Wednesday, June 27, 2007

Part III

Securities and Exchange Commission

17 CFR Part 241

Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934; Final Rule
35324 Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 241

[Release Nos. 33–8810; 34–55929; FR–77; File No. S7–24–06]

Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934

AGENCY: Securities and Exchange Commission.

ACTION: Interpretation.

SUMMARY: The SEC is publishing this interpretive release to provide guidance for management regarding its evaluation and assessment of internal control over financial reporting. The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of Rules 13a–15(c) and 15d–15(c) under the Securities Exchange Act of 1934.

DATES: Effective Date: June 27, 2007.

FOR FURTHER INFORMATION CONTACT: Josh K. Jones, Professional Accounting Fellow, Office of the Chief Accountant, at (202) 551–5300, or N. Sean Harrison, Special Counsel, Division of Corporation Finance, at (202) 551–3430, U.S. Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The amendments to Rules 13a–15(c) 1 and 15d–15(c) 2 under the Securities Exchange Act of 1934 3 (the "Exchange Act"), which clarify that an evaluation of internal control over financial reporting that complies with this interpretive guidance is one way to satisfy those rules, are being made in a separate release.4

I. Introduction

Management is responsible for maintaining a system of internal control over financial reporting ("ICFR") that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. The rules we adopted in June 2003 to implement Section 404 of the Sarbanes-Oxley Act of 2002 5 ("Sarbanes-Oxley") require management to annually evaluate whether ICFR is effective at providing reasonable assurance and to disclose its assessment to investors.6 Management is responsible for maintaining evidential matter, including documentation, to provide reasonable support for its assessment. This evidence will also allow a third party, such as the company’s external auditor, to consider the work performed by management.

ICFR cannot provide absolute assurance due to its inherent limitations; it is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, ICFR cannot prevent or detect all misstatements, whether unintentional errors or fraud. However, these inherent limitations are known features of the financial reporting process; therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk.

The "reasonable assurance" referred to in the Commission’s implementing rules relates to similar language in the Foreign Corrupt Practices Act of 1977 ("FCPA").7 Exchange Act Section 13(b)(7) defines "reasonable assurance" and "reasonable detail" as "such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs." 8 The Commission has long held that "reasonableness" is not an "absolute standard of exactitude for corporate records." 9 In addition, the Commission recognizes that while "reasonableness" is an objective standard, there is a range of judgments that an issuer might make as to what is "reasonable" in implementing Section 404 and the Commission’s rules. Thus, the terms "reasonable," "reasonably," and "reasonableness" in the context of Section 404 implementation do not imply a single conclusion or methodology, but encompass the full range of appropriate potential conduct, conclusions or methodologies upon which an issuer may reasonably base its decisions.

Since companies first began complying in 2004, the Commission has received significant feedback on our rules implementing Section 404.10 This feedback included requests for further guidance to assist company management in complying with our ICFR evaluation and disclosure requirements. This guidance is in response to those requests and reflects the significant feedback we have received, including comments on the interpretive guidance we proposed on December 20, 2006. In addressing a number of the commonly identified areas of concern, the interpretive guidance:

• Explains how to vary evaluation approaches for gathering evidence based on risk assessments;
• Explains the use of "daily interaction," self-assessment, and other on-going monitoring activities as evidence in the evaluation;
• Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment;
• Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
• Allows for management and the auditor to have different testing approaches.

The Interpretive Guidance is organized around two broad principles. The first principle is that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. The guidance describes a top-down, risk-based approach to this principle, including the role of entity-level controls in assessing financial reporting risks and the adequacy of controls. The guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement of its financial statements. The guidance does not require management to identify every control in a process or document the business processes impacting ICFR. Rather, management can focus its evaluation process and the documentation supporting the assessment on those controls that it determines adequately address the risk of a material misstatement of the financial statements. For example, if management determines that a risk of a material misstatement is adequately addressed by an entity-level control, no further evaluation of other controls is required.

The second principle is that management’s evaluation of evidence about the operation of its controls should be based on its assessment of risk. The guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the highest risks to reliable financial reporting (that is, whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments, in low-risk areas and perform more extensive testing in high-risk areas. By following these two principles, we believe companies of all sizes and complexities will be able to implement our rules effectively and efficiently.

The Interpretive Guidance reiterates the Commission’s position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective. This allows management sufficient and appropriate flexibility to design such an evaluation process.11 Smaller public companies, which generally have less complex internal control systems than larger public companies, can use this guidance to scale and tailor their evaluation methods and procedures to fit their own facts and circumstances. We encourage smaller public companies 12 to take advantage of the flexibility and scalability to conduct an evaluation of ICFR that is both efficient and effective at identifying material weaknesses.

The effort necessary to conduct an initial evaluation of ICFR will vary among companies, partly because this effort will depend on management’s existing financial reporting risk assessment and control monitoring activities. After the first year of compliance, management’s effort to identify financial reporting risks and controls should ordinarily be less, because subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the documentation of risks and controls will only need to be updated from the prior year(s), not recreated anew. Through the risk and control identification process, management will have identified for testing only those controls that are needed to meet the objective of ICFR (that is, to provide reasonable assurance regarding the reliability of financial reporting) and for which evidence about their operation can be obtained most efficiently. The nature and extent of procedures implemented to evaluate whether those controls continue to operate effectively can be tailored to the company’s unique circumstances, thereby avoiding unnecessary compliance costs.

The guidance assumes management has established and maintains a system of internal accounting controls as required by the FCPA. Further, it is not intended to explain how management should design its ICFR to comply with the control framework management has chosen. To allow appropriate flexibility, the guidance does not provide a checklist of steps management should perform in completing its evaluation.

The guidance in this release shall be effective immediately upon its publication in the Federal Register.13

As a companion 14 to this interpretive release, we are adopting amendments to Exchange Act Rules 13a–15(c) and 15d–15(c) and revisions to Regulation S–X.15 The amendments to Rules 13a–15(c) and 15d–15(c) will make it clear that an evaluation that is conducted in accordance with this interpretive guidance is one way to satisfy the annual management evaluation requirement in those rules. We are also amending our rules to define the term "material weakness" and to revise the requirements regarding the auditor’s attestation report on ICFR. Additionally, we are seeking additional comment on the definition of the term "significant deficiency." 16

II. Interpretive Guidance—Evaluation and Assessment of Internal Control Over Financial Reporting

The interpretive guidance addresses the following topics:

A. The Evaluation Process
1. Identifying Financial Reporting Risks and Controls
a. Identifying Financial Reporting Risks
b. Identifying Controls That Adequately Address Financial Reporting Risks
c. Consideration of Entity-Level Controls
d. Role of Information Technology General Controls
e. Evidential Matter To Support the Assessment
2. Evaluating Evidence of the Operating Effectiveness of ICFR
a. Determining the Evidence Needed To Support the Assessment
b. Implementing Procedures To Evaluate Evidence of the Operation of ICFR
c. Evidential Matter To Support the Assessment
3. Multiple Location Considerations
B. Reporting Considerations
1. Evaluation of Control Deficiencies
2. Expression of Assessment of Effectiveness of ICFR by Management
3. Disclosures About Material Weaknesses
4. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR
5. Inability To Assess Certain Aspects of ICFR

A. The Evaluation Process

The objective of internal control over financial reporting 17 ("ICFR") is to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles ("GAAP"). The purpose of the evaluation of ICFR is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses 18 in ICFR exist as of the end of the fiscal year.19 To accomplish this, management identifies the risks to reliable financial reporting, evaluates whether controls exist to address those risks, and evaluates evidence about the operation of the controls included in the evaluation based on its assessment of risk.20 The evaluation process will vary from company to company; however, the top-down, risk-based approach which is described in this guidance will typically be the most efficient and effective way to conduct the evaluation.

The evaluation process guidance is described in two sections. The first section explains the identification of financial reporting risks and the evaluation of whether the controls management has implemented adequately address those risks. The second section explains an approach for making judgments about the methods and procedures for evaluating whether the operation of ICFR is effective. Both sections explain how entity-level controls 21 impact the evaluation process, as well as how management should focus its evaluation efforts on the highest risks to reliable financial reporting.22

Under the Commission’s rules, management’s annual assessment of the effectiveness of ICFR must be made in accordance with a suitable control framework’s 23 definition of effective internal control.24 These control frameworks define elements of internal control that are expected to be present and functioning in an effective internal control system. In assessing effectiveness, management evaluates whether its ICFR includes policies, procedures and activities that address the elements of internal control that the applicable control framework describes as necessary for an internal control system to be effective. The framework elements describe the characteristics of an internal control system that may be relevant to individual areas of the company’s ICFR, pervasive to many areas, or entity-wide. Therefore, management’s evaluation process includes not only controls involving particular areas of financial reporting, but also the entity-wide and other pervasive elements of internal control defined by its selected control framework. This guidance is not intended to replace the elements of an effective system of internal control as defined within a control framework.

1. Identifying Financial Reporting Risks and Controls

Management should evaluate whether it has implemented controls that will achieve the objective of ICFR (that is, to provide reasonable assurance regarding the reliability of financial reporting). The evaluation begins with the identification and assessment of the risks to reliable financial reporting (that is, materially accurate financial statements), including changes in those risks. Management then evaluates whether it has controls placed in operation (that is, in use) that are designed to adequately address those risks. Management ordinarily would consider the company’s entity-level controls in both its assessment of risks and in identifying which controls adequately address the risks.

The evaluation approach described herein allows management to identify controls and maintain supporting evidential matter for its controls in a manner that is tailored to the company’s financial reporting risks (as defined below). Thus, the controls that management identifies and documents are those that are important to achieving the objective of ICFR. These controls are then subject to procedures to evaluate evidence of their operating effectiveness, as determined pursuant to Section II.A.2.

a. Identifying Financial Reporting Risks

Management should identify those risks of misstatement that could, individually or in combination with others, result in a material misstatement of the financial statements ("financial reporting risks"). Ordinarily, the identification of financial reporting risks begins with evaluating how the requirements of GAAP apply to the company’s business, operations and transactions. Management must provide investors with financial statements that fairly present the company’s financial position, results of operations and cash flows in accordance with GAAP. A lack of fair presentation arises when one or more financial statement amounts or disclosures ("financial reporting elements") contain misstatements (including omissions) that are material.

Management uses its knowledge and understanding of the business, and its organization, operations, and processes, to consider the sources and potential likelihood of misstatements in financial reporting elements. Internal and external risk factors that impact the business, including the nature and extent of any changes in those risks, may give rise to a risk of misstatement. Risks of misstatement may also arise from sources such as the initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements. Management may find it useful to consider "what could go wrong" within a financial reporting element in order to identify the sources and the potential likelihood of misstatements and identify those that could result in a material misstatement of the financial statements.

The methods and procedures for identifying financial reporting risks will vary based on the characteristics of the company. These characteristics include, among others, the size, complexity, and organizational structure of the company and its processes and financial reporting environment, as well as the control framework used by management. For example, to identify financial reporting risks in a larger business or a complex business process, management’s methods and procedures may involve a variety of company personnel, including those with specialized knowledge. These individuals, collectively, may be necessary to have a sufficient understanding of GAAP, the underlying business transactions and the process activities, including the role of computer technology, that are required to initiate, authorize, record and process transactions. In contrast, in a small company that operates on a centralized basis with less complex business processes and with little change in the risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.

Management’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity (for example, fraudulent financial reporting, misappropriation of assets and corruption), and whether any such exposure could result in a material misstatement of the financial statements.25 The extent of activities required for the evaluation of fraud risks is commensurate with the size and complexity of the company’s operations and financial reporting environment.26 Management should recognize that the risk of material misstatement due to fraud ordinarily exists in any organization, regardless of size or type, and it may vary by specific location or segment and by individual financial reporting element. For example, one type of fraud risk that has resulted in fraudulent financial reporting in companies of all sizes and types is the risk of improper override of internal controls in the financial reporting process. While the identification of a fraud risk is not necessarily an indication that a fraud has occurred, the absence of an identified fraud is not an indication that no fraud risks exist. Rather, these risk assessments are used in evaluating whether adequate controls have been implemented.

b. Identifying Controls That Adequately Address Financial Reporting Risks

Management should evaluate whether it has controls 27 placed in operation (that is, in use) that adequately address the company’s financial reporting risks. The determination of whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about whether the controls, if operating properly, can effectively prevent or detect misstatements that could result in material misstatements in the financial statements.28 If management determines that a deficiency in ICFR exists, it must be evaluated to determine whether a material weakness exists.29 The guidance in Section II.B.1. is designed to assist management with that evaluation.

Management may identify preventive controls, detective controls, or a combination of both, as adequately addressing financial reporting risks.30 There might be more than one control that addresses the financial reporting risks for a financial reporting element; conversely, one control might address the risks of more than one financial reporting element. It is not necessary to identify all controls that may exist or identify redundant controls, unless redundancy itself is required to address the financial reporting risks. To illustrate, management may determine that the risk of a misstatement in interest expense, which could result in a material misstatement of the financial statements, is adequately addressed by a control within the company’s period-end financial reporting process (that is, an entity-level control). In such a case, management may not need to identify, for purposes of the ICFR evaluation, any

Footnotes

1 17 CFR 240.13a–15(c).
2 17 CFR 240.15d–15(c).
3 15 U.S.C. 78a et seq.
4 Release No. 34–55928 (Jun. 20, 2007).
5 15 U.S.C. 7262.
6 Release No. 33–8238 (Jun. 5, 2003) [68 FR 36636] (hereinafter "Adopting Release").
7 Title 1 of Pub. L. 95–213 (1977).
8 15 U.S.C. 78m(b)(7). The conference committee report on the 1988 amendments to the FCPA also noted that the standard "does not connote an unrealistic degree of exactitude or precision. The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance." Cong. Rec. H2116 (daily ed. Apr. 20, 1988).
9 Release No. 34–17500 (Jan. 29, 1981) [46 FR 11544].
10 Release Nos. 33–8762; 34–54976 (Dec. 20, 2006) [71 FR 77635] (hereinafter "Proposing Release"). For a detailed history of the implementation of Section 404 of Sarbanes-Oxley, see Section I., Background, of the Proposing Release. An analysis of the comments we received on the Proposing Release is included in Section III of this release.
11 Exchange Act Rules 13a–15 and 15d–15 [17 CFR 240.13a–15 and 15d–15] require management to evaluate the effectiveness of ICFR as of the end of the fiscal year. For purposes of this document, the term "evaluation" or "evaluation process" refers to the methods and procedures that management implements to comply with these rules. The term "assessment" is used in this document to describe the disclosure required by Item 308 of Regulations S–B and S–K [17 CFR 228.308 and 229.308]. This disclosure must include discussion of any material weaknesses which exist as of the end of the most recent fiscal year and management’s assessment of the effectiveness of ICFR, including a statement as to whether or not ICFR is effective. Management is not permitted to conclude that ICFR is effective if there are one or more material weaknesses in ICFR.
12 While a company’s individual facts and circumstances should be considered in determining whether a company is a smaller public company and the resulting implications to management’s evaluation, a company’s public market capitalization and annual revenues are useful indicators of its size and complexity. The Final Report of the Advisory Committee on Smaller Public Companies to the United States Securities and Exchange Commission (Apr. 23, 2006), available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf, defined smaller companies, which included microcap companies, and the SEC’s rules include size characteristics for "accelerated filers" and "non-accelerated filers" which approximately fit the same definitions.
13 The Commission finds good cause under 5 U.S.C. 808(2) for this interpretation to take effect on the date of Federal Register publication. Further delay would be unnecessary and contrary to the public interest because following the guidance is voluntary. Additionally, delay may deter companies from realizing all the efficiencies intended by this guidance, and immediate effectiveness will assist in preparing for 2007 evaluations and assessments of internal control over financial reporting.
14 Release No. 34–55928.
15 17 CFR 210.1–01 et seq.
16 Release No. 34–55930 (Jun. 20, 2007).
17 Exchange Act Rules 13a–15(f) and 15d–15(f) [17 CFR 240.13a–15(f) and 15d–15(b)] define internal control over financial reporting as: A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.
18 As defined in Exchange Act Rule 12b–2 [17 CFR 240.12b–2] and Rule 1–02 of Regulation S–X [17 CFR 210.1–02], a material weakness is a deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the registrant’s annual or interim financial statements will not be prevented or detected on a timely basis. See Release No. 34–55928.
19 This focus on material weaknesses will lead to a better understanding by investors about the company’s ICFR, as well as its inherent limitations. Further, the Commission’s rules implementing Section 404, by providing for public disclosure of material weaknesses, concentrate attention on the most important internal control issues.
20 If management’s evaluation process identifies material weaknesses, but all material weaknesses are remediated by the end of the fiscal year, management may conclude that ICFR is effective as of the end of the fiscal year. However, management should consider whether disclosure of such remediated material weaknesses is appropriate or required under Item 307 or Item 308 of Regulations S–K or S–B or other Commission disclosure rules.
21 The term "entity-level controls" as used in this document describes aspects of a system of internal control that have a pervasive effect on the entity’s system of internal control such as controls related to the control environment (for example, management’s philosophy and operating style, integrity and ethical values; board or audit committee oversight; and assignment of authority and responsibility); controls over management override; the company’s risk assessment process; centralized processing and controls, including shared service environments; controls to monitor results of operations; controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; controls over the period-end financial reporting process; and policies that address significant business control and risk management practices. The terms "company-level" and "entity-wide" are also commonly used to describe these controls.
22 Because management is responsible for maintaining effective ICFR, this interpretive guidance does not specifically address the role of the board of directors or audit committee in a company’s evaluation and assessment of ICFR. However, we would ordinarily expect a board of directors or audit committee, as part of its oversight responsibilities for the company’s financial reporting, to be reasonably knowledgeable and informed about the evaluation process and management’s assessment, as necessary in the circumstances.
23 In the Adopting Release, the Commission specified characteristics of a suitable control framework and identified the Internal Control—Integrated Framework (1992) created by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") as an example of a suitable framework. We also cited the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants ("CoCo") and the report published by the Institute of Chartered Accountants in England & Wales Internal Control: Guidance for Directors on the Combined Code (known as the Turnbull Report) as examples of other suitable frameworks that issuers could choose in evaluating the effectiveness of their ICFR. We encourage companies to examine and select a framework that may be useful in their own circumstances; we also encourage the further development of existing and alternative frameworks.
24 For example, both the COSO framework and the Turnbull Report state that determining whether a system of internal control is effective is a subjective judgment resulting from an assessment of whether the five components (that is, control environment, risk assessment, control activities, monitoring, and information and communication) are present and functioning effectively. Although CoCo states that an assessment of effectiveness should be made against twenty specific criteria, it acknowledges that the criteria can be regrouped into different structures, and includes a table showing how the criteria can be regrouped into the five-component structure of COSO.
25 For example, COSO’s Internal Control Over Financial Reporting—Guidance for Smaller Public Companies (2006), Volume 1: Executive Summary, Principle 10: Fraud Risk (page 10) states, "The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives."
26 Management may find resources such as "Management Antifraud Programs and Controls—Guidance to Help Prevent, Deter, and Detect Fraud," which was issued jointly by seven professional organizations and is included as an exhibit to AU Sec. 316, Consideration of Fraud in a Financial Statement Audit (as adopted on an interim basis by the PCAOB in PCAOB Rule 3200T), helpful in assessing fraud risks. Other resources also exist (for example, the American Institute of Certified Public Accountants’ (AICPA) Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention (2005)), and more may be developed in the future.
27 A control consists of a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control’s impact on ICFR may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics—for example, they can be: Automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives).
28 Companies may use "control objectives," which provide specific criteria against which to evaluate the effectiveness of controls, to assist in evaluating whether controls can prevent or detect misstatements.
29 A deficiency in the design of ICFR exists when (a) Necessary controls are missing or (b) existing controls are not properly designed so that, even if the control operates as designed, the financial reporting risks would not be addressed.
30 Preventive controls have the objective of preventing the occurrence of errors or fraud that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements. Preventive and detective controls may be completely manual, involve some degree of computer automation, or be completely automated.

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
35328 Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations

additional controls related to the risk of the characteristics of the controls that lower-level controls occurred. However,
misstatement in interest expense. should inform its judgments about the if the amount of potential misstatement
Management may also consider the risk that a control will fail to operate as that could exist before being detected by
efficiency with which evidence of the designed. This includes, for example, the monitoring control is too high, then
operation of a control can be evaluated information about the judgment the control may not adequately address
when identifying the controls that required in its operation and the financial reporting risks of a
adequately address the financial information about the complexity of the financial reporting element.
reporting risks. When more than one controls. Section II.A.2. discusses how Entity-level controls may be designed
control exists and each adequately these characteristics are considered in to operate at the process, application,
addresses a financial reporting risk, determining the nature and extent of transaction or account-level and at a
management may decide to select the evidence of the operation of the controls level of precision that would adequately
control for which evidence of operating that management evaluates. prevent or detect on a timely basis
effectiveness can be obtained more At the end of this identification misstatements in one or more financial
efficiently. Moreover, when adequate process, management has identified for reporting elements that could result in
information technology (‘‘IT’’) general evaluation those controls that are a material misstatement of the financial
controls exist and management has needed to meet the objective of ICFR statements. In these cases, management
determined that the operation of such (that is, to provide reasonable assurance may not need to identify or evaluate
controls is effective, management may regarding the reliability of financial additional controls relating to that
determine that automated controls are reporting) and for which evidence about financial reporting risk.
more efficient to evaluate than manual their operation can be obtained most
controls. Considering the efficiency d. Role of Information Technology
efficiently.
with which the operation of a control General Controls
can be evaluated will often enhance the c. Consideration of Entity-Level Controls that management identifies
overall efficiency of the evaluation Controls as addressing financial reporting risks
process. Management considers entity-level may be automated,34 dependent upon IT
In addition to identifying controls that controls when identifying financial functionality,35 or a combination of both
address the financial reporting risks of reporting risks and related controls for manual and automated procedures.36 In
individual financial reporting elements, a financial reporting element. In doing these situations, management’s
management also evaluates whether it so, it is important for management to evaluation process generally considers
has controls in place to address the consider the nature of the entity-level the design and operation of the
entity-level and other pervasive controls and how those controls relate automated or IT dependent application
elements of ICFR that its chosen control to the financial reporting element. The controls and the relevant IT general
framework prescribes as necessary for more indirect the relationship to a controls over the applications providing
an effective system of internal control. financial reporting element, the less the IT functionality. While IT general
This would ordinarily include, for effective a control may be in preventing controls alone ordinarily do not
example, considering how and whether or detecting a misstatement.33 adequately address financial reporting
controls related to the control Some entity-level controls, such as risks, the proper and consistent
environment, controls over management certain control environment controls, operation of automated controls or IT
override, the entity-level risk have an important, but indirect, effect functionality often depends upon
assessment process and monitoring on the likelihood that a misstatement effective IT general controls. The
activities,31 controls over the period-end will be prevented or detected on a identification of risks and controls
financial reporting process,32 and the timely basis. These controls might affect within IT should not be a separate
policies that address significant the other controls management evaluation. Instead, it should be an
business control and risk management determines are necessary to adequately integral part of management’s top-down,
practices are adequate for purposes of address financial reporting risks for a risk-based approach to identifying risks
an effective system of internal control. financial reporting element. However, it and controls and in determining
The control frameworks and related is unlikely that management will evidential matter necessary to support
guidance may be useful tools for identify only this type of entity-level the assessment.
evaluating the adequacy of these control as adequately addressing a Aspects of IT general controls that
elements of ICFR. financial reporting risk identified for a may be relevant to the evaluation of
When identifying the controls that financial reporting element. ICFR will vary depending upon a
address financial reporting risks, Other entity-level controls may be company’s facts and circumstances. For
management learns information about designed to identify possible purposes of the evaluation of ICFR,
breakdowns in lower-level controls, but management only needs to evaluate
31 Monitoring activities may include controls to
not in a manner that would, by those IT general controls that are
monitor results of operations and controls to
monitor other controls, including activities of the
themselves, adequately address necessary for the proper and consistent
internal audit function, the audit committee, and financial reporting risks. For example, operation of other controls designed to
self-assessment programs. an entity-level control that monitors the adequately address financial reporting
32 The nature of controls within the period-end
results of operations may be designed to risks. For example, management might
financial reporting process will vary based on a detect potential misstatements and consider whether certain aspects of IT
company’s facts and circumstances. The period-end
financial reporting process may include matters investigate whether a breakdown in
34 For example, application controls that perform
such as: Procedures to enter transaction totals into
the general ledger; the initiation, authorization, 33 Controls can be either directly or indirectly automated matching, error checking or edit
recording and processing of journal entries in the related to a financial reporting element. Controls checking functions.
rwilkins on PROD1PC63 with RULES3

35 For example, consistent application of a


general ledger; procedures for the selection and that are designed to have a specific effect on a
application of accounting policies; procedures used financial reporting element are considered directly formula or performance of a calculation and posting
to record recurring and non-recurring adjustments related. For example, controls established to ensure correct balances to appropriate accounts or ledgers.
to the annual and quarterly financial statements; that personnel are properly counting and recording 36 For example, a control that manually

and procedures for preparing annual and quarterly the annual physical inventory relate directly to the investigates items contained in a computer
financial statements and related disclosures. existence of the inventory. generated exception report.

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations 35329

general control areas, such as program In addition to providing support for sufficient to provide a reasonable basis
development, program changes, the assessment of ICFR, documentation for its evaluation of the operation of
computer operations, and access to of the design of controls also supports ICFR, management should consider not
programs and data, apply to its facts and other objectives of an effective system of only the quantity of evidence (for
circumstances.37 Specifically, it is internal control. For example, it serves example, sample size), but also the
unnecessary to evaluate IT general as evidence that controls within ICFR, qualitative characteristics of the
controls that primarily pertain to including changes to those controls, evidence. The qualitative characteristics
efficiency or effectiveness of a have been identified, are capable of of the evidence include the nature of the
company’s operations, but which are being communicated to those evaluation procedures performed, the
not relevant to addressing financial responsible for their performance, and period of time to which the evidence
reporting risks. are capable of being monitored by the relates, the objectivity 40 of those
company. evaluating the controls, and, in the case
e. Evidential Matter To Support the of on-going monitoring activities, the
Assessment 2. Evaluating Evidence of the Operating
Effectiveness of ICFR extent of validation through direct
As part of its evaluation of ICFR, testing of underlying controls. For any
Management should evaluate individual control, different
management must maintain reasonable evidence of the operating effectiveness
support for its assessment.38 combinations of the nature, timing, and
of ICFR. The evaluation of the operating extent of evaluation procedures may
Documentation of the design of the effectiveness of a control considers provide sufficient evidence. The
controls management has placed in whether the control is operating as sufficiency of evidence is not
operation to adequately address the designed and whether the person necessarily determined by any of these
financial reporting risks, including the performing the control possesses the attributes individually.
entity-level and other pervasive necessary authority and competence to
elements necessary for effective ICFR, is perform the control effectively. The a. Determining the Evidence Needed To
an integral part of the reasonable evaluation procedures that management Support the Assessment
support. The form and extent of the uses to gather evidence about the Management should evaluate the
documentation will vary depending on operation of the controls it identifies as ICFR risk of the controls identified in
the size, nature, and complexity of the adequately addressing the financial Section II.A.1.b as adequately
company. It can take many forms (for reporting risks for financial reporting addressing the financial reporting risks
example, paper documents, electronic, elements (pursuant to Section II.A.1.b) for financial reporting elements to
or other media). Also, the should be tailored to management’s determine the evidence needed to
documentation can be presented in a assessment of the risk characteristics of support the assessment. This evaluation
number of ways (for example, policy both the individual financial reporting should consider the characteristics of
manuals, process models, flowcharts, elements and the related controls the financial reporting elements to
job descriptions, documents, internal (collectively, ICFR risk). Management which the controls relate and the
memorandums, forms, etc). The should ordinarily focus its evaluation of characteristics of the controls
documentation does not need to include the operation of controls on areas posing themselves. This concept is illustrated
all controls that exist within a process the highest ICFR risk. Management’s in the following diagram.
that impacts financial reporting. Rather, assessment of ICFR risk also considers
the documentation should be focused the impact of entity-level controls, such 40 In determining the objectivity of those
on those controls that management as the relative strengths and weaknesses evaluating controls, management is not required to
concludes are adequate to address the of the control environment, which may make an absolute conclusion regarding objectivity,
financial reporting risks.39 influence management’s judgments but rather should recognize that personnel will
about the risks of failure for particular have varying degrees of objectivity based on, among
other things, their job function, their relationship to
37 However, the reference to these specific IT controls. the control being evaluated, and their level of
general control areas as examples within this Evidence about the effective operation authority and responsibility within the
guidance does not imply that these areas, either of controls may be obtained from direct organization. Personnel whose core function
partially or in their entirety, are applicable to all involves permanently serving as a testing or
facts and circumstances. As indicated, companies
testing of controls and on-going
compliance authority at the company, such as
need to take their particular facts and circumstances monitoring activities. The nature, timing internal auditors, normally are expected to be the
into consideration in determining which aspects of and extent of evaluation procedures most objective. However, the degree of objectivity
IT general controls are relevant. necessary for management to obtain of other company personnel may be such that the
38 See instructions to Item 308 of Regulations S-
sufficient evidence of the effective evaluation of controls performed by them would
K and S-B. provide sufficient evidence. Management’s
39 Section II.A.2.c also provides guidance with operation of a control depend on the judgments about whether the degree of objectivity
regard to the documentation required to support assessed ICFR risk. In determining is adequate to provide sufficient evidence should
management’s evaluation of operating effectiveness. whether the evidence obtained is take into account the ICFR risk.
rwilkins on PROD1PC63 with RULES3

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
35330 Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations

Management’s consideration of the • The competence of the personnel significant judgment, or are complex,
misstatement risk of a financial who perform the control or monitor its they should generally be assessed as
reporting element includes both the performance; having higher ICFR risk.
materiality of the financial reporting • Whether there have been changes in When a combination of controls is
element and the susceptibility of the key personnel who either perform the required to adequately address the risks
underlying account balances, control or monitor its performance; related to a financial reporting element,
transactions or other supporting • The nature and materiality of management should analyze the risk
information to a misstatement that misstatements that the control is characteristics of the controls. This is
could be material to the financial intended to prevent or detect; because the controls associated with a
statements. As the materiality of a • The degree to which the control given financial reporting element may
financial reporting element increases in relies on the effectiveness of other not necessarily share the same risk
relation to the amount of misstatement controls (for example, IT general characteristics. For example, a financial
that would be considered material to the controls); and reporting element involving significant
financial statements, management’s • The evidence of the operation of the
estimation may require a combination of
assessment of misstatement risk for the control from prior year(s).
For example, management’s judgment automated controls that accumulate
financial reporting element generally source data and manual controls that
of the risk of control failure would be
would correspondingly increase. In require highly judgmental
higher for controls whose operation
addition, management considers the determinations of assumptions. In this
requires significant judgment than for
extent to which the financial reporting case, the automated controls may be
non-complex controls requiring less
elements include transactions, account judgment. subject to a system that is stable (that is,
balances or other supporting Financial reporting elements that has not undergone significant change)
information that are prone to material involve related party transactions, and is supported by effective IT general
misstatement. For example, the extent to critical accounting policies,41 and controls and are therefore assessed as
which a financial reporting element: (1) related critical accounting estimates 42 lower risk, whereas the manual controls
Involves judgment in determining the generally would be assessed as having a would be assessed as higher risk.
recorded amounts; (2) is susceptible to higher misstatement risk. Further, when The consideration of entity-level
fraud; (3) has complex accounting the controls related to these financial controls (for example, controls within
requirements; (4) experiences change in reporting elements are subject to the risk the control environment) may influence
the nature or volume of the underlying of management override, involve management’s determination of the
transactions; or (5) is sensitive to evidence needed to sufficiently support
changes in environmental factors, such 41 ‘‘Critical accounting policies’’ are defined as its assessment of ICFR. For example,
as technological and/or economic those policies that are most important to the management’s judgment about the
developments, would generally affect financial statement presentation, and require likelihood that a control fails to operate
management’s most difficult, subjective, or complex
management’s judgment of whether a judgments, often as the result of a need to make effectively may be influenced by a
misstatement risk is higher or lower. estimates about the effect of matters that are highly effective control environment
Management’s consideration of the inherently uncertain. See Release No. 33–8040 (Dec. and thereby impact the evidence
12, 2001) [66 FR 65013].
likelihood that a control might fail to 42 ‘‘Critical accounting estimates’’ relate to
evaluated for that control. However, a
operate effectively includes, among estimates or assumptions involved in the strong control environment would not
other things: application of generally accepted accounting eliminate the need to evaluate the
principles where the nature of the estimates or operation of the control in some
• The type of control (that is, manual assumptions is material due to the levels of
or automated) and the frequency with subjectivity and judgment necessary to account for
manner.
which it operates; highly uncertain matters or the susceptibility of b. Implementing Procedures To Evaluate
rwilkins on PROD1PC63 with RULES3

such matters to change and the impact of the


• The complexity of the control; estimates and assumptions on financial condition Evidence of the Operation of ICFR
• The risk of management override; or operating performance is material. See Release
Management should evaluate
No. 33–8350 (Dec. 19, 2003) [68 FR 75056]. For
• The judgment required to operate additional information, see, for example, Release evidence that provides a reasonable
the control; basis for its assessment of the operating
ER27JN07.000</GPH>

No. 33–8098 (May 10, 2002) [67 FR 35620].

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations 35331

effectiveness of the controls identified due to the evaluator’s lower degree of knowledgeable about the operation of
in Section II.A.1. Management uses its objectivity. the controls. In these situations,
assessment of ICFR risk, as determined As the ICFR risk increases, management would ordinarily utilize
in Section II.A.2 to determine the management will ordinarily adjust the direct testing or on-going monitoring-
evaluation methods and procedures nature of the evidence that is obtained. type evaluation procedures to obtain
necessary to obtain sufficient evidence. For example, management can increase reasonable support for the assessment.
The evaluation methods and procedures the evidence from on-going monitoring Management evaluates the evidence it
may be integrated with the daily activities by utilizing personnel who are gathers to determine whether the
responsibilities of its employees or more objective and/or increasing the operation of a control is effective. This
implemented specifically for purposes extent of validation through periodic evaluation considers whether the
of the ICFR evaluation. Activities that direct testing of the underlying controls. control operated as designed. It also
are performed for other reasons (for Management can also vary the evidence considers matters such as how the
example, day-to-day activities to obtained by adjusting the period of time control was applied, the consistency
manage the operations of the business) covered by direct testing. When ICFR with which it was applied, and whether
may also provide relevant evidence. risk is assessed as high, the evidence the person performing the control
Further, activities performed to meet the management obtains would ordinarily possesses the necessary authority and
monitoring objectives of the control consist of direct testing or on-going competence to perform the control
framework may provide evidence to monitoring activities performed by effectively. If management determines
support the assessment of the operating individuals who have a higher degree of that the operation of the control is not
effectiveness of ICFR. objectivity. In situations where a effective, a deficiency exists that must
company’s on-going monitoring be evaluated to determine whether it is
The evidence management evaluates activities utilize personnel who are not a material weakness.
comes from direct tests of controls, on- adequately objective, the evidence
going monitoring, or a combination of c. Evidential Matter To Support the
obtained would normally be
both. Direct tests of controls are tests Assessment
supplemented with direct testing by
ordinarily performed on a periodic basis those who are independent from the Management’s assessment must be
by individuals with a high degree of operation of the control. In these supported by evidential matter that
objectivity relative to the controls being situations, direct testing of controls provides reasonable support for its
tested. Direct tests provide evidence as corroborates evidence from on-going assessment. The nature of the evidential
of a point in time and may provide monitoring activities as well as matter may vary based on the assessed
information about the reliability of on- evaluates the operation of the level of ICFR risk of the underlying
going monitoring activities. On-going underlying controls and whether they controls and other circumstances.
monitoring includes management’s continue to adequately address financial Reasonable support for an assessment
normal, recurring activities that provide reporting risks. When ICFR risk is would include the basis for
information about the operation of assessed as low, management may management’s assessment, including
controls. These activities include, for conclude that evidence from on-going documentation of the methods and
example, self-assessment 43 procedures monitoring is sufficient and that no procedures it utilizes to gather and
and procedures to analyze performance direct testing is required. Further, evaluate evidence.
measures designed to track the management’s evaluation would The evidential matter may take many
operation of controls.44 Self-assessment ordinarily consider evidence from a forms and will vary depending on the
is a broad term that can refer to different reasonable period of time during the assessed level of ICFR risk for controls
types of procedures performed by year, including the fiscal year-end. over each of its financial reporting
individuals with varying degrees of In smaller companies, management’s elements. For example, management
daily interaction with its controls may may document its overall strategy in a
objectivity. It includes assessments
provide it with sufficient knowledge comprehensive memorandum that
made by the personnel who operate the
about their operation to evaluate the establishes the evaluation approach, the
control as well as members of
operation of ICFR. Knowledge from evaluation procedures, the basis for
management who are not responsible for
daily interaction includes information management’s conclusion about the
operating the control. The evidence
obtained by on-going direct involvement effectiveness of controls related to the
provided by self-assessment activities
with and direct supervision of the financial reporting elements and the
depends on the personnel involved and
execution of the control by those entity-level and other pervasive
the manner in which the activities are
responsible for the assessment of the elements that are important to
conducted. For example, evidence from
effectiveness of ICFR. Management management’s assessment of ICFR.
self-assessments performed by If management determines that the
should consider its particular facts and
personnel responsible for operating the evidential matter within the company’s
circumstances when determining
control generally provides less evidence books and records is sufficient to
whether its daily interaction with
controls provides sufficient evidence to provide reasonable support for its
43 For example, COSO’s 1992 framework defines
evaluate the operating effectiveness of assessment, it may determine that it is
self-assessments as ‘‘evaluations where persons
responsible for a particular unit or function will ICFR. For example, daily interaction not necessary to separately maintain
determine the effectiveness of controls for their may be sufficient when the operation of copies of the evidence it evaluates. For
activities.’’ controls is centralized and the number example, in smaller companies, where
44 Management’s evaluation process may also
of personnel involved is limited. management’s daily interaction with its
consider the results of key performance indicators
(‘‘KPIs’’) in which management reconciles operating
Conversely, daily interaction in controls provides the basis for its
and financial information with its knowledge of the companies with multiple management assessment, management may have
rwilkins on PROD1PC63 with RULES3

business. The procedures that management reporting layers or operating segments limited documentation created
implements pursuant to this section should would generally not provide sufficient specifically for the evaluation of ICFR.
evaluate the effective operation of these KPI-type
controls when they are identified pursuant to
evidence because those responsible for However, in these instances,
Section II.A.1.b. as addressing financial reporting assessing the effectiveness of ICFR management should consider whether
risk. would not ordinarily be sufficiently reasonable support for its assessment

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
35332 Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations

would include documentation of how its interaction provided it with sufficient evidence. This documentation might include memoranda, e-mails, and instructions or directions to and from management to company employees. Further, in determining the nature of supporting evidential matter, management should also consider the degree of complexity of the control, the level of judgment required to operate the control, and the risk of misstatement in the financial reporting element that could result in a material misstatement of the financial statements. As these factors increase, management may determine that evidential matter supporting the assessment should be separately maintained. For example, management may decide that separately maintained documentation in certain areas will assist the audit committee in exercising its oversight of the company’s financial reporting.

The evidential matter constituting reasonable support for management’s assessment would ordinarily include documentation of how management formed its conclusion about the effectiveness of the company’s entity-level and other pervasive elements of ICFR that its applicable framework describes as necessary for an effective system of internal control.

3. Multiple Location Considerations

Management’s consideration of financial reporting risks generally includes all of its locations or business units.45 Management may determine that financial reporting risks are adequately addressed by controls which operate centrally, in which case the evaluation approach is similar to that of a business with a single location or business unit. When the controls necessary to address financial reporting risks operate at more than one location or business unit, management would generally evaluate evidence of the operation of the controls at the individual locations or business units. Management may determine that the ICFR risk of the controls (as determined through Section II.A.2.a) that operate at individual locations or business units is low. In such situations, management may determine that evidence gathered through self-assessment routines or other on-going monitoring activities, when combined with the evidence derived from a centralized control that monitors the results of operations at individual locations, constitutes sufficient evidence for the evaluation. In other situations, management may determine that, because of the complexity or judgment in the operation of the controls at the individual location, the risk that controls will fail to operate is high, and therefore more evidence is needed about the effective operation of the controls at the location.

Management should generally consider the risk characteristics of the controls for each financial reporting element, rather than making a single judgment for all controls at that location when deciding whether the nature and extent of evidence is sufficient. When performing its evaluation of the risk characteristics of the controls identified, management should consider whether there are location-specific risks that might impact the risk that a control might fail to operate effectively. Additionally, there may be pervasive risk factors that exist at a location that cause all controls, or a majority of controls, at that location to be considered higher risk.

B. Reporting Considerations

1. Evaluation of Control Deficiencies

In order to determine whether a control deficiency, or combination of control deficiencies, is a material weakness, management evaluates the severity of each control deficiency that comes to its attention. Control deficiencies that are determined to be a material weakness must be disclosed in management’s annual report on its assessment of the effectiveness of ICFR. Control deficiencies that are considered to be significant deficiencies are reported to the company’s audit committee and the external auditor pursuant to management’s compliance with the certification requirements in Exchange Act Rule 13a–14.46 Management may not disclose that it has assessed ICFR as effective if one or more deficiencies in ICFR are determined to be a material weakness.

As part of the evaluation of ICFR, management considers whether each deficiency, individually or in combination, is a material weakness as of the end of the fiscal year. Multiple control deficiencies that affect the same financial statement amount or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness if there is a reasonable possibility 47 that a material misstatement of the financial statements would not be prevented or detected in a timely manner, even though such deficiencies may be individually less severe than a material weakness. Therefore, management should evaluate individual control deficiencies that affect the same financial statement amount or disclosure, or component of internal control, to determine whether they collectively result in a material weakness.

The evaluation of the severity of a control deficiency should include both quantitative and qualitative factors. Management evaluates the severity of a deficiency in ICFR by considering whether there is a reasonable possibility that the company’s ICFR will fail to prevent or detect a misstatement of a financial statement amount or disclosure; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies. The severity of a deficiency in ICFR does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s ICFR will fail to prevent or detect a misstatement on a timely basis.

Risk factors affect whether there is a reasonable possibility 48 that a deficiency, or a combination of deficiencies, will result in a misstatement of a financial statement amount or disclosure. These factors include, but are not limited to, the following:

• The nature of the financial reporting elements involved (for example, suspense accounts and related party transactions involve greater risk);

45 Consistent with the guidance in Section II.A.1., management may determine when identifying financial reporting risks that some locations are so insignificant that no further evaluation procedures are needed.

46 Pursuant to Exchange Act Rules 13a–14 and 15d–14 [17 CFR 240.13a–14 and 240.15d–14], management discloses to the auditors and to the audit committee of the board of directors (or persons fulfilling the equivalent function) all material weaknesses and significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize and report financial data. The term "material weakness" is defined in the Commission’s rules in Exchange Act Rule 12b–2 and Rule 1–02 of Regulation S–X. See Release No. 34–55928. The Commission is seeking additional comment on the definition of the term "significant deficiency" in the Commission’s rules in Exchange Act Rule 12b–2 and Rule 1–02 of Regulation S–X. See Release No. 34–55930.

47 There is a reasonable possibility of an event when the likelihood of the event is either "reasonably possible" or "probable" as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies. The use of the phrase "reasonable possibility that a material misstatement of the financial statements would not be prevented or detected in a timely manner" is intended solely to assist management in identifying matters for disclosure under Item 308 of Regulation S–K. It is not intended to interpret or describe management’s responsibility under the FCPA or modify a control framework’s definition of what constitutes an effective system of internal control.

48 The evaluation of whether a deficiency in ICFR presents a reasonable possibility of misstatement can be made without quantifying the probability of occurrence as a specific percentage or range.
• The susceptibility of the related asset or liability to loss or fraud (that is, greater susceptibility increases risk);

• The subjectivity, complexity, or extent of judgment required to determine the amount involved (that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);

• The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;

• The interaction of the deficiencies (that is, when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement amounts or disclosures); and

• The possible future consequences of the deficiency.

Factors that affect the magnitude of the misstatement that might result from a deficiency or deficiencies in ICFR include, but are not limited to, the following:

• The financial statement amounts or total of transactions exposed to the deficiency; and

• The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

In evaluating the magnitude of the potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement.

Management should evaluate the effect of compensating controls 49 when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.

In determining whether a deficiency or a combination of deficiencies represents a material weakness, management considers all relevant information. Management should evaluate whether the following situations indicate a deficiency in ICFR exists and, if so, whether it represents a material weakness:

• Identification of fraud, whether or not material, on the part of senior management; 50

• Restatement of previously issued financial statements to reflect the correction of a material misstatement; 51

• Identification of a material misstatement of the financial statements in the current period in circumstances that indicate the misstatement would not have been detected by the company’s ICFR; and

• Ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee.

When evaluating the severity of a deficiency, or combination of deficiencies, in ICFR, management also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP. If management determines that the deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with GAAP, then management should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.

2. Expression of Assessment of Effectiveness of ICFR by Management

Management should clearly disclose its assessment of the effectiveness of ICFR and, therefore, should not qualify its assessment by stating that the company’s ICFR is effective subject to certain qualifications or exceptions. For example, management should not state that the company’s controls and procedures are effective except to the extent that certain material weakness(es) have been identified. In addition, if a material weakness exists, management may not state that the company’s ICFR is effective. However, management may state that controls are ineffective for specific reasons.

3. Disclosures About Material Weaknesses

The Commission’s rule implementing Section 404 was intended to bring information about material weaknesses in ICFR into public view. Because of the significance of the disclosure requirements surrounding material weaknesses beyond specifically stating that the material weaknesses exist, companies should also consider including the following in their disclosures: 52

• The nature of any material weakness,

• Its impact on the company’s financial reporting and its ICFR, and

• Management’s current plans, if any, or actions already undertaken, for remediating the material weakness.

Disclosure of the existence of a material weakness is important, but there is other information that also may be material and necessary to form an overall picture that is not misleading.53 The goal underlying all disclosure in this area is to provide an investor with disclosure and analysis that goes beyond describing the mere existence of a material weakness. There are many different types of material weaknesses and many different factors that may be important to the assessment of the potential effect of any particular material weakness. While management is required to conclude and state in its report that ICFR is ineffective when there are one or more material weaknesses, companies should also consider providing disclosure that allows investors to understand the cause of the control deficiency and to assess the potential impact of each particular material weakness. This disclosure will be more useful to investors if management differentiates the potential impact and importance to the financial statements of the identified material weaknesses, including distinguishing those material weaknesses that may have a pervasive impact on ICFR from those material weaknesses that do not.

4. Impact of a Restatement of Previously Issued Financial Statements on Management’s Report on ICFR

Item 308 of Regulation S–K requires disclosure of management’s assessment of the effectiveness of the company’s ICFR as of the end of the company’s most recent fiscal year. When a material misstatement of previously issued

49 Compensating controls are controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level.

50 For purposes of this indicator, the term "senior management" includes the principal executive and financial officers signing the company’s certifications as required under Section 302 of Sarbanes Oxley as well as any other members of senior management who play a significant role in the company’s financial reporting process.

51 See FAS 154, Accounting Changes and Error Corrections, regarding correction of a misstatement.

52 Significant deficiencies in ICFR are not required to be disclosed in management’s annual report on its evaluation of ICFR required by Item 308(a).

53 See Exchange Act Rule 12b–20 [17 CFR 240.12b–20].
financial statements is discovered, a company is required to restate those financial statements. However, the restatement of financial statements does not, by itself, necessitate that management consider the effect of the restatement on the company’s prior conclusion related to the effectiveness of ICFR.

While there is no requirement for management to reassess or revise its conclusion related to the effectiveness of ICFR, management should consider whether its original disclosures are still appropriate and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement. The company should also disclose any material changes to ICFR, as required by Item 308(c) of Regulation S–K.

Similarly, while there is no requirement that management reassess or revise its conclusion related to the effectiveness of its disclosure controls and procedures, management should consider whether its original disclosures regarding effectiveness of disclosure controls and procedures need to be modified or supplemented to include any other material information that is necessary for such disclosures not to be misleading. With respect to the disclosures concerning ICFR and disclosure controls and procedures, the company may need to disclose in this context what impact, if any, the restatement has on its original conclusions regarding effectiveness of ICFR and disclosure controls and procedures.

5. Inability To Assess Certain Aspects of ICFR

In certain circumstances, management may encounter difficulty in assessing certain aspects of its ICFR. For example, management may outsource a significant process to a service organization and determine that evidence of the operating effectiveness of the controls over that process is necessary. However, the service organization may be unwilling to provide either a Type 2 SAS 70 report or to provide management access to the controls in place at the service organization so that management could assess effectiveness.54 Finally, management may not have compensating controls in place that allow a determination of the effectiveness of the controls over the process in an alternative manner. The Commission’s disclosure requirements state that management’s annual report on ICFR must include a statement as to whether or not ICFR is effective and do not permit management to issue a report on ICFR with a scope limitation.55 Therefore, management must determine whether the inability to assess controls over a particular process is significant enough to conclude in its report that ICFR is not effective.

III. Discussion of Comments on the Proposing Release

The Proposing Release proposed for public comment interpretive guidance for management regarding the annual evaluation of ICFR required by Rules 13a-15(c) and 15d-15(c) under the Exchange Act. We received letters from 211 commenters in response to the Proposing Release.56 The majority of commenters were supportive of the Commission’s efforts in developing this Interpretive Guidance. We have reviewed and considered all of the comments received on the proposal, and we discuss our conclusions with respect to the comments in more detail in the following sections.

A. Alignment between Management’s Evaluation and Assessment and the External Audit

Commenters expressed concern that confusion and inefficiencies may arise from differences between the proposed guidance for management’s evaluation of ICFR and the PCAOB’s proposed auditing standard for ICFR.57 Commenters cited a lack of alignment between the two with regard to the terminology and definitions used 58 as well as differences in the overall approach. Some commenters that were supportive of the principles-based approach to the proposed interpretive guidance expressed concern that improvements in the efficiency of management’s evaluation of ICFR would be limited by what they viewed as comparatively more prescriptive guidance for external auditors in the Proposed Auditing Standard.59 Other commenters suggested that maximizing their auditor’s ability to rely on the work performed in management’s evaluation would require aligning the evaluation approach for management with the Proposed Auditing Standard.60 Even so, some of these commenters still viewed the interpretive guidance as an improvement because it provides management the ability to choose whether, and to what extent, it should align its evaluation with the auditing standard; whereas commenters said that management feels compelled to align with the auditing standard under the current rules. Other commenters suggested that the proposed interpretive guidance was compatible with the Proposed Auditing Standard and that improvements in implementation could be attained with close coordination between management and auditors.61

In response to the comment letters, we have revised our proposal to more closely align it with how we anticipate the PCAOB will revise its proposed auditing standard. For example, the

54 AU Sec. 324, Service Organizations (as adopted on an interim basis by the Public Company Accounting Oversight Board ("PCAOB") in PCAOB Rule 3200T), defines a report on controls placed in operation and test of operating effectiveness, commonly referred to as a "Type 2 SAS 70 report." This report is a service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

55 See Item 308(a)(3) of Regulations S–K and S–B [17 CFR 229.308(a)(3) and 228.308(a)(3)].

56 Of the 211 commenters, 43 were issuers, 33 professional associations and business groups, 19 foreign private issuers and foreign professional associations, 10 investor advocacy and other similar groups, 8 major accounting firms, 11 smaller accounting firms and Section 404 service providers, 8 banks and banking associations, 4 law firms and law associations, and 75 other interested parties including students, academics, and other individuals. The comment letters are available for inspection in the Commission’s Public Reference Room at 100 F Street, NE., Washington, DC 20549 in File No. S7–24–06, or may be viewed at http://www.sec.gov/comments/s7–24–06/s72406.shtml.

57 In PCAOB Release No. 2006–007 the PCAOB proposed for public comment An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit of Financial Statements and Considering and Using the Work of Others in an Audit. See http://www.pcaobus.org/Rules/Docket_021/2006–12–19_Release_No._2006–007.pdf (hereinafter "Proposed Auditing Standard").

58 See, for example, letters from American Bar Association’s Committees on Federal Regulation of Securities and Law and Accounting of the Section of Business Law (ABA), Association of Chartered Certified Accountants (ACCA), Edison Electric Institute (EEI), European Federation of Accountants (FEE), Financial Executives International Committee on Corporate Reporting (FEI CCR), Frank Gorrell (F. Gorrell), Society of Corporate Secretaries and Governance Professionals, and The Institute of Chartered Accountants in England and Wales (ICAEW).

59 See, for example, letters from Eli Lilly and Company (Eli Lilly), FEI CCR, Hutchinson Technology Inc. (Hutchinson), Independent Community Bankers of America (ICBA), MetLife Inc. (MetLife), Procter & Gamble Company (P&G), and Supervalu Inc. (Supervalu).

60 See, for example, letters from Heritage Financial Corporation and Southern Company.

61 See, for example, letters from BDO Seidman LLP (BDO), McGladrey & Pullen LLP (M&P), and PricewaterhouseCoopers LLP (PwC).
definition of a material weakness and the related guidance for evaluating deficiencies, including indicators of a material weakness, have been revised.62 In addition, alignment revisions were made to the guidance for evaluating whether controls adequately address financial reporting risks, including entity-level controls, the factors to consider when identifying financial reporting risks and the factors for assessing the risk associated with individual financial reporting elements and controls.

However, some differences between our final interpretive guidance for management and the PCAOB’s audit standard remain. These differences are not necessarily contradictions or misalignment; rather they reflect the fact that management and the auditor have different roles and responsibilities with respect to evaluating and auditing ICFR. Management is responsible for designing and maintaining ICFR and performing an evaluation annually that provides it with a reasonable basis for its assessment as to whether ICFR is effective as of fiscal year-end. Management’s daily involvement with its internal control system provides it with knowledge and information that may influence its judgments about how best to conduct the evaluation and the sufficiency of evidence it needs to assess the effectiveness of ICFR. In contrast, the auditor is responsible for conducting an independent audit that includes appropriate professional skepticism. Moreover, the audit of ICFR is integrated with the audit of the company’s financial statements. While there is a close relationship between the work performed by management and its auditor, the ICFR audit will not necessarily be limited to the nature and extent of procedures management has already performed as part of its evaluation of ICFR. There will be differences in the approaches used by management and the auditor because the auditor does not have the same information and understanding as management and because the auditor will need to integrate its tests of ICFR with the financial statement audit. We agree with those commenters that suggested coordination between management and auditors on their respective efforts will ensure that both the evaluation by management and the independent audit are completed in an efficient and effective manner.

B. Principles-based Nature of Guidance for Conducting the Evaluation

The guidance is intended to assist management in complying with two broad principles: (1) Evaluate whether controls have been implemented to adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner and (2) evaluate evidence about the operation of controls based on an assessment of risk. We believe the guidance will enable companies of all sizes and complexities to comply with our rules effectively and efficiently.

Commenters expressed support for the proposed guidance’s principles-based approach.63 However, some requested that the proposal be revised to include additional guidance and illustrative examples in the following areas: 64

• The identification of controls that address financial reporting risks; 65

• The assessment of ICFR risk, including how evidence gained over prior periods should impact management’s assessment of risks associated with controls identified and therefore, the evidence needed to support its assessment; 66

• How varying levels of risk impact the nature of the evidence necessary to support its assessment; 67

• When on-going monitoring activities, including self-assessments, could be used to support management’s assessment and reduce direct testing; 68

• Sampling techniques, sample sizes, and testing methods; 69

• The type and manner in which supporting evidence should be maintained; 70 including specific guidelines regarding the amount, form and medium of evidence; 71 and

• How management should document the effectiveness of monitoring activities utilized to support its assessment, as well as how management should support the evidence obtained from its daily interaction with controls as part of its assessment.72

We have considered the requests for additional guidance and decided to retain the principles-based nature of the proposed guidance. We believe an evaluation of ICFR will be most effective and efficient when management makes use of all available facts and information to make reasonable judgments about the evaluation methods and procedures that are necessary to have a reasonable basis for the assessment of the effectiveness of ICFR and the evidential matter maintained in support of the assessment. Additional guidance and examples in the areas requested would likely have the negative consequence of establishing "bright line" or "one-size fits all" evaluation approaches. Such an outcome would be contrary to our view that the evaluations must be tailored to a company’s individual facts and circumstances to be both effective and efficient. Moreover, an evaluation by management that is focused on compliance with detailed guidance, rather than the risks to the reliability of its financial reporting, would likely lead to evaluations that are inefficient, ineffective or both.

Detailed guidance and examples from the Commission may also limit or hinder the natural evolution and further development of control frameworks and evaluation methodologies as technology, control systems, and financial reporting evolve. As we have previously stated, the Commission supports and encourages the further development of control frameworks and related implementation guidance. For example, the July 2006 small business guidance issued by COSO addresses the identification of financial reporting risks and the related controls. Additionally, we note that COSO is currently working on a project to further define how the effectiveness of control systems can be monitored.73 As such, companies may

62 The revisions made to the proposed definition of material weakness and the related guidance, including the strong indicators, are discussed in Section III.F. of this document.

63 See, for example, letters from ACE Limited (ACE), American Electric Power Company, Inc. (AEP), Business Roundtable (BR), Canadian Bankers Association, Center for Audit Quality (Center), Ernst & Young LLP (EY), Grant Thornton LLP (GT), ING Groep N.V. (ING), Manulife Financial (Manulife), PwC, P&G, and Reznick Group, P.C. (Reznick).

64 See, for example, letters from Brown-Forman, Ford Motor Company, MasterCard Incorporated (MasterCard), Northrop Grumman Corporation, Supervalu, UFP Technologies (UFP), and UnumProvident Corporation (UnumProvident).

65 See, for example, letter from Nina Stofberg (N. Stofberg).

66 See, for example, letters from ISACA and IT Governance Institute (ISACA), Manulife, and Ohio Society of Certified Public Accountants (Ohio).

67 See, for example, letters from Cardinal Health, Inc. (Cardinal), Cleary Gottlieb Steen & Hamilton LLP (Cleary), and ISACA.

68 See, for example, letters from BASF Aktiengesellschaft (BASF), Cardinal, Computer Sciences Corporation (CSC), ING, ISACA, Ohio, PPL Corporation (PPL), R. Malcolm Schwartz, N. Stofberg, and UnumProvident.

69 See, for example, letters from BDO, National Association of Real Estate Investment Trusts, Reznick, and UFP.

70 See, for example, letters from AEP, BDO, Center, EEI, Frank Consulting, PLLP (Frank), The Hundred Group of Finance Directors (100 Group), Institut Der Wirtschaftsprufer [Institute of Public Auditors in Germany] (IDW), Managed Funds Association (MFA), Nasdaq Stock Market, Inc. (Nasdaq), Ohio, N. Stofberg, and UFP.

71 See, for example, letter from Nasdaq.

72 See, for example, letters from BDO and Center.

73 In a press release on January 8, 2007, COSO announced that Grant Thornton LLP had been
Continued
find that there are other sources for the additional guidance in the areas they are seeking.

Commenters also expressed the view that companies may abuse the flexibility afforded by the proposed principles-based guidance to perform inadequate evaluations, thereby undermining the intended investor protection benefits.74 Other commenters have observed that material weakness disclosures to investors are too often simultaneous with, rather than in advance of, the restatement of financial statements, which undermines the usefulness of the disclosures.75 In response to these comments, we note that this principles-based guidance enables management to tailor its evaluation so that it focuses on those areas of financial reporting that pose the highest risk to reliable financial reporting. We believe that a tailored evaluation approach that focuses resources on areas of highest risk will improve, rather than degrade, the effectiveness of many companies’ evaluations and improve the timeliness of material weakness disclosures to investors.

C. Scalability and Small Business Considerations

Commenters believed that the proposed interpretive guidance can be scaled to companies of all sizes and will benefit smaller public companies in completing their assessments.76 However, some commenters requested more guidance to enable them to

Other commenters, mostly comprised of investor groups, requested that the guidance emphasize that scaled or tailored evaluation methods and procedures for smaller public companies should be based on both the size and complexity of the business and do not imply less rigorous evaluation methods and procedures.78 Some commenters indicated that smaller public companies should continue to be exempt at least until a thorough examination is conducted of both the Interpretive Guidance and the new Auditing Standard to ensure that smaller companies are not disproportionately burdened.79 Some commenters requested that the SEC further delay the implementation for one additional year 80 or continued to call for a complete exemption from Section 404 for smaller public companies.81 Other commenters requested that smaller public companies not be exempted.82

We believe the principles-based guidance permits flexible and scalable evaluation approaches that will enable management of smaller public companies to evaluate and assess the effectiveness of ICFR without undue cost burdens. The guidance recognizes that internal control systems and the methods and procedures necessary to evaluate their effectiveness may be different in smaller public companies than in larger companies. However, the flexibility provided in the guidance is not meant to imply that evaluations for

less than reasonable assurance as to the effectiveness of ICFR at such companies. Rather, smaller public companies should utilize the flexibility provided in the guidance to cost-effectively tailor and scale their methods and approaches for identifying and documenting financial reporting risks and the related controls and for evaluating whether operation of controls is effective (for example, by utilizing evidence gathered through management’s daily interaction with its controls), so that they provide the evidence needed to assess whether ICFR is effective.

In addition, as previously mentioned, companies may find that there are other sources for guidance, such as the July 2006 guidance for applying the COSO framework to smaller public companies. We believe our guidance, when used in conjunction with other such guidance, will enable smaller public companies to have a better understanding of the requirements of a control framework, its role in effective internal control systems and the relationship to our evaluation and disclosure requirements. This should enable management to plan and conduct its evaluation in an effective and efficient manner.

The Commission believes that compliance with the ICFR evaluation and assessment requirements by smaller public companies will further the primary goal of Sarbanes-Oxley which is
conduct the evaluation in an effective to enhance the quality of financial
smaller public companies be conducted
and efficient manner. For example, with less rigor, or to provide anything reporting and increase investor
commenters requested more guidance confidence in the fairness and integrity
on how some of the unique Executives International Small Public Company of the securities markets. We note that
characteristics of smaller companies, Task Force (FEI SPCTF), Frank, Institute of all financial statements filed with the
including a lack of segregation of duties, Management Accountants (IMA), MFA, U.S. Commission, even those by smaller
Chamber of Commerce (Chamber), and U.S. Small
should be considered in the Business Administration’s Office of Advocacy public companies, result from a system
evaluation.77 (SBA). of internal controls. Such systems are
78 See, for example, letters from California Public
required by the FCPA to operate at a
commissioned to develop guidance to help Employees’ Retirement System (CalPERS), CFA, level that provides ‘‘reasonable
organizations monitor the quality of their internal Council of Institutional Investors, Ethics Resource
control systems. According to that press release, the Center, International Brotherhood of Teamsters, and assurance’’ about the reliability of
guidance will serve as a tool for effectively Pension Reserves Investment Management Board financial reporting. Our rules
monitoring internal controls while complying with (PRIMB). implementing Section 404 direct
79 See, for example, letters from AeA,
Sarbanes-Oxley. The press release is available at
http://www.coso.org/Publications/COSO% Biotechnology Industry Organization, Committee on management of all companies to
20Monitoring%20GT%20Final%20Release_ Capital Markets Regulation (CCMR), Financial evaluate and assess whether the
1.8.07.pdf. Reporting Committee of the Association of the Bar company’s system of internal controls is
74 See, for example, letters from Joseph V. of the City of New York (NYC Bar), International
Association of Small Broker Dealers and Advisers,
effective at achieving reasonable
Carcello, Consumer Federation of America,
Consumer Action, U.S. Public Interest Research National Venture Capital Association, SBA, Silicon assurance. Our guidance is intended to
Group (CFA), and Moody’s Investors Service Valley Leadership Group (SVLG), Small Business help them do so in a cost-effective
(Moody’s). Entrepreneurship Council, TechNet, and
75 See, for example, letters from CFA and Telecommunications Industry Association.
manner. Given the principles-based
Moody’s. 80 See, for example, letters from American nature of our guidance and the
76 See, for example, letters from American Bankers, America’s Community Bankers, Chandler, flexibility it provides, we do not believe
Bankers Association (American Bankers), Anthony CNB, FEI SPCTF, F. Gorrell, ICBA, MFA, and further postponement of the evaluation
S. Chan, Chandler (U.S.A.), Inc. (Chandler), CNB Washington Legal Foundation (WLF).
Corporation & Citizens National Bank of Cheboygan 81 See, for example, letters from American Stock
requirements are needed for smaller
rwilkins on PROD1PC63 with RULES3

(CNB), Financial Services Forum, GT, Greater Exchange, ICBA, UFP, and WLF. companies. We believe that the timing
Boston Chamber of Commerce, Minn-Dak Farmers 82 See, for example, letters from American of the issuance of the Interpretive
Cooperative (MDFC), RAM Energy Resources, Inc., Federation of Labor and Congress of Industrial Guidance is adequate to allow for its
and San Jose Water Company. Organizations (AFL-CIO), CalPERS, Frank, F.
77 See, for example, letters from American Gorrell, PRIMB, and WithumSmith+Brown Global effective implementation in 2007
Electronics Association (AeA), EY, Financial Assurance, LLC. evaluations.

VerDate Aug<31>2005 16:20 Jun 26, 2007 Jkt 211001 PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 E:\FR\FM\27JNR3.SGM 27JNR3
Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations 35337

D. Identifying Financial Reporting Risks and Controls

1. Summary of the Proposal

The proposal directed management to consider the sources and potential likelihood of misstatements, including those arising from fraudulent activity, and identify those that could result in a material misstatement of the financial statements (that is, financial reporting risks). The proposal indicated that management's consideration of the risk of misstatement generally includes all of its locations or business units and that the methods and procedures for identifying financial reporting risks will vary based on the characteristics of the individual company. The proposal discussed factors for management to consider in selecting methods and procedures for evaluating financial reporting risks and in identifying the sources and potential likelihood of misstatement.

The proposal directed management to evaluate whether controls were placed in operation to adequately address the financial reporting risks it identifies. The proposal indicated that controls were not adequate when their design was such that there was a reasonable possibility that a misstatement in a financial reporting element that could result in a material misstatement of the financial statements would not be prevented or detected in a timely manner. The proposal discussed the fact that some controls may be automated or may depend upon IT functionality. In these situations, the proposal stated that management's evaluation should consider not only the design and operation of the automated or IT dependent controls, but also the aspects of IT general controls necessary to adequately address financial reporting risks.

The proposal also indicated that entity-level controls should be considered when identifying financial reporting risks and related controls for a financial reporting element. The proposal discussed the nature of entity-level controls, how they relate to a financial reporting element and the need to consider whether they would prevent or detect material misstatements. If a financial reporting risk for a financial reporting element is adequately addressed by an entity-level control, the proposal indicated that no further controls needed to be identified and tested by management for purposes of the evaluation of ICFR.

2. Comments on the Proposal and Revisions Made

The Commission received a number of comments on the proposed guidance for identifying financial reporting risks and controls. As discussed in Section III.B above, many of these commenters requested more examples or more detailed guidance. Other comments received related to the identification of fraud risks and related controls; entity-level controls; and IT general controls.

Identification of Fraud Risks and Related Controls

Commenters suggested the guidance be revised to more strongly emphasize management's responsibility to identify and evaluate fraud risks and the related controls that address those risks.83 Commenters also discussed the nature of fraud risks that most often lead to materially misstated financial statements and requested additional guidance regarding which fraud related controls are within the scope of the evaluation;84 whether management can consider the risk of fraud through the overall risk assessment or if a specific fraud threat analysis is required;85 and examples of the types of fraud that should be considered.86 Other commenters noted that there is existing guidance for management, beyond what was referenced in the proposal, for assessing fraud risks and the related controls. These commenters suggested that the proposal be revised to directly incorporate the most relevant elements of such guidance.87

In response to the comments, the proposal was revised to clarify that fraud risks are expected to exist at every company and that the nature and extent of the fraud risk assessment activities should be commensurate with the size and complexity of the company. Additionally, we expanded the references to existing guidance to include the AICPA's 2005 Management Override of Internal Controls: The Achilles' Heel of Fraud Prevention and COSO's July 2006 Guidance for Smaller Public Companies. Given the availability of existing information and guidance on fraud and consistent with the principles-based nature of the interpretive guidance, we determined that it was unnecessary to provide a list of fraud risks expected to be present at every company or a list of the areas of financial reporting expected to have a risk of material misstatement due to fraud. Moreover, providing such a list may result in a "checklist" type approach to fraud risk assessments that would likely be ineffective as financial reporting changes over time, or given the wide variety of facts and circumstances that exist in different companies and industries. While management may find such checklists a useful starting point, effective fraud risk assessments will require sound and thoughtful judgments that reflect a company's individual facts and circumstances.

Entity-Level Controls

Commenters requested further clarification of how entity-level controls can address financial reporting risks in a top-down, risk-based approach.88 Commenters also suggested that the guidance place more emphasis on entity-level controls given their pervasive impact on all other aspects of ICFR.89

In response to the comments received, we expanded the discussion of entity-level controls and how they relate to financial reporting elements. This discussion further clarifies that some entity-level controls, such as controls within the control environment, have an important, but indirect, effect on the likelihood that a misstatement will be prevented or detected on a timely basis. While these controls might affect the other controls management determines are necessary to address financial reporting risks for a financial reporting element, it is unlikely management will identify only this type of entity-level control as adequately addressing a financial reporting risk. Further, the guidance clarifies that some entity-level controls may be designed to identify possible breakdowns in lower-level controls, but not in a manner that would, by themselves, adequately address financial reporting risks. In these cases, management would identify the additional controls needed to adequately address financial reporting risks, which may include those that operate at the transaction or account balance level. Consistent with the proposal, management does not need to identify or evaluate additional controls relating to a financial reporting risk if it

83 See, for example, letters from ACE, ACCA, BDO, Center, CSC, Deloitte & Touche LLP (Deloitte), GT, IMA, KPMG LLP (KPMG), M&P, Moody's, and PwC.
84 See, for example, letters from BASF, BDO, and GT.
85 See, for example, letter from Tatum LLC (Tatum).
86 See, for example, letters from FEI CCR, P&G, and N. Stofberg.
87 See, for example, letters from Center, GT, KPMG, and M&P.
88 See, for example, letters from EY, Frank, MetLife, and UnumProvident.
89 See, for example, letters from ACCA, ACE, Eli Lilly, European Association of Listed Companies (EALIC), and PwC.

determines that the risk is being adequately addressed by an entity-level control.

We have also revised the proposed guidance to further clarify that the controls management identifies in Section II.A.1 should include the entity-level and pervasive elements of its ICFR that are necessary to have a system of internal control that provides reasonable assurance as to the reliability of financial reporting. Management can use the existing control frameworks and related guidance to assist them in evaluating the adequacy of these aspects of their ICFR.

Information Technology General Controls

Commenters expressed concern that the proposal's guidance on IT general controls was too vague or that it lacked sufficient clarity90 and requested further guidance and illustrative examples91 to clarify the extent to which IT general controls are within the scope of the ICFR evaluation.92 Commenters also suggested that the Commission directly incorporate the May 16, 2005 Staff Guidance93 on IT general controls94 and that we clarify that IT general controls alone, without consideration of application controls, will not sufficiently address the risk of material misstatement.95 One commenter noted that providing such guidance could have the unintended consequence of setting a precedent for providing more detailed guidance in other areas of the evaluation.96 Commenters also suggested that we revise the proposal to clarify how a top-down approach considers IT general controls,97 that we encourage a "benchmarking" approach for evaluating automated controls,98 and that we permit companies who implement IT systems late in the year to do so while still being able to satisfy their ICFR responsibilities.99

We made several revisions to the proposed guidance based on the comment letters. We revised the proposal to explain that the identification of risks and controls within IT should be integral to, and not separate from, management's top-down, risk-based approach to evaluating ICFR and in determining the necessary supporting evidential matter. We clarified that controls which address financial reporting risks may be automated, dependent upon IT functionality, or require a combination of both manual and automated procedures and that IT general controls alone, without consideration of application controls, ordinarily do not adequately address financial reporting risks. We also incorporated guidance from the May 16, 2005 Staff Statement which explains that it is unnecessary to evaluate IT general controls that primarily pertain to efficiency or effectiveness of operations, but which are not relevant to addressing financial reporting risks.

We have declined to further specify categories or areas of IT general controls that will be relevant to the ICFR evaluation for all companies. We continue to believe that such determinations require consideration of each company's individual facts and circumstances. Moreover, we have concluded it is not necessary to include a discussion of a "benchmarking" approach to evaluating automated controls. The lack of such discussion in our guidance does not preclude management from taking such an approach if they believe it to be both efficient and effective.

Additionally, we did not revise the proposed guidance to discuss implementation of IT systems, or changes thereto, late in the year because we do not believe such decisions should be impacted by the requirement to evaluate and assess the effectiveness of ICFR. Even without the evaluation and assessment requirements, the implementation of an IT system late in the year does not change management's responsibility to maintain a system of internal control that provides reasonable assurance regarding the reliability of financial reporting. Allowing an exclusion from the evaluation for controls placed in operation late in the year could have the unintended consequence of negatively impacting the reliability of financial reporting. Management has the ability to mitigate the risk of material misstatement that arises from ineffective controls in a new IT system. For example, management may perform pre-implementation testing of the IT controls needed to adequately address financial reporting risks. Additionally, management may implement compensating controls, such as manual reconciliations and verification, until such time that management has concluded that the IT controls within the system are adequate. Accordingly, we do not believe it is necessary or appropriate to exclude new IT systems or changes to existing systems from the scope of the evaluation of ICFR.

E. Evaluating Evidence of the Operating Effectiveness of ICFR

1. Summary of the Proposal

Our proposal indicated that management should consider both the risk characteristics of the financial reporting elements to which the controls relate and the risk characteristics of the controls themselves (collectively, ICFR risk) in making judgments about the nature and extent of evidence necessary to provide a reasonable basis for the assessment of whether the operation of controls is effective. The proposal identified significant accounting estimates, related party transactions and critical accounting policies as examples of financial reporting areas that generally would be assessed as having a higher risk of misstatement and control failure. However, the proposed guidance recognizes that since not all controls have the same risk characteristics, when a combination of controls is required to adequately address the risks to a financial reporting element, management should analyze the risk characteristics of each control separately. Further, under the proposed guidance, when evaluating risks in multi-location environments, management should generally consider the risk characteristics of the controls related to each financial reporting element, rather than making a single judgment for all controls at a particular location when determining the sufficiency of evidence to support its assessment.

Our proposal indicated that the evidence of the operation of controls that management evaluates may come from a combination of on-going monitoring and direct testing and that management should vary the nature, timing and extent of these based on its assessment of the ICFR risk. Our proposal stated that this evidence would ordinarily cover a reasonable period of time during the year and include the fiscal year-end. The proposal also acknowledged that, in smaller companies, those responsible for assessing the effectiveness of ICFR may, through their on-going direct knowledge

90 See, for example, letters from Aerospace Industries Association, MasterCard, and Nasdaq.
91 See, for example, letter from Microsoft Corporation (MSFT).
92 See, for example, letters from Faisal Danka, ISACA, MSFT, Rod Scott, and The Travelers Companies, Inc. (Travelers).
93 Division of Corporation Finance and Office of the Chief Accountant: Staff Statement on Management's Report on Internal Control Over Financial Reporting (May 16, 2005), available at http://www.sec.gov/spotlight/soxcom/.htm.
94 See, for example, letters from FEI CCR and P&G.
95 See, for example, letter from IDW.
96 See, for example, letter from ICAEW.
97 See, for example, letters from Cardinal and ISACA.
98 See, for example, letter from CSC.
99 See, for example, letter from Chamber.

and supervision of the operation of controls (that is, daily interaction) have a reasonable basis to evaluate the effectiveness of some controls without performing direct tests specifically for purposes of the evaluation.

The proposal explained that the evidential matter constituting reasonable support for the assessment would generally include the basis for management's assessment and documentation of the evaluation methods and procedures for gathering and evaluating evidence. Additionally, the proposal indicated that the nature of the supporting evidential matter, including documentation, may take many forms and may vary based on management's assessment of ICFR risk. For example, management may determine that it is not necessary to maintain separate copies of the evidence evaluated if such evidence already exists in the company's books and records. The proposal also indicates that as the degree of complexity of the control, the level of judgment required to operate the control, and the risk of misstatement in the financial reporting element increase, management may determine that separate evidential matter supporting a control's operation should be maintained.

2. Comments on the Proposal and Revisions Made

The Commission received a number of comments on the proposed guidance for evaluating whether the operation of controls was effective. As discussed in Section III.B above, many of these commenters requested more examples or more detailed guidance. Other comments received related to the appropriateness of various "rotational" approaches to evaluating evidence of whether the operation of controls was effective; the nature of on-going monitoring activities, including self-assessments and daily interaction; the time period to be covered by evaluation procedures; and supporting evidential matter.

Rotational Approaches to Evaluating Evidence

Commenters requested that the guidance explicitly allow management to rotate its evaluation of evidence of the operation of controls and a variety of different approaches for doing so were suggested. These approaches included, for example, a rotational approach for lower risk controls,100 a rotational approach in areas where management determines there are no changes in the controls since the previous assessment,101 or a rotational approach where there is both lower risk and no changes in controls.102 In addition, some suggested a "benchmarking" approach, similar to that used for IT controls, be allowed for non-IT controls.103 Other commenters agreed with the proposal's requirement that management consider evidence of the operation of controls each year.104 Others noted that while they believed it is appropriate for management to consider the results of its prior year assessments, the guidance should make it clear that the evaluation of operating effectiveness is an annual requirement.105

Other commenters raised the issue of a rotational approach specific to multi-location considerations. For example, commenters suggested that the guidance allow for rotation of locations based upon risk (for example, once every three years).106 However, some commenters suggested that the risk-based approach provided in the proposed guidance would appropriately allow companies to vary testing in locations based more on risk than coverage, which would improve the efficiency of their assessment.107

After considering the comments, the Commission has retained the guidance substantially as proposed. We did not introduce a concept that allows management to eliminate from its annual evaluation those controls that are necessary to adequately address financial reporting risks. For example, management cannot decide to include controls for a particular location or process within the scope of its evaluation only once every three years or exclude controls from the scope of its evaluation based on prior year evaluation results. To have a reasonable basis for its assessment of the effectiveness of ICFR, management must have sufficient evidence supporting the operating effectiveness of all aspects of its ICFR as of the date of its assessment. The guidance provides a framework to assist management in making judgments regarding the nature, timing and extent of evidence needed to support its assessment. Management can use this framework to scale its evaluation methods and procedures in response to the risks associated with both the financial reporting elements and related controls in its particular facts and circumstances.

However, the guidance has been clarified to reflect that management's experience with a control's operation both during the year and as part of its prior year assessment(s) may influence its decisions regarding the risk that controls will fail to operate as designed. This, in turn, may have a corresponding impact on the evidence needed to support management's conclusion that controls operated effectively as of the date of management's assessment.

Nature of On-Going Monitoring Activities

Commenters expressed concern that, as defined in the proposal, some on-going monitoring activities would not be deemed to provide sufficient evidence.108 Other commenters were concerned that the guidance placed too much emphasis on the amount of evidence that could be obtained from on-going monitoring activities and called for further examples of when they may provide sufficient evidence and when direct testing would be required.109 With regard to self-assessments, commenters suggested that self-assessments can be an integral source of evidence when their effective operation is verified by direct testing over varying periods of time based on the manner in which the self-assessments were conducted and on the level of risk associated with the controls.110 Other commenters requested the proposed guidance be revised to clarify how, based on the definitions provided, self-assessments differed from direct testing.111

Some commenters questioned the sufficiency of evidence that would result from management's daily interaction with controls and requested more specifics on when it would be appropriate as a source of evidence112 and how management should demonstrate that its daily interaction with controls provided it with sufficient evidence to have a reasonable basis to

100 See, for example, letters from CSC, EALIC, ING, MasterCard, and NYC Bar.
101 See, for example, letters from P&G and Travelers.
102 See, for example, letters from EEI and Supervalu.
103 See, for example, letters from Eli Lilly and FEI CCR.
104 See, for example, letters from CCMR, Deloitte, and KPMG.
105 See, for example, letters from AFL-CIO, Center, CFA, Deloitte, and PwC.
106 See, for example, letter from CSC.
107 See, for example, letters from MSFT, New York State Society of Certified Public Accountants, and Plains Exploration & Production Company.
108 See, for example, letters from BASF and Cees Klumper & Matthew Shepherd (C. Klumper & M. Shepherd).
109 See, for example, letters from Center and EY.
110 See, for example, letters from GT and C. Klumper & M. Shepherd.
111 See, for example, letter from Cardinal.
112 See, for example, letters from BDO, EY, Ohio, and Tatum.

assess whether the operation of controls was effective.113

Based on the feedback received, we modified the discussion of on-going monitoring activities, including self-assessments, and direct testing to clarify how the evidence obtained from each of the activities can vary. As commenters in this area noted, on-going monitoring, including self-assessments, encompasses a wide array of activities that can be performed by a variety of individuals within an organization. These individuals have varying degrees of objectivity, ranging from internal auditors to the personnel involved in business processes, and can include both those responsible for executing a control as well as those responsible for overseeing its effective operation. Because of the varying degrees of objectivity, the sufficiency of the evidence management obtains from on-going monitoring activities is determined by the nature of the activities (that is, what they entail and how they are performed).

We clarified the proposed guidance to indicate that when evaluating the objectivity of personnel, management is not required to make an absolute conclusion regarding objectivity, but rather should recognize that personnel will have varying degrees of objectivity based on, among other things, their job function, their relationship to the control being evaluated, and their level of authority and responsibility within the organization. Management should consider the ICFR risk of the controls when determining whether the objectivity of the personnel involved in the monitoring activities results in sufficient evidence. For example, for areas of high ICFR risk, management's on-going monitoring activities may provide sufficient evidence when the monitoring activities are carried out by individuals with a high degree of objectivity. However, when management's support includes evidence obtained from activities performed by individuals who are not

with sufficient evidence to assess whether controls are operating effectively. The guidance is not intended to limit management's flexibility with regard to the areas of ICFR where its interaction can provide it with sufficient evidence or the manner by which management obtains knowledge of the operation of the controls. However, as noted in the guidance, daily interaction as a source of evidence for the operation of controls applies to management who are responsible for assessing the effectiveness of ICFR and whose knowledge about the effective operation is gained from its on-going direct knowledge and direct supervision of controls. In addition, the evidence management maintains in support of its assessment should include the design of the controls that adequately address the financial reporting risks as well as how its interaction provides an adequate basis for its assessment of the effectiveness of ICFR.

Time Period Covered by Evaluation Procedures

Commenters requested that the guidance allow for, and encourage, management to gather evidence throughout the year to support its assessment in lieu of having to gather some evidence close to or as-of year-end.114 These commenters believed that such guidance would encourage companies to better integrate their evaluation procedures into the normal activities of their daily operations, spread the effort more evenly throughout the year, and help reduce the strain on resources at year-end when company personnel are preparing the annual financial statements and complying with other financial reporting activities.

We agree with the comments received in this area with respect to allowing management the flexibility to gather evidence in support of its assessment during the year. Since management's assessment is performed as of the end of

activities covering periods of time that vary based on its assessment of risk in order to provide it with a sufficient basis for its evaluation. This could include, for example, a strategy that employs direct testing over a control during the year (but prior to year-end), that is supplemented with a self-assessment activity at year-end. As a result, we have adopted the guidance related to the period of time for which management should obtain evidence of the operation of controls substantially as proposed.

Supporting Evidential Matter

Commenters expressed support for the guidance in the proposal related to supporting evidential matter and believed it would allow management to make better judgments and allow for sufficient flexibility to vary the nature and extent of evidence based on the company's particular facts and circumstances.115 Other commenters observed that a certain level of documentation was required in order to facilitate an efficient and effective audit and suggested the guidance explicitly state this fact and/or clarify how the guidance for management was intended to interact with the requirements provided to auditors.116 One commenter requested that we clarify our intention related to the audit committee's involvement in the review of evidential matter prepared by management in support of its assessment.117

After consideration of the comments, we are adopting the guidance substantially as proposed. We continue to believe that management should have considerable flexibility as to the nature and extent of the documentation it maintains to support its assessment, while at the same time maintaining sufficient evidence to provide reasonable support for its assessment. Providing specific guidelines and detailed examples of various types of documentation would potentially limit the flexibility we intended to afford management.
highly objective, management would With respect to the concerns raised
its fiscal year-end, the evidence
ordinarily supplement the evidence regarding the interaction of the
management utilizes to support its
with some degree of direct testing by proposed guidance and the audit
assessment would ordinarily include a
individuals who are independent from requirements, we determined that no
reasonable period of time during the
the operation of the control to changes were necessary. Similar to an
year, including some evidence as of the
corroborate the information from the audit of the financial statements, the
date of its assessment. However, the
monitoring activity. nature and extent of evidential matter
proposal was not intended to limit maintained by management may impact
With regard to requests for more management’s flexibility to conduct its
guidance related to management’s daily how an auditor conducts the audit and
evaluation activities during the year. the efficiency of the audit. We believe
interaction, we have adopted the Rather, the proposed guidance was
guidance substantially as proposed. We intended to provide management with
rwilkins on PROD1PC63 with RULES3

115 See, for example, letters from BR, EY, Hudson


believe that in smaller companies, the ability to perform a variety of Financial Solutions (HFS), and MSFT.
management’s daily interaction with the 116 See, for example, letters from Center, Deloitte,
operation of controls may provide it 114 See, for example, letters from Eli Lilly, The EY, GT, M&P, MetLife, MDFC, PwC, and N.
Financial Services Roundtable, and Neenah Paper, Stofberg.
113 See, for example, letter from Ohio. Inc. 117 See, for example, letter from ABA.


that the most efficient implementation by management and the auditor is achieved when flexibility exists to determine the appropriate manner by which to complete their respective tasks. However, we also believe that the Proposed Auditing Standard allows auditors sufficient flexibility to consider various types of evidence utilized by management. The audit standard allows auditors to adjust their approach in certain circumstances, if necessary, so that audit procedures should not place any undue burden or expense on management’s evaluation process.

F. Evaluation of Control Deficiencies

1. Summary of the Proposal

The proposal directed management to evaluate each control deficiency that comes to its attention in order to determine whether the deficiency, or combination of control deficiencies, is a material weakness. The proposal defined a material weakness as a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis by the company’s ICFR. The proposal contained guidance on the aggregation of deficiencies by indicating that multiple control deficiencies that affect the same financial reporting element increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may be individually insignificant. The proposal also highlighted four circumstances that were strong indicators that a material weakness in ICFR existed. In summary, the following four items were listed:

• An ineffective control environment, including identification of fraud of any magnitude on the part of senior management; significant deficiencies that remain unaddressed after some reasonable period of time; and ineffective oversight by the audit committee (or entire board of directors if no audit committee exists).
• Restatement of previously issued financial statements to reflect the correction of a material misstatement.
• Identification by the auditor of a material misstatement of financial statements in the current period under circumstances that indicate the misstatement would not have been discovered by the company’s ICFR.
• For complex entities in highly regulated industries, an ineffective regulatory compliance function.

2. Comments on the Proposal and Revisions Made

Definition of Material Weakness

Commenters expressed concern about the differences between our proposed definition of material weakness and that proposed by the PCAOB in its Proposed Auditing Standard and requested that the two definitions be aligned.118 Commenters provided feedback on the reasonably possible threshold for determining the likelihood of a potential material misstatement as well as the reference to interim financial statements for determining whether a potential misstatement could be material. Commenters also suggested that a single definition of material weakness be established for use by both auditors and management and that definition be established by the SEC in its rules.119 Based on comments on the proposal, we are amending Exchange Act Rule 12b–2 and Rule 1–02 of Regulation S–X to define the term material weakness. Further discussion and analysis of the definition of material weakness and commenter feedback can be found in that rule release.120

Strong Indicators of a Material Weakness

Commenters noted there were differences in the list of strong indicators included in the proposal and the list of strong indicators included in the Proposed Auditing Standard, raising concern that the failure of the two proposals to provide similar guidance would cause unnecessary confusion between management and auditors.121 Commenters also provided suggested changes, additions or deletions to circumstances that were included on the list of strong indicators. For example, commenters raised questions about the “identification of fraud of any magnitude on the part of senior management,” questioning the appropriateness of the term “of any magnitude” or which individuals were encompassed in the term “senior management.”122 Commenters also felt the Commission’s proposed list of indicators should be expanded to include the indicator relating to an ineffective internal audit function or risk assessment function that was included in the Proposed Auditing Standard.123 One commenter felt that the list of strong indicators needed to be made more specific, and should include more illustrative examples.124 Another commenter stated that the indicator of “significant deficiencies that have been identified and remain unaddressed after some reasonable period of time” should be clarified to mean unremediated deficiencies.125 Other commenters suggested that the list of strong indicators be eliminated completely, stating that designating these items as strong indicators creates a presumption that such items are, in fact, material weaknesses, and may impede the use of judgment to properly evaluate the identified control deficiency in light of the individual facts and circumstances.126 Commenters also felt the Commission should clearly indicate that a company may determine that no deficiency exists despite the fact that one of the identified strong indicators was present.127

After consideration of the comments, we have decided to modify the proposed guidance. We believe judgment is imperative in determining whether a deficiency is a material weakness and that the guidance should encourage management to use that judgment. As a result, we have modified the guidance to emphasize that the evaluation of control deficiencies requires the consideration of all of the relevant facts and circumstances. We agreed with the concerns that an overly detailed list may create a list of de facto material weaknesses or inappropriately suggest that identified control deficiencies not included in the list are of lesser importance. At the same time, however, we continue to believe that highlighting certain circumstances that are indicative of a material weakness provides practical information for management. As a result, rather than referring to “strong indicators,” the final guidance refers simply to “indicators.” This change should further emphasize that the presence of one of the indicators does not mandate a conclusion that a material weakness exists. Rather management should apply professional judgment in this area. These examples include indicators related to the results of the financial statement audit, such as material audit adjustments and restatements, and

118 See, for example, letters from EEI, FEI CCR, FEI SPCTF, ICAEW, N. Stofberg, and SVLG.
119 See, for example, letters from FEE and ICAEW.
120 Release No. 34–55928.
121 See, for example, letters from BDO, BR, Center, Cleary, CSC, Deloitte, KPMG, M&P, and Schneider Downs & Co., Inc. (Schneider).
122 See, for example, letters from 100 Group, Eli Lilly, FEI CCR, and P&G.
123 See, for example, letters from BR, Crowe Chizek & Company LLC (Crowe), Deloitte, and M&P.
124 See, for example, letter from Chamber.
125 See, for example, letter from EEI.
126 See, for example, letters from Cleary, Institute of Internal Auditors (IIA), and NYC Bar.
127 See, for example, letters from Chamber, Cleary, CSC, PPL, and Schneider.


indicators related to the overall evaluation of the company’s oversight of financial reporting, such as the effectiveness of the audit committee and incidences of fraud among senior management. These examples are by no means an exhaustive list. For example, under COSO, risk assessment and monitoring are two of the five components of an effective system of internal control. If management concludes that an internal control component is not effective, or if required entity-level or pervasive elements of ICFR are not effective, it is likely that internal control is not effective.

Lastly, we agreed with commenters that it is appropriate for the Commission’s guidance in this area to mirror the PCAOB’s auditing standard. As a result, we have worked with the PCAOB in reaching conclusions regarding the guidance in this area, and we anticipate the PCAOB’s auditing standard will align with our final management guidance.

G. Management Reporting and Disclosure

Comment letters expressed various viewpoints regarding the information management provides as part of its report on the effectiveness of ICFR. For example, commenters raised concerns regarding the “point in time” assessment and suggested various alternative approaches.128 Commenters also made suggestions regarding the disclosures management provides when a material weakness has occurred. Certain commenters felt the suggested disclosures indicated in the proposing release should be mandatory,129 while other commenters wanted the Commission to specify where in the Form 10-K management must provide its disclosures.130 Commenters also requested that the Commission include in its release additional possible disclosures for consideration by management to include in its report.131

In addition, commenters expressed concerns regarding the language in the Proposing Release with respect to management’s ability to determine that ICFR is ineffective due solely to, and only to the extent of, the identified material weakness(es). Some commenters felt that this language was essentially the same as a qualified opinion, which is prohibited by the guidance,132 while two others stated that the Commission needed to provide additional guidance around the circumstances under which this approach would be appropriate.133

Based on the feedback we received, we have eliminated this from the final interpretive guidance and revised the proposed guidance to simply state that management may not state that the company’s ICFR is effective. However, management may state that controls are ineffective for specific reasons. Additionally, certain of the requests received seemed inconsistent with the statutory obligation. For example, Section 404(a)(2) of Sarbanes-Oxley requires that management perform the assessment as of the end of its most recent fiscal year. As a result, we do not believe any further changes to the proposed guidance around management’s expression of its assessment of the effectiveness of ICFR are necessary.

H. Previous Staff Guidance and Staff Frequently Asked Questions

Commenters raised questions regarding the status of guidance previously issued by the Commission and its staff, on May 16, 2005,134 as well as the Frequently Asked Questions (“FAQs”).135 Some commenters requested the FAQs be retained in their entirety,136 while others requested that some particular FAQs be retained.137 As we indicated in the proposed guidance, the May 2005 guidance remains relevant. Additionally, we have instructed the staff to review the FAQs and, as a result of the final issuance of this guidance, update them as appropriate.

I. Foreign Private Issuers

The Commission received comments directed towards the information included in the proposed guidance related to foreign private issuers. While three commenters noted that no additional guidance for foreign private issuers was necessary,138 other commenters suggested changes. Commenters raised concerns regarding potential duplicative efforts and costs foreign registrants are subject to, as a result of similar regulations in their local jurisdictions.139 These commenters requested that the Commission attempt to minimize or remove any duplicative requirements, with some requesting the Commission exempt foreign registrants entirely from the ICFR reporting requirements if the registrant was subject to similar regulations in their home country. Other commenters raised concerns relating to the unique challenges that foreign registrants face in evaluating their ICFR, including language and cultural differences and international legal differences.140

Commenters also made suggestions regarding how the reconciliation to U.S. GAAP should be handled in the evaluation of ICFR. Certain commenters expressed support for the Commission’s position that foreign private issuers should scope their evaluation effort based on the financial statements prepared in accordance with home country GAAP, rather than based on the reconciliation to U.S. GAAP.141 However, other commenters requested that the Commission exempt the reconciliation to U.S. GAAP from the scope of the evaluation altogether,142 while others sought further clarification as to whether and how the reconciliation was included in the evaluation of ICFR,143 with one commenter suggesting the Commission staff publish additional Frequently Asked Questions to address any implementation issues.144 One commenter requested the Commission exclude from the evaluation process those financial statement disclosures that are required by home country GAAP but not under U.S. GAAP to minimize the differences in the ICFR evaluation efforts between U.S. registrants and foreign filers as much as possible.145

128 See, for example, letters from BHP Billiton Limited, Eli Lilly, and IIA.
129 See, for example, letters from HFS, IDW, and Tatum.
130 See, for example, letters from Crowe and KPMG.
131 See, for example, letters from PCG Worldwide Limited and PepsiCo, Inc. (Pepsi).
132 See, for example, letters from BDO and CFA.
133 See, for example, letters from Crowe and Deloitte.
134 Commission Statement on Implementation of Internal Control Reporting Requirements, Press Release No. 2005–74 (May 16, 2005); Division of Corporation Finance and Office of the Chief Accountant: Staff Statement on Management’s Report on Internal Control Financial Reporting (May 16, 2005), available at http://www.sec.gov/spotlight/soxcom/.htm.
135 Office of the Chief Accountant and Division of Corporation Finance: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports Frequently Asked Questions (revised Oct. 6, 2004), available at http://www.sec.gov/info/accountants/controlfaq1004.htm.
136 See, for example, letters from BP p.l.c. (BP), GT, IIA, ISACA, MSFT, and Tatum.
137 See, for example, letters from BDO, EY, KPMG, and Stantec Inc.
138 See, for example, letters from BP, Manulife, and Pepsi.
139 See, for example, letters from 100 Group, Banco Itaú Holding Financeira SA, CCMR, Eric Fandrich, and FEI CCR.
140 See, for example, letters from IIA and GT.
141 See, for example, letters from 100 Group, BDO, and ICAEW.
142 See, for example, letters from CCMR, Cleary, EALIC, and NYC Bar.
143 See, for example, letters from Deloitte, EY, KPMG, and N. Stofberg.
144 See, for example, letter from Ohio.
145 See, for example, letter from ING.


After considering the comments received, the Commission has determined not to exempt foreign registrants from the ICFR reporting requirements, regardless of whether they are subject to similar home country requirements. The Commission’s requirement for all issuers to complete an evaluation of ICFR is not derived from the Commission’s Interpretive Guidance for Management; this requirement has been established by Congress. Further, the Commission does not believe it is appropriate to exclude the U.S. GAAP reconciliation from the scope of the evaluation as long as it is a required element of the financial statements. Currently, however, the Commission is evaluating, as part of another project, the acceptance of International Financial Reporting Standards (“IFRS”) as published by the International Accounting Standards Board (“IASB”) without reconciliation to U.S. GAAP.146

In light of the comment letters, the Commission realizes that there are certain implementation concerns and issues that are unique to foreign private issuers. As a result, the Commission has instructed the staff to consider whether these items should be addressed in a Frequently Asked Questions document.

146 In a press release on April 24, 2007, the Commission announced its next steps pertaining to acceptance of IFRS without reconciliation to U.S. GAAP. In that press release, the Commission stated that it anticipates issuing a Proposing Release in summer 2007 that will request comments on proposed changes to the Commission’s rules which would allow the use of IFRS, as published by the IASB, without reconciliation to U.S. GAAP in financial reports filed by foreign private issuers that are registered with the Commission. The press release is available at http://www.sec.gov/news/press/2007/2007–72.htm.

List of Subjects in 17 CFR Part 241

Securities.

Text of Amendments

■ For the reasons set out in the preamble, the Commission is amending Title 17, chapter II, of the Code of Federal Regulations as follows:

PART 241—INTERPRETATIVE RELEASES RELATING TO THE SECURITIES EXCHANGE ACT OF 1934 AND GENERAL RULES AND REGULATIONS THEREUNDER

■ Part 241 is amended by adding Release No. 34–55929 and the release date of June 20, 2007 to the list of interpretative releases.

Dated: June 20, 2007.

By the Commission.

Nancy M. Morris,
Secretary.

[FR Doc. E7–12299 Filed 6–26–07; 8:45 am]
BILLING CODE 8010–01–P