• Back To News & Views Listing
• News & Views
• S&W Publications
• Events & Speaking Engagements
• Media Contacts
• Speakers Bureau
• Sign-up for Publications
• Podcasts
• Blogs

• Howard E. Berkenblit

• Corporate
• Securities & Corporate Finance

The Costs and Conflicts of Internal Control Reports and Attestations

In an effort to deter fraud, new rules recently adopted by the Securities and Exchange Commission, pursuant to Section 404 of the Sarbanes-Oxley Act of 2002, will impose new requirements on public companies[1] with respect to maintaining and reporting on their internal control over financial reporting. Management will need to assess the effectiveness of such internal control, and outside auditors will need to attest to management's assessment. The new internal reporting framework will require extensive efforts, time and expense for most companies. Many auditors are offering to assist companies in implementing processes and procedures to enable compliance with the new rules. However, management, boards of directors and auditors must all carefully limit the extent of outside auditor involvement in management's activities to maintain the auditors' independence.

New Rules Relating to Internal Control Over Financial Reporting

The new SEC rules will require a public company to comply with, among other things, the following items:

• management will need to report in its annual report on the effectiveness of the company's internal control over financial reporting.
• the company's independent auditors will have to submit an attestation report on management's assessment of the effectiveness of the company's internal control over financial reporting. This report will be included in the company's annual report and will need to conform with standards to be established by the Public Company Accounting Oversight Board (PCAOB).
• the content of existing CEO and CFO certifications of the accuracy and completeness of the periodic reports will be revised to cover internal control over financial reporting and these certifications will become required exhibits to the company's periodic reports.

The new rules require management to disclose annually any material weakness in the internal control framework. Management will be prohibited from concluding in its report that the company's internal control over financial reporting is effective if one or more material weaknesses are discovered.

Due to the high costs and level of efforts required for companies to comply with the new rules, combined with the delay in the issuance of final standards by the PCAOB for the auditor attestations, the SEC has delayed the effective time of the new rules. U.S. companies meeting the definition of an "accelerated filer" (generally, companies that have market capitalization over $75 million and have filed an annual report) will be required to comply with the internal control reporting requirements for their first annual reports for fiscal years ending on or after June 15, 2004.[2] Several of the revisions to the CEO and CFO certification rules and related form amendments will become effective on August 14, 2003.

Management's Report on Internal Control Over Financial Reporting

The Sarbanes-Oxley Act required the SEC to adopt rules requiring public companies to include in their annual reports, "(1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting." With the adoption of the new SEC rules, management will be obligated to include the following in its annual internal control report:

• a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• a statement identifying the framework used by management to evaluate the effectiveness of this internal control;
• management's assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year; and
• a statement that the company's independent auditors have issued an attestation report on management's assessment.

The new rules define the term "internal control over financial reporting" to mean a process designed by, or under the supervision of, a company's principal executive and principal financial officers, or persons performing similar functions, and effected by the board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that:

• pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;
• provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
• provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

The SEC's definition is based on a subset of the internal controls described in a report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), as such report was later supplemented. Under the COSO framework, internal control is composed of five components: the control environment, risk assessment, control activities, information and communication, and monitoring. Each of these components is described in greater detail in the COSO report and all must be in place for internal control to be effective.

The SEC's final definition encompasses those internal controls from the COSO report that pertain to financial reporting objectives. Unlike the COSO report, the SEC rules do not explicitly cover the elements of effectiveness and efficiency of operations or compliance with applicable laws and regulations, though aspects of these (such as compliance with laws relating to financial statement preparation) will be covered. The SEC's definition further covers internal control over the safeguarding of assets.

The COSO report states that the composition of a company's board and audit committee, and how the directors fulfill their responsibilities related to the financial reporting process, are key aspects of the company's control environment. The SEC cites the COSO report in pointing out that an important element of the company's internal control over financial reporting "is the involvement of the board or audit committee in overseeing the financial reporting process, including assessing the reasonableness of management's accounting judgments and estimates and reviewing key filings with regulatory agencies."

The SEC has not provided specifications as to the exact content of management assessments of internal control over financial reporting. Instead, management must tailor its reports to the specific circumstances of the company and engage in testing and assessments beyond mere inquiries. The methods of conducting evaluations will vary from company to company. In addition, management may not merely state that nothing has come to management's attention to suggest that the company's internal control over financial reporting is not effective. The SEC has listed a variety of controls subject to assessment, including:

• controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure, and related assertions included in the financial statements;
• controls related to the initiation and processing of non-routine and non-systematic transactions;
• controls related to the selection and application of appropriate accounting policies; and controls related to the prevention, identification and detection of fraud.

The SEC's rules provide that a company must maintain evidential matter, including documentation, regarding both the design of internal control and the testing process in order to support management's assessment of the effectiveness of its internal control over financial reporting.

Management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a group that has followed certain procedures. This framework must be free from bias, permit reasonably consistent qualitative and quantitative measurements of a company's internal control, be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control framework are not omitted, and be relevant to an evaluation of internal control over financial reporting. The SEC has specifically cited the framework set forth in the COSO report as one example of a suitable framework.

Attestation Report of Independent Auditors

Pursuant to the Sarbanes-Oxley Act, the SEC's rules also require the independent accounting firm that prepares or issues the company's audit report to submit an attestation report on management's assessment of the effectiveness of the company's internal control over financial reporting. This report must be conducted in accordance with standards to be established by the PCAOB, and will be filed as part of the company's annual report. The PCAOB will have the opportunity to develop its own standards, but in the interim, it has adopted the AICPA's Statements on Standards for Attestation Engagements (SSAE) No. 10, and related interpretations and statements of position. The PCAOB is expected to assess the appropriateness of these standards, and issue modifications as needed (subject to SEC approval).

Auditor Independence Issues

Given the breadth of the SEC's definition of internal control over financial reporting, along with the extensive, formalized steps called for by the COSO framework, even with the extra time allowed by the SEC, companies are already concerned about the expense and efforts necessary to be able to give requisite management assessments and obtain clean attestation reports. While many companies had in place what they believed to be effective procedures and controls, many of these were not formalized or well-documented. Multiple operating segments, different industries and geographical diversities only increase the complexity of the assessment and attestation processes. Legacy systems and acquisitions will further compound the workload of all involved. To sort out what changes are necessary by companies so that their internal control over financial reporting will be effective, management of many companies has sought input and assistance from outside advisors, including their auditors.

While management grapples with its responsibilities, auditors must begin preparing for their attestation procedures. Though still being formulated, the PCAOB's auditor attestation standards are likely to require a much more fulsome review than a mere audit. The auditors will need to evaluate controls across business and functional areas and engage in much more detailed testing than is required by an audit, including in areas not previously reviewed during standard audits. Additionally, in light of the current scandal-ridden environment and related concerns over litigation, auditors are undertaking a greater level of scrutiny for self-protection.

In planning for management's assessments and attestation engagements, companies must keep in mind the SEC's previously articulated principles of auditor independence, namely that (1) auditors cannot function in the role of management, (2) auditors cannot audit their own work, and (3) auditors cannot serve in an advocacy role for their clients. In May 2003, new SEC rules adopted pursuant to Section 201 of the Sarbanes-Oxley Act became effective.[3] Among other things, these rules augmented existing restrictions on the scope of non-audit services that a company's outside auditors could perform while still being considered independent. Each company must carefully consider whether or not its auditors may provide services used to assist management in developing and assessing the internal controls of the company, and whether such services would violate the auditor independence requirements as set forth in recent SEC rules.[4]

Although under the new rules the attestation report on management's assessment of a company's internal control over financial reporting must be provided by the same accounting firm that audits the company's financial statements, management must first independently prepare its evaluation. Due to the overlay of the attestation process on management's assessment, some degree of cooperation and coordination is necessary and warranted. The SEC has stated that the auditor will need to undertake necessary steps to understand a company's internal control framework and what management has done.

The SEC has also stated that auditors may assist management in documenting internal control over financial reporting, so long as management remains active in this documentation process, but management may not delegate to the auditors management's responsibility to assess its internal control over financial reporting. Management may not satisfy its obligations under these rules by merely accepting responsibility for the actions of the auditors. The actual ultimate documentation of internal control and management's evaluation are management functions. The SEC has informally stated that it would be inappropriate for the auditors to perform these roles instead of, or on behalf of, management. The auditors may not step into management's shoes. The SEC has acknowledged in its auditor independence rules that services in connection with the assessment of internal accounting and risk management controls and recommendations for improvements do not impair an accountant's independence. However, the auditors may not engage in the actual design and implementation of internal controls. Further, the SEC believes that the delayed effective date for the new rules gives management greater flexibility to undertake the required efforts themselves with reduced assistance compared to what otherwise might have been necessary to meet a more aggressive deadline.

Some audit firms are providing companies with software packages to purportedly assist the auditors in preparing their attestations. Unless carefully designed, this software could constitute information technology that is significant to the company's financial statements or other financial information systems and thus prohibited. Further, it may not be reasonable to conclude that the results of the auditors' services in implementing such software or related systems will not be subject to audit procedures during an audit of the company's financial statements. In addition, management functions, including performing decision-making or ongoing monitoring functions (one of the key aspects of the COSO framework), may not be performed by the outside auditors.

There appears to be a fundamental friction in using auditors' software or other services to assist management in documenting or monitoring internal control over financial reporting that at the same time will allow the auditors to fill in their attestation "checklists." A representative of the SEC stated that an auditing firm may supply software to assist in the attestation, so long as the software's use is limited to such purpose. If, however, the software is used to assist management in management's reporting on the effectiveness of the internal control over financial reporting then it would not be consistent with the independence requirement of the attestation and, according to the SEC, "could be" problematic. This will be a very difficult line for companies to draw and they should consult with their advisors and audit committees before engaging their auditors to provide any such software or services.

Audit Committee Pre-Approval

Companies need to keep in mind that any services to be performed by their outside auditors must be pre-approved by their audit committees. Even if management is comfortable that the scope of services being provided does not run afoul of the new auditor independence rules, audit committees should actively discuss these issues and, where necessary, modify their scope before providing their approval. As noted above, the COSO report clearly points out the critical role of board and audit committee oversight in the internal control context.

Alternatively, management may simply seek assistance from accounting firms other than their outside auditors in providing non-audit services. Engaging a third party provider unaffiliated with the auditors for assistance has been noted by the SEC as a viable option.

* * *

As public companies struggle to formalize their internal control over financial reporting and strengthen their procedures so that they are effective and withstand the attestation process, they must also be cognizant of potential conflicts of interest and rule violations as they work closely with their auditors to ensure compliance with new SEC rules.

* Howard E. Berkenblit is an attorney with Sullivan & Worcester LLP, a leading corporate law firm with offices in Boston, New York and Washington, D.C. He can be reached at hberkenblit@sandw.com.

Endnotes

1 The rule changes discussed in this article do not apply to registered investment companies, as Section 404 specifically excludes such companies. However, registered investment companies should be aware that certain technical changes have been made to the certifications contained in Form N-CSR and related rules regarding controls and procedures. The new rules also do not apply to asset-backed issuers. Insured depository institutions and holding companies subject to overlapping FDIC requirements must comply with the new SEC rules, but will have some flexibility in complying with both sets of requirements.

2 Small business issuers and foreign private issuers will not be required to comply with the new rules until the filing of their first annual reports for fiscal years ending on or after April 15, 2005. In the case of some foreign private issuers with home country internal control requirements, local requirements may satisfy the company's obligations under the new rules.

3 Non-audit services that a company's independent accounting firm may not be able to provide, depending on the facts and circumstances, include: (1) bookkeeping or other services related to accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; and (8) legal services and expert services unrelated to the audit.

4 SSAE No. 10 also gives some guidance about what is appropriate for attestations versus what constitutes consulting services. Independence of the attesting auditors is a key component of SSAE No. 10.

• Internal_Control_Reports-SRU.pdf