SEC Adopts Management Guidance on Internal Controls

The SEC has adopted new risk-based, principles-based management guidance for internal control over financial reporting pursuant to section 404 of the Sarbanes-Oxley Act. Section 404, of course, remains unchanged, but the rules and guidance promulgated pursuant to the statute have been reformed in response to concerns that internal controls compliance was overly costly and harmful to the competitiveness of US financial markets. The effective date of the interpretive guidance and adopted rules will be 30 days from their publication in the Federal Register. The full text of the interpretive guidance and rules will be posted to the SEC Web site as soon as possible.

The reforms build on the guidance issued by the SEC in May of 2005. Further, while the SEC incorporated certain sections of the May 2005 staff guidance into the new interpretive guidance, the Commission has emphasized that the staff guidance remains relevant. The PCAOB is slated to adopt a new principles-based internal control standard for auditors tomorrow, which promises to be closely aligned with the guidance.

The Commission's interpretive guidance is centered on two broad principles. The first principle is that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement in the financial statements would not be prevented or detected in a timely manner. The second principle is that management's evaluation of evidence about the operation of its controls should be based on its assessment of risk.

Under the guidance, management can align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the highest risks to reliable financial reporting (that is, whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas. By following these two principles, the SEC believes that companies of all sizes and complexities will be able to implement the rules effectively and efficiently.

While commenters sought guidance and illustrative examples in areas such as the identification of controls that address financial reporting risks, including IT general controls, the SEC said that additional specificity and examples would have the negative consequence of establishing bright line or one-size fits all evaluation approaches. Rather, the Commission wants management to make reasonable judgments that reflect each company's individual facts and circumstances.

The definition of material weakness has been aligned with the PCAOB’s expected definition based on the general principle that the SEC and PCAOB should be in alignment on reform. But even so, some differences are expected to remain between the interpretive management guidance and the PCAOB's audit standard. Far from being contradictions or misalignments, explained the SEC, these differences reflect the fact that management and the auditor have different roles and duties with respect to evaluating and auditing internal controls.

Material weakness is defined as a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Importantly, the SEC clarified that, under Section 404(b), the auditor is not evaluating management’s evaluation process but is opining directly on internal control over financial reporting.

The guidance broadly declares that management's evaluation of internal controls should consider the control environment, and other entity level activities that are necessary to have a system of internal control that is effective at providing reasonable assurance regarding the reliability of financial reporting.

The SEC accepts that the risk of fraudulent financial reporting will exist in all companies. Rigorous evaluations require management to recognize that the existence of a fraud risk does not mean that fraud has occurred. Further, the guidance clarifies that the risk of management override is something that every company needs to consider. Effective control systems ought to take steps to manage this risk, and the Commission believes that companies of all sizes can do so.

The SEC also understands that many of the larger public companies already complying with Section 404 have established a compliant evaluation process that may differ from the approach described in the interpretive guidance. That is okay, said Corp Fin Director John White, since there is no requirement for these companies to alter their procedures from the last three years to align them with the new interpretive guidance, unless they choose to do so.

Also, now, the auditor will be required to express only one opinion directly on the effectiveness of internal control over financial reporting in its audit report. Previously, the auditor expressed two separate opinions: one on effectiveness and another on management's assessment.