The Securities and Exchange Commission (SEC or Commission) and the Public Company Accounting Oversight Board (PCAOB) have recently taken several long-awaited steps toward providing public companies with relief from the burdens of compliance with Section 404 of the Sarbanes-Oxley Act. Section 404 mandates annual assessments of a company's internal control over financial reporting (ICFR) by the company's management and external auditor. At an open meeting on December 13, the SEC proposed interpretive guidance and rule amendments designed to help management conduct its annual ICFR evaluation in a more risk-focused and cost-effective manner. On December 15, the SEC approved previously proposed extensions to Section 404 compliance deadlines for non-accelerated filers and newly public companies. On December 19, the PCAOB proposed a replacement to the much-criticized Auditing Standard 2 (AS-2), which currently governs the way external auditors evaluate ICFR, and related rules designed to make the Section 404 audit process more efficient and cost effective.
Proposed SEC Guidance for Management
In proposing the new guidance, the SEC acknowledged the need to provide more concrete direction to management on how to conduct its assessment of ICFR. The interpretive guidance reflects a "principles-based" approach that allows companies to tailor their ICFR assessments to their individual circumstances. Key features of the guidance include the following:
Assessment Process. The guidance is "risk based" and focuses management's efforts on (1) evaluating the design of controls to determine whether there is a reasonable possibility that a material misstatement in financial reports will not be prevented or detected in a timely manner, and (2) gathering and analyzing evidence about the operation of those controls based on its assessment of the risks associated with them. Among other things, the guidance clarifies that management is not required to evaluate all the controls in each ICFR process. The guidance provides a framework for management to make judgments as to whether there are any material weaknesses in ICFR, including specifying "strong indicators" that a material weakness exists.
Documentation. The guidance explains the nature and extent of documentation management must maintain to support its assessment. It allows for significant flexibility in the type of documentation and evidentiary support that management needs to gather for its assessment, based upon the company's individual facts and circumstances and the risk level associated with a particular process. The guidance recognizes that, in some cases, management may rely on its daily interactions with its controls as the basis for the assessment and, therefore, management may only need to document how its interaction provided it with sufficient evidence.
Scalability. The guidance does not provide a special set of rules for smaller companies, but addresses small company concerns throughout and is intended to be highly "scalable" to these companies. For instance, it gives the management of small companies flexibility to use its daily interaction with internal controls as a component of its assessment, and, accordingly, to limit the need to perform extensive testing.
In conjunction with the proposed interpretive guidance to management, the SEC proposed a related amendment to its ICFR rules to establish that a company that conducts its management evaluation per the interpretative guidance will have satisfied its management assessment obligations under such rules. Companies may choose whether to conduct their evaluations per the new guidelines and take advantage of this safe harbor, or use another evaluation method. The Commission emphasized that accelerated filers, who have already been subject to SOX 404 for a couple of years, may continue to use their existing evaluation methods as long as they are effective.
Elimination of Auditor Attestation Requirement
During the December 13 meeting, SEC Commissioners and staff frequently described the interpretive guidance as satisfying a need to provide management with an alternative to the PCAOB's Auditing Standard 2, which had by default become the standard for many management assessments of ICFR—even though AS-2 was intended to be used by external auditors. The SEC took another step to differentiate between management's assessment and the external auditor's assessment by proposing to amend Regulation S-X to eliminate the requirement that external auditors evaluate management's assessment of ICFR. Under the proposed amended rule, outside auditors would still need to conduct their own evaluation of ICFR as part of the audit, but would no longer need to opine on management's assessment itself, thus eliminating a confusing and often duplicative step in the annual ICFR assessment process.
Final Rules on Extension of Compliance Dates for Non-accelerated Filers and Newly Public Companies
Just two days after the December 13 meeting, the SEC issued additional good news for small and newly public companies. It approved final rules, previously proposed in August, that further extend the deadline for Section 404 compliance by these companies. Previously, non-accelerated filers were to be required to comply with both the management's assessment and auditor attestation requirements starting with fiscal years ending after July 15, 2007. Under the newly adopted final rules, non-accelerated filers must comply with the management's assessment requirement of Section 404 starting with their first fiscal year ending on or after December 15, 2007. However, they will not have to provide an auditor attestation for another year—i.e., until fiscal years ending on or after December 15, 2008.
Newly public companies and foreign private issuers listing on a US exchange for the first time will not have to comply with Section 404 until they file their second annual report after becoming a reporting company under the Securities and Exchange Act.
The final rules may present some complications for certain companies, including those who are or may be transitioning between non-accelerated and accelerated filer status during the extension period, but in general they provide welcome relief for many smaller and newly public companies who will continue to be exempt from 404 compliance while the SEC and PCAOB consider changes to their 404 rules. The final rule release is available here. A summary chart included in the SEC press release that announced the adoption of the final rules is reproduced below:
| Accelerated Filer Status | Revised Compliance Dates and Final Rules Regarding the Internal Control Over Financial Reporting Requirements | |
Management's Report | Auditor's Attestation | ||
US Issuer | Large Accelerated Filer OR Accelerated Filer ($75MM or more) | Already complying (annual reports for fiscal years ending on or after November 15, 2004) | Already complying (annual reports for fiscal years ending on or after November 15, 2004) |
Non-accelerated Filer (less than $75MM) | Annual reports for fiscal years ending on or after December 15, 2007 | Annual reports for fiscal years ending on or after December 15, 2008 | |
Foreign Issuer | Large Accelerated Filer ($700MM or more) | Annual reports for fiscal years ending on or after July 15, 2006 | Annual reports for fiscal years ending on or after July 15, 2006 |
Accelerated Filer ($75MM or more and less than $700MM) | Annual reports for fiscal years ending on or after July 15, 2006 | Annual reports for fiscal years ending on or after July 15, 2007 | |
Non-accelerated Filer (less than $75MM) | Annual reports for fiscal years ending on or after December 15, 2007 | Annual reports for fiscal years ending on or after December 15, 2008 | |
US or Foreign Issuer | Newly Public Company | Second annual report | Second annual report |
A Replacement for Auditing Standard 2
At its meeting on December 19, the PCAOB described Auditing Standard 5 (AS-5), the proposed replacement for AS-2, in terms that parallel the SEC's description of its interpretive guidance to management. According to the PCAOB, the new standard—entitled "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements"—is designed to focus auditors on evaluating the most important internal controls that may identify the problems that are most likely to result in a material misstatement of a company's financial statements, and to eliminate certain audit requirements that result in unnecessary work and cost. Key features of the proposed revised standard include the following:
Changes to Key Definitions. The proposed standard attempts to promote focus on material issues by changing several important definitions. It proposes to change the definition of "material weakness" from a significant deficiency or a combination of significant deficiencies that results in "more than a remote likelihood" of a material misstatement of a company's financial statements to a significant deficiency or combination of deficiencies that results in a "reasonable possibility" of that outcome. It also proposes to change the definition of "significant deficiency" from a deficiency that is "more than inconsequential" to one that is less than material, but significant enough that a person in an oversight position should be made aware of the deficiency. The standard also proposes revisions to the description of "strong indicators" of a material weakness.
Elimination of Auditor Attestation. Consistent with the rule amendments proposed by the SEC, proposed AS-5 eliminates the requirement that auditors attest to management's assessment of ICFR.
Efficiency Focus. Proposed AS-5 permits auditors to consider knowledge obtained during previous audits and explicitly addresses appropriate use of evaluation of company-level controls as a substitute for costly testing of process- or transaction-level controls.
Scalability. Like the SEC's interpretive guidance, proposed AS-5 encourages auditors to make ICFR audits scalable to small companies, and focuses on qualitative indicia of "small" companies, such as the number of business lines or employees, rather than market capitalization or other quantitative factors.
A Simpler and More Accessible Standard. Proposed AS-5 is significantly shorter and is intended to be simpler and more readable than AS-2; it is written in "plain English" to make it more accessible to non-accountants.
Using the Work of Others
Also at its December 19 meeting, the PCAOB proposed a related standard regarding use of the work of others that would operate in tandem with AS-5. The proposed standard, which would supersede the current guidance on this topic in AS-2 and in other auditing standards, encourages auditors to use the work of others in appropriate circumstances and provides guidance as to when such reliance is appropriate, based upon the subject matter being tested and the objectivity and competence of the parties who conducted the work. The new standard also permits the use of the work of others for both the internal control audit and financial statement audit, thus promoting the integration of the two.
Next Steps for Proposals
Both the SEC's proposed guidance and related rule changes and the PCAOB's proposed auditing standards will be subject to public comment. Comments must be received by the SEC or PCAOB, as applicable, on or before February 26, 2007. Following the end of the comment period, the PCAOB will decide whether to adopt a final standard, which must then be submitted to the SEC for approval. In light of these time periods, neither proposal will apply to 404 evaluations already underway for 2006.
For more information on this or other corporate matters, please contact:
Curtis Mo
Erika Robinson
+1 202 663 6402
[email protected]
Patrick Rondeau
Knute Salhus
+1 212 230 8805
[email protected]
Thomas White
+1 202 663 6556
[email protected]
Jonathan Wolfman
+1 617 526 6833
[email protected]
