On May 16, 2005, the staff of the SEC's Division of Corporation Finance, the Public Company Accounting Oversight Board (PCAOB) and the PCAOB staff each issued additional guidance regarding the implementation of Section 404 of the Sarbanes-Oxley Act.[1] The stated goal of this guidance is to ensure that the benefits of the report and audit on internal control over financial reporting required by Section 404 are achieved in a sensible and cost-effective manner.
The new guidance was issued in response to comments provided to the SEC and PCAOB in the aftermath of the first wave of annual reports required to include management's assessment of internal control over financial reporting and the related audit report by the company's registered public accounting firm.[2] The major themes of the new guidance are:
One Size Does Not Fit All
A top-down, risk-based approach to the Section 404 assessment should be used, rather than a mechanistic, check-the-box approach. It is management's responsibility to determine the form and level of controls appropriate for a company, and the assessment and testing of internal control over financial reporting should be scoped in a manner that is reasonable given the company's own operations, risks and procedures. Auditors should tailor their audit plans to focus on the specific issues and risks of each client's financial reporting process, and audit plans should not be driven by standardized checklists.
Focus Search for Material Weaknesses from the Top-down
Resources should be devoted to those areas of greatest risk and to those areas that are most likely to have a material impact on the company's financial statements. Primary focus should be placed on identifying "material weaknesses"--that is, those deficiencies that have more than a remote likelihood of leading to a material misstatement in the financial statements--rather than on identifying "control deficiencies" and "significant deficiencies." This focus is served through a top-down approach that begins with company-level controls and then drills down--where appropriate based on the risk profile of an area--to significant accounts, then significant processes and finally individual controls. The PCAOB noted in particular that starting at the bottom increases the risk of getting bogged down in testing that will not serve the primary objective of preventing or detecting material misstatements.
It's Good for Management and Auditors to Talk
Investors benefit when auditors and management engage in dialogue, including discussion of new accounting standards and the appropriate accounting treatment for complex or unusual transactions. Engaging in such dialogue is not a prohibited non-audit service and, in and of itself, does not impair auditor independence. As long as management, and not the auditors, makes the final determination as to the accounting used, and the auditors do not design or implement accounting policies, dialogue is appropriate and is not indicative of a deficiency in the company's internal control over financial reporting. Notably, these considerations appear to apply generally to communications with auditors, not just to communications regarding the internal control audit process.
Moreover, management should not be discouraged from providing the auditors with draft financial statements. If the company has not completed its financial statements and disclosures, errors in drafts, in and of themselves, should not be the basis for determining that there is a deficiency in internal control over financial reporting.
Auditors Can Use the Work of Others
Auditors have considerable flexibility to use the work of others, such as competent and objective internal auditors, while at the same time satisfying their obligation to obtain the principal evidence supporting their opinion, because the principal evidence requirement is primarily qualitative and is not assessed by simply adding up hours or the number of controls tested. Auditors can satisfy their obligation to obtain principal evidence by performing work directly in high-risk areas, while using the work of others in areas of lower risk.
Reasonable Assurances Are Not Absolute
Management is required to assess whether the company's internal control over financial reporting is effective in providing reasonable assurance regarding the reliability of financial reporting. "Reasonable assurance"--which means a level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs--is a high level of assurance, but it does not mean absolute assurance. There is a range of judgments that a company might make as to what is reasonable in implementing Section 404, and a range of potential conduct, conclusions and methodologies upon which a company may reasonably base its decisions.
Disclosure about Material Weaknesses Should Be Meaningful
When a material weakness is identified, companies should disclose the nature of the material weakness, its impact on financial reporting and the control environment, and management's current plans for remediation. Companies are encouraged to differentiate the potential impact and importance to the financial statements of the identified weaknesses.
Move up the Learning Curve to Reduce Costs
Companies and auditors are expected to lower the cost of ongoing compliance with Section 404 by applying best practices identified during the first year of implementation. Auditors should improve the planning and conduct of their work in order to better integrate their audits of internal control over financial reporting with the financial statement audit. Companies should reconsider whether some of the controls that they previously identified, documented and tested on an individual basis are actually components or steps of a larger control that should be tested based on the broader control objective. Companies should generally determine the accounts included within their Section 404 assessment by focusing on annual and company-wide measures, rather than interim or segment measures. However, the significance of any identified deficiencies must be evaluated using both quarterly and annual measures and on both a company and segment basis.
Testing Isn't Limited to Year-end
The requirement for management's report and the related audit to speak "as of" year-end does not mean that all testing must be done within the period immediately surrounding the year-end close. In many cases, management may be able to test controls prior to year-end and determine through direct and ongoing monitoring of the operation of the controls that they are continuing to function effectively at year-end, without performing further detailed testing.
Not Every Restatement Triggers a Material Weakness
A material weakness does not necessarily exist every time there is a restatement resulting from an error. Judgment should be used to assess the reasons why the restatement was needed and, based on all the facts and circumstances of the situation, whether the need arose from a material weakness in controls.
Section 404 Does Not Implicate All General Information Technology (IT) Controls
Companies are expected to document and test relevant general IT controls that pertain to financial reporting. However, they are not required by Section 404 to test general IT controls that primarily pertain to the efficiency or effectiveness of the company's operations, but are not relevant to financial reporting.
For more information on this issue, please call your regular WilmerHale contact, or any of the authors listed above.
[1] Staff Statement on Management's Report on Internal Control Over Financial Reporting, Division of Corporation Finance, Office of the Chief Accountant, U.S. Securities and Exchange Commission (May 16, 2005), available at http://www.sec.gov/info/accountants/stafficreporting.htm. Policy Statement Regarding Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2005-009 (May 16, 2005), available at http://www.pcaobus.org/News_and_Events/News/2005/05-16.asp. PCAOB Staff Questions and Answers, Auditing Internal Control Over Financial Reporting (May 16, 2005), available at http://www.pcaobus.org/Standards/Staff_Questions_and_Answers/index.asp.
[2] The SEC hosted a roundtable discussion on the topic on April 13, 2005 (available at http://www.connectlive.com/events/secicrp/) and also solicited written comment