
Overview of the December 2006 SEC Guidelines for Evaluating Internal Controls over Financial Reporting

By Massood Oroomchi and Alec Moore
Founding Partners of the FinEx Group


SEC’S PROPOSED GUIDELINES ON MANAGEMENT EVALUATION OF INTERNAL CONTROLS OVER FINANCIAL REPORTING

January 16, 2007


Table of Contents

A. Executive Summary
  I. Introduction to SEC Guidelines
  II. Overview
  III. SEC Addresses Industry Concerns
  IV. COSO Internal Control Framework
  V. Entity Level Controls
  VI. Material Weaknesses
  VII. Role of the Board and the Audit Committee
B. ICFR Evaluation Methodology
  I. Evaluation Objective
  II. Step 1: Identification, Documentation and Assessment of the Risks to Reliable Financial Reporting
  III. Step 2: Identification, Documentation and Design Assessment of Key Controls which are in place and address Financial Reporting Risks
  IV. Step 3: Evaluation of the Evidence of the Operating Effectiveness of Key Controls
  Identification and Reporting of Material Weaknesses
Appendix A: Specific Guidelines
Appendix B: Definitions

A. EXECUTIVE SUMMARY

I. INTRODUCTION TO SEC GUIDELINES

In December 2006, the SEC issued proposed interpretive guidance (“SEC Guidelines”) for management’s evaluation of ICFR, with public comments due by February 27, 2007. Prior to the issuance of these guidelines, the only guidance available for ICFR evaluation was PCAOB Auditing Standard No. 2, which was written as an auditing standard for external auditors rather than as guidance for management.

Companies may choose to rely on the interpretive guidance, as an alternative to what is provided in existing auditing standards or elsewhere, for two key reasons. First, the Commission is proposing a rule that would give managers who follow the interpretive guidance comfort that they have conducted a sufficient ICFR evaluation. Second, the proposed elimination of the auditor’s opinion on management’s assessment of ICFR in the auditor’s attestation report should significantly lessen, if not eliminate, the pressures that companies have felt to look to auditing standards for guidance in performing those evaluations.

No announcements have been made by the Canadian regulators with respect to their intention to adopt such guidelines in Canada for Bill 198 compliance requirements. However, the Canadian Securities Administrators will most likely either adopt or propose similar guidelines in Canada. These guidelines would help Canadian companies in the design and evaluation of ICFR as required by the regulators.

The SEC Guidelines state that they are intended to:

  • Make the evaluation process more effective and cost efficient
  • Assist management to scale and tailor their evaluation procedures to fit their facts and circumstances
  • Make it clear that management’s evaluation of ICFR is to be conducted without the need to consult any auditing standards
  • Help public companies of all sizes, with smaller companies expected to benefit particularly from the scalability and flexibility of the guidance

II. OVERVIEW

The objective of the evaluation of ICFR is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year. To meet this objective, management must:

  • Identify the risks to reliable financial reporting
  • Evaluate whether the design of the controls which address those risks is such that there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner
  • Evaluate evidence about the operation of the controls included in the evaluation based on its assessment of risk

The recent SEC Guidelines are non-prescriptive, principle/judgement-based, focused on risk and materiality, and set forth an approach by which management can conduct a top-down, risk-based evaluation of ICFR. By looking to risk, management can effectively identify and focus on those areas of greatest vulnerability in the financial reporting framework, without expending unnecessary resources and time on areas that are unlikely to impact the quality or accuracy of the company's financial reports in a material way.

The guidelines are organized around two important principles:

  • Management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner.
  • Management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those controls.

The guidance describes a top-down, risk-based approach to the first principle, including the role of entity level controls in assessing financial reporting risks and the adequacy of controls. The proposed guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement in its financial statements. There is no requirement in the guidance to identify every control in a process or to document every business process impacting ICFR. Rather, under the approach described in the guidance, management focuses its evaluation process and the documentation supporting the assessment on those controls that it believes adequately address the risk of a material misstatement in the financial statements. For example, if management determines that the risks for a particular financial reporting element are adequately addressed by an entity level control, no further evaluation of other related controls is required.

The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The proposed guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the greatest risks to reliable financial reporting (i.e., whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments in low-risk areas coupled with more extensive testing in high-risk areas.

III. SEC ADDRESSES INDUSTRY CONCERNS

The proposed guidance describes a risk-based approach and addresses many of the concerns that have been raised to the Commission including: excessive testing of controls generally; excessive documentation of processes, controls, and testing; and the ability to scale the evaluation to smaller companies. The guidance addresses four specific areas including:

  1. Identification of risks to reliable financial reporting and the related controls that management has implemented to address those risks. The proposed guidance describes a risk-based approach that would require the use of judgment to determine those areas that are both material and which pose a risk to reliable financial reporting. Management then would identify the controls that address those risks, including the risk of material misstatement due to fraud. The guidance would not require that every control in a process be identified. Once those controls are identified that adequately address the risk of material misstatement in the financial statements, it would be unnecessary to include additional controls within management's evaluation.
     
  2. Evaluation of the operating effectiveness of controls. Once management has determined the controls within the scope of its evaluation, management would then gather and analyze evidence about the operation of those controls. The proposed guidance provides for a risk-based approach that would require the use of judgment to direct management's evaluation efforts towards those areas that pose greatest risk to reliable financial reporting based on the company's unique facts and circumstances. The proposed guidance would allow management to support its evaluation in a variety of ways and illustrates how management can consider and utilize its existing daily interaction with its business, self-assessment, and other ongoing monitoring activities to support its evaluation. Thus, while low risk financial reporting elements may require only "ongoing monitoring" and/or “self-assessments” for management to be able to obtain evidence of the effective operation of controls, higher risk elements generally would require some degree of direct testing covering a reasonable period of time.
     
  3. Reporting the overall results of management's evaluation. Once management has completed its evaluation, management must decide if any identified control deficiencies are material weaknesses. The proposed guidance provides management with a framework, outside of the auditing literature, for making these judgments and includes situations that are considered strong indicators that a material weakness exists. The guidance describes the factors that management should consider to evaluate the severity of a deficiency. If the deficiency is a material weakness, consistent with the Commission's existing rules, management must conclude that internal control over financial reporting is not effective and management has reporting responsibilities surrounding that material weakness.
     
  4. Documentation. The proposed guidance explains the nature and extent of evidential matter that management must maintain in order to provide reasonable support to its assessment including how management has flexible approaches to documentation. The proposed guidance indicates that such documentation can take many forms, can be presented in a number of ways and does not need to include all controls within a process that impacts financial reporting. The proposed guidance provides that the evidential matter maintained in support of the assessment would also include the methods and procedures it utilizes to gather and evaluate evidence and the basis for its conclusions about the controls related to individual financial reporting elements. The proposed guidance indicates that in those situations in which management is able to rely on its daily interaction with its controls as a basis for its assessment, management may have limited documentation created specifically for the evaluation beyond documentation regarding how its interaction provided it with sufficient evidence.

IV. COSO INTERNAL CONTROL FRAMEWORK

In the release adopting the Section 404 requirements, the Commission identified COSO as an example of a suitable internal control framework. While the COSO framework identifies the components and objectives of an effective system of internal control, it does not set forth an approach for management to follow in evaluating the effectiveness of a company’s ICFR. The Commission, therefore, distinguishes between the COSO framework as a definition of what constitutes an effective system of internal control and SEC Guidelines on how to evaluate ICFR. The SEC Guidelines are not intended to replace or modify the COSO framework or any other suitable framework.

On July 11, 2006, COSO published additional application guidance for its control framework, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. The Commission anticipates that the recent COSO guidance will help organizations of all sizes that use the COSO framework to better understand and apply it to ICFR.

V. ENTITY LEVEL CONTROLS

Under the Commission’s rules, management’s annual assessment must be made in accordance with a suitable control framework’s definition of effective internal control. These control frameworks define elements of internal control that are expected to be present and functioning in an effective internal control system. In assessing effectiveness, management evaluates whether its ICFR includes policies, procedures and activities that address all of the elements of internal control that the applicable control framework describes as necessary for an internal control system to be effective. The framework elements describe the characteristics of an internal control system that may be relevant to individual areas of the company’s ICFR, pervasive to many areas, or entity-wide.

Therefore, management’s evaluation process includes not only controls involving particular areas of financial reporting, but also the entity-wide and other pervasive elements of internal control that are defined by the control frameworks.

VI. MATERIAL WEAKNESSES

Management’s assessment is based on whether any material weaknesses exist as of the end of the fiscal year. A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s ICFR. If the evaluation process identifies material weaknesses that exist as of the end of the fiscal year, such weaknesses must be disclosed in management’s annual report with a statement that ICFR is ineffective. If the evaluation identifies no internal control deficiencies that constitute a material weakness, management assesses ICFR as effective. If management’s evaluation process identifies material weaknesses, but all material weaknesses are remediated by the end of the fiscal year, management may exclude disclosure of those from its assessment and state that ICFR is effective as of the end of the fiscal year.

VII. ROLE OF THE BOARD AND THE AUDIT COMMITTEE

As management is responsible for maintaining effective internal control over financial reporting, the SEC Guidelines do not specifically address the role of the board of directors or audit committee in a company’s evaluation and assessment of ICFR. However, the Commission would ordinarily expect a board of directors or audit committee, as part of its oversight responsibilities for the company’s financial reporting, to be knowledgeable and informed about the evaluation process and management’s assessment.

B. ICFR EVALUATION METHODOLOGY

I. EVALUATION OBJECTIVE

Management should assess whether its controls are designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (“GAAP”).

The SEC Guidelines provide the following evaluation steps:

  1. Identification, documentation and assessment of the risks to reliable financial reporting
  2. Identification, documentation and design assessment of key controls which are in place and address financial reporting risks
  3. Evaluation of the evidence of the operating effectiveness of key controls

II. STEP 1: IDENTIFICATION, DOCUMENTATION AND ASSESSMENT OF THE RISKS TO RELIABLE FINANCIAL REPORTING

The evaluation begins with the identification and assessment of the risks to reliable financial reporting (i.e., materially accurate financial statements), including changes in those risks.

  • Management uses its knowledge and understanding of the business, its organization, its operations and its processes to consider the sources and potential likelihood of misstatements in financial reporting elements, and identifies those that could result in a material misstatement of the financial statements (“financial reporting risks”).
  • Management should consider the internal and external risk factors that impact the business (including the nature and extent of any changes in those risks) and that may give rise to financial reporting risks.
  • Financial reporting risks may also arise from sources such as the initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements.
  • Management’s evaluation of financial reporting risks should also consider the vulnerability of the entity to fraudulent activity (e.g., fraudulent financial reporting, misappropriation of assets and corruption) and whether any of those exposures could result in a material misstatement of the financial statements.

To effectively identify financial reporting risks in larger businesses or in situations involving complex business processes, management’s evaluation may need to involve employees with specialized knowledge who collectively have the necessary understanding of the requirements of GAAP, the underlying business transactions, the process activities (including the role of computer technology) that are required to initiate, authorize, record and process transactions, and the points within the process at which a material misstatement, including a misstatement due to fraud, may occur.

In a small company with less complex business processes that operate on a centralized basis and with little change in the risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.

III. STEP 2: IDENTIFICATION, DOCUMENTATION AND DESIGN ASSESSMENT OF KEY CONTROLS WHICH ARE IN PLACE AND ADDRESS FINANCIAL REPORTING RISKS

Management should evaluate whether it has controls placed in operation (i.e., in use) that are designed to address the company’s financial reporting risks. The determination of whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about both the likelihood and potential magnitude of misstatements arising from the financial reporting risk. For purposes of the evaluation of ICFR, the controls are not adequately designed when there is a reasonable possibility of a misstatement in the related financial reporting element that could result in a material misstatement of the financial statements and that this misstatement will not be prevented or detected on a timely basis. If management determines that its controls are not adequately designed, a deficiency exists that must be evaluated to determine whether it is a material weakness.

 (i) Focus on Key Controls

Management may identify controls for a financial reporting element that are preventive, detective or a combination of both. However, it is not necessary to identify all controls that exist. Rather, the objective of this evaluation step is to identify controls that adequately address the risk of misstatement for the financial reporting element that could result in a material misstatement in the financial statements. To illustrate, management may determine for a financial reporting element that a control within the company’s period-end financial reporting process (i.e., an entity level control) is designed in a manner that adequately addresses the risk that a misstatement in interest expense that could result in a material misstatement in the financial statements may occur and not be detected. In such a case, management may not need to identify any additional controls related to interest expense.

(ii) Redundant Controls

Management may consider the efficiency with which evidence of the operation of a control can be evaluated when identifying the controls that adequately address the financial reporting risks. For example, when more than one control exists that individually addresses a particular risk (i.e., redundant controls), management may decide to select the control for which evidence of operating effectiveness can be obtained more efficiently.

(iii) Importance of Entity Level Controls

Under the Commission’s rules, management’s annual assessment must be made in accordance with a suitable control framework’s definition of effective internal control (such as COSO’s Internal Control Framework). These control frameworks define elements of internal control that are expected to be present and functioning in an effective internal control system. In assessing effectiveness, management evaluates whether its ICFR includes policies, procedures and activities that address all of the elements of internal control that the applicable control framework describes as necessary for an internal control system to be effective. Therefore, management’s evaluation process includes not only controls involving particular areas of financial reporting, but also the entity-wide and other pervasive elements of internal control that are defined by the control frameworks such as COSO.

Furthermore, management ordinarily would consider the company’s entity level controls both in its assessment of risk and in identifying which controls adequately address the risk. In doing so, it is important for management to consider the nature of the entity level controls and how they relate to the financial reporting element. Some entity level controls are designed to operate at the process, transaction or application level and might adequately prevent or detect on a timely basis misstatements in one or more financial reporting elements that could result in a material misstatement of the financial statements. On the other hand, an entity level control may be designed to identify possible breakdowns in lower-level controls, but not in a manner that would, by itself, sufficiently address the risk that misstatements in financial reporting elements that could result in a material misstatement of the financial statements will not be prevented or detected on a timely basis.

The more indirect the relationship to a financial reporting element, the less effective a control may be in preventing or detecting a misstatement. Some entity level controls, such as the control environment (e.g., tone at the top and entity-wide programs such as codes of conduct and fraud prevention), are indirectly related to a financial reporting element and may not, by themselves, be effective at preventing or detecting a misstatement in a financial reporting element. Therefore, while management ordinarily would consider entity level controls of this nature when assessing financial reporting risks and evaluating the adequacy of controls, it is unlikely management will identify only this type of entity level control as adequately addressing a financial reporting risk identified for a financial reporting element.

(iv) Importance of General Computer Controls

Controls that management identifies as addressing financial reporting risks may be automated (e.g., application controls that update accounts in the general ledger for sub-ledger activity) or dependent upon IT functionality (e.g., a control that manually investigates items contained in a computer generated exception report). In these situations, management’s evaluation process generally considers the design and operation of the automated or IT dependent controls management identifies and the relevant general IT controls over the applications providing the IT functionality.

While general IT controls ordinarily do not directly prevent or detect material misstatements in the financial statements, the proper and consistent operation of automated or IT dependent controls depends upon effective general IT controls. Moreover, when adequate general IT controls exist, and management has determined the operation of such controls is effective, management may determine that automated controls may be more efficient to evaluate than manual controls. Considering the efficiency with which the operation of a control can be evaluated will often enhance the overall efficiency of the evaluation process.

Aspects of general IT controls that may be relevant to the evaluation of ICFR will vary depending upon a company’s facts and circumstances. Ordinarily, management should consider whether, and the extent to which, general IT control objectives related to program development, program changes, computer operations and access to programs and data apply to its facts and circumstances. For purposes of the evaluation of ICFR, management only needs to evaluate those general IT controls that are necessary to adequately address financial reporting risks.

(v) Identification of Control Risks

When identifying the controls that address financial reporting risks, management may learn information about the characteristics of the controls, such as the judgment required to operate them or their complexity. This information will then be considered in the assessment of the risk that the control will fail to operate as designed in order to determine the nature and extent of evidence of the operation of the control that management evaluates.

(vi) Form and Extent of Documentation of the Design of Key Controls

As part of its evaluation of ICFR, management must maintain reasonable support for its assessment. Documentation of the design of the controls management has placed in operation to adequately address the financial reporting risks is an integral part of the reasonable support.

The form and extent of the documentation will vary depending on the size, nature, and complexity of the company. It can take many forms (e.g., paper documents, electronic, or other media) and it can be presented in a number of ways (e.g., policy manuals, process models, flowcharts, job descriptions, documents, internal memorandums, forms, etc.). The documentation does not need to include all controls that exist within a process that impacts financial reporting. Rather, and more importantly, the documentation can be focused on those controls that management concludes are adequate to address the financial reporting risks.

In addition to providing support for the assessment of ICFR, documentation of the design of controls also supports other objectives of an effective system of internal control. For example, it serves as evidence that controls within ICFR, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. The documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company's evaluation and monitoring of the operation of controls.

Management should also consider the need to maintain evidential matter, including documentation, of the entity-wide and other pervasive elements of its ICFR that it believes address the control elements that its chosen control framework such as COSO prescribes as necessary for an effective system of internal control.

IV. STEP 3: EVALUATION OF THE EVIDENCE OF THE OPERATING EFFECTIVENESS OF KEY CONTROLS

The controls that management identifies as adequately addressing the financial reporting risks are then subject to procedures to evaluate evidence of the operating effectiveness. This evaluation considers whether the control operated as designed and includes matters such as how the control was applied, the consistency with which it was applied, and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. If management determines that the operation of the control is not effective, then a deficiency exists that must be evaluated to determine whether it is a material weakness.

The evaluation procedures that management uses to gather evidence about the effective operation of ICFR, and the nature of the evidence required, should be tailored to its assessment of the risk characteristics of both the individual financial reporting elements and the related controls (collectively, “ICFR risk”).

The higher the misstatement risk of a financial reporting element and the higher the risk of failure of the related controls, the more quantitative and qualitative evidence would be required in the evaluation process.

(i) Nature, Timing and Extent of Testing

Evidence about the effective operation of controls may be obtained from direct testing of controls and from on-going monitoring activities. The nature, timing and extent of evaluation procedures necessary for management to obtain sufficient evidence of the effective operation of a control depend on the assessed ICFR risk. In determining whether the evidence obtained is sufficient to provide a reasonable basis for its evaluation of the operation of ICFR, management should consider not only the quantity of evidence (e.g., sample size) but also the qualitative characteristics of the evidence. The qualitative characteristics of the evidence include the nature of the evaluation procedures performed, the period of time to which the evidence relates, the objectivity of those evaluating the controls, and, in the case of monitoring controls, the extent of validation through direct testing of underlying controls. For any individual control, different combinations of the nature, timing, and extent of evaluation procedures may provide sufficient evidence. The sufficiency of evidence is not determined by any of these attributes individually.

(ii) Assessment of ICFR Risk

(a) Risk Associated with the Financial Reporting Element

Characteristics of the financial reporting element that management considers include both the materiality of the financial reporting element and the susceptibility of the underlying account balances, transactions or other supporting information to material misstatement. Financial reporting elements would generally have higher risk when they include transactions, account balances or other supporting information that is prone to misstatement. For example, elements which: (1) involve judgment in determining the recorded amounts; (2) are susceptible to fraud; (3) have complexity in the underlying accounting requirements; or (4) are subject to environmental factors, such as technological and/or economic developments, would generally be assessed as higher risk.

(b) Risk Associated with Control Failure

Management also considers the likelihood that a control might fail to operate effectively. That likelihood may depend on, among other things, the type of control (i.e., manual or automated), the complexity of the control, the risk of management override, the judgment required to operate the control, the nature and materiality of misstatements that the control is intended to prevent or detect, and the degree to which the control relies on the effectiveness of other controls (e.g., general IT controls). For example, management’s risk assessment would be higher for a financial reporting element that involves controls whose operation requires significant judgment than for a financial reporting element that involves non-complex controls requiring little judgment on behalf of management.

Certain financial reporting elements, such as those involving significant accounting estimates, related party transactions, or critical accounting policies, generally would be assessed as having higher risk for both the risk of material misstatement of the financial reporting element and the risk of control failure. When the controls related to these financial reporting elements are subject to the risk of management override, involve significant judgment, or are complex, they should generally be assessed as having higher ICFR risk.

(iii) Evaluation Methods and Procedures

The methods and procedures, including the timing of when they are performed, that management uses to gather evidence about the effective operation of controls are based on its assessment of the ICFR risk. The evaluation procedures may be integrated with the daily responsibilities of the company’s employees or implemented specifically for purposes of the ICFR evaluation.

The evidence management evaluates may come from a combination of on-going monitoring and direct testing of controls.

  • On-going monitoring includes activities that provide information about the operation of controls and may be obtained, for example, through self-assessment procedures and the analysis of performance measures designed to track the operation of controls. Management’s evaluation process may consider the results of key performance indicators (“KPIs”) in which management reconciles operating and financial information with its knowledge of the business. These KPIs may indicate a potential misstatement in a financial reporting element and therefore are relevant to meeting the objectives of ICFR.
  • Direct tests of controls are tests performed periodically to provide evidence as of a point in time and may provide information about the reliability of on-going monitoring activities.

The result of risk assessments can assist management in determining the evaluation procedures that provide reasonable support for the assessment. As the assessed risk increases, management will ordinarily adjust the nature of the evidence that is obtained. For example, management can vary the nature of evidence from on-going monitoring by adjusting the extent of validation through periodic direct testing of the underlying controls and/or adjusting the objectivity of those performing the self-assessments. Management can also vary the nature of evidence obtained by adjusting the period of time covered by direct testing. When ICFR risk is assessed as high, management’s evaluation would ordinarily include evidence obtained from direct testing. Further, management’s evaluation would ordinarily consider evidence from a reasonable period of time during the year, including the fiscal year-end. For lower risk areas, management may conclude that evidence from on-going monitoring is sufficient and that no direct testing is required.

(iv) Impact of Entity Level Controls

Management’s assessment of ICFR risk also considers the impact of entity level controls, such as the relative strengths and weaknesses of the control environment, which may influence management’s judgment about the risks of failure for particular controls.

The existence of entity level controls (e.g., controls within the control environment) may influence management’s determination of the evidence needed to sufficiently support its assessment. For example, management’s judgment about the likelihood that a control fails to operate effectively may be influenced by a highly effective control environment and thereby impact the evidence evaluated for that control. However, a strong control environment would not eliminate the need for evaluation procedures that consider the effective operation of the control in some manner.

(v) Evaluation Procedures for Smaller Companies

In smaller companies, management’s daily interaction with its controls may provide it with sufficient knowledge about their operation to evaluate the operation of ICFR. Knowledge from daily interaction includes information obtained by those responsible for evaluating the effectiveness of ICFR through their on-going direct knowledge and direct supervision of control operation. Management should consider its particular facts and circumstances when determining whether or not its daily interaction with controls provides sufficient evidence for the evaluation. For example, daily interaction may provide sufficient evidence when the operation of controls is centralized and the number of personnel involved in their operation is limited. Conversely, daily interaction in companies with multiple management reporting layers or operating segments would generally not provide sufficient evidence because those responsible for assessing the effectiveness of ICFR would not ordinarily be sufficiently knowledgeable about the operation of the controls. In these situations, management would ordinarily utilize direct testing or on-going monitoring type evaluation procedures to have reasonable support for the assessment.

(vi) Initial and Subsequent Evaluations

The effort necessary to conduct an initial evaluation of financial reporting risks and the related controls will vary among companies, partly because this effort will depend on management’s existing financial reporting risk assessment and monitoring activities. Monitoring activities are those that assess the quality of internal control performance over time. These activities involve assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through on-going monitoring activities, separate evaluations by internal audit or personnel performing similar functions, or a combination of the two. On-going monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory review activities.

In subsequent years for most companies, management’s effort should ordinarily be significantly less because subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the evidence necessary to reasonably support the assessment will only need to be updated from the prior year(s), not recreated anew.

(vii) Evidential Matter to Support the Evaluation of Operating Effectiveness of Controls

Management’s assessment must be supported by evidential matter that provides reasonable support for its assessment. The nature of the evidential matter may vary based on the assessed level of risk of the underlying controls and other circumstances, but the Commission would expect reasonable support for an assessment to include the basis for management’s assessment, including documentation of the methods and procedures it utilizes to gather and evaluate evidence.

The evidential matter may take many forms and will vary depending on the assessed level of risk for controls over each of its financial reporting elements. For example, management may document its overall strategy in a comprehensive memorandum that establishes the evaluation approach, the evaluation procedures, and the basis for conclusions for each financial reporting element.

Management may determine that it is not necessary to separately maintain copies of the evidence it evaluates; however, the evidential matter within the company’s books and records should be sufficient to provide reasonable support for its assessment. For example, in smaller companies, where management’s daily interaction with its controls provides the basis for its assessment, management may have limited documentation created specifically for the evaluation of ICFR. However, in these instances, management should consider whether reasonable support for its assessment would include documentation of how its interaction provided it with sufficient evidence. This documentation might include memoranda, e-mails, and instructions or directions from management to company employees.

Further, management should also consider the degree of complexity of the control, the level of judgment required to operate the control, and the risk of misstatement in the financial reporting element that could result in a material misstatement in the financial statements in determining the nature of supporting evidential matter. As these factors increase, management may determine that evidential matter supporting the assessment should be separately maintained. For example, management may decide that separately maintained documentation will assist the audit committee in exercising its oversight of the company’s financial reporting.

If management believes that the operation of the entity-wide and other pervasive elements of its ICFR address the elements of internal control that its applicable framework, such as COSO, describes as necessary for an effective system, then the evidential matter constituting reasonable support for management’s assessment would ordinarily include documentation of how management formed that belief.

V. IDENTIFICATION AND REPORTING OF MATERIAL WEAKNESSES

In order to determine whether a control deficiency, or combination of control deficiencies, is a material weakness, management evaluates each control deficiency that comes to its attention. Control deficiencies that are determined to be a material weakness must be disclosed in management’s annual report on its assessment of the effectiveness of ICFR. Management may not disclose that it has assessed ICFR as effective if there are one or more control deficiencies determined to be a material weakness in ICFR.

As part of the evaluation of ICFR, management considers whether the deficiencies, individually or in combination, are material weaknesses as of the end of the fiscal year. Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness if there is a reasonable possibility that a material misstatement to the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually insignificant. Therefore, management should evaluate individual control deficiencies that affect the same account balance, disclosure, relevant assertion, or component of internal control, to determine whether they collectively result in a material weakness.

The evaluation of a control deficiency should include both quantitative and qualitative factors. Management can evaluate a deficiency in ICFR by considering the likelihood that the company's ICFR will fail to prevent or detect a misstatement of a financial statement element, or component thereof, on a timely basis and the magnitude of the potential misstatement resulting from the deficiency or deficiencies. This evaluation is based on whether the company's controls will fail to prevent or detect a misstatement on a timely basis, not necessarily on whether a misstatement actually has occurred.

Management should evaluate how the controls interact with other controls when evaluating the likelihood that the company's controls will fail to prevent or detect on a timely basis a misstatement that is material to the company’s financial statements. There are controls, such as general IT controls, on which other controls depend. Some controls function together as a group of controls. Other controls overlap, in the sense that more than one control may individually achieve the same objective.

Management should also evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness.


APPENDIX A

SPECIFIC GUIDELINES

EXAMPLES OF SIGNIFICANT DEFICIENCIES

Management is required to disclose to the auditors and to the audit committee of the board of directors all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize and report financial data and to identify for the issuer's auditors any material weaknesses in internal controls.

The interaction of qualitative considerations that affect ICFR with quantitative considerations ordinarily results in deficiencies in the following areas being at least significant deficiencies in ICFR:

  • Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles
  • Antifraud programs and controls
  • Controls over non-routine and non-systematic transactions
  • Controls over the period-end financial reporting process

If management determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then management should deem the deficiency to be at least a significant deficiency.

FACTORS RESULTING IN DEFICIENCIES

Several factors affect the likelihood that a deficiency, or a combination of deficiencies, will result in a misstatement in a financial reporting element not being prevented or detected on a timely basis. The factors include, but are not limited to, the following:

  • The nature of the financial statement elements, or components thereof, involved (e.g., suspense accounts and related party transactions involve greater risk)
  • The susceptibility of the related asset or liability to loss or fraud (i.e., greater susceptibility increases risk)
  • The subjectivity, complexity, or extent of judgment required to determine the amount involved (i.e., greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk)
  • The interaction or relationship of the control with other controls (i.e., the interdependence or redundancy of the control)
  • The interaction of the deficiencies (i.e., when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions)
  • The possible future consequences of the deficiency

FACTORS AFFECTING THE MAGNITUDE OF MISSTATEMENT

Several factors affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls. The factors include, but are not limited to, the following:

  • The financial statement amounts or total of transactions exposed to the deficiency
  • The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods

In evaluating the magnitude of the potential misstatement to the company’s financial statements as a whole, management should recognize that the maximum amount that an account balance or total of transactions can be overstated is the recorded amount, while understatements could be larger.

STRONG INDICATORS OF A MATERIAL WEAKNESS

The following circumstances are strong indicators that a material weakness in ICFR exists:

(i) An ineffective control environment

Circumstances that may indicate that the company's control environment is ineffective include, but are not limited to:

  • Identification of fraud of any magnitude on the part of senior management
  • Significant deficiencies that have been identified and remain unaddressed after some reasonable period of time
  • Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee

(ii) Restatement of previously issued financial statements to reflect the correction of a material misstatement
The correction of a material misstatement includes misstatements due to error or fraud; it does not include retrospective application of a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.

(iii) Identification by the auditor of a material misstatement in financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company's ICFR

(iv) For complex entities in highly regulated industries, an ineffective regulatory compliance function

This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.

DISCLOSURES ABOUT MATERIAL WEAKNESSES

The Commission’s rule implementing Section 404 was intended to bring information about material weaknesses in ICFR into public view. Because of the significance of the disclosure requirements surrounding material weaknesses beyond specifically stating that the material weaknesses exist, companies should also consider including the following in their disclosures:

  • The root cause and nature of any material weakness
  • The impact of the material weakness on financial reporting and the control environment
  • Management’s current plans, if any, for remediating the weakness

Significant deficiencies in ICFR are not required to be disclosed in management’s annual report on its evaluation of ICFR.

EXPRESSION OF ASSESSMENT OF EFFECTIVENESS OF ICFR BY MANAGEMENT

Management should disclose a clear expression of its assessment related to the effectiveness of ICFR and, therefore, should not qualify its assessment by saying that the company’s ICFR is effective subject to certain qualifications or exceptions or express similar positions. For example, management should not state that the company’s controls and procedures are effective except to the extent that certain material weakness(es) have been identified. In addition, if a material weakness exists, management may not state that the company’s ICFR is effective. However, management may state that controls are ineffective due solely to, and only to the extent of, the identified material weakness(es). In addition, management may disclose any remediation efforts to the identified material weakness(es).

MULTIPLE LOCATIONS/BUSINESS UNITS

Management’s consideration of financial reporting risks generally includes all of its locations or business units. However, management may determine when identifying financial reporting risks that some locations are so insignificant that no further evaluation procedures are needed. Furthermore, management may determine that financial reporting risks are adequately addressed by controls which operate centrally, in which case the evaluation approach is similar to that of a business with a single location or business unit.

When the controls necessary to address financial reporting risks operate at more than one location or business unit, management would generally evaluate evidence of the operation of the controls at the individual locations or business units.

In situations where management determines that the ICFR risk of the controls that operate at individual locations or business units is low, management may determine that evidence gathered through self-assessment routines or other on-going monitoring activities, when combined with the evidence derived from a centralized control that monitors the results of operations at individual locations, may constitute sufficient evidence for the evaluation. In other situations, management may determine that, because of the complexity or judgment in the operation of the controls at the individual location, the risks of the controls are high, and therefore more evidence is needed about the effective operation of the controls at the location.

When performing its evaluation of the risk characteristics of the controls identified, management should consider whether there are location-specific risks that might impact the risk that a control might fail to operate effectively. Additionally, there may be pervasive factors at a given location that cause all controls, or a majority of controls, at that location to be considered higher risk. Management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient.

FOREIGN PRIVATE ISSUERS GAAP

Management of foreign private issuers that file financial statements prepared in accordance with home country generally accepted accounting principles (“GAAP”) or International Financial Reporting Standards (“IFRS”) with a reconciliation to U.S. GAAP should plan and conduct their evaluation process based on their primary financial statements (i.e., home country GAAP or IFRS) rather than the reconciliation to U.S. GAAP. However, because of the importance to investors of the reconciliation to U.S. GAAP, when management of foreign private issuers that file in home country GAAP or IFRS determines the severity of an identified control deficiency, management should consider the impact of the control deficiency on the U.S. GAAP reconciliation disclosure. Hence, management should take into consideration both the amounts reported in the primary financial statements and the amounts reported in the reconciliation to U.S. GAAP in evaluating the severity of the control deficiency. For example, it would be inappropriate to determine, without further consideration, that a control deficiency associated with an item included in the reconciliation to U.S. GAAP is not material to the primary financial statements, and therefore cannot be, by definition, a material weakness.

IMPACT OF A RESTATEMENT OF PREVIOUSLY ISSUED FINANCIAL STATEMENTS ON MANAGEMENT’S REPORT ON ICFR

Item 308 of Regulation S-K requires disclosure of management’s assessment of the effectiveness of the company’s ICFR as of the end of the company’s most recent fiscal year. When a material misstatement in previously issued financial statements is discovered, a company is required to restate those financial statements. However, the restatement of financial statements does not, by itself, necessitate that management consider the effect of the restatement on the company’s prior conclusion related to the effectiveness of ICFR.

While there is no requirement for management to reassess or revise its conclusion related to the effectiveness of ICFR, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement. The company should also disclose any material changes to ICFR, as required by Item 308(c) of Regulation S-K.

Similarly, while there is no requirement that management reassess or revise its conclusion related to the effectiveness of its disclosure controls and procedures, management should consider whether its original disclosures regarding effectiveness of disclosure controls and procedures need to be modified or supplemented to include any other material information that is necessary for such disclosures not to be misleading.

With respect to the disclosures concerning ICFR and disclosure controls and procedures, the company may need to disclose in this context what impact, if any, the restatement has on its original conclusions regarding effectiveness of ICFR and disclosure controls and procedures.

CONTROLS OVER OUTSOURCED OPERATIONS

Management may outsource a significant process to a service organization and determine that evidence of the operating effectiveness of the controls over that process is necessary. However, the service organization may be unwilling to provide either a Type II SAS 70 report or to provide management access to the controls in place at the service organization so that management could assess effectiveness. Management may not have compensating controls in place that allow a determination of the effectiveness of the controls over the process in an alternative manner. The Commission’s disclosure requirements state that management’s annual report on ICFR must include a statement as to whether or not ICFR is effective and do not permit management to issue a report on ICFR with a scope limitation. Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.


APPENDIX B

DEFINITIONS

Financial Reporting Elements

Financial reporting elements represent financial statement amounts or disclosures.

Internal Control over Financial Reporting

Internal control over financial reporting is a process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

  1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer
  2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer
  3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

Control

A control consists of a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control’s impact on ICFR may be entity-wide or specific to a class of transactions or application.

Controls have unique characteristics – they can be:

  • Automated or manual
  • Reconciliations
  • Segregation of duties
  • Review and approval authorizations
  • Safeguarding and accountability of assets
  • Preventing error
  • Fraud detection
  • Disclosure

Controls within a process may consist of financial reporting controls and operational controls (i.e., those designed to achieve operational objectives).

Preventative and Detective Controls

Preventive controls have the objective of preventing the occurrence of errors or fraud that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors or fraud that have already occurred and that could result in a misstatement of the financial statements. Preventive and detective controls may be completely manual, involve some degree of computer automation, or be completely automated.

Compensating Controls

Compensating controls are controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that was material.

Entity Level Controls

The term “entity level controls” as used in the SEC Guidance describes aspects of a system of internal control that have a pervasive effect on the entity’s system of internal control such as controls related to the:

  • Control environment (e.g., management’s philosophy and operating style, integrity and ethical values, board or audit committee oversight, and assignment of authority and responsibility)
  • Controls over management override
  • Risk assessment process
  • Centralized processing and controls, including shared service environments
  • Controls to monitor results of operations
  • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
  • Controls over the period-end financial reporting process
  • Policies that address significant business control and risk management practices

The term “company level” is also commonly used to describe these controls.

Design Deficiency

A deficiency in the design of ICFR exists when (a) necessary controls are missing or (b) existing controls are not properly designed so that, even if the control operates as designed, the financial reporting risks would not be addressed.

Material Weakness

A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s ICFR.

Monitoring Activities

Monitoring activities are those that assess the quality of internal control performance over time. These activities involve assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through on-going monitoring activities, separate evaluations by internal audit or personnel performing similar functions, or a combination of the two. On-going monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory review activities.

Self-Assessments

Self-assessment is a broad term that refers to different types of procedures performed by various parties. It includes an assessment made by the same personnel who are responsible for performing the control. However, self-assessment may also be used to refer to assessments and tests of controls performed by persons who are members of management but are not the same personnel who are responsible for performing the control. In this manner, an assessment may be carried out with varying degrees of objectivity. The sufficiency of the evidence derived from self-assessment depends on how it is implemented and the objectivity of those performing the assessment. COSO’s 1992 framework defines self-assessments as “evaluations where persons responsible for a particular unit or function will determine the effectiveness of controls for their activities.”

Significant Accounting Estimates

Significant accounting estimates relate to accounting estimates or assumptions where the nature of the estimates or assumptions is material due to the levels of subjectivity and judgment necessary to account for highly uncertain matters or the susceptibility of such matters to change; and the impact of the estimates and assumptions on financial condition or operating performance is material.

Critical Accounting Policies

“Critical accounting policies” are defined as those policies that are most important to the financial statement presentation, and require management’s most difficult, subjective, or complex judgments, often as the result of a need to make estimates about the effect of matters that are inherently uncertain.

Type II SAS 70 Report from Service Organizations

This report is a service auditor's report on a service organization's description of the controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

Small Public Companies

While a company’s individual facts and circumstances should be considered in determining whether a company is a smaller public company, a company’s market capitalization and annual revenues are useful indicators of its size and complexity. In light of the Advisory Committee Final Report and the SEC’s rules defining “accelerated filers” and “large accelerated filers,” companies with a market capitalization of approximately US$700 million or less, with reported annual revenues of approximately US$250 million or less, should be presumed to be “smaller companies,” with the smallest of these companies, with a market capitalization of approximately $75 million or less, described as “microcaps.”


Massood Oroomchi and Alec Moore are the founding partners of FinEx Group providing leadership, execution and training for both public and private firms in Sarbanes-Oxley/Bill 198 compliance. For further information, please fill out our contact form or contact Massood Oroomchi at (519) 574-8691 or Alec Moore at (519) 580-3690.