SEC Staff & PCAOB Issue Guidance on Internal Control

Client Publication
May 18, 2005
SEC Staff & PCAOB Issue Guidance on Internal Control Implementation
The Staff of the SEC Division of Corporation Finance
and the Office of the Chief Accountant have jointly
issued new guidance regarding the implementation
of the internal control reporting provisions under
Section 404 of the Sarbanes-Oxley Act. See “Staff
Statement on Management’s Report on Internal
Control over Financial Reporting” (May 16, 2005),
http://www.sec.gov/info/accountants/stafficreporting.pdf.
The SEC staff guidance complements guidance issued by
the PCAOB in the form of a policy statement and a Q&A,
both of which are available at http://www.pcaobus.org:
• “Policy Statement Regarding Implementation of Auditing Standard No. 2,” PCAOB Release No. 2005-009 (May 16, 2005).
• PCAOB Staff Questions and Answers, Auditing Internal Control Over Financial Reporting (May 16, 2005).
The SEC and PCAOB staff guidance is based on the
feedback they received as part of the SEC’s recent
internal control roundtable discussion [1] and is intended to
provide clarification to make the implementation
process more efficient and effective.
The PCAOB guidance outlines the PCAOB’s view of the
proper planning and performance of an effective internal
control audit under PCAOB Auditing Standard No. 2 and
should be read in conjunction with the SEC’s internal
control guidance.
SEC STAFF GUIDANCE
Purpose of Internal Control Over Financial Reporting: Reliable Financial Statements
The purpose of internal control over financial reporting
(“internal control”) is to foster the preparation of reliable,
materially accurate financial statements. Management
must not allow the assessment process to overshadow the
goal of Section 404. The overall focus of internal control
reporting should be on those items that could result in
material errors in the financial statements.
[1] See our client publication, SEC Roundtable on Internal Control Reporting (April 14, 2005), available at http://www.shearman.com/documents/CM_041405a.pdf.
The “overarching principle” of the SEC staff guidance is
the responsibility of management to determine the form
and level of controls appropriate for its particular
company and to design the scope of their assessment
and testing accordingly. The SEC expressly structured
its internal control reporting rules to permit management
to design the assessment process to fit the specific needs
of each company. The key is that the scope of testing
should be reasonable and the assessment (including
testing) should be supported by a reasonable level of
evidential matter.
Reasonable Assurance Is Not Absolute Assurance
The staff states that, “While ‘reasonable assurance’ is a
high level of assurance, it does not mean absolute
assurance.” The standard relates back to similar language
in the FCPA and means a “level of detail and degree of
assurance as would satisfy prudent officials in the conduct
of their own affairs.” Although “reasonableness” is an
objective standard, the staff believes there is a range of
judgments that a company might make as to what is
“reasonable” in implementing the SEC’s internal control
reporting provisions. The staff expects that it will be rare
when there is only one acceptable means of implementing
Section 404 in any given situation.
Use a Top-Down/Risk-Based Assessment
Apparently, one reason why too many controls and
processes were identified, documented and tested was
that, in many cases, neither a top-down nor a risk-based
approach was used. Rather, assessments became
mechanistic, check-the-box exercises.
As described by the PCAOB in its recently released
Policy Statement, Auditing Standard No. 2 was designed
to be applied from the top down, as follows:
The standard focuses the auditor first on
company-level controls and then on significant
accounts, which lead the auditor to significant
processes and, finally, individual controls at
the process, transaction, or application levels.
Knowledge obtained at each step guides the
auditor toward the higher risk areas within the
next succeeding level of controls. . . ., the
auditor is naturally steered toward higher risk
areas and away from those with less potential
to have a material impact on the financials.
According to the SEC staff, a top-down approach requires
that management first apply its cumulative knowledge,
experience and judgment to identify areas of the financial
statements that present significant risk of a material
misstatement and then identify relevant controls and
design appropriate procedures to document and test them.
The staff advises management to focus its assessment on
the areas of greatest risk to the financial statements and
avoid giving all significant accounts and controls equal
attention without regard to risk.
Narrowing the Scope of an Assessment
Overly conservative interpretations of PCAOB Auditing
Standard No. 2 and hesitation by the independent
auditor to exercise professional judgment in evaluating
management’s assessment appear to have resulted, in
many cases, in too many controls being identified,
documented and tested.
The staff guidance provides that, even if management
establishes quantitative thresholds for identifying
significant accounts to be tested, the use of a
percentage (as a minimum threshold) is only a
reasonable starting point. Management must still
exercise judgment and consider qualitative factors to
evaluate the significance of an account or a process to
determine if amounts above or below that threshold
must be tested.
Rather than identifying, documenting, and testing each
individual step involved in a broader control definition,
the staff urges management to focus on the objective of
a control, and test the effectiveness of the combination
of detailed steps that meet the broader control objective.
Management is not required to test every individual step
comprising a control in order to determine that the
overall control is operating effectively.
Financial Periods Used to Assess Significance of Accounts/Deficiencies
Companies generally should determine the accounts
included within their internal control assessment by
focusing on annual and company measures rather than
interim or segment measures. At the point at which
management identifies a deficiency, however, it must
measure the significance of the deficiency using both
quarterly and annual measures and considering segment
measures where applicable.
Management’s Testing May Be Ongoing
While the internal control reporting provisions require
that management assessment and auditor attestation
reports be “as of” fiscal year-end, the guidance clarifies
that not all testing must be done within the period
immediately surrounding the year-end close. In fact,
the staff believes that effective testing and assessment
may, and in most cases preferably would, be
accomplished over a longer period of time. The staff
acknowledges that management may find it appropriate
to adjust the nature, extent and timing of testing from
year to year.
In light of management’s daily interaction with its
internal control system, which provides it with an
ongoing opportunity to evaluate the operation of its
controls during the year, management may be able to
test a substantial number of controls at a point in time
prior to its fiscal year-end and determine that they also
function effectively as of the fiscal year-end date,
without performing further detailed testing.
Evaluating Internal Control Deficiencies
In considering the significance of internal control
deficiencies, management must exercise reasonable
judgment using both qualitative and quantitative
analyses. Among other things, a qualitative analysis
should factor in (i) the nature of the deficiency, (ii) its
cause, (iii) the relevant financial statement assertion the
control was designed to support, (iv) its effect on the
broader control environment, and (v) whether other
compensating controls are effective.
Restatements Based on Errors Do Not Necessarily Imply Material Weaknesses
The staff believes that internal audit and other company
personnel and external auditors who are “on the ground
closest to the assessment” are in the best position to
evaluate a particular situation. It is thus critically
important that company and auditor personnel have
the requisite skills, training, and judgment to make
reasonable assessments.
The staff clarifies that it is not necessary to conclude
there is a material weakness in internal control over
financial reporting whenever there is a restatement
resulting from an error. Whenever a restatement is
necessary, management and the independent auditor
should assess why it was necessary and whether the
need for the restatement did, in fact, result from a
material weakness in internal controls.
Required Disclosures About Material Weaknesses
When a material weakness has been identified and has
not been remediated prior to the fiscal year-end,
management must conclude that its internal control
over financial reporting is ineffective. In that case,
management should provide the following disclosure:
(i) the nature of the material weakness, (ii) its impact
on financial reporting and the control environment,
and (iii) management’s current plans, if any, for
remediating the weakness. Management should also
consider whether it is necessary to provide additional
disclosure so that the disclosure as a whole is not
materially misleading.
In their disclosure, companies are permitted to
differentiate the potential impact and importance to the
financial statements of identified material weaknesses,
including distinguishing those that may have a
pervasive impact on internal control over financial
reporting from those that do not. Indeed, the staff
strongly encourages companies to provide disclosure
that allows investors to assess the potential impact of
each particular material weakness.
Management/Auditor Communications
Concerned that it could result in the independent auditor
unjustifiably finding control deficiencies, management
has been hesitant about asking auditors accounting,
auditing and financial reporting questions and providing
auditors with early drafts of financial statements.
Independent auditors have also been concerned that
providing management with such advice might
impair their independence.
The SEC staff believes that investors benefit when
management and the auditors engage in dialogue. The
staff’s guidance emphasizes that this sort of dialogue
does not itself violate auditor independence principles;
nor should the giving of advice by the auditors in this
context be considered a prohibited non-audit service.
As long as management – not the auditor – makes
the final determination as to the accounting used,
including determining estimates and assumptions, and the
auditor does not design or implement accounting policies,
auditor involvement is appropriate and does not itself
indicate an internal control deficiency.
In addition, the staff clarifies that management should
not be discouraged from providing its auditors with
draft financial statements (including drafts that may be
incomplete or that may contain errors due to their
preliminary nature); all parties should recognize the
draft nature of the information. Errors in draft
financial statements in and of themselves should not be
the basis for a determination by the company or the
auditor of an internal control deficiency. What is
relevant to whether a deficiency exists is not whether
an error exists in draft financial statements and who
found it, but whether a deficiency exists in the process
of financial statement preparation.
IT Internal Controls
The SEC staff expects management to document and
test relevant general information technology (“IT”)
controls (e.g., controls over program development,
program changes, computer operations, and access to
programs and data) in addition to application-level
controls that are designed to ensure that financial
information generated from a company’s application
system can reasonably be relied upon. However, for
purposes of management’s assessment of internal
control, the staff states that it would not expect
management to assess general IT controls that do not
pertain to financial reporting.
IT System Implementations/Upgrades
The SEC staff has declined to provide an exclusion
(analogous to that provided in connection with business
acquisitions) for new IT systems implemented in the later
part of a fiscal year from the scope of management’s
assessment of internal control. The staff believes that
management is able to plan, design, and perform
preliminary assessments of internal controls in advance of
system implementations or upgrades, and reminds
companies that not all testing must occur at year-end.
Foreign Private Issuers
The SEC staff is continuing to assess the effects of the
internal control reporting requirements on foreign
private issuers, but to date has not afforded any
accommodation beyond extending the date at which
they are required to comply.
PCAOB GUIDANCE
PCAOB Policy Statement
The PCAOB’s Policy Statement contains a number of
recommendations. Specifically, the PCAOB advises
auditors to:
• integrate their audits of internal control with their financial statement audits so that evidence gathered and tests conducted in the context of either audit contribute to both;
• exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized checklists that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas);
• use a top-down approach that begins with company-level controls to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting;
• use risk assessments to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
• take advantage of the significant flexibility that Auditing Standard No. 2 allows to use the work of others; and
• engage in direct and timely communication with audit clients when they seek the auditor’s views on accounting or internal control issues before they make their own decisions or finalize financial reports.
Management/Auditor Roles
Indeed, with respect to management and auditor
communication, the PCAOB takes a stance similar to
the SEC staff and urges auditors to use professional
judgment and common sense in determining when it is
appropriate to provide accounting advice to audit
clients. Along these lines:
• Management must make its own decisions regarding the application of accounting principles, but may provide and discuss with the auditor preliminary drafts of accounting research memos, spreadsheets, and other working papers in order to obtain the auditor’s views on the assumptions and methods selected by management.
• Auditors may discuss freely with management the meaning and significance of those accounting principles and provide technical advice on the proper application of GAAP, including offering suggestions for management’s consideration to improve disclosure and financial statement quality, but they may not make accounting decisions for their clients.
Sharing of Draft Financial Statements
The PCAOB encourages companies to share draft financial
statements with their auditors. It is only at the point at
which the company has completed its financial statements
and disclosures (without recognizing a potential material
misstatement) and it is clear that all applicable controls
have operated that a conclusion as to whether a material
misstatement in draft financial statements demonstrates a
control deficiency would be warranted.
PCAOB Inspections
In its Policy Statement, the PCAOB noted that it intends
to use its upcoming inspections to evaluate how audit
firms have conducted the first round of audits under
Auditing Standard No. 2. In its inspections, the PCAOB
will look for audits that suffer from poor planning and
risk assessment, such as by using standardized
checklists not appropriately tailored to the risks facing
the company. When the PCAOB finds audits that do
not apply the approaches it advocates (integrated audit,
exercise of professional judgment, a top-down
approach, appropriate risk-assessment, use of the work
of others), it will expect auditors to justify their
decisions and to be able to explain how the audit plan
nevertheless met the objectives of the standard.
The PCAOB intends for its inspections to promote
efficiency without the need for it to get involved in
auditors’ billing practices. The PCAOB states that it
does not intend to “second-guess” good faith audit
judgments. However, if it finds that an auditor has
approached an internal control audit in a mechanistic
fashion that does not reflect the application of
professional judgment on the part of the auditor to the
specific risks associated with the client’s financial
reporting system, it “will not hesitate to demand
changes to the auditor’s approach to implementing
Auditing Standard No. 2.”
PCAOB Staff Q&A
The PCAOB also published a set of staff questions and
answers (“Q&A”) with respect to PCAOB Auditing
Standard No. 2. The purpose of the Q&A is to seek to
correct the misimpression that certain provisions of
Auditing Standard No. 2 need to be applied in a rigid
manner that constrains professional judgment and
prevents the conduct of an audit in a manner that is both
effective and cost-efficient.
The PCAOB Q&A covers the following topics:
Q38 What constitutes a “top-down approach” to an internal control audit and the benefits of such an approach.
Q39 The application of a “risk-based approach” to an internal control audit.
Q40 The impact of an auditor’s assessment of the risk of financial statement misstatements on its internal control audit.
Q41 The role of qualitative factors and risk assessment in the identification of “significant accounts.”
Q42 Whether an auditor must test all controls that management tested because management described them as “key” or “significant.”
Q43 How an auditor’s assessment of risk affects its decisions about the nature, timing and extent of testing of controls.
Q44 The meaning of the phrase “each year’s audit must stand on its own.”
Q45 The utility of a benchmarking strategy for testing automated application controls and the manner in which such a strategy could be executed.
Q46 The meaning of the phrase “alternating tests of control” in the context of an internal control audit.
Q47 The impact that management’s role and its control improvements should have on an auditor’s evaluation of management’s assessment of internal control.
Q48 How auditors may use management “self-assessment” procedures.
Q49 Whether an auditor should evaluate management’s testing on a control-by-control level to determine if it is as extensive as the auditor’s.
Q50 The time period over which an auditor should structure its testing of controls.
Q51 How an auditor should determine what roll-forward procedures are required to update testing procedures performed as of an interim date.
Q52 How an auditor should evaluate a company’s internal control when the company has implemented a significant change to IT that affects the company’s preparation of its financial statements.
Q53 Whether the absence of documentation evidencing performance of a control leads to the presumption that the control is ineffective.
Q54 How an auditor’s risk assessment with respect to controls and the decision to use the work of others impacts such auditor’s determination of whether it has obtained the principal evidence supporting its opinion.
Q55 The types of control tests an auditor must perform on a quarterly basis.
This memorandum is intended only as a general discussion of these issues. It should not be regarded as legal advice.
www.shearman.com
©2005 SHEARMAN & STERLING LLP
599 Lexington Avenue, New York, NY 10022
As used herein, “Shearman & Sterling” refers to Shearman & Sterling LLP, a
limited liability partnership organized under the laws of the State of Delaware.