Ask the Scholar

Document scope · 1 page
doc
Scholar
Ask about this object, its catalog metadata, its source description, or the page inventory. For page-specific OCR and visual context, open one of the page chats.

Scholar Source Context

Document identity
localId
74615968
label
Sarbanes-Oxley
core
doc
dtoType
document
pageCount
1
Source metadata
Source extras
naId
74615968
levelOfDescription
fileUnit
otherTitles
t029-006-sarbox-20140373f
recordType
description
ocrSource
nara-archive
Single page context
seq
1
pageIndex
0
type
document
mediaId
67604ae7ae6d0dba
ocrText
2014-0373-F [ ] Wednesday, May 13, 2015 FOIA Marker This is not a textual record. This FOIA Marker indicates that material has been removed during FOIA processing by George W. Bush Presidential Library staff. National Economic Council Corbett, Bryan Location or NARA Number: FRC ID: OA Number: Stack: Row: Sect.: Shelf: Pos.: Hollinger ID: W 30 20 1 2 6716 19651 8937 9033 Folder Title: Sarbanes-Oxley CHAMBER OF COMMERCE OF THE UNITED STATES OF AMERICA DAVID CHAVERN 1615 H STREET, N.W. VICE PRESIDENT AND WASHINGTON, D.C. 20062-2000 CHIEF OF STAFF September 13, 2006 202-463-3101 202-463-5327 FAX [email protected] Ms. Nancy M. Morris Secretary U.S. Securities and Exchange Commission 100 F Street, NE Washington, DC 20549-1090 RE: Release No. 34-54122; File No. S7-11-06 Dear Ms. Morris: The U.S. Chamber of Commerce is the largest business federation in the world, representing the interests of some three million companies of every size and industry. We have been an advocate for the issuance of specific guidance by the U.S. Securities and Exchange Commission (the "SEC") for issuers under Section 404 of the Sarbanes-Oxley Act ("SOX"). In that regard, we very much appreciate the opportunity to provide comments in response to the SEC's Concept Release on such guidance. The Chamber has been very supportive of most provisions of SOX and, with respect to Section 404, strongly advocates for good systems of internal control in public companies. We agree that SOX has had positive effects in causing boards, management, and external auditors to be more thorough and attentive in fulfilling their responsibilities. However, we believe that Section 404 has been implemented in such a way as to create extraordinary and unnecessary burdens that are disproportionate to identified benefits. This has had an extremely negative effect on the overall health and competitiveness of the U.S. capital markets. Our overall comments regarding improvement in the implementation of Section 404 are set forth in our comment letters of April 12, 2005, October 24, 2005, April 3, 2006, and May 3, 2006. In addition, Chamber representatives participated in the SEC/Public Company Accounting Oversight Board (PCAOB) Roundtables on April 13, 2005, and May 10, 2006. We have been an active voice for the business community on this issue because it is critically important to a broad cross-section of domestic and foreign companies. Ms. Nancy M. Morris September 13, 2006 Page 2 Overview The implementation of Section 404 has, to date, failed for several interrelated reasons: Auditing Standard # 2 ("AS2") is a vague and difficult to apply standard - and, to date, there has been no formal standard for issuers. The auditing profession has legitimate concerns about being second guessed by the plaintiffs' trial bar and its new regulator, the PCAOB. The long-term risks to the profession are very significant¹, and there has been every incentive to apply AS2 (such as it is) in a conservative way. Issuers have been trapped between the uncertain demands of AS2 and their own concerns about diverting critical resources from research, development, investment, and employment. The result has been generally bad for any public companies with securities available in the United States - as well as any foreign or domestic companies who may have hoped to list here in the future. The implementation of SOX 404 has damaged our capital markets and there is an immediate need for corrective action. We are, therefore, hopeful about the dual undertakings of (i) the SEC to promulgate issuer guidance regarding internal controls, and (ii) the PCAOB to revise AS2. We are also encouraged that the SEC and PCAOB are seeking to align their activities to avoid unintentional confusion. There is now a real opportunity for regulatory action on SOX 404 that would obviate the need for any legislative adjustment to the Act. We trust that the SEC and PCAOB will seize the opportunity and drive real improvement in the system. 1 For further discussion of this issue, please see a U.S. Chamber of Commerce publication entitled Auditing: A Profession at Risk, dated January 2006. http://www.uschamber.com/publications/reports/0601auditing,htm Ms. Nancy M. Morris September 13, 2006 Page 3 With respect to the Concept Release, our specific comments below reflect three basic themes: There must be a risk-based focus on those controls that are most likely to have a material impact on the financial statements. This includes an emphasis on entity-level, rather than transaction-level, controls. The guidance for issuers should have as much specificity and clarity as possible. Where this is not achievable, issuers should have some ready means to seek and obtain on-going guidance from the SEC. It should be emphasized that the design, creation, and maintenance of good internal controls is a primary obligation of management. While auditors evaluate and determine the sufficiency of controls, they should not - and should not be expected to - decide how companies best manage their operations. Discussion Risk and Control Identification As mentioned, it is critical to employ a risk-based focus on those internal controls that are most likely to have a material impact on financial statements. We agree with the SEC that the evaluation framework of internal controls will vary depending on what is reasonable for the issuer. This framework, however, must be aligned with specific guidance that alleviates the implementation issues that caused the overly conservative application of SOX 404 and AS2. Specific Responses We would suggest that the SEC begin by clearly stating the goal of an appropriate examination of internal controls under SOX 404. We believe that an implicit expectation has evolved - supported by the plaintiffs' trial bar, among others - that the purpose of SOX 404 is to prevent every fraud and, in fact, every other possible type of business risk. Until the SEC is extremely clear that the purpose is to reach an appropriate level of assurance about controls - but not obviation of all risk - then the problems with overly conservative implementation will remain. Ms. Nancy M. Morris September 13, 2006 Page 4 We would suggest that the SEC identify those entity-level controls that it will always consider relevant. Further, it should provide examples of entity and transaction-level controls that it would not consider material. While no guidance can address every possible factual circumstance, it should be possible to establish guideposts that show the limits of the analysis. We would also ask that the SEC indicate what constitutes a test failure and when requirements on additional sampling are necessary. The Chamber supports the idea of placing greater reliance on assuring that issuers have a proper base control structure and good entity-level controls, along with management processes that assure broadly that these controls are effective. We would strongly encourage the SEC to specifically address fraud controls. As noted above, one of the most fundamental problems is a popular misunderstanding about the reasonable role of SOX 404 analysis - and auditing generally - in preventing fraud. Experienced accounting professionals know that there will be companies with excellent internal controls and superb audits that will, nonetheless, fall victim to collusive fraud. While it may not be easy or pleasant, the SEC has a core obligation to educate the public about this fact and provide issuers with guidance as to the reasoned limits on control evaluation under SOX 404. We also encourage the PCAOB to quickly and thoughtfully bring closure on the procedures that should be employed by external auditors to detect fraud. The Chamber supports the SEC's August 9, 2006, release proposing a one-year transition period for newly public companies. We believe that this will provide relief for start-up costs incurred during the first year. We continue to urge the SEC to delay implementation for non- accelerated filers and foreign private issuers until the new and revised standards have been tested by experience and proven to have been successful in alleviating key implementation issues. Ms. Nancy M. Morris September 13, 2006 Page 5 It is important that the SEC and PCAOB address smaller public companies as they are - in terms of personnel and resources - and not apply SOX 404 in a way that requires them to radically alter their operations or business objectives. Developing "scalable" guidelines means clearly defining what is "acceptable," even if that means something less than "perfect." As a clear example, appropriate span of control should - as a matter of logic - have a different application at a company with $1 million in revenues when compared to a company with $1 billion in revenues. "Scalable" doesn't mean two (or more) different standards or fundamental differences in levels of assurance. It does, however, mean acknowledging that what might be necessary at one type of company may not be required for assurance at another. We continue to believe that not all internal controls need to be evaluated annually. Appropriate analysis of entity-level controls can include (i) periodic testing, and (ii) the testing of controls that have changed from established baseline conditions. In addition, testing by external auditors should reflect the work of internal parties. This would reduce some of the unnecessary cost burdens while maintaining a structure that protects the validity of financial statements. One of the unintended consequences of SOX is that companies are forced to delay system implementations or business process changes planned for the second half of the year in order to obtain a clean attestation result from the audit firms. We encourage the SEC to consider solutions to avoid these unnecessary delays. We would encourage the PCAOB to unify the approach of its standard setters and investigators. While the standard setters are encouraging the use of judgment, the inspections appear to be far-reaching. Management's Evaluation In absence of direct guidance for issuers, management has been forced to rely on AS2 in its evaluation of internal controls. Unfortunately, AS2 was not well-designed for this purpose (nor was the PCAOB ever intended to be a regulator of issuers). Among other things, this has served to de-emphasize the importance and primacy of management's own assessment of its internal controls. Ms. Nancy M. Morris September 13, 2006 Page 6 Specific Responses Our members tell us that the application of AS2 to IT systems has been particularly problematic. Issuers do not have enough guidance to determine which systems - and which levels of systems - need to be evaluated in order to obtain a reasonable assurance as to the effectiveness of internal controls over financial reporting. As an example, excessive time, energy, and expense have been devoted to the evaluation of access controls without regard to whether the access points in question could pose a significant risk to the validity of the financial reporting of the company. This is certainly an area where SOX 404 has been presumed to be about eliminating all business risks, instead of simply assuring the reasonable validity of the financial statements. In addition, significant confusion exists on how to assign monetary exposure to IT deficiencies, especially when they have been mitigated by entity-level or business process controls. We would strongly urge the SEC to work with the issuer community and the IT industry to develop specific standards regarding the evaluation of IT systems that limit the analysis to the intent and purpose of SOX 404. As noted above, while no standard could comprehensively address every situation faced by every affected public company, we would encourage the SEC to provide as many illustrative examples as possible (including examples of overly conservative implementation) and also establish a system for the provision of on-going advice and guidance. It would be flatly inappropriate for the SEC to issue a standard and then make it "the issuer's problem" to figure out what it means. This comment most particularly applies to the meaning of critical but fundamentally hard-to- define terms, such as "material weakness," "significant deficiency," and "more than remote." We have received a number of complaints to the effect that asking for advice - from outside auditors or others - can itself be construed as a "material weakness." In short, if you need to ask then you don't know, and if you don't know then there must be a material weakness. This only creates a disincentive to seek expert advice on difficult issues. The SEC must make it clear that a request for guidance should not be used as evidence as to whether a "material weakness" does or does not exist. After all, the recognition by an issuer that a problem might exist should be seen as a strength on its part -- not a weakness. Ms. Nancy M. Morris September 13, 2006 Page 7 The SEC should issue guidance as to the appropriate application of the requirement that the management assessment be "as of" the year end. There is tremendous confusion about the timing of the examination of internal controls and the value - or, more appropriately - lack of value of the experience with controls that is obtained over the course of an entire year. There is currently an excessive number of restatements. Many are driven by "reinterpretations" of long-standing accounting treatments. Accounting is not an exact science and disagreements about appropriate application of complex accounting standards are not necessarily evidence of failure. In fact, the view that "change = failure" does a disservice to the investing public by implicitly communicating a false precision surrounding financial statements. The SEC has a basic obligation to educate investors about the limits of accounting and financial statements. In that regard, we believe that there are many circumstances when a restatement should not be construed as evidence of a "material weakness" in internal controls. Separately, we continue to support an overall review by the SEC and the PCAOB of the current standards for restatement, including an examination of the impact on investors of restatements that do not result in a material change in the overall financial performance or prospects of an issuer. Restatements can undermine investor confidence in an otherwise sound system of accounting principles. To that end, when the SEC considers the need for a new interpretation of GAAP that has previously been generally accepted in the marketplace, it should do so prospectively as opposed to retroactively so as not to undermine investor confidence. Ms. Nancy M. Morris September 13, 2006 Page 8 Documentation to Support the Assessment During the first two years of implementation, it is clear that accelerated filers often over-documented internal controls in absence of specific guidance. Non-accelerated filers do not have access to the same resources and therefore would be put at a significantly greater disadvantage by overzealous documentation requirements. Specific Responses A lack of documentation should not be confused with poor internal controls. Smaller public companies, in particular, often have good internal controls that are simply insufficiently documented. While documentation is important in order for systems to be auditable, we would urge the SEC to closely evaluate documentation alternatives and determine whether there are "low resource cost" solutions that might be acceptable for smaller compañies, even if they are not appropriate for larger companies with more complex control systems. We would encourage the SEC to further examine footnote level information, particularly as how to measure the materiality of a deficiency. Not all footnotes are created equally and those that merely give information on routine accounts such as the composition of inventory are demonstrably less important than others like the disclosures of off balance sheet contingencies. One solution would be to expressly rule some footnotes out of the 404 scope and develop bright lines test for inclusion/exclusion for all other footnotes. Conclusion In summary, the Chamber is very supportive of systems of good internal controls maintained by management. We look forward to the forthcoming guidance from the SEC and PCAOB providing clear and specific recommendations for issuers and auditors. In absence of specific guidance, we fear that the current ambiguity will continue to cause unintended consequences, including diverting management time away from valuable business operations. Ms. Nancy M. Morris September 13, 2006 Page 9 The Chamber commends your dedication to achieving a long-term solution that will benefit issuers, auditors, investors, and the health and competitiveness of our capital markets. Thank you for you consideration, and we would be happy to discuss our comments with the relevant staff. Sincerely, David C Chavern Vice President Capital Markets Programs CC: Christopher Cox, Chairman, U.S. Securities and Exchange Commission Paul S. Atkins, Commissioner, U.S. Securities and Exchange Commission Roel C. Campos, Commissioner, U.S. Securities and Exchange Commission Kathleen L. Casey, Commissioner, U.S. Securities and Exchange Commission Annette L. Nazareth, Commissioner, U.S. Securities and Exchange Commission Mark W. Olson, Chairman, Public Company Accounting Oversight Board Kayla J. Gillan, Member, Public Company Accounting Oversight Board Daniel L. Goelzer, Member, Public Company Accounting Oversight Board Bill Gradison, Member, Public Company Accounting Oversight Board Charles D. Niemeier, Member, Public Company Accounting Oversight Board BIOTECHNOLOGY INDUSTRY ORGANIZATION (BIO) TECHNET TELECOMMUNICATIONS INDUSTRY ASSOCIATION (TIA) ELECTRONIC INDUSTRIES ALLIANCE (EIA) SEMICONDUCTOR INDUSTRY ASSOCIATION (SIA) ADVANCED MEDICAL TECHNOLOGY ASSOCIATION (ADVAMED) MEDICAL DEVICE MANUFACTURERS ASSOCIATION (MDMA) ASSOCIATION OF BIOSCIENCE FINANCIAL OFFICERS (ABFO) CALIFORNIA HEALTHCARE INSTITUTE (CHI) September 12, 2006 Chairman Christopher Cox Commissioner Paul S. Atkins Commissioner Roel C. Campos Commissioner Annette L. Nazareth Commissioner Kathleen L. Casey U.S. Securities and Exchange Commission 100 F Street, NE Washington, DC 20549 Re: Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting (File No. S7-11-06, Release No. 34-54122); Internal Control Over Financial Reporting In Exchange Act Periodic Reports Of Non-Accelerated Filers and Newly Public Companies (File No.S7-06-03, Release No. 33-8731). Dear Mr. Chairman and Commissioners: On behalf of the biotechnology, healthcare technology, high technology, information and communications technology, electronics, and semiconductor industries, we urge the Securities and Exchange Commission to expeditiously adopt Section 404 reforms, in the form of a rule, based on a reform framework that is cost effective, "scaled", and "proportional" to the size and complexity of corporate structures. Our member companies include the management of a majority of microcap and smallcap companies in the U.S. high-growth sectors. As we indicated in our letter to the Commission on April 3, 2006, we fully support the original goals of the Sarbanes-Oxley Act (SOX) and recognize the need for responsible internal control standards that create meaningful and transparent financial reporting for investors. The implementation of the SOX Section 404 requirements, however, continues to have a significant impact on smaller public companies that is disproportional to its benefits for the investors. The result has been a negative impact on America's ability to innovate and maintain its 1 global competitiveness in the high-growth sectors of our nation's economy. For these reasons, we urge the Commission to expeditiously adopt Section 404 reforms as described below. We welcome this opportunity to provide comments on the Concept Release and appreciate the Commission's recognition of the compliance challenges and costs faced by small businesses as detailed in the Final Report of the Advisory Committee for Smaller Public Companies (Advisory Committee) and the April 2006 report of the U.S. Government Accountability Office (GAO). It is our hope that the changes proposed by the Commission and the Public Company Accounting Oversight Board's (PCAOB) plans to provide further Auditing Standard #2 (AS2) reforms will be critical steps towards fundamental reform of Section 404 that addresses the significant compliance burdens on smaller public companies and supports innovation. The Reform Framework Should Be Principles-Based For the high-growth industries, the implementation of SOX Section 404 has had a significant impact on the long-term competitiveness of American companies and the U.S. capital markets. Section 404 has imposed cost burdens on high-growth companies and their management far beyond what Congress intended and what is needed to protect investors against corporate fraud. These disproportional compliance burdens have been described to the SEC and the PCAOB by participants in the Section 404 Year Two Roundtable discussions and were well documented in the Final Report by the Advisory Committee.¹ As currently implemented by the Commission and through the guidance provided by AS2, Section 404 places disproportional cost burdens on America's smaller companies, while specific benefits are difficult to identify. As the Advisory Committee recommended after its year-long review of Section 404 impacts, without a revised implementation framework, the current "one-size-fits-all" approach of Section 404 and AS2 will continue to hamper the ability of smaller public companies to invest in research and development and to gain access to public capital markets, thereby jeopardizing the competitiveness of smaller companies. To ensure the continued innovation and vitality of America's public companies, including the smaller companies engaged in the high-growth industries -- high technology, biotechnology, medical devices, electronics, telecommunications and semiconductors, as well as the American institutions that provide access to public capital -- a principles-based reform framework should be adopted in the form of a rule by the SEC to be implemented through AS2 revisions. The Reform Framework Should Be Based On The Following Principles: Reforms must reflect rational cost/benefit balance. Cost burdens imposed by increasing complexity of required internal controls must yield increased benefits in assuring greater investor confidence. 1 During the May 2006 SEC Roundtable on SOX Section 404 Year Two Compliance, the former SEC Commissioner Joe Grundfest also recommended fundamental Section 404 reforms for smaller public companies. Mr. Grundfest suggested that the Commission and PCAOB amend AS2 to incorporate many of the findings made by the Advisory Committee. He also recommended that AS2 reforms should redefine the objective of the control audit process so as to reduce auditors' incentive to examine controls that are unlikely to have material impact on smaller public companies. Fixing 404 by Joseph A. Grundfest, Stanford Law School, May 1, 2006. 2 Internal control requirements should be "scaled" and "proportional" to the size of product revenues and complexity of corporate structures. Scaled and proportional reform should be based on the principle that the level of risk and product revenues are intricately tied; product revenues drive the complexity of corporate structures and the corresponding need for more rigid and established internal control processes. Reforms should support management's incentive to màintain an effective and integrated system of internal controls to produce accurate financial reports, which are most important to investors. The internal controls necessary to meet Section 404 should be "integrated" and consistent with the level of controls necessary to meet the CEO and CFO certifications of company financials as required under Section 302 of SOX. Reforms should provide clear rules that are risk-based and material to the integrity of the financial statements. The rules must provide a clearly defined scope of required assessments with a focus on entity-level controls material to financial statements. Frequency of internal control testing should be determined by changes in established baseline controls and not merely by the calendar. 1) Reforms Must Achieve Cost/Benefit Balance. We fully appreciate the Congressional intent behind Section 404 - ensuring that companies have in place effective policies, procedures and controls to protect against material misstatements in financial statements, and to prevent fraud. However, as currently implemented, AS2 does not require a cost/benefit balance as part of its objectives. The majority of smaller public companies simply do not have the manpower or the resources to perform the requirements under AS2. As most do not have more than one or two dedicated staff to the internal audit function, these companies are forced to either hire additional internal audit personnel or engage external consultants to perform the management assessments necessary to meet the requirements of AS2. As a result, many of our companies are incurring additional consulting fees in addition to external auditing fees. Many smaller companies, in order to complete the mandated internal control processes and the "checklist" dictated by AS2, are required to increase their accounting staff by as much as 50% in addition to hiring additional consultants. Smaller public companies have limited resources, leaner staffs and tighter budgets. Given the disproportionately high cost of Section 404 compliance for smaller companies, it is our experience that many are forced to redirect funding from other investments, including R&D and the hiring of additional engineers or scientists, all of which are critical for continued innovation and survival of a company. For example, a small company with $150 million in market capitalization but no product revenues recently paid more than $1 million for costs associated with Section 404 compliance. Such costs are typical and often do not include a company's indirect costs of complying with Section 404, or the costs associated with non-accounting staff performing the internal control work due to the shortage of available resources. 3 Due to Section 404, audit firms now have a required audit process, entirely separate from the typical financial statement audit process, generating fees almost equal to or greater than the charges for a financial statement audit. This was clearly not the Congressional intent. The Senate Committee Report on Section 404 was specific: "The Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees". Such windfall is attributable not only to the process imposed by the large accounting firms but also to AS2, as promulgated by the PCAOB. The current standards require very prescriptive procedures that auditors must follow to perform the separate attestation, with little room for an auditor's judgment. Investor confidence and trust in public companies has increased as a result of the passage of SOX as a whole in spite of Section 404 and not necessarily because of it. Important and effective provisions of SOX include whistleblower protections; increased enforcement powers, such as the SEC's increased ability to obtain officer and director bars; auditor independence requirements; and, perhaps most importantly, CEO and CFO certifications of company financial statements under Section 302. As we saw in the first and second years of Section 404 implementation, investors and the market generally had no market reaction when a company reported a "material weakness" in internal controls under Section 404. 2 Thus, we believe the costs of the implementation of Section 404, particularly for smaller public companies, clearly outweigh any benefits that are directly related to Section 404. 2) Reforms Must Be "Scaled" And "Proportional" To The Level of Product Revenues. In achieving scaled and proportional reforms that are risk based, it is critical that Section 404 reforms establish a concrete basis for the required levels of internal controls. As recognized by the Advisory Committee in its Final Report and strongly supported by our members, Section 404 reform should be based on a "revenue filter" or revenue metric, particularly product revenues. This approach reflects corporate reality in that product revenues drive the complexity of corporate structures and the corresponding need for increased internal controls to protect against financial fraud. Scaling Section 404 requirements, in part, on product revenues is critical to smaller companies in our industries. Biotech and other innovative start-up companies generally have very low revenues compared to their market capitalizations. For example, it is not uncommon for an early stage public biotech company with a market capitalization of $700 million to have product revenues of $1 million or less. For smaller public companies, as defined by the level of product revenues, the reform framework should focus on the internal controls necessary for CEO and CFO certifications of company financials as currently required under Section 302 of SOX. The proposed reform supports management's incentive to maintain effective systems of internal controls and produce accurate financial reports which are most important to financial markets and investors. Section 13(b)(2)(B) of the Exchange Act requires, as it has since 1977, that public companies maintain a system of internal controls that provide reasonable assurances as to the accuracy of financial reports. Under section 302, each CEO and CFO must certify that the financial statements fairly present in all material respects the financial condition of the company, and disclose all 2 See, e.g., Neil O'Hara, An Analysis of the (Non) Impact of SOX 404, Compliance Week, March 8, 2005. In addition, at the 2005 SEC and PCAOB Roundtable on Section 404, a representative of Moody's on one of the panels stated that, of the 71 companies disclosing material weaknesses they considered in detail, they ultimately issued a negative rating action on 12, or 20%, of the companies. Thus, credit rating agencies had no adverse reaction to approximately 80% of the companies. 4 weaknesses in the internal controls that could adversely affect the company's ability to record, process, summarize and report financial information, among other things. 3) Reforms Must Be Risk-Based. The prescriptive nature of AS2 in its current form deters both management and auditors from taking a risk-based approach to prioritizing key financial controls under Section 404. As currently implemented, for smaller companies, management has little say in determining the scope and identification of necessary internal controls. Often, management implements extensive assessment plans developed by their auditors. As currently required, AS2 provides limited opportunity for management or external auditors to take a risk-based approach. AS2 thereby limits the ability of management and auditors to focus on the necessary controls, especially at the entity-wide level, which ultimately could have a material impact on their financial statements as required under Section 302. In short, the management and auditors are compelled to focus on the breadth of controls rather than the depth of necessary controls. In fact, most small companies currently match their internal reviews to the requirements of the external reviews. They do not see how it could work any other way. If companies were truly performing their own internal audits for fraud and accuracy, they would not follow the current AS2 internal control requirements because many of these processes evaluate items that are immaterial for smaller companies. Just to provide two examples of processes lacking a rational basis: a biotech company's management was required to sign off on every page of its Controller's 150-page close book; and the same company also received a deficiency because its accounting software did not require passwords to be alpha-numeric. Additionally, for smaller public companies, cross-training and interchangeability of staff is often more valuable than the strict segregation of duty that is required under Section 404, sometimes to a point of dysfunction. Other examples include a lack of rationale in addressing certain information technology (IT) controls. The current external auditor-driven approach requires extensive testing of internal controls over IT as it relates to entire company and not just IT systems related to financial reporting. Under the current system, company management cannot rely on the capabilities of external service providers (i.e. payroll providers, tax firms and transfer agents) if no SAS 70 reports are in place. Thus, most companies are left to either pay for the external service provider to obtain the SAS 70 or put extensive controls in place surrounding the information that the service providers provide, including extensive manual recalculations. Under AS2, auditors are SO focused on the detail and the shear breadth of the internal controls and testing that there is little room for judgment and clear perspective over the overall process goals. Additionally, management has such extensive compliance requirements, including sign offs, recalculations and documentation, that many company managers have less time to evaluate the reasonableness of their disclosures. As previously discussed, the opportunity cost of time spent on complying with documentation, testing and review of internal controls is time that could be directed toward functions that add value to the company and its shareholders (i.e. training staff, forecasting, modeling, monitoring, bringing in-house tasks done by external parties). 5 4) Frequency Of Internal Control Assessments Should Be Determined By Material Changes In Key Financial Controls. Frequency of internal control testing should be determined by changes in established baseline entity-wide controls. As currently implemented, AS2 fails to recognize the value of cumulative knowledge and relevance of changes in key control areas that matter to the reporting of financial statements. Periodic testing or testing when a material change has occurred could alleviate the excessive duplication year after year that further adds to the high cost and burdens imposed by Section 404. 5) Additional Deferrals For Non-Accelerated Filers And Newly Public Companies Should Be Provided Until A New Reform Framework Is Implemented. We fully support the Commission's proposal to provide further implementation deferrals for non- accelerated filers (small companies under $75 million in market capitalization) and for newly public companies. In light of the current uncertainties due to the anticipated reforms by the Commission and the PCAOB and potential changes to AS2 requirements, we believe it is critical to further delay both the management assessment and external auditor attestation requirements for non-accelerated filers as well as newly public companies until a settled guidance can be provided and revised AS2 rules have been implemented for a reasonable time. In fact, non-accelerated filers and newly public companies should not be required to comply with Section 404 until a full assessment can be made by the GAO on the cost/burden impact of the newly revised AS2 rules. Conclusion As representatives of the high-growth sectors of the U.S. economy, we appreciate this opportunity to comment on the concept release. We believe that principles-based reforms that focus on cost effectiveness, that are risk based, and that are scaled and proportional to the level of product revenues and complexity of corporate structures will achieve the original intent of Section 404 - achieving internal controls that provide investors with the optimal level of confidence in the financial integrity of a public company. We thank you for your consideration of our views and we urge you to expeditiously adopt a reform framework that provides fundamental relief to smaller public companies and that supports innovation in the U.S. high-growth sectors. We look forward to working with you to achieve these important goals. Sincerely, James Commond Leylee 8 Westine James C. Greenwood Lezlee Westine President and CEO President and CEO Biotechnology Industry Organization TechNet 6 Dave ho Curdy Matthew J. Flanigan Dave McCurdy President President and CEO Telecommunications Industry Electronic Industries Alliance Association Serry M. Scabin Stople 9 Uap George M. Scalise Stephen J. Ubl President President and CEO Semiconductor Industry Association Advanced Medical Technology Association nal 1/2 Leby David Gallahen Mark B. Leahey David L. Gollaher, Ph.D. Executive Director President and CEO Medical Device Manufacturers Association California Healthcare Institute Alain Cappeluti Chairman Association of Bioscience Financial Officers (B/W Chapter) Past Chairman, ABFO International 7 WSJ .com THE WALL STREET JOURNAL. ONLINE November 1, 2006 COMMENTARY DOW JONES REPRINTS To Save New York, Learn From London By CHARLES E. SCHUMER and MICHAEL R. BLOOMBERG November 1, 2006; Page A18 In recent months, there has been a lot of media chatter about the possibility of London taking over New York's position as the world's financial capital. Such speculation, although overblown, has focused our attention on a broader and legitimate concern: Unless we improve our corporate climate, we risk allowing New York to lose its pre-eminence in the global financial-services sector. This would be devastating both for our city and nation. One of the engines of growth for the U.S. economy, the financial-services industry in New York has long possessed significant comparative advantages over London and all other cities. These advantages include the broadest, most efficient and liquid capital markets in the world, and a concentration of the world's biggest financial firms -- which have a much larger presence here than anywhere else. This city dominates global private-equity markets, secondary trading markets, and mergers and acquisitions. New York has unparalleled quality of life and cultural diversity, which global companies increasingly seek, as well as a dynamic labor market:-- our unemployment rate is lower than the nation's. Taken together, these advantages explain why New York's financial-sector employment numbers are greater than any other city's. Yet while New York remains the dominant global-exchange center, we have been losing ground as the leader in capital formation. In 2005 only one out of the top 24 IPOs was registered in the U.S., and four were registered in London. London is gaining ground in other areas too, but it is not only London we need to worry about. Next year, more money will be raised through IPOs in Hong Kong than in either London or New York. We cannot ignore these warning signs. That is why New York has hired a consulting firm, which will issue a report in November identifying the specific variables that are negatively impacting our financial-services industry and recommending an action plan to correct them. Based on the work completed so far, there are four factors that bear close attention: globalization of the capital markets, overregulation, frivolous litigation and incompatible accounting standards. The first factor is beyond our control; advances in technology and communication are allowing capital to flow more freely, making it much easier to locate financial activities anywhere in the world. But we can, and must, do something about the other three factors to maintain and expand our competitive edge. First, what lessons can we learn from other nations' regulatory systems? Currently, there are more than 10 federal, state and industry regulatory bodies in the U.S. The British have only one such body. Industry experts estimate that the gross financial regulatory costs to U.S. companies are 15 times higher than in Britain. Beyond cost savings, the British enjoy another advantage: While our regulatory bodies are often competing to be the toughest cop on the street, the British regulatory body seems to be more collaborative and solutions-oriented. With the benefit of hindsight, the Sarbanes-Oxley Act of 2002, which imposed a new regulatory framework on all public companies doing business in the U.S., also needs to be re-examined. Since its passage, auditing expenses for companies doing business in the U.S. have grown far beyond anything Congress had anticipated. Of course, we must not in any way diminish our ability to detect corporate fraud and protect investors. But there appears to be a worrisome trend of corporate leaders focusing inordinate time on compliance minutiae rather than innovative strategies for growth, for fear of facing personal financial penalties from overzealous regulators. Second, what lessons can we learn from other nations' legal environments? The total value of securities class-action lawsuits in the U.S. has skyrocketed in recent years, to $9.6 billion in 2005 from $150 million in 1997. The U.K. and other nations have laws that far more effectively discourage frivolous suits. It may be time to revisit the best way to reduce frivolous lawsuits without eliminating meritorious ones. Third, what lessons can we learn from other nations' experiences with international accounting standards? Most European and Asian countries have already begun to adopt international accounting standards, which businesses tend to prefer over the American system. Yet we have set no timetable for doing the same. In the last quarter of the 20th century, we achieved an almost exquisite balance between regulation and entrepreneurial vigor in American financial markets. We learned that too much regulation stifles entrepreneurship, competition and innovation; while too little regulation creates excessive risk to industry, investors and the overall system. This delicate balance has been upset by technological advances, making it much easier to locate financial-services activities anywhere in the world. As a result, foreign markets may be tempted to lower regulatory requirements to achieve a temporary competitive advantage. Though deregulation may help some countries gain more business in the short term, over the long term it could hurt the stability and reliability of the global marketplace. New York cannot afford to lose its place as the global leader in financial services. We have to carefully redefine this balance of innovation and regulation. That is what we seek to do over the next several months. Our ability to do that, and to answer these three questions, will determine the future of New York - - and, in many ways, the nation. If we do not rise to the challenge, the speculation that New York is losing its pre-eminence in the global marketplace will become more than just chatter. Mr. Schumer is a Democratic senator from New York. Mr. Bloomberg is mayor of New York City. URL for this article: http://online.wsj.com/article/SB116234404428809623.html Copyright 2006 Dow Jones & Company, Inc. All Rights Reserved This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843- 0008 or visit www.djreprints.com. REGULATION SarbOx Setback EASIER COMPLIANCE FOR SMALL BIZ WAS WITHIN REACH, BUT THE SEC IS BACKPEDALING BY JEREMY QUITTNER SMALL COMPANIES that were hoping have until July 15, 2007, to file for some regulatory relief from the their first annual report. The most onerous provision of the Sar- best they can hope for, he says, is banes-Oxley Act are out of luck, at to see the date postponed. least in the short term. The idea of making 404 On Apr. 23, the 21-person Adviso- work more efficiently is likely to ry Committee on Smaller Public Com- be "a very lengthy process and panies handed the U.S. Securities & not an easy task," says Thomas Exchange Commission a list of 33 rec- Hartmann, a partner at Detroit ommendations on how to make Sarb- law firm Foley & Lardner, He says that's (R-Ohio) remains chair of the House Ox compliance easier for small public partly because there is no existing regula- Financial Services Committee. companies. The most striking proposal tory framework for small companies The SEC committee's recommen- would have exempted the smallest from around which to build such an approach. dations followed a 13-month review the burdensome Section 404 until the Some in Congress are trying to of the accounting and financial report- SEC can figure out a way to tailor it to keep the exemption idea afloat. On ing of smaller businesses, including them. Section 404 requires that compa- May 17, Representative Tom Feeney their audit procedures and the process nies complete an internal audit of con- (R-Fla.) introduced a bill that would of going public. The committee had trols they've already established. It's not amend 404 to exempt companies with a recommended that companies be uncommon for businesses to spend market cap of less than $700 million. "I grouped into tiers by market size and hundreds of thousands of dollars trying was disappointed by the SEC response." that those with less than $787 million to comply with it. says Feeney. "For now it seems they in market capitalization be exempted from 404. About 7,400 businesses CHEIN/NY ENTERPRISE REPORT But on May 17, SEC Chairman have not fully appreciated the enormity Christopher Cox signaled his opposi- of the problems with SarbOx, or they would have qualified. That's 79% of tion. "He and the other commissioners have appreciated the problems and are public companies but only about 6% of have indicated that they would rather not ready to act aggressively to reform the total public market capitalization. make 404 work more efficiently. than the implementation." Senator Jim The exemption would have remained [talk] about exempting smaller compa- Demint (R-S.C.) introduced a similar in place until a new set of internal audit nies," says SEC spokesman John Heine. bill in the Senate. Even so, Feeney says rules was established specifically for He adds that companies with less than the chances of his bill passing are slim smaller companies. Now it may not go $75 million of public stock outstanding while Representative Michael Oxley into place at all. SB SMALLBIZ EDITOR KIMBERLY WEISUL ASKS NAPOLEON BARRAGAN: WHAT'S THE ONE THING YOU WISH YOU KNEW BEFORE STARTING 1-800-MATTRESS? one " In 1998 we started asking all our customers five simple questions. Until we did that, it was hard to know if we were giving the customer what they wanted. We have to be measuring constantly. We have to look at last week and last ILLUSTRATION BY TIM year and be prepared for tomorrow and next month. And at that time they call you a visionary. " -NAPOLEON BARRAGAN founder and chief executive of 1-800-MATTRESS BusinessWeek SmallBiz Summer 2006 35 10 Leaders The Economis April 200 2006 Iran, Israel and Palestine Rejecting Israel, again The refusal to accept Israel's right to exist harms Palestinians too S E VERY so often, unpopular ous international undertakings. Worse still, Hamas this week H Muslim regimes on the pe- sent out an unambiguously wrong signal by justifying as "self riphery of the Palestine conflict defence" the deadly Passover suicide-bombing in Tel Aviv by a S find it expedient to propose smaller pro-Iranian Palestinian group, Islamic Jihad. p eliminating the Zionist entity. Right now it is Israel that has the better claim to be defend- Since his election last year, Mah- ing itself. Islamic Jihad makes ceaseless attempts to mount sui- moud Ahmadinejad, Iran's cide-bombings in Israel and, with other groups, has been fir- president and chief holocaust ing rockets at Israeli towns ever since Israel evacuate the Gaza C denier, has become a leading exponent of this familiar ruse. Strip last summer. Israel has killed many members of the p His promise last week that Israel would soon be wiped from rocket-launching teams-and, by accident, some innocent by- C the pages of history in accordance with the prophecy of the standers too. But the deliberate targeting of civilians is a war late Ayatollah Khomeini was therefore neither especially new crime in anyone's book, and under the agreements which Ha- nor-till Iran acquires nuclear weapons-especially frighten- mas refuses to honour, the Palestinian Authority (PA) under- T ing. And, of course, even with a bomb, even Mr Ahmadinejad took to make an effort to stop such attacks. Its president, Mah- might think twice about launching a nuclear attack that could moud Abbas, rightly denounced the Tel Aviv atrocity. lead to Iran's own swift destruction. By condoning the attack instead, Hamas will find it harder What is more depressing is the rise of a similarly atavistic to win broad international acceptance. That may be a price it is strain of Israel-destroying rhetoric among the Palestinians willing to pay. As Western countries give the PA less, Russia, themselves. It took the Palestine Liberation Organisation until Iran and the Arab states may give more. Moreover, any at- the late 1980s to abandon its self-defeating fantasy that it had tempt by Israel to force the collapse of Hamas's government is the power and the right to wipe Israel off the map. Now the liable to fail. For all Israel's power in the territories, it should be Palestinians are in danger of revisiting the same dead end. prevented by its own scruples and world opinion from starv- Like many successful Islamist movements, Hamas com- ing the Palestinians into reversing their democratic decision. bines strong ideology with a shrewd pragmatism. But win- By the same token, however, Hamas's efforts to establish a ning January's Palestinian elections has been discombobulat- free Palestine look doomed to fail unless it pays Israel the basic ing (see page 47). Since then its leaders have broadcast a price of admission to talks: recognition of its right to exist and blizzard of crossed and mixed signals about whether they an end to terrorism. On present showing, Hamas's leaders are would be content with a state in the West Bank and Gaza in- not willing to make that leap. It is to be hoped that they can still $ stead of all historic Palestine, and for how long. Yet they still change their mind. If they think Israel's offer of a decent two- seem unable to accept the request of America, Europe, Russia state solution is a bluff, let them call it. History suggests that al- and the United Nations to renounce terror and violence, ac- though both sides suffer when there is deadlock in this miser- cept Israel's right to exist and honour the Palestinians' previ- able conflict, the Palestinians tend to suffer more. Corporate regulation In search of better SOX What can be done to loosen America's burdensome post-Enron rules? O NLY yesterday companies and that their attraction to overseas companies was proof of the world over flocked to the fact. So what does it mean that many of those firms now America to list their shares. For opting to list elsewhere pin much of the blame on the burden bigger, more established firms, of America's corporate regulations-above all the Sarbanes- the razzmatazz of a listing on the Oxley act (sox) passed by Congress in 2002 after the scandal- New York Stock Exchange was ous collapse of Enron and WorldCom? the mark of blue-chip status. For To its defenders, and there are still many, sox has done just younger firms, a NASDAQ list- what was asked of it and raised the quality of corporate regu- ing was a crucial step on the way to becoming the next Micro- lation so as to minimise the risk of the next Enron or World- soft. Today, however, foreign listings have become a rarity, es- Com. If the price of that is for flakier Russian companies to pecially on NASDAQ. Even some of America's home-grown choose laxer jurisdictions overseas, SO much the better. would-be Microsofts now list not in New York, but overseas, That argument might wash were sox a well-crafted piece especially on London's Alternative Investment Market. of legislation, rather than a rush-job hurried through a Con- It used to be taken for granted in the United States that the gress with its eye on 2002's mid-term elections. sox's sceptics country's stockmarkets were the best-regulated in the world, are not restricted to fundamentalists who think that the legis- the Economist Leaders, 11 lation was always unnecessary or went after the wrong tar- bly be seen through by America's main markets regulator, the gets. Today, many people who supported SOX in principle- Securities and Exchange Commission (SEC) without troubling ranging from the boss of NASDAQ to the sainted former chair- Congress (see page 59). man of the Federal Reserve, Alan Greenspan-are increasingly A good start would be for the SEC to follow the likely advice disturbed by SOX in practice. of its own Advisory Committee on Smaller Public Companies and exempt companies with a stockmarket value below Strangled by red tape $128m and sales of less than $125m. That would still leave the How could SOX be improved? Divisions in Congress mean bigger firms that account for 94% of the value of America's that thorough reform is unlikely anytime soon, even though stockmarkets subject to Section 404. The SEC should also try to some parts of the legislation could do with a second look. The lighten the burden on them too. It could, for example, narrow priority is to modify the most hated part of SOX, the 20 lines of the scope of the internal-control review carried out by audi- text called Section 404, which regulates the internal controls tors so that they examine only the larger risks, not the size of used by firms in their financial reporting and extends scruti- people's lunch expenses. nising to such minutiae as travel expenses and petty cash. The Small technical changes, perhaps, but in SOX, the detail is cost of implementing Section 404 has been far higher than ex- what costs the money. At the least such reforms would help re- pected, especially in smaller firms. Happily, several changes store the reputation of America's stockmarkets. They might could lighten the burden of Section 404 and these can proba- even make America's own companies more competitive. The oilmarket Nostalgia for calmer days Uncertainty looks a bigger problem than high prices H OW high can the oil price plenty of black gold in the ground. go? It is striking that so The hitch is that the most promising territory for explora- many people are even asking tion lies in unstable places such as the Middle East and Russia. the question-let alone answer- What is more, the oil is controlled by state-owned firms, which ing it, in some cases, with fright- often seem blind to the signals sent by the market. While the ening triple-digit numbers. For supply remains tight any political or meteorological hiccup in most of the 1980s and 1990S, the a producing country (and there always seems to be at least oil price rarely strayed far from one) will resonate through the markets. $20 a barrel. With the exception of a brief interlude following Three other factors will add to the uncertainty. The first is Iraq's invasion of Kuwait in 1990, the world grew used to the the flood of new speculative investment in commodities, es- joys of cheap oil. But over the past four years, the price has pecially oil. Speculators are thought to have put more than more than tripled, to more than $70 a barrel. It is still climbing $100 billion into commodities markets in the past few years, and prices in the futures market imply that oil will remain dear helping to propel the price of oil ever higher. But this new hot for several years to come. Clearly, investors believe that some money could quit the oil market in an instant, causing prices to comfortable old certainties have gone out of the window. plunge (and throwing the energy industry's investment plans Chief among them is the idea that Saudi Arabia will always into disarray). act to cap prices. The Saudis have many decades-worth of oil The second unknown is how expensive oil will affect the left in the ground, and so have an incentive to keep the stuff world economy. Past surges in the oil price have led to rises in cheap enough to ward off conservation or substitution. To this inflation and interest rates that have triggered recessions. This end-and to help its protectors in Washington, DC-the king- time might be different, partly because growing demand, dom used to maintain spare pumping capacity of a few mil- rather than a reduction in supply, has underpinned the price lion barrels a day, enough to deal with an unexpected surge in rise. That means it has been steady and gradual, giving con- demand or a sudden cut in supply. During the first Gulf war, sumers more time to adjust. In addition, inflation remains low for example, Saudi Arabia turned on the taps to compensate and oil exporters are supporting consumption in the United for the loss of Iraq and Kuwait's normal output. But as demand States, the biggest importer (see page 74). Dearer oil will even- has grown over the past few years, particularly from booming tually curb demand-but at what price, and at what cost to the places like China, supply has not kept pace, so Saudi Arabia's world economy, nobody knows. buffer has gradually worn through. For the first time in more than two decades demand is straining at capacity. Making oil A freer oil market is no bad thing. In time, higher prices will In the long run, the biggest uncertainty is technology. Western lead to conservation-a bonus in a world worried about global oil firms are beginning to address their difficulty in finding oil warming (though one better achieved through taxes). In addi- by manufacturing fuel instead. Man-made fuels, such as etha- tion, oil firms should respond to higher prices by redoubling nol derived from plants, or diesel conjured from coal and gas, their efforts to procure more of the stuff. And so they are: by hold out the promise of secure and almost unlimited supply. one estimate, 15m barrels of new capacity should come on- But with today's technology these are much more expensive stream by 2010 (see page 65). Moreover, despite a lot of scare- to produce than oil pumped from the deserts of Arabia. Until mongering, the geological evidence suggests that there is still that changes, the oil market is set for an unnerving period. Business The Economist April 22nd 2006 59 Also in this section 60 The Enron trial 60 Software as a service 61 Executive pay 62 An Indian LBO 62 General Motors and Saturn 63 Biotechnology 64 Face value: Albert Frère, re-making corporate Europe aditic wenter Regulating business far utweighed by the costs. Messrs Butler and Ribstein would ide- The trial of Sarbanes-Oxley ally like SOX to be repealed. But even if a, court case challenging the constitutional- ity of the PCAOB (and by extension, sox) is successful, it is more likely that Congress NEW YORK will simply amend the law. The corporate regulation brought in after the Enron scandal stands accused of All SOX critics agree that the top prior- making matters worse ity for reform is Section 404 of the law, which regulates the internal controls that D OWN in Houston the Enron trial pro- nancial reports. Second, new measures to firms use to reduce the risk of fraud or error ceeds apace. But far more significant improve the monitoring of firms by rele- in their financial statements. The burdens for business, in America and beyond, than vant outside professionals, such as law- imposed by Section 404 are the main rea- the fate of the energy company's former yers and auditors, who got their own regu- son why formerly enthusiastic supporters bosses is the outcome of another "trial" latory body, the Public Company of sox, such as Mr Greenspan, are now de- that is now at a crucial stage-that of the Accounting Oversight Board (PCAOB). manding reform. legislation introduced by Congress in 2002 Third, more disclosure, including of a Section 404 has almost certainly im- in the wake of the Enron scandal. firm's internal-control structure. Fourth, proved the quality of internal controls at The act was named after its two main new rules on the conduct of corporate in- the firms where it has been implemented. sponsors, Senator Paul Sarbanes (pictured siders, such as a prohibition on loans to ex- But the question is not whether better con- right above) and Congressman Mike Ox- ecutives. Finally, new rules to ensure that trols lead to less risk-how could they ley (left). Sarbanes-Oxley, or SOX, as it has securities analysts at banks operate inde- not?-but whether that reduction in risk is become known, was unpopular with pendently from their firms' investment- worth the price. According to a recent business people from the start. In recent banking activities. study by CRA International, a research years it has been hard to find a chief execu- sox-bashers have found fault, to vary- firm, in the first year of SOX implementa- tive of a public company who does not ing degrees, with all five reforms. Henry tion, for larger companies (with a market complain vehemently about the burdens Butler, an economist, and Larry Ribstein, a capitalisation of at least $700m), the aver- imposed by the dreaded SOX. Indeed, law professor, set out the most compre- age direct cost of Section 404 was $8.5m; rather than diminish as the initial shock hensive critique yet in a recent paper, "The for smaller public companies ($75m- wore off, the complaints have only got Sarbanes-Oxley debacle: How to fix it and 700m), the average cost was around $1.2m. louder. The sox-bashers have been joined what we've learned", which was pre- The SEC has not yet asked the very small- by such luminaries as Alan Greenspan, the sented at the conservative American En- est public companies, with a value of less former head of the Federal Reserve and terprise Institute. Describing SOX as a "co- than $75m, to comply with Section 404. Bob. Greifeld, the boss of the NASDAQ lossal failure, poorly conceived and hastily The good news is that Section 404 costs stockmarket. And the critics are not just enacted during a regulatory panic", they are expected to fall by around 40% in the American. Because of SOX, says Mr Grei- argue (among other things) that the costs second year, says CRA, as the new system feld, "international business clearly per- of implementing SOX are far higher than beds in. Even so, the costs are still higher ceives a 'problem' with US markets today." expected, both in cash terms, and even than anyone expected them to be-the SEC SOX packaged together five different more so when they count the indirect initially forecast an average cost of $91,000 categories of reforms intended to protect costs-such as managers' reluctance to take per company-and the burden is dispro- investors from future Enrons. First, rules re- risks because of the new "climate of fear" portionately heavy for smaller companies. quiring better internal monitoring for po- in the boardroom, and the missed oppor- Much of the blame for this should be tential fraud by a company's board and ex- tunities of foregone investment. Although pinned on accounting firms, which, de- ecutives, including making the people at they admit that SOX may have reduced the spite being seen by the public as big of- the top certify the quality of their firm's fi- risk of fraud, they argue that this benefit is fenders in the Enron and WorldCom scan- 11 60 Business The Economist dals, have emerged as the big beneficiaries onerous the requirements of Section 404, to $788m, and revenues of under $250m from SOX. According to Joe Grundfest, a the more money the audit profession can would be partially exempted. former SEC commissioner, the audit in- earn" by selling its services. This proposal has run into strong oppo- dustry has several incentives to "push Sec- A couple of proposals could help tackle sition, not least from Mr Sarbanes himself, tion 404 compliance to a point of socially this problem, neither of which would re- who points out that it would "effectively inefficient hyper-vigilance." To avoid fur- quire a wholesale reform of SOX by Con- exempt four out of every five companies". ther damage to their reputations, and to gress. In a report due on April 23rd, the True, but it was failures at big firms that minimise the risk that they will be sued SEC'S Advisory Committee on Smaller gave rise to SOX, not at small ones, which over accounting irregularities, audit firms Public Companies was expected to recom- investors have always thought riskier. In are adopting the most prudent possible in- mend that companies be exempted from all, the exemption would cover firms ac- terpretation of the Section 404 rules-rules Section 404 if their market capitalisation is counting for only 6% of total American that are vague and open to argument. And, less than $128m and their revenues are un- stock market value, leaving 94% of public as Mr Grundfest points out, the "more der $125m. Firms with a market value of up companies by value still subject to Section 404. The Enron trial Rather than exempt companies, Sec- tion 404 should be refined to make it more The grilling of Skilling palatable for all firms, argues Robert Po- zen, the head of MFS, a fund-management firm. At the moment, audit companies are An ustrating week for Telfrey Skilling looking at far too many internal controls- some 669 on average at the biggest firms, = THIS the man who once there was no manipulati according to CRA-including items such as Gunled a licente place reading WEEE Mr Berkowitz also argued that ME travel expenses and the handling of petty 156 with del Leading Energy Company line kept BIE and trading cash that are highly unlikely to have any Critter cross commination this week, the Email: investors charge Mt serious impact on a company's financial brash Jeffrey Skilling were mostly skilling denied reporting. Mr Pozen reckons that the SEC their and respectful despite spasms of As the all recalls mounted MI has the authority to require a narrower fo- bhess The formerchiet executived Berkow III played 00 Salling have cus on those internal controls that look at bankrupt come memory He efilled inthrabout time material risks to a firm's financial reports. may dirisisted 1013 in Photote Yun by afor: Mr Grundfest goes further. As it stands, to that He had moll THE la event had tailing with the PCAOB can penalise auditors that are tax hyolying securities line estimate.of how too lax. He would like it to punish those the instdentraci false states michilt invested F Photolete was audit firms that are over-zealous in their in- DED site auditors truch How chatures show? Far terpretation of Section 404, too. What Belkow the squestions about could be fairer than that? THE and sproduced # 161 to seu of stilled accusation them that Entire on Septemberoth skuline had monipulated the com WORK the had resigne from the Software is earnings LO THE etianaly is targets, any too prestrial using reserves from a "conklejet" If-an- Thous the uppearsito be II fill Universal service? wanted cents persibline Ben of Entons harehbldings at 183 is what Entrin would said Mr the time, be claims not to tetne Mbet the DEI kowitz in the second quarter of Fansaction, which wastap Soon near the apex of Enton's fortunes, herethe he sold 500 dob shares which ME Skilling has he did tell Another attributes to September ith) Executive to "shoot for cents a share kowitz also questionedawhy Mr Skilline, Proponents of "software as a service" ex-stite and giffriend all sold sub say it will wipe out traditional software Thank stock in the autumh of 2000. OMETHING momentous is happening So how did he do? For self-con in the software business. Bill Gates of fessed "controls freak", Mr Skilling Microsoft calls it "the next sea change". Emerges, atibest, as oddly unaware of his Analysts call it a "tectonic shift" in the in- responsibilities and of the peculiar 89 dustry. Trade publications hail it as "the ings on at his company, which he claims next big thing". It is software-as-a-service to have left in its"best shape" in 2001. (saas)-the delivery of software as an in- You're out of town, the lights are out," ternet-based service via a web browser, said Mr Berkowitz sceptically of Mr Skil- rather than as a product that must be pur- ling's various explanations for why he chased, installed and maintained. The ap- was out of the loop. Mr Skilling will get peal is obvious: saas is quicker, easier and friendlier face next. His lawyer, Daniel cheaper to deploy than traditional soft- Petrocelli, will re-examine him: then ware, which means technology budgets comes another chance for Mr Berkowitz, can be focused on providing competitive and some other defence witnesses. After advantage, rather than maintenance. that, Kenneth Lay, Mr Skilling's defen- This has prompted an outbreak of icon- dant, could take the stand next week. oclasm. "Traditional software is dead," Then, the long-suffering jury-now in its says Jason Maynard, an analyst at Credit twelfth week of immersion in -bal- Suisse. Just as most firms do not own gen- lince sheet vehicles and hedging strate- erators, but buy electricity from the grid, so Controls freak gies-will decide their fates. in future they will buy software on the hoof, he says. "It's the end of software as " Tuesday, NATIONAL MANET SCRIPIA ARCHIVES AND RECORDS July 18, 2006 1985 Part IV Securities and Exchange Commission 17 CFR Part 240 Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting; Proposed Rule 40866 Federal Register / Vol. 71, No. 137 / Tuesday, July 18, 2006 / Proposed Rules SECURITIES AND EXCHANGE we do not edit personal identifying accelerated filers. As announced in that COMMISSION information from submissions. You press release, the Commission expects should submit only information that to propose an additional extension of 17 CFR Part 240 you wish to make available publicly. the dates for complying with our [Release No. 34-54122; File No. S7-11-06] FOR FURTHER INFORMATION CONTACT: internal control over financial reporting Lillian Brown, Division of Corporation requirements for companies that are RIN 3235-AJ58 Finance or Michael Gaynor, Office of non-accelerated filers, including foreign Chief Accountant, Securities and private issuers that are non-accelerated Concept Release Concerning Exchange Commission, 100 F Street, filers. Management's Reports on Internal NE., Washington, DC 20549. Section 404(b) of Sarbanes-Oxley, as Control Over Financial Reporting SUPPLEMENTARY INFORMATION: well as the Commission's rules adopted AGENCY: Securities and Exchange to implement the requirements of that Table of Contents Commission section of the Act, require every I. Background registered public accounting firm that ACTION: Advance notice of proposed II. Introduction prepares or issues a financial statement rulemaking; Concept Release; request III. Risk and Control Identification audit report for a company also to attest for comment. IV. Management's Evaluation to and report on management's V. Documentation to Support the Assessment SUMMARY: The Commission is assessment of internal control over VI. Solicitation of Additional Comments publishing this Concept Release to financial reporting, in accordance with understand better the extent and nature I. Background standards to be established by the of public interest in the development of Section 404(a) of the Sarbanes-Oxley Public Company Accounting Oversight additional guidance for management Act of 2002 directed the Commission Board (PCAOB). On June 17, 2004, the regarding its evaluation and assessment to prescribe rules that require each Commission issued an order approving of internal control over financial annual report that a company, other PCAOB Auditing Standard No. 2, "An reporting so that any guidance the than a registered investment company, Audit of Internal Control over Financial Commission develops addresses the files pursuant to section 13(a) or 15(d) 2 Reporting Performed in Conjunction of the Securities Exchange Act of 1934 with an Audit of the Financial needs and concerns of public companies, consistent with the to contain an internal control report: (1) Statements" (AS No. 2), published at 69 protection of investors. Stating management's responsibilities FR 35083, June 23, 2004, which DATES: Comments should be submitted for establishing and maintaining established the requirements that apply on or before September 18, 2006. adequate internal control structure and when an independent auditor is procedures for financial reporting; and engaged to provide an attestation and ADDRESSES: Comments may be (2) containing an assessment, as of the report on management's assessment of submitted by any of the following end of the company's most recent fiscal the effectiveness of a company's internal methods: year, of the effectiveness of the control over financial reporting. Electronic Comments company's internal controls and In the release adopting the procedures for financial reporting. On Commission's rules implementing Use the Commission's Internet comment form (http://www.sec.gov/ June 5, 2003, the Commission adopted section 404, we expressed our belief that rules published at 68 FR 36636, June 18, the methods of conducting assessments rules/concept.shtml); or Send an e-mail to rule- 2003, implementing section 404 with of internal control over financial [email protected]. Please include File regard to management's obligations to reporting will, and should, vary from Number S7-11-06 on the subject line; report on internal control over financial company to company.4 We continue to reporting. believe that it is impractical to prescribe or Domestic reporting companies that a single methodology that meets the Use the Federal eRulemaking Portal meet the definition of "accelerated filer" needs of every company. However, we (http://www.regulations.gov). Follow the under the Commission's rules were have received feedback that the limited instructions for submitting comments. required to comply with the internal nature and extent of detailed Paper Comments control reporting provisions for the first management guidance available has time in connection with their fiscal resulted in management's Send paper submissions in triplicate to Nancy M. Morris, Secretary, years ending on or after November 15, implementation and assessment efforts 2004. Foreign private issuers that meet being driven largely by AS No. 2. Securities and Exchange Commission, the definition of accelerated filer must Therefore, we are planning to issue 100 F Street, NE., Washington, DC comply with those provisions for their additional guidance to assist 20549-1090. first fiscal year ending on or after July management its performance of its All submissions should refer to File 15, 2006. On September 22, 2005, in a assessment of internal control over Number S7-11-06. This file number document published at 70 FR 56825, financial reporting. On May 17, 2006, should be included on the subject line September 29, 2005, the Commission we announced, among other things, our if e-mail is used. To help us process and postponed the compliance date for intent to issue this Concept Release review your comments more efficiently, domestic and foreign non-accelerated seeking comment on a variety of issues please use only one method. The filers until their first fiscal years ending that might be the subject of Commission Commission will post all comments on on or after July 15, 2007. guidance for management. As we noted the Commission's Internet Web site On May 17, 2006, the Commission in that announcement, in writing any (http://www.sec.gov/rules/ announced through a press release its guidance we will be sensitive to the fact concept shtml). Comments also are intent to issue an additional available for public inspection and postponement for compliance for non- 4 See SEC Final Rule: Management's Reports on copying in the Commission's Public Internal Control over Financial Reporting and Reference Room, 100 F Street, NE., Certification of Disclosure in Exchange Act Periodic 1.75 U.S.C. 7262. Reports, Release No. 34-47986 (June 5, 2003) [68 FR Washington, DC 20549. All comments 2 15 U.S.C. 78m(a) or 78o(d) 36636, June 18, 2003] (hereinafter "Adopting received will be posted without change; 3 15 U.S.C. 78a et seq. Release") at Section II.B.3.d. Federal Register / 71, No. 137 Tuesday, July 18, 2006 Proposed Rules 40867 that many companies already have Since the Commission adopted rules Treadway Commission (COSO) as an invested substantial resources to in June 2003 to implement section 404 example of a suitableframework.7 establish and document programs and of the Sarbanes-Oxley Act, companies While the COSO framework provides procedures to perform their assessments and third parties have devoted an integrated framework that identifies over the last few years. considerable attention to the methods the components and objectives of II. Introduction that management may use to assess the internal control, it does not set forth effectiveness of internal control over detailed guidance as to the steps that financial reporting. To date, many management must follow in assessing Based on the cumulative feedback public companies have developed their the effectiveness of a company's internal received since the adoption of the rules control over financial reporting. We, implementing section 404, the own assessment procedures internally. therefore, distinguish between the Commission deems it necessary to issue Many also have retained consultants or COSO framework as an internal control additional guidance for management on purchased commercial software and framework and other forms of guidance its assessment of the effectiveness of other products to establish or improve that illustrate how to conduct an internal control over financial reporting. their assessment procedures. When the assessment of the effectiveness of We currently anticipate that the Commission first adopted the internal internal control over financial reporting. guidance issued would be in the form of control over financial reporting Any additional management guidance a rule, which would address the topics requirements, we emphasized two broad that we may issue is not intended to that we have outlined in this Concept principles: (1) That the scope and replace or modify the COSO framework Release: Risk and control identification, process of the assessment must be based or any other suitable framework. management's evaluation, and on procedures sufficient both to In determining the need for additional documentation requirements (each of evaluate its design and to test its guidance to management on how to these topics is addressed separately operating effectiveness; and (2) that the conduct its assessment, it is important throughout the remainder of this assessment, including testing, must be to consider the steps that already have document). Additionally, we anticipate supported by reasonable evidential been taken by the Commission and that the rule would be written in such matter. We stated that it was important others to provide guidance to companies and audit firms. The Commission held a manner that if companies followed the for each company to use its informed its first roundtable discussion about rule, they would be deemed to have judgment about its own operations, complied with Rules 13a-15(c) and risks, and processes in documenting and implementation of the internal control 15d-15(c) of the Exchange Act. Further, evaluating its controls. We continue to reporting provisions on April 13, 2005. The Commission held the 2005 we anticipate any modifications to AS believe that management must bring its roundtable to seek input to consider the No. 2 would be consistent with the rule. own experience and informed judgment impact of the section 404 reporting The Commission is publishing this to bear in designing an assessment requirements in view of the fact that the Concept Release to solicit public process that meets the needs of its comment on the provision of additional company and that provides reasonable See COSO, Internal Control-Integrated guidance to management of public assurance as to whether the company's Framework (1992). In 1994, COSO published an internal control over financial reporting addendum to the Reporting to External Parties companies that are subject to the SEC's volume of the COSO Report. The addendum is effective. rules related to management's discusses the issue of, and provides a vehicle for, assessment of internal control over While we emphasized the concept of expanding the scope of a public management report on internal control to address additional controls financial reporting and, to assist the management flexibility in adopting our pertaining to safeguarding of assets: In 1996, COSO Commission SO that any guidance it rules implementing section 404, our issued a supplement to its original framework to ultimately develops addresses the needs rules do require management to base its address the application of internal control over financial derivative activities. and concerns of all public companies. assessment of a company's internal The COSO framework is the result of an extensive We raise a series of questions control on a suitable evaluation study of internal control to establish a common throughout this release on assessing framework, in order to facilitate definition of internal control that would serve the risks, identifying controls, evaluating comparability between the assessment needs of companies; independent public accountants, legislators, and regulatory agencies, effectiveness of internal control, and reports. It is important to note that our and to provide a broad framework of criteria against documenting the basis for the rules do not mandate the use of a which companies could evaluate and improve their assessment. Through the questions in particular framework, because multiple control systems. The COSO framework divides internal control into three broad objectives: this Concept Release, we seek to elicit frameworks exist and others may be effectiveness and efficiency of operations, reliability specific public comment on such developed in' the future. However, in the of financial reporting, and compliance with matters including, but not limited to; release adopting the Section 404 applicable laws and regulations. Our rules relate only to reliability of financial reporting. Each of the the extent and nature of public interest requirements, the Commission objectives in the COSO framework is further broken in the development of additional identified the Internal Control- down into five interrelated components: control management guidance, whether Integrated Framework created and environment, risk assessment, control activities, published by the Committee of information and communication, and monitoring. additional guidance would be useful for Under the COSO framework, management is able to all reporting companies or just a subset Sponsoring Organizations of the monitor, evaluate, and improve their control of those companies, the particular systems through the use of the five components. In that release, we also cited the Guidance on subject areas that any additional Assessing Control published by the Canadian guidance should address, and the extent Institute of Chartered Accountants and the Turnbull of additional guidance that would be Report published by the Institute of Chartered useful. Accountants in England & Wales as examples of other suitable frameworks that issuers could choose in evaluating the effectiveness of their internal control over financial reporting. We encourage companies to examine and select a framework that 5 See Adopting Release at Section II.B.3.d. may be useful in their own circumstances and the G See Adopting Release at Section II.B.3.d. further development of alternative frameworks. 40868 Federal Register 71, No. 137 Tuesday, July 18, 2006 Proposed Rules implementation of the requirements The purpose of internal control over and sustained review and testing for resulted in a major change for financial reporting; perceived compliance with section 404. management and auditors. A broad The concept of reasonable The Advisory Committee's final range of interested parties, including assurance, the importance of a top- report set forth several representatives of managements and down, risk-based approach, and scope recommendations for the Commission to boards of domestic and foreign public of testing and assessment; consider regarding the application of the companies, auditors, investors, legal Evaluating internal control section 404 requirements to smaller counsel, and board members of the deficiencies; public companies. The Advisory PCAOB, participated in the discussion. Disclosures about material Committee recommended partial or We also invited and received written weaknesses; complete exemptions for specified types submissions from the public regarding Information technology issues; of smaller public companies from the section 404 in advance of the Communications with auditors; and internal control reporting requirements roundtable. under certain conditions, unless and Issues related to small businesses Feedback obtained from the 2005 until a framework is developed for and foreign private issuers. roundtable indicated that the internal assessing internal control over financial Overall, the May 16, 2005 guidance control reporting requirements had led reporting that recognizes the was well-received, and some to increased focus by management on characteristics and needs of those commenters have indicated there has internal control over financial reporting. companies. The Advisory Committee been some improvement in the However, the feedback also identified also recommended, among other things, effectiveness and efficiency of section particular implementation areas in need that COSO and the PCAOB provide of further clarification to reduce 404 compliance efforts. However, some additional guidance to help facilitate the constituents, especially smaller public unnecessary costs and burdens without design and assessment of internal companies, continue to request the jeopardizing the benefits of the new control over financial reporting and provision of additional guidance. For requirements. make processes related to internal In response to this feedback, the example, in its Final Report to the control more cost-effective. 12 In Commission and its staff issued Commission, issued on April 23, 2006, addition, some commenters on the guidance on May 16, 2005.9 An the Commission's Advisory Committee Advisory Committee's exposure draft of overarching message of that guidance on Smaller Public Companies raised a its report suggested that the Commission was that it is the responsibility of number of concerns it perceived reexamine the appropriate role of management, not the auditor, to regarding the ability of smaller outside auditors in connection with the determine the appropriate nature and companies to comply cost-effectively management assessment required by form of internal controls for the with the requirements of section 404. Section 404. 13 company and to scope their evaluation The Advisory Committee identified as Further, in April 2006, the U.S. procedures accordingly. Additionally, an overarching concern the difference in Government Accountability Office based on feedback received, a number of how smaller and larger public issued a Report to the Committee on the implementation issues arose from an companies operate. The Advisory Small Business and Entrepreneurship, overly conservative application of the Committee focused in particular on U.S. Senate, entitled Sarbanes-Oxley Commission rules and AS No. 2, and the three characteristics: (1) The limited Act, Consideration of Key Principles requirements of AS No. 2 itself, as well number of personnel in smaller Needed in Addressing Implementation as questions regarding the appropriate companies constrains the companies' for Smaller Public Companies, which role of the auditor. Accordingly, much ability to segregate conflicting duties; (2) recommends that in considering the of the guidance in the staff statement top management's wider span of control concerns of the Advisory Committee, and more direct channels of emphasized and clarified existing the Commission should assess the communication increase the risk of provisions of the rules and other available guidance on management's Commission guidance relating to the management override; and (3) the assessment to determine whether it is exercise of professional judgment, the dynamic and evolving nature of smaller sufficient or whether additional action concept of reasonable assurance, and companies limits their ability to is needed. The report indicates that maintain well-documented static the permitted communications between management's implementation and management and auditors. business processes. 10 assessment efforts were largely driven The staff's guidance addressed The Advisory Committee suggests by AS No. 2, as guidance at a similar these characteristics create unique level of detail was not available for implementation issues in the following seven areas: differences in how smaller companies management's implementation and achieve effective internal control over assessment process. 14 Further, the GAO 9 Commission Statement on Implementation of financial reporting that may not be report recommended that the Internal Control Reporting Requirements. Press adequately accommodated in AS No. 2 Commission coordinate with the Release No. 2005-74 (May 16, 2005) (hereinafter or other implementation guidance as PCAOB to help ensure that the section "May 2005 Commission Guidance"); Division of currently applied in practice. 404-related audit standards and Corporation Finance and Office of Chief Accountant: Staff Statement on Management's addition, the Advisory Committee noted guidance are consistent with any Report on Internal Control Over Financial Reporting serious cost ramifications for smaller (May 16, 2005) (hereinafter "May 2005 Staff public companies stemming from the 12 Advisory Committee Report at 52, available at Guidance")available at SEC.gov/spotlight/soxcom/ cost of frequent documentation change http://SEC.gov/info/smallbus/acspc.shtml. htm. 13 See, e.g., letter from BDO Seidman, LLP (April Also on May 16, 2005, the PCAOB and its staff 3, 2006), available at http://SEC.gov/info/smalbus/ issued guidance to auditors on their audits under 10 Final Report of the Advisory Committee on acspc.shtml. Auditing Standard No. 2. The PCAOB's guidance Smaller Public Companies to the United States 14 United States Government Accountability focused on areas in which the efficiency of the Securities and Exchange Commission (April 23, Office Report to the Committee on Small Business audit could be substantially improved. Topics 2006) (hereinafter 'Advisory Committee Report") at and Entrepreneurship, U.S. Senate: Sarbanes-Oxley included the importance of the integrated audit, the 35-36, available at http://SEC.gov/info/smallbus/ Act: Consideration of Key Principles Needed in role of risk assessment throughout the process, the acspc.shtml. Addressing Implementation for Smaller Public importance of taking a top-down approach, and Advisory Committee Report at 37, available at Companies (April 2006) (hereinafter "GAO Report") auditors' use of the work of others. http://SEC.gov/info/smallbus/acspc.shtml. at 52-53: Federal Register Vol. 71, No. 137/Tuesday, July 18, / Proposed Rules 40869 additional management guidance 1. Would additional guidance to companies benefit from the issued.15 management on how to evaluate the development of additional frameworks? On May 10, 2006, the Commission effectiveness of a company's internal 9. Should the guidance incorporate and PCAOB conducted a second control over financial reporting be the May 16, 2005 "Staff Statement on Roundtable on Internal Control useful? If so, would additional guidance Management's Report on Internal Reporting and Auditing Provisions to be useful to all reporting companies Control Over Financial Reporting"? solicit feedback on accelerated filers' subject to the Section 404 requirements Should any portions of the May 16, second year of compliance with the or only to a sub-group of companies? 2005 guidance be modified or section 404 requirements. Although What are the potential limitations to eliminated? Are there additional topics some participants expressed developing guidance that can be applied that the guidance should address that reservations about changing the by most or all reporting companies were not addressed by that statement? processes they have already subject to the section 404 requirements? For example, are there any topics in the implemented, a number of the 2. Are there special issues applicable staff's "Management's Report on participants expressed at the roundtable to foreign private issuers that the Internal Control Over Financial and in their written comments the view Commission should consider in Reporting and Certification of that additional guidance was needed. 16 developing guidance to management on Disclosure in Exchange Act Periodic COSO plans to publish additional how to evaluate the effectiveness of a Reports Frequently Asked Questions application guidance on its control company's internal control over (revised October 6, 2004)" 19 that should framework in the near future. 17 This financial reporting? If so, what are be incorporated into any guidance the guidance is intended to assist the these? Are such considerations Commission might issue? management of smaller companies in applicable to all foreign private issuers 10. We also seek input on the understanding and applying the COSO or only to a sub-group of these filers? appropriate role of outside auditors in framework. It is expected that COSO's 3. Should additional guidance be connection with the management new guidance will outline principles limited to articulation of broad assessment required by section 404(a) of fundamental to the five components of principles or should it be more detailed? Sarbanes-Oxley, and on the manner in internal control described in the COSO 4. Are there additional topics, beyond which outside auditors provide the framework. The guidance will define what is addressed in this Concept attestation required by section 404(b). each principle and describe the Release, that the Commission should Should possible alternatives to the attributes of each, list a variety of approaches that smaller companies can consider issuing guidance on? If so; current approach be considered and if use to apply the principles, and include what are those topics? so, what? Would these alternatives examples of how smaller companies 5. Would additional guidance in the provide investors with similar benefits format of a Commission rule be without the same level of cost? How have applied the principles. As noted in preferable to interpretive guidance? would these alternatives work? the May 17, 2006 announcement, we anticipate that this guidance will help Why or why not? III. Risk and Control Identification organizations of all sizes to better 6. What types of evaluation understand and apply the COSO approaches have managements of While companies have been required to establish and maintain internal framework as it relates to internal accelerated filers found most effective control over financial reporting. and efficient in assessing internal accounting controls since the enactment control over financial reporting? What of the Foreign Corrupt Practices Act in We are issuing this Concept Release to 1977 20 section 404 of the Sarbanes- understand better the extent of public approaches have not worked, and why? interest in the development of 7. Are there potential drawbacks to or Oxley Act re-emphasized the additional guidance for management other concerns about providing importance of the relationship between effective internal controls and reliable regarding its evaluation and assessment additional guidance that the Commission should consider? If so, financial reporting. An integral element of internal control over financial what are they? How might those of establishing and maintaining effective reporting. As noted in our May 17, 2006 announcement, SO that this guidance drawbacks or other concerns best be internal control over financial reporting might be helpful to all companies, the mitigated? Would more detailed involves identifying risks to reliable Commission currently intends that any Commission guidance hamper future financial reporting and designing future guidance we issue will be efforts by others in this area? appropriate internal controls that address the risks. The controls that scalable and responsive to individual 8. Why have the majority of companies who have completed an management identifies as addressing circumstances. We also are interested in assessment, domestic and foreign, risks to financial reporting include those understanding what additional guidance that operate at a company level and are accelerated filers would find helpful. 18 selected the COSO framework rather than one of the other frameworks pervasive to many individual account balances and disclosures, as well as 15GAO Report at 58. available, such as the Turnbull Report? 16 See transcript of Roundtable on Internal Is it due to a lack of awareness, those that are specific to certain Control Reporting and Auditing Provisions, May 10, individual account balances or knowledge, training, pressure from 2006, Panels 1, 2, 3, and 5; letter from The Institute auditors, or some other reason? Would disclosures. Echoing the Commission's of Internal Auditors (IIA) (May 1, 2006); letter from statement in its May 16, 2005 guidance Institute of Management Accountants (IMA) (May 4, that management must bring reasoned 2006); letter from Canadian Bankers Association dissatisfaction by the Commission with the (CBA) (April 28, 2006); letter from Deloitte & assessments accelerated filers have completed to judgment to the process, the staff stated Touche LLP (May 2006); letter from Ernst & date. Rather, we are issuing this Concept Release Young LLP (May 1,2006); letter from KPMG LLP because we are committed to doing as much as we 19 Available at http://www.sec.gov/info/ (May 1, 2006); letter from PricewaterhouseCoopers can to reduce any concerns about the nature and accountants/controlfaq1004.htm LLP (May 1, 2006) and letter from Pfizer Inc. (May extent of assessment procedures that management Title I of Public Law No. 95-213. The FCPA 1, 2006). must establish and maintain, to assist in making the required the Commission to adopt rules requiring 17 See letter from Larry Rittenberg, COSO (May requirements scalable for companies of all sizes and public companies to make and keep accurate 16, 2006) [File Number 4-511]. complexity, and to help companies evaluate financial records, and to maintain a system of 18 We emphasize that the publication of this internal control over financial reporting in a internal accounting controls. See Exchange Act Concept Release does not reflect a general practical and cost-efficient manner. section 13(b). 40870 Federal Register/Vol. 71, No. 137/Tuesday, July 18, 2006 Proposed Rules that management should use its and identify the related risks. In in the guidance? If so, how should that cumulative knowledge, experience, and determining the objectives for internal guidance reflect the special. judgment (applying both qualitative and control over financial reporting, the characteristics and needs of smaller quantitative factors) in identifying these guidance would discuss how public companies? controls and designing the appropriate management might address company- 17. Should the Commission provide procedures for their documentation and level, financial statement account and management with guidance about fraud testing. disclosure level considerations, as well. controls? If so, what type of guidance? Feedback that the Commission has as fraud risks. Additionally, we Is there existing private sector guidance received indicates that, in implementing anticipate that we would provide that companies have found useful in the requirements of section 404, many additional guidance on how this area? For example, have companies companies did not efficiently and management identifies the controls to found the 2002 guidance issued by the effectively identify risks to reliable address the recognized risks. This AICPA Fraud Task Force entitled financial reporting and relevant internal would include guidance on common "Management Antifraud Programs and control functions, ultimately leading to issues that exist in identifying controls Controls" 23 useful in assessing these the identification, documentation, and (e.g. materiality considerations, multi- risks and controls? testing of an excessive number of location issues, concept of "key" 18. Should guidance be issued to help controls. 21 We are also skeptical of the controls). companies with multiple locations or large number of internal controls that 11. What guidance is needed to help business units to understand how those some companies have identified, management implement a "top-down, affect their risk assessment and control documented and tested. While there risk-based" approach to identifying identification activities? How are were likely numerous contributing risks to reliable financial reporting and companies currently determining which factors to these implementation issues, the related internal controls? locations or units to test? one cause may have been the overly 12. Does the existing guidance, which conservative application of AS No. 2 by has been used by management of IV. Management's Evaluation auditors in the initial years. accelerated filers, provide sufficient As noted, the Commission's and the The Commission also has heard that information regarding the identification staff's May 16, 2005 guidance companies had difficulty in determining of controls that address the risks of emphasized that management's how controls related to the prevention material misstatement? Would assessment should be based on the of fraud should be included in their risk additional guidance on identifying particular risks of individual assessment. 22 However, as noted in the controls that address these risks be companies, and recommended a top- May 16, 2005 staff guidance, while no helpful? down, risk-based approach to determine system of internal control can prevent or 13. In light of the forthcoming COSO the accounts and related processes that detect every instance of fraud, effective guidance for smaller public companies, management should consider in its internal control over financial reporting what additional guidance is necessary assessment. Therefore, management's can help companies deter fraudulent on risk assessment or the identification judgments about the significance and financial accounting practices or detect of controls that address the risks? complexity of the risk areas it has them earlier. 14. In areas where companies identified should form the basis not As noted above, the Advisory identified significant start-up efforts in only for determining what controls to Committee observed that the distinct the first year (e.g., documentation of the evaluate, but also for determining the characteristics of smaller public design of controls and remediation of nature, timing, and extent of its companies affect the financial reporting deficiencies) will the COSO guidance evaluation procedures. A risk-based risks and the controls needed to address for smaller public companies adequately evaluation can allow management to them. For example, the significant risk assist companies that have not yet assess whether the company's internal of management override that arises from complied with section 404 to efficiently control over financial reporting is wider spans of control and more direct and effectively conduct a risk effective at a "reasonable assurance" channels of communication may create assessment and identify controls that level. 24 an increased need for entity level address the risks? Are there areas that One of the reasons cited most controls and board oversight. Moreover, have not yet been addressed or need frequently by accelerated filers for the the difficulty in segregating duties and further emphasis? higher than anticipated costs in their changing business processes may 15. What guidance is needed about first year of compliance with the section the role of entity-level controls in 404 requirements is that too much work impact the implementation of internal evaluating and assessing the was done to test and document low-risk controls at these companies. effectiveness of internal control over areas. 25 The Commission continues to We anticipate additional guidance in this arealwould cover a number of the financial reporting? What specific hear that management has difficulty implementation issues that have arisen entity-level control issues should be applying a top-down, risk-based during the first two years of compliance. addressed (e.g., GAAP expertise, the role of the audit committee, using 23 Management Antifraud Programs and Controls: Guidance issued in this area would entity-level controls rather than low- Guidance to Help Prevent and Deter Fraud, address how management should commissioned by the Fraud Task Force of the determine the overall objectives for level account and transactional American Institute of Certified Public Accounting's internal control over financial reporting controls)? Should these issues be Auditing Standards Board (2002), available at addressed differently for larger http://www.aicpa.org/download/members/div/ companies and smaller companies? auditstd/AU-00316.PDF. 21 See transcript of Roundtable on Internal 16. Should guidance be given about '24 See Rules 13a-15(f) and 15d-15(f) of the Control Reporting and Auditing Provisions, May 10, Exchange Act. 2006, Panels 2 and 3; letter from Protiviti Inc. (April the appropriateness of and extent to 25 See transcript of Roundtable on Internal 28, 2006); letter from Computer Sciences which quantitative and qualitative Control Reporting and Auditing Provisions, May 10, Corporation (CSC) (April 28, 2006); and letter from IMA (May 4, 2006). factors, such as likelihood of an error, 2006, Panels 2 and 3; letter from Watson Wyatt 22 See letter from QUALCOMM Inc. (April 27, should be used when assessing risks Worldwide (March 31, 2006); letter from 2006); and letter from Diane Allen, 3M (Allen) and identifying controls for the entity? QUALCOMM Inc. (April 27, 2006); and letter from Association for Financial Professionals (May 1, (April 28, 2006). If so, what factors should be addressed 2006). Federal Register/Vol. 71, No. 137 Tuesday, July 18, / Proposed Rules 40871 approach in their individual financial reporting involves the impact controls, such as on-going monitoring assessments and some believe that of information technology (IT) activities, be useful? What are some of compliance costs are, and may continue processes. For example, some the sources of evidence that companies to be, higher than necessary. 26 commenters have expressed concerns find most useful in ongoing monitoring The Commission's rules require that over the extent to which IT processes. of control effectiveness? Would management's assessment be "as of' the should be included in the scope of their guidance be useful about how company's fiscal year end, but the rules assessment. 29 As the staff's May 16, management's daily interaction with do not preclude management from 2005 staff guidance indicates, Section controls can be used to support its obtaining evidence to support its 404 is not a one-size-fits-all approach to assessment? assessment through cumulative assessing controls, and for that reason, 21. What considerations are knowledge it acquires throughout the while we believe that controls not appropriate to ensure that the guidance year and in prior years. In fact, related to internal control over financial is responsive to the special management's daily interactions with its reporting should not be included in the characteristics of entity-level controls internal controls may provide it with an assessment, providing a list of the exact and management at smaller public enhanced ability to make informed general IT controls that should be companies? What type of guidance judgments regarding the areas that included in an assessment may not be would be useful to small public present the greatest risk to the reliability practical. Given that fact, we would like companies with regard to those areas? of the financial statements, as well as to explore whether there are specific 22. In situations where management how to evaluate the relevant controls. areas related to IT where additional determines that separate evaluation-type We have heard anecdotal evidence that, guidance could be provided. testing is necessary, what type of in some cases, management may have Based on the cumulative feedback additional guidance to assist unnecessarily tested controls using received, we believe that guidance on management in varying the nature and separatelevaluation-type testing in management's evaluation process and extent of the evaluation procedures connection with its annual assessment, revisions to AS No. 2 may help reduce supporting its assessment would be rather than relying on its ongoing or eliminate the excessive testing of helpful? Would guidance be useful on monitoring activities, which may internal controls by improving the focus how risk, materiality, attributes of the include, for example, cumulative on risk and better use of entity-level controls themselves, and other factors knowledge and experiences from its controls. We anticipate that the play a role in the judgments about when daily interactions with controls. guidance would cover topics such as the to use separate evaluations versus In addition to testing, another key part overall objective of evaluation relying on ongoing monitoring of management's assessment process is procedures; methods or approaches activities? the evaluation of control deficiencies it available to management to gather evidence to support its assessment (i.e. 23. Would guidance be useful on the discovers in the process of its on-going monitoring, benchmarking, timing of management testing of evaluation. Paramount to evaluating the significance of an individual control controls and the need to update and updating prior evaluations); and evidence and conclusions from prior deficiency, or combination of control factors that management should deficiencies, is to have a comprehensive consider in determining the nature, testing to the assessment "as of" date? understanding of the nature of the timing and extent of its evaluation 24. What type of guidance would be deficiency, its cause, the relevant procedures. This guidance would appropriate regarding the evaluation of identified internal control deficiencies? financial statement assertion the control address whether and how entity-level was designed to support, its effect on controls may adequately address risk at Are there particular issues in evaluating the broader control environment, and the financial statement and disclosure deficient controls that have only an whether effective compensating controls level and considerations as to the extent indirect relationship to a specific financial statement account or exist. 27 Management must exercise information technology general controls disclosure? If so, what are some of the judgment in a reasonable manner in the are included in the scope of evaluation of deficiencies in internal management's assessment. Further, we key considerations currently being used control, considering both quantitative anticipate the guidance would cover when evaluating the control deficiency? and qualitative factors. 28 considerations of management in 25. Would guidance be helpful As noted above, the Advisory determining the severity of an identified regarding the definitions of the terms Committee observed that the distinct control deficiency. "material weakness" and "significant characteristics of smaller public 19. What type of guidance would help deficiency"? If so, please explain any issues that should be addressed in the companies affect the assessment of explain how entity-level controls can financial reporting risks and the reduce or eliminate the need for testing guidance. controls implemented to address them. at the individual account or transaction 26. Would guidance be useful on These characteristics may also affect level? If applicable, please provide factors that management should how those companies evaluate their specific examples of types of entity- consider in determining whether internal control. level controls that have been useful in management could conclude that no Another area where the Commission reducing testing elsewhere. material weakness in internal control continues to hear that companies are 20. Would guidance on how over financial reporting exists despite having difficulty in completing their management's assessment can be based the discovery of a need to correct a assessment of internal control over on evidence other than that derived financial statement error as part of the from separate evaluation-type testing of financial statement close process? If so, 26 See transcript of Roundtable on Internal please explain. Control Reporting and Auditing Provisions, May 10, 29 See transcript of Roundtable on Internal 27. Would guidance be useful in 2006, Panels 1 and 2; letter from Pfizer Inc. (May Control Reporting and Auditing Provisions, May 10, addressing the circumstances under 1, 2006); letter from Sotheby's Holdings, Inc. (May 2006, Panels 2 and 3; letter from IIA (May 1, 2006); which a restatement of previously 1, 2006); and letter from U.S. Chamber of Commerce letter from CSC (April 28, 2006); letter from Allen (May 3, 2006). (April 28, 2006); letter from WPS Resources Corp. reported financial information would 27, See May 2005 Staff Guidance at B. (May 5, 2006); and letter from R.G. Scott & not lead to the conclusion that a 28 Id. Associates, LLC (April 8; 2006). material weakness exists in the 40872 Federal Register / Vol. 71, No. 137/Tuesday, July 18, Proposed Rules company's internal control over the effectiveness of the company's notwithstanding substantially similar financial reporting? internal control over financial reporting statutory language to that found in 28. How have companies been able to may review evidential matter section 404. use technology to gain efficiency in supporting management's assessment. 32 In its report, the Advisory Committee evaluating the effectiveness of internal Feedback that the Commission suggested that smaller public companies controls (e.g., by automating the received in connection with its 2005, have unique characteristics and needs effectiveness testing of automated Roundtable and other feedback on the for flexibility that make the controls or through benchmarking first year of compliance indicates that, documentation elements of section 404 strategies)? in implementing the requirements of particularly burdensome for those 29. Is guidance needed to help section 404 for the first time, many companies. In its opinion, the section companies determine which IT general companies approached risk and control 404 internal control reporting controls should be tested? How are identification more formally than they requirements as currently applied in companies determining which IT may have historically and, practice might impose a lack of general controls could impact IT consequently, companies may have flexibility on smaller public companies application controls directly related to incurred significant documentation that would put them at a competitive the preparation of financial statements? costs. 33 This documentation consisted disadvantage. We have also heard that 30. Has management generally been of, among other things, detailed process excessive documentation demands utilizing proprietary IT frameworks as a maps describing controls over initiating, might impose extra or particularly guide in conducting the IT portion of recording, processing and reconciling burdensome costs on smaller public their assessments? If so, which account balances, classes of companies. frameworks? Which components of transactions, and disclosures included The Commission anticipates that those frameworks have been particularly in the financial statements. Many management would benefit from useful? Which components of those companies also have indicated that in additional guidance on the appropriate frameworks go beyond the objectives of their initial implementation of section and required levels of documentation to reliable financial reporting? 404, too many controls were identified; support their assertion on the V. Documentation to Support the which resulted in excessive effectiveness of internal control over Assessment documentation. 34 Frequently, this financial reporting. Topics addressed excessive documentation was blamed, at Developing and maintaining an might include clarifying the overall least in part, on the auditors and their appropriate amount of evidential matter objectives of the documentation, application of AS No. 2. Further, we is an inherent element of effective including factors that might influence have anecdotally heard that this internal control. 30 This evidential documentation requirements and other documentation, in many cases, matter should provide reasonable common documentation concerns (e.g. substantially exceeded that normally support for the assessment of whether updating of previously created produced by financial institutions under documentation or how to address controls are designed to prevent or the Federal Deposit Insurance detect material misstatements OF controls for which operation does not Corporation Improvement Act of 1991, 35 result in documented evidence). We omissions; for the conclusion that tests to assess the effectiveness of internal also anticipate that guidance might be 32 AS No. 2 sets forth the criteria auditors should control were appropriately planned and helpful in addressing the flexibility and use when evaluating whether management's performed; and for the conclusion that documentation provides reasonable support for its cost containment needs of smaller the results of such tests were assessment of internal control over financial public companies in particular. reporting. See 19 42-46 of PCAOB Auditing 31. Were the levels of documentation appropriately considered in Standard No. 2, An Audit of Internal Control over performed by management in the initial management's conclusion about Financial Reporting Performed in Conjunction with effectiveness. 31 Further, public an Audit of Financial Statements. years of completing the assessment 33 See transcript of Roundtable on beyond what was needed to identify accounting firms that attest to, and Implementation of Internal Control Reporting controls for testing? If so, why (e.g., report on, management's assessment of Provisions, April 13, 2005; letter from Mortgage business reasons, auditor required, or Bankers Association (February 25, 2005); letter from 30 Section 13(b)(2)(A) of the Exchange Act Paula Jourde (March 4, 2005); letter from White unsure about "key" controls)? Would requires companies to "make and keep books, Mountains Insurance Group (March 29, 2005); and specific guidance help companies avoid records, and accounts, which in reasonable detail, letter from Intel Corporation (March 31, 2005). this issue in the future? If so, what accurately and fairly reflect the transactions and 34 See transcript of Roundtable on Internal factors should be considered? dispositions'of the assets of the issuer." We have Control Reporting and Auditing Provisions, May 10, 32. What guidance is needed about previously stated, as a matter of policy, that under 2006, Panels and 2; letter from IIA (May 1, 2006); the form, nature, and extent of section 13(b)(2) "every public company needs to letter from America's Community Bankers (May 1, establish and maintain records of sufficient 2006); letter from Stephan Stephanov (March 27, documentation that management must accuracy to meet adequately four interrelated 2006); and letter from Institute of Chartered maintain as evidence for its assessment objectives: appropriate reflection of corporate Accountants in England and Wales (March 28, of risks to financial reporting and transactions and the disposition of assets; effective 2006). control identification? Are there certain administration of other facets of the issuer's internal 35.12 U.S.C. 1831m. Section 112 of the Federal control system; preparation of its financial Deposit Insurance Corporation Improvement Act of factors to consider in making judgments statements in accordance with generally accepted 1991 added section 36, "Independent Annual about the nature and extent of accounting principles; and proper auditing." Audits of Insured Depository Institutions," to the documentation (e.g., entity factors, Statement of Policy Regarding the Foreign Corrupt Federal Deposit Insurance Act. Section 36 required Practices Act of 1977, Release No. 34-17500 process, or account complexity factors)? the Federal Deposit Insurance Corporation, in (January 29, 1981) [46 FR 11544]. consultation with appropriate federal banking If so, what are they? Instruction 1 to Item 308 of Regulations S-K agencies, to promulgate regulations requiring each 33. What guidance is needed about and S-B, Instruction 1 to Item 15 of Form 20-F and insured depository institution with at least $150 the extent of documentation that Instruction 1 to paragraphs (b), (c), (d), and (e) of million in total assets, as of the beginning of its management must maintain about its General Instruction B:6 to Form 40-F provide that fiscal year, to have an annual independent audit of "the Registrant must maintain evidential matter, its financial statements performed in accordance evaluation procedures that support its including documentation, to provide reasonable with generally accepted auditing standards, and to support for management's assessment of the provide a management report and an independent structure and procedures for financial reporting and effectiveness of the registrant's internal control over public accountant's attestation concerning both the its compliance with designated safety and financial reporting." effectiveness of the institution's internal control soundness laws. Federal Register / Vol. 71, No. 137 / Tuesday, July 18, 2006 / Proposed Rules 40873 annual assessment of internal control VI. Solicitation of Additional descriptions of, or actual process plans, over financial reporting? Comments that they have utilized or created for 34. Is guidance needed about portions or all of management's In addition to the areas for comment documentation for information assessment. Please be as specific as identified above, we are interested in technology controls? If so, is guidance possible in your discussion and analysis any other issues that.commenters may needed for both documentation of the of any additional issues. Where wish to address relating to companies controls and documentation of the possible, please provide empirical data compliance with the SEC's rules related testing for the assessment? or observations to support or illustrate to management's assessment of internal your comments. 35. How might guidance be helpful in control over financial reporting. For addressing the flexibility and cost example, we are interested in whether By the Commission. containment needs of smaller public commenters believe that there are Dated: July 11, 2006. companies? What guidance is additional topics not addressed in this Jill M. Peterson, appropriate for smaller public Concept Release for which guidance Assistant Secretary. companies with regard to would be useful. We also invite [FR Doc. E6-11226 Filed 7-17-06; 8:45 am], documentation? commenters to provide to us BILLING CODE 8010-01-P Page 1 of 3 Corbett, Bryan N. From: Shimkus, Matthew [[email protected]] Sent: Wednesday, August 09, 2006 10:31 AM To: undisclosed-recipients Subject: SEC Offers Further Relief from Section 404 Compliance for Smaller Public Companies and Many Foreign Private Issuers SEC OFFERS FURTHER RELIEF FROM SECTION 404 COMPLIANCE FOR SMALLER PUBLIC COMPANIES AND MANY FOREIGN PRIVATE ISSUERS FOR IMMEDIATE RELEASE 2006-136 Washington D.C., Aug. 9, 2006 - The Securities and Exchange Commission today issued two releases to grant smaller public companies and many foreign private issuers further relief from compliance with Section 404 of the Sarbanes-Oxley Act of 2002. The relief is in furtherance of the "next steps for Sarbanes-Oxley implementation" (SEC Press Release 2006-75) announced on May 17, 2006, and includes some new initiatives not previously announced. Today's releases follow the July 11, 2006, publication of a Concept Release soliciting public comment on guidance for management the SEC plans to issue to assist companies in assessing their internal controls over financial reporting. "The actions taken in these releases continue the Commission's efforts to be sensitive and responsive to the particular needs of smaller public companies and foreign private issuers, and to minimize the burdens that Section 404 may impose on them," said SEC Chairman Christopher Cox. "By offering further relief for smaller companies and most foreign issuers, today's actions will allow time for the Commission and the PCAOB to redesign Section 404 implementation in a way that is efficient and cost effective for investors." A summary of the subjects of the two releases appears below: 1. Relief from Section 404 Compliance Dates for Smaller Companies (Non-Accelerated Filers). The Commission is proposing to grant relief to smaller public companies by extending the date by which non-accelerated filers must start providing a report by management assessing the effectiveness of the company's internal control over financial reporting. The initial compliance date for these companies would be moved from fiscal years ending on or after July 15, 2007, until fiscal years ending on or after Dec. 15, 2007. The Commission also proposes to extend the date by which non-accelerated filers must begin to comply with the Section 404(b) requirement to provide an auditor's attestation report on internal control over financial reporting in their annual reports. This deadline would be moved to the first annual report for a fiscal year ending on or after Dec. 15, 2008. This proposed extension would result in all non-accelerated filers being required to complete only the management's portion of the internal control requirements in their first year of compliance with the requirements. This proposal is intended to provide cost savings and efficiency opportunities to smaller public companies and to assist them as they prepare to comply fully with Section 404's reporting requirements. This proposed extension will provide these issuers and their auditors an additional year to consider, and adapt to, the changes in Auditing Standard No. 2 that the Commission and the Public Company Accounting Oversight Board intend to make, as well as the guidance for management the SEC intends to issue, to improve the efficiency of the Section 404(b) auditor attestation report process. 8/9/2006 Page 2 of 3 Approximately 44% of the domestic companies and 38% of the foreign private issuers that file periodic reports with the Commission are non-accelerated filers. The Commission seeks public comment on all aspects of this proposal. Comments should be submitted within 30 days of the proposal's publication in the Federal Register. 2. Relief from Section 404(b) Compliance Date for Certain Foreign Private Issuers. The Commission is granting relief from Section 404(b) compliance for foreign private issuers that are accelerated filers (but not large accelerated filers), and that file their annual reports on Form 20-F or 40-F. These companies will have their compliance deadline extended for an additional year, so that they will not begin complying with the Section 404(b) requirement to provide an auditor's attestation report on internal control over financial reporting in their annual reports until fiscal years ending on or after July 15, 2007. This group of issuers will be required to comply only with the Section 404 requirement to include management's report in the Form 20-F or 40-F annual report filed for their first fiscal year ending on or after July 15, 2006. They will not need to comply with the requirement to provide the registered public accounting firm's attestation report until they file a Form 20-F or 40-F annual report for a fiscal year ending on or after July 15, 2007. The Commission's data indicate that about 23% of the approximately 1,200 foreign private issuers that are subject to the Exchange Act reporting requirements are accelerated filers that will receive the one-year extension of the compliance dates for the Section 404(b) auditor attestation requirement. Because approximately 38% of foreign private issuers are non-accelerated filers that will benefit from the steps outlined in Item 1 above, over 60% of the community of foreign private issuers will receive a measure of relief as a result of the actions we're announcing today. The Commission's actions today do not change the date by which a foreign private issuer that is a large accelerated filer must comply with both the Section 404(a) and (b) requirements. These filers are required to include both a report by management and an attestation report by the issuer's registered accounting firm on internal control over financial reporting in their Form 20-F or 40-F filed for a fiscal year ending on or after July 15, 2006. This extension is a final Commission action and will be effective shortly, on the date that the Commission release granting the extension is published in the Federal Register. 3. Proposed Transition Relief for Newly Public Companies. In the same release in which it proposes an extension of the Section 404 compliance dates for non-accelerated filers, the Commission also proposes a transition period for newly public companies. This transition relief would apply to any company that has become public through an IPO or a registered exchange offer, or that otherwise becomes subject to the Exchange Act reporting requirements. It would include a foreign private issuer that is listing on a U.S. exchange for the first time. To provide meaningful relief to companies that are new to the U.S. markets and our reporting requirements, the Commission is proposing to amend its rules so that a company would not be required to provide either a management assessment or an auditor attestation report until it has previously filed one annual report with the Commission. This relief is being proposed in recognition of the fact that preparation of a newly public company's first annual report can be a time and resource intensive process that may quickly follow an IPO or initial listing. By not requiring the Section 404 reports until a newly public company files its second annual report with the SEC, the Commission hopes to increase the efficiency and effectiveness with which those companies ultimately meet their Section 404 compliance obligations. The Commission seeks public input on this proposal from foreign and domestic companies, their financial and other advisors, investors and other interested members of the public. As with the proposed extension for smaller public companies, comments on this proposal 8/9/2006 Page 3 of 3 should be submitted within 30 days of publication in the Federal Register. "We have heard that the Section 404 reporting requirements impose a special burden on foreign private issuers, smaller companies and newly public companies. These companies play an important role in our capital markets, and these releases illustrate the Commission's commitment to improving the efficiency and effectiveness of Section 404 implementation for them," said John W. White, Director of the Division of Corporation Finance. "We believe our proposed transition relief for newly public companies should enhance the attractiveness and cost-effectiveness of participating in our markets both for companies contemplating IPO's and for foreign companies considering listing in the U.S. for the first time, without sacrificing important investor protections, and we look forward to receiving comment from a diversity of interested parties on that proposal." The Commission will continue to work on its own, and with the Public Company Accounting Oversight Board, to take several additional steps previously outlined on May 17, 2006, in SEC Press Release 2006-75 to improve the implementation of Section 404 so that it will work efficiently and effectively for companies and auditors of all sizes. Additional materials: Release No. 33-8730; Release No. 33-8731 SEC Spotlight On: Internal Control Reporting Provisions http://www.sec.gov/spotlight/soxcomp.htm 8/9/2006 Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 1 of 4 EXPIRATION ONE COMMISSION Home Previous Page U.S. Securities and Exchange Commission MCMXXXIV SEC Announces Next Steps for Sarbanes-Oxley Implementation FOR IMMEDIATE RELEASE 2006-75 Washington, D.C., May 17, 2006 - The Securities and Exchange Commission today announced a series of actions it intends to take to improve the implementation of the Section 404 internal control requirements of the Sarbanes-Oxley Act of 2002. The actions the Commission intends to take include issuing SEC guidance for companies and working with the Public Company Accounting Oversight Board (PCAOB) on revisions of its internal control auditing standard. These actions are based on extensive analysis and commentary in recent months from investors, companies, auditors, and others. The expected actions will also include SEC inspections of PCAOB efforts to improve Section 404 oversight and a brief further postponement of the Section 404 requirements for the smallest company filers, although ultimately all public companies will be required to comply with the internal control reporting requirements of Section 404. "The steps we are announcing today are designed to further improve the reliability of financial statements and to better protect investors while making the Section 404 process more efficient and cost effective," said SEC Chairman Christopher Cox. "As we go forward, we will consider the special concerns of all companies that fall under our jurisdiction -- large and small, foreign and domestic. By providing practical guidance to companies, by working with the Public Company Accounting Oversight Board on their forthcoming revised standard for auditors, and by examining how the PCAOB inspection process is succeeding in increasing the efficiency and cost-effectiveness of the audit process, we will take a giant step toward 'getting it right' when it comes to Section 404 compliance." In recent months, the Commission has obtained comment from a variety of sources concerning the operation and effects of Section 404, including: The May 10, 2006, SEC Roundtable on Second-Year Experiences with Internal Control Reporting and Auditing Provisions; Written comments received in connection with the Roundtable; The April 23, 2006, Report of the SEC Advisory Committee on Smaller Public Companies; The April 2006 Report from the U.S. Government Accountability Office entitled Sarbanes-Oxley Act, Consideration of Key Principles Needed http://www.sec.gov/news/press/2006/2006-75.htm 8/9/2006 Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 2 of 4 in Addressing Implementation for Smaller Public Companies; and Feedback from issuers, auditors, investors, and others since the Sarbanes-Oxley internal control reporting requirements went into effect. "The actions the Commission is announcing today represent key steps toward addressing issues raised by participants involved in the critical process of reporting to investors on the effectiveness of companies' internal control over financial reporting," said John White, Director of the Commission's Division of Corporation Finance. "We will be working on our own, and with the PCAOB, to improve the implementation of Section 404 so that it will work efficiently and effectively for companies and auditors of all sizes and types while still maintaining the important investor protections it provides." The actions the Commission expects to take include: Guidance for Companies. The Commission has received many requests for additional guidance for management on how to complete its assessment of internal control over financial reporting, as required by Section 404(a) of the Sarbanes-Oxley Act. To prepare for the issuance of management guidance, the Commission intends to take the following steps: Concept Release and Opportunity for Public Comment. The Commission expects to issue a Concept Release covering a variety of issues that might be the subject of Commission guidance for management. With the Concept Release, the Commission will solicit views on the management assessment process to ensure that the guidance the Commission ultimately proposes addresses the needs and concerns of all public companies. We will also seek input on the appropriate role of outside auditors in connection with the management assessment required by Section 404(a) of Sarbanes-Oxley, and on the manner in which outside auditors provide the attestation required by Section 404(b), to assist in our consideration of possible alternatives to the current approach. Consideration of Additional Guidance from coso. The Commission has long been supportive of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as it works to provide guidance on COSO's 1992 Internal Control - Integrated Framework to address the needs of smaller companies. The Commission anticipates that this forthcoming guidance will help organizations of all sizes to better understand and apply the control framework as it relates to internal control over financial reporting. As the SEC develops guidance for management on how to assess its internal control over financial reporting, we will consider the extent to which the additional guidance that COSO provides is useful to smaller public companies in completing their Section 404(a) assessments. Issuance of Guidance. Commentary submitted to the Commission has suggested that management assessments http://www.sec.gov/news/press/2006/2006-75.htm 8/9/2006 Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 3 of 4 under Section 404 have not fully reflected the top-down, risk- based approach the Commission intended. Building from the information gathered in response to the Concept Release, and from the anticipated COSO guidance, the Commission currently anticipates that it will issue guidance to management to assist in its performance of a top-down, risk-based assessment of internal control over financial reporting. To ensure that this guidance is of help to non-accelerated filers and smaller public companies, the Commission intends that this future guidance will be scalable and responsive to their individual circumstances. The guidance will also be sensitive to the fact that many companies have already invested substantial resources to establish and document programs and procedures to perform their assessments over the last few years. The form of the guidance has yet to be determined. Revisions to Auditing Standard No. 2. The PCAOB announced today that it intends to propose revisions to its Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Any final. revision of AS No. 2 would be subject to SEC approval. The proposed revisions would: Seek to ensure that auditors focus during integrated audits on areas that pose higher risk of fraud or material error; Incorporate key concepts contained in the guidance issued by the PCAOB on May 16, 2005; and Revisit and clarify what, if any, role the auditor should play in evaluating the company's process of assessing internal control effectiveness. The Commission will work closely with the PCAOB to ensure that the proposed revisions to AS No. 2 are in the public interest and consistent with the protection of investors. SEC Oversight of PCAOB Inspection Program. The PCAOB announced on May 1, 2006, that it would focus its 2006 inspections on whether auditors have achieved cost-saving efficiencies in the audits they have performed under AS No. 2, and on whether auditors have followed the guidance that the PCAOB issued in May and November 2005 urging them to do so. As part of the Commission's oversight of the PCAOB, the Commission staff inspects aspects of the PCAOB's operations, including its inspection program. Among other things, upon completion of the PCAOB's 2006 inspections, the staff will examine whether the PCAOB inspections of audit firms have been effective in encouraging implementation of the principles outlined in the PCAOB's May 1, 2006, statement. Extension of Compliance for Non-Accelerated Filers. In order to permit non-accelerated filers and their auditors to have the benefit of the management guidance that the SEC intends to issue, and to have the opportunity to evaluate and implement the revisions that the PCAOB plans to make to AS No. 2, the Commission expects to issue a http://www.sec.gov/news/press/2006/2006-75.html 8/9/2006 Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 4 of 4 short postponement of the effective date of the Commission's rules implementing Section 404 for non-accelerated filers. It is anticipated that any such postponement would nonetheless require all filers to comply with the management assessment required by Section 404(a) of Sarbanes-Oxley for fiscal years beginning on or after Dec. 16, 2006. The Commission is also taking this opportunity to express again its appreciation to its Advisory Committee on Smaller Public Companies for their significant efforts and valuable contributions to the Commission's work, both with regard to Section 404 and other issues affecting smaller companies. # # # http://www.sec.gov/news/press/2006/2006-75.htm Home I Previous Page Modified: 05/26/2006 http://www.sec.gov/news/press/2006/2006-75.htm 8/9/2006 PCAOB Standards and Related Rules - Auditing Standard No. 2 Page 1 of 1 PCAOB Public Company Accounting Oversight Board Standards and Related Rules Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements This standard was approved by the Securities and Exchange Commission on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act of 2002. Auditing Standard No. 2 Policy Statement Regarding Implementation of Auditing Standard No. 2 (5/16/2005) Report on the Initial Implementation of Auditing Standard No. 2 (11/30/2005) Staff, Questions and Answers on Auditing Standard No. 2: Questions 1 - 26 (June 23, 2004, Revised July 27, 2004) Questions 27 - 29 (October 6, 2004) Questions 30 - 36 (November 22, 2004) Question 37 (January 21, 2005 Questions 38 - 55 (May 16, 2005) Conforming Amendments to PCAOB Interim Standards Resulting from the Adoption of PCAOB Auditing Standard No. 2 The conforming amendments were approved by the Securities and Exchange Commission on November 17, 2004. For integrated audits of financial statements and internal control over financial reporting, the conforming amendments become effective at the same time that PCAOB Auditing Standard No. 2 becomes effective. For issuers that are not considered to be accelerated filers under Securities Exchange Act Rule 12b-2 and for issuers that are not required to comply with section 404 of the Sarbanes-Oxley Act of 2002, the conforming amendments become effective for audits of financial statements for periods ending on or after July 15, 2005. The part of the conforming amendments that supersedes AT sec. 501, "Reporting on an Entity's Internal Control Over Financial Reporting," was effective immediately upon approval. Section D, "Effective Date," and section E, "Effect of Auditing Standard No: 2 on Audits of Financial Statements Only," of the Board's Release that accompanies the conforming amendments provide more detailed information regarding effective dates and the effect of Auditing Standard No. 2 on audits of financial statements only. Rulemaking Docket: Link to information related to the rulemaking process of this standard, including proposing and adopting releases, public comments, and board statements. PCAOB and SEC Roundtable on Internal Control Reporting Requirements (5/10/2006) Statement Regarding the PCAOB's Approach to Inspections of Internal Control Audits in the 2006 Inspection Cycle (5/1/2006) Briefing Paper: Standing Advisory Group Meeting - Implementation of Section 404 and Auditing Standard No. 2 (6/8- 9/2005) Briefing Paper: Standing Advisory Group Meeting - Challenges of Section 404 (11/17-18/2004) Board Release: Auditing Standard No. 2 (3/9/2004) Roundtable: Reporting on Internal Control (7/29/2003) Briefing Paper: Roundtable on Reporting on Internal Control (7/10/2003) Auditing Standard No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist Overview of Auditing Standard No. 4 Related Securities and Exchange Commission Documents http://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No... 8/16/2006 Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Ov... Page 1 of 3 EXCHANGE ONE COMMISSION Home I Previous Page U.S. Securities and Exchange Commission MCMXXXIV SECURITIES AND EXCHANGE COMMISSION (Release No. 34-49884; File No. PCAOB 2004-03) June 17, 2004 Public Company Accounting Oversight Board; Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements ("Auditing Standard No. 2") I. Introduction On March 17, 2004, the Public Company Accounting Oversight Board (the "Board" or the "PCAOB") filed with the Securities and Exchange Commission (the "Commission") proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements ("Auditing Standard No. 2"), pursuant to Section 107 of the Sarbanes-Oxley Act of 2002 (the "Act") and Section 19(b) of the Securities Exchange Act of 1934 (the "Exchange Act"). Auditing Standard No. 2 would provide the professional standards and related performance guidance for independent auditors to attest to, and report on, management's assessment of the effectiveness of internal control over financial reporting under Section 404 of the Act. Notice of the proposed standard was published in the Federal Register on April 16, 2004, 1 and the Commission received 31 comment letters. For the reasons discussed below, the Commission is granting approval of the proposed standard. II. Description The Act establishes the PCAOB to oversee the audits of public companies and related matters, to protect investors, and to further the public interest in preparation of informative, accurate and independent audit reports. 2 Section 103(a) of the Act directs the PCAOB to establish auditing and related attestation standards, quality control standards, and ethics standards to be used by registered public accounting firms in the preparation and issuance of audit reports as required by the Act or the rules of the Commission. The Board has defined the term "auditing and related processional practice standards" to mean the standards established or adopted by the Board under Section 103(a) of the Act. Section 404 of the Act requires that registered public accounting firms attest to and report on an assessment of internal control made by management, and that such attestation "shall be made in accordance with standards for attestation engagements issued or adopted by the Board." The Board's proposed Auditing Standard No. 2 provides the professional standards and related performance guidance for independent auditors to //www.sec.gov/rules/pcaob/34-49884.html 8/16/2006 Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Ov... Page 2 of 3 attest to, and report on, management's assessment of the effectiveness of internal control over financial reporting under Section 404 of the Act. A significant aspect of this proposed standard is the requirement of the independent auditor to attest on two items. The auditor has to evaluate management's assessment process to be satisfied that management has an appropriate basis for its conclusion. Additionally, the auditor must test and evaluate both the design and the operating effectiveness of internal control to be satisfied that management's conclusion is correct and, therefore, fairly stated. The auditor's report on internal control over financial reporting will express two opinions - an opinion on whether management's assessment of the effectiveness of internal control over financial reporting as of the end of the most recent fiscal year is fairly stated, and an opinion on whether the company has maintained effective internal control over financial reporting as of that date. III. Discussion The Commission received 31 comment letters in response to its request for comments on Auditing Standard No. 2. The comment letters came from issuers, registered public accounting firms, professional associations and others. In general, issuers expressed opposition to the proposed standard, and accounting firms, professional associations, and others expressed support for the proposed standard. Most commenters, irrespective of affiliation or position on the proposed standard, recommended that the Commission and the PCAOB provide additional guidance with respect to a number of different issues. Several commenters recommended that the Commission limit the scope of management's assessment of the effectiveness of internal control over financial reporting by excluding entities that are consolidated but over which the issuer lacks control. Issuers and many of the professional associations also expressed concern with the cost of compliance in terms of management time, consultant fees and audit fees. One commenter requested that the PCAOB closely monitor the impact of the proposed standard on small and medium-sized companies. Other requests included clarifying that an adverse internal control report would not of itself result in regulatory action; delaying the effective date of the proposed standard; providing a one-year deferral to issuers that meet the definition of an accelerated filer for the first time in 2004; and deferring the accelerated filing date for Forms 10-K filed for year-end 2004. The PCAOB gave careful consideration to the issues raised by these commenters in the course of revising the proposed standard prior to its adoption by the Board. The resulting standard is a reasonable exercise of the Board's standards-setting authority under the Act. IV. Conclusion On the basis of the foregoing, the Commission finds that proposed Auditing Standard No. 2 is consistent with the requirements of the Act and the securities laws and is necessary and appropriate in the public interest and for the protection of investors. IT IS THEREFORE ORDERED, pursuant to Section 107 of the Act and Section 19(b)(2) of the Exchange Act, that proposed Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (File No. PCAOB-2004- http://www.sec.gov/rules/pcaob/34-49884.htm 8/16/2006 Order Approving Proposed Auditing Standard No. 2, <i> An Audit of Internal Control Ov... Page 3 of 3 03) be and hereby is approved. By the Commission. Margaret H. McFarland Deputy Secretary 1 Release No. 34-49544 (April 8, 2004); 69 FR 20672 (April 16, 2004). 2 Section 101(a) of the Act. http://www.sec.gov/rules/pcaob/34-49884.htm Home I Previous Page Modified: 06/18/2004 http://www.sec.gov/rules/pcaob/34-49884.htm 8/16/2006 1666 K Street, NW PCAOB Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 Public Company Accounting Oversight Board www.pcaobus.org POLICY STATEMENT REGARDING PCAOB Release No. 2005-009 IMPLEMENTATION OF AUDITING STANDARD May 16, 2005 NO. 2, AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN CONJUNCTION WITH AN AUDIT OF FINANCIAL STATEMENTS Summary This Policy Statement discusses some of the issues raised during the first year of auditors' implementation of the PCAOB's Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements ("Auditing Standard No. 2"), which implements Sections 103 and 404 of the Sarbanes-Oxley Act of 2002 (the "Act") by establishing a process for auditing public companies' internal control over financial reporting in conjunction with an audit of financial statements. Many of these issues were raised, among other occasions, at the Securities and Exchange Commission's ("SEC" or "Commission") Roundtable on Implementation of Internal Control Reporting Provisions, on April 13, 2005. While Roundtable participants generally supported the objectives of Section 404, many expressed concerns about compliance costs and offered constructive comments about how the implementation process can be improved. This Policy Statement considers several of the auditing practices observed in the first year of implementation that may be ineffective or inefficient means of meeting the objectives of Auditing Standard No. 2. It also describes how the PCAOB intends to supervise implementation of the standard, from providing additional guidance to make audits of internal control more effective and cost-efficient to driving improvements in implementation through our inspections of registered public accounting firms. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 2 Public Company Accounting Oversight Board POLICY STATEMENT Specifically, this Policy Statement expresses the Board's view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should - integrate their audits of internal control with their audits of the client's financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits; exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized "checklists" that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas); use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement; take advantage of the significant flexibility that the standard allows to use the work of others; and engage in direct and timely communication with audit clients when those clients seek auditors' views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports. Background The Sarbanes-Oxley Act has had a profound effect on the integrity of financial reporting in U.S. capital markets. The Act has strengthened and reformed almost every aspect of the financial reporting process, from the composition and role of the auditi committee to preparers' certifications of accuracy, covering the integrity of gatekeepers such as analysts, lawyers and auditors in between. Although some of these changes have been in place for some time, the participants in the financial reporting process are now implementing one of the most challenging - but also one of the most promising - provisions of the Act. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 3 Public Company Accounting Oversight Board POLICY STATEMENT Section 404 of the Act aims to strengthen the internal controls that underpin the accuracy and reliability of a company's published financial information. That section, along with the SEC's implementing rule, requires a public company to annually report its assessment of the effectiveness of its internal control over financial reporting. The section also requires such a company to provide its auditor's attestation to, and report on, the company's assessment. Auditing Standard No. 2 governs the auditor's responsibilities under Section 404. In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it maintains adequate internal control over the preparation of accurate financial statements. Companies have been required to have internal control over their accounting since, the Congress enacted the Foreign Corrupt Practices Act in 1977. There is no doubt, however, that the Act's requirement for annual assessments, and auditor attestations to those assessments, has led to a renewed emphasis on internal control over financial reporting and significant improvements in companies' controls. Many of the larger public companies have recently filed their first assessments of the effectiveness of their internal controls, as well as the related reports from their auditors. There is evidence that the benefits of the internal control requirements are already being realized, 1/ and investors have expressed strong support for the goals of Section 404, including the increased transparency that the provision provides. 2/ Section 1/ Seventy-nine percent of the 222 financial executives surveyed by Oversight Systems, Inc. reported that their companies have stronger internal controls after complying with Section 404. Seventy-four percent said that their companies benefited from compliance with Sarbanes-Oxley, and, of those, 33 percent said that compliance lessened the risk of financial fraud. See Oversight Systems, Inc., The 2004 Oversight Systems Financial Executive Report on Sarbanes-Oxley (December 2004). 2/ See, e.g., Remarks of Mark Anson, Chief Investment Officer, California Public Employees' Retirement System, Transcript of SEC Roundtable on Implementation of Internal Control Reporting Provisions (Apr. 13, 2005) ("Roundtable Tr."); Remarks of Ann Yerger, Executive Director, Council of Institutional Investors, Roundtable Tr.; Remarks of Damon Silvers, Associate General Counsel, American Federation of Labor and Congress of Industrial Organizations, Roundtable Tr.; Letter from Laurie Fiori Hacking, Executive Director, Ohio Public Employees Retirement System, to William H. Donaldson, Chairman, SEC (Mar. 1, 2005); see also Remarks of PCAOB PCAOB Release 2005-009 May 16, 2005 Page 4 Public Company Accounting Oversight Board POLICY STATEMENT 404 has, however, proven to be an enormous challenge for those involved in its implementation. Companies have found the requirements costly and demanding, and many have questioned whether the benefits are worth the cost. We take these concerns seriously and are committed to learning from the first year's experience implementing Section 404. As part of this effort, on April 13, 2005, we participated in the Commission's Roundtable. The Roundtable was an opportunity for us and the Commission to hear directly from issuers, auditors, and investors on the front line of the Section 404 implementation process. Many participants at the Roundtable expressed their support for Section 404's purpose. One of the most valuable aspects of the Roundtable, however, has been the constructive criticism provided by many of those currently involved in the implementation process. The cost of Section 404 compliance was the primary concern raised at the Roundtable. Among other reasons, commenters suggested that costs were too high because companies and their auditors did not sufficiently focus their efforts on higher risk areas of internal control over financial reporting. In addition, commenters expressed the view that auditors did not use the work of others sufficiently or fully integrate the audit of internal control with the audit of the financial statements. Some Roundtable participants also stated that auditors are often less willing than they were previously to provide guidance to clients on accounting issues for fear of compromising independence or triggering a material weakness finding. At the conclusion of the Roundtable, the Board agreed to take several steps to promote an internal control audit process that is both effective and cost-efficient. Today, we take the first two of these steps.⁴ First, we are separately publishing a Gregory Jonas, Managing Director of Accounting Specialists Group, Moody's Investors Service, Roundtable Tr. 3/ One survey found that for 217 public companies with average revenues of $5 billion, first year Section 404 compliance cost, on average, $4.36 million and consumed an average of nearly 27,000 hours. See Financial Executives International, FEI Special Survey on SOX Section 404 Implementation (March 2005). 4/ The Board also intends to devote the agenda of the upcoming meeting of its Standing Advisory Group, scheduled for June 8 and 9, 2005, to a discussion about implementation of Auditing Standard No. 2. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 5 Public Company Accounting Oversight Board POLICY STATEMENT series of additional staff questions and answers related to Auditing Standard No. 2. 5/ These questions and answers further explain and clarify provisions in Auditing Standard No. 2. In particular, these questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that constrains professional judgment and prevents the conduct of an audit in a manner that is both effective and cost-efficient. Second, we are also issuing today this Policy Statement, which amplifies some of the themes in those questions and answers and articulates our policy with respect to administering Auditing Standard No. 2. Failure to apply the concepts discussed in this Policy Statement may reflect poor audit planning and result in unnecessary cost. Indeed, although we have not performed a detailed analysis, it is sufficiently clear to us that the costs to date associated with the implementation of Section 404 have been too high. For the Section 404 process to be sustainable, these costs must be reduced in future years. Some of this excess expense is attributable to first-year, start-up costs that should not recur in future years; nevertheless, we are concerned that auditors may not sufficiently be using several features of our standard, described below, that are designed to reduce costs without sacrificing quality. The Integrated Audit Concept As auditing has evolved over the last century from a process of detailed examination of individual transactions and account balances into a process of testing samples, internal control over financial reporting has emerged as the foundation not only of the financial reporting process but also of the financial statement audit. Since 1941, the SEC's regulations have required auditors to consider a company's internal controls in planning an audit.⁶/ In addition, if controls had been adequately designed and were operating effectively, then longstanding auditing standards permitted the 5/ The Staff Questions and Answers are available on the Board's Web site, at 6/ Amendment of Rules 2-02 and 3-07 of Regulation S-X, Accounting Series Release No. 21, 11 Fed. Reg. 10921 (Feb. 5, 1941) (amending Regulation S-X to provide that "[i]n determining the scope of the audit necessary, appropriate consideration shall be given to the adequacy of the system of internal check and control. Due weight may be given to an internal system of audit regularly maintained by means of auditors employed on the registrant's own staff."). PCAOB PCAOB Release 2005-009 May 16, 2005 Page 6 Public Company Accounting Oversight Board POLICY STATEMENT auditor to rely on less costly and time-consuming procedures. 7/ Conversely, if an auditor determined that a control was inadequate in its design or operation (or elected not to test the control), then the auditor could not rely upon that control. In this event, the auditor would take a considerably more detailed approach by relying almost exclusively on detailed tests of account balances and transactions. Sections 103 and 404 of the Act, and Auditing Standard No. 2, changed that audit model. Today, auditors of companies subject to Section 404 must not only obtain an understanding of internal control, but they must also examine the design and operating effectiveness of internal control sufficient to render an opinion as to that effectiveness, as required by Section 103(a)(2)(A)(iii). To reap the most benefit from this examination, and to make the overall audit process as efficient as possible, we designed in Auditing Standard No. 2 an integrated audit model. An integrated audit combines an audit of internal control over financial reporting with the auditi of the financial statements, such that the objectives of the two audits are achieved simultaneously through a single coordinated process. In an integrated audit, the auditor's examination of internal control is validated by the findings in the audit of the financial statements. In addition, the auditor's findings and conclusions reached during the audit of internal control help the auditor better plan and conduct the auditing procedures designed to determine whether the financial statements are fairly presented. The two processes are mutually reinforcing. In this way, the integrated audit helps to improve the quality and integrity of both corporate controls over financial reporting and independent financial statement audits. We also believe that an integrated audit is more cost-effective than performing two distinct processes to audit internal control and the financial statements separately. As a practical matter, integration of the two audits means that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits. 7/ See AU Section 319.03, Consideration of Internal Control in a Financial Statement Audit. Effective April 16, 2003, the PCAOB adopted, on an initial, transitional basis, temporary rules that refer to pre-existing professional standards of auditing, attestation, quality control, ethics, and independence (the "interim standards"), including AU Section 319. These standards are reproduced on our Web site at http://www.pcaobus.org/Standards/Interim_Standards/index.asp. 8/ See AU Section 319.04, Consideration of Internal Control in a Financial Statement Audit. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 7 Public Company Accounting Oversight Board POLICY STATEMENT This kind of coordination of work requires an auditor to plan and conduct his or her work with both audits in mind. Failing to integrate these audits not only wastes resources, but it also jeopardizes the quality of the overall audit and, potentially, misses key insights that could identify and uproot a budding accounting or reporting problem. Some auditors have acknowledged that, for a variety of reasons, they did not achieve fully integrated audits this year. As a result, audit costs may have been substantially higher than necessary. According to a recent survey commissioned by the largest U.S. accounting firms, auditors believe that the total costs of compliance with Section 404 will decline by 46 percent next year. 10/ Among the factors cited to support this prediction was auditors' expectations that integration will be improved. 11/ We, too, expect that auditors will better integrate their audits in the coming years. This should meaningfully affect both audit costs and audit quality. The Importance of Professional Judgment Auditing Standard No. 2 is no different from any other auditing standard in that it does not prescribe detailed audit programs. For as long as the profession has established auditing standards, auditors have used those standards to tailor their own audit plans, in a manner that addresses the nature and complexity of the audit client. Many participants in the Roundtable, as well as others, have noted, however, that some auditors have in fact failed to use tailored audit plans in their first year of auditing internal control over financial reporting under Section 404 of the Act and Auditing Standard No. 2. Those auditors have instead used a one-size-fits-all audit plan driven by standardized checklists that may have little to do with the unique issues and risks of the particular client's financial reporting processes. This is a disappointing development indicative of poor training and audit planning. Not only do audit fees 9/ PCAOB Staff Question and Answer No. 50 issued today provides additional guidance on integrating the audit of internal control over financial reporting with the audit of the financial statements. 10/ See Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates from a Sample of Fortune 1000 Companies (Apr. 2005). 11/ See Letter from Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers to Jonathan G. Katz, Secretary, SEC (Apr. 11, 2005). PCAOB PCAOB Release 2005-009 May 16, 2005 Page 8 Public Company Accounting Oversight Board POLICY STATEMENT increase when, for example, an audit plan calls for less experienced auditors on the engagement team to devote endless hours to process-level control testing, but audit quality also decreases, because such a plan contributes little to the search for material weaknesses in internal control that could identify a financial reporting problem. The overall objective of Auditing Standard No. 2 is for the auditor to obtain evidence that a company's control system reasonably assures that its financial statements do not contain material misstatements. To accomplish this, the auditor must not only exercise judgment to determine how to apply the standard to audit clients in different industries and of different sizes, but also exercise judgment to focus their work on areas that pose higher risks of misstatement, due either to errors or fraud. Reliance on standardized checklists that lead to a focus on controls in low-risk areas obviously fails to meet this objective. The Top-down Approach and Role of Risk Assessment Auditing Standard No. 2 was designed to be applied from the top down. That is, the standard focuses the auditor first on company-level controls and then on significant accounts, which lead the auditor to significant processes and, finally, individual controls at the process, transaction, or application levels. Knowledge obtained at each step guides the auditor toward the higher risk areas within the next succeeding level of controls. By approaching the task in this way, the auditor is naturally steered toward higher risk areas and away from those with less potential to have a material impact on the financials. This approach also provides a road map through the control system to ensure that the individual controls selected for testing are, in fact, relevant to internal control over financial reporting. An auditor who chooses another approach needlessly risks adding to the audit's cost and reducing its quality. For example, starting at the bottom increases the risk that the auditor will become bogged down in testing that may ultimately prove pointless, in light of the primary objective of preventing or detecting material misstatements of the financial statements, resulting in increased and unnecessary costs. A risk-based approach to the auditor's testing strategy can further reduce costs while increasing audit effectiveness. The auditor should consider the overall risk related to each significant account identified to determine whether he or she should alter the nature, timing, and extent of testing of the controls over that specific account. By doing so, the auditor will be able to eliminate from further consideration accounts that have only a remote likelihood of containing a material misstatement and, in any event, devote PCAOB PCAOB Release 2005-009 May 16, 2005 Page 9 Public Company Accounting Oversight Board POLICY STATEMENT less audit attention to areas of low risk. In addition, the auditor should look to the individual control being tested and consider the nature, frequency, and importance of that specific control in order to determine whether the testing strategy should be revised further. Finally, the auditor should consider, as part of his or her risk assessment, the strength of the company-level controls, to determine whether the result of testing these controls will alter the nature, timing, and extent of testing. Although the auditor may not rely solely on testing company-level controls, 12/ strong company-level controls should lead the auditor to do less work than he or she otherwise would have performed or rely to a greater degree on the work of others. Using the Work of Others An auditor who applies Auditing Standard No. 2 from the top down and appropriately assesses risk should naturally identify areas where use of the work of others is not only appropriate but is also the most efficient way to perform the audit. Redoing work in these areas may unnecessarily increase costs without producing a corresponding increase in audit quality. Spending auditor resources in areas in which the auditor could rely on the work of others also may cause the auditor to focus too much on low-risk controls. As discussed earlier, this could be an early warning sign of poor audit planning. Auditing Standard No. 2 provides the auditor with considerable flexibility to use the work of others, consistent with the profession's longstanding auditing standard on using the work of internal auditors in the financial statement audit. 13/ There is some 12/ See Auditing Standard No. 2, paragraph 54. PCAOB Staff Questions and Answers Nos. 38-43 issued today provide additional guidance on how to plan and perform an audit of internal control over financial reporting using both a top-down and a risk-based approach. 13/ See AU Section 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements. This standard provides that the work of competent and objective internal auditors may affect the nature, timing and extent of the audit. Specifically, if internal auditors are competent and objective, then external auditors may rely on work performed by internal auditors in the ordinary course of their duties. For example, "for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved PCAOB PCAOB Release 2005-009 May 16, 2005 Page 10 Public Company Accounting Oversight Board POLICY STATEMENT concern that auditors have been reluctant to use Auditing Standard No. 2's flexibility to rely on the work of others because the standard also requires the external auditor to obtain the principal evidence supporting his or her opinion as to whether internal control is effective overall. These provisions are not in conflict. The principal evidence provision of Auditing Standard No. 2 requires the auditor to perform sufficient auditing to reach his or her own, independent opinion as to the effectiveness of a company's internal control over financial reporting. In broad terms, it prevents auditors from merely passing on to investors the judgments and opinion of others. As one of the questions and answers issued today explains, the principal evidence requirement is "primarily qualitative. 14/ Indeed, under Auditing Standard No. 2 the amount of work necessary to meet the principal evidence test "is not susceptible to precise measurement."15/ In practical terms, this means two things. First, the auditor should perform more work directly in high-risk areas and seek to use the work of others in areas of lesser risk. Second, in evaluating whether the auditor has met the principal evidence test, the auditor should ascribe more weight to the work he or she performs in high-risk areas. 16/ in the evaluation of the audit evidence is low, the auditor may decide, after considering the circumstances and the results of work performed by internal auditors that testing of the assertions directly by the auditor may not be necessary." See id. at paragraph 22. In addition, this standard also permits auditors to request direct assistance from the internal auditors, such that internal auditors will work under the direct supervision of the external auditor. See id. at paragraph 27. PCAOB Staff Question and Answer No. 54 issued today provides additional guidance on using the work of others. See also PCAOB Staff Question and Answer No. 36 (Nov. 22, 2004) (stating that external auditors may "use internal auditors to provide direct assistance in the audit of internal control over financial reporting"). 14/ PCAOB Staff Question and Answer No. 54 (May 16, 2005). 15/ See Auditing Standard No. 2, note to paragraph 108. 16/ In other words, principal evidence is not meant to be assessed by simply adding up hours or numbers of controls tested in a mechanical fashion; rather, such an approach would likely detract from the standard's goal of allowing the auditor to use the work of others in an efficient and appropriate manner. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 11 Public Company Accounting Oversight Board POLICY STATEMENT In this manner, following the risk-based principles regarding using the work of others will, in most circumstances, result in the auditor having obtained the principal evidence supporting his or her opinion. The Auditor's Ability to Provide Advice to Audit Clients Finally, we are concerned about a misconception that, as a result of Auditing Standard No. 2, companies may no longer look to their auditors for advice on difficult accounting and internal control issues. This misconception appears to manifest itself in two particularly problematic ways. First, we have heard at the Roundtable and elsewhere that auditors have been unwilling to provide accounting advice to their audit clients; second, auditors have apparently encouraged audit clients to finish their assessments of internal control and their financial statements before the auditor begins audit work to attest to the fairness of those assessments and financial statements. Such practices are neither necessary nor advisable. Auditing Standard No. 2 provides that an auditor's detection of a material misstatement in financial statements is a "strong indicator" of a material weakness in internal control. In addition, longstanding rules on auditor independence prohibit the auditor from preparing a client's financial statements and from making financial reporting decisions on behalf of management. 17/ The prospect of PCAOB inspectors examining for compliance with these independence rules seems to have led some to conclude that management and the auditor should not consult on accounting and internal control questions or that the auditor should not review draft financial statements that, because they are not finished or complete, may contain misstatements or misapplications of Generally Accepted Accounting Principles ("GAAP"). When auditors are unwilling, or believe that they are unable, to provide advice on accounting or internal control, management may be forced to retain other accounting experts, or to make accounting decisions without the benefit of access to the auditor's technical knowledge. 17/ See Rule 2-01(c)(4)(i) of Regulation S-X, 17 C.F.R. § 210.2-01(c)(4)(i) (stating that an auditor is not independent of an audit client if it "prepar[es] the audit client's financial statements"); Rule 2-01(c)(4)(vi) of Regulation S-X, 17 C.F.R. § 210.2- 01(c)(4)(vi) (stating that an auditor is not independent of an audit client if it "perform[s] any decision-making, supervisory, or ongoing monitoring function for the audit client"); see also Meeting of PCAOB Standing Advisory Group, February 16, 2005, available on the Board's Web site http://www.pcaobus.org. PCAOB PCAOB Release 2005-009 May 16, 2005 Page 12 Public Company Accounting Oversight Board POLICY STATEMENT Nothing in Auditing Standard No. 2 requires this result. Determining when it is appropriate for the auditor to provide accounting advice requires professional judgment and common sense. Auditors may not, of course, make accounting decisions for their clients, and management may not abandon its responsibility for quality financial reporting and simply rely on auditors to catch errors. Where management makes its own informed decisions regarding how applicable accounting principles apply to its company's circumstances, however, the auditor may discuss freely with management the meaning and significance of those principles. To help dispel confusion on this issue, our staff addressed last June the question of whether audit clients may - or should - share draft financial statements with their auditors. The answer is decidedly yes. Indeed, information-sharing on a timely basis between management and the auditor is necessary. When reviewing draft financial statements, in determining the point at which the auditor must draw the line for purposes of identifying when a deficiency exists, the auditor should be concerned primarily about instances in which the company completed its financial statements and disclosures without recognizing a potential material misstatement. If it is clear that all applicable controls have not yet operated, then a conclusion as to whether a material misstatement in draft financial statements demonstrates a control deficiency would be premature. 18/ Auditors may also provide audit clients technical advice on the proper application of GAAP, including offering suggestions for management's consideration to improve disclosure and financial statement quality and giving updates on recent developments with accounting standards-setters. In addition, management may provide and discuss with the auditor preliminary drafts of accounting research memos, spreadsheets, and other working papers in order to obtain the auditor's views on the assumptions and methods selected by management. Although the auditor may determine that some of these communications need to be made in writing, timely and open communication will often be best accomplished orally. For example, a company that is contemplating a transaction may ask the auditor for assistance in determining the proper accounting for the transaction. In this situation, 18/ See PCAOB Staff Question and Answer No. 7 (revised July 27, 2004) (explaining that Auditing Standard No. 2 requires an auditor to judge whether, once all applicable controls have operated, the company is able to prepare financial statements that are free of material misstatements). PCAOB PCAOB Release 2005-009 May 16, 2005 Page 13 Public Company Accounting Oversight Board POLICY STATEMENT the auditor may provide substantial help, including explaining how applicable accounting principles apply to the transaction, offering sample journal entries, and reviewing management's preliminary conclusions. This is very different from a situation in which the auditor identifies a potential misapplication of applicable accounting principles in connection with a transaction that the auditor learns of outside of the consultation process, such as during a quarterly review, or after management has completed its financial statements and disclosures, in which case the auditor would have to consider whether management's failure to recognize the potential misapplication of applicable accounting principles constitutes a significant deficiency or material weakness. The Board's Approach to Oversight of Implementation of Auditing Standard No. 2 We take seriously our responsibility to oversee implementation of Auditing Standard No. 2. This includes issuing additional guidance to explain or interpret the standard as necessary, as well as supervising auditors' implementation of the standard. In particular, we intend to use our upcoming inspections to evaluate how firms have conducted the first round of audits under Auditing Standard No. 2. Our inspections should drive improvements in the effectiveness and efficiency of registered firms' audits of internal control in two ways. First, as we have described above, Auditing Standard No. 2 leaves auditors considerable flexibility to apply the standard in a manner that is appropriate to each audit. Indeed, the standard requires auditors to use professional judgment to tailor their audit plans to the specific risks facing each audit client. In our inspections, we will look for audits that suffer from poor planning and risk assessment, such as by using standardized checklists without appropriately tailoring the procedures to the circumstances or focusing the audit on areas that are unlikely to lead to the discovery of material weaknesses in internal control at the expense of adequately auditing high-risk areas. When we detect such shortcomings, we will demand improvements. Second, we have also described above, as well as in the staff questions and answers issued today and in the past, several approaches to the audit of internal control that we believe improve both the effectiveness and the efficiency of these audits. When we review audits that do not apply the approaches described above, we will expect auditors to justify their decisions and to be able to explain how the audit plan nevertheless met the objectives of the standard. At the Roundtable, a number of the participants focused on the role our inspections will play in shaping implementation of Auditing Standard No. 2. Some PCAOB PCAOB Release 2005-009 May 16, 2005 Page 14 Public Company Accounting Oversight Board POLICY STATEMENT suggested that our inspections should require auditors to reduce costs overall. Others suggested that, if our inspections are narrowly focused on technical compliance, they could have the perverse effect of promoting a checklist mentality and discouraging the use of judgment and tailored audit planning. We intend for our inspections to do neither. By focusing on the conduct of a high-quality audit as described above, we believe our inspections will promote efficiency without the need for us to get involved in auditors' billing practices. And, by focusing on appropriate use of judgment and risk assessment, we are deliberately planning our inspections in a manner that promotes an audit of internal control that is both thoughtful and risk-focused. In other words, we do not intend to second-guess good faith audit judgments. If we believe, however, that an auditor has approached the audit in a way that is mechanistic and does not reflect the application of professional judgment to the specific risks associated with the audit client's financial reporting system, we will not hesitate to demand changes to the auditor's approach to implementing Auditing Standard No. 2. Conclusion The first year's implementation of Section 404 required a tremendous effort on the part of management and auditors, as well as the commitment of substantial corporate resources. The lessons learned so far - and to be learned as we complete our first cycle of inspections of audits under Auditing Standard No. 2 - should provide a solid basis for substantial improvement in the process, including significant cost reduction in the future.