CPA Resources

SEC proposes guidance to improve SOX 404 implementation

WASHINGTON, Dec. 14, 2006 — The Securities and Exchange Commission has voted to propose for public comment interpretive guidance for managements regarding their evaluations of internal control over financial reporting.

The SEC also proposed amendments to Rules 13a-15 and 15d-15 that would make it clear that a company choosing to perform an evaluation of internal control in accordance with the interpretive guidance would satisfy the annual evaluation required by those rules. In addition, the SEC proposed amendments to Regulation S-X to clarify the auditor's reporting requirement pursuant to Section 404(b) of the Sarbanes-Oxley Act.

"We are proposing this interpretative guidance to help management make their evaluation process more efficient and cost-effective," said SEC Chair Christopher Cox. "In the absence of guidance, management has looked to the PCAOB's auditing standard to conduct their evaluations, which is not what was intended. With this guidance, management will be able to scale and tailor their evaluation procedures to fit their facts and circumstances, and investors will benefit from reduced compliance costs. While the guidance is intended to help public companies of all sizes, smaller companies should particularly benefit from its scalability and flexibility. We believe that today's proposed guidance, along with the Public Company Accounting Oversight Board's new auditing standard to be proposed next week, will result in significant improvements in the implementation of Sox 404."

"The guidance is an important step in the roadmap the SEC laid out in May for improving the implementation of Section 404 for all issuers," said John W. White, director of the SEC's Division of Corporation Finance. "The proposed interpretive guidance should reduce uncertainty about what constitutes a reasonable approach to management's evaluation while maintaining flexibility for companies that have already developed their own assessment procedures and tools that serve the company and its investors well. Companies will be able to continue using their existing procedures if they choose, provided of course that those meet the standards of Section 404 and our rules. At the same time, the guidance maintains the important investor protection objectives of bringing information about material weaknesses into public view and fostering the preparation of reliable financial statements in an effective and efficient manner."

"Our proposed guidance is focused on risk and materiality. We have worked hard to ensure that the proposed guidance will not disrupt best practices already in place, or that may be evolving, while at the same time ensuring that it would be scalable to companies of all sizes," said SEC Chief Accountant Conrad Hewitt. "In particular, the top-down, risk-based guidance would allow for effective, and, importantly, efficient, methods and procedures for conducting evaluations at smaller companies. It is also intended to rebalance control over the process by providing management with its own guidance — without the need to look to auditing standards — for evaluating internal control over financial reporting. Although our guidance is directed to management and the expected proposal from the PCAOB is directed to auditors, we encourage respondents to take advantage of the proposals' overlapping comment periods to consider whether the proposals, if adopted, will ensure an appropriate balance between management's evaluation process and the audit process. We encourage feedback on all aspects of our proposal."

Introduction

Section 404(a) of the Sarbanes-Oxley Act directed the SEC to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.

On June 5, 2003, the SEC adopted such rules implementing Section 404(a) with regard to management's obligations to report on its internal control over financial reporting. The final rules did not prescribe any specific method or set of procedures for management to follow in performing its evaluation.

The proposal would amend the SEC's rules adopted in 2003 to state that an evaluation conducted in accordance with the interpretive guidance would satisfy the SEC's rules. However, in order to retain the flexibility that was desired by the 2003 rules, the amendments proposed today would afford management the latitude to either follow the interpretive guidance or to develop and use other methods that achieve the objectives of the SEC's 2003 rules.

Proposed interpretive guidance for evaluating effectiveness of internal control over financial reporting

The proposed guidance is principles-based and organized around two important principles:

  • First, management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner. This principle promotes efficiency by allowing management to focus on those controls that are needed to prevent or detect material misstatement in the financial statements.
  • Second, management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those controls. The principle allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting.

By following these two principles, we believe that companies of all sizes and complexities will be able to implement our rules more effectively and efficiently. As smaller public companies often have less complex internal control systems than larger public companies, this proposed approach would enable smaller public companies in particular to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances.

The proposed guidance describes a risk-based approach and addresses many of the concerns that have been raised to the SEC, including excessive testing of controls generally; excessive documentation of processes, controls and testing; and the ability to scale the evaluation to smaller companies. The guidance addresses four specific areas:

  1. Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks. The proposed guidance describes a risk-based approach that would require the use of judgment to determine those areas that are both material and which pose a risk to reliable financial reporting. Management then would identify the controls that address those risks, including the risk of material misstatement due to fraud. The guidance would not require that every control in a process be identified. Once those controls are identified that adequately address the risk of material misstatement in the financial statements, it would be unnecessary to include additional controls within management's evaluation.
  2. Evaluation of the operating effectiveness of controls. Once management has determined the controls within the scope of its evaluation, management would then gather and analyze evidence about the operation of those controls. The proposed guidance provides for a risk-based approach that would require the use of judgment to direct management's evaluation efforts towards those areas that pose greatest risk to reliable financial reporting based on the company's unique facts and circumstances. The proposed guidance would allow management to support its evaluation in a variety of ways and illustrates how management can consider and utilize its existing daily interaction with its business, self-assessment, and other ongoing monitoring activities to support its evaluation.
  3. Reporting the overall results of management's evaluation. Once management has completed its evaluation, management must decide if any identified control deficiencies are material weaknesses. The proposed guidance provides management with a framework, outside of the auditing literature, for making these judgments and includes situations that are considered strong indicators that a material weakness exists. The guidance describes the factors that management should consider to evaluate the severity of a deficiency. If the deficiency is a material weakness, consistent with the SEC's existing rules, management must conclude that internal control over financial reporting is not effective and management has reporting responsibilities surrounding that material weakness. In addition, the guidance addresses the disclosure requirements for internal control reports in situations such as scope limitations and restatements.
  4. Documentation. The proposed guidance explains the nature and extent of evidential matter that management must maintain in support of its assessment including how management has flexibility in approaches to documentation. The proposed guidance indicates that such documentation can take many forms, can be presented in a number of ways, and does not need to include all controls within a process that impacts financial reporting. The proposed guidance provides that the evidential matter maintained in support of the assessment would also include the methods and procedures it utilizes to gather and evaluate evidence and the basis for its conclusions about the controls related to individual financial reporting elements. The proposed guidance indicates that in those situations in which management is able to rely on its daily interaction with its controls as a basis for its assessment, management may have limited documentation created specifically for the evaluation beyond documentation regarding how its interaction provided it with sufficient evidence.

Coordination with the PCAOB

Although the issuance of the proposed interpretive release is a major milestone in the improvement of the implementation of Section 404, the SEC remains committed to all of the steps set forth in the roadmap that was released entitled "Next Steps for Sarbanes-Oxley Implementation."

In that regard, the SEC and its staff have also been working closely with the Public Company Accounting Oversight Board over the past few months in their work to develop a new auditing standard that would supersede Auditing Standard No. 2, the PCAOB's existing auditing standard on internal control over financial reporting. The proposed standard is expected to provide for more efficient, risk-based, scalable audits of internal control over financial reporting while retaining the important investor protection benefits. Today's proposed amendments to Regulation S-X are intended to clarify the auditor reporting requirement in a consistent manner with the anticipated proposed new auditing standard.

Comments on the proposed interpretive guidance and rule amendments should be received by the SEC within 60 days of their publication in the Federal Register.