SEC and PCAOB Issue Important Guidance Designed to Lower the Cost of Internal Control Reviews

Client Alert

On May 16, 2005, the Securities and Exchange Commission ("SEC") issued a press release announcing that the staff (the "Staff") of the Division of Corporation Finance, together with the Office of the Chief Accountant, had issued a Staff Statement on Management’s Report on Internal Control Over Financial Reporting (the "Staff Statement").[1]  On the same day, the Public Company Accounting Oversight Board (the "PCAOB") issued a press release and issued guidance in the form of a Board Policy Statement and FAQ (the "Guidance") directed to independent accounting firms.  The Staff Statement and the Guidance provide interpretive advice and guidance to public companies and their auditors encouraging more flexibility by auditors, and their company clients, in implementing Section 404 of the Sarbanes Oxley Act of 2002 ("SOX") in order to reduce company costs. 

PCAOB Chairman William J. McDonough stated, "It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting.  At the same time, it is equally clear to us that the first round of internal control audits cost too much."  Chairman McDonough also said, "[t]hrough the guidance we issue today, as well as our upcoming inspections, we are committed to seeing that AS No. 2 is implemented in a manner that captures the benefits of the process without unnecessary and unsustainable costs."  The Staff Statement indicated that "[m]anagement should not allow the goal and purpose of the internal control over financial reporting provisions - the production of reliable financial statements - to be overshadowed by the process."

In particular, the Staff Statement and the Guidance provided relief in the following areas of recent tension between companies and their auditing firms:

  • Concept of Reasonable Assurance:  The Staff Statement provided interpretive gloss to what it means for internal control over financial reporting to provide reasonable assurance regarding the reliability of financial statements.  According to the Staff Statement, reasonable assurance connotes "such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs."
  • One Size Does Not Fit All:  Managements of companies and their outside auditors should use their respective knowledge of the companies and their industries, their professional experience and their business judgment in designing the appropriate scope of a SOX Section 404 evaluation process.[2]  According to the Staff Statement, "registered public accounting firms should recognize that there is a zone of reasonable conduct by issuers that should be recognized as acceptable in the implementation of Section 404."  The Staff and the PCAOB suggest the use of more subjective judgments to determine the appropriate levels of testing and levels of documentation involved in a company’s internal control review.  In particular, the Staff Statement and the Guidance provide that to effect a more efficient and cost-effective method of conducting a SOX Section 404 evaluation, auditors and their company clients should implement a "top-down assessment," which would more narrowly focus attention on those areas of the financial reporting processes that pose the greatest risks to that company’s financial statements.  In other words, companies and their auditors are encouraged to focus their efforts on those internal controls whose failure would most likely result in material errors, concomitantly reducing the amount of work related to lower-risk areas.[3]
  • Reduce the Amount of Testing:  Various suggestions are made in the Staff Statement and Guidance to reduce the amount of testing and documentation associated with the internal control reviews.  The Staff Statement suggests taking a step back from individual control activities and viewing a group of activities as a single control.  By viewing a group of individual control activities as a single control, management can thereby not only reduce the amount of testing of the controls within the group, but can also ensure that the overall control is designed and operates effectively.[4]  The Staff Statement suggests that a company may also reduce its workload by alternating the testing of different controls from year‑to‑year, and that it would actually be preferable to test controls at different points during a fiscal year.  The Guidance suggests that auditors could reduce the amount of testing they have to do if they were to better integrate their internal control audit with the financial statement audit and were to rely more heavily on the work product of others in evaluating lower-risk controls.
  • Material Weaknesses are Not All Created Equal:  The Staff Statement dispels the common perception that a company is not permitted to distinguish the significance of its material weaknesses.  To the contrary, the Staff Statement encourages disclosures that highlight those weaknesses that may have a pervasive impact and that are of greatest concern to management.  While all material weaknesses that remain as of the end of the fiscal year must be disclosed, the stated goal is to provide investors with enough information to understand the potential impact of the material weaknesses. 
  • Auditors and Companies are Encouraged to Talk to Each Other:  The Staff Statement, in an effort to alleviate the "chilling effect" that SOX Section 404 has had on the level of company-auditor communications, clarifies that outside auditors and company management can and should engage in constructive communications that would ultimately improve the company’s financial statements.  As long as company management, and not the outside auditor, makes the ultimate decision regarding the company’s financial reporting and as long as the auditor does not independently design or implement accounting policies, companies and their outside auditors should feel free to engage in conversations about technical accounting, auditing and financial reporting matters.  Importantly, the Staff Statement states that "the auditor’s discussing and exchanging views with management does not in itself violate the independence principles, nor does it fall into one of [the] nine prohibited categories of services."
  • Providing Draft Financial Statements to Auditors is Not Prohibited:  The Staff Statement provides comfort to companies who have worried that providing draft financial statements to outside auditors increases the risk that the auditors will find a control deficiency.  The Staff Statement indicates that draft financial statements are, by their very nature, incomplete and that an error in draft financial statements, in and of itself, should not be the basis for the determination of a control deficiency.  According to the Staff Statement, an auditor’s finding of a control deficiency based on communications or draft financial statements could be "unwarranted."  The PCAOB Guidance confirms this by clarifying that auditors should not rush to premature judgment about a control deficiency until the company has completed its financial statements.

Both the SEC and the PCAOB indicate that they will continue to monitor and evaluate developments in the implementation of Section 404 with a view to improving and lowering the cost of the process. 

For further information, you may contact Eric Roberts, the Head of Morrison & Foerster’s Forensic Accounting Group, or any of the other corporate partners in our worldwide offices. 


[1] While a "staff statement" provides the views of the Staff, and has not been officially approved by the Commission itself, it is generally regarded as an authoritative pronouncement. 

[2] According to the Staff Statement, "The scope and process of the assessment should be reasonable, and the assessment (including testing) should be supported by a reasonable level of evidential matter."

[3] For instance, rather than testing all of the detail controls relating to the cash disbursement process, management and auditors should first consider company-level controls, which might include centralized processing of accounts payable, the recent or planned review of the disbursement function by internal audit, detailed budgetary reviews, and a financial reporting process that historically has not revealed any end of period accounting errors.  The review of company-level controls will assist managements and auditors in distinguishing the accounts and processes that have a significant impact on the financial statements from those that do not.  Throughout this evaluation process, managements and auditors should conduct risk assessments to determine the appropriate level of detail testing for the significant controls over the cash disbursement function.

[4] For example, the overall control to provide financial statement assurance for accounts payable may consist of a number of steps, such as approvals, authorizations, verifications, reconciliations, and reviews.  The Staff suggests that it may not be necessary to conduct detailed testing of all of the constituent items, but instead test the effectiveness of a combination of steps. 

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.