INTERNAL CONTROL OVER FINANCIAL REPORTING

Updated September 15, 2005 By Linda L. Griggs, Morgan, Lewis & Bockius LLP © 2005 Morgan, Lewis & Bockius LLP. All rights reserved.

  1. When must registrants begin to report on internal control over financial reporting?
  2. Where must a registrant disclose the management report on internal control over financial reporting?
  3. What must management say in its report on internal control over financial reporting?
  4. What additional disclosures are included in reports on internal control over financial reporting?
  5. What other disclosure about internal control over financial reporting must a registrant make?
  6. What internal control framework should management use to assess its internal control over financial reporting?
  7. What must the independent registered public accounting firm (the “outside auditors”) say about internal control over financial reporting?
  8. Should registrants ask their outside auditors for separate or combined reports?
  9. What must registrants that are not yet required to report on internal control over financial reporting (“non-accelerated filers”) say about their internal control over financial reporting before they must include reports on internal control in their annual reports?
  10. How do disclosure controls and procedures and internal control over financial reporting differ?
  11. What disclosure is required about the effectiveness of disclosure controls and procedures?
  12. Must a registrant describe changes in internal control over financial reporting?
  13. Should a registrant disclose in advance any possibility that it will not be able to file the required reports on internal control over financial reporting on a timely basis?
  14. Will a registrant be able to file its Form 10-K without the required reports on internal control over financial reporting?
  1. How is internal control over financial reporting defined?
  2. Does internal control over financial reporting encompass supplementary financial information?
  3. What controls are included within internal control over financial reporting?
  4. What are registrant level controls?
  5. What controls are necessary to prevent, deter, and detect fraud?
  6. How much judgment is involved in identifying the controls necessary in internal control over financial reporting?
  7. How does reporting on internal control over financial reporting affect the documentation of the tax accrual?
  8. Must a registrant's internal control over financial reporting include controls relating to all of the entities reflected in a registrant's financial statements, i.e., subsidiaries, equity investees, and variable interest entities (“VIEs”)?
  9. Are there any exceptions to the requirement that all consolidated subsidiaries and VIEs be included within a registrant's internal control over financial reporting?
  10. Must a registrant's internal control over financial reporting include the controls relating to outsourced activities, processes, or functions?
  11. Does internal control over financial reporting include compliance with laws and regulations?
  1. How extensively must registrants document their internal control over financial reporting?
  2. Who is management?
  3. What representations must management make to the outside auditors?
  4. How should management assess the registrant's internal control over financial reporting?
  5. How should management assess the five components of internal control over financial reporting?
  6. How should management assess the controls at service organizations providing outsourced activities that are part of internal control over financial reporting?
  7. Should management assess the effectiveness of the audit committee?
  8. How extensively must a registrant document its assessment of internal control over financial reporting?
  9. Should a registrant review its internal control over financial reporting on a quarterly basis?
  1. What is the objective of the outside auditors' audit of internal control over financial reporting?
  2. What is an integrated audit?
  3. What must the outside auditors do in conducting the audit?
  4. Should the cost of the audit of financial statements and internal control over financial reporting decrease after the first audits of internal control over financial reporting?
  5. How much judgment can the outside auditors exercise?
  6. When must the outside auditors modify their opinion?
  7. Must the outside auditors evaluate internal control over financial reporting in connection with their review of quarterly financial statements?
  1. What is a material weakness in internal control over financial reporting?
  2. How should compensating controls be evaluated in determining whether there is a significant deficiency or a material weakness in internal control over financial reporting?
  3. What deficiencies in controls are considered to be “at least significant deficiencies” in internal control over financial reporting?
  4. What deficiencies in controls are considered to be “at least significant deficiencies” and strong indicators of material weaknesses?
  5. What types of interactions can registrants have with the outside auditors without triggering a significant deficiency or a material weakness?
  6. How should registrants analyze the significance of deficiencies?
  1. If a registrant's management or outside auditors report a material weakness in internal control over financial reporting and that report is included in the registrant's annual report on Form 10-K, will the registrant be able to file a registration statement on Form S-2 or S-3, will the SEC declare the registrant's registration statement effective, and will affiliates and others be able to use Rule 144?
  2. Are all material weaknesses serious problems for a registrant?
  3. How will regulators and investors react to reports of material weaknesses in internal control over financial reporting?
  4. What kind of disclosure should a registrant that reports a material weakness include in the annual report on Form 10-K, or any registration statement, filed after the material weakness is reported?
  1. Will the SEC accept a Form 10-K without the required reports on internal control over financial reporting?
  2. Will the SEC accept a qualified auditors' opinion?
  3. Will the SEC accept a disclaimed auditors' opinion?
  4. Will the SEC accept an adverse auditors' opinion?

The principal sources cited in these FAQs are:

  • Exchange Act Rules 13a-14 and 15d-14, Certification of Disclosure in Annual and Quarterly Reports
  • Exchange Act Rules 13a-15 and 15d-15, Controls and Procedures
  • Item 307 of Regulation S-K, Disclosure Controls and Procedures
  • Item 308 of Regulation S-K, Internal Control over Financial Reporting
  • Item 601 (b)(31)(i) and (b)(32)(i) of Regulation S-K Certifications
  • Item 9A of Part II of Form 10-K, Controls and Procedures
  • Item 4 of Part I of Form 10-Q, Controls and Procedures

Cites to the forms and rules applicable to small businesses, foreign private issuers, investment companies, and asset-backed issuers are not included in these FAQs.


 

1. When must registrants begin to report on internal control over financial reporting?

“Accelerated filers,” as defined in Exchange Act Rule 12b-2, began reporting on internal control over financial reporting for their fiscal years ended on or after November 15, 2004. The effective date of the SEC's rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 was extended for all issuers in February 2004 (See SEC Release No. 33-8392). A registrant is an accelerated filer if, as of the end of its fiscal year, it:

  • has a public float of $75 million or more computed on the last business day of its most recently completed second fiscal quarter;
  • has been subject to Exchange Act reporting for at least 12 calendar months;
  • has filed at least one annual report; and
  • is not eligible to use Forms 10-KSB and 10-QSB for its annual and quarterly reports.

Thanks to another extension of the compliance deadline, registrants that are neither accelerated filers nor foreign private issuers filing their annual reports on Form 20-F or 40-F (“non-accelerated filers”) must begin to comply with the internal control over financial reporting requirements for their first fiscal year ending on or after July 15, 2006 (See SEC Release No. 33-8545). This is a one-year extension from the previously established compliance date of fiscal years ending on or after July 15, 2005.

At a public meeting on September 21, 2005, the SEC again extended the compliance date for registrants “that are not accelerated filers” to fiscal years ending on or after July 15, 2007. (See SEC Release No. 33-8618). By letter dated August 18, 2005 to Chairman Christopher Cox of the SEC, the SEC Advisory Committee on Smaller Public Companies recommended that the Commission further extend the date as of which smaller companies that are non-accelerated filers begin to comply with the requirements for reports on internal control over financial reporting. The Advisory Committee recommended that the SEC delay compliance until fiscal years ending on or after July 15, 2007, because of the disproportionately higher costs for smaller companies to comply with the internal control over financial reporting requirements, the on-going efforts by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to develop guidance relating to internal control over financial reporting for smaller public companies, and the greater level of complexity to the process for reporting on internal control over financial reporting than previously thought. COSO's proposed guidance, which was issued for comment in October 2005, is available here.

2. Where must a registrant disclose the management report on internal control over financial reporting?

The management report on internal control over financial reporting must be included in an annual report on Form 10-K or in whatever form is applicable to the registrant. The SEC Staff has urged registrants to include the report also in their annual reports to shareholders. Warning that failure to do so when the report is qualified in any way may render the annual report misleading, the Staff has noted that it intends to recommend that the SEC propose to amend Rules 14a-3(b) and 14c-3(a) under the Securities Exchange Act of 1934 and Item 13 of Schedule 14A under the Exchange Act to require such presentation. (See Question 22 of the SEC October 6, 2004, Internal Control FAQs).

Although the SEC's rules do not specify where the reports on internal control over financial reporting should be included, the SEC's adopting release for the internal control rules encouraged companies to put the management report “in close proximity to the corresponding attestation report issued by the registrant's registered public accounting firm.” (See SEC Release No. 33-8238, Section B.3.e.) Nevertheless, many accelerated filers have included the management report within Item 9A of the Form 10-K. When the auditors' report on internal control over financial reporting was separate from the auditors' report on the financial statements, it was generally included near the audited financial statements. Comments made by the SEC staff prior to the filings of Form 10-Ks by calendar year-end accelerated filers suggested that management's report on internal control over financial reporting should be a separate report, signed by management, and included in the Form 10-K near the auditors' report on internal control.

3. What must management say in its report on internal control over financial reporting?

Item 308 of Regulation S-K provides that the management report on internal control over financial reporting must:

  • State that management is responsible for establishing and maintaining adequate internal control over financial reporting for the registrant.
  • Identify the framework that management has used to evaluate the effectiveness of the registrant's internal control over financial reporting (see "What internal control framework should management use to assess its internal control over financial reporting?").
  • State management's conclusion as to whether the registrant's internal control over financial reporting is effective (that is, the report must state either that the registrant's internal control over financial reporting is effective or, if management has identified any material weakness in the registrant's internal control over financial reporting, that the registrant's internal control over financial reporting is not effective) and describe any such material weakness in internal control over financial reporting. The SEC Staff expects that management's report will use the term “material weakness” in describing any identified material weaknesses. (See Question 20 of the SEC Internal Control FAQs.) No statement that internal controls are effective “except for” certain identified problems or any similar qualified language is permitted (see Question 5 of the SEC Internal Control FAQs and "What disclosure is required about the effectiveness of disclosure controls and procedures?").
  • State that the registrant's outside auditors have reported on management's assessment of internal control over financial reporting. The outside auditors' report must be included in the Form 10-K. (See Section II.B.3. of SEC Release No. 33-8238 (June 5, 2003).)

4. What additional disclosures are included in reports on internal control over financial reporting?

The management reports on internal control over financial reporting that accelerated filers included in their annual reports on Form 10-K for their 2004 fiscal years often included an explanation about the inherent weaknesses of internal control similar to that included in the report of the outside auditors. Although the SEC Staff has issued comments that have led registrants to exclude any such explanation from the disclosure about the effectiveness of disclosure controls and procedures required by Item 307 of Regulation S-K, the SEC may accept an explanatory paragraph in the report on internal control over financial reporting because the illustrative reports on internal control over financial reporting for the outside auditors set forth in Appendix A of PCAOB Auditing Standard No. 2 include the following “Inherent limitations paragraph”:

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

If management describes any material weakness in internal control over financial reporting, it should fully describe the weakness. The management reports issued this year have included details that appeared to be designed to enable readers to understand the severity of the weakness. Such transparent disclosure is very appropriate and probably necessary to avoid inappropriate investor concern about the impact of the weakness on the registrant's ability to prepare accurate financial statements.

Information about how the registrant is addressing the deficiency, including the nature of any improvements and enhancements that were made or are being implemented, the timing of such remediation efforts and any additional steps that the registrant is taking to ensure that its financial statements are accurate in the interim should also be provided. These disclosures should not be included in the management report on internal control over financial reporting. Rather, that disclosure should be set forth in Item 9A of the Form 10-K. (See Question 11 of the SEC Internal Control FAQs.)

5. What other disclosure about internal control over financial reporting must a registrant make?

The annual report on Form 10-K and interim reports on Form 10-Q must include disclosure about any change in internal control over financial reporting that occurred during the fourth quarter of the fiscal year, in the case of the Form 10-K, or in the period covered by a Form 10-Q, that materially affected or is reasonably likely to materially affect internal control over financial reporting. This disclosure results from the representation in paragraph 4(d) of the certification required to be set forth as an exhibit to the Form 10-K and the Form 10-Q by Exchange Act Rules 13a-14(a) and 15d-14(a) and set forth in Item 601(b)(31)(i) of Regulation S-K. Paragraph 4(d) provides that the principal executive and financial officers “[d]isclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.”

In addition, once a registrant is subject to the requirement to report on internal control over financial reporting, Exchange Act Rules 13a-15(d) and 15d-15(d) become effective. This provision requires management to evaluate, with the CEO and CFO's participation, “any change in the registrant's internal control over financial reporting, that occurred during each of the issuer's fiscal quarters... that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.” Item 308(c) of Regulation S-K, which is effective once a registrant is subject to the internal control over financial reporting requirements, requires a registrant to disclose any change in “internal control over financial reporting identified in connection with the evaluation required by [Exchange Act Rule 13a-15 or 15d-15] that occurred during the registrant's last fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.” It is unclear why the effective date of Exchange Act Rules 13a-15(d) and 15d-15(d) and Item 308(c) of Regulation S-K was delayed given paragraph 4(d) of the certification required by Exchange Act Rules 13a-14(a) and 15d-14(a). Perhaps the SEC believes that the evaluation process required by Exchange Act Rules 13a-15(d) and 15d-15(d) is more meaningful than the steps the CFO and CEO had to take to ensure that they were complying with paragraph 4(d) of their certification. (See Item 9A of Form 10-K, "Must a registrant describe changes in internal control over financial reporting?" and "Should a registrant review internal control over financial reporting on a quarterly basis?".)

6. What internal control framework should management use to assess its internal control over financial reporting?

In the United States, the only framework for evaluating internal control is the framework established by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). In 1992, COSO issued its “Internal Control - Integrated Framework.” (See Section II.B.3.a. of SEC Release No. 33-8238.) COSO has proposed for comment a framework for small businesses to use to evaluate internal control, which, once finalized, will be available to managements of small businesses required to comply with the internal control reporting requirements.

7. What must the independent registered public accounting firm (the “outside auditors”) say about internal control over financial reporting?

The outside auditors must state in their report their opinions on whether management's assessment of internal control over financial reporting is fairly stated, in all material respects, and whether the registrant maintained, in all material respects, effective internal control over financial reporting. The report also must describe, among other things, the outside auditors' opinion on the registrant's financial statements, unless the outside auditors issue a combined report on both the financial statements and internal control over financial reporting. (See Paragraphs 167(l) and (m) and 170 of PCAOB Auditing Standard No. 2.)

8. Should registrants ask their outside auditors for separate or combined reports?

PCAOB Auditing Standard No. 2 and Rule 2-02(f) of Regulation S-X permit outside auditors to issue their opinions on internal control over financial reporting in either a separate report or together with their opinion on the financial statements. The SEC Staff's response to Question 15 of the SEC Internal Control FAQs notes that the “auditor should take into account any issues that may arise if its audit report on the financial statements is expected to be reissued or incorporated by reference into a filing under the Securities Act.” Registrants may want to consider whether to request separate reports so that any need for the outside auditors to reissue or double date their report on the financial statements does not raise a question as to the need for an update to the opinion on internal control over financial reporting. At least one accounting firm, however, may be taking the position that its reports on internal control over financial reporting must be combined with the report on the financial statements.

9. What must registrants that are not yet required to report on internal control over financial reporting (“non-accelerated filers”) say about their internal control over financial reporting before they must include reports on internal control in their annual reports?

Non-accelerated filers must report most, if not all, material weaknesses in internal control over financial reporting and any change in internal control over financial reporting that occurred during the period reflected in a Form 10-Q or the fourth quarter of a fiscal year if that change materially affected or is reasonably likely to materially affect the registrant's internal control over financial reporting. Non-accelerated filers also must disclose material weaknesses because Item 307 of Regulation S-K requires registrants to state the conclusion of their CEO and CFO as to the effectiveness of disclosure controls and procedures, which generally include internal control over financial reporting. Disclosure about changes in internal control over financial reporting that materially affected or are reasonably likely to materially affect internal control is required because of paragraph 4(d) of the certification required by Exchange Act Rules 13a-14(a) and 15d-14(a). (See "What disclosure is required about the effectiveness of disclosure controls and procedures?" and "Must a registrant describe changes in internal control over financial reporting?".)

10. How do disclosure controls and procedures and internal control over financial reporting differ?

Disclosure controls and procedures include all controls relating to the preparation of Exchange Act reports and other documents and almost all controls included in internal control over financial reporting, so this category is broader than internal control over financial reporting. Item 307 of Regulation S-K requires disclosure of the conclusions of the CEO and the CFO regarding the effectiveness of disclosure controls and procedures. Exchange Act Rules 13a-15(e) and 15d-15(e) define disclosure controls and procedures as those controls and other procedures that are designed to ensure that information required to be disclosed by a registrant in the reports that it submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the SEC's rules and forms and include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a registrant is accumulated and communicated to the registrant's management, including its CEO and CFO, as appropriate to allow timely decisions regarding required disclosure.

The only controls in internal control over financial reporting that would not be encompassed by disclosure controls and procedures are those that relate only to the safeguarding, and not the reporting, of assets. Any registrant that concludes that an aspect of its internal control over financial reporting is not part of disclosure controls and procedures will have the burden of proving its position. Therefore, the CEO and CFO are not likely to be able to conclude that their disclosure controls and procedures are effective if they, or their outside auditors, have identified any material weakness in internal control over financial reporting. (See Item 307 of Regulation S-K referred to in Item 9A of Part II of Form 10-K and Item 4 of Part I of Form 10-Q.) Disclosure controls and procedures also may be ineffective for reasons unrelated to internal control over financial reporting.

11. What disclosure is required about the effectiveness of disclosure controls and procedures?

A registrant's CEO and CFO must state either that the registrant's disclosure controls and procedures are effective or, if they have identified any material deficiency within the disclosure controls and procedures, such as a material weakness in internal control over financial reporting, that the registrant's disclosure controls and procedures are not effective. They cannot state that the registrant's disclosure controls and procedures are effective except to the extent of specifically described problems or express similar qualified conclusions. (See Question 5 of the SEC Internal Control FAQs.)

If the CEO and CFO conclude that the registrant's disclosure controls and procedures are not effective, the annual or quarterly report should state the reasons for that conclusion, including the nature of the deficiency, so that the disclosure is not misleading. (See Question 11 of the SEC Internal Control FAQs.) In addition, the registrant should describe how it is addressing the deficiency, including the nature of any improvements and enhancements that were made or are being implemented, the timeline for any further improvements and enhancements, and any efforts to mitigate the weakness in the interim to ensure appropriate public disclosures, including, if the deficiency is in internal control, adequate financial statements.

Unlike the disclosure about internal control over financial reporting, a registrant should not include disclosure about the inherent weaknesses of disclosure controls and procedures. The SEC has issued confusing comments on registrants' disclosure explaining that a controls system, no matter how well designed and operated, cannot provide absolute assurance that the objectives of the controls system are met, and that no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within a registrant have been detected. In view of the difficulty of addressing the confusing comments, registrants have deleted the explanatory language.

The SEC Staff has issued comments requiring a registrant to include the entire definition of disclosure controls and procedures in its disclosure responsive to Item 307 of Regulation S-K if it includes any part of the definition. For example, the SEC Staff has required a registrant that defined disclosure controls and procedures as “those controls and other procedures that are designed to ensure that information required to be disclosed by a registrant in the reports that it submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the SEC's rules and forms” to state also that “such controls include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a registrant is accumulated and communicated to the registrant's management, including its CEO and CFO, as appropriate to allow timely decisions regarding required disclosure.”

12. Must a registrant describe changes in internal control over financial reporting?

Disclosure about changes in internal control is required regardless of whether a registrant is required to report on internal control over financial reporting. The CEO and the CFO must represent in their certification required by Section 302 of Sarbanes-Oxley, implemented by Exchange Act Rules 13a-14(a) and 15d-14(a), that they have disclosed in the related report “any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.” (See Paragraph 4(d) of Item 601(b)(31) of Regulation S-K.)

Although the SEC Staff's response to Question 9 of the SEC Internal Control FAQs states that changes in internal control that are made in preparation for a registrant's first management report on internal control over financial reporting need not be disclosed, this relief does not affect the language in paragraph 4(d) of the Section 302 certification and, therefore, in my view, the disclosure is required by that paragraph. Since the CEO and the CFO must make the representation in paragraph 4(d) of the Section 302 certification, they need to make sure the applicable report includes the disclosure about material changes that they represent is set forth in the report. Furthermore, the disclosure is likely to be required as a result of Rule 12b-20 under the Exchange Act, which requires material disclosures necessary so that the required disclosures are not misleading.

Accordingly, changes in internal control over financial reporting that are made as a part of a registrant's project to fully document its internal control over financial reporting in preparation for management reports on internal control should be disclosed if they have had or are reasonably likely to have a material effect on the registrant's internal control over financial reporting. Changes to simply document a registrant's internal control in anticipation of reporting on internal control over financial reporting likely would not have a material effect on such internal control over financial reporting.

Once a registrant is required to report on internal control over financial reporting, it must also comply with Item 308(c) of Regulation S-K. (See "Should a registrant review its internal control over financial reporting on a quarterly basis?".)

13. Should a registrant disclose in advance any possibility that it will not be able to file the required reports on internal control over financial reporting on a timely basis?

If management reasonably believes the registrant will not be able to file management's or the outside auditors' reports on internal control over financial reporting when they are required, the registrant should disclose that possibility in its risk factors.

A registrant should consider whether the circumstances that may make it impossible for its management or outside auditors to report on internal control over financial reporting suggest that the registrant's disclosure controls and procedures are not effective. Registrants that receive notifications from their outside auditors that they have experienced slippage in their Section 404 implementation schedule and there is no assurance that Section 404 reporting will be timely if there is further slippage should consider warning investors of that possibility. Receipt of that notification by itself should not require disclosure if the registrant reasonably believes it will be able to file the required reports on internal control over financial reporting on a timely basis.

14. Will a registrant be able to file its Form 10-K without the required reports on internal control over financial reporting?

Given the language of the certification required by Section 906 of Sarbanes-Oxley, and Exchange Act Rules 13a-14(b) and 15d-14(b), a registrant's CEO and CFO may not feel comfortable signing the 906 certification required in an annual report on Form 10-K that does not include the required reports on internal control over financial reporting. The 906 certifications are required by Exchange Act Rules 13a-14(b) and 15d-14(b) to be filed as exhibits to the periodic report containing financial statements. (The 906 certifications are filed as Exhibit 32 to the Form 10-K and Form 10-Q pursuant to Item 601(b)(32)(i) of Regulation S-K.)

Section 906 requires the CEO and CFO to certify that the periodic report containing financial statements “fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934... and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.” Since an annual report on Form 10-K that does not include the required reports on internal control over financial reporting would not “fully comply” with the applicable reporting requirements, the CEO and CFO may consider whether to file the Form 10-K without the required 906 certifications, file 906 certifications that have been modified to report the absence of the internal control reports, or file the annual report on a Form 8-K.

The CEO and CFO may be able to execute the Section 302 certifications, however, as long as they are satisfied with the disclosures in the Form 10-K. These certifications state, among other things, that, based on the signing officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state any material fact necessary to make the statements made, in light of the circumstances in which they were made, not misleading. Accordingly, the CEO and CFO may be willing to execute the Section 302 certifications as long as they are satisfied that the Form 10-K adequately describes the reasons management cannot include the required reports in the Form 10-K, the status of the efforts to provide the required reports, any preliminary views as to the registrant's internal control over financial reporting, and the steps the registrant is taking to ensure that the reports will be filed as soon as possible.

1. How is internal control over financial reporting defined?

Exchange Act Rules 13a-15(f) and 15d-15(f) define internal control over financial reporting as a “process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

  • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
  • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
  • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.”

2. Does internal control over financial reporting encompass supplementary financial information?

Internal control over financial reporting does not encompass supplementary information that registrants must disclose in accordance with Regulation S-X, such as financial statement schedules. The SEC Staff is considering, however, whether to recommend that the Commission propose to expand the definition of internal control over financial reporting to encompass such supplementary information. (See Question 23 of the SEC Internal Control FAQs.)

3. What controls are included within internal control over financial reporting?

Internal control over financial reporting requires controls over all relevant assertions related to all “significant” accounts and disclosures in the financial statements. An account is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, or the account represents an important performance measure even though it is not quantitatively large.

Generally, internal control over financial reporting includes the following:

  • Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
  • Controls over the selection and application of accounting policies that conform to generally accepted accounting principles (“GAAP”).
  • Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
  • Controls, including information technology general controls, on which other controls are dependent.
  • Company-level controls. (See “What are registrant level controls?”.)
  • Controls designed to prevent, deter, and detect fraud. (See "What controls are necessary to prevent, deter, and detect fraud?".)

(See Paragraphs 24, 40, 53 and 114 of PCAOB Auditing Standard No. 2.)

4. What are registrant level controls?

Registrant level controls are:

  • Controls over common processes and systems and the centralized financial system, and encompass the tone at the top;
  • Human resources policies and programs;
  • The assignment of authority and responsibility to persons having the requisite competence, integrity, and ethics;
  • Management's philosophy and operating style;
  • Board-approved policies that address significant business control and risk management practices;
  • Management's risk assessment process;
  • Controls to monitor the results of operations;
  • Controls to monitor other controls—including activities of the internal audit function, the board, and particularly the audit committee—and self-assessment programs; and
  • The period-end financial reporting process, including controls over procedures used to initiate, authorize, record, and process journal entries in the general ledger and to record recurring and non-recurring adjustments to the financial statements.

(See Paragraphs 40 and 50-54 of PCAOB Auditing Standard No. 2.)

5. What controls are necessary to prevent, deter, and detect fraud?

Controls to prevent, deter, and detect fraud include:

  • Controls restraining misappropriation of the registrant's assets;
  • The registrant's risk assessment processes;
  • The registrant's code of business conduct and ethics, especially the provisions relating to conflicts of interest, related party transactions, and illegal acts, and the monitoring of the code by management and the audit committee or board;
  • The internal audit function as well as the audit committee's involvement and interaction with internal audit; and
  • The audit committee's procedures for handling complaints and concerns about accounting, auditing, and internal control matters, including those submitted on a confidential basis.

These controls, including the activities undertaken in response to any allegations of fraud, are consistent with the Amendments to the Sentencing Guidelines, which became effective on November 1, 2004. (See Paragraphs 24-26 of PCAOB Auditing Standard No. 2.)

6. How much judgment is involved in identifying the controls necessary in internal control over financial reporting?

On May 16, 2005, the SEC issued a statement that addresses issues that arose during the first year experience with the implementation of the internal control reporting requirements of Section 404 of Sarbanes-Oxley, including feedback the SEC received at its April 13, 2005, Roundtable on Implementation of Internal Control Reporting Provisions. In its "Commission Statement on Implementation of Internal Control Reporting Requirements,” the SEC noted that it “is the responsibility of management to determine the form and level of controls appropriate for each registrant and to scope their assessment and the testing accordingly.”

In the first instance, it is management that should identify the appropriate controls based upon the specific characteristics of the registrant. The SEC observed that the costs incurred by accelerated filers to comply with the internal control reporting requirements may have been the result of “a mechanical, and even overly cautious, way” in which registrants and outside auditors complied with the rules. The SEC urged both management and outside auditors to use “reasoned judgment and a top-down, risk-based approach to the Section 404 compliance process. A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.”

Hence, the identification of controls requires considerable judgment from management in the first instance. Management should focus on the controls necessary for the areas of greatest risk and not treat all significant accounts and related controls equally. In addition, the controls that are necessary are those required to provide “reasonable assurance” that financial statements will be reliable, not absolute assurance of such reliability.

In the "Staff Statement on Management's Report on Internal Control Over Financial Reporting,” also issued on May 16, 2005, the SEC Staff explains that "[t]he assessment of internal control over financial reporting will be more effective if it focuses on controls related to those processes and classes of transactions for financial statement accounts and disclosures that are most likely to have a material impact on the registrant's financial statements.” Referring to this approach as a “top-down” approach, the Staff suggested that management first “identify the areas of the financial statements that present significant risk that the financial statements could be materially misstated,” and then “identify relevant controls and design appropriate procedures for documentation and testing of those controls.”

7. How does reporting on internal control over financial reporting affect the documentation of the tax accrual?

In a February 2004 speech to the Tax Council Institute Conference, SEC Chief Accountant Donald T. Nicolaisen noted that, in connection with the documentation of internal control over financial reporting, he anticipates that “management and the internal auditors will be documenting [their registrant's] procedures for the preparation of tax accounts, evaluating [their] compliance functions, considering how key estimates are developed and recorded, and reviewing how tax planning strategies are developed, evaluated, and approved, and how well [the tax] department documents key conclusions and decisions.” Accordingly, management and outside auditors may need to include in their documentation of internal control over financial reporting and audits, respectively, more detailed information, including legal opinions, to support the tax accruals.

8. Must a registrant's internal control over financial reporting include controls relating to all of the entities reflected in a registrant's financial statements, i.e., subsidiaries, equity investees, and variable interest entities (“VIEs”)?

A registrant's internal control over financial reporting must include controls at all of the entities that are included within a registrant's consolidated financial statements, including majority owned subsidiaries and VIEs that are consolidated as a result of Financial Accounting Standards Board Interpretation No. 46 (January 2003, revised December 2003), “Consolidation of Variable Interest Entities - an Interpretation of ARB No. 51.” (See Question 1 of the SEC Internal Control FAQs.)

Although a registrant need not have controls at any entities that it accounts for using the equity method of accounting, management must consider equity investments in assessing the registrant's internal control over financial reporting. The SEC Staff's response to Question 2 of the SEC Internal Control FAQs states that the registrant must have controls over the recording of amounts related to its investments, and, accordingly, must consider, among other things, its controls over the accounting methods for its investments, the recognition of equity method earnings and losses, and its investment account balance. Moreover, the response notes that there may be circumstances where the evaluation by a registrant of the control over financial reporting of an equity method investment is not only appropriate but also may be the most effective form of evaluation of that investment.

9. Are there any exceptions to the requirement that all consolidated subsidiaries and VIEs be included within a registrant's internal control over financial reporting?

The SEC Staff has provided two exceptions to the requirement that a registrant's internal control over financial reporting include controls at all of the entities reflected in the registrant's consolidated financial statements. The response to Question 1 of the SEC Internal Control FAQs provides an exception for consolidated entities that were in existence prior to December 15, 2003, are considered to be VIEs, and are consolidated as a result of Financial Accounting Standards Board Interpretation No. 46 if the registrant does not have the right or authority (that is, the ability) to assess the internal controls of the entity or the ability, in practice, to make that assessment. A registrant that relies on that exception must disclose in its annual report on Form 10-K:

  • Its inability to evaluate the internal controls of the specifically identified VIE due to the fact that it does not have the ability to dictate or modify the controls of the entity and does not have the ability, in practice, to assess those controls; and
  • Any key amounts in the financial statements that result from consolidation of the entity whose internal controls have not been assessed.

Management's report on internal control over financial reporting should include a reference to that disclosure.

The other exception to the need for internal control over financial reporting to include controls at all subsidiaries is explained in the Staff's response to Question 3 of the SEC Internal Control FAQs. There, the Staff provides an exception for a subsidiary that was acquired in a material purchase business combination that occurred during a registrant's most recent fiscal year, provided that management's report on internal control over financial reporting refers to a discussion in the Form 10-K describing the limitation on the scope of the assessment of internal control over financial reporting and the excluded identified business and its significance to the registrant. This exception may not be helpful to a registrant that plans to sell securities if the underwriting agreement relating to the offering requires the registrant to make representations with respect to its internal control over financial reporting. Presumably, a registrant that made an acquisition that was not “material” would not need to rely on the exception because the controls at the acquired entity would not be sufficiently significant to the registrant's internal control over financial reporting.

10. Must a registrant's internal control over financial reporting include the controls relating to outsourced activities, processes, or functions?

Yes, if the outsourced activities, processes, or functions are significant to the registrant's internal control over financial reporting. PCAOB Auditing Standard No. 2 states that internal control over financial reporting must include controls that address the relevant financial statement assertions for each significant account and disclosure in a registrant's financial statements. Therefore, the outsourced activity must be encompassed by the registrant's internal control over financial reporting if it relates to a significant account. (See "What controls are included within internal control over financial reporting?”.)

Historically, outsourced activities have been considered by the outside auditors in determining the scope of their audits in accordance with Auditing Standard Section 234, Service Organizations (Statement on Auditing Standard No. 70 or AU §324). AU §324 indicates that activities are considered part of a registrant's internal control if they affect any of the following:

  • The classes of transactions that are significant to the registrant's financial statements;
  • The procedures, both automated and manual, by which the registrant's transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements;
  • The related accounting record, whether electronic or manual, supporting information, and specific accounts in the registrant's financial statements involved in initiating, recording, processing, and reporting the registrant's transactions;
  • How the registrant's information system captures other events and conditions that are significant to the financial statements; and
  • The financial reporting process used to prepare the registrant's financial statements, including significant accounting estimates and disclosures.

Service organizations that provide such services include, for example, bank trust departments that invest and service assets for employee benefit plans or for others; mortgage bankers that service mortgages for others; application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operations transactions; entities that develop, provide, and maintain the software used by client organizations; and payroll service providers.

Not all outsourced activities are part of internal control. For example, where the service organization executes transactions that the registrant specifically authorizes, such as processing checking account transactions or wire transfer instructions, or where the registrant outsources actuarial services or other specialist services, such activity is not part of internal control. (See Question 24 of PCAOB's Questions and Answers: Auditing Internal Control over Financial Reporting (originally issued June 23, 2004, revised July 27, 2004).) Financial interests in partnerships, corporations, and joint ventures, including working interests in oil and gas ventures, should not be considered to cause the controls at such entities to be part of a registrant's internal control over financial reporting, however. (See AU §324.03.)

(See “How should management assess the controls at service organizations providing outsourced activities that are part of internal control over financial reporting?”.)

11. Does internal control over financial reporting include compliance with laws and regulations?

Internal control over financial reporting includes controls relating to laws and regulations that pertain directly to the preparation of financial statements, such as the SEC's financial reporting requirements and the requirements under the Internal Revenue Code. The SEC Staff's response to Question 10 of the SEC Internal Control FAQs states that internal control over financial reporting also includes “controls to ensure that the effects of non-compliance with laws, rules and regulations are recorded in the registrant's financial statements, including the recognition of probable losses under Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies.”

In addition, “all controls that focus primarily on the effectiveness and efficiency of operations or compliance with laws and regulations and also have a material effect on the reliability of financial reporting, are a part of internal control over financial reporting.” (See Paragraph 15 of PCAOB Auditing Standard No. 2.) This means, according to the response to Question 27 of the PCAOB's Q&As dated October 6, 2004, that, “internal control over financial reporting encompasses controls over the identification, measurement, and reporting of all material actual loss events which have occurred, including controls over the monitoring and risk assessment of areas in which, given the nature of the registrant's operations, such actual loss events are reasonably possible.”

Internal control over financial reporting does not encompass compliance with other laws. However, the evaluation of disclosure controls and procedures requires consideration of the registrant's compliance with laws, rules, and regulations, including whether the registrant adequately monitors such compliance and has procedures to ensure appropriate disclosure of legal or regulatory matters. (See Question 10 of the SEC Internal Control FAQs.)

1. How extensively must registrants document their internal control over financial reporting?

A registrant's documentation of its internal control over financial reporting should be complete enough to:

  • Enable accurate and timely implementation of the controls by the persons having the responsibility for those controls;
  • Permit someone to assess whether the design of the controls is adequate and whether they appropriately take into account the five components of internal control over financial reporting (that is, the control environment, risk assessment, control activities, information and communication, and monitoring);
  • Describe how significant transactions are initiated, authorized, recorded, processed, and reported; and
  • Evaluate the point during the flow of transactions at which material misstatements due to error or fraud could occur.

(See Paragraphs 42-44 of PCAOB Auditing Standard No. 2.)

The controls over all relevant financial statement assertions must provide “the foundation for appropriate communication concerning responsibilities for performing controls and for the registrant's evaluation of and monitoring of the effective operation of controls.” (See Paragraph 44 of PCAOB Auditing Standard No. 2.) In this regard, a registrant should consider documenting a delegation of authority policy that, among other things, sets a framework for the segregation of duties, encompasses all key decision-making functions, identifies the personnel responsible for those decisions, defines powers reserved for the board, determines how much executives can commit or spend, identifies who can originate and approve policies, and implements a consistent process to monitor compliance and appropriately address any non-compliance through disciplinary actions and modifications of programs.

2. Who is management?

Presumably, the management that must issue the report on internal control over financial reporting required by the SEC's rules that implement Section 404 of the Sarbanes-Oxley Act may include more than just a registrant's principal executive and principal financial officers. Exchange Act Rules 13a-15(c) and 15d-15(c) provide that “management... must evaluate, with the participation of the issuer's principal executives and principal financial officers, or persons performing similar functions, the effectiveness, as of the end of each fiscal year, of the issuer's internal control over financial reporting.”

With respect to management's report on internal control over financial reporting, Item 308(a) of Regulation S-K states that management's report must contain, among other things, a “statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting.” In contrast, the principal executive and principal financial officers must certify in their certificates required by Exchange Act Rules 13a-14(a) and 15d-14(a) that they, and not “management,” “are responsible for establishing and maintaining... internal control over financial reporting.” (See new language in paragraph 4 of the Certification in Item 601(b)(31) of Regulation S-K, effective, together with paragraph 4(b), once internal control over financial reporting is effective.) Accordingly, registrants may determine that the management who issues the report should be the CEO and CFO, particularly since the management report should be signed.

3. What representations must management make to the outside auditors?

Management must provide to the outside auditors written representations relating to, among other things:

  • Management's responsibility for establishing and maintaining effective internal control over financial reporting;
  • Management's acknowledgement that its assessment of the effectiveness of internal control over financial reporting was not based at all on the outside auditor's audit of such internal control; and
  • Management's disclosure to the outside auditor of:
    • all deficiencies in the design or operation of internal control over financial reporting;
    • any identification of any fraud that involves senior management or employees who have a significant role in the registrant's internal control over financial reporting;
    • the resolution or other status of any control deficiencies identified and communicated to the audit committee during previous engagements; and
    • any changes in internal control over financial reporting or other factors subsequent to the end of the fiscal year that might significantly affect internal control over financial reporting, including any corrective actions with regard to significant deficiencies and material weaknesses.

(See Paragraph 142 of PCAOB Auditing Standard No. 2.)

The response to Question 34 of the PCAOB's Q&As dated November 22, 2004, states that management must disclose to the outside auditors deficiencies that it identifies, regardless of whether the deficiencies had been corrected as of the date of management's assessment of internal control over financial reporting.

4. How should management assess the registrant's internal control over financial reporting?

Exchange Act Rules 13a-15(c) and 15d-15(c) provide that “[t]he framework on which management's evaluation of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.” In SEC Release No. 33-8238, the SEC stated that the COSO framework satisfies those criteria. As noted above, COSO is the only framework currently available in the United States. (See COSO “Internal Control - Integrated Framework” and “What internal control framework should management use to assess its internal control over financial reporting?”.)

COSO requires an evaluation of the five components of internal control:

  • The control environment: the overall tone for the registrant;
  • Risk assessment: the assessment of risks from both internal and external sources that affect the registrant's ability to carry out its business;
  • Control activities: the policies and procedures that help ensure that management's instructions are implemented;
  • Information and communication: the mechanisms intended to ensure that employees understand their responsibilities and that informed business decision-making and external reporting is achieved; and
  • Monitoring: the assessment of the quality of the internal control system over time.

In Section II.B.3.d of SEC Release No. 33-8238, the SEC also stated that the assessment of internal control over financial reporting must be based on procedures sufficient both to evaluate the design of internal control over financial reporting as well as to test its operating effectiveness. Inquiry is not enough, but management may rely on activities conducted by non-management personnel acting under their supervision.

The statements issued by the SEC and its Staff on May 16, 2005, relating to reporting on internal control over financial reporting emphasized the need for management to use reasonable judgment in determining the scope of its assessment and testing of internal control. The SEC Staff noted that some of the feedback it had received relating to the experiences of registrants and outside auditors with implementation of the internal control over financial reporting rules noted that too many controls were identified, documented, and tested. A top-down approach to the assessment process is necessary to appropriately focus the assessment effort.

Both qualitative and quantitative factors are relevant in assessing the significant accounts to be included within the assessment. The SEC Staff noted that qualitative factors include the risk associated with the various accounts and their related processes. The Staff noted that quantitative thresholds may provide a reasonable starting point for evaluating the significance of an account or process but that judgment, including a review of qualitative factors, must be exercised to determine the need for exceptions to those thresholds. Whereas in most cases the identification of significant accounts will focus on annual and registrant measures rather than interim or segment measures, the SEC Staff noted that, in some cases, interim or segment measures may be appropriate.

In addition, the SEC Staff noted that the assessment process should focus on the objective of controls and combine controls for testing purposes to determine that they meet the broad objective. Accordingly, the assessment process may not need to test every individual step comprising a control. In addition, the SEC Staff noted that the assessment process should not require the assessment of general information technology internal controls that relate to the efficiency or effectiveness of the operations of the registrant since they are not relevant to financial reporting. This statement suggests that the assessment process also may become more efficient in the future as management can avoid further detailed testing as of the fiscal year-end date based upon greater reliance on its evaluation of controls through its daily interaction with the internal control system and ongoing monitoring of the operation of controls.

5. How should management assess the five components of internal control over financial reporting?

In evaluating the components of internal control over financial reporting, management may want to consider the following matters, among other things.

With respect to the control environment:

  • The degree of specification as to the level of competence necessary for specific assigned responsibilities;
  • The adequacy of the example provided with respect to, and the adequacy of communication of, integrity and ethical values, including the nature of the training provided to employees;
  • The adequacy of employees' understanding of the code of business conduct and ethics and the procedures for reporting concerns or complaints with respect to accounting, internal control, and auditing matters;
  • The adequacy of the responses of the board, audit committee, and management to information about violations of the code of business conduct and ethics and concerns about accounting, internal control, and auditing matters;
  • The adequacy of the example provided and the oversight role played by management and the board of directors, including the audit committee; and
  • The adequacy of human resource activities in assuring competence and ethical qualities.

With respect to risk assessment, the adequacy of:

  • The identification of areas where material misstatements of the significant accounts and disclosures and related assertions in the financial statements might occur; and
  • Mechanisms to monitor events that suggest that significant estimates and other judgments reflected in the financial statements must be re-examined.

With respect to control activities, the adequacy of:

  • Initiatives to check whether the control over assets is accurate and complete, and whether the authorization of transactions is appropriate;
  • Mechanisms to investigate unexpected results or unusual trends; and
  • The segregation of duties.

With respect to information and communication, the adequacy of the methods that a registrant uses to generate its financial data.

With respect to monitoring, the adequacy of:

  • The quarterly evaluation of internal controls and the results of internal audits;
  • The activities of the disclosure committee;
  • The audit committee's oversight of internal control over financial reporting; and
  • The responses to reports of deficiencies in quarterly certifications and any other self-assessment processes.

(See COSO “Internal Control - Integrated Framework”.)

6. How should management assess the controls at service organizations providing outsourced activities that are part of internal control over financial reporting?

When a service organization provides outsourced activities, processes, or functions that are part of the registrant's internal control over financial reporting, management must consider the activities of the service organization in making its assessment of internal control over financial reporting. (See "Must a registrant's internal control over financial reporting include the controls relating to outsourced activities, processes, or functions?".) This means that management must obtain an understanding of the controls at the service organization that are relevant to the registrant's internal control over financial reporting and the controls at the registrant over the activities of the service organization, and must obtain evidence that the controls that are relevant to management's assessment are operating effectively. Management's procedures may include:

  • Performing tests of the registrant's controls over the activities of the service organization;
  • Performing tests of controls at the service organization; and
  • Obtaining a report from the service organization's outside auditors on controls in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls (a Type 2 SAS 70 Report). (See Appendix B.18-B.29 of PCAOB Auditing Standard No. 2.) The SEC Staff explained in footnote 3 to the SEC Internal Control FAQs that, in a Type 2 SAS 70 Report, the outside auditors “report on a service organization's description of the controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.”

In all cases, however, management must maintain and evaluate, as appropriate, controls over the flow of information to and from the service organization. (See Question 14 of the SEC Internal Control FAQs.)

The easiest way for management to assess the effectiveness of the service organization's controls may be for management to obtain a Type 2 SAS 70 report from the service organization's outside auditors. If the Type 2 SAS 70 report adequately addresses the procedures and controls relevant to management's assessment process, management may not need to test the service organization's controls at all.

Not all service organizations have Type 2 SAS 70 reports, however, and it may take a long time to obtain one if the service organization never has had one before. Therefore, registrants should have already focused on identifying organizations that provide outsourced services that are part of the registrant's internal control over financial reporting so they can either begin the process of obtaining Type 2 SAS 70 reports or identifying other procedures that will enable them to assess the effectiveness of the relevant controls at the service organization.

In the response to Question 28 of the PCAOB's Q&A's dated October 6, 2004, the PCAOB Staff noted that management's inability to assess controls at a service organization could lead to a disclaimed opinion by the outside auditors if the outside auditors conclude that management did not fulfill its responsibilities. Management's failure to try to renegotiate a contract in order to obtain a Type 2 SAS 70 report might be viewed as a failure by management to fulfill its responsibilities.

How management obtains a Type 2 SAS 70 report is critical, however. Although the SEC Staff's response to Question 14 in the SEC Internal Control FAQs states that management would be able to rely on a Type 2 SAS 70 report even if the outside auditors for both the registrant and the service organization were the same, it also states that management may not rely on a Type 2 SAS 70 report if management were to engage the registrant's audit firm to prepare the report on the service organization.

7. Should management assess the effectiveness of the audit committee?

Given the requirement in Paragraphs 55-59 of PCAOB Auditing Standard No. 2 that the outside auditors evaluate the effectiveness of the audit committee, management will need to assess the effectiveness of the audit committee as a part of its assessment of internal control over financial reporting. Among the items the outside auditors may consider, and, therefore, management should consider, are the following:

  • The independence of the audit committee members from management, including the manner in which the audit committee members were identified for election to the board. (See Paragraph 57 of PCAOB Release No. 2003-017 (proposal) (Oct. 7, 2003) and Paragraph 58 of PCAOB Auditing Standard No. 2.)
  • The clarity with which the audit committee's responsibilities are articulated (for example, in the audit committee charter) and how well the audit committee and management understand those responsibilities. (See Paragraph 57 of PCAOB Auditing Standard No. 2.)
  • The quality of the information provided to the audit committee with respect to its oversight activities and the amount of time the audit committee spends on such activities.
  • The level of the audit committee's involvement and interaction with the outside auditors (see Paragraph 57 of PCAOB Auditing Standard No. 2) and the nature of the audit committee's evaluation of the outside auditors' performance and independence, including with respect to non-audit services provided by the outside auditors to the registrant. (See Paragraph 34 of PCAOB Auditing Standard No. 2.)
  • The level of the audit committee's involvement with the internal auditors as well as the audit committee's interaction with key members of financial management, including the chief financial officer and chief accounting officer. (See Paragraph 57 of PCAOB Auditing Standard No. 2.)
  • Whether the audit committee raises and pursues the right questions with management and the outside auditors. (See Paragraph 58 of PCAOB Auditing Standard No. 2.)
  • Whether the audit committee asks questions that indicate an understanding of the critical accounting policies and judgmental accounting estimates, including the critical accounting estimates related to income taxes. (See Paragraph 58 of PCAOB Auditing Standard No. 2 and Nicolaisen Tax Council Institute Speech.)
  • Whether the audit committee is responsive to issues raised by the outside auditors, including information about control deficiencies. (See Paragraphs 39 and 205 of PCAOB Auditing Standard No. 2.)
  • The adequacy of the compliance by the members of the audit committee with, and oversight of, the code of business conduct, if the audit committee has that oversight responsibility. (See Paragraph 24 of PCAOB Auditing Standard No. 2.)
  • Whether the audit committee appropriately evaluates the risk environment and the registrant's establishment of controls to prevent, deter, and detect risk and fraud, and monitors the registrant's efforts to address any weaknesses in the controls. (See Section 303A.07(c)(iii)(D) of the NYSE Listed Registrant Manual, which is applicable to registrants that have securities listed on the New York Stock Exchange and arguably establishes best practices applicable to audit committees.)
  • The adequacy of the audit committee's participation in the oversight of the period-end reporting process (see Paragraph 77 of PCAOB Auditing Standard No. 2), and whether that participation includes the review of earnings releases before they are issued. (See Section 303A.07(c)(iii)(c) of the NYSE Listed Company Manual, which requires a discussion by the audit committee of earnings releases generally, among other things, although best practices suggest the advance review of draft earnings releases.)
  • Whether the audit committee members assist management in setting the proper tone at the registrant and creating and maintaining a culture of honesty and high ethical standards. (See Paragraph 25 of PCAOB Auditing Standard No. 2.)
  • The results of the annual audit committee self-assessment. (See Section 303A.07(c)(ii) of the NYSE Listed Company Manual.)

8. How extensively must a registrant document its assessment of internal control over financial reporting?

Instruction 1 to Item 308 of Regulation S-K provides guidance as to the nature of management's documentation of its assessment of the effectiveness of internal control. It states that: “The registrant must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the registrant's internal control over financial reporting.”

In addition, Section II.B.3 of SEC Release No. 33-8238 (June 5, 2003) explains that the “evidential matter” that supports management's assessment “should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered.”

Perhaps outside auditors evaluate the quality of management's documentation of its assessment of the effectiveness of internal control over financial reporting using the standard applicable to their audits in the PCAOB's Auditing Standard No. 3, “Audit Documentation.” This standard requires that the documentation of an audit “contain sufficient information to enable an experienced auditor, having no previous connection with the engagement: to understand the nature, timing, extent, and results of the procedures performed, evidence obtained and conclusions reached.”

Given the May 16, 2005, guidance of the SEC and the PCAOB, however, the documentation of management's assessment of internal control over financial reporting may not need to be as extensive as registrants have thought. The SEC stated in its guidance that management's assessment and the documentation of that assessment should be consistent with the focus on areas of the financial statements that present significant risk that the financial statements could be materially misstated. That is, management should not need to assess the adequacy of controls that do not relate to areas of the financial statements that present significant risk that the financial statements could be materially misstated. In addition, the extent of documentation may be affected by the nature of management's assessment process. To the extent that management relies on its direct and ongoing monitoring of the operation of controls rather than specific testing, which the response to Question 47 of the PCAOB's Q&As dated May 16, 2005, describes as appropriate, the level of documentation would likely be very different. Finally, the PCAOB Staff provided guidance as to how the outside auditors evaluate a registrant's documentation of its assessment. The response to Question 53 of the PCAOB's Q&As states that PCAOB Auditing Standard No. 2 does not presume that a control is ineffective solely because there is no documentation evidencing the operation of the control.

9. Should a registrant review its internal control over financial reporting on a quarterly basis?

To assess the effectiveness of disclosure controls and procedures on a quarterly basis in accordance with Exchange Act Rules 13a-15(b) and 15d-15(b), a registrant's management must also evaluate its internal control over financial reporting because disclosure controls and procedures include most, if not all, of a registrant's internal control over financial reporting. That evaluation is not required to be as extensive as the evaluation and testing of internal control over financial reporting required by Section 404 of Sarbanes-Oxley and Exchange Act Rules 13a-15(c) and 15d-15(c), which must be based upon a suitable, recognized framework for such an assessment. (See SEC Release No. 33-8238, at 19 (stating that, while the quarterly evaluation of disclosure controls and procedures is of “effectiveness overall, a registrant's management has the ability to make judgments... that evaluations, particularly quarterly evaluations, should focus on developments since the most recent evaluation, areas of weakness or continuing concern or other aspects of disclosure controls and procedures that merit attention”).)

Once a registrant is subject to the requirement to report on internal control over financial reporting, paragraph (d) of Exchange Act Rules 13a-15 and 15d-15 becomes effective. As noted above, this provision requires management to evaluate, with the CEO and CFO's participation, “any change in the registrant's internal control over financial reporting, that occurred during each of the issuer's fiscal quarters... that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.” Although the evaluation of the effectiveness of disclosure controls and procedures and the disclosure of material changes in internal control over financial reporting pursuant to paragraph 4(d) of the certification required by Exchange Act Rules 13a-14(a) and 15d-14(a) have required registrants to evaluate internal control over financial reporting, the effectiveness of paragraph (d) of Exchange Act Rules 13a-15 and 15d-15 and Item 308(c) of Regulation S-K suggests that registrants' managements should consider additional procedures. The SEC does not expect these procedures to be as extensive as the annual evaluation (see SEC Release No. 33-8238, at 17) but expects the nature of the quarterly evaluation to “be informed by the purposes of disclosure controls and procedures.” (See SEC Release No. 33-8238, at 19.)

Possible additional procedures are an evaluation of whether any control deficiencies identified by management, any of its employees, or its outside auditors at any time, including during the most recent quarter, have been appropriately remediated; consideration of whether any additional controls are necessary as a result of changes in the business or management structure in the entity or changes in the industry or other developments; and consideration of whether recommendations for enhancements or changes to internal control over financial reporting should be solicited from persons involved in the control system.

1. What is the objective of the outside auditors' audit of internal control over financial reporting?

The objective of such an audit is for the outside auditors to obtain reasonable assurance that no material weaknesses exist in the registrant's internal control over financial reporting as of the end of the registrant's fiscal year. This goal requires the outside auditors to evaluate:

  • Management's assessment of the effectiveness of internal control over financial reporting;
  • Evidence the outside auditors obtain from the work performed by others; and
  • Evidence obtained by the outside auditors by performing auditing procedures themselves about whether the internal control over financial reporting was designed and operated effectively.

The outside auditors' job will be considerably assisted if a registrant's management thoroughly documents its assessment of internal control over financial reporting. (See “How extensively must registrants document their internal control over financial reporting?”.) The outside auditors must perform enough of their own tasks so that their work provides the principal evidence for their opinion. (See Paragraphs 4, 5, and 111 of PCAOB Auditing Standard No. 2.)

In its statement issued on May 16, 2005, the PCAOB emphasized its view that the outside auditors must exercise “the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient.” In this regard, the PCAOB noted its view that the outside auditors should:

  • Integrate their audits of internal control over financial reporting with their audits of financial statements;
  • Exercise judgment to tailor their audit plans to focus on areas that pose higher risks of misstatement of the individual audit client's financial statements;
  • Use a “top-down” approach that focuses on company-level controls to identify for further testing only those accounts and processes that are relevant to internal control over financial reporting and that uses a risk assessment process to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
  • Use the work of others to the maximum extent possible by performing more work in high-risk areas and using the work of others in areas of lesser risk; and
  • Respond on a timely basis to audit clients' requests for the outside auditors' views on accounting or internal control issues.

2. What is an integrated audit?

The PCAOB's May 16, 2005 statement relating to internal control over financial reporting explains that “[a]n integrated audit combines an audit of internal control over financial reporting with the audit of the financial statements, so that the objectives of two audits are achieved simultaneously through a single coordinated process.” The benefits of the integration are that the processes required to reach opinions on the financial statements and on internal control are “mutually reinforcing.” The findings and conclusions reached by the outside auditors during the audit of internal control “help the auditor better plan and conduct the auditing procedures designed to determine whether the financial statements are fairly presented.” In the opinion of the PCAOB, the failure to integrate the audit of the financial statements with the audit of internal control over financial reporting “not only wastes resources, but it also jeopardizes the quality of the overall audit and, potentially, misses key insights that could identify and uproot a budding accounting or reporting problem.”

3. What must the outside auditors do in conducting the audit?

To perform an engagement to audit a registrant's internal control over financial reporting, the outside auditors must:

  • Plan the audit;
  • Evaluate management's assessment process;
  • Obtain an understanding of the registrant's internal control over financial reporting by:
    • evaluating the design of controls relating to the five components of internal control, that is, the control environment, risk assessment, control activities, information and communication, and monitoring, which should include all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the registrant's financial statements;
    • identifying entity-level controls, which include the tone at the top;
    • evaluating the effectiveness of the audit committee's oversight;
    • identifying significant accounts and disclosures;
    • identifying relevant financial statement assertions;
    • identifying significant processes and major classes of transactions;
    • identifying the period-end reporting process;
    • performing walkthroughs; and
    • identifying controls to test;
  • Test and evaluate the design effectiveness of the registrant's internal control over financial reporting;
  • Test and evaluate the operating effectiveness of the registrant's internal control over financial reporting; and
  • Form an opinion on the effectiveness of the registrant's internal control over financial reporting.

(See Paragraphs 28 through 141 of PCAOB Auditing Standard No. 2.)

4. Should the cost of the audit of financial statements and internal control over financial reporting decrease after the first audits of internal control over financial reporting?

The PCAOB's May 16, 2005 statement noted that the survey conducted by Charles River Associates in April 2005, which was commissioned by the largest U.S. accounting firms, stated that outside “auditors believe that the total costs of compliance with Section 404 will decline by 46 percent next year.” One of the factors accounting for that cost reduction was the expectation that audits of internal control over financial reporting will be better integrated with audits of financial statements.

5. How much judgment can the outside auditors exercise?

The PCAOB's May 16, 2005 statement explains that outside auditors must “exercise judgment to determine how to apply [PCAOB Auditing Standard No. 2] to audit clients in different industries and of different sizes, but also exercise judgment to focus their work on areas that pose higher risks of misstatement, due either to errors or fraud. Reliance on standardized checklists that lead to a focus on controls in low-risk areas obviously fails to meet this objective.”

The PCAOB Staff believes that the judgments exercised through the top-down approach should help the auditor “eliminate from further consideration accounts, disclosures, and assertions that have only a remote likelihood of containing misstatements that could cause the financial statements to be materially misstated.” (See Question 38 of the PCAOB's Q&As dated May 16, 2005.) The degree of risk that a material weakness might exist is relevant to the attention that the outside auditors will give to an area.

The response to Question 40 of the PCAOB's Q&As dated May 16, 2005 notes that the outside auditors' risk assessment will affect the identification of significant accounts that must be evaluated; the identification of relevant assertions related to such significant accounts; the nature, timing, and extent of the auditors' tests of controls; and the auditors' use of the work of others. Whether, as a result of this guidance, outside auditors will reduce their efforts in any way, and therefore reduce the costs of internal control audits, remains to be seen.

6. When must the outside auditors modify their opinion?

The outside auditors cannot issue a clean opinion on internal control over financial reporting under certain circumstances, including:

  • If the outside auditors disagree with management's conclusion as to the effectiveness of the registrant's internal control over financial reporting;
  • If management fails to provide to the outside auditors written representations relating to, among other things:
    • management's responsibility for establishing and maintaining effective internal control over financial reporting;
    • management's acknowledgement that its assessment of the effectiveness of internal control over financial reporting was not based at all on the outside auditors' audit of such internal control; and
    • management's disclosure to the outside auditors of
      • all deficiencies in the design or operation of internal control over financial reporting,
      • any identification of any fraud that involves senior management or employees who have a significant role in the registrant's internal control over financial reporting,
      • the resolution or other status of any control deficiencies identified and communicated to the audit committee during previous engagements, and
      • any changes in internal control over financial reporting or other factors subsequent to the end of the fiscal year that might significantly affect internal control over financial reporting, including any corrective actions with regard to significant deficiencies and material weaknesses;
  • If management has not accepted responsibility for the effectiveness of the registrant's internal control over financial reporting;
  • If management has evaluated the effectiveness of internal control over financial reporting using unsuitable control criteria;
  • If management's documentation of internal control over financial reporting or its documentation of its assessment of the effectiveness of internal control over financial reporting is inadequate;
  • If management does not articulate clearly its conclusion as to the effectiveness of internal control over financial reporting;
  • If the scope of the outside auditors' audit was restricted;
  • If a significant subsequent event occurs after the end of the fiscal year; and
  • If management's inability to assess certain controls reflects a failure to fulfill its responsibilities. (See Question 28 of the PCAOB's Q&As dated October 6, 2004, stating in response to the question that such a failure may trigger auditor responsibilities under Section 10A of the Exchange Act.)

(See Paragraphs 143 and 173-192 of PCAOB Auditing Standard No. 2.)

Where the circumstances suggest that management is not taking appropriate responsibility, the outside auditors may need to consider withdrawing from the engagement. (See Paragraph 143 of PCAOB Auditing Standard No. 2.)

7. Must the outside auditors evaluate internal control over financial reporting in connection with their review of quarterly financial statements?

Registrants subject to Exchange Act Rules 13a-15(d) and 15d-15(d), which require a quarterly evaluation of any change in internal control over financial reporting that has materially affected or is reasonably likely to materially affect internal control over financial reporting, are probably conducting additional procedures to evaluate their internal control over financial reporting. (See “Should a registrant review its internal control over financial reporting on a quarterly basis?”.) The outside auditors also must conduct certain procedures. Paragraph 202 of PCAOB Auditing Standard No. 2 provides that the outside auditor “should perform limited procedures quarterly to provide a basis for determining whether he or she has become aware of any material modifications that, in the auditor's judgment, should be made to the disc