Practical Implications of U.S. Requirements to Report on Internal Control
Andrew D. Bailey, Jr.
Deputy Chief Accountant: Professional Practice
U.S. Securities and Exchange Commission
October 2005

FEE Forum on Risk Management and Internal Control in the European Union
Brussels, Belgium
October 25, 2005

Disclaimer
The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.

SEC SOX Related Initiatives – Early Activities
– PCAOB establishment
– CEO and CFO certifications
– Internal Control Reporting (404)
– Codes of ethics for senior executives
– Financial experts on audit committees
– Retention of audit records
– Stronger auditor independence standards
– Prohibitions on improper influence of auditors
– Standards for listed company audit committees

SEC and PCAOB Initiatives – More Recent
SEC and PCAOB Activity:
– Internal control auditing and reporting (AS 2)
– SEC 404 FAQ and PCAOB AS 2 Q&A including SEC Staff Comments follow-up to May 2005 Roundtable
– Documentation (AS 3)
– Rule 3102 Certain Terms
– Elimination of a Material Weakness (AS 4)
– Independence and Tax (Rules 35XX)
– Stock Comp/Fair Value (PCAOB FAQ in process)

Related PCAOB Initiatives
PCAOB
– Engagement Quality Control Second Partner Review
– Communications with the Audit Committee
– Financial Fraud
– Risk Assessment
– Related Party Transactions

404 and AS 2 – Year 1 and Beyond

The 404/AS 2 Industry
There is no question that the most influential and controversial activity occupying the Professional Practice Group's time has been the implementation of the SEC's 302 and 404 rules and its companion Audit Standard, AS 2.
– April SEC 404 Roundtable
– May SEC 404 Roundtable Follow-up

Management's Assessment of Internal Control Under Section 404
– 404 requires management to assess the effectiveness of its internal controls over financial reporting
– Effective dates (for fiscal years ending on or after):
  – November 15, 2004 for Accelerated filers (45-day temporary postponement for certain filers)
  – July 15, 2006 for Non-Accelerated filers and foreign private issuers (9/21/05 extended to 7/15/07)

Current 404/AS 2 Activities
Current Activities Related to 404
– Evaluating feedback and next steps
– Monitoring reporting results
– Considering issues related to small business

Feedback on Implementation
– Request for Public Comment
  – Over 200 comment letters received
– Commission Roundtable April 13th
  – 54 participants
  – Representing issuers, auditors, investors, audit committees, among others
  – 6 panels focusing on different topics

Roundtable and Comment Letters
What We've Heard: Benefits
– Promotes investor confidence
– Increased management focus on controls – impacting tone at the top
– Improved controls documentation
– Understanding throughout organization of importance of internal controls
– Identification of operating efficiency opportunities

Roundtable and Comment Letters
What We've Heard: Costs
– Significant training efforts
– Deferred maintenance
– Development of controls
– Automation of controls
– Integration of systems
– Documentation of controls
– Auditor costs – greater than expected
– Opportunity costs

Roundtable and Comment Letters
What We've Heard: Scope of Testing
– Call for more risk-based approach
– Need for more use of judgment
  – Assessing materiality and designing scope
  – Identifying "key" controls and significant accounts
– IT general computer controls / new systems
  – Extent of general computer controls testing
  – Testing and remediation of control deficiencies in new systems

Roundtable and Comment Letters
What We've Heard: Using the Work of Management and Others
– Duplicated work efforts
– Call for ability to rely more on work of management and others
– Principal audit evidence

Roundtable and Comment Letters
What We've Heard: Terminology and Definitions
– Difficulty and inconsistencies in applying:
  – Significant Deficiency
  – Material Weakness
  – More than a remote likelihood
  – More than inconsequential

Roundtable and Public Comments
What We've Heard: Communications with Auditors
– Need to restore communication between auditors and issuers
– Additional guidance on potential auditor independence implications

Roundtable and Public Comments
What We've Heard: Other
– Encourage use of judgment through the inspections process
– Request to indefinitely delay the final accelerated filing dates
– Fully integrate financial statement and internal control audits to achieve efficiency
– Desire to share best practices

Actions
– Continuing Commitment to SOX 404
– Want to address unintended consequences while maintaining investor safeguards
– Additional Guidance Posted 5-16-05
  – SEC Commission Press Release and Staff Statement
  – PCAOB Board Statement and Staff Q&A
– June SAG meeting devoted to AS 2

What We've Done: SEC Staff Statement – May 16, 2005
Staff Statement issued
– Reasonable Assurance
– Top-Down Approach / Risk-Based Assessments
– Scope of Assessments
– Timing of Management's Testing
– Evaluating Control Deficiencies
– Disclosures About Material Weaknesses
– Information Technology Issues
– Communications with Auditors

SEC Staff Statement
Reasonable Assurance
– Level of assurance regarding the reliability of financial statements
– Reasonable assurance does not mean absolute assurance but it does mean a high level of assurance

SEC Staff Statement – Top-Down / Risk Based Assessments
– Focus should be on controls and accounts most likely to have a material impact on financial statements
– Judgment should be used in identifying accounts and key controls to test
– Resources should be devoted to areas of greatest risk
– Audits should not be "check the box" exercises

SEC Staff Statement – Scope of Assessments
– Judgment should be used in identifying accounts and key controls to test
– Judgment should be used in determining the extent of testing of key controls
– Should relate to the risk of material misstatement in the annual, not interim financial statements

SEC Staff Statement
Timing of Management's Testing
– Effective testing and assessment may be performed during the year
– Judgment must be used in determining additional testing required closer to year-end
Evaluating Control Deficiencies
– Judgment must be used in determining the severity of control deficiencies

SEC Staff Statement
Disclosures About Material Weaknesses
– The nature of the weakness
– The impact of the weakness on financial reporting
– Plans for remediating the weakness

SEC Staff Statement
Information Technology Issues
– Include relevant IT controls in the assessment (controls related to financial reporting)
– Judgment must be used in identifying IT controls to test
– Include IT upgrades and new systems in assessment

SEC Staff Statement
Communications with Auditors
– The chilling effect was an unintended consequence
– Auditor's discussing and exchanging views with management does not in itself violate independence principles
– Judgment is required in ongoing dialogues with management

PCAOB Policy Statement and Staff Q&A's
May 16, 2005 Guidance
– Audit Integration
– The use of Professional Judgment
– Top-down Approach / Risk-based Assessments
– Using the Work of Others
– Auditor Communications with Clients
Additional Guidance Expected

Reporting Results So Far…
Through early July:
– 3,140 filings
– 419 (13.3%) received audit opinion indicating ineffective ICFR
– Over 50% had revenues less than $500 million
– Conversely, less than 10% had revenues greater than $1 billion

Reporting Results So Far…
Industry                                    Filed reports   With MW (% of 419)
Manufacturing                               32%             30%
Finance, Insurance, Real Estate             29%             18%
Services                                    14%             21%
Transportation, Communication, Utilities    12%             10%
Wholesale and Retail Trade                  8%              14%
Other                                       5%              7%

419 Adverse Opinions
What types of issues did they have?
– Accounting Failures (GAAP) with respect to specific accounts (95%)
– Accounting documentation, policy and procedures (87%)
– Material or numerous auditor/year-end adjustments (46%)
– Accounting personnel resources, training/competency issues (40%)
– Restatement or non-reliance on financial statements (39%)

PCAOB Standard: Elimination of Material Weaknesses
– Voluntary engagement
– Allows auditors to provide reasonable assurance that MW has been remediated
– Significant flexibility in how the auditors perform engagement
– PCAOB comment period ended May 16, 2005
– Board voted approval July 2005
– SEC Comment period (TBD)
– SEC FAQ (TBD)

Small Business Concerns
– Guidance from COSO – application for Small Businesses
  – Expect to issue exposure draft this summer
– Advisory Committee on Smaller Public Companies
  – 404 Subcommittee Recommendations expected to be finalized end of September, to be approved by full committee in October

SEC Advisory Committee on Smaller Public Companies
Established December 2004 to examine the impact of Sarbanes-Oxley Act and other federal securities laws on smaller companies.
Agenda items include:
– Definition of "smaller public company"
– Consideration of Section 404 of SOA
– Corporate governance and disclosure
– Accounting standards
– Capital formation
http://www.sec.gov/info/smallbus/acspc.shtml

COSO Activities
– In January 2005, COSO announced a new project, Implementing the COSO Control Framework in Smaller Businesses
– Anticipate an exposure draft to be issued in the near future

Recent Commission Action
On September 21, 2005, the Commission extended for one additional year the compliance dates for non-accelerated filers ($75 million or less) and for Foreign Private Issuers that would qualify as nonaccelerated filers to the fiscal year ending on or after July 15, 2007.

Question and Answer Session