Client Alert
Internal Control Over Financial Reporting: Proposed Interpretive Guidance, Proposed Rulemaking And (For Some Companies) Reporting Relief
January 24, 2007
Last month, the Securities and Exchange Commission (the "SEC"):
- Proposed interpretive guidance1 that is intended to assist public company management in complying with its requirement to assess the effectiveness of internal control over financial reporting2,
- Proposed certain conforming amendments to its rules regarding management’s assessment of the effectiveness of internal control over financial reporting and the related auditor attestation,3 and
- Extended the relief for non-accelerated filers with respect to compliance with the management assessment and auditor attestation requirements.
The proposed interpretive guidance – which focuses on a "top-down, risk-based" approach – is intended to assist public company management in conducting their annual assessment of the effectiveness of internal control over financial reporting, which for both accelerated and large accelerated filers is required to appear in the annual report on Form 10-K. The interpretive guidance should provide management with a more suitable means for conducting the annual assessment and should be much more "management friendly" than the guidance contained in Public Company Accounting Oversight Board (the "PCAOB") Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," which was designed to be utilized primarily by the auditing profession rather than company management when evaluating a company’s system of internal control over financial reporting4.
The SEC also proposed to amend its rules to (i) make it clear that a management assessment conducted in compliance with the SEC’s proposed interpretive guidance would satisfy the annual management evaluation required by current SEC rules, and (ii) require a company’s auditor to provide an opinion directly on the effectiveness of the company’s internal control over financial reporting. Finally, as noted above, the SEC extended – for the fourth time – the deadline for non-accelerated filers to comply with the requirement that (i) management conduct an annual assessment of the effectiveness of internal control over financial reporting, and (ii) the company’s auditor attest to management’s assessment.5
Section 404 Proposed Interpretive Guidance
The SEC’s proposed Section 404 interpretive guidance should be particularly helpful for the management team at smaller public companies, as it would offer a much more scalable solution for conducting the management assessment than the PCAOB’s Auditing Standard No. 2, which has been utilized by some companies during the annual assessment process despite the fact that it was designed for use by the auditors. In addition, although the proposed guidance is not intended to supersede or modify the "Internal Control-Integrated Framework" established by the Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as "COSO") that has been relied on by many management teams to help establish a framework for evaluating internal controls 6, it is intended to provide an approach for management to follow in evaluating and assessing the effectiveness of a company’s internal control over financial reporting (which is notably absent from both the current COSO framework and Auditing Standard No. 2).
Rather than establishing a checklist of steps that management should perform to complete its evaluation, the SEC’s "top-down, risk-based" approach outlined in its proposed interpretive guidance is organized around two core principles:
- Design of the controls: Management must determine whether there is a reasonable possibility that a material misstatement in the company’s financial statements would not be timely identified or prevented by the existing controls. This principle promotes efficiency by allowing management to focus on prevention/detection controls in the context of the company’s financial statements, as opposed to every existing control in all contexts.
- Operation of the controls: Management must analyze evidence about how the existing controls operate based on the risks to reliable financial reporting associated with those controls. This principle promotes efficiency by allowing management to focus on the controls that pose the greatest risk to accurate financial reporting.
Having established the underlying principles, the proposed interpretive guidance proceeds to address a number of topics related to the evaluation process and reporting considerations. The SEC specifically identifies various areas where management should focus when conducting its assessment of the effectiveness of internal control over financial reporting, including:
- Identification of risks to reliable financial reporting and related controls to address such risks. Management should, using its knowledge of the company’s organization and operations, evaluate how the requirements of accounting principles generally accepted in the United States ("GAAP") apply to the company’s business and determine which elements of financial reporting pose the greatest risk of potential misstatements in the financial statements. Once these financial reporting risks are identified, management should then evaluate whether it has established controls (including entity-level controls) that are specifically designed to address each identified financial reporting risk. If the controls are not adequate, there exists a control deficiency that must be analyzed to determine whether it constitutes a material weakness in the company’s system of internal control over financial reporting.
- Evaluation of operating effectiveness of existing controls. In addition to determining whether controls are in place to address financial reporting risks, management should also determine whether those controls are operating effectively to detect and prevent misstatements or omissions in the company’s GAAP-compliant financial statements. Evidence about whether the controls are operating effectively could be obtained both from direct testing of the controls and ongoing monitoring activities with respect to the controls.
- Reporting overall results of management’s evaluation. Upon completion of its evaluation, management must determine whether any control deficiency, or combination of control deficiencies, constitutes a material weakness. If a material weakness is determined to exist, management must disclose that weakness in its assessment of the effectiveness of internal control over financial reporting. Management is not permitted to declare the company’s system of internal control over financial reporting effective if a material weakness in the system has been identified. The proposed interpretive guidance explains how management can evaluate control deficiencies, identifies the factors that management should consider when assessing the likelihood of a misstatement and the magnitude of the potential misstatement, and provides a list of circumstances that constitute "strong indicators" that a material weakness in internal control over financial reporting exists. The proposed guidance also discusses the impact of a prior restatement of financial statements on management’s assessment and reaffirms that management’s assessment cannot contain a scope limitation in any context.
- Documentation. Management is required to maintain "reasonable support" for its assessment of the effectiveness of internal control over financial reporting, and the form and extent of this support will likely differ based on the size, complexity and nature of the company. The support may be documented in various ways (e.g., paper and electronic media) and may be presented in numerous formats (e.g., memoranda, models and flowcharts). The documentation may be focused on those controls that management has previously concluded are designed to address the financial reporting risks of the company.
The procedures adopted in order to build these considerations, among others, into management’s approach for conducting its assessment of the effectiveness of internal control over financial reporting are expected to vary widely from company to company. In particular, the principles-based approach outlined in the SEC’s proposed interpretive guidance is expected to provide smaller companies with the opportunity to craft assessment mechanics that address their specific circumstances, rather than adopting a "one size fits all" process that would likely be costly and unduly burdensome.
SEC’s Proposed Rulemaking
The SEC also proposed to amend its rules regarding management’s assessment of the effectiveness of internal control over financial reporting to take into account the proposed interpretive guidance. Compliance with the evaluation approach set forth in the SEC’s proposed interpretive guidance would not be deemed the only acceptable approach under SEC rules to satisfy the management assessment requirement, but a management assessment conducted in compliance with that approach would serve as a non-exclusive safe harbor for management with respect to its existing obligation to conduct an assessment of the effectiveness of internal control over financial reporting. Finally, to clarify the auditor’s responsibilities with respect to a company’s internal control over financial reporting, the SEC would require that the auditor express an opinion directly on the effectiveness of the company’s internal control over financial reporting – not just on management’s assessment of that effectiveness. The comment period for both the proposed interpretive guidance and proposed rulemaking will close on February 26, 2007.
Section 404 Reporting Relief
For non-accelerated filers (generally companies with a public float of less than $75 million), the SEC extended the compliance date for including the management assessment of the effectiveness of internal control over financial reporting from the annual report for the first fiscal year ending on or after July 15, 2007 to the annual report for the first fiscal year ending on or after December 15, 2007. The SEC also extended the compliance date by which a non-accelerated filer must include the auditor’s attestation regarding management’s assessment from the annual report for the first fiscal year ending on or after July 15, 2007 to the annual report for the first fiscal year ending on or after December 15, 2008. During the first year of compliance, the management assessment and auditor’s attestation will each be deemed "furnished" rather than "filed" under the Securities Exchange Act of 1934, as amended (the "Exchange Act").
In addition, the SEC granted Section 404 relief for companies that are new to the reporting requirements of the Exchange Act (typically companies that recently completed their initial public offering). These companies, regardless of whether they are a non-accelerated filer, accelerated filer or large accelerated filer, will not have to comply with the Section 404 requirements in their first annual report filed after becoming an Exchange Act reporting company. (To view document table, please see PDF version.)
We expect that many public companies will find the SEC’s actions to be helpful with respect to both management’s assessment regarding a company’s internal control over financial reporting and the costs of compliance with Section 404 requirements. The following Womble Carlyle Corporate and Securities attorneys are available to assist you in addressing any questions that you may have regarding the matters discussed in this client alert.
1 See SEC Proposing Release No. 33-8762 (December 20, 2006), which can be accessed at http://www.sec.gov/rules/proposed/2006/33-8762.pdf.
2 The SEC’s internal control over financial reporting requirements are largely based on Section 404 of the Sarbanes-Oxley Act of 2002, and are thus often referred to colloquially as the "Section 404" requirements.
3 The proposed rulemaking was proposed in the same Proposing Release that contained the proposed interpretive guidance. See Note 1, above.
4 See PCAOB Release No. 2006-007 (December 19, 2006), which can be accessed here. The PCAOB has proposed some significant revisions to Auditing Standard No. 2, which governs the process and procedures that must be followed by auditors that audit public company management’s assessment of the effectiveness of internal control over financial reporting. The proposed revisions to Auditing Standard No. 2 are intended to eliminate unnecessary audit procedures, focus the audit on the aspects that are most critical to internal control over financial reporting, provide a more effective framework for auditing internal control over financial reporting with respect to smaller companies, and generally streamline the myriad requirements of existing Auditing Standard No. 2. Comments on the proposed revisions to Auditing Standard No. 2 may be submitted until February 26, 2007.
5 See SEC Adopting Release No. 33-8760 (December 15, 2006), which can be accessed at http://www.sec.gov/rules/final/2006/33-8760.pdf.
6 Note that COSO published additional guidance on July 11, 2006 that is specifically intended to assist the management of smaller companies in applying the COSO framework. See "Internal Control Over Financial Reporting – Guidance for Smaller Companies."
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.
