Internal Controls Over Financial Reporting
Prior to the enactment of Section 404 of the Sarbanes-Oxley Act of 2002 (the “Act”), auditors typically relied on random spot checks of transactions and account balances on which to base their audit opinion. If a few random spot checks demonstrated that the numbers were correct, it was not necessary to check the system of financial reporting.
Even prior to Section 404, however, auditors conducting the audit of very large corporations had difficulty conducting an adequate number of random spot checks on which to base their audit. The far-flung assets and web of transactions of multi-state or multi-national companies rendered this too burdensome. The auditors would therefore give greater consideration to the company’s internal controls over financial reporting in planning the audit. If the company had designed and implemented an adequate set of internal controls, then the auditor could rely on the controls instead of having to perform multiple tests of transactions and account balances to support its opinion.
Internal controls over financial reporting are a formal system of checks and balances, monitored by management and the board of directors and reviewed by the outside auditor. Internal controls are not a creation of the Act. They were in existence prior to the Act. As noted in the accounting literature and particularly in the Committee of Sponsoring Organizations of the Treadway Commission, 1992, (“COSO”) and in the Codification of Statements on Auditing Standards Section AU 319 (“AU 319”), this system of checks and balances is intended to provide reasonable assurance that the following objectives are achieved: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations and (c) compliance with applicable laws and regulations.
In accordance with AU 319 and COSO, internal controls consist of five parts: (i) control environment, (ii) risk assessment, (iii) control activities, (iv) information and communication and (v) monitoring. The control environment sets the tone at the top of the company and includes the integrity, ethical values and competence of the company’s management. Risk assessment is the identification and analysis of various risks to the achievement of the company’s objectives. Control activities are actions taken to ensure that the risks to the achievement of the company’s objectives are contained. They include a range of activities such as approvals, authorizations, verifications, reconciliations, security of assets and segregation of powers and responsibilities. Information and communication is necessary to ensure that all pertinent information is captured and communicated in a form and timeframe that enables people to carry out their responsibilities. In addition, information and communication ensures that all personnel receive a clear message from top management that control responsibilities are to be taken seriously and that each person understands his or her own role in the control system and can communicate significant information upstream. Monitoring is a process that assesses the quality of the controls over time.
Following Enron, and in an attempt to restore investor confidence in audited financial statements, it became necessary to require all public companies, big or small, to adopt internal controls over financial reporting based upon COSO or similar standards.
Accordingly, Section 404 of the Act and the SEC’s June 5, 2003 final rules (now incorporated in Rules 13a-15 and 15d-15 under the Securities Exchange Act of 1934 and Items 308(a) and (b) of Regulation S-K, the “Rules”) require annual reports, filed after certain compliance dates described below, to contain (i) management’s report on the company’s internal controls including management’s assessment of their effectiveness as of the end of the fiscal year, (ii) a statement identifying the framework used by management to evaluate internal controls and (iii) an independent auditor’s attestation report on management’s assessment. They also require management to evaluate, on a quarterly basis, material changes in the company’s internal controls.
What Is The Meaning Of Internal Control Over Financial Reporting?
The Commission’s definition of Internal Controls Over Financial Reporting is largely based on the definition found in COSO and in AU 319. It is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers and effected by the board and management, to provide reasonable assurance regarding the reliability of financial reporting and includes policies and procedures that (1) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company, (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles and that receipts and expenditures of the company are being made only in accordance with management’s and the directors’ approval and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.
To Which Companies Does Section 404 of the Act Apply?
Section 404 applies to all public companies, big or small, domestic or foreign, that have registered under the Exchange Act, or have a pending registration statement under the Securities Act of 1933. This includes Foreign Private Issuers, Small Business Issuers and banks that are both subject to FDIC regulations and file reports under the Exchange Act, but excludes registered investment companies.
What Needs to be Done to Comply with Section 404?
Practically speaking, in order for adequate Internal Controls Over Financial Reporting to be in place, management and the outside auditors must be satisfied that there is a flowchart of how all the various line items in the financial statements are assembled from the raw financial data. For example, the line item named “cash in the bank” should be supported by a flowchart showing (i) the source of the cash, (ii) when the cash was received, (iii) how the cash was booked, (iv) who took the cash to the bank, (v) when and by whom it was deposited in the bank and (vi) how and when the deposit was reported to internal audit for recording in the books of the company. The need for such a flowchart is two-fold: first, to make sure that every person in the loop knows what the other should be doing, and second, to make sure that if any person in the loop leaves the company, a substitute can step in and close the circle. A great deal of lead time and resources are required to design, implement and evaluate internal controls. Accordingly, Congress has postponed the compliance dates for SEC compliance for both large and small companies, as further described below (see “By What Date Must a Company Comply with Section 404 and the Rules”). In preparing for compliance, companies should work together with their outside auditors and Section 404 consultants to make sure that all parties involved in the effort are on the same page. This should minimize the chance of finding any material deficiency in the internal controls which would have to be cited in the accountants’ Section 404 opinion. Whether the company has hired an outside consultant to assist it in designing, implementing and evaluating internal controls over financial reporting or whether the company has performed this work itself, the company should involve the outside auditors in all stages of the design, implementation and evaluation rather than making them privy to it at the end of the process.
This will ensure an ongoing dialog that will minimize the risk of rejection of the Internal Controls Over Financial Reporting and their evaluation by the auditor at the last minute shortly before the filing deadline, when it is too late to prevent a qualification on the attestation report.
What is the Difference Between Disclosure Controls and Procedures and Internal Control Over Financial Reporting?
Because both Section 302 and Section 404 of the Act deal with “Disclosure Controls And Procedures” and “Internal Control Over Financial Reporting”, it is important to understand the basic difference between them.
Disclosure Controls And Procedures are meant to ensure, as far as possible, that all the information required by law to be included in the periodic reports filed with the SEC is made available to those responsible for preparing them in a complete and timely fashion. The urgency of putting such procedures into place arose out of the loose reporting systems at Enron which resulted in many significant transactions either not making it into the periodic reports at all or not making it in a timely fashion.
Internal Control Over Financial Reporting is meant to ensure the integrity of the financial statements and guard the assets of the company. At the bookkeeping level, these procedures are designed to enforce the proper recording of income and expenditure so that revenues are deposited into the company’s bank account and unauthorized expenditures do not leave the company’s bank account. At the executive level, these procedures are designed to prevent manipulation of revenues and expenses, such as illegal transfers from expense accounts to capital accounts, in which management may be tempted to engage in order to hit the end-of-period “whispered numbers”.
Because most periodic reports contain financial statements, there is some inevitable overlap between the two sets of controls.
This effectively means that before the accountant can attest to the effectiveness of the internal controls over financial reporting, he or she must be satisfied that the company has disclosure controls and procedures in place and that the Company is in full compliance with the federal securities laws including the new requirements under the Act and the company’s Self Regulatory Organization (“SRO”), be it the New York Stock Exchange, Nasdaq or other exchanges.
By What Date Must a Company Comply with Section 404 and the Rules?
There are two different compliance dates relevant to Section 404. The first compliance date was August 14, 2003 (the “First Compliance Date”). This was the date when companies had to comply with the revised Section 302 Disclosure Controls and Procedures certification language. The second compliance date (the “Second Compliance Date”) is the date on which companies will have to (i) comply with the revised Section 302 Internal Control Over Financial Reporting certification language, (ii) include an internal control report in their annual reports and (iii) evaluate and disclose in quarterly reports, beginning with the filing of the first quarterly report due after the Second Compliance Date, any change in the internal control that occurred during a fiscal quarter (or fiscal year in the case of a non-U.S. public company) that has a material effect on the internal control. For smaller companies that are not Accelerated Filers (as this term is explained below), the Second Compliance Date is the date they file their first annual report for fiscal years ending on or after July 15, 2005. For larger companies that are Accelerated Filers, the Second Compliance Date is the date they file their first annual report for fiscal years ending on or after November 15, 2004. The term Accelerated Filer means a company (including a non-U.S. public company) with an aggregate market value of common equity held by non-affiliates, as of the last business day of its most recently completed second fiscal quarter, of $75 million or more and subject to the Exchange Act reporting requirements for at least one year. Companies close to the $75 million threshold whose affiliates are selling stock or whose stock price is volatile must pay close attention to the value of the common equity held by non-affiliates to be sure they comply by the correct compliance date.
What Procedures Should Be Included In the Internal Control Over Financial Reporting?
Internal Control Over Financial Reporting should include policies and procedures that provide reasonable assurance that (i) records are maintained that fairly reflect purchases and sales of the company’s assets, (ii) transactions are properly recorded so as to permit the preparation of GAAP financial statements, (iii) receipts and expenditures are being made in an authorized fashion and (iv) unauthorized use of company assets that could have a material effect on the financial statements will be timely detected.
What is the Extent of Management’s Duty to Assess and Report on the Company’s Internal Control Over Financial Reporting?
In order to ensure the reliability of the Internal Control Over Financial Reporting at all times, management is required to evaluate the effectiveness of those controls on a periodic basis and to include a report of such evaluation in the annual report, which evaluation must be attested to by the company’s outside accountants. Under the Section 404 proposed rules, management would have been required to evaluate the effectiveness of the internal controls quarterly. Recognizing that this would be too burdensome, the Rules only require quarterly evaluation of changes that have materially affected, or are reasonably likely to materially affect, the Company’s Internal Control Over Financial Reporting. Whereas a U.S. public company would have to report these changes quarterly, a non-U.S. public company would only have to report them in its annual report.
If, in the course of the evaluation, management discovers any deficiency in the design or operation of Internal Control Over Financial Reporting that could adversely affect a company’s ability to record, process, summarize and report financial data consistent with the assertions of management in the company’s financial statements, then management must disclose this material weakness in the report.
What Procedures Should Management Follow in Preparing the Report of the Effectiveness of Internal Control Over Financial Reporting?
The Rules do not specify the method or procedures to be performed in an evaluation and such method will vary from company to company. They do, however, require management to maintain the documentation that supports its assessment of the effectiveness of the company’s Internal Control Over Financial Reporting. The documentation regarding the design of internal controls and the testing process should provide reasonable support (i) for the evaluation of whether the control is designed to prevent or detect material misstatement or omissions, (ii) for the conclusion that the tests were appropriately planned and performed and (iii) that the results of the tests were appropriately considered. In performing their evaluation of the design and effectiveness of the Internal Control Over Financial Reporting, management should review the company’s controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosures and related assertions included in the financial statements; controls related to the initiation and processing of non-routine and non-systematic transactions; controls relating to the selection and application of appropriate accounting policies and controls relating to the prevention, identification and detection of fraud.
Where in the Annual Report Will Management’s Report on the Effectiveness of Internal Control Over Financial Reporting Be Located?
Form 10-K for annual reports of U.S. public companies has been amended by adding Item 9A entitled “Controls and Procedures” to the annual report on Form 10-K. Form 20-F for annual reports for non-U.S. public companies has been amended by revising Item 15 of Part II. After the Second Compliance Date, these amendments will require a company’s annual report to include an internal control report of management that contains (i) a statement of management’s responsibility for establishing and maintaining internal controls over financial reporting for the company, (ii) a statement identifying the framework used by management to conduct the required evaluation, (iii) management’s assessment of the effectiveness of the company’s Internal Control Over Financial Reporting as of the end of the company’s most recent fiscal year, which assessment must include disclosure of any material weakness in the company’s Internal Control Over Financial Reporting identified by management and (iv) a statement that the accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting, which report must be filed as part of the company’s annual report with the SEC. For public companies that are Accelerated Filers, including non-U.S. public companies that are Accelerated Filers, the Second Compliance Date by which they must comply with the internal control report requirement is the date that the company files its first annual report for fiscal years ending on or after November 15, 2004. For public companies that are not Accelerated Filers, the Second Compliance Date by which they must comply with the internal control report requirement is the date that the company files its first annual report for fiscal years ending on or after July 15, 2005.
What Framework Should Management Adopt in Evaluating the Internal Control Over Financial Reporting?
Although the SEC has not mandated any particular framework for the evaluation of the effectiveness of the Internal Control Over Financial Reporting, the framework used must be free of bias; permit qualitative and quantitative measurements; be sufficiently complete to include factors that would alter a conclusion about the effectiveness and be relevant to an evaluation of internal control. COSO or similar standards are acceptable.
What Must the Outside Accountant’s Attestation on Management’s Internal Control Report Include and What Accounting Standards Will Be Used For Such Attestation?
As previously noted, the Rules require each annual report to include an attestation by the company’s outside accountants in which the accounting firm expresses an opinion, or states that an opinion cannot be expressed and if not, why not, about management’s assessment of the effectiveness of the company’s Internal Control Over Financial Reporting in accordance with standards on attestation engagements. The Act requires the new Public Company Accounting Oversight Board (“PCAOB”) to establish standards for these attestation reports. On October 7, 2003, the PCAOB issued proposed standards and final standards have yet to be implemented.
Can Management Delegate the Evaluation of the Internal Control over Financial Reporting to the Company’s Outside Accountants?
Management cannot delegate the evaluation of the Internal Control Over Financial Reporting to the company’s outside accountants because under the SEC’s rules of auditor independence, one of the prohibited non-audit services that an outside accountant may not provide to its audit client is the monitoring of internal controls. Nevertheless, because under Section 404 of the Act, the outside accountant must attest to the effectiveness of management’s evaluation of the internal controls, the outside accountant must be involved in the assessment. Accordingly, management must be actively involved in the evaluation of the internal controls by the outside accountants and coordinate the process with them. Many companies that require assistance in the design, implementation and evaluation of internal controls are hiring the services of consultants, often former partners of the big four accounting firms, to work hand in hand with management and the outside auditors.
Complying with Section 404 is perceived to be the most burdensome, time-consuming and costly provision of the Act. With the exception of some Fortune 100 companies, most companies do not have the Internal Controls Over Financial Reporting that the Act requires. Most companies do not have the internal capacity or expertise to design, implement and evaluate the Internal Controls Over Financial Reporting without professional help. For auditor independence reasons, companies cannot delegate this task to their outside auditors. The documentation required for adequate internal controls must be such that there is backup for each line item in the financial statements. A similar level of documentation should also be created and preserved to evidence the company’s Disclosure Controls and Procedures. In order to provide the attestation report, the auditors will need to be satisfied not only that the Internal Controls and Procedures and the Disclosure Controls and Procedures are in place but also that the company has complied with all relevant federal securities laws and the rules of the SRO on which the company’s securities are listed. In recognition of all of this, the SEC has given companies an extended period of time to comply. Accelerated filers whose fiscal year ends after November 15, 2004 will need to comply for the fiscal year ended December 31, 2004 in the annual report to be filed in March 2005. This means that the outside auditors will have to sign off on the design, implementation and evaluation of management’s Internal Control over Financial Reporting by the end of the third quarter. Companies should therefore take advantage of the time provided to them by the SEC to put all necessary procedures in place now.
Questions regarding securities law issues may be directed to Raphael S. Grunfeld (firstname.lastname@example.org)
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
© 2017 Carter Ledyard & Milburn LLP.
© Copyright 2004