SEC's Guidance to Management on Evaluating Internal Control

News Brief

By Cydney Posner

The SEC has posted its interpretive soporific, I mean release, providing principles-based guidance for management in conducting a top-down, risk-based evaluation of internal control over financial reporting ("ICFR") under SOX 404.

Management is responsible for maintaining a system of ICFR that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and must annually evaluate, and disclose in a management's report, whether ICFR is effective. The guidance makes clear that "reasonableness" is not an "absolute standard of exactitude" and does "not imply a single conclusion or methodology, but encompass[es] the full range of appropriate potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions." New amendments to Rules 13a-15(c) and 15d-15(c) make clear that an evaluation of ICFR that complies with this interpretive guidance is one way to satisfy those rules. To avoid creating a checklist mentality, however, the guidance does not include many lists or examples (e.g., a list of fraud risks) that some commenters requested. Given the lack of specificity in the guidance, that "safe harbor" may not provide much comfort for some companies that may be concerned about being second-guessed. The guidance will become effective upon publication in the Federal Register.

The interpretive guidance:

  • Explains how to vary evaluation approaches for gathering evidence based on risk assessments;
  • Explains the use of "daily interaction," self-assessment and other on-going monitoring activities as evidence in the evaluation;
  • Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment;
  • Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
  • Allows management and the auditor to have different testing approaches.

The interpretive guidance is organized around two broad principles: first, that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner; and second, that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.

The SEC believes that management should bring its own experience and informed judgment to bear to design an evaluation process that meets the needs of its company, allowing smaller companies to scale and tailor their efforts. After the first year, once the material financial elements, risks and controls have been identified and the approach, methods and processes established, subsequent evaluations can focus more on changes and updating of documentation. The guidance assumes management has established and maintains a system of internal accounting controls as required by the FCPA and is not intended to replace the elements of an effective system of internal control as defined within a recognized control framework, such as the COSO framework.

The guidance recognizes that systems, methods and procedures may be different in smaller public companies than in larger companies, but is not meant to imply that evaluations for smaller public companies be conducted with less rigor or to provide anything less than reasonable assurance as to the effectiveness of ICFR. Rather, smaller public companies are advised to use the flexibility of the guidance to cost-effectively tailor and scale their methods and approaches for identifying, documenting and evaluating.

Internal Control Over Financial Reporting

Rules 13a-15(f) and 15d-15(f) define ICFR as:

"A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements."

The Evaluation Process

The purpose of the evaluation of ICFR is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year. To that end, management's evaluation process includes identification of the risks to reliable financial reporting, evaluation of whether controls exist to address those risks and evaluation of evidence about the operation of the controls included in the evaluation based on its assessment of risk.

Identifying Financial Reporting Risks and Controls

The evaluation begins with the identification and assessment of the risks to reliable financial reporting (that is, materially accurate financial statements), including changes in those risks. Management then evaluates whether it has controls placed in operation that are designed to adequately address those risks. Management ordinarily would consider the company’s entity-level controls in both its assessment of risks and in identifying which controls adequately address the risks.

Identifying Financial Reporting Risks. Generally, the identification of financial reporting risks (that is, those risks of misstatement that could, individually or in combination with others, result in a material misstatement of the financial statements) begins with an evaluation of how the requirements of GAAP apply to the company’s business, operations and transactions. Then, using its knowledge of the business and related risks, including risks from sources such as the initiation, authorization, processing and recording of transactions and other adjustments, management should consider "what could go wrong" to identify the sources and likelihood of potential problems. (Now there's an insight that took 13 pages.)

The methods and procedures for identifying financial reporting risks will vary based on the size and complexity of the company. For example, for a larger business or a complex business process, management’s methods and procedures may involve a variety of company personnel, including those with specialized knowledge of GAAP or computer technology, while in a small centralized company, management’s daily involvement with the business may enable it to appropriately identify financial reporting risks. Management must consider the vulnerability of the entity to fraudulent activity, which ordinarily exists at some level in any organization. For example, the risk of improper override of internal controls in the financial reporting process is one type of fraud risk that affects companies of all sizes and types.

Identifying Controls that Adequately Address Financial Reporting Risks. Management should evaluate whether it has controls in operation that adequately address the company’s financial reporting risks. This determination involves judgments about whether the controls, if operating properly, can effectively prevent or detect misstatements that could result in material misstatements. Controls consist of a "specific set of policies, procedures, and activities designed to meet an objective," and may exist within a designated function or activity, may be entity-wide or have a specific application, may be automated or manual, may relate to financial reporting or operations, and may be preventive or detective or a combination of both. Examples include reconciliations, segregation of duties, review and approval authorizations, safeguarding and accountability of assets and preventing or detecting error or fraud. One control may address multiple risks and one risk may have or require multiple controls; it is not necessary to identify all controls that may exist or to identify redundant controls unless redundancy itself is required to address the financial reporting risks. Management may also consider the efficiency with which evidence of the operation of a control can be evaluated when identifying controls. For example, when adequate IT general controls exist and management has determined that the operation of those controls is effective, management may determine that automated controls are more efficient to evaluate than manual controls.

In addition to controls related to individual financial reporting elements, management must also evaluate controls to address necessary (per the applicable framework) entity-level and other pervasive elements, such as controls related to the control environment, controls over management override, the entity-level risk assessment process and monitoring activities, controls over the period-end financial reporting process and the policies that address significant business control and risk management practices.

Consideration of Entity-Level Controls. Management must consider how entity-level controls relate to the financial reporting elements: the more indirect the relationship, the less effective a control may be in preventing or detecting a misstatement. Some entity-level controls, such as certain control environment controls or controls designed to identify possible breakdowns in lower-level controls, may have an important, but indirect, effect, but are unlikely, by themselves, to adequately address a financial reporting risk. However, some entity-level controls may be designed to operate at the process, application, transaction or account level and at a level of precision that would adequately address the risk by themselves.

Role of Information Technology General Controls. While IT general controls alone ordinarily do not adequately address financial reporting risks, the proper and consistent operation of automated controls or IT functionality often depends upon effective IT general controls. The identification of risks and controls within IT should not be a separate evaluation, but rather should be an integral part of the whole evaluation. For purposes of the evaluation of ICFR, management needs to evaluate only those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks. Specifically, it is unnecessary to evaluate IT general controls that primarily pertain to efficiency or effectiveness of a company’s operations, but which are not relevant to addressing financial reporting risks.

Evidential Matter to Support the Assessment. As part of its evaluation of ICFR, management must maintain reasonable support for its assessment, including documentation, which may be on paper or electronic or other media and could include, for example, policy manuals, process models, flowcharts, job descriptions, documents, internal memoranda or forms. The only controls that must be documented are those that management concludes are "adequate" to address the financial reporting risks. Documentation not only provides support for management's assessment, but also serves as evidence that controls have been identified, may be communicated to those responsible for their performance and may be monitored by the company.

Evaluating Evidence of the Operating Effectiveness of ICFR

Evaluation of the operating effectiveness of a control involves consideration of whether the control is operating as designed, how the control was applied, the consistency with which it was applied and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. Management should ordinarily focus its evaluation of the operation of controls on areas posing the highest ICFR risk, but also take into account the impact of entity-level controls, such as the relative strengths and weaknesses of the control environment, which may influence management’s judgments about the risks of failure for particular controls. Evidence about the effective operation of controls may be obtained from direct testing and on-going monitoring activities, with the nature, timing and extent of evaluation procedures dependent on the assessed risk. In determining the sufficiency of the evidence, management should consider not only the quantity of evidence (for example, sample size), but also the qualitative characteristics, such as the nature of the evaluation procedures performed, the period of time to which the evidence relates, the objectivity of those evaluating the controls and, in the case of ongoing monitoring activities, the extent of validation through direct testing of underlying controls. To the dismay of some commenters, the SEC elected not to introduce a rotational approach. However, the SEC did clarify that management’s experience with a control’s operation both during the year and as part of its prior year assessments may influence its decisions regarding the risk that controls will fail to operate as designed. This, in turn, may have a corresponding impact on the evidence needed to support management’s conclusion that controls operated effectively as of the date of management’s assessment.

Determining the Evidence Needed to Support the Assessment. Management should evaluate the risks related to the identified controls to determine the evidence needed to support the assessment, taking into account both the materiality of the financial reporting element and the susceptibility to material misstatement of the underlying account balances, transactions or other supporting information. As materiality increases, management’s assessment of misstatement risk generally would correspondingly increase. This concept is illustrated in the SEC's diagram below.

To the extent that a financial reporting element (1) involves judgment in determining the recorded amounts, (2) is susceptible to fraud, (3) has complex accounting requirements, (4) experiences change in the nature or volume of the underlying transactions, or (5) is sensitive to changes in environmental factors, such as technological and/or economic developments, it would generally have a higher risk of misstatement.

Management’s consideration of the likelihood that a control might fail to operate effectively includes, among other things:

  • The type of control (that is, manual or automated) and the frequency with which it operates;
  • The complexity of the control;
  • The risk of management override;
  • The judgment required to operate the control;
  • The competence of the personnel who perform the control or monitor its performance;
  • Whether there have been changes in key personnel who either perform the control or monitor its performance;
  • The nature and materiality of misstatements that the control is intended to prevent or detect;
  • The degree to which the control relies on the effectiveness of other controls (for example, IT general controls); and
  • The evidence of the operation of the control from prior years.

Financial reporting elements that involve related-person transactions or critical accounting policies and estimates generally would be assessed as having a higher misstatement risk. Further, when the controls related to these financial reporting elements are subject to the risk of management override, involve significant judgment or are complex, they should generally be assessed as having higher ICFR risk.

When more than one control is required for a given element, management should analyze the risk characteristics of the various controls because they may not necessarily share the same risk characteristics. Entity-level controls may also be taken into account; however, a strong control environment would not eliminate the need to evaluate the operation of the control in some manner.

Implementing Procedures to Evaluate Evidence of the Operation of ICFR. Management uses its risk assessment to determine evaluation procedures, which may involve direct tests of controls, ongoing monitoring or a combination of both. Direct tests of controls are tests ordinarily performed on a periodic basis by individuals with a high degree of objectivity with respect to the controls being tested. The evaluation methods and procedures may be integrated with the daily responsibilities of employees or implemented specifically for purposes of the ICFR evaluation. Activities that are performed for other reasons (for example, day-to-day activities to manage the operations of the business) or activities performed to meet the monitoring objectives of the control framework may also provide relevant evidence. Ongoing monitoring can include management’s normal, recurring activities that provide information about the operation of controls, such as self-assessment procedures (the value of which may depend upon the objectivity of the person conducting the assessment) and procedures to analyze performance measures designed to track the operation of controls. The value of evidence from ongoing monitoring activities can be increased by using personnel who are more objective and/or increasing the extent of validation through periodic direct testing of the underlying controls or by extending the time period of direct testing. When ICFR risk is assessed as high, the evidence management obtains would ordinarily consist of direct testing or ongoing monitoring activities performed by individuals who have a higher degree of objectivity. If personnel are not objective, direct testing of controls corroborates evidence from ongoing monitoring activities as well as evaluates the operation of the underlying controls and whether they continue to adequately address financial reporting risks. When ICFR risk is assessed as low, management may conclude that evidence from ongoing monitoring is sufficient and that no direct testing is required. Further, management’s evaluation would ordinarily consider evidence from a reasonable period of time during the year, including the fiscal year-end. In smaller companies, management’s daily interaction with controls (ongoing direct involvement and supervision) may provide sufficient knowledge to evaluate the operation of ICFR. Daily interaction may suffice when the operation of controls is centralized and the number of personnel involved is limited, but not for companies with layers of management and multiple operating segments.

Evidential Matter to Support the Assessment. The nature of the "evidential matter" may vary based on the assessed level of ICFR risk. Reasonable support for an assessment would include the basis for management’s assessment, including documentation of the methods and procedures it used to gather and evaluate evidence. In addition, the evidence should include the design of the controls that adequately address the financial reporting risks as well as how its interaction provides an adequate basis for its assessment of the effectiveness of ICFR. Evidence would ordinarily include documentation of how management formed its conclusion about the effectiveness of the company’s entity-level and other necessary pervasive elements of ICFR. This documentation might include a comprehensive memorandum that establishes the overall strategy, evaluation approach, the evaluation procedures, the basis for management’s conclusion about the effectiveness of controls related to the financial reporting elements and the entity-level and other pervasive elements, or it could include other types of individual memoranda, emails and instructions or directions to and from management to company employees. As controls become more complex, more evidence may be required.

Multiple Location Considerations

Generally, the evaluation includes all locations or business units. If the risk is low at the other non-central locations or units, management may determine that self-assessment routines or other ongoing monitoring activities, together with centralized controls that monitor the results of operations at individual locations, constitute sufficient evidence. Where the risk is higher, more evidence is needed about the effective operation of the controls at the location. Management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location, taking into account location-specific risks that might impact the risk that a control might fail to operate effectively. Additionally, there may be pervasive risk factors that exist at a location that cause all controls, or a majority of controls, at that location to be considered higher risk.

Reporting Considerations

Evaluation of Control Deficiencies

Control deficiencies that are determined to be a material weakness must be disclosed in management’s annual report on its assessment of the effectiveness of ICFR. If there is a material weakness, then ICFR is not effective. A material weakness exists if there is a reasonable possibility that a material misstatement of the financial statements would not be prevented or detected in a timely manner. There is a reasonable possibility of an event when the likelihood of the event is either "reasonably possible" or "probable" as those terms are used in FASB No. 5, Accounting for Contingencies. Control deficiencies that are considered to be significant deficiencies are reported to the company’s audit committee and the external auditor as reflected in the certification requirements of Rule 13a-14. Control deficiencies that affect the same financial statement amount or disclosure or component of internal control may be individually less severe than a material weakness, but together could constitute a material weakness. The evaluation of the severity of a control deficiency should include both quantitative and qualitative factors, but does not require quantification of the probability.

Risk factors to consider include:

  • The nature of the financial reporting elements involved (for example, suspense accounts and related-person transactions involve greater risk);
  • The susceptibility of the related asset or liability to loss or fraud;
  • The subjectivity, complexity or extent of judgment required to determine the amount involved;
  • The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
  • The interaction of the deficiencies (that is, when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement amounts or disclosures); and
  • The possible future consequences of the deficiency.

Factors that could affect the magnitude of the misstatement that might result from a deficiency or deficiencies in ICFR include:

  • The financial statement amounts or total of transactions exposed to the deficiency; and
  • The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

In evaluating the magnitude of the potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement.

When determining whether a control deficiency is a material weakness, management should consider whether compensating controls (i.e., controls that accomplish the objective of another non-functioning control) have a mitigating effect by operating at a level of precision that would prevent or detect a material misstatement.

The SEC did not want to provide an overly detailed list of "strong indicators" of a material weakness because of concerns that it may create a list of de facto material weaknesses or inappropriately suggest that identified control deficiencies not included in the list were of lesser importance. Any of the following situations could "indicate" a deficiency in ICFR and could represent a material weakness, although the list is not exhaustive:

  • Identification of fraud, whether or not material, on the part of senior management;
  • Restatement of previously issued financial statements to reflect the correction of a material misstatement;
  • Identification of a material misstatement of the financial statements in the current period in circumstances that indicate the misstatement would not have been detected by the company's ICFR; and
  • Ineffective oversight of the company’s external financial reporting and ICFR by the audit committee.

The change to "indicate" was intended to emphasize that the presence of one of the indicators "does not mandate a conclusion that a material weakness exists. Rather, management should apply professional judgment in this area."

When evaluating the severity of a deficiency, if management determines that the deficiency might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP, then management should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.

Expression of Assessment of Effectiveness of ICFR by Management

Management should not qualify its assessment by stating that the company’s ICFR is effective subject to certain qualifications or exceptions.

However, management may state that controls are ineffective for specific reasons.

Disclosures about Material Weaknesses

In disclosures regarding material weaknesses, companies should also consider disclosing:

  • The nature of any material weakness,
  • Its impact on the company’s financial reporting and its ICFR, and
  • Management’s current plans, if any, or actions already undertaken, for remediating the material weakness.

Companies should consider providing disclosure that allows investors to understand the cause of the control deficiency and to assess the potential impact of each particular material weakness, including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those material weaknesses that do not.

Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR

A restatement of financial statements does not, by itself, necessitate that management reassess or revise its prior conclusion related to the effectiveness of ICFR. Nevertheless, in light of the restatement, the prior disclosures concerning ICFR and disclosure controls and procedures could be misleading; the company may need to disclose the impact, if any, of the restatement on its original conclusions regarding effectiveness of ICFR and disclosure controls and procedures, and management may need to modify or supplement the disclosures.

Inability to Assess Certain Aspects of ICFR

In certain circumstances (e.g., outsourcing of a significant process), management may encounter difficulty in assessing certain aspects of its ICFR. For example, the service organization may be unwilling either to provide a Type 2 SAS 70 report or to allow management access to the controls in place, and management may not have compensating controls in place. Management’s annual report on ICFR must include a statement as to whether or not ICFR is effective, and there is no latitude to include a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.
