A Test of Controls

By Robert N. Waxman

If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary. —James Madison, The Federalist Papers, No. 51, 1788

The SEC, in its Release 33-8238 (issued June 5, 2003, and revised by Release 33-8392), adopted final rules to carry out the requirements of section 404 of the Sarbanes-Oxley Act. Section 404, “Management Assessment of Internal Controls,” directs the SEC to adopt rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report. That report must state the responsibility of management for setting up and maintaining an adequate internal control structure and procedures for financial reporting; it must also contain an assessment, at the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

The following requirements apply to this internal control assessment:

  • Each public accounting firm registered with the PCAOB that prepares or issues the audit report must attest to, and report on, management’s assessment.
  • The attestation must be made in accordance with standards for attestation engagements issued or adopted by the PCAOB. On March 9, 2004, the PCAOB issued Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, which the SEC approved on June 17 (34-49884).
  • The attestation must not be the subject of a separate engagement.

Overview of the Release

SEC rules and the Sarbanes-Oxley Act require every issuer to maintain two types of controls: “disclosure controls and procedures” and “internal control over financial reporting” (or simply “internal control”). The release’s other objective is to improve both the disclosure and the financial controls of every public company worldwide and on a real-time basis (every 90 days).

The hope here is to substantially upgrade the disclosure system, reprogram management, and upgrade the performance of the auditors. The ultimate goal is to improve business performance and investor confidence in financial statements and capital markets, and as a by-product to strengthen investor confidence in the accounting profession.

Regulations S-K and S-B, Item 308, “Internal Control over Financial Reporting”

Management’s report on internal control. The SEC’s recently issued Item 308 closely follows the requirements of section 404. It requires the annual report (Form 10-K or 10-KSB) of almost every company filing periodic reports under either section 13(a) or 15(d) of the 1934 Act to include an internal control report. This report must state the following [Item 308(c)]:

(1) Management’s responsibility for setting up and maintaining adequate internal control;
(2) The framework used to evaluate the effectiveness of internal control;
(3) Management’s assessment of the effectiveness of the internal control at the end of the year, and the disclosure of any material weakness in internal control. Management cannot say that the internal controls are effective if there are one or more material weaknesses, or if there is a combination of reportable conditions that result in a material weakness; and
(4) That the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment.

The evaluation framework must be based on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including public comment. In the United States, the Committee of Sponsoring Organizations (COSO) framework clearly satisfies the SEC criteria and for now is the framework that should be followed. The rules do, however, recognize that other evaluation standards exist outside of the United States and that other frameworks may be developed in the future, and do not require the use of any one framework [Rule 13a-15(c)/15d-15(c)].

1934 Act Rule 13a-15(f)/15d-15(f) and PCAOB Standard 2 define internal control over financial reporting as follows:

  • A process designed by or under the supervision of the issuer’s CEO and CFO, or persons performing similar functions;
  • Carried out by the issuer’s board of directors, management, and other personnel;
  • Designed to provide reasonable assurance on the reliability of financial reporting and the preparation of GAAP financial statements for external purposes; and
  • Including policies and procedures that—
      • relate to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets (Sarbanes-Oxley Act section 103);
      • provide reasonable assurance that transactions are recorded to allow the preparation of GAAP financial statements, and that receipts and disbursements are authorized by management and directors (Sarbanes-Oxley Act section 103); and
      • provide reasonable assurance about the prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements (the “safeguarding of assets”).

The “reasonable assurance” concept is integral to the definition of internal control and the auditor’s opinion. Reasonable assurance equates to a remote likelihood that material misstatements will not be prevented or not be detected on a timely basis. There is a perceptible margin of difference between reasonable assurance and absolute assurance, and what is reasonable will depend on the issuer’s facts and circumstances.

This definition focuses on the reliability of financial reporting but does not include the other two objectives of internal control found in SAS 55, Consideration of Internal Control in a Financial Statement Audit, and the COSO report. The first is the “effectiveness and efficiency of a company’s operations,” which translates into a company’s basic business objectives, including profitability and performance goals. The second is “compliance with applicable laws and regulations,” excepting those laws directly related to the preparation of financial statements and the SEC’s financial reporting requirements.

This definition of internal control is essentially consistent with the description of internal accounting controls in 1934 Act section 13(b)(2), “Periodical and Other Reports.” It requires that issuers make and keep books, records, and accounts in reasonable detail to accurately and fairly reflect transactions and dispositions of assets. It also requires public companies to maintain a system of internal controls that permits the preparation of GAAP financial statements.

Quarterly reporting of changes in internal control. 1934 Act Rule 13a-15(d)/15d-15(d) requires management to evaluate all material changes in internal controls every quarter. Item 308(c) requires the reporting of any change in the company’s internal control that occurred during the quarter that materially affected, or is reasonably likely to materially affect, the company’s internal control.

The challenge here is that management must decide what is material to the quarter and to future quarters. The safest course may be to disclose every internal control change after eliminating those changes that are clearly immaterial. Accordingly, if, during a quarter, a significant deficiency or material weakness is corrected that does or will materially affect internal control, the change must be disclosed. If the control is not corrected at the end of the quarter and it is viewed as material, then Item 307 disclosures must discuss the deficiency or weakness, and the company must then report the change in the later quarter when it is corrected.

The rules do not require the company to disclose the reasons for the change, but the SEC warns that management must decide whether the reason for the change, or any other information about the change, is material information that investors should have. Information is generally considered material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, sell, or retain a security.

Because foreign private issuers are not required to file quarterly, the management of a foreign private issuer that files Exchange Act reports needs to disclose in its annual Form 20-F or Form 40-F only those material changes to its internal control that occurred during the year.

Regulations S-K and S-B, Item 307, Disclosure Controls and Procedures

Item 307 was added to the integrated disclosure rules by Release 33-8124 (August 2002). It originally called for management’s evaluation of disclosure controls and procedures within 90 days of the filing date and the disclosure of any significant changes in internal controls after the date of the evaluation, including any corrective action the company took relating to significant deficiencies and material weaknesses. The SEC release revised Item 307 to require that the company’s principal executive and financial officers (or persons performing similar functions) disclose their conclusions about the effectiveness of the disclosure controls and procedures at the end of every quarter. Their conclusion must be based upon their evaluation of these controls and procedures, as required by 1934 Act Rule 13a-15(b)/15d-15(b).

While the rules do not require it, the evaluation date should be near the end of the period, and if not at the end, it should involve a roll-forward of the information to allow the CEO and CFO to conclude on the effectiveness at the end of the quarter.

Definition of disclosure controls and procedures. The SEC states that “disclosure controls and procedures” [Rule 13a-15(e)/15d-15(e)] have the following characteristics:

  • Designed to ensure disclosure of information that is required to be disclosed in the reports that the issuer files or submits under the Exchange Act;
  • Recorded, processed, summarized, and reported within the time periods required by the SEC’s rules and forms; and
  • Accumulated and communicated to management to allow them to make timely decisions about the required disclosures.

Disclosure controls and procedures are intended to capture all information required to be disclosed in Exchange Act reports. The company’s procedures should ensure that the control system will produce Form 10-Ks and 10-Qs that are timely, reliable, and accurate. This includes both the financial statements and all of the nonfinancial information disclosed. Therefore, all the other non–financial statement disclosures on a Form 10-K/SB or 10-Q/SB are covered by “disclosure controls and procedures”: for example, MD&A, legal proceedings, disclosure of market risk, the business, properties, and executive compensation.

The SEC’s objective in requiring these controls and procedures was to extend auditors’ concepts about internal controls over financial information to controls over all the other information required to be included in Exchange Act reports. It extends the internal control concepts in SAS 55, Consideration of Internal Control in a Financial Statement Audit, and SAS 78 (amending SAS 55) from financial statements to all other disclosures.

Management’s evaluation of effectiveness of disclosure controls and procedures. Because the auditor will be required to express an opinion on management’s assessment process and an opinion on the effectiveness of internal control, management should document both the process and its effectiveness. PCAOB Standard 2, in paragraphs 162–166, provides guidance on management’s report.

This release does not give management specific procedures to follow in evaluating the effectiveness of disclosure controls; therefore, every issuer will need documentation and a process that is unique to its business and its management. Inadequate documentation is a deficiency in internal control that, if significant, would impair the auditor’s opinion, and PCAOB Standard 2 offers guidance for auditors evaluating management’s assessment process and documentation (paragraphs 40–46).

Examples of Item 307 disclosure. The SEC has no particular format for the Item 307 disclosures, so it can be brief or long (see the Sidebar). Both examples assume no changes in internal control or any material weaknesses.

Disclosure controls and procedures versus internal control over financial reporting. The 1934 Act Rule 13a-15(a)/15d-15(a) says that every issuer must maintain both “disclosure controls and procedures” and “internal control over financial reporting.” These two types of controls are different, but overlap in some important areas and do not overlap in others:

  • Some “disclosure controls” are not part of “internal control over financial reporting”—namely, all controls related to nonfinancial information.
  • Both types of controls include controls over transactions that are needed to prepare GAAP financial statements.
  • The release says that some “internal controls” are not part of “disclosure controls,” such as the safeguarding of assets (e.g., limiting the signature authority on checks).

Accountant’s Attestation Report

Rule 1-02(a)(2), “Accountants’ Reports and Attestation Reports on Management’s Assessment of Internal Control over Financial Reporting,” was added to Regulation S-X in the SEC release. Item 308(b) requires that the accounting firm’s attestation report be filed in the annual report. Furthermore, according to new Regulation S-X Rule 2-02(f), “Attestation Report on Management’s Assessment of Internal Control over Financial Reporting,” every public accounting firm registered with the PCAOB that prepares or issues an audit report on the annual financial statements must attest to and report on management’s assessment. The rule gives detailed instructions for preparing and filing this attestation report.

The SEC recommends that management’s report be located near the accounting firm’s attestation report, and that both reports be either near the MD&A disclosure or immediately before the financial statements. Because the attestation report may be combined with the auditor’s opinion on the financial statements, it would seem that both management’s report and the auditor’s opinion (whether a separate or a combined opinion) would be best placed just before the financial statements.

Independence. The release provides a reminder that companies and their auditors should refer to the SEC’s independence rules. Auditors may help management in documenting internal controls, but only if management is actively involved in the process. Management must exercise their own judgment in performing the various analyses; they must be in charge of all the work done and make all the final decisions. The design, documentation, testing, and ultimate evaluations are the responsibilities of management. They cannot delegate any of these tasks to their accounting firm.

The client can use the accounting firm’s internal control questionnaire or software product as a standardized tool to evaluate its internal controls or perform statistical sampling. Thus, while the auditor may give management a mechanism to document and assess the controls, the audit firm itself would not actually document the controls or draw any conclusions about their effectiveness. The rule also permits the auditors to point out areas where management can improve controls, and make suggestions about the testing of controls without violating their independence. Appendix E101–104 of PCAOB Standard 2 also addresses independence issues.

Other guidance. The release amended certain rules and items of the periodic reporting forms under the 1934 and 1940 Acts. The release also revises 1934 Act Rule 12b-15, “Amendments,” requiring that any amendment to a report that is required to contain section 302 and 906 certifications must include new certifications by the CEO and the CFO.

Entities Covered

The Sarbanes-Oxley Act and the SEC’s new rules will affect almost every public company and its auditor. An estimated 13,700 filing companies and some 1,000 firms registered with the PCAOB will be affected.

Section 404 makes no distinction between domestic and foreign private issuers. All rules in the SEC release apply to foreign companies filing periodic reports under either section 13(a) or 15(d) of the 1934 Act. In addition, section 404 makes no distinction between large and small issuers filing reports with the SEC; therefore, small issuers are not exempt from the rules.

For a number of years, section 36 of the Federal Deposit Insurance Act has required federally insured depository institutions with total assets of $500 million or more to file an annual management report on internal controls. The act also requires auditors to examine and attest to management’s assertions about the internal control structure. These requirements for banks are very similar to the requirements of Sarbanes-Oxley section 404 and the SEC rules, but the SEC decided not to grant these entities any relief. These financial institutions are subject to both the FDIC’s requirements and all of the SEC’s internal control reporting rules. Release 33-8238 lets these institutions choose between two reporting options: They can prepare two separate reports, or prepare a single report that satisfies both the FDIC and the SEC requirements.

Entities Not Covered

Section 404 does not apply to registered investment companies; however, these companies are not exempt from the section 302 certification requirements. The SEC release contains a number of technical changes to various rules and forms implementing section 302 for registered investment companies in order to conform them to the changes made for all other operating companies.

Because asset-backed issuers are usually passive pools of assets without boards of directors and are generally not required to file the same types of financial statements that other companies must file, they are not subject to the SEC’s internal control rules.

Implementation Dates

Accelerated filers. A company that is an “accelerated filer” at the end of its first fiscal year ending on or after November 15, 2004, must file the Item 308 internal control report in its annual report for that fiscal year. In Release 33-8128, “Acceleration of Periodic Report Filing Dates” (September 2002), the SEC accelerated the filing of quarterly and annual reports under Rule 12b-2 by domestic reporting companies that—

  • have a common equity public float of at least $75 million on the last business day of the company’s second fiscal quarter;
  • have been subject to the 1934 Act’s periodic reporting requirements for at least 12 months;
  • have previously filed at least one annual report under the 1934 Act; and
  • are ineligible to use the small business issuer Forms 10-KSB and 10-QSB.

Due dates for these “accelerated filers” are being phased in over three years (Exhibit), meaning that, for calendar-year companies, the effective date of Release 33-8238 is December 31, 2004, and the Form 10-K is due March 1, 2005.

Nonaccelerated filers and foreign private issuers. The SEC recognizes that small businesses may not have as formal or well-structured a system of internal control as larger companies and may initially have difficulty evaluating their internal controls. As a result, small business issuers and other companies that are not “accelerated filers” have a later implementation date. Such entities must file their internal control report in their annual report for the first year ending on or after July 15, 2005. This means December 31, 2005, for calendar-year companies, whose Form 10-K must be filed no later than March 31, 2006.

Regulation S-K and S-B Item 307. Item 307 requires disclosure about the effectiveness of disclosure controls and procedures beginning with the Form 10-Q/SB filed for June 30, 2003 (which was due August 14, 2003).

Changes in internal controls. A company must begin to disclose any material change to its internal control over financial reporting in its first periodic report due after the first annual report that is required to include the management report on internal control. This means a calendar-year accelerated filer must begin to comply with the disclosure about changes in internal control beginning with the Form 10-Q for the quarter ended March 31, 2005 (form due May 10, 2005). Nonaccelerated filers must begin to comply with the Form 10-Q/SB filed for the quarter ended March 31, 2006 (form due May 15, 2006).

Nevertheless, section 302 requires the CEO and the CFO to certify that they have disclosed in the Form 10-K/SB or 10-Q/SB any material change in internal control over financial reporting. This is similar to the information required by the old Item 307(b), so these changes should continue to be included in the Item 307 disclosures.

Certifications. Beginning with reports due on or after August 14, 2003 (due date for June 30, 2003, quarterly filings), issuers must file the section 302 and 906 certifications as exhibits, and they must follow certain of the text changes in the 302 certification. To account for the differences between the compliance date of the rules relating to the internal control reports and the effective date of changes to the text of the section 302 certification, the SEC allows the certifying officers to temporarily eliminate some of the text until the Item 308 internal control report requirements are effective (see discussion above).

Registered investment companies. Registered investment companies must comply with the rules and form amendments that apply to them on and after August 14, 2003.

Early adoption. The SEC will allow companies to voluntarily comply with the new disclosure requirements before any of the mandated compliance dates.

Control Deficiencies, Significant Deficiencies, and Material Weaknesses

The SEC rules clearly state that management has the primary obligation to determine whether there are material weaknesses in internal control, whether a deficiency is significant, and whether an aggregation of significant deficiencies is a material weakness.

The auditing literature and the SEC provide no implementation guidance or examples on how to determine if a deficiency is significant, a weakness is material, or when a combination of significant deficiencies becomes a material weakness. PCAOB Standard 2 defines these critical terms as follows:

  • A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
  • A deficiency in design exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, such that, even if the control operates as designed, the control objective is not always met.
  • A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

A significant deficiency is a control deficiency (or combination of control deficiencies) that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected. The term “remote likelihood” is defined in paragraph 3(c) of SFAS 5 as when the “chance of the future event or events occurring is slight.” Thus, the likelihood of an event is “more than remote” when it is either reasonably possible or probable.

A material weakness is a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. PCAOB Standard 2 points out that in evaluating whether a control deficiency exists and whether control deficiencies, either individually or in combination with other control deficiencies, are significant deficiencies or material weaknesses, the auditor should consider the definitions in paragraphs 8, 9, and 10 and the directions in paragraphs 130 through 137. The evaluation of the materiality (paragraph 23) of the control deficiency should include both quantitative and qualitative considerations. Qualitative factors might include the nature of the financial statement accounts and assertions involved and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency or combination of deficiencies is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls.

Certifications in annual and quarterly reports. Section 302 and the related SEC rules require CEOs and CFOs to certify the company’s annual and quarterly reports. The certification requires management to sign a statement stating the following:

  • They have reviewed the report.
  • Based on their knowledge, the report does not contain any untrue statement of a material fact or fail to state a material fact that is needed to make the statements not misleading.
  • Based on their knowledge, the financial statements and other financial information fairly present in all material respects the financial condition, results of operations, and cash flows of the company. (Note that this certification goes beyond just saying that the financial statements and other financial information are presented in accordance with GAAP.)
  • They are responsible for setting up and maintaining “disclosure controls and procedures” and “internal control over financial reporting.”
  • They designed the “disclosure controls and procedures” to make sure that material information is communicated to management by others in the company.
  • They designed the “internal control over financial reporting” to provide reasonable assurance about the reliability of financial reporting and the preparation of GAAP financial statements.
  • They evaluated and reported on the effectiveness of the “disclosure controls and procedures” at the end of the period covered by the report (tying in to Item 307).
  • They disclosed any change in internal control over financial reporting that occurred during the quarter that materially affected or is reasonably likely to materially affect, the internal control over financial reporting [corresponding to Item 308(c)].
  • They disclosed to the auditors and the audit committee every quarter all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the ability to record, process, summarize, and report financial information. Furthermore, they disclosed any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal control over financial reporting.

It is clear that the certification and the requirements of section 404 as well as the SEC release must be a fully integrated activity of management. No single part of these rules can be complied with in isolation.

Before the SEC release, the section 302 certification was located immediately after the signature section in the report. Now these certifications must be filed as Exhibit 31 of Regulations S-K and S-B, Item 601 [Rules 13a-14(a)/15d-14(a)]. PCAOB Standard 2 (paragraphs 200–206) describes the work that auditors must perform regarding management’s certifications. Section 906 of the Sarbanes-Oxley Act requires a second certification for periodic reports containing financial statements that are filed with the SEC. Before the release, the section 906 certification had to “accompany” the SEC report, and it was usually filed as Exhibit 99. Now the certification is required as Exhibit 32 of Regulations S-K and S-B, Item 601 [Rules 13a-14(b)/15d-14(b)].

The certification says that the report fully complies with the requirements of section 13(a) or 15(d) of the 1934 Act and that the information contained in the report fairly presents, in all material respects, the financial condition and results of operations of the company. It should be noted that mere compliance with GAAP does not ensure that a periodic report meets the “fairly presents” standard.

Unlike the section 302 exhibit that is “filed” with the SEC, the section 906 exhibit is “furnished” to the SEC, which means that the section 906 certification does not subject signatories to any liability for material misstatements or omission of fact in connection with the filed report under section 18 of the 1934 Act. Nor is it automatically incorporated by reference into a registration statement under the 1933 Act, which would then subject the company to section 11 civil liabilities on account of a false registration statement, unless the company takes specific steps to include the certification in the registration statement.

Section 906 refers to “periodic reports containing financial statements”; however, the SEC’s final rules do not require section 906 certifications in Form 6-K (the report of a foreign issuer under Rules 13a-16 and 15d-16), Form 8-K [the current report under section 13 or 15(d)], or Form 11-K [annual reports of employee stock purchase, savings, and similar plans under Section 15(d)].

Nonetheless, a failure to furnish the section 906 certifications violates section 13(a) of the 1934 Act, and any periodic report filed without the certification is considered incomplete. Because section 906 is administered by the Department of Justice, management may be subject to criminal penalties for false certifications.

It is a federal crime, punishable by a fine of up to $1 million or imprisonment for up to 10 years, or both, for any officer to file a section 906 certificate “knowing” that the Form 10-Q/SB or 10-K/SB does not comply with the requirements of the 1934 Act. In addition, any officer convicted of “willfully” making a certification knowing that it is false (i.e., knowing that the report does not comply with the 1934 Act) would be subject to a fine of up to $5 million or imprisonment for up to 20 years, or both. Violations of section 302 are subject to civil penalties.

Start Now

Many accelerated filers have already worked through the planning, documentation, internal testing, and remediation phases of section 404 compliance. Through the balance of this year, auditors will continue, or begin, to independently test the internal controls, and both management and the auditors will form their opinions and write their reports. But for issuers that have not yet begun the process, there is one most important date: today. If issuers start preparing now, they will be able to identify their internal control processes and control deficiencies and, most important, will be able to correct them before having to report them. If management does not immediately begin the process of compliance, evaluation, and documentation, they may find themselves facing a huge mountain to climb and the embarrassment of having material weaknesses to report and a qualified auditor’s opinion.

Management has a lot of reading and work to do. They need to understand all the new rules; understand COSO and its components; apply COSO to their significant business units and understand the control environment; document, identify, and test the key controls; and fix all the problems they discover. Management also needs to plan ahead and get the help they need with all these activities without violating the independence of their auditors.

These new rules can also be viewed as a great opportunity. Management can direct their attention to a great variety of risks in the company in addition to those involving disclosures and financial information. They have an opportunity to determine what does not work in the company and institute best practices, and at the same time improve corporate governance. These new rules give management a much-needed push forward and a tool to gain control over the company’s future.

Robert N. Waxman, CPA, with Corporate Finance Advisory, New York, N.Y., is chair of the NYSSCPA’s International Accounting and Auditing Committee.

The CPA Journal, ©2009 The New York State Society of CPAs.