SEC Approves Interpretive Guidance Regarding Management's Evaluation of Internal Controls - Part 2

Jane Storero
July 5, 2007
This is the second section of a 2-part series. Be sure to read the June issue of Lorman Accounting and Tax Update for the first section of the article.

 
B. Evaluating Evidence of the Operating Effectiveness of ICFR
After identifying the company’s financial reporting risks and concluding controls are in place designed to adequately address those risks, management should evaluate evidence of the effective operation of ICFR. This evaluation should focus on those areas of ICFR that pose the highest risk to reliable financial reporting. A control operates effectively when it is performed in a manner consistent with its design by individuals with the necessary authority and competency. The evaluation procedures that management uses to gather evidence about the effective operation of ICFR should be tailored to its assessment of the risk characteristics of both the individual financial reporting elements and the related controls (collectively, ICFR risk).  Management should consider the impact of entity-level controls (which may influence management’s judgments about the risks of failure for particular controls), and vary the nature, timing and extent of the evaluation methods it implements in response to its judgments about ICFR risk.
Evidence about the effective operation of controls may be obtained from direct testing of controls and on-going monitoring activities. In determining whether the evidence obtained is sufficient to provide a reasonable basis for its evaluation of the operation of ICFR, management should consider not only the quantity of evidence (e.g., sample size) but also qualitative characteristics of the evidence. Qualitative characteristics include the nature of the evaluation procedures performed, the period of time to which the evidence relates, the objectivity of those evaluating the controls, and for monitoring controls, the extent of validation through direct testing of underlying controls. For any individual control, different combinations of the nature, timing and extent of evaluation procedures may provide sufficient evidence although sufficiency of evidence is not determined by any of these attributes individually.

 
1. Determining the Evidence Needed to Support the Assessment

To determine the evidence needed to support its assessment, management should evaluate the ICFR risk of the controls identified (see “Identifying Financial Reporting Risks and Controls” above) by conducting a risk assessment. The risk assessment should consider the impact of the characteristics of the financial reporting elements related to the controls identified as well as the characteristics of the controls themselves. This concept is demonstrated by the following diagram:

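Determining the Sufficiency of Evidence Based on ICFR Risk:

[Diagram. Vertical axis: Misstatement Risk of Financial Reporting Element (High, Medium, Low). Horizontal axis: Risk of Control Failure (Low, Medium, High). "More Evidence*" is marked in the High misstatement-risk row and "Less Evidence*" in the Low misstatement-risk row.]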
* The references to “more” or “less” include both the quantitative and qualitative characteristics of the evidence (i.e., its sufficiency).

Characteristics of the financial reporting element include both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to material misstatement. As the materiality of the financial reporting element increases in relation to the amount of misstatement that would be considered material to the financial statements, management’s assessment of risk generally would also increase. In addition, financial reporting elements would generally be assessed as higher risk when they include information that is prone to misstatement such as elements which involve judgment in determining recorded amounts, susceptibility to fraud, have complex underlying accounting requirements or are subject to environmental factors.
Management should also consider the likelihood that a control might fail to operate effectively. The likelihood that a control might fail may depend on, among other things, the type of control (i.e., manual or automated), the complexity of the control, the risk of management override, the judgment required to operate the control, the nature and materiality of misstatements that the control is intended to prevent or detect, and the degree to which the control relies on the effectiveness of other controls (e.g., general IT controls). When a combination of controls is required to adequately address the risks of a financial reporting element, management should analyze the risk characteristics of each control. Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions or critical accounting policies generally, would be assessed as having higher risk for both the possibility of material misstatement to the financial reporting element and the risk of control failure.


2. Implementing Procedures to Evaluate Evidence of the Operation of ICFR

The methods and procedures management uses to gather evidence about the effective operation of controls, including the timing of when they are performed, are a function of the evidence that management considers necessary to provide reasonable support for its assessment of ICFR based on the assessment of ICFR risk. The evidence relevant to the assessment may come from activities performed for other reasons (e.g., daily operation management activities) and activities performed to meet the monitoring objectives of the control framework will provide evidence to support the assessment. The evidence management evaluates may come from a combination of on-going monitoring (e.g., self-assessment procedures and the results of key performance indicators) as well as direct testing of controls performed periodically to provide evidence about the reliability of such on-going monitoring activities. Risk assessments discussed above can assist management in determining the evaluation procedures that provide reasonable support for the assessment and as assessed risk increases, management should adjust the nature of evidence obtained.  When ICFR risk is assessed as high, management’s evaluation would ordinarily include evidence obtained from direct testing but for lower risk areas, management may conclude that evidence from on-going monitoring is sufficient.
In smaller companies, management’s daily interaction with its controls may provide it with sufficient knowledge about their operation to evaluate the operation of ICFR, but management should consider its particular facts and circumstances when determining whether or not such daily interaction with controls provides sufficient evidence for the evaluation. Daily interaction in companies with multiple management reporting layers or operating segments would generally not provide sufficient evidence because those responsible for assessing the effectiveness of ICFR ordinarily would not be sufficiently knowledgeable about the operation of the controls.  In these situations, management would ordinarily utilize direct testing or on-going monitoring type evaluation procedures to have reasonable support for the assessment. Management’s evaluation of evidence should consider whether the control operated as designed and include matters such as how the control was applied, the consistency with which it was applied, and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.

3. Support for the Assessment - Operating Effectiveness of ICFR

The SEC expects reasonable support for an assessment to include the basis for management’s assessment, including documentation of the methods and procedures it utilizes to gather and evaluate evidence. The evidential matter may take many forms and will vary depending on the assessed level of risk for controls over each of its financial reporting elements. For example, management may document its overall strategy in a comprehensive memorandum that establishes the evaluation approach, the evaluation procedures, and the basis for conclusions for each financial reporting element. Documentation might include memoranda, e-mails and instructions or directions from management to employees of the company. If management believes that the operation of the entity-wide and other pervasive elements of its ICFR address the elements of internal control that its adopted framework describes as necessary for an effective system, then the evidential matter constituting reasonable support for management’s assessment would ordinarily include documentation of how management formed that belief.

4. Multiple Location Considerations

Management’s consideration of financial reporting risks should generally include consideration of all of the company’s locations or business units, though in some cases risks are adequately addressed by controls which operate centrally. When performing its evaluation of risk characteristics of controls identified, management should consider location-specific risks that might impact the risk that a control will fail to operate effectively. Further, management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient.

C. Reporting Considerations

1. Evaluation of Control Deficiencies

Under the guidance, to determine whether a control deficiency, or combination of control deficiencies, is a material weakness (which must be disclosed in management’s annual report), management must evaluate each control deficiency that comes to its attention. Management may not disclose that it has assessed ICFR as effective if there is one or more control deficiencies determined, individually or in combination, to be a material weakness in ICFR as of the end of the fiscal year. Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness if there is a reasonable possibility that a material misstatement to the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually insignificant. Therefore, management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion, or component of internal control, to determine whether they collectively result in a material weakness. Management should also evaluate the effect of compensating controls (i.e., separate controls accomplishing the same objective) when determining whether a control deficiency or combination of deficiencies is a material weakness.
Several factors affect the likelihood that a deficiency, or a combination of deficiencies, will result in a misstatement in a financial reporting element not being prevented or detected on a timely basis, including:
  • The nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk);
  • The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);
  • The subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);
  • The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);
  • The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and
  • The possible future consequences of the deficiency.

Management should evaluate how the controls interact with other controls when evaluating the likelihood that a company’s controls will fail to prevent or detect on a timely basis a misstatement that is material to the company’s financial statements.  Several factors affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls, including:

  • The financial statement amounts or total of transactions exposed to the deficiency; and
  • The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

In evaluating the magnitude of the potential misstatement to the company’s financial statements as a whole, management should recognize that the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger and the probability of a small misstatement will be greater than the probability of a large misstatement.

The following circumstances are strong indicators that a material weakness in ICFR exists:

  • An ineffective control environment, which may be indicated by: identification of fraud of any magnitude on the part of senior management; significant deficiencies that have been identified and remain unaddressed after some reasonable period of time; or ineffective oversight of the company’s external financial reporting and ICFR by the company’s audit committee.
  • Restatement of previously issued financial statements to reflect the correction of a material misstatement.  However, note that the correction of a material misstatement includes misstatements due to error or fraud.  It does not include retrospective application of a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.
  • Identification by the auditor of a material misstatement in financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company’s ICFR.
  • For complex entities in highly regulated industries, an ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.

2. Expression of Assessment of Effectiveness of ICFR by Management and the Registered Public Accounting Firm

Management should disclose a clear expression of its assessment related to the effectiveness of ICFR and, therefore, should not qualify its assessment by saying that the company’s ICFR is effective subject to certain qualifications or exceptions. In addition, if a material weakness exists, management may not state that controls are effective. However, management may state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es). Management may disclose any remediation efforts to the identified material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or General Instruction B of Form 40-F.

3. Disclosures About Material Weakness

Because of the significance of the disclosure requirements surrounding material weaknesses beyond specifically stating that the material weaknesses exist, the SEC believes companies should also consider including in their disclosures the nature of any material weakness, its impact on financial reporting and the control environment, and management’s current plans, if any, for remediating the weakness.

When disclosing the existence of material weaknesses, companies should ensure enough information is provided to form a picture that is not misleading.  While management is required to conclude and state in its report that ICFR is ineffective when there is one or more material weaknesses, companies should also consider providing disclosure that allows investors to understand the root cause of the control deficiency and to assess the potential impact of each particular material weakness.  This disclosure will be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those material weaknesses that do not. The goal underlying all disclosure in this area is to provide investors with contextual disclosure and analysis beyond the mere existence of a material weakness.

4. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR

The restatement of financial statements does not, by itself, necessitate that management consider the effect of the restatement on the company’s prior conclusion relating to the effectiveness of ICFR. However, though there is no requirement for management to reassess or revise its conclusion related to the effectiveness of ICFR, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement. Similarly, while there is no requirement that management reassess or revise its conclusion related to the effectiveness of its disclosure controls and procedures, management should consider whether its original disclosures regarding effectiveness of disclosure controls and procedures need to be modified or supplemented to include any other material information that is necessary for such disclosures not to be misleading.

5. Inability to Assess Certain Aspects of ICFR

In certain circumstances, management may encounter difficulty in assessing certain aspects of its ICFR. For example, management may outsource a significant process to a service organization and determine that evidence of the operating effectiveness of the controls over that process is necessary.  However, the service organizations may be unwilling to provide either a Type 2 SAS 70 report or to provide management access to the controls in place at the service organization so that management could assess effectiveness. Finally, management may not have compensating controls in place that allow a determination of the effectiveness of the controls over the process in an alternative manner.  The SEC’s disclosure requirements state that management’s annual report on ICFR must include a statement as to whether or not ICFR is effective and do not permit management to issue a report on ICFR with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.

SEC Rule Amendments

In addition to the interpretative guidance outlined above, the SEC amended Rule 13a-15(c) and Rule 15d-15(c) to state that, although there are many different ways to conduct an evaluation of the effectiveness of ICFR to meet the requirement in the rule, an evaluation conducted in accordance with the interpretive guidance issued by the SEC would satisfy the annual management evaluation required by SEC rules.  The amendment provides a non-exclusive safe-harbor for the purposes of satisfying obligations under Rules 13a-15(c) or 15d-15(c).

The SEC also revised Rule 2-02(f) of Regulation S-X, which requires that an auditor’s attestation report clearly state the “opinion of the accountant as to whether management’s assessment of the effectiveness of the registrant’s ICFR is fairly stated in all material respects.” Under the final rule, the auditor will express only a single opinion on the effectiveness of the company’s internal controls in its attestation report rather than expressing separate opinions directly on the effectiveness of the company’s ICFR and on the management’s assessment. In addition, the amendment clarifies the circumstances under which the SEC would expect that the accountant cannot express an opinion and highlights that disclaimers by the auditor would only be appropriate in the rare circumstance of a scope limitation.

Finally, the SEC adopted conforming revisions to the definition of attestation report in Rule 1-02(a)(2) of Regulation S-X.  Under the definition, an attestation report is a report in which a registered public accounting firm expresses an opinion, either unqualified or adverse, as to whether the registrant maintained, in all material respects, effective internal control over financial reporting, except in the rare circumstance of a scope limitation that cannot be overcome by the registrant or the registered public accounting firm which would result in the accounting firm disclaiming an opinion.

The final guidance and rules described will become effective 30 days after publication in the Federal Register.

Jane Storero

Blank Rome LLP