Sarbanes-Oxley Update: SEC Mandates Management Report on Internal Controls and Modifies Officer Certification Requirements



The Securities and Exchange Commission has adopted final rules requiring reporting companies annually to provide a report on internal controls prepared by their management and attested to by their independent auditors and quarterly to disclose any material changes in these controls. The SEC has also modified the existing CEO/CFO certification requirements under Sections 302 and 906 of the Sarbanes-Oxley Act of 2002. (See SEC Release No. 33-8238, available at http://www.sec.gov/rules/final/33-8238.htm.)

The SEC significantly extended the transition period for compliance with the new rules for management reports on internal controls. Accelerated filers (generally, U.S. companies with a market capitalization exceeding $75 million) must comply with the new internal control report requirements for fiscal years ending on or after June 15, 2004. All other reporting companies, including foreign private issuers but excluding asset-backed issuers and registered investment companies, have until their annual reports for fiscal years ending on or after April 15, 2005 to comply. Compliance with the modified certification requirements, however, will be required for applicable SEC reports due on or after August 14, 2003.

Management's Annual Report on Internal Control Over Financial Reporting

Implementing Section 404 of the Sarbanes-Oxley Act, the new rules require management to acknowledge its responsibility for the adequacy of the company's internal control structure and procedures for financial reporting and to assess the effectiveness of this internal control over financial reporting. The annual internal control report must contain:

  • A statement of management's responsibility for establishing and maintaining adequate "internal control over financial reporting";
  • Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether the company's internal control over financial reporting is effective;
  • A statement identifying the framework used by management to conduct the evaluation; and
  • A statement that the public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment.

Management's report must affirmatively state whether the company's internal control over financial reporting is effective. Management is not permitted to provide solely a negative assurance that nothing has come to their attention to cause them to believe that such controls are not effective. In addition, management is not permitted to conclude that the company's internal control over financial reporting is effective if any material weaknesses are identified, and management must disclose any such material weaknesses.

Under Statement on Auditing Standards No. 60, a material weakness is a failure of the internal controls (or a component part) to "reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements . . . may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions." A significant deficiency in internal controls that does not rise to the level of a "material weakness" need not be disclosed in the report, but the SEC has cautioned that the aggregate effect of a number of significant deficiencies may amount to a material weakness.

Definition of Internal Control Over Financial Reporting. The new rules define "internal control over financial reporting" as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external consumption in accordance with GAAP. Such internal controls must include policies and procedures that address:

  • the maintenance of records that accurately, fairly and in reasonable detail reflect transactions involving, and dispositions of, company assets;
  • reasonable assurance that transactions are recorded as needed to permit preparation of financial statements in accordance with GAAP and that receipts and expenditures are made only in accordance with management authorization; and
  • reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of company assets.

This definition focuses on the elements of internal control relating to financial reporting, and not on other elements of control, such as operational efficiency, risk management, corporate governance and compliance with law. The SEC provides little guidance on the extent of overlap between "internal control over financial reporting" addressed by the new rules and "disclosure controls and procedures" addressed by prior rulemaking. However, the adopting release states that internal controls do not entirely subsume disclosure controls and vice versa. The distinctions made in the adopting release between these two types of controls help to alleviate concern that management's quarterly report on disclosure controls and procedures (required by August 2002 SEC rules) could require a complete evaluation of all internal controls.

Recordkeeping Requirement. In evaluating internal control over financial reporting, a company must have a process for documenting reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. The SEC also stressed the importance of maintaining proper records to back up the evaluation of internal control over financial reporting. These back-up procedures should provide reasonable support:

  • for the evaluation of whether the internal control over financial reporting is designed to prevent or detect material misstatements or omissions in the financial statements;
  • for the conclusion that the tests of the effectiveness of the internal control over financial reporting were appropriately planned and performed; and
  • that the results of the tests of the effectiveness of the internal control over financial reporting were appropriately considered.

Framework for Internal Control. Management's evaluation and assessment must be based on a suitable, recognized framework of operating procedures that have been evaluated by a non-governmental entity of recognized standing. The framework must, at a minimum, (1) be unbiased, (2) permit consistent measurement of internal control over financial reporting, (3) include all factors relevant to evaluating the effectiveness of the company's internal controls, and (4) be relevant to an evaluation of internal control over financial reporting.

In its adopting release, the SEC specifically endorsed the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control – Integrated Framework (the "COSO Framework"). The SEC also identified the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and the Turnbull Report published by the Institute of Chartered Accountants in England and Wales as examples of other suitable frameworks. Non-U.S. companies should assess comparable frameworks promulgated in their home countries for compliance with the criteria established by the SEC.

Auditor Independence Concerns. A reporting company's independent auditors undoubtedly will be involved in the internal control process in order to attest to management's report. However, the SEC cautions that, to maintain their independence, auditors must refrain from engaging in prohibited non-audit services for their audit clients, such as maintaining or preparing accounting records, designing or implementing financial information systems or engaging in management functions. The SEC has emphasized that management must be actively involved in the internal control process and may not delegate its responsibility to the independent auditors.

Quarterly Evaluation of Changes in Internal Control Over Financial Reporting

The new rules do not require that management provide its internal control report on a quarterly basis. However, companies must perform quarterly evaluations, under the supervision of their CEO and CFO, of changes that have materially affected or are reasonably likely to materially affect the company's internal control over financial reporting.

Under the final rules, an SEC reporting company must evaluate and disclose in its periodic reports any change in internal control over financial reporting that has occurred during the most recent quarter covered by the report that is material or likely to be material. The rules do not require the company to disclose the reasons for any change, unless necessary to make the disclosure about the change not misleading.

Foreign private issuers that file annual reports on Form 20-F or Form 40-F must include in these reports disclosure of any material change in internal control over financial reporting. Because these companies are not required to file quarterly reports under the Securities Exchange Act of 1934, there is no requirement that they report and evaluate material changes to internal control over financial reporting on a quarterly basis.

Modification of Evaluation Date for Disclosure Controls and Procedures

The new rules change the evaluation date for disclosure controls and procedures (required by August 2002 SEC rules) to "as of the end of the period" covered by the quarterly or annual report as opposed to the previous requirement that the evaluation be made "as of a date within 90 days of filing." In addition, the SEC's release clarifies that management's quarterly evaluation of disclosure controls and procedures may focus on developments occurring or weaknesses identified during the quarter, and disclosure in an annual report that continues to be accurate need not be repeated in a quarterly report. For a detailed discussion of the evaluation of disclosure controls and procedures, please see our Corporate Update dated September 5, 2002 entitled "SEC Adopts Section 302 Certification Rules" available at www.Dorsey.com.

Modifications to Certification Requirements

The SEC modified the existing CEO/CFO certification requirements under Sections 302 and 906 of the Sarbanes-Oxley Act as follows:

  • Section 302 certification. This certification requirement has been modified (1) to provide new language consistent with the final rules for management's report on internal controls discussed above and (2) to require that the certification be filed as Exhibit 31 to the applicable report, rather than appearing in the body of the report following the signature page. The modified form of the Section 302 certification adopted by the new rules is attached as Schedule A to this memorandum and is effective for all periodic reports due on or after August 14, 2003. Because of the delayed compliance dates for internal control reports, however, those portions of the certificate relating to management's responsibility for establishing internal control over financial reporting (printed in bold on Schedule A) may be omitted in any report due prior to the date on which management's internal control report is required to be included.
  • Section 906 certification. This certification has been modified to require that it be provided as Exhibit 32 to the applicable report, rather than furnished as related correspondence as previously permitted. The final rules specifically provide that the Section 906 certification is deemed "furnished" to and not "filed" with the SEC. Thus, the Section 906 certifications will not be subject to liability under Section 18 of the Securities Exchange Act of 1934. Moreover, the certifications will not be subject to automatic incorporation by reference into a company's registration statements under the Securities Act of 1933, and thereby subject to liability under Section 11 of the Securities Act, unless the issuer takes steps to include the certifications in a registration statement.

If the EDGAR system cannot accept new Exhibits 31 and 32 at the time of filing, companies should file the certifications as Exhibit 99.

Uncertainty Regarding Application of Section 906 to Forms 6-K, 8-K and 11-K

In its adopting release, the SEC failed to clarify whether a Section 906 certification is required for an annual report on Form 11-K filed by certain employee benefit plans and raised a question whether the certification will be required for current reports on Forms 6-K (for foreign private issuers) and 8-K. While the exhibit requirements for Forms 6-K, 8-K and 11-K were not amended by the SEC to require Section 906 certifications, the SEC indicated that it is "considering, in consultation with the Department of Justice" the application of Section 906 to these forms in light of a statement made earlier this year by Senator Joseph Biden that such certifications were intended by Congress to be required and comments received in the rulemaking process. The confusion has been compounded by reports of informal SEC advice that the SEC staff believes Form 11-K should be accompanied by the Section 906 certification and that the language of the Section 906 certification may be modified to address the unique nature of annual reports on Form 11-K.

Until the SEC issues a clarification, issuers should consider providing a Section 906 certification with any annual report on Form 11-K. Absent further SEC direction, however, we do not believe issuers are required to provide a Section 906 certification with current reports on Forms 6-K and 8-K.

Conclusion

Although the compliance date for inclusion of management's internal control report has been delayed, companies cannot defer their review of internal control structures and procedures for financial reporting. Evaluating, testing and documenting a company's internal control over financial reporting is a significant and time-consuming endeavor involving management, the board of directors, numerous employees and the independent auditor. Companies should begin this process immediately (if they have not already done so) and remedy any material weaknesses well before the compliance date for the new requirements.

______________________

Schedule A

Section 302 Certification for Reports Due On or After August 14, 2003

Note: Text printed in bold may be omitted until the registrant is required to comply with the reporting requirements concerning internal control over financial reporting.

I, [identify the certifying individual], certify that:

1. I have reviewed this [specify report] of [identify registrant];

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

4. The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and

5. The registrant's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.

Date: __________________

_______________________

[Signature]
[Title]

Disclaimer

©2003 Dorsey & Whitney LLP. This Corporate Update is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. Members of the Dorsey & Whitney LLP Corporate Group will be pleased to provide further information regarding the matters discussed in this Corporate Update.