SEC Issues Concept Release on Management’s Assessment of the Effectiveness of Internal Control Over Financial Reporting

On July 11, the SEC issued a concept release on how management should carry out assessments of the effectiveness of internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act of 2002. The release confirms that the SEC plans to issue additional guidance on the subject and seeks comment on what the guidance should cover. Comments on the concept release are due within 60 days of its publication in the Federal Register.

The concept release is one in a series of steps the SEC plans to take to improve the implementation of Section 404. Other steps the SEC has announced include (a) working with the PCAOB to make revisions to Auditing Standard No. 2, (b) further extending the Section 404 compliance date for non-accelerated filers, (c) reviewing new guidance for smaller public companies from the Committee of Sponsoring Organizations of the Treadway Commission and (d) overseeing the PCAOB’s inspections of accounting firms and their use of SEC and PCAOB guidance to make Section 404 more cost-effective.

The SEC’s planned guidance would address concerns that the absence of guidance on conducting management’s assessment of internal controls has contributed to unnecessary costs and burdens in implementing Section 404. Management assessments to date largely have been driven by the documentation and testing requirements auditors are required to follow under AS No. 2, which the concept release suggests is needlessly burdensome because it disregards management’s greater familiarity with a company’s internal controls.

The concept release provides general indications about the form of the planned guidance and the general areas to be covered, but does not include a rule proposal. It requests public comment on 35 questions about the nature and extent of guidance companies would find useful. The main areas of the concept release are described below:

• Form of Guidance. The SEC anticipates that the guidance will take the form of a rule providing that companies following the rule will be deemed to have satisfied their assessment obligations. The SEC anticipates that any future amendments to AS No. 2 will be consistent with the new rule.
• Topics to Be Covered. The SEC intends to cover three principal areas in its forthcoming guidance:
• Identifying risks and controls. The SEC notes concern that failure to identify internal control risks effectively and efficiently has led to the identification, documentation and testing of an excessive number of controls. The guidance will address how management should determine the overall objectives for internal control over financial reporting and identify the related risks and controls.
• Evaluating the effectiveness of internal control over financial reporting. The SEC notes that failure by management to apply a top-down, risk-based approach to Section 404 has often resulted in too much work being done to test and document low-risk areas. It also notes that management sometimes unnecessarily tests controls using separate evaluation-type testing in connection with its annual assessment when it could instead rely on its ongoing monitoring activities and daily interactions with its internal controls. To improve the focus on risk and encourage better use of entity-level controls, the SEC anticipates that its guidance on the evaluation process will cover topics such as the overall objective of evaluation procedures, methods and approaches to gather evidence to support management’s assessment and factors that management should consider in determining the nature, timing and extent of its evaluation procedures. The SEC anticipates the guidance will also cover whether and how entity-level controls may adequately address risks, considerations regarding how IT controls should be included in the scope of the assessment and considerations management should take into account when determining the severity of an identified control deficiency.
• Documentation to support the assessment. Although the SEC’s rules require a company to maintain evidential matter to provide reasonable support for management’s assessment, the SEC notes that companies have often prepared excessive documentation, driven in part by an overly conservative application by auditors of the requirements of AS No. 2. Further, the SEC notes that documentation in many cases has substantially exceeded that normally produced by financial institutions under comparable provisions in the Federal Deposit Insurance Improvement Act of 1991. The SEC anticipates that its guidance will address documentation issues including the objectives of documentation, documentation updating and controls whose operation does not result in documented evidence.

Copies of the Concept Release can be found by clicking on the attached link: http://www.sec.gov/rules/concept/2006/34-54122.pdf

Please feel free to contact any of your regular contacts at the firm or any of our partners and counsel listed under Capital Markets in the “Our Practice” section of our website if you have any questions.