The SEC and PCAOB have taken significant new steps to implement promised reforms to the implementation of Section 404 of the Sarbanes-Oxley Act, which has been widely perceived to be unduly expensive and burdensome. On May 23, 2007, the SEC approved new interpretive guidance for management’s assessment of internal controls, and amendments to certain Section 404 related rules. The new guidance provides a principles-based framework intended to help public companies strengthen their internal control over financial reporting while reducing unnecessary costs, particularly for smaller companies. On May 24, 2007, the PCAOB voted to adopt Auditing Standard No. 5 to replace its previous internal control auditing standard, Auditing Standard No. 2.
SEC’s Interpretive Guidance Uses Risk-Based Approach
The interpretive guidance is centered around two broad principles.
- Management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner.
- Management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk.
As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas. The guidance is intended to reduce uncertainty about what constitutes a reasonable approach to management’s evaluation, while maintaining flexibility for companies that have already developed their own assessment procedures. The SEC staff indicated that they declined to include illustrative examples in the final guidance in order to avoid the unintended consequence of establishing "bright line" or "one-size fits all" evaluation approaches. The guidance therefore reflects the view that effective and efficient evaluations require company management to make reasonable judgments that reflect each company’s individual facts and circumstances.
Conrad Hewitt, the SEC’s Chief Accountant, expressed the staff’s position that smaller public companies, which generally have less complex internal control systems than larger public companies, should use this guidance to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances.
Interpretive Guidance is not Mandatory
The guidance is not mandatory, and the SEC has indicated that many companies will be able to continue using their existing procedures if they choose, assuming those procedures are otherwise in accordance with Section 404 and related rules.
Rule Amendments Related to Section 404 – Definition of Material Weakness
The SEC also adopted a separate release amending certain rules related to Section 404. The rule amendments define the term material weakness as a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. The SEC also revised the requirements regarding the auditor’s attestation report on the effectiveness of internal control over financial reporting to provide that the auditor is opining directly on internal control over financial reporting, rather than on management’s evaluation process.
The SEC also proposed, but did not adopt, a new definition of significant deficiency, which does not include an express risk component. The proposed definition of significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant’s financial reporting.
PCAOB’s Auditing Standard No. 5 Mandates Risk-Based Approach
The PCAOB’s new Auditing Standard No. 5 will apply to audits of all companies required by SEC rules to obtain an audit of internal control over financial reporting.
- The new standard focuses auditors on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements. It encourages a top-down, risk-based approach to audit planning.
- The new standard eliminates unnecessary procedures. Among other things, and consistent with the SEC’s rule changes discussed above, the new standard clarifies that an internal control audit does not require an opinion on the adequacy of management’s process. The new standard also refocuses the multi-location direction on risk rather than coverage by removing the requirement that auditors test a large portion of the company’s operations or financial position.
- The new standard makes the audit scalable to fit the size and the complexity of the company. It does so by including notes throughout the standard on how to apply the principles in the standard to smaller, less complex companies.
PCAOB Inspections to Ensure Auditor Compliance with New Standard
The PCAOB also announced that it intends to adjust its inspection program to ssure that it is consistent with the new standard and its principles-based approach. The PCAOB is also continuing to develop for auditors of smaller public companies tailored guidance for applying the new standard.
Auditing Standard No. 5 Not Identical to SEC’s Interpretive Guidance
The SEC’s Deputy Chief Accountant, Zoe-Vonna Palmrose, noted that some differences will remain between the SEC’s interpretive guidance for management, and Auditing Standard No. 5, reflecting that management and the auditor have different roles and responsibilities with respect to evaluating and auditing internal control over financial reporting.
Compliance Deadlines – No Further Extensions for Non-Accelerated Filers
The SEC did not adopt a further delay in Section 404 implementation for non-accelerated filers (small business issuers, and those with less than $75 million in market capitalization). However, two of the five commissioners indicated they were still considering a further extension, and there may be pressure from Congress to further extend. Under the extension presently in effect, non-accelerated filers will need to provide a management assessment of the effectiveness of internal control over financial reporting for the first fiscal year ending on or after December 15, 2007, and will need to have an audit of internal control over financial reporting for the first fiscal year ending on or after December 15, 2008.
Although the PCAOB worked closely with the SEC in developing Auditing Standard No. 5, the new standard remains subject to SEC approval. The new standard may be used by auditors immediately following SEC approval, and will be required for all audits of internal control for fiscal years ending on or after November 15, 2007.
For further information, please contact a member of the Corporate Practice Group.