Ask the Scholar
Document scope · 1 page
Scholar
Ask about this object, its catalog metadata, its source description, or the page inventory.
For page-specific OCR and visual context, open one of the page chats.
Scholar Source Context
Document identity
localId
74615968
label
Sarbanes-Oxley
core
doc
dtoType
document
citationUrl
pageCount
1
Source metadata
id
74615968
sourceUrl
contentType
document
title
Sarbanes-Oxley
citationUrl
collections
Records of the National Economic Council (George W. Bush Administration)
Bryan Corbett's Files
largeImageUrl
imageCount
1
hasImages
yes
source
import
hasTranscription
no
Source extras
naId
74615968
levelOfDescription
fileUnit
otherTitles
t029-006-sarbox-20140373f
recordType
description
ocrSource
nara-archive
Single page context
seq
1
pageIndex
0
type
document
mediaId
67604ae7ae6d0dba
ocrText
2014-0373-F
[
]
Wednesday, May 13, 2015
FOIA Marker
This is not a textual record. This FOIA Marker indicates that material has been removed
during FOIA processing by George W. Bush Presidential Library staff.
National Economic Council
Corbett, Bryan
Location or
NARA Number:
FRC ID:
OA Number:
Stack: Row: Sect.: Shelf: Pos.:
Hollinger ID:
W
30
20
1
2
6716
19651
8937
9033
Folder Title:
Sarbanes-Oxley
CHAMBER OF COMMERCE
OF THE
UNITED STATES OF AMERICA
DAVID CHAVERN
1615 H STREET, N.W.
VICE PRESIDENT AND
WASHINGTON, D.C. 20062-2000
CHIEF OF STAFF
September 13, 2006
202-463-3101
202-463-5327 FAX
[email protected]
Ms. Nancy M. Morris
Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
RE: Release No. 34-54122; File No. S7-11-06
Dear Ms. Morris:
The U.S. Chamber of Commerce is the largest business federation in the
world, representing the interests of some three million companies of every size
and industry. We have been an advocate for the issuance of specific guidance
by the U.S. Securities and Exchange Commission (the "SEC") for issuers under
Section 404 of the Sarbanes-Oxley Act ("SOX"). In that regard, we very much
appreciate the opportunity to provide comments in response to the SEC's
Concept Release on such guidance.
The Chamber has been very supportive of most provisions of SOX and,
with respect to Section 404, strongly advocates for good systems of internal
control in public companies. We agree that SOX has had positive effects in
causing boards, management, and external auditors to be more thorough and
attentive in fulfilling their responsibilities. However, we believe that Section
404 has been implemented in such a way as to create extraordinary and
unnecessary burdens that are disproportionate to identified benefits. This has
had an extremely negative effect on the overall health and competitiveness of
the U.S. capital markets.
Our overall comments regarding improvement in the implementation of
Section 404 are set forth in our comment letters of April 12, 2005, October 24,
2005, April 3, 2006, and May 3, 2006. In addition, Chamber representatives
participated in the SEC/Public Company Accounting Oversight Board
(PCAOB) Roundtables on April 13, 2005, and May 10, 2006. We have been an
active voice for the business community on this issue because it is critically
important to a broad cross-section of domestic and foreign companies.
Ms. Nancy M. Morris
September 13, 2006
Page 2
Overview
The implementation of Section 404 has, to date, failed for several
interrelated reasons:
Auditing Standard # 2 ("AS2") is a vague and difficult to apply standard
- and, to date, there has been no formal standard for issuers.
The auditing profession has legitimate concerns about being second
guessed by the plaintiffs' trial bar and its new regulator, the PCAOB.
The long-term risks to the profession are very significant¹, and there has
been every incentive to apply AS2 (such as it is) in a conservative way.
Issuers have been trapped between the uncertain demands of AS2 and
their own concerns about diverting critical resources from research,
development, investment, and employment.
The result has been generally bad for any public companies with
securities available in the United States - as well as any foreign or domestic
companies who may have hoped to list here in the future. The implementation
of SOX 404 has damaged our capital markets and there is an immediate need
for corrective action.
We are, therefore, hopeful about the dual undertakings of (i) the SEC to
promulgate issuer guidance regarding internal controls, and (ii) the PCAOB to
revise AS2. We are also encouraged that the SEC and PCAOB are seeking to
align their activities to avoid unintentional confusion. There is now a real
opportunity for regulatory action on SOX 404 that would obviate the need for
any legislative adjustment to the Act. We trust that the SEC and PCAOB will
seize the opportunity and drive real improvement in the system.
1 For further discussion of this issue, please see a U.S. Chamber of Commerce publication entitled Auditing: A
Profession at Risk, dated January 2006. http://www.uschamber.com/publications/reports/0601auditing,htm
Ms. Nancy M. Morris
September 13, 2006
Page 3
With respect to the Concept Release, our specific comments below reflect
three basic themes:
There must be a risk-based focus on those controls that are most likely
to have a material impact on the financial statements. This includes an
emphasis on entity-level, rather than transaction-level, controls.
The guidance for issuers should have as much specificity and clarity as
possible. Where this is not achievable, issuers should have some ready
means to seek and obtain on-going guidance from the SEC.
It should be emphasized that the design, creation, and maintenance of
good internal controls is a primary obligation of management. While
auditors evaluate and determine the sufficiency of controls, they should
not - and should not be expected to - decide how companies best
manage their operations.
Discussion
Risk and Control Identification
As mentioned, it is critical to employ a risk-based focus on those internal
controls that are most likely to have a material impact on financial statements.
We agree with the SEC that the evaluation framework of internal controls will
vary depending on what is reasonable for the issuer. This framework, however,
must be aligned with specific guidance that alleviates the implementation issues
that caused the overly conservative application of SOX 404 and AS2.
Specific Responses
We would suggest that the SEC begin by clearly stating the goal of an
appropriate examination of internal controls under SOX 404. We
believe that an implicit expectation has evolved - supported by the
plaintiffs' trial bar, among others - that the purpose of SOX 404 is to
prevent every fraud and, in fact, every other possible type of business
risk. Until the SEC is extremely clear that the purpose is to reach an
appropriate level of assurance about controls - but not obviation of all
risk - then the problems with overly conservative implementation will
remain.
Ms. Nancy M. Morris
September 13, 2006
Page 4
We would suggest that the SEC identify those entity-level controls that it
will always consider relevant. Further, it should provide examples of
entity and transaction-level controls that it would not consider material.
While no guidance can address every possible factual circumstance, it
should be possible to establish guideposts that show the limits of the
analysis. We would also ask that the SEC indicate what constitutes a test
failure and when requirements on additional sampling are necessary.
The Chamber supports the idea of placing greater reliance on assuring
that issuers have a proper base control structure and good entity-level
controls, along with management processes that assure broadly that
these controls are effective.
We would strongly encourage the SEC to specifically address fraud
controls. As noted above, one of the most fundamental problems is a
popular misunderstanding about the reasonable role of SOX 404 analysis
- and auditing generally - in preventing fraud. Experienced accounting
professionals know that there will be companies with excellent internal
controls and superb audits that will, nonetheless, fall victim to collusive
fraud. While it may not be easy or pleasant, the SEC has a core
obligation to educate the public about this fact and provide issuers with
guidance as to the reasoned limits on control evaluation under SOX 404.
We also encourage the PCAOB to quickly and thoughtfully bring closure
on the procedures that should be employed by external auditors to
detect fraud.
The Chamber supports the SEC's August 9, 2006, release proposing a
one-year transition period for newly public companies. We believe that
this will provide relief for start-up costs incurred during the first year.
We continue to urge the SEC to delay implementation for non-
accelerated filers and foreign private issuers until the new and revised
standards have been tested by experience and proven to have been
successful in alleviating key implementation issues.
Ms. Nancy M. Morris
September 13, 2006
Page 5
It is important that the SEC and PCAOB address smaller public
companies as they are - in terms of personnel and resources - and not
apply SOX 404 in a way that requires them to radically alter their
operations or business objectives. Developing "scalable" guidelines
means clearly defining what is "acceptable," even if that means
something less than "perfect." As a clear example, appropriate span of
control should - as a matter of logic - have a different application at a
company with $1 million in revenues when compared to a company with
$1 billion in revenues. "Scalable" doesn't mean two (or more) different
standards or fundamental differences in levels of assurance. It does,
however, mean acknowledging that what might be necessary at one type
of company may not be required for assurance at another.
We continue to believe that not all internal controls need to be evaluated
annually. Appropriate analysis of entity-level controls can include (i)
periodic testing, and (ii) the testing of controls that have changed from
established baseline conditions. In addition, testing by external auditors
should reflect the work of internal parties. This would reduce some of
the unnecessary cost burdens while maintaining a structure that protects
the validity of financial statements.
One of the unintended consequences of SOX is that companies are
forced to delay system implementations or business process changes
planned for the second half of the year in order to obtain a clean
attestation result from the audit firms. We encourage the SEC to
consider solutions to avoid these unnecessary delays.
We would encourage the PCAOB to unify the approach of its standard
setters and investigators. While the standard setters are encouraging the
use of judgment, the inspections appear to be far-reaching.
Management's Evaluation
In absence of direct guidance for issuers, management has been forced
to rely on AS2 in its evaluation of internal controls. Unfortunately, AS2 was
not well-designed for this purpose (nor was the PCAOB ever intended to be a
regulator of issuers). Among other things, this has served to de-emphasize the
importance and primacy of management's own assessment of its internal
controls.
Ms. Nancy M. Morris
September 13, 2006
Page 6
Specific Responses
Our members tell us that the application of AS2 to IT systems has been
particularly problematic. Issuers do not have enough guidance to
determine which systems - and which levels of systems - need to be
evaluated in order to obtain a reasonable assurance as to the
effectiveness of internal controls over financial reporting. As an
example, excessive time, energy, and expense have been devoted to the
evaluation of access controls without regard to whether the access points
in question could pose a significant risk to the validity of the financial
reporting of the company. This is certainly an area where SOX 404 has
been presumed to be about eliminating all business risks, instead of
simply assuring the reasonable validity of the financial statements. In
addition, significant confusion exists on how to assign monetary
exposure to IT deficiencies, especially when they have been mitigated by
entity-level or business process controls. We would strongly urge the
SEC to work with the issuer community and the IT industry to develop
specific standards regarding the evaluation of IT systems that limit the
analysis to the intent and purpose of SOX 404.
As noted above, while no standard could comprehensively address every
situation faced by every affected public company, we would encourage
the SEC to provide as many illustrative examples as possible (including
examples of overly conservative implementation) and also establish a
system for the provision of on-going advice and guidance. It would be
flatly inappropriate for the SEC to issue a standard and then make it "the
issuer's problem" to figure out what it means. This comment most
particularly applies to the meaning of critical but fundamentally hard-to-
define terms, such as "material weakness," "significant deficiency," and
"more than remote."
We have received a number of complaints to the effect that asking for
advice - from outside auditors or others - can itself be construed as a
"material weakness." In short, if you need to ask then you don't know,
and if you don't know then there must be a material weakness. This
only creates a disincentive to seek expert advice on difficult issues. The
SEC must make it clear that a request for guidance should not be used as
evidence as to whether a "material weakness" does or does not exist.
After all, the recognition by an issuer that a problem might exist should
be seen as a strength on its part -- not a weakness.
Ms. Nancy M. Morris
September 13, 2006
Page 7
The SEC should issue guidance as to the appropriate application of the
requirement that the management assessment be "as of" the year end.
There is tremendous confusion about the timing of the examination of
internal controls and the value - or, more appropriately - lack of value
of the experience with controls that is obtained over the course of an
entire year.
There is currently an excessive number of restatements. Many are driven
by "reinterpretations" of long-standing accounting treatments.
Accounting is not an exact science and disagreements about appropriate
application of complex accounting standards are not necessarily evidence
of failure. In fact, the view that "change = failure" does a disservice to
the investing public by implicitly communicating a false precision
surrounding financial statements. The SEC has a basic obligation to
educate investors about the limits of accounting and financial
statements. In that regard, we believe that there are many circumstances
when a restatement should not be construed as evidence of a "material
weakness" in internal controls.
Separately, we continue to support an overall review by the SEC and the
PCAOB of the current standards for restatement, including an
examination of the impact on investors of restatements that do not
result in a material change in the overall financial performance or
prospects of an issuer. Restatements can undermine investor confidence
in an otherwise sound system of accounting principles. To that end,
when the SEC considers the need for a new interpretation of GAAP that
has previously been generally accepted in the marketplace, it should do
so prospectively as opposed to retroactively so as not to undermine
investor confidence.
Ms. Nancy M. Morris
September 13, 2006
Page 8
Documentation to Support the Assessment
During the first two years of implementation, it is clear that accelerated
filers often over-documented internal controls in absence of specific guidance.
Non-accelerated filers do not have access to the same resources and therefore
would be put at a significantly greater disadvantage by overzealous
documentation requirements.
Specific Responses
A lack of documentation should not be confused with poor internal
controls. Smaller public companies, in particular, often have good
internal controls that are simply insufficiently documented. While
documentation is important in order for systems to be auditable, we
would urge the SEC to closely evaluate documentation alternatives and
determine whether there are "low resource cost" solutions that might be
acceptable for smaller compañies, even if they are not appropriate for
larger companies with more complex control systems.
We would encourage the SEC to further examine footnote level
information, particularly as how to measure the materiality of a
deficiency. Not all footnotes are created equally and those that merely
give information on routine accounts such as the composition of
inventory are demonstrably less important than others like the
disclosures of off balance sheet contingencies. One solution would be
to expressly rule some footnotes out of the 404 scope and develop
bright lines test for inclusion/exclusion for all other footnotes.
Conclusion
In summary, the Chamber is very supportive of systems of good internal
controls maintained by management. We look forward to the forthcoming
guidance from the SEC and PCAOB providing clear and specific
recommendations for issuers and auditors. In absence of specific guidance, we
fear that the current ambiguity will continue to cause unintended consequences,
including diverting management time away from valuable business operations.
Ms. Nancy M. Morris
September 13, 2006
Page 9
The Chamber commends your dedication to achieving a long-term
solution that will benefit issuers, auditors, investors, and the health and
competitiveness of our capital markets. Thank you for you consideration, and
we would be happy to discuss our comments with the relevant staff.
Sincerely,
David C Chavern
Vice President
Capital Markets Programs
CC:
Christopher Cox, Chairman, U.S. Securities and Exchange Commission
Paul S. Atkins, Commissioner, U.S. Securities and Exchange Commission
Roel C. Campos, Commissioner, U.S. Securities and Exchange Commission
Kathleen L. Casey, Commissioner, U.S. Securities and Exchange Commission
Annette L. Nazareth, Commissioner, U.S. Securities and Exchange Commission
Mark W. Olson, Chairman, Public Company Accounting Oversight Board
Kayla J. Gillan, Member, Public Company Accounting Oversight Board
Daniel L. Goelzer, Member, Public Company Accounting Oversight Board
Bill Gradison, Member, Public Company Accounting Oversight Board
Charles D. Niemeier, Member, Public Company Accounting Oversight Board
BIOTECHNOLOGY INDUSTRY ORGANIZATION (BIO)
TECHNET
TELECOMMUNICATIONS INDUSTRY ASSOCIATION (TIA)
ELECTRONIC INDUSTRIES ALLIANCE (EIA)
SEMICONDUCTOR INDUSTRY ASSOCIATION (SIA)
ADVANCED MEDICAL TECHNOLOGY ASSOCIATION (ADVAMED)
MEDICAL DEVICE MANUFACTURERS ASSOCIATION (MDMA)
ASSOCIATION OF BIOSCIENCE FINANCIAL OFFICERS (ABFO)
CALIFORNIA HEALTHCARE INSTITUTE (CHI)
September 12, 2006
Chairman Christopher Cox
Commissioner Paul S. Atkins
Commissioner Roel C. Campos
Commissioner Annette L. Nazareth
Commissioner Kathleen L. Casey
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549
Re:
Concept Release Concerning Management's Reports on Internal Control Over
Financial Reporting (File No. S7-11-06, Release No. 34-54122);
Internal Control Over Financial Reporting In Exchange Act Periodic Reports Of
Non-Accelerated Filers and Newly Public Companies (File No.S7-06-03, Release
No. 33-8731).
Dear Mr. Chairman and Commissioners:
On behalf of the biotechnology, healthcare technology, high technology, information and
communications technology, electronics, and semiconductor industries, we urge the Securities
and Exchange Commission to expeditiously adopt Section 404 reforms, in the form of a rule,
based on a reform framework that is cost effective, "scaled", and "proportional" to the size and
complexity of corporate structures.
Our member companies include the management of a majority of microcap and smallcap
companies in the U.S. high-growth sectors. As we indicated in our letter to the Commission on
April 3, 2006, we fully support the original goals of the Sarbanes-Oxley Act (SOX) and recognize
the need for responsible internal control standards that create meaningful and transparent
financial reporting for investors.
The implementation of the SOX Section 404 requirements, however, continues to have a
significant impact on smaller public companies that is disproportional to its benefits for the
investors. The result has been a negative impact on America's ability to innovate and maintain its
1
global competitiveness in the high-growth sectors of our nation's economy. For these reasons,
we urge the Commission to expeditiously adopt Section 404 reforms as described below.
We welcome this opportunity to provide comments on the Concept Release and appreciate the
Commission's recognition of the compliance challenges and costs faced by small businesses as
detailed in the Final Report of the Advisory Committee for Smaller Public Companies (Advisory
Committee) and the April 2006 report of the U.S. Government Accountability Office (GAO). It
is our hope that the changes proposed by the Commission and the Public Company Accounting
Oversight Board's (PCAOB) plans to provide further Auditing Standard #2 (AS2) reforms will be
critical steps towards fundamental reform of Section 404 that addresses the significant
compliance burdens on smaller public companies and supports innovation.
The Reform Framework Should Be Principles-Based
For the high-growth industries, the implementation of SOX Section 404 has had a significant
impact on the long-term competitiveness of American companies and the U.S. capital markets.
Section 404 has imposed cost burdens on high-growth companies and their management far
beyond what Congress intended and what is needed to protect investors against corporate fraud.
These disproportional compliance burdens have been described to the SEC and the PCAOB by
participants in the Section 404 Year Two Roundtable discussions and were well documented in
the Final Report by the Advisory Committee.¹
As currently implemented by the Commission and through the guidance provided by AS2,
Section 404 places disproportional cost burdens on America's smaller companies, while specific
benefits are difficult to identify.
As the Advisory Committee recommended after its year-long review of Section 404 impacts,
without a revised implementation framework, the current "one-size-fits-all" approach of Section
404 and AS2 will continue to hamper the ability of smaller public companies to invest in research
and development and to gain access to public capital markets, thereby jeopardizing the
competitiveness of smaller companies.
To ensure the continued innovation and vitality of America's public companies, including the
smaller companies engaged in the high-growth industries -- high technology, biotechnology,
medical devices, electronics, telecommunications and semiconductors, as well as the American
institutions that provide access to public capital -- a principles-based reform framework should
be adopted in the form of a rule by the SEC to be implemented through AS2 revisions.
The Reform Framework Should Be Based On The Following Principles:
Reforms must reflect rational cost/benefit balance. Cost burdens imposed by increasing
complexity of required internal controls must yield increased benefits in assuring greater
investor confidence.
1 During the May 2006 SEC Roundtable on SOX Section 404 Year Two Compliance, the former SEC Commissioner
Joe Grundfest also recommended fundamental Section 404 reforms for smaller public companies. Mr. Grundfest
suggested that the Commission and PCAOB amend AS2 to incorporate many of the findings made by the Advisory
Committee. He also recommended that AS2 reforms should redefine the objective of the control audit process so as to
reduce auditors' incentive to examine controls that are unlikely to have material impact on smaller public companies.
Fixing 404 by Joseph A. Grundfest, Stanford Law School, May 1, 2006.
2
Internal control requirements should be "scaled" and "proportional" to the size of product
revenues and complexity of corporate structures.
Scaled and proportional reform should be based on the principle that the level of
risk and product revenues are intricately tied; product revenues drive the
complexity of corporate structures and the corresponding need for more rigid and
established internal control processes.
Reforms should support management's incentive to màintain an effective and
integrated system of internal controls to produce accurate financial reports, which
are most important to investors. The internal controls necessary to meet Section
404 should be "integrated" and consistent with the level of controls necessary to
meet the CEO and CFO certifications of company financials as required under
Section 302 of SOX.
Reforms should provide clear rules that are risk-based and material to the integrity of the
financial statements.
The rules must provide a clearly defined scope of required assessments with a
focus on entity-level controls material to financial statements.
Frequency of internal control testing should be determined by changes in established
baseline controls and not merely by the calendar.
1) Reforms Must Achieve Cost/Benefit Balance.
We fully appreciate the Congressional intent behind Section 404 - ensuring that companies have
in place effective policies, procedures and controls to protect against material misstatements in
financial statements, and to prevent fraud. However, as currently implemented, AS2 does not
require a cost/benefit balance as part of its objectives.
The majority of smaller public companies simply do not have the manpower or the resources to
perform the requirements under AS2. As most do not have more than one or two dedicated staff
to the internal audit function, these companies are forced to either hire additional internal audit
personnel or engage external consultants to perform the management assessments necessary to
meet the requirements of AS2. As a result, many of our companies are incurring additional
consulting fees in addition to external auditing fees. Many smaller companies, in order to
complete the mandated internal control processes and the "checklist" dictated by AS2, are
required to increase their accounting staff by as much as 50% in addition to hiring additional
consultants.
Smaller public companies have limited resources, leaner staffs and tighter budgets. Given the
disproportionately high cost of Section 404 compliance for smaller companies, it is our
experience that many are forced to redirect funding from other investments, including R&D and
the hiring of additional engineers or scientists, all of which are critical for continued innovation
and survival of a company. For example, a small company with $150 million in market
capitalization but no product revenues recently paid more than $1 million for costs associated
with Section 404 compliance. Such costs are typical and often do not include a company's
indirect costs of complying with Section 404, or the costs associated with non-accounting staff
performing the internal control work due to the shortage of available resources.
3
Due to Section 404, audit firms now have a required audit process, entirely separate from the
typical financial statement audit process, generating fees almost equal to or greater than the
charges for a financial statement audit. This was clearly not the Congressional intent. The Senate
Committee Report on Section 404 was specific: "The Committee does not intend that the
auditor's evaluation be the subject of a separate engagement or the basis for increased charges or
fees". Such windfall is attributable not only to the process imposed by the large accounting firms
but also to AS2, as promulgated by the PCAOB. The current standards require very prescriptive
procedures that auditors must follow to perform the separate attestation, with little room for an
auditor's judgment.
Investor confidence and trust in public companies has increased as a result of the passage of SOX
as a whole in spite of Section 404 and not necessarily because of it. Important and effective
provisions of SOX include whistleblower protections; increased enforcement powers, such as the
SEC's increased ability to obtain officer and director bars; auditor independence requirements;
and, perhaps most importantly, CEO and CFO certifications of company financial statements
under Section 302. As we saw in the first and second years of Section 404 implementation,
investors and the market generally had no market reaction when a company reported a "material
weakness" in internal controls under Section 404. 2 Thus, we believe the costs of the
implementation of Section 404, particularly for smaller public companies, clearly outweigh any
benefits that are directly related to Section 404.
2) Reforms Must Be "Scaled" And "Proportional" To The Level of Product Revenues.
In achieving scaled and proportional reforms that are risk based, it is critical that Section 404
reforms establish a concrete basis for the required levels of internal controls. As recognized by
the Advisory Committee in its Final Report and strongly supported by our members, Section 404
reform should be based on a "revenue filter" or revenue metric, particularly product revenues.
This approach reflects corporate reality in that product revenues drive the complexity of corporate
structures and the corresponding need for increased internal controls to protect against financial
fraud.
Scaling Section 404 requirements, in part, on product revenues is critical to smaller companies in
our industries. Biotech and other innovative start-up companies generally have very low
revenues compared to their market capitalizations. For example, it is not uncommon for an early
stage public biotech company with a market capitalization of $700 million to have product
revenues of $1 million or less.
For smaller public companies, as defined by the level of product revenues, the reform framework
should focus on the internal controls necessary for CEO and CFO certifications of company
financials as currently required under Section 302 of SOX. The proposed reform supports
management's incentive to maintain effective systems of internal controls and produce accurate
financial reports which are most important to financial markets and investors. Section
13(b)(2)(B) of the Exchange Act requires, as it has since 1977, that public companies maintain a
system of internal controls that provide reasonable assurances as to the accuracy of financial
reports. Under section 302, each CEO and CFO must certify that the financial statements fairly
present in all material respects the financial condition of the company, and disclose all
2 See, e.g., Neil O'Hara, An Analysis of the (Non) Impact of SOX 404, Compliance Week, March 8, 2005. In addition,
at the 2005 SEC and PCAOB Roundtable on Section 404, a representative of Moody's on one of the panels stated that,
of the 71 companies disclosing material weaknesses they considered in detail, they ultimately issued a negative rating
action on 12, or 20%, of the companies. Thus, credit rating agencies had no adverse reaction to approximately 80% of
the companies.
4
weaknesses in the internal controls that could adversely affect the company's ability to record,
process, summarize and report financial information, among other things.
3) Reforms Must Be Risk-Based.
The prescriptive nature of AS2 in its current form deters both management and auditors from
taking a risk-based approach to prioritizing key financial controls under Section 404. As
currently implemented, for smaller companies, management has little say in determining the
scope and identification of necessary internal controls. Often, management implements extensive
assessment plans developed by their auditors. As currently required, AS2 provides limited
opportunity for management or external auditors to take a risk-based approach. AS2 thereby
limits the ability of management and auditors to focus on the necessary controls, especially at the
entity-wide level, which ultimately could have a material impact on their financial statements as
required under Section 302. In short, the management and auditors are compelled to focus on the
breadth of controls rather than the depth of necessary controls.
In fact, most small companies currently match their internal reviews to the requirements of the
external reviews. They do not see how it could work any other way. If companies were truly
performing their own internal audits for fraud and accuracy, they would not follow the current
AS2 internal control requirements because many of these processes evaluate items that are
immaterial for smaller companies.
Just to provide two examples of processes lacking a rational basis: a biotech company's
management was required to sign off on every page of its Controller's 150-page close book; and
the same company also received a deficiency because its accounting software did not require
passwords to be alpha-numeric. Additionally, for smaller public companies, cross-training and
interchangeability of staff is often more valuable than the strict segregation of duty that is
required under Section 404, sometimes to a point of dysfunction.
Other examples include a lack of rationale in addressing certain information technology (IT)
controls. The current external auditor-driven approach requires extensive testing of internal
controls over IT as it relates to entire company and not just IT systems related to financial
reporting. Under the current system, company management cannot rely on the capabilities of
external service providers (i.e. payroll providers, tax firms and transfer agents) if no SAS 70
reports are in place. Thus, most companies are left to either pay for the external service provider
to obtain the SAS 70 or put extensive controls in place surrounding the information that the
service providers provide, including extensive manual recalculations.
Under AS2, auditors are SO focused on the detail and the shear breadth of the internal controls and
testing that there is little room for judgment and clear perspective over the overall process goals.
Additionally, management has such extensive compliance requirements, including sign offs,
recalculations and documentation, that many company managers have less time to evaluate the
reasonableness of their disclosures.
As previously discussed, the opportunity cost of time spent on complying with documentation,
testing and review of internal controls is time that could be directed toward functions that add
value to the company and its shareholders (i.e. training staff, forecasting, modeling, monitoring,
bringing in-house tasks done by external parties).
5
4) Frequency Of Internal Control Assessments Should Be Determined By Material Changes In
Key Financial Controls.
Frequency of internal control testing should be determined by changes in established baseline
entity-wide controls. As currently implemented, AS2 fails to recognize the value of cumulative
knowledge and relevance of changes in key control areas that matter to the reporting of financial
statements. Periodic testing or testing when a material change has occurred could alleviate the
excessive duplication year after year that further adds to the high cost and burdens imposed by
Section 404.
5) Additional Deferrals For Non-Accelerated Filers And Newly Public Companies Should Be
Provided Until A New Reform Framework Is Implemented.
We fully support the Commission's proposal to provide further implementation deferrals for non-
accelerated filers (small companies under $75 million in market capitalization) and for newly
public companies. In light of the current uncertainties due to the anticipated reforms by the
Commission and the PCAOB and potential changes to AS2 requirements, we believe it is critical
to further delay both the management assessment and external auditor attestation requirements for
non-accelerated filers as well as newly public companies until a settled guidance can be provided
and revised AS2 rules have been implemented for a reasonable time. In fact, non-accelerated
filers and newly public companies should not be required to comply with Section 404 until a full
assessment can be made by the GAO on the cost/burden impact of the newly revised AS2 rules.
Conclusion
As representatives of the high-growth sectors of the U.S. economy, we appreciate this opportunity
to comment on the concept release. We believe that principles-based reforms that focus on cost
effectiveness, that are risk based, and that are scaled and proportional to the level of product
revenues and complexity of corporate structures will achieve the original intent of Section 404 -
achieving internal controls that provide investors with the optimal level of confidence in the
financial integrity of a public company.
We thank you for your consideration of our views and we urge you to expeditiously adopt a
reform framework that provides fundamental relief to smaller public companies and that supports
innovation in the U.S. high-growth sectors. We look forward to working with you to achieve
these important goals.
Sincerely,
James Commond
Leylee 8 Westine
James C. Greenwood
Lezlee Westine
President and CEO
President and CEO
Biotechnology Industry Organization
TechNet
6
Dave ho Curdy
Matthew J. Flanigan
Dave McCurdy
President
President and CEO
Telecommunications Industry
Electronic Industries Alliance
Association
Serry M. Scabin
Stople 9 Uap
George M. Scalise
Stephen J. Ubl
President
President and CEO
Semiconductor Industry Association
Advanced Medical Technology
Association
nal 1/2 Leby
David Gallahen
Mark B. Leahey
David L. Gollaher, Ph.D.
Executive Director
President and CEO
Medical Device Manufacturers Association
California Healthcare Institute
Alain Cappeluti
Chairman
Association of Bioscience Financial
Officers (B/W Chapter)
Past Chairman, ABFO International
7
WSJ
.com
THE WALL STREET JOURNAL.
ONLINE
November 1, 2006
COMMENTARY
DOW JONES REPRINTS
To Save New York, Learn From London
By CHARLES E. SCHUMER and MICHAEL R. BLOOMBERG
November 1, 2006; Page A18
In recent months, there has been a lot of media chatter about the possibility of London taking over
New York's position as the world's financial capital. Such speculation, although overblown, has
focused our attention on a broader and legitimate concern: Unless we improve our corporate
climate, we risk allowing New York to lose its pre-eminence in the global financial-services sector.
This would be devastating both for our city and nation.
One of the engines of growth for the U.S. economy, the financial-services industry in New York
has long possessed significant comparative advantages over London and all other cities. These
advantages include the broadest, most efficient and liquid capital markets in the world, and a
concentration of the world's biggest financial firms -- which have a much larger presence here than
anywhere else. This city dominates global private-equity markets, secondary trading markets, and
mergers and acquisitions.
New York has unparalleled quality of life and cultural diversity, which global companies
increasingly seek, as well as a dynamic labor market:-- our unemployment rate is lower than the
nation's. Taken together, these advantages explain why New York's financial-sector employment
numbers are greater than any other city's.
Yet while New York remains the dominant global-exchange center, we have been losing ground as
the leader in capital formation. In 2005 only one out of the top 24 IPOs was registered in the U.S.,
and four were registered in London. London is gaining ground in other areas too, but it is not only
London we need to worry about. Next year, more money will be raised through IPOs in Hong
Kong than in either London or New York.
We cannot ignore these warning signs. That is why New York has hired a consulting firm, which
will issue a report in November identifying the specific variables that are negatively impacting our
financial-services industry and recommending an action plan to correct them.
Based on the work completed so far, there are four factors that bear close attention: globalization of
the capital markets, overregulation, frivolous litigation and incompatible accounting standards. The
first factor is beyond our control; advances in technology and communication are allowing capital
to flow more freely, making it much easier to locate financial activities anywhere in the world. But
we can, and must, do something about the other three factors to maintain and expand our
competitive edge.
First, what lessons can we learn from other nations' regulatory systems? Currently, there are more
than 10 federal, state and industry regulatory bodies in the U.S. The British have only one such
body. Industry experts estimate that the gross financial regulatory costs to U.S. companies are 15
times higher than in Britain. Beyond cost savings, the British enjoy another advantage: While our
regulatory bodies are often competing to be the toughest cop on the street, the British regulatory
body seems to be more collaborative and solutions-oriented.
With the benefit of hindsight, the Sarbanes-Oxley Act of 2002, which imposed a new regulatory
framework on all public companies doing business in the U.S., also needs to be re-examined. Since
its passage, auditing expenses for companies doing business in the U.S. have grown far beyond
anything Congress had anticipated. Of course, we must not in any way diminish our ability to
detect corporate fraud and protect investors. But there appears to be a worrisome trend of corporate
leaders focusing inordinate time on compliance minutiae rather than innovative strategies for
growth, for fear of facing personal financial penalties from overzealous regulators.
Second, what lessons can we learn from other nations' legal environments? The total value of
securities class-action lawsuits in the U.S. has skyrocketed in recent years, to $9.6 billion in 2005
from $150 million in 1997. The U.K. and other nations have laws that far more effectively
discourage frivolous suits. It may be time to revisit the best way to reduce frivolous lawsuits
without eliminating meritorious ones.
Third, what lessons can we learn from other nations' experiences with international accounting
standards? Most European and Asian countries have already begun to adopt international
accounting standards, which businesses tend to prefer over the American system. Yet we have set
no timetable for doing the same.
In the last quarter of the 20th century, we achieved an almost exquisite balance between regulation
and entrepreneurial vigor in American financial markets. We learned that too much regulation
stifles entrepreneurship, competition and innovation; while too little regulation creates excessive
risk to industry, investors and the overall system.
This delicate balance has been upset by technological advances, making it much easier to locate
financial-services activities anywhere in the world. As a result, foreign markets may be tempted to
lower regulatory requirements to achieve a temporary competitive advantage. Though deregulation
may help some countries gain more business in the short term, over the long term it could hurt the
stability and reliability of the global marketplace.
New York cannot afford to lose its place as the global leader in financial services. We have to
carefully redefine this balance of innovation and regulation. That is what we seek to do over the
next several months.
Our ability to do that, and to answer these three questions, will determine the future of New York -
- and, in many ways, the nation. If we do not rise to the challenge, the speculation that New York is
losing its pre-eminence in the global marketplace will become more than just chatter.
Mr. Schumer is a Democratic senator from New York. Mr. Bloomberg is mayor of New
York City.
URL for this article:
http://online.wsj.com/article/SB116234404428809623.html
Copyright 2006 Dow Jones & Company, Inc. All Rights Reserved
This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber
Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-
0008 or visit www.djreprints.com.
REGULATION
SarbOx Setback
EASIER COMPLIANCE FOR SMALL BIZ WAS WITHIN REACH,
BUT THE SEC IS BACKPEDALING BY JEREMY QUITTNER
SMALL COMPANIES that were hoping
have until July 15, 2007, to file
for some regulatory relief from the
their first annual report. The
most onerous provision of the Sar-
best they can hope for, he says, is
banes-Oxley Act are out of luck, at
to see the date postponed.
least in the short term.
The idea of making 404
On Apr. 23, the 21-person Adviso-
work more efficiently is likely to
ry Committee on Smaller Public Com-
be "a very lengthy process and
panies handed the U.S. Securities &
not an easy task," says Thomas
Exchange Commission a list of 33 rec-
Hartmann, a partner at Detroit
ommendations on how to make Sarb-
law firm Foley & Lardner, He says that's
(R-Ohio) remains chair of the House
Ox compliance easier for small public
partly because there is no existing regula-
Financial Services Committee.
companies. The most striking proposal
tory framework for small companies
The SEC committee's recommen-
would have exempted the smallest from
around which to build such an approach.
dations followed a 13-month review
the burdensome Section 404 until the
Some in Congress are trying to
of the accounting and financial report-
SEC can figure out a way to tailor it to
keep the exemption idea afloat. On
ing of smaller businesses, including
them. Section 404 requires that compa-
May 17, Representative Tom Feeney
their audit procedures and the process
nies complete an internal audit of con-
(R-Fla.) introduced a bill that would
of going public. The committee had
trols they've already established. It's not
amend 404 to exempt companies with a
recommended that companies be
uncommon for businesses to spend
market cap of less than $700 million. "I
grouped into tiers by market size and
hundreds of thousands of dollars trying
was disappointed by the SEC response."
that those with less than $787 million
to comply with it.
says Feeney. "For now it seems they
in market capitalization be exempted
from 404. About 7,400 businesses
CHEIN/NY ENTERPRISE REPORT
But on May 17, SEC Chairman
have not fully appreciated the enormity
Christopher Cox signaled his opposi-
of the problems with SarbOx, or they
would have qualified. That's 79% of
tion. "He and the other commissioners
have appreciated the problems and are
public companies but only about 6% of
have indicated that they would rather
not ready to act aggressively to reform
the total public market capitalization.
make 404 work more efficiently. than
the implementation." Senator Jim
The exemption would have remained
[talk] about exempting smaller compa-
Demint (R-S.C.) introduced a similar
in place until a new set of internal audit
nies," says SEC spokesman John Heine.
bill in the Senate. Even so, Feeney says
rules was established specifically for
He adds that companies with less than
the chances of his bill passing are slim
smaller companies. Now it may not go
$75 million of public stock outstanding
while Representative Michael Oxley
into place at all.
SB
SMALLBIZ EDITOR KIMBERLY WEISUL ASKS NAPOLEON BARRAGAN: WHAT'S
THE ONE THING YOU WISH YOU KNEW BEFORE STARTING 1-800-MATTRESS?
one
"
In 1998 we started asking all our customers five simple
questions. Until we did that, it was hard to know if we were
giving the customer what they wanted. We have to be
measuring constantly. We have to look at last week and last
ILLUSTRATION BY TIM
year and be prepared for tomorrow and next month. And
at that time they call you a visionary.
"
-NAPOLEON BARRAGAN
founder and chief executive of 1-800-MATTRESS
BusinessWeek SmallBiz Summer 2006 35
10
Leaders
The Economis April 200 2006
Iran, Israel and Palestine
Rejecting Israel, again
The refusal to accept Israel's right to exist harms Palestinians too
S
E
VERY so often, unpopular
ous international undertakings. Worse still, Hamas this week
H
Muslim regimes on the pe-
sent out an unambiguously wrong signal by justifying as "self
riphery of the Palestine conflict
defence" the deadly Passover suicide-bombing in Tel Aviv by a
S
find it expedient to propose
smaller pro-Iranian Palestinian group, Islamic Jihad.
p
eliminating the Zionist entity.
Right now it is Israel that has the better claim to be defend-
Since his election last year, Mah-
ing itself. Islamic Jihad makes ceaseless attempts to mount sui-
moud Ahmadinejad, Iran's
cide-bombings in Israel and, with other groups, has been fir-
president and chief holocaust
ing rockets at Israeli towns ever since Israel evacuate the Gaza
C
denier, has become a leading exponent of this familiar ruse.
Strip last summer. Israel has killed many members of the
p
His promise last week that Israel would soon be wiped from
rocket-launching teams-and, by accident, some innocent by-
C
the pages of history in accordance with the prophecy of the
standers too. But the deliberate targeting of civilians is a war
late Ayatollah Khomeini was therefore neither especially new
crime in anyone's book, and under the agreements which Ha-
nor-till Iran acquires nuclear weapons-especially frighten-
mas refuses to honour, the Palestinian Authority (PA) under-
T
ing. And, of course, even with a bomb, even Mr Ahmadinejad
took to make an effort to stop such attacks. Its president, Mah-
might think twice about launching a nuclear attack that could
moud Abbas, rightly denounced the Tel Aviv atrocity.
lead to Iran's own swift destruction.
By condoning the attack instead, Hamas will find it harder
What is more depressing is the rise of a similarly atavistic
to win broad international acceptance. That may be a price it is
strain of Israel-destroying rhetoric among the Palestinians
willing to pay. As Western countries give the PA less, Russia,
themselves. It took the Palestine Liberation Organisation until
Iran and the Arab states may give more. Moreover, any at-
the late 1980s to abandon its self-defeating fantasy that it had
tempt by Israel to force the collapse of Hamas's government is
the power and the right to wipe Israel off the map. Now the
liable to fail. For all Israel's power in the territories, it should be
Palestinians are in danger of revisiting the same dead end.
prevented by its own scruples and world opinion from starv-
Like many successful Islamist movements, Hamas com-
ing the Palestinians into reversing their democratic decision.
bines strong ideology with a shrewd pragmatism. But win-
By the same token, however, Hamas's efforts to establish a
ning January's Palestinian elections has been discombobulat-
free Palestine look doomed to fail unless it pays Israel the basic
ing (see page 47). Since then its leaders have broadcast a
price of admission to talks: recognition of its right to exist and
blizzard of crossed and mixed signals about whether they
an end to terrorism. On present showing, Hamas's leaders are
would be content with a state in the West Bank and Gaza in-
not willing to make that leap. It is to be hoped that they can still
$
stead of all historic Palestine, and for how long. Yet they still
change their mind. If they think Israel's offer of a decent two-
seem unable to accept the request of America, Europe, Russia
state solution is a bluff, let them call it. History suggests that al-
and the United Nations to renounce terror and violence, ac-
though both sides suffer when there is deadlock in this miser-
cept Israel's right to exist and honour the Palestinians' previ-
able conflict, the Palestinians tend to suffer more.
Corporate regulation
In search of better SOX
What can be done to loosen America's burdensome post-Enron rules?
O
NLY yesterday companies
and that their attraction to overseas companies was proof of
the world over flocked to
the fact. So what does it mean that many of those firms now
America to list their shares. For
opting to list elsewhere pin much of the blame on the burden
bigger, more established firms,
of America's corporate regulations-above all the Sarbanes-
the razzmatazz of a listing on the
Oxley act (sox) passed by Congress in 2002 after the scandal-
New York Stock Exchange was
ous collapse of Enron and WorldCom?
the mark of blue-chip status. For
To its defenders, and there are still many, sox has done just
younger firms, a NASDAQ list-
what was asked of it and raised the quality of corporate regu-
ing was a crucial step on the way to becoming the next Micro-
lation so as to minimise the risk of the next Enron or World-
soft. Today, however, foreign listings have become a rarity, es-
Com. If the price of that is for flakier Russian companies to
pecially on NASDAQ. Even some of America's home-grown
choose laxer jurisdictions overseas, SO much the better.
would-be Microsofts now list not in New York, but overseas,
That argument might wash were sox a well-crafted piece
especially on London's Alternative Investment Market.
of legislation, rather than a rush-job hurried through a Con-
It used to be taken for granted in the United States that the
gress with its eye on 2002's mid-term elections. sox's sceptics
country's stockmarkets were the best-regulated in the world,
are not restricted to fundamentalists who think that the legis-
the
Economist
Leaders,
11
lation was always unnecessary or went after the wrong tar-
bly be seen through by America's main markets regulator, the
gets. Today, many people who supported SOX in principle-
Securities and Exchange Commission (SEC) without troubling
ranging from the boss of NASDAQ to the sainted former chair-
Congress (see page 59).
man of the Federal Reserve, Alan Greenspan-are increasingly
A good start would be for the SEC to follow the likely advice
disturbed by SOX in practice.
of its own Advisory Committee on Smaller Public Companies
and exempt companies with a stockmarket value below
Strangled by red tape
$128m and sales of less than $125m. That would still leave the
How could SOX be improved? Divisions in Congress mean
bigger firms that account for 94% of the value of America's
that thorough reform is unlikely anytime soon, even though
stockmarkets subject to Section 404. The SEC should also try to
some parts of the legislation could do with a second look. The
lighten the burden on them too. It could, for example, narrow
priority is to modify the most hated part of SOX, the 20 lines of
the scope of the internal-control review carried out by audi-
text called Section 404, which regulates the internal controls
tors so that they examine only the larger risks, not the size of
used by firms in their financial reporting and extends scruti-
people's lunch expenses.
nising to such minutiae as travel expenses and petty cash. The
Small technical changes, perhaps, but in SOX, the detail is
cost of implementing Section 404 has been far higher than ex-
what costs the money. At the least such reforms would help re-
pected, especially in smaller firms. Happily, several changes
store the reputation of America's stockmarkets. They might
could lighten the burden of Section 404 and these can proba-
even make America's own companies more competitive.
The oilmarket
Nostalgia for calmer days
Uncertainty looks a bigger problem than high prices
H
OW high can the oil price
plenty of black gold in the ground.
go? It is striking that so
The hitch is that the most promising territory for explora-
many people are even asking
tion lies in unstable places such as the Middle East and Russia.
the question-let alone answer-
What is more, the oil is controlled by state-owned firms, which
ing it, in some cases, with fright-
often seem blind to the signals sent by the market. While the
ening triple-digit numbers. For
supply remains tight any political or meteorological hiccup in
most of the 1980s and 1990S, the
a producing country (and there always seems to be at least
oil price rarely strayed far from
one) will resonate through the markets.
$20 a barrel. With the exception of a brief interlude following
Three other factors will add to the uncertainty. The first is
Iraq's invasion of Kuwait in 1990, the world grew used to the
the flood of new speculative investment in commodities, es-
joys of cheap oil. But over the past four years, the price has
pecially oil. Speculators are thought to have put more than
more than tripled, to more than $70 a barrel. It is still climbing
$100 billion into commodities markets in the past few years,
and prices in the futures market imply that oil will remain dear
helping to propel the price of oil ever higher. But this new hot
for several years to come. Clearly, investors believe that some
money could quit the oil market in an instant, causing prices to
comfortable old certainties have gone out of the window.
plunge (and throwing the energy industry's investment plans
Chief among them is the idea that Saudi Arabia will always
into disarray).
act to cap prices. The Saudis have many decades-worth of oil
The second unknown is how expensive oil will affect the
left in the ground, and so have an incentive to keep the stuff
world economy. Past surges in the oil price have led to rises in
cheap enough to ward off conservation or substitution. To this
inflation and interest rates that have triggered recessions. This
end-and to help its protectors in Washington, DC-the king-
time might be different, partly because growing demand,
dom used to maintain spare pumping capacity of a few mil-
rather than a reduction in supply, has underpinned the price
lion barrels a day, enough to deal with an unexpected surge in
rise. That means it has been steady and gradual, giving con-
demand or a sudden cut in supply. During the first Gulf war,
sumers more time to adjust. In addition, inflation remains low
for example, Saudi Arabia turned on the taps to compensate
and oil exporters are supporting consumption in the United
for the loss of Iraq and Kuwait's normal output. But as demand
States, the biggest importer (see page 74). Dearer oil will even-
has grown over the past few years, particularly from booming
tually curb demand-but at what price, and at what cost to the
places like China, supply has not kept pace, so Saudi Arabia's
world economy, nobody knows.
buffer has gradually worn through. For the first time in more
than two decades demand is straining at capacity.
Making oil
A freer oil market is no bad thing. In time, higher prices will
In the long run, the biggest uncertainty is technology. Western
lead to conservation-a bonus in a world worried about global
oil firms are beginning to address their difficulty in finding oil
warming (though one better achieved through taxes). In addi-
by manufacturing fuel instead. Man-made fuels, such as etha-
tion, oil firms should respond to higher prices by redoubling
nol derived from plants, or diesel conjured from coal and gas,
their efforts to procure more of the stuff. And so they are: by
hold out the promise of secure and almost unlimited supply.
one estimate, 15m barrels of new capacity should come on-
But with today's technology these are much more expensive
stream by 2010 (see page 65). Moreover, despite a lot of scare-
to produce than oil pumped from the deserts of Arabia. Until
mongering, the geological evidence suggests that there is still
that changes, the oil market is set for an unnerving period.
Business
The Economist April 22nd 2006
59
Also in this section
60 The Enron trial
60 Software as a service
61 Executive pay
62 An Indian LBO
62 General Motors and Saturn
63 Biotechnology
64 Face value: Albert Frère, re-making
corporate Europe
aditic
wenter
Regulating business
far utweighed by the costs.
Messrs Butler and Ribstein would ide-
The trial of Sarbanes-Oxley
ally like SOX to be repealed. But even if a,
court case challenging the constitutional-
ity of the PCAOB (and by extension, sox)
is successful, it is more likely that Congress
NEW YORK
will simply amend the law.
The corporate regulation brought in after the Enron scandal stands accused of
All SOX critics agree that the top prior-
making matters worse
ity for reform is Section 404 of the law,
which regulates the internal controls that
D
OWN in Houston the Enron trial pro-
nancial reports. Second, new measures to
firms use to reduce the risk of fraud or error
ceeds apace. But far more significant
improve the monitoring of firms by rele-
in their financial statements. The burdens
for business, in America and beyond, than
vant outside professionals, such as law-
imposed by Section 404 are the main rea-
the fate of the energy company's former
yers and auditors, who got their own regu-
son why formerly enthusiastic supporters
bosses is the outcome of another "trial"
latory body, the Public Company
of sox, such as Mr Greenspan, are now de-
that is now at a crucial stage-that of the
Accounting Oversight Board (PCAOB).
manding reform.
legislation introduced by Congress in 2002
Third, more disclosure, including of a
Section 404 has almost certainly im-
in the wake of the Enron scandal.
firm's internal-control structure. Fourth,
proved the quality of internal controls at
The act was named after its two main
new rules on the conduct of corporate in-
the firms where it has been implemented.
sponsors, Senator Paul Sarbanes (pictured
siders, such as a prohibition on loans to ex-
But the question is not whether better con-
right above) and Congressman Mike Ox-
ecutives. Finally, new rules to ensure that
trols lead to less risk-how could they
ley (left). Sarbanes-Oxley, or SOX, as it has
securities analysts at banks operate inde-
not?-but whether that reduction in risk is
become known, was unpopular with
pendently from their firms' investment-
worth the price. According to a recent
business people from the start. In recent
banking activities.
study by CRA International, a research
years it has been hard to find a chief execu-
sox-bashers have found fault, to vary-
firm, in the first year of SOX implementa-
tive of a public company who does not
ing degrees, with all five reforms. Henry
tion, for larger companies (with a market
complain vehemently about the burdens
Butler, an economist, and Larry Ribstein, a
capitalisation of at least $700m), the aver-
imposed by the dreaded SOX. Indeed,
law professor, set out the most compre-
age direct cost of Section 404 was $8.5m;
rather than diminish as the initial shock
hensive critique yet in a recent paper, "The
for smaller public companies ($75m-
wore off, the complaints have only got
Sarbanes-Oxley debacle: How to fix it and
700m), the average cost was around $1.2m.
louder. The sox-bashers have been joined
what we've learned", which was pre-
The SEC has not yet asked the very small-
by such luminaries as Alan Greenspan, the
sented at the conservative American En-
est public companies, with a value of less
former head of the Federal Reserve and
terprise Institute. Describing SOX as a "co-
than $75m, to comply with Section 404.
Bob. Greifeld, the boss of the NASDAQ
lossal failure, poorly conceived and hastily
The good news is that Section 404 costs
stockmarket. And the critics are not just
enacted during a regulatory panic", they
are expected to fall by around 40% in the
American. Because of SOX, says Mr Grei-
argue (among other things) that the costs
second year, says CRA, as the new system
feld, "international business clearly per-
of implementing SOX are far higher than
beds in. Even so, the costs are still higher
ceives a 'problem' with US markets today."
expected, both in cash terms, and even
than anyone expected them to be-the SEC
SOX packaged together five different
more so when they count the indirect
initially forecast an average cost of $91,000
categories of reforms intended to protect
costs-such as managers' reluctance to take
per company-and the burden is dispro-
investors from future Enrons. First, rules re-
risks because of the new "climate of fear"
portionately heavy for smaller companies.
quiring better internal monitoring for po-
in the boardroom, and the missed oppor-
Much of the blame for this should be
tential fraud by a company's board and ex-
tunities of foregone investment. Although
pinned on accounting firms, which, de-
ecutives, including making the people at
they admit that SOX may have reduced the
spite being seen by the public as big of-
the top certify the quality of their firm's fi-
risk of fraud, they argue that this benefit is
fenders in the Enron and WorldCom scan- 11
60
Business
The Economist
dals, have emerged as the big beneficiaries
onerous the requirements of Section 404,
to $788m, and revenues of under $250m
from SOX. According to Joe Grundfest, a
the more money the audit profession can
would be partially exempted.
former SEC commissioner, the audit in-
earn" by selling its services.
This proposal has run into strong oppo-
dustry has several incentives to "push Sec-
A couple of proposals could help tackle
sition, not least from Mr Sarbanes himself,
tion 404 compliance to a point of socially
this problem, neither of which would re-
who points out that it would "effectively
inefficient hyper-vigilance." To avoid fur-
quire a wholesale reform of SOX by Con-
exempt four out of every five companies".
ther damage to their reputations, and to
gress. In a report due on April 23rd, the
True, but it was failures at big firms that
minimise the risk that they will be sued
SEC'S Advisory Committee on Smaller
gave rise to SOX, not at small ones, which
over accounting irregularities, audit firms
Public Companies was expected to recom-
investors have always thought riskier. In
are adopting the most prudent possible in-
mend that companies be exempted from
all, the exemption would cover firms ac-
terpretation of the Section 404 rules-rules
Section 404 if their market capitalisation is
counting for only 6% of total American
that are vague and open to argument. And,
less than $128m and their revenues are un-
stock market value, leaving 94% of public
as Mr Grundfest points out, the "more
der $125m. Firms with a market value of up
companies by value still subject to Section
404.
The Enron trial
Rather than exempt companies, Sec-
tion 404 should be refined to make it more
The grilling of Skilling
palatable for all firms, argues Robert Po-
zen, the head of MFS, a fund-management
firm. At the moment, audit companies are
An ustrating week for Telfrey Skilling
looking at far too many internal controls-
some 669 on average at the biggest firms,
=
THIS the man who once
there was no manipulati
according to CRA-including items such as
Gunled a licente place reading WEEE
Mr Berkowitz also argued that ME
travel expenses and the handling of petty
156
with del Leading Energy Company
line kept BIE and trading
cash that are highly unlikely to have any
Critter cross commination this week, the
Email: investors charge Mt
serious impact on a company's financial
brash Jeffrey Skilling were mostly
skilling denied
reporting. Mr Pozen reckons that the SEC
their and respectful despite spasms of
As the all recalls mounted MI
has the authority to require a narrower fo-
bhess The formerchiet executived
Berkow III played 00 Salling have
cus on those internal controls that look at
bankrupt come
memory He efilled inthrabout time
material risks to a firm's financial reports.
may dirisisted 1013 in
Photote Yun by afor:
Mr Grundfest goes further. As it stands,
to that He had moll THE la event
had tailing with
the PCAOB can penalise auditors that are
tax hyolying securities
line estimate.of how
too lax. He would like it to punish those
the instdentraci false states
michilt invested F Photolete was
audit firms that are over-zealous in their in-
DED site auditors
truch How chatures show? Far
terpretation of Section 404, too. What
Belkow the
squestions about
could be fairer than that?
THE and sproduced # 161
to seu of
stilled accusation them that
Entire on Septemberoth
skuline had monipulated the com
WORK the had resigne from the
Software
is earnings LO THE etianaly is targets,
any too prestrial
using reserves from a "conklejet" If-an-
Thous the uppearsito be II fill
Universal service?
wanted cents persibline Ben
of Entons harehbldings at
183 is what Entrin would said Mr
the time, be claims not to tetne Mbet the
DEI kowitz in the second quarter of
Fansaction, which wastap Soon
near the apex of Enton's fortunes,
herethe he sold 500 dob shares which
ME Skilling has he did tell Another
attributes to September ith)
Executive to "shoot for cents a share
kowitz also questionedawhy Mr Skilline,
Proponents of "software as a service"
ex-stite and giffriend all sold sub
say it will wipe out traditional software
Thank stock in the autumh of 2000.
OMETHING momentous is happening
So how did he do? For self-con
in the software business. Bill Gates of
fessed "controls freak", Mr Skilling
Microsoft calls it "the next sea change".
Emerges, atibest, as oddly unaware of his
Analysts call it a "tectonic shift" in the in-
responsibilities and of the peculiar 89
dustry. Trade publications hail it as "the
ings on at his company, which he claims
next big thing". It is software-as-a-service
to have left in its"best shape" in 2001.
(saas)-the delivery of software as an in-
You're out of town, the lights are out,"
ternet-based service via a web browser,
said Mr Berkowitz sceptically of Mr Skil-
rather than as a product that must be pur-
ling's various explanations for why he
chased, installed and maintained. The ap-
was out of the loop. Mr Skilling will get
peal is obvious: saas is quicker, easier and
friendlier face next. His lawyer, Daniel
cheaper to deploy than traditional soft-
Petrocelli, will re-examine him: then
ware, which means technology budgets
comes another chance for Mr Berkowitz,
can be focused on providing competitive
and some other defence witnesses. After
advantage, rather than maintenance.
that, Kenneth Lay, Mr Skilling's defen-
This has prompted an outbreak of icon-
dant, could take the stand next week.
oclasm. "Traditional software is dead,"
Then, the long-suffering jury-now in its
says Jason Maynard, an analyst at Credit
twelfth week of immersion in -bal-
Suisse. Just as most firms do not own gen-
lince sheet vehicles and hedging strate-
erators, but buy electricity from the grid, so
Controls freak
gies-will decide their fates.
in future they will buy software on the
hoof, he says. "It's the end of software as "
Tuesday,
NATIONAL MANET SCRIPIA ARCHIVES AND RECORDS
July 18, 2006
1985
Part IV
Securities and
Exchange
Commission
17 CFR Part 240
Concept Release Concerning
Management's Reports on Internal
Control Over Financial Reporting;
Proposed Rule
40866
Federal Register / Vol. 71, No. 137 / Tuesday, July 18, 2006 / Proposed Rules
SECURITIES AND EXCHANGE
we do not edit personal identifying
accelerated filers. As announced in that
COMMISSION
information from submissions. You
press release, the Commission expects
should submit only information that
to propose an additional extension of
17 CFR Part 240
you wish to make available publicly.
the dates for complying with our
[Release No. 34-54122; File No. S7-11-06]
FOR FURTHER INFORMATION CONTACT:
internal control over financial reporting
Lillian Brown, Division of Corporation
requirements for companies that are
RIN 3235-AJ58
Finance or Michael Gaynor, Office of
non-accelerated filers, including foreign
Chief Accountant, Securities and
private issuers that are non-accelerated
Concept Release Concerning
Exchange Commission, 100 F Street,
filers.
Management's Reports on Internal
NE., Washington, DC 20549.
Section 404(b) of Sarbanes-Oxley, as
Control Over Financial Reporting
SUPPLEMENTARY INFORMATION:
well as the Commission's rules adopted
AGENCY: Securities and Exchange
to implement the requirements of that
Table of Contents
Commission
section of the Act, require every
I. Background
registered public accounting firm that
ACTION: Advance notice of proposed
II. Introduction
prepares or issues a financial statement
rulemaking; Concept Release; request
III. Risk and Control Identification
audit report for a company also to attest
for comment.
IV. Management's Evaluation
to and report on management's
V. Documentation to Support the Assessment
SUMMARY: The Commission is
assessment of internal control over
VI. Solicitation of Additional Comments
publishing this Concept Release to
financial reporting, in accordance with
understand better the extent and nature
I. Background
standards to be established by the
of public interest in the development of
Section 404(a) of the Sarbanes-Oxley
Public Company Accounting Oversight
additional guidance for management
Act of 2002 directed the Commission
Board (PCAOB). On June 17, 2004, the
regarding its evaluation and assessment
to prescribe rules that require each
Commission issued an order approving
of internal control over financial
annual report that a company, other
PCAOB Auditing Standard No. 2, "An
reporting so that any guidance the
than a registered investment company,
Audit of Internal Control over Financial
Commission develops addresses the
files pursuant to section 13(a) or 15(d) 2
Reporting Performed in Conjunction
of the Securities Exchange Act of 1934
with an Audit of the Financial
needs and concerns of public
companies, consistent with the
to contain an internal control report: (1)
Statements" (AS No. 2), published at 69
protection of investors.
Stating management's responsibilities
FR 35083, June 23, 2004, which
DATES: Comments should be submitted
for establishing and maintaining
established the requirements that apply
on or before September 18, 2006.
adequate internal control structure and
when an independent auditor is
procedures for financial reporting; and
engaged to provide an attestation and
ADDRESSES: Comments may be
(2) containing an assessment, as of the
report on management's assessment of
submitted by any of the following
end of the company's most recent fiscal
the effectiveness of a company's internal
methods:
year, of the effectiveness of the
control over financial reporting.
Electronic Comments
company's internal controls and
In the release adopting the
procedures for financial reporting. On
Commission's rules implementing
Use the Commission's Internet
comment form (http://www.sec.gov/
June 5, 2003, the Commission adopted
section 404, we expressed our belief that
rules published at 68 FR 36636, June 18,
the methods of conducting assessments
rules/concept.shtml); or
Send an e-mail to rule-
2003, implementing section 404 with
of internal control over financial
[email protected]. Please include File
regard to management's obligations to
reporting will, and should, vary from
Number S7-11-06 on the subject line;
report on internal control over financial
company to company.4 We continue to
reporting.
believe that it is impractical to prescribe
or
Domestic reporting companies that
a single methodology that meets the
Use the Federal eRulemaking Portal
meet the definition of "accelerated filer"
needs of every company. However, we
(http://www.regulations.gov). Follow the
under the Commission's rules were
have received feedback that the limited
instructions for submitting comments.
required to comply with the internal
nature and extent of detailed
Paper Comments
control reporting provisions for the first
management guidance available has
time in connection with their fiscal
resulted in management's
Send paper submissions in
triplicate to Nancy M. Morris, Secretary,
years ending on or after November 15,
implementation and assessment efforts
2004. Foreign private issuers that meet
being driven largely by AS No. 2.
Securities and Exchange Commission,
the definition of accelerated filer must
Therefore, we are planning to issue
100 F Street, NE., Washington, DC
comply with those provisions for their
additional guidance to assist
20549-1090.
first fiscal year ending on or after July
management its performance of its
All submissions should refer to File
15, 2006. On September 22, 2005, in a
assessment of internal control over
Number S7-11-06. This file number
document published at 70 FR 56825,
financial reporting. On May 17, 2006,
should be included on the subject line
September 29, 2005, the Commission
we announced, among other things, our
if e-mail is used. To help us process and
postponed the compliance date for
intent to issue this Concept Release
review your comments more efficiently,
domestic and foreign non-accelerated
seeking comment on a variety of issues
please use only one method. The
filers until their first fiscal years ending
that might be the subject of Commission
Commission will post all comments on
on or after July 15, 2007.
guidance for management. As we noted
the Commission's Internet Web site
On May 17, 2006, the Commission
in that announcement, in writing any
(http://www.sec.gov/rules/
announced through a press release its
guidance we will be sensitive to the fact
concept shtml). Comments also are
intent to issue an additional
available for public inspection and
postponement for compliance for non-
4 See SEC Final Rule: Management's Reports on
copying in the Commission's Public
Internal Control over Financial Reporting and
Reference Room, 100 F Street, NE.,
Certification of Disclosure in Exchange Act Periodic
1.75 U.S.C. 7262.
Reports, Release No. 34-47986 (June 5, 2003) [68 FR
Washington, DC 20549. All comments
2 15 U.S.C. 78m(a) or 78o(d)
36636, June 18, 2003] (hereinafter "Adopting
received will be posted without change;
3 15 U.S.C. 78a et seq.
Release") at Section II.B.3.d.
Federal Register / 71, No. 137 Tuesday, July 18, 2006 Proposed Rules
40867
that many companies already have
Since the Commission adopted rules
Treadway Commission (COSO) as an
invested substantial resources to
in June 2003 to implement section 404
example of a suitableframework.7
establish and document programs and
of the Sarbanes-Oxley Act, companies
While the COSO framework provides
procedures to perform their assessments
and third parties have devoted
an integrated framework that identifies
over the last few years.
considerable attention to the methods
the components and objectives of
II. Introduction
that management may use to assess the
internal control, it does not set forth
effectiveness of internal control over
detailed guidance as to the steps that
financial reporting. To date, many
management must follow in assessing
Based on the cumulative feedback
public companies have developed their
the effectiveness of a company's internal
received since the adoption of the rules
control over financial reporting. We,
implementing section 404, the
own assessment procedures internally.
therefore, distinguish between the
Commission deems it necessary to issue
Many also have retained consultants or
COSO framework as an internal control
additional guidance for management on
purchased commercial software and
framework and other forms of guidance
its assessment of the effectiveness of
other products to establish or improve
that illustrate how to conduct an
internal control over financial reporting.
their assessment procedures. When the
assessment of the effectiveness of
We currently anticipate that the
Commission first adopted the internal
internal control over financial reporting.
guidance issued would be in the form of
control over financial reporting
Any additional management guidance
a rule, which would address the topics
requirements, we emphasized two broad
that we may issue is not intended to
that we have outlined in this Concept
principles: (1) That the scope and
replace or modify the COSO framework
Release: Risk and control identification,
process of the assessment must be based
or any other suitable framework.
management's evaluation, and
on procedures sufficient both to
In determining the need for additional
documentation requirements (each of
evaluate its design and to test its
guidance to management on how to
these topics is addressed separately
operating effectiveness; and (2) that the
conduct its assessment, it is important
throughout the remainder of this
assessment, including testing, must be
to consider the steps that already have
document). Additionally, we anticipate
supported by reasonable evidential
been taken by the Commission and
that the rule would be written in such
matter. We stated that it was important
others to provide guidance to companies
and audit firms. The Commission held
a manner that if companies followed the
for each company to use its informed
its first roundtable discussion about
rule, they would be deemed to have
judgment about its own operations,
complied with Rules 13a-15(c) and
risks, and processes in documenting and
implementation of the internal control
15d-15(c) of the Exchange Act. Further,
evaluating its controls. We continue to
reporting provisions on April 13, 2005.
The Commission held the 2005
we anticipate any modifications to AS
believe that management must bring its
roundtable to seek input to consider the
No. 2 would be consistent with the rule.
own experience and informed judgment
impact of the section 404 reporting
The Commission is publishing this
to bear in designing an assessment
requirements in view of the fact that the
Concept Release to solicit public
process that meets the needs of its
comment on the provision of additional
company and that provides reasonable
See COSO, Internal Control-Integrated
guidance to management of public
assurance as to whether the company's
Framework (1992). In 1994, COSO published an
internal control over financial reporting
addendum to the Reporting to External Parties
companies that are subject to the SEC's
volume of the COSO Report. The addendum
is effective.
rules related to management's
discusses the issue of, and provides a vehicle for,
assessment of internal control over
While we emphasized the concept of
expanding the scope of a public management report
on internal control to address additional controls
financial reporting and, to assist the
management flexibility in adopting our
pertaining to safeguarding of assets: In 1996, COSO
Commission SO that any guidance it
rules implementing section 404, our
issued a supplement to its original framework to
ultimately develops addresses the needs
rules do require management to base its
address the application of internal control over
financial derivative activities.
and concerns of all public companies.
assessment of a company's internal
The COSO framework is the result of an extensive
We raise a series of questions
control on a suitable evaluation
study of internal control to establish a common
throughout this release on assessing
framework, in order to facilitate
definition of internal control that would serve the
risks, identifying controls, evaluating
comparability between the assessment
needs of companies; independent public
accountants, legislators, and regulatory agencies,
effectiveness of internal control, and
reports. It is important to note that our
and to provide a broad framework of criteria against
documenting the basis for the
rules do not mandate the use of a
which companies could evaluate and improve their
assessment. Through the questions in
particular framework, because multiple
control systems. The COSO framework divides
internal control into three broad objectives:
this Concept Release, we seek to elicit
frameworks exist and others may be
effectiveness and efficiency of operations, reliability
specific public comment on such
developed in' the future. However, in the
of financial reporting, and compliance with
matters including, but not limited to;
release adopting the Section 404
applicable laws and regulations. Our rules relate
only to reliability of financial reporting. Each of the
the extent and nature of public interest
requirements, the Commission
objectives in the COSO framework is further broken
in the development of additional
identified the Internal Control-
down into five interrelated components: control
management guidance, whether
Integrated Framework created and
environment, risk assessment, control activities,
published by the Committee of
information and communication, and monitoring.
additional guidance would be useful for
Under the COSO framework, management is able to
all reporting companies or just a subset
Sponsoring Organizations of the
monitor, evaluate, and improve their control
of those companies, the particular
systems through the use of the five components.
In that release, we also cited the Guidance on
subject areas that any additional
Assessing Control published by the Canadian
guidance should address, and the extent
Institute of Chartered Accountants and the Turnbull
of additional guidance that would be
Report published by the Institute of Chartered
useful.
Accountants in England & Wales as examples of
other suitable frameworks that issuers could choose
in evaluating the effectiveness of their internal
control over financial reporting. We encourage
companies to examine and select a framework that
5 See Adopting Release at Section II.B.3.d.
may be useful in their own circumstances and the
G See Adopting Release at Section II.B.3.d.
further development of alternative frameworks.
40868
Federal Register 71, No. 137 Tuesday, July 18, 2006 Proposed Rules
implementation of the requirements
The purpose of internal control over
and sustained review and testing for
resulted in a major change for
financial reporting;
perceived compliance with section 404.
management and auditors. A broad
The concept of reasonable
The Advisory Committee's final
range of interested parties, including
assurance, the importance of a top-
report set forth several
representatives of managements and
down, risk-based approach, and scope
recommendations for the Commission to
boards of domestic and foreign public
of testing and assessment;
consider regarding the application of the
companies, auditors, investors, legal
Evaluating internal control
section 404 requirements to smaller
counsel, and board members of the
deficiencies;
public companies. The Advisory
PCAOB, participated in the discussion.
Disclosures about material
Committee recommended partial or
We also invited and received written
weaknesses;
complete exemptions for specified types
submissions from the public regarding
Information technology issues;
of smaller public companies from the
section 404 in advance of the
Communications with auditors; and
internal control reporting requirements
roundtable.
under certain conditions, unless and
Issues related to small businesses
Feedback obtained from the 2005
until a framework is developed for
and foreign private issuers.
roundtable indicated that the internal
assessing internal control over financial
Overall, the May 16, 2005 guidance
control reporting requirements had led
reporting that recognizes the
was well-received, and some
to increased focus by management on
characteristics and needs of those
commenters have indicated there has
internal control over financial reporting.
companies. The Advisory Committee
been some improvement in the
However, the feedback also identified
also recommended, among other things,
effectiveness and efficiency of section
particular implementation areas in need
that COSO and the PCAOB provide
of further clarification to reduce
404 compliance efforts. However, some
additional guidance to help facilitate the
constituents, especially smaller public
unnecessary costs and burdens without
design and assessment of internal
companies, continue to request the
jeopardizing the benefits of the new
control over financial reporting and
provision of additional guidance. For
requirements.
make processes related to internal
In response to this feedback, the
example, in its Final Report to the
control more cost-effective. 12 In
Commission and its staff issued
Commission, issued on April 23, 2006,
addition, some commenters on the
guidance on May 16, 2005.9 An
the Commission's Advisory Committee
Advisory Committee's exposure draft of
overarching message of that guidance
on Smaller Public Companies raised a
its report suggested that the Commission
was that it is the responsibility of
number of concerns it perceived
reexamine the appropriate role of
management, not the auditor, to
regarding the ability of smaller
outside auditors in connection with the
determine the appropriate nature and
companies to comply cost-effectively
management assessment required by
form of internal controls for the
with the requirements of section 404.
Section 404. 13
company and to scope their evaluation
The Advisory Committee identified as
Further, in April 2006, the U.S.
procedures accordingly. Additionally,
an overarching concern the difference in
Government Accountability Office
based on feedback received, a number of
how smaller and larger public
issued a Report to the Committee on
the implementation issues arose from an
companies operate. The Advisory
Small Business and Entrepreneurship,
overly conservative application of the
Committee focused in particular on
U.S. Senate, entitled Sarbanes-Oxley
Commission rules and AS No. 2, and the
three characteristics: (1) The limited
Act, Consideration of Key Principles
requirements of AS No. 2 itself, as well
number of personnel in smaller
Needed in Addressing Implementation
as questions regarding the appropriate
companies constrains the companies'
for Smaller Public Companies, which
role of the auditor. Accordingly, much
ability to segregate conflicting duties; (2)
recommends that in considering the
of the guidance in the staff statement
top management's wider span of control
concerns of the Advisory Committee,
and more direct channels of
emphasized and clarified existing
the Commission should assess the
communication increase the risk of
provisions of the rules and other
available guidance on management's
Commission guidance relating to the
management override; and (3) the
assessment to determine whether it is
exercise of professional judgment, the
dynamic and evolving nature of smaller
sufficient or whether additional action
concept of reasonable assurance, and
companies limits their ability to
is needed. The report indicates that
maintain well-documented static
the permitted communications between
management's implementation and
management and auditors.
business processes. 10
assessment efforts were largely driven
The staff's guidance addressed
The Advisory Committee suggests
by AS No. 2, as guidance at a similar
these characteristics create unique
level of detail was not available for
implementation issues in the following
seven areas:
differences in how smaller companies
management's implementation and
achieve effective internal control over
assessment process. 14 Further, the GAO
9 Commission Statement on Implementation of
financial reporting that may not be
report recommended that the
Internal Control Reporting Requirements. Press
adequately accommodated in AS No. 2
Commission coordinate with the
Release No. 2005-74 (May 16, 2005) (hereinafter
or other implementation guidance as
PCAOB to help ensure that the section
"May 2005 Commission Guidance"); Division of
currently applied in practice.
404-related audit standards and
Corporation Finance and Office of Chief
Accountant: Staff Statement on Management's
addition, the Advisory Committee noted
guidance are consistent with any
Report on Internal Control Over Financial Reporting
serious cost ramifications for smaller
(May 16, 2005) (hereinafter "May 2005 Staff
public companies stemming from the
12 Advisory Committee Report at 52, available at
Guidance")available at SEC.gov/spotlight/soxcom/
cost of frequent documentation change
http://SEC.gov/info/smallbus/acspc.shtml.
htm.
13 See, e.g., letter from BDO Seidman, LLP (April
Also on May 16, 2005, the PCAOB and its staff
3, 2006), available at http://SEC.gov/info/smalbus/
issued guidance to auditors on their audits under
10 Final Report of the Advisory Committee on
acspc.shtml.
Auditing Standard No. 2. The PCAOB's guidance
Smaller Public Companies to the United States
14 United States Government Accountability
focused on areas in which the efficiency of the
Securities and Exchange Commission (April 23,
Office Report to the Committee on Small Business
audit could be substantially improved. Topics
2006) (hereinafter 'Advisory Committee Report") at
and Entrepreneurship, U.S. Senate: Sarbanes-Oxley
included the importance of the integrated audit, the
35-36, available at http://SEC.gov/info/smallbus/
Act: Consideration of Key Principles Needed in
role of risk assessment throughout the process, the
acspc.shtml.
Addressing Implementation for Smaller Public
importance of taking a top-down approach, and
Advisory Committee Report at 37, available at
Companies (April 2006) (hereinafter "GAO Report")
auditors' use of the work of others.
http://SEC.gov/info/smallbus/acspc.shtml.
at 52-53:
Federal Register Vol. 71, No. 137/Tuesday, July 18, / Proposed Rules
40869
additional management guidance
1. Would additional guidance to
companies benefit from the
issued.15
management on how to evaluate the
development of additional frameworks?
On May 10, 2006, the Commission
effectiveness of a company's internal
9. Should the guidance incorporate
and PCAOB conducted a second
control over financial reporting be
the May 16, 2005 "Staff Statement on
Roundtable on Internal Control
useful? If so, would additional guidance
Management's Report on Internal
Reporting and Auditing Provisions to
be useful to all reporting companies
Control Over Financial Reporting"?
solicit feedback on accelerated filers'
subject to the Section 404 requirements
Should any portions of the May 16,
second year of compliance with the
or only to a sub-group of companies?
2005 guidance be modified or
section 404 requirements. Although
What are the potential limitations to
eliminated? Are there additional topics
some participants expressed
developing guidance that can be applied
that the guidance should address that
reservations about changing the
by most or all reporting companies
were not addressed by that statement?
processes they have already
subject to the section 404 requirements?
For example, are there any topics in the
implemented, a number of the
2. Are there special issues applicable
staff's "Management's Report on
participants expressed at the roundtable
to foreign private issuers that the
Internal Control Over Financial
and in their written comments the view
Commission should consider in
Reporting and Certification of
that additional guidance was needed. 16
developing guidance to management on
Disclosure in Exchange Act Periodic
COSO plans to publish additional
how to evaluate the effectiveness of a
Reports Frequently Asked Questions
application guidance on its control
company's internal control over
(revised October 6, 2004)" 19 that should
framework in the near future. 17 This
financial reporting? If so, what are
be incorporated into any guidance the
guidance is intended to assist the
these? Are such considerations
Commission might issue?
management of smaller companies in
applicable to all foreign private issuers
10. We also seek input on the
understanding and applying the COSO
or only to a sub-group of these filers?
appropriate role of outside auditors in
framework. It is expected that COSO's
3. Should additional guidance be
connection with the management
new guidance will outline principles
limited to articulation of broad
assessment required by section 404(a) of
fundamental to the five components of
principles or should it be more detailed?
Sarbanes-Oxley, and on the manner in
internal control described in the COSO
4. Are there additional topics, beyond
which outside auditors provide the
framework. The guidance will define
what is addressed in this Concept
attestation required by section 404(b).
each principle and describe the
Release, that the Commission should
Should possible alternatives to the
attributes of each, list a variety of
approaches that smaller companies can
consider issuing guidance on? If so;
current approach be considered and if
use to apply the principles, and include
what are those topics?
so, what? Would these alternatives
examples of how smaller companies
5. Would additional guidance in the
provide investors with similar benefits
format of a Commission rule be
without the same level of cost? How
have applied the principles. As noted in
preferable to interpretive guidance?
would these alternatives work?
the May 17, 2006 announcement, we
anticipate that this guidance will help
Why or why not?
III. Risk and Control Identification
organizations of all sizes to better
6. What types of evaluation
understand and apply the COSO
approaches have managements of
While companies have been required
to establish and maintain internal
framework as it relates to internal
accelerated filers found most effective
control over financial reporting.
and efficient in assessing internal
accounting controls since the enactment
control over financial reporting? What
of the Foreign Corrupt Practices Act in
We are issuing this Concept Release to
1977 20 section 404 of the Sarbanes-
understand better the extent of public
approaches have not worked, and why?
interest in the development of
7. Are there potential drawbacks to or
Oxley Act re-emphasized the
additional guidance for management
other concerns about providing
importance of the relationship between
effective internal controls and reliable
regarding its evaluation and assessment
additional guidance that the
Commission should consider? If so,
financial reporting. An integral element
of internal control over financial
what are they? How might those
of establishing and maintaining effective
reporting. As noted in our May 17, 2006
announcement, SO that this guidance
drawbacks or other concerns best be
internal control over financial reporting
might be helpful to all companies, the
mitigated? Would more detailed
involves identifying risks to reliable
Commission currently intends that any
Commission guidance hamper future
financial reporting and designing
future guidance we issue will be
efforts by others in this area?
appropriate internal controls that
address the risks. The controls that
scalable and responsive to individual
8. Why have the majority of
companies who have completed an
management identifies as addressing
circumstances. We also are interested in
assessment, domestic and foreign,
risks to financial reporting include those
understanding what additional guidance
that operate at a company level and are
accelerated filers would find helpful. 18
selected the COSO framework rather
than one of the other frameworks
pervasive to many individual account
balances and disclosures, as well as
15GAO Report at 58.
available, such as the Turnbull Report?
16 See transcript of Roundtable on Internal
Is it due to a lack of awareness,
those that are specific to certain
Control Reporting and Auditing Provisions, May 10,
individual account balances or
knowledge, training, pressure from
2006, Panels 1, 2, 3, and 5; letter from The Institute
auditors, or some other reason? Would
disclosures. Echoing the Commission's
of Internal Auditors (IIA) (May 1, 2006); letter from
statement in its May 16, 2005 guidance
Institute of Management Accountants (IMA) (May 4,
that management must bring reasoned
2006); letter from Canadian Bankers Association
dissatisfaction by the Commission with the
(CBA) (April 28, 2006); letter from Deloitte &
assessments accelerated filers have completed to
judgment to the process, the staff stated
Touche LLP (May 2006); letter from Ernst &
date. Rather, we are issuing this Concept Release
Young LLP (May 1,2006); letter from KPMG LLP
because we are committed to doing as much as we
19 Available at http://www.sec.gov/info/
(May 1, 2006); letter from PricewaterhouseCoopers
can to reduce any concerns about the nature and
accountants/controlfaq1004.htm
LLP (May 1, 2006) and letter from Pfizer Inc. (May
extent of assessment procedures that management
Title I of Public Law No. 95-213. The FCPA
1, 2006).
must establish and maintain, to assist in making the
required the Commission to adopt rules requiring
17 See letter from Larry Rittenberg, COSO (May
requirements scalable for companies of all sizes and
public companies to make and keep accurate
16, 2006) [File Number 4-511].
complexity, and to help companies evaluate
financial records, and to maintain a system of
18 We emphasize that the publication of this
internal control over financial reporting in a
internal accounting controls. See Exchange Act
Concept Release does not reflect a general
practical and cost-efficient manner.
section 13(b).
40870
Federal Register/Vol. 71, No. 137/Tuesday, July 18, 2006 Proposed Rules
that management should use its
and identify the related risks. In
in the guidance? If so, how should that
cumulative knowledge, experience, and
determining the objectives for internal
guidance reflect the special.
judgment (applying both qualitative and
control over financial reporting, the
characteristics and needs of smaller
quantitative factors) in identifying these
guidance would discuss how
public companies?
controls and designing the appropriate
management might address company-
17. Should the Commission provide
procedures for their documentation and
level, financial statement account and
management with guidance about fraud
testing.
disclosure level considerations, as well.
controls? If so, what type of guidance?
Feedback that the Commission has
as fraud risks. Additionally, we
Is there existing private sector guidance
received indicates that, in implementing
anticipate that we would provide
that companies have found useful in
the requirements of section 404, many
additional guidance on how
this area? For example, have companies
companies did not efficiently and
management identifies the controls to
found the 2002 guidance issued by the
effectively identify risks to reliable
address the recognized risks. This
AICPA Fraud Task Force entitled
financial reporting and relevant internal
would include guidance on common
"Management Antifraud Programs and
control functions, ultimately leading to
issues that exist in identifying controls
Controls" 23 useful in assessing these
the identification, documentation, and
(e.g. materiality considerations, multi-
risks and controls?
testing of an excessive number of
location issues, concept of "key"
18. Should guidance be issued to help
controls. 21 We are also skeptical of the
controls).
companies with multiple locations or
large number of internal controls that
11. What guidance is needed to help
business units to understand how those
some companies have identified,
management implement a "top-down,
affect their risk assessment and control
documented and tested. While there
risk-based" approach to identifying
identification activities? How are
were likely numerous contributing
risks to reliable financial reporting and
companies currently determining which
factors to these implementation issues,
the related internal controls?
locations or units to test?
one cause may have been the overly
12. Does the existing guidance, which
conservative application of AS No. 2 by
has been used by management of
IV. Management's Evaluation
auditors in the initial years.
accelerated filers, provide sufficient
As noted, the Commission's and the
The Commission also has heard that
information regarding the identification
staff's May 16, 2005 guidance
companies had difficulty in determining
of controls that address the risks of
emphasized that management's
how controls related to the prevention
material misstatement? Would
assessment should be based on the
of fraud should be included in their risk
additional guidance on identifying
particular risks of individual
assessment. 22 However, as noted in the
controls that address these risks be
companies, and recommended a top-
May 16, 2005 staff guidance, while no
helpful?
down, risk-based approach to determine
system of internal control can prevent or
13. In light of the forthcoming COSO
the accounts and related processes that
detect every instance of fraud, effective
guidance for smaller public companies,
management should consider in its
internal control over financial reporting
what additional guidance is necessary
assessment. Therefore, management's
can help companies deter fraudulent
on risk assessment or the identification
judgments about the significance and
financial accounting practices or detect
of controls that address the risks?
complexity of the risk areas it has
them earlier.
14. In areas where companies
identified should form the basis not
As noted above, the Advisory
identified significant start-up efforts in
only for determining what controls to
Committee observed that the distinct
the first year (e.g., documentation of the
evaluate, but also for determining the
characteristics of smaller public
design of controls and remediation of
nature, timing, and extent of its
companies affect the financial reporting
deficiencies) will the COSO guidance
evaluation procedures. A risk-based
risks and the controls needed to address
for smaller public companies adequately
evaluation can allow management to
them. For example, the significant risk
assist companies that have not yet
assess whether the company's internal
of management override that arises from
complied with section 404 to efficiently
control over financial reporting is
wider spans of control and more direct
and effectively conduct a risk
effective at a "reasonable assurance"
channels of communication may create
assessment and identify controls that
level. 24
an increased need for entity level
address the risks? Are there areas that
One of the reasons cited most
controls and board oversight. Moreover,
have not yet been addressed or need
frequently by accelerated filers for the
the difficulty in segregating duties and
further emphasis?
higher than anticipated costs in their
changing business processes may
15. What guidance is needed about
first year of compliance with the section
the role of entity-level controls in
404 requirements is that too much work
impact the implementation of internal
evaluating and assessing the
was done to test and document low-risk
controls at these companies.
effectiveness of internal control over
areas. 25 The Commission continues to
We anticipate additional guidance in
this arealwould cover a number of the
financial reporting? What specific
hear that management has difficulty
implementation issues that have arisen
entity-level control issues should be
applying a top-down, risk-based
during the first two years of compliance.
addressed (e.g., GAAP expertise, the
role of the audit committee, using
23 Management Antifraud Programs and Controls:
Guidance issued in this area would
entity-level controls rather than low-
Guidance to Help Prevent and Deter Fraud,
address how management should
commissioned by the Fraud Task Force of the
determine the overall objectives for
level account and transactional
American Institute of Certified Public Accounting's
internal control over financial reporting
controls)? Should these issues be
Auditing Standards Board (2002), available at
addressed differently for larger
http://www.aicpa.org/download/members/div/
companies and smaller companies?
auditstd/AU-00316.PDF.
21 See transcript of Roundtable on Internal
16. Should guidance be given about
'24 See Rules 13a-15(f) and 15d-15(f) of the
Control Reporting and Auditing Provisions, May 10,
Exchange Act.
2006, Panels 2 and 3; letter from Protiviti Inc. (April
the appropriateness of and extent to
25 See transcript of Roundtable on Internal
28, 2006); letter from Computer Sciences
which quantitative and qualitative
Control Reporting and Auditing Provisions, May 10,
Corporation (CSC) (April 28, 2006); and letter from
IMA (May 4, 2006).
factors, such as likelihood of an error,
2006, Panels 2 and 3; letter from Watson Wyatt
22 See letter from QUALCOMM Inc. (April 27,
should be used when assessing risks
Worldwide (March 31, 2006); letter from
2006); and letter from Diane Allen, 3M (Allen)
and identifying controls for the entity?
QUALCOMM Inc. (April 27, 2006); and letter from
Association for Financial Professionals (May 1,
(April 28, 2006).
If so, what factors should be addressed
2006).
Federal Register/Vol. 71, No. 137 Tuesday, July 18, / Proposed Rules
40871
approach in their individual
financial reporting involves the impact
controls, such as on-going monitoring
assessments and some believe that
of information technology (IT)
activities, be useful? What are some of
compliance costs are, and may continue
processes. For example, some
the sources of evidence that companies
to be, higher than necessary. 26
commenters have expressed concerns
find most useful in ongoing monitoring
The Commission's rules require that
over the extent to which IT processes.
of control effectiveness? Would
management's assessment be "as of' the
should be included in the scope of their
guidance be useful about how
company's fiscal year end, but the rules
assessment. 29 As the staff's May 16,
management's daily interaction with
do not preclude management from
2005 staff guidance indicates, Section
controls can be used to support its
obtaining evidence to support its
404 is not a one-size-fits-all approach to
assessment?
assessment through cumulative
assessing controls, and for that reason,
21. What considerations are
knowledge it acquires throughout the
while we believe that controls not
appropriate to ensure that the guidance
year and in prior years. In fact,
related to internal control over financial
is responsive to the special
management's daily interactions with its
reporting should not be included in the
characteristics of entity-level controls
internal controls may provide it with an
assessment, providing a list of the exact
and management at smaller public
enhanced ability to make informed
general IT controls that should be
companies? What type of guidance
judgments regarding the areas that
included in an assessment may not be
would be useful to small public
present the greatest risk to the reliability
practical. Given that fact, we would like
companies with regard to those areas?
of the financial statements, as well as
to explore whether there are specific
22. In situations where management
how to evaluate the relevant controls.
areas related to IT where additional
determines that separate evaluation-type
We have heard anecdotal evidence that,
guidance could be provided.
testing is necessary, what type of
in some cases, management may have
Based on the cumulative feedback
additional guidance to assist
unnecessarily tested controls using
received, we believe that guidance on
management in varying the nature and
separatelevaluation-type testing in
management's evaluation process and
extent of the evaluation procedures
connection with its annual assessment,
revisions to AS No. 2 may help reduce
supporting its assessment would be
rather than relying on its ongoing
or eliminate the excessive testing of
helpful? Would guidance be useful on
monitoring activities, which may
internal controls by improving the focus
how risk, materiality, attributes of the
include, for example, cumulative
on risk and better use of entity-level
controls themselves, and other factors
knowledge and experiences from its
controls. We anticipate that the
play a role in the judgments about when
daily interactions with controls.
guidance would cover topics such as the
to use separate evaluations versus
In addition to testing, another key part
overall objective of evaluation
relying on ongoing monitoring
of management's assessment process is
procedures; methods or approaches
activities?
the evaluation of control deficiencies it
available to management to gather
evidence to support its assessment (i.e.
23. Would guidance be useful on the
discovers in the process of its
on-going monitoring, benchmarking,
timing of management testing of
evaluation. Paramount to evaluating the
significance of an individual control
controls and the need to update
and updating prior evaluations); and
evidence and conclusions from prior
deficiency, or combination of control
factors that management should
deficiencies, is to have a comprehensive
consider in determining the nature,
testing to the assessment "as of" date?
understanding of the nature of the
timing and extent of its evaluation
24. What type of guidance would be
deficiency, its cause, the relevant
procedures. This guidance would
appropriate regarding the evaluation of
identified internal control deficiencies?
financial statement assertion the control
address whether and how entity-level
was designed to support, its effect on
controls may adequately address risk at
Are there particular issues in evaluating
the broader control environment, and
the financial statement and disclosure
deficient controls that have only an
whether effective compensating controls
level and considerations as to the extent
indirect relationship to a specific
financial statement account or
exist. 27 Management must exercise
information technology general controls
disclosure? If so, what are some of the
judgment in a reasonable manner in the
are included in the scope of
evaluation of deficiencies in internal
management's assessment. Further, we
key considerations currently being used
control, considering both quantitative
anticipate the guidance would cover
when evaluating the control deficiency?
and qualitative factors. 28
considerations of management in
25. Would guidance be helpful
As noted above, the Advisory
determining the severity of an identified
regarding the definitions of the terms
Committee observed that the distinct
control deficiency.
"material weakness" and "significant
characteristics of smaller public
19. What type of guidance would help
deficiency"? If so, please explain any
issues that should be addressed in the
companies affect the assessment of
explain how entity-level controls can
financial reporting risks and the
reduce or eliminate the need for testing
guidance.
controls implemented to address them.
at the individual account or transaction
26. Would guidance be useful on
These characteristics may also affect
level? If applicable, please provide
factors that management should
how those companies evaluate their
specific examples of types of entity-
consider in determining whether
internal control.
level controls that have been useful in
management could conclude that no
Another area where the Commission
reducing testing elsewhere.
material weakness in internal control
continues to hear that companies are
20. Would guidance on how
over financial reporting exists despite
having difficulty in completing their
management's assessment can be based
the discovery of a need to correct a
assessment of internal control over
on evidence other than that derived
financial statement error as part of the
from separate evaluation-type testing of
financial statement close process? If so,
26 See transcript of Roundtable on Internal
please explain.
Control Reporting and Auditing Provisions, May 10,
29 See transcript of Roundtable on Internal
27. Would guidance be useful in
2006, Panels 1 and 2; letter from Pfizer Inc. (May
Control Reporting and Auditing Provisions, May 10,
addressing the circumstances under
1, 2006); letter from Sotheby's Holdings, Inc. (May
2006, Panels 2 and 3; letter from IIA (May 1, 2006);
which a restatement of previously
1, 2006); and letter from U.S. Chamber of Commerce
letter from CSC (April 28, 2006); letter from Allen
(May 3, 2006).
(April 28, 2006); letter from WPS Resources Corp.
reported financial information would
27, See May 2005 Staff Guidance at B.
(May 5, 2006); and letter from R.G. Scott &
not lead to the conclusion that a
28 Id.
Associates, LLC (April 8; 2006).
material weakness exists in the
40872
Federal Register / Vol. 71, No. 137/Tuesday, July 18, Proposed Rules
company's internal control over
the effectiveness of the company's
notwithstanding substantially similar
financial reporting?
internal control over financial reporting
statutory language to that found in
28. How have companies been able to
may review evidential matter
section 404.
use technology to gain efficiency in
supporting management's assessment. 32
In its report, the Advisory Committee
evaluating the effectiveness of internal
Feedback that the Commission
suggested that smaller public companies
controls (e.g., by automating the
received in connection with its 2005,
have unique characteristics and needs
effectiveness testing of automated
Roundtable and other feedback on the
for flexibility that make the
controls or through benchmarking
first year of compliance indicates that,
documentation elements of section 404
strategies)?
in implementing the requirements of
particularly burdensome for those
29. Is guidance needed to help
section 404 for the first time, many
companies. In its opinion, the section
companies determine which IT general
companies approached risk and control
404 internal control reporting
controls should be tested? How are
identification more formally than they
requirements as currently applied in
companies determining which IT
may have historically and,
practice might impose a lack of
general controls could impact IT
consequently, companies may have
flexibility on smaller public companies
application controls directly related to
incurred significant documentation
that would put them at a competitive
the preparation of financial statements?
costs. 33 This documentation consisted
disadvantage. We have also heard that
30. Has management generally been
of, among other things, detailed process
excessive documentation demands
utilizing proprietary IT frameworks as a
maps describing controls over initiating,
might impose extra or particularly
guide in conducting the IT portion of
recording, processing and reconciling
burdensome costs on smaller public
their assessments? If so, which
account balances, classes of
companies.
frameworks? Which components of
transactions, and disclosures included
The Commission anticipates that
those frameworks have been particularly
in the financial statements. Many
management would benefit from
useful? Which components of those
companies also have indicated that in
additional guidance on the appropriate
frameworks go beyond the objectives of
their initial implementation of section
and required levels of documentation to
reliable financial reporting?
404, too many controls were identified;
support their assertion on the
V. Documentation to Support the
which resulted in excessive
effectiveness of internal control over
Assessment
documentation. 34 Frequently, this
financial reporting. Topics addressed
excessive documentation was blamed, at
Developing and maintaining an
might include clarifying the overall
least in part, on the auditors and their
appropriate amount of evidential matter
objectives of the documentation,
application of AS No. 2. Further, we
is an inherent element of effective
including factors that might influence
have anecdotally heard that this
internal control. 30 This evidential
documentation requirements and other
documentation, in many cases,
matter should provide reasonable
common documentation concerns (e.g.
substantially exceeded that normally
support for the assessment of whether
updating of previously created
produced by financial institutions under
documentation or how to address
controls are designed to prevent or
the Federal Deposit Insurance
detect material misstatements OF
controls for which operation does not
Corporation Improvement Act of 1991, 35
result in documented evidence). We
omissions; for the conclusion that tests
to assess the effectiveness of internal
also anticipate that guidance might be
32 AS No. 2 sets forth the criteria auditors should
control were appropriately planned and
helpful in addressing the flexibility and
use when evaluating whether management's
performed; and for the conclusion that
documentation provides reasonable support for its
cost containment needs of smaller
the results of such tests were
assessment of internal control over financial
public companies in particular.
reporting. See 19 42-46 of PCAOB Auditing
31. Were the levels of documentation
appropriately considered in
Standard No. 2, An Audit of Internal Control over
performed by management in the initial
management's conclusion about
Financial Reporting Performed in Conjunction with
effectiveness. 31 Further, public
an Audit of Financial Statements.
years of completing the assessment
33 See transcript of Roundtable on
beyond what was needed to identify
accounting firms that attest to, and
Implementation of Internal Control Reporting
controls for testing? If so, why (e.g.,
report on, management's assessment of
Provisions, April 13, 2005; letter from Mortgage
business reasons, auditor required, or
Bankers Association (February 25, 2005); letter from
30 Section 13(b)(2)(A) of the Exchange Act
Paula Jourde (March 4, 2005); letter from White
unsure about "key" controls)? Would
requires companies to "make and keep books,
Mountains Insurance Group (March 29, 2005); and
specific guidance help companies avoid
records, and accounts, which in reasonable detail,
letter from Intel Corporation (March 31, 2005).
this issue in the future? If so, what
accurately and fairly reflect the transactions and
34 See transcript of Roundtable on Internal
factors should be considered?
dispositions'of the assets of the issuer." We have
Control Reporting and Auditing Provisions, May 10,
32. What guidance is needed about
previously stated, as a matter of policy, that under
2006, Panels and 2; letter from IIA (May 1, 2006);
the form, nature, and extent of
section 13(b)(2) "every public company needs to
letter from America's Community Bankers (May 1,
establish and maintain records of sufficient
2006); letter from Stephan Stephanov (March 27,
documentation that management must
accuracy to meet adequately four interrelated
2006); and letter from Institute of Chartered
maintain as evidence for its assessment
objectives: appropriate reflection of corporate
Accountants in England and Wales (March 28,
of risks to financial reporting and
transactions and the disposition of assets; effective
2006).
control identification? Are there certain
administration of other facets of the issuer's internal
35.12 U.S.C. 1831m. Section 112 of the Federal
control system; preparation of its financial
Deposit Insurance Corporation Improvement Act of
factors to consider in making judgments
statements in accordance with generally accepted
1991 added section 36, "Independent Annual
about the nature and extent of
accounting principles; and proper auditing."
Audits of Insured Depository Institutions," to the
documentation (e.g., entity factors,
Statement of Policy Regarding the Foreign Corrupt
Federal Deposit Insurance Act. Section 36 required
Practices Act of 1977, Release No. 34-17500
process, or account complexity factors)?
the Federal Deposit Insurance Corporation, in
(January 29, 1981) [46 FR 11544].
consultation with appropriate federal banking
If so, what are they?
Instruction 1 to Item 308 of Regulations S-K
agencies, to promulgate regulations requiring each
33. What guidance is needed about
and S-B, Instruction 1 to Item 15 of Form 20-F and
insured depository institution with at least $150
the extent of documentation that
Instruction 1 to paragraphs (b), (c), (d), and (e) of
million in total assets, as of the beginning of its
management must maintain about its
General Instruction B:6 to Form 40-F provide that
fiscal year, to have an annual independent audit of
"the Registrant must maintain evidential matter,
its financial statements performed in accordance
evaluation procedures that support its
including documentation, to provide reasonable
with generally accepted auditing standards, and to
support for management's assessment of the
provide a management report and an independent
structure and procedures for financial reporting and
effectiveness of the registrant's internal control over
public accountant's attestation concerning both the
its compliance with designated safety and
financial reporting."
effectiveness of the institution's internal control
soundness laws.
Federal Register / Vol. 71, No. 137 / Tuesday, July 18, 2006 / Proposed Rules
40873
annual assessment of internal control
VI. Solicitation of Additional
descriptions of, or actual process plans,
over financial reporting?
Comments
that they have utilized or created for
34. Is guidance needed about
portions or all of management's
In addition to the areas for comment
documentation for information
assessment. Please be as specific as
identified above, we are interested in
technology controls? If so, is guidance
possible in your discussion and analysis
any other issues that.commenters may
needed for both documentation of the
of any additional issues. Where
wish to address relating to companies
controls and documentation of the
possible, please provide empirical data
compliance with the SEC's rules related
testing for the assessment?
or observations to support or illustrate
to management's assessment of internal
your comments.
35. How might guidance be helpful in
control over financial reporting. For
addressing the flexibility and cost
example, we are interested in whether
By the Commission.
containment needs of smaller public
commenters believe that there are
Dated: July 11, 2006.
companies? What guidance is
additional topics not addressed in this
Jill M. Peterson,
appropriate for smaller public
Concept Release for which guidance
Assistant Secretary.
companies with regard to
would be useful. We also invite
[FR Doc. E6-11226 Filed 7-17-06; 8:45 am],
documentation?
commenters to provide to us
BILLING CODE 8010-01-P
Page 1 of 3
Corbett, Bryan N.
From: Shimkus, Matthew [[email protected]]
Sent:
Wednesday, August 09, 2006 10:31 AM
To:
undisclosed-recipients
Subject: SEC Offers Further Relief from Section 404 Compliance for Smaller Public Companies and Many
Foreign Private Issuers
SEC OFFERS FURTHER RELIEF FROM SECTION 404 COMPLIANCE FOR
SMALLER PUBLIC COMPANIES AND MANY FOREIGN PRIVATE ISSUERS
FOR IMMEDIATE RELEASE
2006-136
Washington D.C., Aug. 9, 2006 - The Securities and Exchange Commission today issued two
releases to grant smaller public companies and many foreign private issuers further relief from
compliance with Section 404 of the Sarbanes-Oxley Act of 2002. The relief is in furtherance of the
"next steps for Sarbanes-Oxley implementation" (SEC Press Release 2006-75) announced on May
17, 2006, and includes some new initiatives not previously announced.
Today's releases follow the July 11, 2006, publication of a Concept Release soliciting public
comment on guidance for management the SEC plans to issue to assist companies in assessing
their internal controls over financial reporting.
"The actions taken in these releases continue the Commission's efforts to be sensitive and
responsive to the particular needs of smaller public companies and foreign private issuers, and to
minimize the burdens that Section 404 may impose on them," said SEC Chairman Christopher Cox.
"By offering further relief for smaller companies and most foreign issuers, today's actions will allow
time for the Commission and the PCAOB to redesign Section 404 implementation in a way that is
efficient and cost effective for investors."
A summary of the subjects of the two releases appears below:
1. Relief from Section 404 Compliance Dates for Smaller Companies (Non-Accelerated
Filers). The Commission is proposing to grant relief to smaller public companies by
extending the date by which non-accelerated filers must start providing a report by
management assessing the effectiveness of the company's internal control over financial
reporting. The initial compliance date for these companies would be moved from fiscal years
ending on or after July 15, 2007, until fiscal years ending on or after Dec. 15, 2007. The
Commission also proposes to extend the date by which non-accelerated filers must begin to
comply with the Section 404(b) requirement to provide an auditor's attestation report on
internal control over financial reporting in their annual reports. This deadline would be moved
to the first annual report for a fiscal year ending on or after Dec. 15, 2008. This proposed
extension would result in all non-accelerated filers being required to complete only the
management's portion of the internal control requirements in their first year of compliance
with the requirements. This proposal is intended to provide cost savings and efficiency
opportunities to smaller public companies and to assist them as they prepare to comply fully
with Section 404's reporting requirements. This proposed extension will provide these issuers
and their auditors an additional year to consider, and adapt to, the changes in Auditing
Standard No. 2 that the Commission and the Public Company Accounting Oversight Board
intend to make, as well as the guidance for management the SEC intends to issue, to
improve the efficiency of the Section 404(b) auditor attestation report process.
8/9/2006
Page 2 of 3
Approximately 44% of the domestic companies and 38% of the foreign private issuers that
file periodic reports with the Commission are non-accelerated filers.
The Commission seeks public comment on all aspects of this proposal. Comments should be
submitted within 30 days of the proposal's publication in the Federal Register.
2. Relief from Section 404(b) Compliance Date for Certain Foreign Private Issuers. The
Commission is granting relief from Section 404(b) compliance for foreign private issuers that
are accelerated filers (but not large accelerated filers), and that file their annual reports on
Form 20-F or 40-F. These companies will have their compliance deadline extended for an
additional year, so that they will not begin complying with the Section 404(b) requirement to
provide an auditor's attestation report on internal control over financial reporting in their
annual reports until fiscal years ending on or after July 15, 2007. This group of issuers will be
required to comply only with the Section 404 requirement to include management's report in
the Form 20-F or 40-F annual report filed for their first fiscal year ending on or after July 15,
2006. They will not need to comply with the requirement to provide the registered public
accounting firm's attestation report until they file a Form 20-F or 40-F annual report for a
fiscal year ending on or after July 15, 2007.
The Commission's data indicate that about 23% of the approximately 1,200 foreign private
issuers that are subject to the Exchange Act reporting requirements are accelerated filers
that will receive the one-year extension of the compliance dates for the Section 404(b)
auditor attestation requirement. Because approximately 38% of foreign private issuers are
non-accelerated filers that will benefit from the steps outlined in Item 1 above, over 60% of
the community of foreign private issuers will receive a measure of relief as a result of the
actions we're announcing today. The Commission's actions today do not change the date by
which a foreign private issuer that is a large accelerated filer must comply with both the
Section 404(a) and (b) requirements. These filers are required to include both a report by
management and an attestation report by the issuer's registered accounting firm on internal
control over financial reporting in their Form 20-F or 40-F filed for a fiscal year ending on or
after July 15, 2006.
This extension is a final Commission action and will be effective shortly, on the date that the
Commission release granting the extension is published in the Federal Register.
3. Proposed Transition Relief for Newly Public Companies. In the same release in which it
proposes an extension of the Section 404 compliance dates for non-accelerated filers, the
Commission also proposes a transition period for newly public companies. This transition
relief would apply to any company that has become public through an IPO or a registered
exchange offer, or that otherwise becomes subject to the Exchange Act reporting
requirements. It would include a foreign private issuer that is listing on a U.S. exchange for
the first time. To provide meaningful relief to companies that are new to the U.S. markets
and our reporting requirements, the Commission is proposing to amend its rules so that a
company would not be required to provide either a management assessment or an auditor
attestation report until it has previously filed one annual report with the Commission. This
relief is being proposed in recognition of the fact that preparation of a newly public
company's first annual report can be a time and resource intensive process that may quickly
follow an IPO or initial listing. By not requiring the Section 404 reports until a newly public
company files its second annual report with the SEC, the Commission hopes to increase the
efficiency and effectiveness with which those companies ultimately meet their Section 404
compliance obligations.
The Commission seeks public input on this proposal from foreign and domestic companies,
their financial and other advisors, investors and other interested members of the public. As
with the proposed extension for smaller public companies, comments on this proposal
8/9/2006
Page 3 of 3
should be submitted within 30 days of publication in the Federal Register.
"We have heard that the Section 404 reporting requirements impose a special burden on foreign
private issuers, smaller companies and newly public companies. These companies play an
important role in our capital markets, and these releases illustrate the Commission's commitment
to improving the efficiency and effectiveness of Section 404 implementation for them," said John
W. White, Director of the Division of Corporation Finance. "We believe our proposed transition relief
for newly public companies should enhance the attractiveness and cost-effectiveness of
participating in our markets both for companies contemplating IPO's and for foreign companies
considering listing in the U.S. for the first time, without sacrificing important investor protections,
and we look forward to receiving comment from a diversity of interested parties on that proposal."
The Commission will continue to work on its own, and with the Public Company Accounting
Oversight Board, to take several additional steps previously outlined on May 17, 2006, in SEC Press
Release 2006-75 to improve the implementation of Section 404 so that it will work efficiently and
effectively for companies and auditors of all sizes.
Additional materials: Release No. 33-8730; Release No. 33-8731
SEC Spotlight On:
Internal Control Reporting Provisions
http://www.sec.gov/spotlight/soxcomp.htm
8/9/2006
Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 1 of 4
EXPIRATION ONE COMMISSION
Home Previous Page
U.S. Securities and Exchange Commission
MCMXXXIV
SEC Announces Next Steps for Sarbanes-Oxley
Implementation
FOR IMMEDIATE RELEASE
2006-75
Washington, D.C., May 17, 2006 - The Securities and Exchange
Commission today announced a series of actions it intends to take to
improve the implementation of the Section 404 internal control
requirements of the Sarbanes-Oxley Act of 2002.
The actions the Commission intends to take include issuing SEC guidance
for companies and working with the Public Company Accounting Oversight
Board (PCAOB) on revisions of its internal control auditing standard. These
actions are based on extensive analysis and commentary in recent months
from investors, companies, auditors, and others. The expected actions will
also include SEC inspections of PCAOB efforts to improve Section 404
oversight and a brief further postponement of the Section 404 requirements
for the smallest company filers, although ultimately all public companies
will be required to comply with the internal control reporting requirements
of Section 404.
"The steps we are announcing today are designed to further improve the
reliability of financial statements and to better protect investors while
making the Section 404 process more efficient and cost effective," said SEC
Chairman Christopher Cox. "As we go forward, we will consider the special
concerns of all companies that fall under our jurisdiction -- large and small,
foreign and domestic. By providing practical guidance to companies, by
working with the Public Company Accounting Oversight Board on their
forthcoming revised standard for auditors, and by examining how the
PCAOB inspection process is succeeding in increasing the efficiency and
cost-effectiveness of the audit process, we will take a giant step toward
'getting it right' when it comes to Section 404 compliance."
In recent months, the Commission has obtained comment from a variety of
sources concerning the operation and effects of Section 404, including:
The May 10, 2006, SEC Roundtable on Second-Year Experiences with
Internal Control Reporting and Auditing Provisions;
Written comments received in connection with the Roundtable;
The April 23, 2006, Report of the SEC Advisory Committee on Smaller
Public Companies;
The April 2006 Report from the U.S. Government Accountability Office
entitled Sarbanes-Oxley Act, Consideration of Key Principles Needed
http://www.sec.gov/news/press/2006/2006-75.htm
8/9/2006
Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 2 of 4
in Addressing Implementation for Smaller Public Companies; and
Feedback from issuers, auditors, investors, and others since the
Sarbanes-Oxley internal control reporting requirements went into
effect.
"The actions the Commission is announcing today represent key steps
toward addressing issues raised by participants involved in the critical
process of reporting to investors on the effectiveness of companies' internal
control over financial reporting," said John White, Director of the
Commission's Division of Corporation Finance. "We will be working on our
own, and with the PCAOB, to improve the implementation of Section 404 so
that it will work efficiently and effectively for companies and auditors of all
sizes and types while still maintaining the important investor protections it
provides."
The actions the Commission expects to take include:
Guidance for Companies. The Commission has received many
requests for additional guidance for management on how to complete
its assessment of internal control over financial reporting, as required
by Section 404(a) of the Sarbanes-Oxley Act. To prepare for the
issuance of management guidance, the Commission intends to take
the following steps:
Concept Release and Opportunity for Public Comment.
The Commission expects to issue a Concept Release covering a
variety of issues that might be the subject of Commission
guidance for management. With the Concept Release, the
Commission will solicit views on the management assessment
process to ensure that the guidance the Commission ultimately
proposes addresses the needs and concerns of all public
companies. We will also seek input on the appropriate role of
outside auditors in connection with the management
assessment required by Section 404(a) of Sarbanes-Oxley, and
on the manner in which outside auditors provide the attestation
required by Section 404(b), to assist in our consideration of
possible alternatives to the current approach.
Consideration of Additional Guidance from coso. The
Commission has long been supportive of the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)
as it works to provide guidance on COSO's 1992 Internal
Control - Integrated Framework to address the needs of smaller
companies. The Commission anticipates that this forthcoming
guidance will help organizations of all sizes to better understand
and apply the control framework as it relates to internal control
over financial reporting. As the SEC develops guidance for
management on how to assess its internal control over financial
reporting, we will consider the extent to which the additional
guidance that COSO provides is useful to smaller public
companies in completing their Section 404(a) assessments.
Issuance of Guidance. Commentary submitted to the
Commission has suggested that management assessments
http://www.sec.gov/news/press/2006/2006-75.htm
8/9/2006
Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 3 of 4
under Section 404 have not fully reflected the top-down, risk-
based approach the Commission intended. Building from the
information gathered in response to the Concept Release, and
from the anticipated COSO guidance, the Commission currently
anticipates that it will issue guidance to management to assist
in its performance of a top-down, risk-based assessment of
internal control over financial reporting. To ensure that this
guidance is of help to non-accelerated filers and smaller public
companies, the Commission intends that this future guidance
will be scalable and responsive to their individual
circumstances. The guidance will also be sensitive to the fact
that many companies have already invested substantial
resources to establish and document programs and procedures
to perform their assessments over the last few years. The form
of the guidance has yet to be determined.
Revisions to Auditing Standard No. 2. The PCAOB announced
today that it intends to propose revisions to its Auditing Standard No.
2, An Audit of Internal Control Over Financial Reporting Performed in
Conjunction with an Audit of Financial Statements. Any final. revision
of AS No. 2 would be subject to SEC approval. The proposed revisions
would:
Seek to ensure that auditors focus during integrated audits on
areas that pose higher risk of fraud or material error;
Incorporate key concepts contained in the guidance issued by
the PCAOB on May 16, 2005; and
Revisit and clarify what, if any, role the auditor should play in
evaluating the company's process of assessing internal control
effectiveness.
The Commission will work closely with the PCAOB to ensure that the
proposed revisions to AS No. 2 are in the public interest and
consistent with the protection of investors.
SEC Oversight of PCAOB Inspection Program. The PCAOB
announced on May 1, 2006, that it would focus its 2006 inspections
on whether auditors have achieved cost-saving efficiencies in the
audits they have performed under AS No. 2, and on whether auditors
have followed the guidance that the PCAOB issued in May and
November 2005 urging them to do so. As part of the Commission's
oversight of the PCAOB, the Commission staff inspects aspects of the
PCAOB's operations, including its inspection program. Among other
things, upon completion of the PCAOB's 2006 inspections, the staff
will examine whether the PCAOB inspections of audit firms have been
effective in encouraging implementation of the principles outlined in
the PCAOB's May 1, 2006, statement.
Extension of Compliance for Non-Accelerated Filers. In order to
permit non-accelerated filers and their auditors to have the benefit of
the management guidance that the SEC intends to issue, and to have
the opportunity to evaluate and implement the revisions that the
PCAOB plans to make to AS No. 2, the Commission expects to issue a
http://www.sec.gov/news/press/2006/2006-75.html
8/9/2006
Press Release: SEC Announces Next Steps for Sarbanes-Oxley Implementation; 2006-75; Page 4 of 4
short postponement of the effective date of the Commission's rules
implementing Section 404 for non-accelerated filers. It is anticipated
that any such postponement would nonetheless require all filers to
comply with the management assessment required by Section 404(a)
of Sarbanes-Oxley for fiscal years beginning on or after Dec. 16,
2006.
The Commission is also taking this opportunity to express again its
appreciation to its Advisory Committee on Smaller Public Companies for
their significant efforts and valuable contributions to the Commission's
work, both with regard to Section 404 and other issues affecting smaller
companies.
# # #
http://www.sec.gov/news/press/2006/2006-75.htm
Home I Previous Page
Modified: 05/26/2006
http://www.sec.gov/news/press/2006/2006-75.htm
8/9/2006
PCAOB Standards and Related Rules - Auditing Standard No. 2
Page 1 of 1
PCAOB
Public Company Accounting Oversight Board
Standards and Related Rules
Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements
This standard was approved by the Securities and Exchange Commission on June 17, 2004, and is effective for audits of
internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act of 2002.
Auditing Standard No. 2
Policy Statement Regarding Implementation of Auditing Standard No. 2 (5/16/2005)
Report on the Initial Implementation of Auditing Standard No. 2 (11/30/2005)
Staff, Questions and Answers on Auditing Standard No. 2:
Questions 1 - 26 (June 23, 2004, Revised July 27, 2004)
Questions 27 - 29 (October 6, 2004)
Questions 30 - 36 (November 22, 2004)
Question 37 (January 21, 2005
Questions 38 - 55 (May 16, 2005)
Conforming Amendments to PCAOB Interim Standards Resulting from the Adoption of PCAOB Auditing Standard No. 2
The conforming amendments were approved by the Securities and Exchange Commission on November 17, 2004. For
integrated audits of financial statements and internal control over financial reporting, the conforming amendments become
effective at the same time that PCAOB Auditing Standard No. 2 becomes effective. For issuers that are not considered to
be accelerated filers under Securities Exchange Act Rule 12b-2 and for issuers that are not required to comply with section
404 of the Sarbanes-Oxley Act of 2002, the conforming amendments become effective for audits of financial statements
for periods ending on or after July 15, 2005. The part of the conforming amendments that supersedes AT sec. 501,
"Reporting on an Entity's Internal Control Over Financial Reporting," was effective immediately upon approval. Section D,
"Effective Date," and section E, "Effect of Auditing Standard No: 2 on Audits of Financial Statements Only," of the Board's
Release that accompanies the conforming amendments provide more detailed information regarding effective dates and
the effect of Auditing Standard No. 2 on audits of financial statements only.
Rulemaking Docket: Link to information related to the rulemaking process of this standard, including proposing and
adopting releases, public comments, and board statements.
PCAOB and SEC Roundtable on Internal Control Reporting Requirements (5/10/2006)
Statement Regarding the PCAOB's Approach to Inspections of Internal Control Audits in the 2006 Inspection Cycle
(5/1/2006)
Briefing Paper: Standing Advisory Group Meeting - Implementation of Section 404 and Auditing Standard No. 2 (6/8-
9/2005)
Briefing Paper: Standing Advisory Group Meeting - Challenges of Section 404 (11/17-18/2004)
Board Release: Auditing Standard No. 2 (3/9/2004)
Roundtable: Reporting on Internal Control (7/29/2003)
Briefing Paper: Roundtable on Reporting on Internal Control (7/10/2003)
Auditing Standard No. 4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist
Overview of Auditing Standard No. 4
Related Securities and Exchange Commission Documents
http://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No...
8/16/2006
Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Ov... Page 1 of 3
EXCHANGE ONE COMMISSION
Home I Previous Page
U.S. Securities and Exchange Commission
MCMXXXIV
SECURITIES AND EXCHANGE COMMISSION
(Release No. 34-49884; File No. PCAOB 2004-03)
June 17, 2004
Public Company Accounting Oversight Board; Order Approving
Proposed Auditing Standard No. 2, An Audit of Internal Control Over
Financial Reporting Performed in Conjunction with an Audit of
Financial Statements ("Auditing Standard No. 2")
I. Introduction
On March 17, 2004, the Public Company Accounting Oversight Board (the
"Board" or the "PCAOB") filed with the Securities and Exchange Commission
(the "Commission") proposed Auditing Standard No. 2, An Audit of Internal
Control Over Financial Reporting Performed in Conjunction with an Audit of
Financial Statements ("Auditing Standard No. 2"), pursuant to Section 107
of the Sarbanes-Oxley Act of 2002 (the "Act") and Section 19(b) of the
Securities Exchange Act of 1934 (the "Exchange Act"). Auditing Standard
No. 2 would provide the professional standards and related performance
guidance for independent auditors to attest to, and report on,
management's assessment of the effectiveness of internal control over
financial reporting under Section 404 of the Act. Notice of the proposed
standard was published in the Federal Register on April 16, 2004, 1 and the
Commission received 31 comment letters. For the reasons discussed below,
the Commission is granting approval of the proposed standard.
II. Description
The Act establishes the PCAOB to oversee the audits of public companies
and related matters, to protect investors, and to further the public interest
in preparation of informative, accurate and independent audit reports. 2
Section 103(a) of the Act directs the PCAOB to establish auditing and
related attestation standards, quality control standards, and ethics
standards to be used by registered public accounting firms in the
preparation and issuance of audit reports as required by the Act or the rules
of the Commission. The Board has defined the term "auditing and related
processional practice standards" to mean the standards established or
adopted by the Board under Section 103(a) of the Act.
Section 404 of the Act requires that registered public accounting firms
attest to and report on an assessment of internal control made by
management, and that such attestation "shall be made in accordance with
standards for attestation engagements issued or adopted by the Board."
The Board's proposed Auditing Standard No. 2 provides the professional
standards and related performance guidance for independent auditors to
//www.sec.gov/rules/pcaob/34-49884.html
8/16/2006
Order Approving Proposed Auditing Standard No. 2, An Audit of Internal Control Ov... Page 2 of 3
attest to, and report on, management's assessment of the effectiveness of
internal control over financial reporting under Section 404 of the Act. A
significant aspect of this proposed standard is the requirement of the
independent auditor to attest on two items. The auditor has to evaluate
management's assessment process to be satisfied that management has an
appropriate basis for its conclusion. Additionally, the auditor must test and
evaluate both the design and the operating effectiveness of internal control
to be satisfied that management's conclusion is correct and, therefore,
fairly stated. The auditor's report on internal control over financial reporting
will express two opinions - an opinion on whether management's
assessment of the effectiveness of internal control over financial reporting
as of the end of the most recent fiscal year is fairly stated, and an opinion
on whether the company has maintained effective internal control over
financial reporting as of that date.
III. Discussion
The Commission received 31 comment letters in response to its request for
comments on Auditing Standard No. 2. The comment letters came from
issuers, registered public accounting firms, professional associations and
others. In general, issuers expressed opposition to the proposed standard,
and accounting firms, professional associations, and others expressed
support for the proposed standard. Most commenters, irrespective of
affiliation or position on the proposed standard, recommended that the
Commission and the PCAOB provide additional guidance with respect to a
number of different issues. Several commenters recommended that the
Commission limit the scope of management's assessment of the
effectiveness of internal control over financial reporting by excluding
entities that are consolidated but over which the issuer lacks control.
Issuers and many of the professional associations also expressed concern
with the cost of compliance in terms of management time, consultant fees
and audit fees. One commenter requested that the PCAOB closely monitor
the impact of the proposed standard on small and medium-sized
companies. Other requests included clarifying that an adverse internal
control report would not of itself result in regulatory action; delaying the
effective date of the proposed standard; providing a one-year deferral to
issuers that meet the definition of an accelerated filer for the first time in
2004; and deferring the accelerated filing date for Forms 10-K filed for
year-end 2004. The PCAOB gave careful consideration to the issues raised
by these commenters in the course of revising the proposed standard prior
to its adoption by the Board. The resulting standard is a reasonable
exercise of the Board's standards-setting authority under the Act.
IV. Conclusion
On the basis of the foregoing, the Commission finds that proposed Auditing
Standard No. 2 is consistent with the requirements of the Act and the
securities laws and is necessary and appropriate in the public interest and
for the protection of investors.
IT IS THEREFORE ORDERED, pursuant to Section 107 of the Act and
Section 19(b)(2) of the Exchange Act, that proposed Auditing Standard No.
2, An Audit of Internal Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial Statements (File No. PCAOB-2004-
http://www.sec.gov/rules/pcaob/34-49884.htm
8/16/2006
Order Approving Proposed Auditing Standard No. 2, <i> An Audit of Internal Control Ov... Page 3 of 3
03) be and hereby is approved.
By the Commission.
Margaret H. McFarland
Deputy Secretary
1 Release No. 34-49544 (April 8, 2004); 69 FR 20672 (April 16, 2004).
2 Section 101(a) of the Act.
http://www.sec.gov/rules/pcaob/34-49884.htm
Home I Previous Page
Modified: 06/18/2004
http://www.sec.gov/rules/pcaob/34-49884.htm
8/16/2006
1666 K Street, NW
PCAOB
Washington, D.C. 20006
Telephone: (202) 207-9100
Facsimile: (202)862-8430
Public Company Accounting Oversight Board
www.pcaobus.org
POLICY STATEMENT REGARDING
PCAOB Release No. 2005-009
IMPLEMENTATION OF AUDITING STANDARD
May 16, 2005
NO. 2, AN AUDIT OF INTERNAL CONTROL
OVER FINANCIAL REPORTING PERFORMED IN
CONJUNCTION WITH AN AUDIT OF FINANCIAL
STATEMENTS
Summary
This Policy Statement discusses some of the issues raised during the first year of
auditors' implementation of the PCAOB's Auditing Standard No. 2, An Audit of Internal
Control Over Financial Reporting Performed in Conjunction with an Audit of Financial
Statements ("Auditing Standard No. 2"), which implements Sections 103 and 404 of the
Sarbanes-Oxley Act of 2002 (the "Act") by establishing a process for auditing public
companies' internal control over financial reporting in conjunction with an audit of
financial statements. Many of these issues were raised, among other occasions, at the
Securities and Exchange Commission's ("SEC" or "Commission") Roundtable on
Implementation of Internal Control Reporting Provisions, on April 13, 2005. While
Roundtable participants generally supported the objectives of Section 404, many
expressed concerns about compliance costs and offered constructive comments about
how the implementation process can be improved.
This Policy Statement considers several of the auditing practices observed in the
first year of implementation that may be ineffective or inefficient means of meeting the
objectives of Auditing Standard No. 2. It also describes how the PCAOB intends to
supervise implementation of the standard, from providing additional guidance to make
audits of internal control more effective and cost-efficient to driving improvements in
implementation through our inspections of registered public accounting firms.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 2
Public Company Accounting Oversight Board
POLICY STATEMENT
Specifically, this Policy Statement expresses the Board's view that, to properly
plan and perform an effective audit under Auditing Standard No. 2, auditors should -
integrate their audits of internal control with their audits of the client's
financial statements, so that evidence gathered and tests conducted in
the context of either audit contribute to completion of both audits;
exercise judgment to tailor their audit plans to the risks facing
individual audit clients, instead of using standardized "checklists" that
may not reflect an allocation of audit work weighted toward high-risk areas
(and weighted against unnecessary audit focus in low-risk areas);
use a top-down approach that begins with company-level controls, to
identify for further testing only those accounts and processes that are, in
fact, relevant to internal control over financial reporting, and use the risk
assessment required by the standard to eliminate from further
consideration those accounts that have only a remote likelihood of
containing a material misstatement;
take advantage of the significant flexibility that the standard allows to use
the work of others; and
engage in direct and timely communication with audit clients when
those clients seek auditors' views on accounting or internal control issues
before those clients make their own decisions on such issues, implement
internal control processes under consideration, or finalize financial reports.
Background
The Sarbanes-Oxley Act has had a profound effect on the integrity of financial
reporting in U.S. capital markets. The Act has strengthened and reformed almost every
aspect of the financial reporting process, from the composition and role of the auditi
committee to preparers' certifications of accuracy, covering the integrity of gatekeepers
such as analysts, lawyers and auditors in between. Although some of these changes
have been in place for some time, the participants in the financial reporting process are
now implementing one of the most challenging - but also one of the most promising -
provisions of the Act.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 3
Public Company Accounting Oversight Board
POLICY STATEMENT
Section 404 of the Act aims to strengthen the internal controls that underpin the
accuracy and reliability of a company's published financial information. That section,
along with the SEC's implementing rule, requires a public company to annually report its
assessment of the effectiveness of its internal control over financial reporting. The
section also requires such a company to provide its auditor's attestation to, and report
on, the company's assessment. Auditing Standard No. 2 governs the auditor's
responsibilities under Section 404.
In the simplest terms, investors can have much more confidence in the reliability
of a corporate financial statement if corporate management demonstrates that it
maintains adequate internal control over the preparation of accurate financial
statements. Companies have been required to have internal control over their
accounting since, the Congress enacted the Foreign Corrupt Practices Act in 1977.
There is no doubt, however, that the Act's requirement for annual assessments, and
auditor attestations to those assessments, has led to a renewed emphasis on internal
control over financial reporting and significant improvements in companies' controls.
Many of the larger public companies have recently filed their first assessments of
the effectiveness of their internal controls, as well as the related reports from their
auditors. There is evidence that the benefits of the internal control requirements are
already being realized, 1/ and investors have expressed strong support for the goals of
Section 404, including the increased transparency that the provision provides. 2/ Section
1/
Seventy-nine percent of the 222 financial executives surveyed by
Oversight Systems, Inc. reported that their companies have stronger internal controls
after complying with Section 404. Seventy-four percent said that their companies
benefited from compliance with Sarbanes-Oxley, and, of those, 33 percent said that
compliance lessened the risk of financial fraud. See Oversight Systems, Inc., The 2004
Oversight Systems Financial Executive Report on Sarbanes-Oxley (December 2004).
2/
See, e.g., Remarks of Mark Anson, Chief Investment Officer, California
Public Employees' Retirement System, Transcript of SEC Roundtable on
Implementation of Internal Control Reporting Provisions (Apr. 13, 2005) ("Roundtable
Tr."); Remarks of Ann Yerger, Executive Director, Council of Institutional Investors,
Roundtable Tr.; Remarks of Damon Silvers, Associate General Counsel, American
Federation of Labor and Congress of Industrial Organizations, Roundtable Tr.; Letter
from Laurie Fiori Hacking, Executive Director, Ohio Public Employees Retirement
System, to William H. Donaldson, Chairman, SEC (Mar. 1, 2005); see also Remarks of
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 4
Public Company Accounting Oversight Board
POLICY STATEMENT
404 has, however, proven to be an enormous challenge for those involved in its
implementation. Companies have found the requirements costly and demanding, and
many have questioned whether the benefits are worth the cost.
We take these concerns seriously and are committed to learning from the first
year's experience implementing Section 404. As part of this effort, on April 13, 2005,
we participated in the Commission's Roundtable. The Roundtable was an opportunity
for us and the Commission to hear directly from issuers, auditors, and investors on the
front line of the Section 404 implementation process. Many participants at the
Roundtable expressed their support for Section 404's purpose. One of the most
valuable aspects of the Roundtable, however, has been the constructive criticism
provided by many of those currently involved in the implementation process.
The cost of Section 404 compliance was the primary concern raised at the
Roundtable. Among other reasons, commenters suggested that costs were too high
because companies and their auditors did not sufficiently focus their efforts on higher
risk areas of internal control over financial reporting. In addition, commenters
expressed the view that auditors did not use the work of others sufficiently or fully
integrate the audit of internal control with the audit of the financial statements. Some
Roundtable participants also stated that auditors are often less willing than they were
previously to provide guidance to clients on accounting issues for fear of compromising
independence or triggering a material weakness finding.
At the conclusion of the Roundtable, the Board agreed to take several steps to
promote an internal control audit process that is both effective and cost-efficient.
Today, we take the first two of these steps.⁴ First, we are separately publishing a
Gregory Jonas, Managing Director of Accounting Specialists Group, Moody's Investors
Service, Roundtable Tr.
3/
One survey found that for 217 public companies with average revenues of
$5 billion, first year Section 404 compliance cost, on average, $4.36 million and
consumed an average of nearly 27,000 hours. See Financial Executives International,
FEI Special Survey on SOX Section 404 Implementation (March 2005).
4/
The Board also intends to devote the agenda of the upcoming meeting of
its Standing Advisory Group, scheduled for June 8 and 9, 2005, to a discussion about
implementation of Auditing Standard No. 2.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 5
Public Company Accounting Oversight Board
POLICY STATEMENT
series of additional staff questions and answers related to Auditing Standard No. 2. 5/
These questions and answers further explain and clarify provisions in Auditing Standard
No. 2. In particular, these questions and answers seek to correct the misimpression
that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner
that constrains professional judgment and prevents the conduct of an audit in a manner
that is both effective and cost-efficient. Second, we are also issuing today this Policy
Statement, which amplifies some of the themes in those questions and answers and
articulates our policy with respect to administering Auditing Standard No. 2.
Failure to apply the concepts discussed in this Policy Statement may reflect poor
audit planning and result in unnecessary cost. Indeed, although we have not performed
a detailed analysis, it is sufficiently clear to us that the costs to date associated with the
implementation of Section 404 have been too high. For the Section 404 process to be
sustainable, these costs must be reduced in future years. Some of this excess expense
is attributable to first-year, start-up costs that should not recur in future years;
nevertheless, we are concerned that auditors may not sufficiently be using several
features of our standard, described below, that are designed to reduce costs without
sacrificing quality.
The Integrated Audit Concept
As auditing has evolved over the last century from a process of detailed
examination of individual transactions and account balances into a process of testing
samples, internal control over financial reporting has emerged as the foundation not
only of the financial reporting process but also of the financial statement audit. Since
1941, the SEC's regulations have required auditors to consider a company's internal
controls in planning an audit.⁶/ In addition, if controls had been adequately designed
and were operating effectively, then longstanding auditing standards permitted the
5/
The Staff Questions and Answers are available on the Board's Web site,
at
6/
Amendment of Rules 2-02 and 3-07 of Regulation S-X, Accounting Series
Release No. 21, 11 Fed. Reg. 10921 (Feb. 5, 1941) (amending Regulation S-X to
provide that "[i]n determining the scope of the audit necessary, appropriate
consideration shall be given to the adequacy of the system of internal check and
control. Due weight may be given to an internal system of audit regularly maintained by
means of auditors employed on the registrant's own staff.").
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 6
Public Company Accounting Oversight Board
POLICY STATEMENT
auditor to rely on less costly and time-consuming procedures. 7/ Conversely, if an
auditor determined that a control was inadequate in its design or operation (or elected
not to test the control), then the auditor could not rely upon that control. In this event,
the auditor would take a considerably more detailed approach by relying almost
exclusively on detailed tests of account balances and transactions.
Sections 103 and 404 of the Act, and Auditing Standard No. 2, changed that
audit model. Today, auditors of companies subject to Section 404 must not only obtain
an understanding of internal control, but they must also examine the design and
operating effectiveness of internal control sufficient to render an opinion as to that
effectiveness, as required by Section 103(a)(2)(A)(iii). To reap the most benefit from
this examination, and to make the overall audit process as efficient as possible, we
designed in Auditing Standard No. 2 an integrated audit model.
An integrated audit combines an audit of internal control over financial reporting
with the auditi of the financial statements, such that the objectives of the two audits are
achieved simultaneously through a single coordinated process. In an integrated audit,
the auditor's examination of internal control is validated by the findings in the audit of the
financial statements. In addition, the auditor's findings and conclusions reached during
the audit of internal control help the auditor better plan and conduct the auditing
procedures designed to determine whether the financial statements are fairly presented.
The two processes are mutually reinforcing. In this way, the integrated audit helps to
improve the quality and integrity of both corporate controls over financial reporting and
independent financial statement audits. We also believe that an integrated audit is
more cost-effective than performing two distinct processes to audit internal control and
the financial statements separately.
As a practical matter, integration of the two audits means that evidence gathered
and tests conducted in the context of either audit contribute to completion of both audits.
7/
See AU Section 319.03, Consideration of Internal Control in a Financial
Statement Audit. Effective April 16, 2003, the PCAOB adopted, on an initial, transitional
basis, temporary rules that refer to pre-existing professional standards of auditing,
attestation, quality control, ethics, and independence (the "interim standards"), including
AU Section 319. These standards are reproduced on our Web site at
http://www.pcaobus.org/Standards/Interim_Standards/index.asp.
8/
See AU Section 319.04, Consideration of Internal Control in a Financial
Statement Audit.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 7
Public Company Accounting Oversight Board
POLICY STATEMENT
This kind of coordination of work requires an auditor to plan and conduct his or her work
with both audits in mind. Failing to integrate these audits not only wastes resources, but
it also jeopardizes the quality of the overall audit and, potentially, misses key insights
that could identify and uproot a budding accounting or reporting problem.
Some auditors have acknowledged that, for a variety of reasons, they did not
achieve fully integrated audits this year. As a result, audit costs may have been
substantially higher than necessary. According to a recent survey commissioned by the
largest U.S. accounting firms, auditors believe that the total costs of compliance with
Section 404 will decline by 46 percent next year. 10/ Among the factors cited to support
this prediction was auditors' expectations that integration will be improved. 11/ We, too,
expect that auditors will better integrate their audits in the coming years. This should
meaningfully affect both audit costs and audit quality.
The Importance of Professional Judgment
Auditing Standard No. 2 is no different from any other auditing standard in that it
does not prescribe detailed audit programs. For as long as the profession has
established auditing standards, auditors have used those standards to tailor their own
audit plans, in a manner that addresses the nature and complexity of the audit client.
Many participants in the Roundtable, as well as others, have noted, however,
that some auditors have in fact failed to use tailored audit plans in their first year of
auditing internal control over financial reporting under Section 404 of the Act and
Auditing Standard No. 2. Those auditors have instead used a one-size-fits-all audit plan
driven by standardized checklists that may have little to do with the unique issues and
risks of the particular client's financial reporting processes. This is a disappointing
development indicative of poor training and audit planning. Not only do audit fees
9/
PCAOB Staff Question and Answer No. 50 issued today provides
additional guidance on integrating the audit of internal control over financial reporting
with the audit of the financial statements.
10/
See Charles River Associates, Sarbanes-Oxley Section 404 Costs and
Remediation of Deficiencies: Estimates from a Sample of Fortune 1000 Companies
(Apr. 2005).
11/
See Letter from Deloitte & Touche, Ernst & Young, KPMG, and
PricewaterhouseCoopers to Jonathan G. Katz, Secretary, SEC (Apr. 11, 2005).
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 8
Public Company Accounting Oversight Board
POLICY STATEMENT
increase when, for example, an audit plan calls for less experienced auditors on the
engagement team to devote endless hours to process-level control testing, but audit
quality also decreases, because such a plan contributes little to the search for material
weaknesses in internal control that could identify a financial reporting problem.
The overall objective of Auditing Standard No. 2 is for the auditor to obtain
evidence that a company's control system reasonably assures that its financial
statements do not contain material misstatements. To accomplish this, the auditor must
not only exercise judgment to determine how to apply the standard to audit clients in
different industries and of different sizes, but also exercise judgment to focus their work
on areas that pose higher risks of misstatement, due either to errors or fraud. Reliance
on standardized checklists that lead to a focus on controls in low-risk areas obviously
fails to meet this objective.
The Top-down Approach and Role of Risk Assessment
Auditing Standard No. 2 was designed to be applied from the top down. That is,
the standard focuses the auditor first on company-level controls and then on significant
accounts, which lead the auditor to significant processes and, finally, individual controls
at the process, transaction, or application levels. Knowledge obtained at each step
guides the auditor toward the higher risk areas within the next succeeding level of
controls. By approaching the task in this way, the auditor is naturally steered toward
higher risk areas and away from those with less potential to have a material impact on
the financials. This approach also provides a road map through the control system to
ensure that the individual controls selected for testing are, in fact, relevant to internal
control over financial reporting.
An auditor who chooses another approach needlessly risks adding to the audit's
cost and reducing its quality. For example, starting at the bottom increases the risk that
the auditor will become bogged down in testing that may ultimately prove pointless, in
light of the primary objective of preventing or detecting material misstatements of the
financial statements, resulting in increased and unnecessary costs.
A risk-based approach to the auditor's testing strategy can further reduce costs
while increasing audit effectiveness. The auditor should consider the overall risk related
to each significant account identified to determine whether he or she should alter the
nature, timing, and extent of testing of the controls over that specific account. By doing
so, the auditor will be able to eliminate from further consideration accounts that have
only a remote likelihood of containing a material misstatement and, in any event, devote
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 9
Public Company Accounting Oversight Board
POLICY STATEMENT
less audit attention to areas of low risk. In addition, the auditor should look to the
individual control being tested and consider the nature, frequency, and importance of
that specific control in order to determine whether the testing strategy should be revised
further.
Finally, the auditor should consider, as part of his or her risk assessment, the
strength of the company-level controls, to determine whether the result of testing these
controls will alter the nature, timing, and extent of testing. Although the auditor may not
rely solely on testing company-level controls, 12/ strong company-level controls should
lead the auditor to do less work than he or she otherwise would have performed or rely
to a greater degree on the work of others.
Using the Work of Others
An auditor who applies Auditing Standard No. 2 from the top down and
appropriately assesses risk should naturally identify areas where use of the work of
others is not only appropriate but is also the most efficient way to perform the audit.
Redoing work in these areas may unnecessarily increase costs without producing a
corresponding increase in audit quality. Spending auditor resources in areas in which
the auditor could rely on the work of others also may cause the auditor to focus too
much on low-risk controls. As discussed earlier, this could be an early warning sign of
poor audit planning.
Auditing Standard No. 2 provides the auditor with considerable flexibility to use
the work of others, consistent with the profession's longstanding auditing standard on
using the work of internal auditors in the financial statement audit. 13/ There is some
12/
See Auditing Standard No. 2, paragraph 54. PCAOB Staff Questions and
Answers Nos. 38-43 issued today provide additional guidance on how to plan and
perform an audit of internal control over financial reporting using both a top-down and a
risk-based approach.
13/
See AU Section 322, The Auditor's Consideration of the Internal Audit
Function in an Audit of Financial Statements. This standard provides that the work of
competent and objective internal auditors may affect the nature, timing and extent of the
audit. Specifically, if internal auditors are competent and objective, then external
auditors may rely on work performed by internal auditors in the ordinary course of their
duties. For example, "for certain assertions related to less material financial statement
amounts where the risk of material misstatement or the degree of subjectivity involved
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 10
Public Company Accounting Oversight Board
POLICY STATEMENT
concern that auditors have been reluctant to use Auditing Standard No. 2's flexibility to
rely on the work of others because the standard also requires the external auditor to
obtain the principal evidence supporting his or her opinion as to whether internal control
is effective overall. These provisions are not in conflict. The principal evidence
provision of Auditing Standard No. 2 requires the auditor to perform sufficient auditing to
reach his or her own, independent opinion as to the effectiveness of a company's
internal control over financial reporting. In broad terms, it prevents auditors from merely
passing on to investors the judgments and opinion of others.
As one of the questions and answers issued today explains, the principal
evidence requirement is "primarily qualitative. 14/ Indeed, under Auditing Standard No. 2
the amount of work necessary to meet the principal evidence test "is not susceptible to
precise measurement."15/
In practical terms, this means two things. First, the auditor should perform more
work directly in high-risk areas and seek to use the work of others in areas of lesser
risk. Second, in evaluating whether the auditor has met the principal evidence test, the
auditor should ascribe more weight to the work he or she performs in high-risk areas. 16/
in the evaluation of the audit evidence is low, the auditor may decide, after considering
the circumstances and the results of work performed by internal auditors that
testing of the assertions directly by the auditor may not be necessary." See id. at
paragraph 22. In addition, this standard also permits auditors to request direct
assistance from the internal auditors, such that internal auditors will work under the
direct supervision of the external auditor. See id. at paragraph 27. PCAOB Staff
Question and Answer No. 54 issued today provides additional guidance on using the
work of others. See also PCAOB Staff Question and Answer No. 36 (Nov. 22, 2004)
(stating that external auditors may "use internal auditors to provide direct assistance in
the audit of internal control over financial reporting").
14/
PCAOB Staff Question and Answer No. 54 (May 16, 2005).
15/
See Auditing Standard No. 2, note to paragraph 108.
16/
In other words, principal evidence is not meant to be assessed by simply
adding up hours or numbers of controls tested in a mechanical fashion; rather, such an
approach would likely detract from the standard's goal of allowing the auditor to use the
work of others in an efficient and appropriate manner.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 11
Public Company Accounting Oversight Board
POLICY STATEMENT
In this manner, following the risk-based principles regarding using the work of others
will, in most circumstances, result in the auditor having obtained the principal evidence
supporting his or her opinion.
The Auditor's Ability to Provide Advice to Audit Clients
Finally, we are concerned about a misconception that, as a result of Auditing
Standard No. 2, companies may no longer look to their auditors for advice on difficult
accounting and internal control issues. This misconception appears to manifest itself in
two particularly problematic ways. First, we have heard at the Roundtable and
elsewhere that auditors have been unwilling to provide accounting advice to their audit
clients; second, auditors have apparently encouraged audit clients to finish their
assessments of internal control and their financial statements before the auditor begins
audit work to attest to the fairness of those assessments and financial statements.
Such practices are neither necessary nor advisable.
Auditing Standard No. 2 provides that an auditor's detection of a material
misstatement in financial statements is a "strong indicator" of a material weakness in
internal control. In addition, longstanding rules on auditor independence prohibit the
auditor from preparing a client's financial statements and from making financial reporting
decisions on behalf of management. 17/ The prospect of PCAOB inspectors examining
for compliance with these independence rules seems to have led some to conclude that
management and the auditor should not consult on accounting and internal control
questions or that the auditor should not review draft financial statements that, because
they are not finished or complete, may contain misstatements or misapplications of
Generally Accepted Accounting Principles ("GAAP"). When auditors are unwilling, or
believe that they are unable, to provide advice on accounting or internal control,
management may be forced to retain other accounting experts, or to make accounting
decisions without the benefit of access to the auditor's technical knowledge.
17/
See Rule 2-01(c)(4)(i) of Regulation S-X, 17 C.F.R. § 210.2-01(c)(4)(i)
(stating that an auditor is not independent of an audit client if it "prepar[es] the audit
client's financial statements"); Rule 2-01(c)(4)(vi) of Regulation S-X, 17 C.F.R. § 210.2-
01(c)(4)(vi) (stating that an auditor is not independent of an audit client if it "perform[s]
any decision-making, supervisory, or ongoing monitoring function for the audit client");
see also Meeting of PCAOB Standing Advisory Group, February 16, 2005, available on
the Board's Web site http://www.pcaobus.org.
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 12
Public Company Accounting Oversight Board
POLICY STATEMENT
Nothing in Auditing Standard No. 2 requires this result. Determining when it is
appropriate for the auditor to provide accounting advice requires professional judgment
and common sense. Auditors may not, of course, make accounting decisions for their
clients, and management may not abandon its responsibility for quality financial
reporting and simply rely on auditors to catch errors. Where management makes its
own informed decisions regarding how applicable accounting principles apply to its
company's circumstances, however, the auditor may discuss freely with management
the meaning and significance of those principles.
To help dispel confusion on this issue, our staff addressed last June the question
of whether audit clients may - or should - share draft financial statements with their
auditors. The answer is decidedly yes. Indeed, information-sharing on a timely basis
between management and the auditor is necessary. When reviewing draft financial
statements, in determining the point at which the auditor must draw the line for
purposes of identifying when a deficiency exists, the auditor should be concerned
primarily about instances in which the company completed its financial statements and
disclosures without recognizing a potential material misstatement. If it is clear that all
applicable controls have not yet operated, then a conclusion as to whether a material
misstatement in draft financial statements demonstrates a control deficiency would be
premature. 18/
Auditors may also provide audit clients technical advice on the proper application
of GAAP, including offering suggestions for management's consideration to improve
disclosure and financial statement quality and giving updates on recent developments
with accounting standards-setters. In addition, management may provide and discuss
with the auditor preliminary drafts of accounting research memos, spreadsheets, and
other working papers in order to obtain the auditor's views on the assumptions and
methods selected by management. Although the auditor may determine that some of
these communications need to be made in writing, timely and open communication will
often be best accomplished orally.
For example, a company that is contemplating a transaction may ask the auditor
for assistance in determining the proper accounting for the transaction. In this situation,
18/
See PCAOB Staff Question and Answer No. 7 (revised July 27, 2004)
(explaining that Auditing Standard No. 2 requires an auditor to judge whether, once all
applicable controls have operated, the company is able to prepare financial statements
that are free of material misstatements).
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 13
Public Company Accounting Oversight Board
POLICY STATEMENT
the auditor may provide substantial help, including explaining how applicable accounting
principles apply to the transaction, offering sample journal entries, and reviewing
management's preliminary conclusions. This is very different from a situation in which
the auditor identifies a potential misapplication of applicable accounting principles in
connection with a transaction that the auditor learns of outside of the consultation
process, such as during a quarterly review, or after management has completed its
financial statements and disclosures, in which case the auditor would have to consider
whether management's failure to recognize the potential misapplication of applicable
accounting principles constitutes a significant deficiency or material weakness.
The Board's Approach to Oversight of Implementation of Auditing Standard No. 2
We take seriously our responsibility to oversee implementation of Auditing
Standard No. 2. This includes issuing additional guidance to explain or interpret the
standard as necessary, as well as supervising auditors' implementation of the standard.
In particular, we intend to use our upcoming inspections to evaluate how firms have
conducted the first round of audits under Auditing Standard No. 2.
Our inspections should drive improvements in the effectiveness and efficiency of
registered firms' audits of internal control in two ways. First, as we have described
above, Auditing Standard No. 2 leaves auditors considerable flexibility to apply the
standard in a manner that is appropriate to each audit. Indeed, the standard requires
auditors to use professional judgment to tailor their audit plans to the specific risks
facing each audit client. In our inspections, we will look for audits that suffer from poor
planning and risk assessment, such as by using standardized checklists without
appropriately tailoring the procedures to the circumstances or focusing the audit on
areas that are unlikely to lead to the discovery of material weaknesses in internal control
at the expense of adequately auditing high-risk areas. When we detect such
shortcomings, we will demand improvements.
Second, we have also described above, as well as in the staff questions and
answers issued today and in the past, several approaches to the audit of internal control
that we believe improve both the effectiveness and the efficiency of these audits. When
we review audits that do not apply the approaches described above, we will expect
auditors to justify their decisions and to be able to explain how the audit plan
nevertheless met the objectives of the standard.
At the Roundtable, a number of the participants focused on the role our
inspections will play in shaping implementation of Auditing Standard No. 2. Some
PCAOB
PCAOB Release 2005-009
May 16, 2005
Page 14
Public Company Accounting Oversight Board
POLICY STATEMENT
suggested that our inspections should require auditors to reduce costs overall. Others
suggested that, if our inspections are narrowly focused on technical compliance, they
could have the perverse effect of promoting a checklist mentality and discouraging the
use of judgment and tailored audit planning.
We intend for our inspections to do neither. By focusing on the conduct of a
high-quality audit as described above, we believe our inspections will promote efficiency
without the need for us to get involved in auditors' billing practices. And, by focusing on
appropriate use of judgment and risk assessment, we are deliberately planning our
inspections in a manner that promotes an audit of internal control that is both thoughtful
and risk-focused. In other words, we do not intend to second-guess good faith audit
judgments. If we believe, however, that an auditor has approached the audit in a way
that is mechanistic and does not reflect the application of professional judgment to the
specific risks associated with the audit client's financial reporting system, we will not
hesitate to demand changes to the auditor's approach to implementing Auditing
Standard No. 2.
Conclusion
The first year's implementation of Section 404 required a tremendous effort on
the part of management and auditors, as well as the commitment of substantial
corporate resources. The lessons learned so far - and to be learned as we complete
our first cycle of inspections of audits under Auditing Standard No. 2 - should provide a
solid basis for substantial improvement in the process, including significant cost
reduction in the future.