The SEC introduced "internal control over financial reporting" as a new term of art under Section 404 of the Act and will require that management of a public company (small business issuers and foreign private issuers included) annually report on their responsibility for establishing and maintaining internal control over financial reporting and their evaluation of the effectiveness of such internal control. The report must also contain an attestation report of the company's independent auditor as to management's evaluation. Asset-backed securities issuers and registered investment companies do not have to comply with the new internal control reporting requirements.
In conjunction with adopting the new Section 404 internal control report requirements, the SEC also revised the quarterly and annual certification requirements of the chief executive officer and chief financial officer to more clearly reflect their role in overseeing the company's internal control over financial reporting. For information about those changes, please see our client alert SEC Adopts Changes to CEO/CFO Certifications, June 2003.
Where is the internal control report required?
The internal control report is only required in annual reports.
When Will the Internal Control Report First Be Required?
The final rule gives public companies more time for compliance than had previously been anticipated.
Public companies that are so-called "accelerated filers" (generally, U.S. public companies with a public float in excess of $75 million and that have filed at least one annual report with the SEC - which encompasses the vast majority of SEC registrants) and are not foreign private issuers must include management's internal control report in their Form 10-Ks covering fiscal years ending on or after June 15, 2004.
All other public companies, including foreign private issuers and small business issuers, must first include the internal control report in their annual reports covering fiscal years ending on or after April 15, 2005.
Therefore, an "accelerated filer" with a December 31st fiscal year-end will first have to include the internal control report in its Form 10-K for the fiscal year ending December 31, 2004 while all other public companies with calendar year fiscal year-ends will have to first include internal control reports in their annual reports for the fiscal year ending December 31, 2005.
Definition of "internal control over financial reporting"
The CEO and CFO certification requirements adopted in 2002 introduced the phrase "disclosure controls and procedures." The SEC defined disclosure controls and procedures as a company's processes for ensuring that information required to be disclosed by the company is recorded, processed, summarized and reported in a timely manner. For more information about "disclosure controls and procedures," please see our alert SEC Requires CEO and CFO Certification of Quarterly and Annual Reports, September 2002. The 2002 form of certification also refers to "internal controls," which the SEC did not define. Since the adoption of the certification requirements, there has been uncertainty about management's responsibilities with respect to their company's internal controls. The new rules replace the phrase "internal controls" with "internal control over financial reporting" and provide a definition of this new term of art.
"Internal control over financial reporting" is defined as a process designed by, or under the supervision of, the company's CEO and CFO, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles ("GAAP") and includes those policies and procedures that:
While there is substantial overlap between a company's disclosure controls and procedures and internal control over financial reporting, both contain elements not necessarily covered by the other. For example, both are implicated in a company's procedures for ensuring that the publicly filed financial statements are prepared in accordance with GAAP. However, necessary components of those procedures, ensuring that transactions are properly recorded and that assets are safeguarded against unauthorized or improper use, are covered by a company's internal control over financial reporting but might not be included in its disclosure controls and procedures.
Only a company's annual report must contain management's evaluation of the effectiveness of internal control over financial reporting while every quarterly and annual report must contain management's evaluation of the effectiveness of disclosure controls and procedures and disclosure of any material changes to internal control over financial reporting occurring during the quarter. The requirement for management to report on material changes to internal control over financial reporting is effective for quarterly periods ending on or after June 30, 2003, more than one year prior to the internal control report first being required. Therefore, management may have to report as part of their certification obligation in upcoming quarterly reports on material changes to the company's internal control over financial reporting as the company implements changes to its internal control over financial reporting in preparation for the internal control report and attestation requirement under Section 404 of the Act.
Content of the internal control report
A public company's annual report must include an internal control report of management that includes:
The annual report must also contain the attestation report of the independent auditor. The new rules do not specify where in an annual report the internal control report and attestation report must appear, but suggest that the internal control report and attestation report be included together in the annual report either near the company's Management's Discussion and Analysis of Financial Condition and Results of Operations disclosure or just before the audited financial statements. Regardless of where both reports are located, they should be located together in the annual report.
Framework for Management's Evaluation of Internal Control Over Financial Reporting
The SEC's proposing release did not reference specific criteria for management's assessment of internal control over financial reporting. The final rules require that management utilize an established control framework to evaluate the effectiveness of the company's internal control over financial reporting. A framework provides management with guidance about the documentation, review and testing necessary to satisfy their due diligence supporting their assessment of internal control over financial reporting. Although the new rules do not require the use of a specific control framework, the rules do identify as an acceptable framework the COSO Framework, a set of internal control evaluation procedures developed, beginning in 1992, by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO").[fn2] Companies may utilize other control frameworks as long as the frameworks meet specified guidelines set forth in the SEC's adopting release. The final rules require management to identify in the report the framework used to evaluate the effectiveness of internal control over financial reporting.
Management's Evaluation of Internal Control Over Financial Reporting
Though the new rules suggest the COSO Framework as a framework for management's evaluation of internal control over financial reporting, no specific methods or procedures for conducting evaluations are recommended. The SEC indicates that the procedures for evaluating the design and testing the operational effectiveness of a company's internal control over financial reporting will vary from company to company. However, the instructions to the new rules direct management to carefully document their procedures. Management's conclusions in the internal control report must be clearly supported by documentation. In addition, the independent auditor providing the attestation will require management to keep such documentation. Management cannot delegate to the independent auditor the responsibility to design and document the company's internal control over financial reporting because of the auditor independence rules.
Management's Conclusion Regarding the Effectiveness of the Company's Internal Control Over Financial Reporting
The internal control report must contain management's assessment of its company's internal control over financial reporting. Management need not personally conduct the assessment but can delegate these activities to non-management personnel under their supervision. Management cannot conclude that the company's internal control over financial reporting is effective if it identifies one or more material weaknesses, and any material weaknesses must be disclosed in the report.
Auditor attestation of internal control report
In support of the statement contained in the internal control report that a company's independent auditors have attested to, and reported on, management's evaluation of internal control over financial reporting, the independent auditors must furnish their attestation report to the company for inclusion in the annual report. The independent auditor's attestation is not a separate engagement from the audit, but it is likely to require significant additional testing, review and documentation by the independent auditor.
The attestation report must contain the independent auditor's opinion concerning management's assertion about the effectiveness of its internal control over financial reporting in accordance with standards for attestation engagements. The Public Company Accounting Oversight Board ("PCAOB") has adopted as interim attestation standards those currently being used by independent auditors of financial institutions who are required to provide similar attestations under federal banking law. The adopting release indicates that the PCAOB may revise the interim attestation standards through additional rulemaking prior to the due date for the first attestation reports. The PCAOB plans to hold a roundtable discussion on whether to modify the interim standards at the end of the summer. Until there is certainty as to when and if the PCAOB will issue final rules, it may be difficult for independent auditors and their clients to prepare for the auditor attestation requirement.
What Steps Should Be Taken Now?
Management should consider the following steps:
1: A "material weakness" is defined in the AICPA's Codification of Statements on Auditing Standards Section 325 as "a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions."
2: In 1985, a private-sector initiative known as the Treadway Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was formed to study the financial reporting system in the United States. The Treadway Commission recommended that its sponsoring organizations work together to integrate the various internal control concepts and definitions existing in accounting literature to develop a common reference point. The sponsoring organizations of the Treadway Commission included the American Institute of Certified Public Accountants, The Institute of Internal Auditors, Financial Executives International, Institute of Management Accountants and American Accounting Association. The result of their collaboration was the COSO Framework. Banks subject to Federal Deposit Insurance Corporation oversight already use the COSO Framework in evaluating the effectiveness of their internal controls.