SEC concept release concerning management's report on internal control over financial reporting
By: Cydney Posner
As promised when the SEC detailed its action plan for addressing SOX 404 (see my posting of 5/17/06), the SEC has just posted its concept release concerning management's report on internal control over financial reporting.
The concept release is being submitted for public comment for 60 days, with the goal of better understanding public interest in additional guidance for management and assisting the SEC in developing guidance that addresses the needs of companies, helps to make the requirements scalable for companies of all sizes and complexity and helps companies perform the evaluations in a practical and cost-efficient manner.
While the SEC does not plan to prescribe a single methodology for all companies, it has received much feedback regarding the paucity of management guidance available. Some of the feedback centered around the problem that AS2, which is designed for auditors, has, in the absence of other guidance, largely driven management's efforts to date. As a result, the SEC intends to issue additional management guidance and is using the concept release to solicit input. The guidance is expected to be a rule addressing risk and control identification, management’s evaluation and documentation requirements. If companies comply with the rule, they would be deemed to have complied with Rules 13a-15(c) and 15d-15(c) of the Exchange Act.
In particular, the release recognizes the special concerns expressed by the SEC Advisory Committee on Smaller Public Companies:
- The limited number of personnel in smaller companies constrains the companies' ability to segregate conflicting duties.
- Management's control and more direct communication increase the risk of management override.
- The dynamic nature of smaller companies limits their ability to maintain well-documented static business processes.
The release also solicits input regarding:
- Whether the guidance should be detailed or stated in broad principles, in a rule format or solely interpretive;
- The reasons most companies have elected to use the COSO framework and whether additional frameworks would be useful; and
- The appropriate role of outside auditors in connection with the 404(a) management assessment and the manner in which outside auditors provide the 404(b) attestation.
Feedback to the SEC indicates that many companies did not efficiently and effectively identify risks and relevant internal control functions, which led to the identification, documentation and testing of an excessive number of controls. The release speculates that an "overly conservative application of AS No. 2 by auditors in the initial years" may have contributed to this result. The SEC also heard that companies had difficulty with respect to determining and assessing controls related to the prevention of fraud. The SEC expects that guidance would address how management should determine the overall objectives and identify the related risks, including fraud risks, and how to identify the controls to address the recognized risks, including materiality considerations, multi-location issues and "key" controls. The release solicits input regarding:
- The appropriateness of and extent to which quantitative and qualitative factors, such as likelihood of an error, should be used when assessing risks and identifying controls;
- Fraud controls;
- Multiple locations;
- Entity-level controls;
- The effectiveness of the COSO guidance;
- Identification of controls that address the risks of material misstatement; and
- Implementation of a "top-down, risk-based" approach.
Management's Evaluation
As indicated in the SEC's previous guidance, management’s judgments about the significance and complexity of the risk areas it has identified should form the basis for determining which controls to evaluate, as well as the nature, timing and extent of the evaluation procedures. Although management’s assessment must be "as of" the company’s fiscal year end, the SEC observes that the rules do not preclude management from obtaining evidence to support its assessment through cumulative knowledge it acquires throughout the year and in prior years. The release notes that the SEC has heard that, in some cases, management may have "unnecessarily tested controls using separate evaluation-type testing in connection with its annual assessment, rather than relying on its ongoing monitoring activities, which may include, for example, cumulative knowledge and experiences from its daily interactions with controls." With respect to control deficiencies, the SEC emphasizes the importance, in exercising reasonable judgment, of having "a comprehensive understanding of the nature of the deficiency, its cause, the relevant financial statement assertion the control was designed to support, its effect on the broader control environment, and whether effective compensating controls exist." The SEC is also interested in understanding whether there are specific areas related to IT where additional guidance would be useful. In attempting to reduce or eliminate excessive testing by improving the focus on risk and use of entity-level controls, the SEC expects guidance to cover the overall objective of evaluation procedures, methods of gathering supportive evidence and factors in determining the nature, timing and extent of evaluation procedures, including whether and how entity-level controls may adequately address risk at the financial statement and disclosure level, extent of assessment of IT controls and assessment of the severity of an identified control deficiency. 
Input solicited relates to:
- Reducing the need for testing at the individual account or transaction level through entity-level controls;
- Sources of evidence;
- Timing of management testing;
- Definitions of "material weakness" and "significant deficiency"; and
- Factors to consider in determining whether no material weakness exists despite the discovery of a need to correct a financial statement error or to restate financial statements.
The SEC understands that many companies may have incurred significant documentation costs related to excessive documentation resulting from excessive testing. The SEC expects to provide guidance on the appropriate and required levels of documentation, including clarifying the overall objectives of the documentation, factors that might influence documentation requirements, updating of previously created documentation, controls that do not result in documented evidence and smaller company concerns. Input solicited relates to:
- Excessiveness of documentation;
- Usefulness of guidance in determining documentation necessary; and
- Nature of guidance necessary for smaller companies.