriation of assets and corruption) and whether any of those exposures could result in a material misstatement of the financial statements.  The methods and procedures for identifying financial reporting risks will vary based on the size, complexity, and organizational structure of the company and its processes and financial reporting environment.  For example, in a large company, management may need to consult with employees possessing specialized knowledge and understanding of the company’s processes and the business in general.  In a small company with less complex business processes operating on a centralized basis with little change in risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.

2. Identifying Controls that Adequately Address Financial Reporting Risks

After identifying the company’s financial reporting risks, management should next evaluate whether controls are in place to adequately address those risks.  As used in this guidance, controls are a specific set of policies, procedures, or activities designed to meet the objective of accurate financial reporting.  Controls can be automated or manual and include, among other things: reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; error detection; and fraud detection or disclosure.

Controls identified by management may be preventative (i.e., prevent the occurrence of errors or fraud), detective (i.e., detect errors or fraud that have already occurred) or a combination of both.  Under the guidance, it is not necessary to identify all controls that exist.  Management should keep in mind that the objective of this evaluation step is to identify controls that adequately address the risk of misstatement for the financial reporting element that could result in a material misstatement in the financial statements.  By way of example, management may determine that a control exists (e.g., a periodic reporting process) for a specific financial reporting element that is designed in a manner that adequately addresses an identified financial reporting risk (e.g., the risk that a misstatement in interest expense which could result in a material misstatement in the financial statements may occur without timely detection).  In this example, management may not need to identify additional controls related to interest expense if it finds that the control identified adequately addresses the company’s related financial reporting risk.

Determining whether the controls in place adequately address the company’s financial reporting risks requires management’s judgment about both the likelihood of error in reporting as well as potential magnitude of misstatements arising from the financial reporting risk.  For the purposes of management’s evaluation of ICFR, controls are inadequate when their design is such that there is a reasonable possibility that a material misstatement in the financial statements will not be prevented or detected on a timely basis.

Where redundant controls exist, management may decide to select controls for which evidence of the control’s operating effectiveness can be more easily tested or monitored.  At the end of this controls identification process, management will have identified for testing only those controls which are necessary to adequately address the risk of a material misstatement in the company’s financial statements and those for which evidence about their operation can be obtained most efficiently.  The controls that management identifies as adequately addressing the financial reporting risks are then subject to procedures to evaluate evidence of their operating effectiveness, as described under “Evaluating Evidence of the Operating Effectiveness of ICFR” below.

The SEC anticipates that, for most companies, management’s effort in subsequent years should be significantly reduced because the subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls.  Further, in each subsequent year, the evidence necessary to reasonably support the assessment will only need to be updated from the prior year(s), not recreated anew.

3. Consideration of Entity-level Controls

Under the guidance, management considers the company’s entity-level controls both when identifying financial reporting risks and when identifying and assessing which controls adequately address the risk.  In doing so, it is important for management to consider the nature of the relationship of the control to the financial reporting element (i.e., whether a control is directly or indirectly related to the financial reporting element).  Some entity-level controls are designed to operate at the process, transaction or application level and on their own might adequately prevent or detect on a timely basis misstatements in one or more financial reporting elements that could result in a material misstatement to the financial statements.  On the other hand, an entity-level control may be designed to identify possible breakdowns in lower-level controls, but not in a manner that would, by itself, sufficiently address the risk that misstatements to financial reporting elements that could result in a material misstatement to the financial statements will not be prevented or detected on a timely basis.  For example, controls established to ensure that personnel are properly counting and recording the annual physical inventory relate directly to the existence of inventory, whereas entity-wide programs such as codes of conduct and fraud prevention are indirectly related to a financial reporting element.  The more indirect the relationship to a financial reporting element, the less effective a control may be in preventing or detecting a misstatement, and the less likely it is that management will identify only this type of entity-level control as adequately addressing a financial reporting risk identified for a financial reporting element.

4. Role of General Information Technology Controls

Controls that management identifies as addressing financial reporting risks may be automated (e.g., application controls that update accounts in the general ledger for subledger activity) or dependent upon information technology (“IT”) functionality (e.g., a control that manually investigates items contained in a computer-generated exception report).  While general IT controls ordinarily do not directly prevent or detect material misstatements in the financial statements, the proper and consistent operation of automated or IT-dependent controls depends upon effective general IT controls.

Management’s evaluation should generally consider the design and operation of the automated or IT-dependent controls and the relevant general IT controls over the applications providing the IT functionality.  Aspects of general IT controls that may be relevant to the evaluation of ICFR will vary depending upon a company’s facts and circumstances.  Ordinarily, management should consider whether, and the extent to which, general IT control objectives related to program development, program changes, computer operations, and access to programs and data apply to its facts and circumstances.  For purposes of the evaluation of ICFR, management need only evaluate general IT controls that are necessary to adequately address financial reporting risk.

5. Support for the Assessment - Financial Reporting Risks and Controls Identified

As part of its evaluation of ICFR, management must maintain reasonable support for its assessment.  Documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks is an integral part of this support.  The form (e.g., paper documents, electronic or other media) and extent of the documentation will vary depending on the size, nature and complexity of the company.  This support can be presented in a number of ways (e.g., policy manuals, process models, flow charts, job descriptions, internal memoranda or forms).  The documentation can be focused on those controls that management concludes are adequate to address the financial reporting risks and does not need to include all controls existing within a process.

Watch for Part 2 in the next issue of Lorman Accounting and Tax Update.


[1] Management is not required by the ICFR requirements to assess other internal controls unrelated to financial reporting, such as controls solely implemented to meet a company's operational objectives.

Jane Storero

Blank Rome LLP