By: Cydney Posner

The SEC has posted its 71-page release proposing interpretive guidance for management regarding its evaluation of internal control over financial reporting. The guidance, one of the SEC's more prolix efforts, provides an approach to conducting a top-down, risk-based evaluation. The release also includes two proposed rule amendments: the first providing that an evaluation performed in compliance with the interpretive guidance will satisfy the requirement for the evaluation, and the second revising the auditor's attestation report requirement.

The proposed guidance is intended to allow management the flexibility to design an evaluation process that provides reasonable assurance for management's assessment and is built upon management's own experience and informed judgment to meet the needs of its company. While the assessment must be based upon a recognized framework, such as COSO, the SEC's guidance is distinct from, and not intended to replace or modify, that framework. In particular, the guidance is intended to address the issues that have been raised concerning the application of the internal control requirements to small public companies. These companies often share three characteristics that make the application of AS2 problematic and disproportionately costly:

  • the limited number of personnel in smaller companies, which constrains these companies’ abilities to segregate conflicting duties;
  • top management’s wider span of control and more direct channels of communication, which increase the risk of management override; and
  • the dynamic and evolving nature of smaller companies, which limits their ability to have static processes that are well-documented.
The central purpose of management's evaluation is to assess, as of the end of the fiscal year, whether there are any material weaknesses in internal control. A material weakness is a deficiency, or combination of deficiencies, that results in a "reasonable possibility" (as the term is used in existing auditing literature and practice) that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s internal control over financial reporting. Management's evaluation should provide a reasonable basis for its annual assessment. Internal control is effective in providing "reasonable assurance" regarding the reliability of financial reporting only if there are no material weaknesses as of year end. "Reasonable assurance" does not mean absolute assurance, and the SEC makes clear that internal control should not be expected to prevent or detect all misstatements: "reasonableness" is not an "absolute standard of exactitude for corporate records," and thus " 'reasonable'... do[es] not imply a single conclusion or methodology, but encompass[es] the full range of appropriate potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions." Reasonableness includes as a factor the cost of compliance.

The SEC has organized its proposed guidance around two broad principles:

  • that management should evaluate the design of the controls that it has implemented to determine whether they adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner; and
  • that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.
To address common areas of concern, the proposed guidance:

  • Explains how to vary approaches for gathering evidence to support the evaluation based on risk assessments;
  • Explains the use of "daily interaction," self-assessment and other ongoing monitoring activities as evidence in the evaluation;
  • Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment;
  • Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
  • Allows management and the auditor to have different testing approaches.
The Evaluation Process

To provide a reasonable basis for its annual assessment, management identifies the risks to reliable financial reporting, evaluates whether the design of the controls addressing those risks results in a reasonable possibility that a material misstatement would not be timely prevented or detected, and evaluates evidence about the operation of the controls included in the evaluation based on its assessment of risk. The assessment must be made in accordance with a recognized control framework, which defines elements of internal control that are expected to be present and functioning in an effective internal control system. The characteristics described in the framework, and therefore the policies, procedures and activities that constitute the controls, may be relevant to individual areas, pervasive to many areas or entity-wide. Management ordinarily would consider the company's entity-level controls both in its assessment of risk and in identifying which controls adequately address the risk.

Typically, in subsequent years, less effort will be required because subsequent evaluations "should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the evidence necessary to reasonably support the assessment will only need to be updated from the prior year(s), not recreated anew."

Identifying Financial Reporting Risks and Controls

Identification of financial risks. The effort necessary to conduct an initial evaluation of financial reporting risks will depend, in part, upon management’s existing financial reporting risk assessment and monitoring activities. The proposed guidance provides that, ordinarily, the identification of financial reporting risks begins with an evaluation of how the requirements of GAAP apply to the company’s business, operations and transactions. Using its understanding of the business, management then identifies the sources that could result in a material misstatement to the financial statements, including internal and external risk factors that affect the business (and changes to those risks) and the initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements. Management should also take into account the exposure of the entity to fraudulent activity (e.g., fraudulent financial reporting, misappropriation of assets and corruption). The methods and procedures for identifying financial reporting risks will vary based on the size, complexity, organizational structure and other characteristics of the company. For example, large companies may require the involvement of a number of employees with specialized knowledge about various aspects of the business, while, at a small company, management’s daily involvement with the business may provide it with adequate knowledge to identify these risks.

Identification of controls that adequately address risks. Once the financial reporting risks have been identified, management must evaluate whether it has controls in operation that are designed to address the identified risks. A control consists of a specific set of policies, procedures and activities--which may be preventive, detective or a combination of both--designed to meet an objective. A control may operate within a designated function or as an activity in a process, may be automated or manual and may have an impact that is entity-wide or specific to a class of transactions or applications. Controls may include reconciliations, segregation of duties, review and approval authorizations, safeguarding and accountability of assets, preventing error or fraud detection or disclosure.

Management's determination regarding whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about both the likelihood and potential magnitude of misstatements arising from the financial reporting risks. The proposed guidance states that controls are not adequate when "their design is such that there is a reasonable possibility that a misstatement in the related financial reporting element that could result in a material misstatement of the financial statements will not be prevented or detected on a timely basis." If controls are not adequately designed, the deficiency must be evaluated to determine if it constitutes a material weakness.

It is not necessary to identify all controls; rather, the evaluation step is risk-based. If there is one control that adequately addresses the identified risk, it is not necessary to identify other controls related to the same risk. Management may consider efficiency in identifying controls. For example, if there are redundant controls, management may decide to select the control that can be tested or evaluated for effectiveness more efficiently. Similarly, if there are adequate and effective general IT controls, management may determine that automated controls may be more efficient to evaluate than manual controls.

Entity-level Controls. Some entity-level controls are designed to operate at the process, transaction or application level and might be sufficient on their own to detect problems. However, some entity-level controls, such as the control environment (e.g., tone at the top and entity-wide programs such as codes of conduct and fraud prevention), that are designed to operate indirectly by identifying possible breakdowns in lower-level controls, are not sufficient by themselves. Therefore, it is unlikely management will identify this type of entity-level control as adequately addressing a financial reporting risk.

Role of General Information Technology Controls. Controls may be automated (e.g., application controls that update accounts in the general ledger for subledger activity) or dependent upon IT functionality (e.g., a control that manually investigates items contained in a computer-generated exception report). In this context, management generally would consider the design and operation of the automated or IT-dependent controls as well as the general IT controls over these applications. While general IT controls ordinarily do not directly prevent or detect material misstatements, the proper and consistent operation of automated or IT-dependent controls depends upon effective general IT controls. The proposed guidance states that, typically, management should consider whether, and the extent to which, general IT control objectives related to program development, program changes, computer operations and access to programs and data are applicable, and evaluate only those general IT controls that are necessary to adequately address financial reporting risks.

Evidential Matter to Support the Assessment. As part of its evaluation, management must maintain "evidential matter," a remarkable exercise in plain English by the Staff, meaning documentation of the design of the controls, such as policy manuals, process models, flowcharts, job descriptions, documents, internal memoranda and forms. Documentation is not required for every control, but rather should be focused on those controls that management concludes are adequate to address the financial reporting risks. Documentation also serves as evidence of changes and facilitates monitoring and communication of responsibilities.

Evaluating Evidence of Operating Effectiveness

The proposed guidance states that a control "operates effectively when it is performed in a manner consistent with its design by individuals with the necessary authority and competency." Management should focus on high risk areas, as well as entity-level controls, and should use procedures to gather evidence that are tailored to its assessment of the risk characteristics of both the individual financial reporting elements and the related controls. The relative strengths and weaknesses of the control environment and other entity-level controls may influence management's judgments about the risks of failure for particular controls. However, a strong control environment would not eliminate the need for evaluation procedures that consider the effective operation of the control in some manner.

Evidence of effective operation may be obtained from direct testing and ongoing monitoring activities, although the nature, timing and extent of necessary procedures depend upon the assessed risk. Management will need to take into account both the quantity and quality of the evidence, including qualitative characteristics such as the nature of the procedures, the time period, the objectivity of evaluators and, in the case of monitoring controls, the extent of validation through direct testing of underlying controls.

Determining the Necessary Evidence. To determine the necessary evidence, management will need to evaluate the control risk, considering "the impact of the characteristics of the financial reporting elements to which the controls relate and the characteristics of the controls themselves." In case you don't have a clue as to what that really means, the proposed guidance provides a handy (notice I did not say "helpful") diagram for you:

Management should consider both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to material misstatement. To summarize, the more material and more vulnerable to misstatement and the more prone the control to failure, the greater the risk and the more and better evidence you need. (Did that really require three pages to explain?) Examples of higher risk elements include those that:

  • involve judgment in determining the recorded amounts;
  • are susceptible to fraud;
  • have complexity in the underlying accounting requirements; or
  • are subject to environmental factors, such as technological and/or economic developments.
The likelihood of control failure may depend upon:

  • the type of control (i.e., manual or automated);
  • the complexity of the control;
  • the risk of management override;
  • the judgment required to operate the control;
  • the nature and materiality of misstatements that the control is intended to prevent or detect; and
  • the degree to which the control relies on the effectiveness of other controls (e.g., general IT controls).
For example, elements involving significant accounting estimates, related-party transactions or critical accounting policies would generally be viewed as higher risk with respect to both material misstatement and control failure, and would be especially high risk if they are subject to management override, involve significant judgment or are complex. When multiple controls are required for any financial element, each control must be assessed.

Implementing Procedures to Evaluate Evidence. The methods and procedures, including the timing of performance, are a function of the type of evidence that is necessary. Methods and procedures are also risk-based, and may include ordinary, day-to-day or monitoring activities or direct-testing procedures that are specially implemented. Monitoring activities may include self-assessments and the analysis of performance measures designed to track the operation of controls. Direct tests of controls are tests performed periodically to provide evidence as of a point in time and may provide information about the reliability of ongoing monitoring activities. As the risk increases, management would adjust the nature of the evidence by, for example, increasing the amount of direct testing, making the test more objective or adjusting the period of testing. High risk controls would typically require direct testing, which would likely be performed over a reasonable period, including year-end.

In smaller companies, where operation of controls is centralized and the number of personnel involved is limited, management’s daily interaction with controls through ongoing direct knowledge and direct supervision of control operation may provide sufficient knowledge for management's evaluation. Where there are multiple layers of management or multiple segments, these kinds of interaction would likely not suffice. In evaluating the evidence, management would consider whether the control operated as designed, including how the control was applied, consistency of application and whether the person performing the control possessed the necessary authority and competence to perform the control effectively. If management determines that the operation of the control is not effective, a deficiency exists that must be evaluated to determine whether it is a material weakness.

Evidential Matter to Support the Assessment. The nature and extent of the evidence will vary depending on the risk, but the SEC expects that it would include documentation of the methods and procedures management utilizes to gather and evaluate evidence. For example, management may document its overall strategy in a comprehensive memorandum that establishes the evaluation approach and procedures and the basis for conclusions for each financial reporting element. Separate copies of the evidence are not required, but the evidence memorialized in the company’s books and records should be sufficient to provide reasonable support. For smaller companies relying on daily interaction, management should document how its interaction provided it with sufficient evidence through, for example, memoranda, e-mails and instructions from management to company employees. Whether to maintain separate documentation may also depend upon the complexity of the control, the level of judgment required for its operation and the risk of misstatement, as well as whether separate documentation would assist the audit committee in its oversight function. If management believes that entity-wide and other pervasive controls are necessary for an effective system, the evidence should include documentation of how management formed that belief.

Multiple Location Considerations

If risks are not adequately addressed by controls that operate centrally, management would generally evaluate evidence of the operation of the controls at the individual locations or business units. If these risks are low, management may determine that evidence gathered through self-assessment or other ongoing monitoring activities, when combined with the evidence derived from a centralized control that monitors results at individual locations, is sufficient. Where risks are high, more evidence may be needed about the effective operation of the controls at the location. Management should consider whether there are location-specific risks or pervasive factors that might affect the risk that a control or all controls at the location might fail. Some locations may be so insignificant that no further evaluation procedures are needed.

Reporting Considerations

Evaluation of Control Deficiencies

To determine whether a control deficiency, or combination of control deficiencies, is a material weakness, management must evaluate each control deficiency that comes to its attention. Management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion or component of internal control to determine whether they collectively result in a material weakness. Interaction of controls must also be evaluated. The evaluation of a control deficiency should include both quantitative and qualitative factors, considering both the likelihood that failure of the control will result in failure to prevent or detect a misstatement on a timely basis, as well as the magnitude of the potential misstatement. The proposed guidance makes clear that this evaluation is based upon "whether the company's controls will fail to prevent or detect a misstatement on a timely basis, not necessarily on whether a misstatement actually has occurred."

Factors that may affect the likelihood that deficiencies will result in a misstatement include:

  • The nature of the financial statement elements, or components of those elements, involved (e.g., suspense accounts and related-party transactions involve greater risk);
  • The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk);
  • The subjectivity, complexity or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity or judgment, such as that related to an accounting estimate, increases risk);
  • The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control);
  • The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions); and
  • The possible future consequences of the deficiency.
Factors that may affect the magnitude of the misstatement include:

  • The financial statement amounts or total of transactions exposed to the deficiency; and
  • The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.
In evaluating magnitude, the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger. Moreover, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement (e.g., larger errors are more likely to be identified or investigated).

Management should consider the effect of compensating controls. Compensating controls are controls that help to reduce risk by addressing the objective of another control that did not function properly. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that was material.

When evaluating a deficiency, management should "determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP."

The proposed guidance cites the following circumstances as strong indicators of a material weakness:

  • An ineffective control environment, which may be indicated by, among other things:
    • Identification of fraud of any magnitude on the part of senior management.
    • Significant deficiencies that have been identified and remain unaddressed after some reasonable period of time.
    • Ineffective oversight of the company's external financial reporting and internal control by the company's audit committee.
  • Restatement of previously issued financial statements to reflect the correction of a material misstatement, including misstatements due to error or fraud, but not retrospective application of a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.
  • Identification by the auditor of a material misstatement in financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company's internal control.
  • For complex entities in highly regulated industries, an ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
Expression of Assessment of Effectiveness by Management and the Registered Public Accounting Firm

An assessment of effectiveness should not be limited by qualifications or exceptions. If a material weakness exists, management may not state that the controls are effective; however, depending upon the nature and pervasiveness of the weakness, "management may state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es)." Management may also disclose remediation efforts.

Disclosures About Material Weaknesses

In disclosing a material weakness, management should also consider describing the nature of the material weakness, its impact on financial reporting and the control environment and management’s current remediation plans, if any. In describing the weakness, companies should also consider disclosure that would allow investors to understand the root cause of the control deficiency and to assess the potential impact of each particular material weakness, for example by identifying those material weaknesses that may have a pervasive impact.

Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on Internal Control

A restatement does not, by itself, require management to consider the effect of the restatement on the company’s prior conclusion of effectiveness of internal controls and disclosure controls and procedures. However, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosures to include any other material information necessary to make them not misleading in light of the restatement, including the impact, if any, that the restatement had on its original conclusions. The company will also need to disclose any material changes to internal control under Reg S-K, Item 308(c).

Inability to Assess Certain Aspects of Internal Control

Management may have difficulty assessing certain necessary aspects of internal control, for example, where a significant process is outsourced to a service organization, and the service organization is unwilling to provide either a Type 2 SAS 70 report or to provide management access to the controls at the service organization. Likewise, management may not have compensating controls. Because no scope limitation on effectiveness is permitted in management’s report, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that internal control is not effective.

Proposed Rule Amendments

The SEC is proposing to amend Exchange Act Rules 13a-15(c) and 15d-15(c) to provide a kind of non-exclusive safe-harbor, which would state that, although there are many different ways to conduct an evaluation of the effectiveness of internal control over financial reporting that would satisfy the requirements of the rule, an evaluation conducted in accordance with the SEC's interpretive guidance would satisfy the annual management evaluation required by those rules. Management will still be able to use its judgment to determine a method of evaluation that is appropriate for its company.

In another amendment, the SEC is proposing to change the auditor's report requirement. Currently, auditors are required to attest to, and report on, management's assessment of the effectiveness of the company's internal control. Reg S-X Rule 2-02(f) requires the accountant's attestation report to clearly state the opinion of the accountant as to whether management's assessment of the effectiveness of internal control is fairly stated. This formulation has apparently caused some confusion with respect to the auditor's responsibility. As a result, the SEC is proposing to revise Rule 2-02(f) (with conforming changes to the definition of attestation report in Rule 1-02(a)(2)) to require the auditor to express an opinion directly on the effectiveness of internal control. In addition, the SEC is proposing revisions to Rule 2-02(f) to clarify the circumstances in which the accountant would not be able to express an opinion, "the rare circumstance of a scope limitation that cannot be overcome by the registrant or the registered public accounting firm which would result in the accounting firm disclaiming an opinion."

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (AI) in accordance with our AI Principles, may be considered Attorney Advertising and is subject to our legal notices.