On May 27, 2003, the Securities and Exchange Commission (the "SEC") concluded its nearly one-year rulemaking agenda relating to the implementation of the Sarbanes-Oxley Act of 2002 (the "Act") with the adoption of rules requiring internal control reports in annual reports of most public companies.
The SEC introduced "internal control over financial reporting" as a new term of art under Section 404 of the Act and will require that management of a public company (small business issuers and foreign private issuers included) annually report on their responsibility for establishing and maintaining internal control over financial reporting and their evaluation of the effectiveness of such internal control. The report must also contain an attestation report of the company's independent auditor as to management's evaluation. Asset-backed securities issuers and registered investment companies do not have to comply with the new internal control reporting requirements.
In conjunction with adopting the new Section 404 internal control report requirements, the SEC also revised the quarterly and annual certification requirements of the chief executive officer and chief financial officer to more clearly reflect their role in overseeing the company's internal control over financial reporting. For information about those changes, please see our client alert SEC Adopts Changes to CEO/CFO Certifications, June 2003.
Where is the internal control report required?
The internal control report is only required in annual reports.
When Will the Internal Control Report First Be Required?
- The final rule gives public companies more time for compliance than had previously been anticipated.
- Public companies that are so-called "accelerated filers" (generally, U.S. public companies with a public float in excess of $75 million and that have filed at least one annual report with the SEC - which encompasses the vast majority of SEC registrants) and are not foreign private issuers must include management's internal control report in their Form 10-Ks covering fiscal years ending on or after June 15, 2004.
- All other public companies, including foreign private issuers and small business issuers, must first include the internal control report in their annual reports covering fiscal years ending on or after April 15, 2005.
Therefore, an "accelerated filer" with a December 31st fiscal year-end will first have to include the internal control report in its Form 10-K for the fiscal year ending December 31, 2004 while all other public companies with calendar year fiscal year-ends will have to first include internal control reports in their annual reports for the fiscal year ending December 31, 2005.
Definition of "internal control over financial reporting"
The CEO and CFO certification requirements adopted in 2002 introduced the phrase "disclosure controls and procedures." The SEC defined disclosure controls and procedures as a company's processes for ensuring that information required to be disclosed by the company is recorded, processed, summarized and reported in a timely manner. For more information about "disclosure controls and procedures," please see our alert SEC Requires CEO and CFO Certification of Quarterly and Annual Reports, September 2002. The 2002 form of certification also refers to "internal controls," which the SEC did not define. Since the adoption of the certification requirements, there has been uncertainty about management's responsibilities with respect to their company's internal controls. The new rules replace the phrase "internal controls" with "internal control over financial reporting" and provide a definition of this new term of art.
"Internal control over financial reporting" is defined as a process designed by, or under the supervision of, the company's CEO and CFO, and effected by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles ("GAAP") and includes those policies and procedures that:
- pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the company's transactions and dispositions of assets;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
The release indicates that this definition is consistent with the definition of "internal accounting controls" in existing accounting literature and in the Foreign Corrupt Practices Act.
Internal control over financial reporting versus disclosure controls and procedures
While there is substantial overlap between a company's disclosure controls and procedures and internal control over financial reporting, both contain elements not necessarily covered by the other. For example, both are implicated in a company's procedures for ensuring that the publicly filed financial statements are prepared in accordance with GAAP. However, necessary components of those procedures, ensuring that transactions are properly recorded and that assets are safeguarded against unauthorized or improper use, are covered by a company's internal control over financial reporting but might not be included in its disclosure controls and procedures.
Only a company's annual report must contain management's evaluation of the effectiveness of internal control over financial reporting while every quarterly and annual report must contain management's evaluation of the effectiveness of disclosure controls and procedures and disclosure of any material changes to internal control over financial reporting occurring during the quarter. The requirement for management to report on material changes to internal control over financial reporting is effective for quarterly periods ending on or after June 30, 2003, more than one year prior to the internal control report first being required. Therefore, management may have to report as part of their certification obligation in upcoming quarterly reports on material changes to the company's internal control over financial reporting as the company implements changes to its internal control over financial reporting in preparation for the internal control report and attestation requirement under Section 404 of the Act.
Content of the internal control report
A public company's annual report must include an internal control report of management that includes:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;
- A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting;
- Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective. The assessment must include disclosure of any "material weaknesses" [fn1] in the company's internal control over financial reporting identified by management; and
- A statement that the company's independent auditor has issued an attestation report on management's assessment.
The annual report must also contain the attestation report of the independent auditor. The new rules do not specify where in an annual report the internal control report and attestation report must appear, but suggest that the internal control report and attestation report be included together in the annual report either near the company's Management's Discussion and Analysis of Financial Condition and Results of Operations disclosure or just before the audited financial statements. Regardless of where both reports are located, they should be located together in the annual report.
Framework for Management's Evaluation of Internal Control Over Financial Reporting
The SEC's proposing release did not reference specific criteria for management's assessment of internal control over financial reporting. The final rules require that management utilize an established control framework to evaluate the effectiveness of the company's internal control over financial reporting. A framework provides management with guidance about the documentation, review and testing necessary to satisfy their due diligence supporting their assessment of internal control over financial reporting. Although the new rules do not require the use of a specific control framework, the rules do identify as an acceptable framework the COSO Framework, a set of internal control evaluation procedures developed, beginning in 1992, by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO").[fn2] For more information about the COSO Framework, please go to the COSO website (http://www.coso.org/Publications/index.html). Companies may utilize other control frameworks as long as the frameworks meet specified guidelines set forth in the SEC's adopting release. The final rules require management to identify in the report the framework used to evaluate the effectiveness of internal control over financial reporting.
Management's Evaluation of Internal Control Over Financial Reporting
Though the new rules suggest the COSO Framework as a framework for management's evaluation of internal control over financial reporting, no specific methods or procedures for conducting evaluations are recommended. The SEC indicates that the procedures for evaluating the design and testing the operational effectiveness of a company's internal control over financial reporting will vary from company to company. However, the instructions to the new rules direct management to carefully document their procedures. Management's conclusions in the internal control report must be clearly supported by documentation. In addition, the independent auditor providing the attestation will require management to keep such documentation. Management cannot delegate to the independent auditor the responsibility to design and document the company's internal control over financial reporting because of the auditor independence rules.
Management's Conclusion Regarding the Effectiveness of the Company's Internal Control Over Financial Reporting
The internal control report must contain management's assessment of its company's internal control over financial reporting. Management need not personally conduct the assessment but can delegate these activities to non-management personnel under their supervision. Management cannot conclude that the company's internal control over financial reporting is effective if it identifies one or more material weaknesses, and any material weaknesses must be disclosed in the report.
Auditor attestation of internal control report
In support of the statement contained in the internal control report that a company's independent auditors have attested to, and reported on, management's evaluation of internal control over financial reporting, the independent auditors must furnish their attestation report to the company for inclusion in the annual report. The independent auditor's attestation is not a separate engagement from the audit, but it is likely to require significant additional testing, review and documentation by the independent auditor.
The attestation report must contain the independent auditor's opinion concerning management's assertion about the effectiveness of its internal control over financial reporting in accordance with standards for attestation engagements. The Public Company Accounting Oversight Board ("PCAOB") has adopted as interim attestation standards those currently being used by independent auditors of financial institutions who are required to provide similar attestations under federal banking law. The adopting release indicates that the PCAOB may revise the interim attestation standards through additional rulemaking prior to the due date for the first attestation reports. The PCAOB plans to hold a roundtable discussion on whether to modify the interim standards at the end of the summer. Until there is certainty as to when and if the PCAOB will issue final rules, it may be difficult for independent auditors and their clients to prepare for the auditor attestation requirement.
What Steps Should Be Taken Now?
Management should consider the following steps:
- Prepare now. Although it will be more than a year before the first internal control reports are required to be filed, management should consider beginning preparation now so that they can timely evaluate internal control over financial reporting and the independent auditors can attest to such evaluation. Documenting internal controls over financial reporting will take significant time, especially if changes must be implemented, and documentation must be done prior to management's evaluation and testing. Starting now gives companies time to put remedial actions in place before reporting starts.
- Select a framework. The COSO Framework will likely be the choice of most companies for evaluating the effectiveness of their internal control over financial reporting since it has been endorsed by the SEC. However, other companies, such as foreign private issuers, may find other frameworks better suited to their organizational structure.
- Get help. We expect that only in rare circumstances will management try to prepare its internal control report without outside assistance. Since the company's independent auditor must attest to management's conclusions in the internal control report, it may be advisable for management to coordinate closely with the independent auditors regarding the processes of documenting and testing internal control over financial reporting. The auditor independence requirements allow the independent auditor to assist management in documenting internal controls; however, management must be actively involved. The adopting release warns companies that management cannot delegate its responsibility to assess internal control over financial reporting. Management should define the role of its outside auditors and evaluate what its independent auditors can and cannot do to assist in the preparation. The internal audit department, in contrast, will typically be expected to play a very large role in the design of internal control over financial reporting. In many cases, third party consultants and/or counsel will also be invaluable in preparing the internal control report. Close coordination of the process with the company's outside audit firm would seem to be a wise part of early planning so as to avoid unexpected hiccups as the independent auditors move through their review process to deliver the required attestation.
- Budget the process. The costs to a company of documenting existing internal control over financial reporting, possibly adding additional controls, and designing and testing existing internal control over financial reporting are expected to be significant, and the work time consuming. For multi-national companies with extensive overseas operations the costs of compliance will be even greater. The more time that is given to the process, the greater the chance that the costs can be controlled.
- Review D&O Insurance. Reassess the company's D&O insurance coverage for management and the board of directors in light of the increased liability risks stemming from the inclusion of the internal control report. Review your D&O insurance policy with your carrier and your advisors to fully understand the exposure to management and the board of directors throughout the entire evaluation process. For more information on how to evaluate your D&O insurance coverage, please see our client alert D&O Insurance: What You Must Know to Minimize Your Potential Personal Liability, May 2003.
Footnotes
1: A "material weakness" is defined in the AICPA's Codification of Statements on Auditing Standards Section 325 as "a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions."
2: In 1985, a private-sector initiative known as the Treadway Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was formed to study the financial reporting system in the United States. The Treadway Commission recommended that its sponsoring organizations work together to integrate the various internal control concepts and definitions existing in accounting literature to develop a common reference point. The sponsoring organizations of the Treadway Commission included the American Institute of Certified Public Accountants, The Institute of Internal Auditors, Financial Executives International, Institute of Management Accountants and American Accounting Association. The result of their collaboration was the COSO Framework. Banks subject to Federal Deposit Insurance Corporation oversight already use the COSO Framework in evaluating the effectiveness of their internal controls.