The views expressed in this document are those of the author, and do not necessarily reflect the position of the PCAOB, its other Board members, or its staff.
“Internal controls” are the procedures within a company that are designed to provide reasonable assurance that the company’s policies are followed. Under the framework developed in the early 1990s by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls address three categories of objectives:
Frequently, a control may address more than one of these objectives. This paper focuses only on those controls that affect a company’s financial reporting; this is also the sole focus of §404 of the Sarbanes-Oxley Act of 2002 (the Act).
Under the COSO framework, there are five interrelated “components” of an effective internal control system; these are derived from the way the company is managed on a day-to-day basis:
A material weakness in ICFR exists if there is some flaw within the company’s overall control system such that it is at least reasonably possible that a material misstatement in the company’s financial statements will not be prevented or corrected. Such a misstatement may occur on an annual basis (either before or after an audit [see question below]), or through interim financial reporting (e.g., quarterly reports, which are un-audited). Examples may include inadequate segregation of duties (e.g., the person that receives commission from a sale also approves the loan agreement and reconciles the bank account); personnel lacking in sufficient accounting expertise to accurately prepare the financial statements; and failure to reconcile significant account balances.
Under existing SEC and PCAOB rules, material weaknesses in ICFR must be publicly reported. Flaws in control systems that fall below “material” are reported within the company, either to company management or the audit committee (depending upon the severity of the flaw). In evaluating the severity of a flaw in ICFR, both auditors and companies look at two factors: the likelihood that the flaw will result in a financial misstatement, and the magnitude of such an outcome. Thus, this process is, in essence, an exercise of risk analysis.
For ICFR purposes, the meanings of “reasonably possible” and “material” rely upon long-established definitions of these same terms in accounting. However, experience gathered during the first year of implementing §404 and AS2 demonstrates that auditors and companies both had a difficult time applying these terms in this new context. As with the generally accepted accounting principles (GAAP) that govern the preparation of financial statements, there are no bright-line tests based solely on quantitative measures; qualitative factors must also be considered, and professional judgment is required.
When an independent auditor issues a “clean” opinion on the company’s financial statements, this is a representation to the public that the auditor has followed applicable auditing and related professional standards so as to allow the auditor to conclude with reasonable assurance that the financial statements are fairly presented in conformity with GAAP in all material respects. A “clean” audit opinion is not a guarantee of error-free financials, but is rather the conclusion by an auditor – using procedures and professional judgment that are reasonable to the circumstances – that the statements are fairly presented.
But neither the auditor nor the company is required to disclose whether the audit process itself revealed financial statement errors that were corrected before the statements were filed with the SEC. The degree to which the auditor must require management to correct financial statements prior to their public filing is an indication of whether the company – using only its own personnel (either employees or third party consultants) – can produce financial information that is materially accurate. A company’s ability to accurately describe its own financial condition is particularly relevant when the company discloses un-audited financial information, as in quarterly reports filed with the SEC. Thus, while the audit of a company’s financial statements may be “clean,” this provides little information to those outside the company as to whether the company’s other financial information is of similar reliability.
One of the key purposes of §404 is to provide this additional information to market participants. Specifically, the ICFR audit report provides the public with a barometer against which to evaluate the reliability of a company’s disclosed financial information. Auditors follow certain professional standards (principally contained in PCAOB Auditing Standard No. 2 [AS2]) both to be able to reach a conclusion about the effectiveness of a company’s ICFR, and to report that conclusion to the public.
Since the enactment of the Foreign Corrupt Practices Act of 1977 (FCPA), every US-traded company (regardless of size and place of operations) has been required to create a system of “internal accounting controls”. In its rules implementing the FCPA, the SEC has explained that this responsibility requires that companies:
The Sarbanes-Oxley Act of 2002 enhanced this responsibility in two ways. First, §404(a) of the Act [see Appendix A-1] requires a large subset of these same companies to annually report on the company’s own assessment of the effectiveness of these controls. Second, under §302 of the Act, certain corporate officers must (among other things) accept responsibility (as evidenced by individual signatures) for the content of the company’s annual §404(a) report.
US-domiciled companies with public float over $75 million (also known as “accelerated filers”) have been required to comply with the new reporting rules for annual reports covering fiscal years ending on or after November 15, 2004. The comparable compliance dates are July 15, 2006 for non-US accelerated filers and July 15, 2007 for all smaller companies.
Auditors, too, have been familiar with the concept of internal controls for years. For decades, auditors have been required to understand the company’s ICFR; this understanding, in turn, was to be used by the auditor to tailor the “nature, timing and extent” of the auditor’s testing in the audit of the company’s financial statements. For example, if an auditor found a company’s ICFR to be poor, the auditor should have responded by performing more extensive testing, or by pursuing tests that yield more persuasive evidence (e.g., written rather than oral evidence). However, the auditor’s awareness of significant flaws in a company’s internal control systems provided no incentive for the company to correct the flaws; the auditor was simply expected to “audit around” them.
Under §404(b) of the Act [see Appendix A-1], independent auditors are now required to “attest to, and report on” the company’s §404(a) assessment. This requirement of public disclosure, by both the company and the auditor, now creates a strong incentive for company self-correction.
As in any attestation, for an auditor to attest to management’s §404(a) assessment, the auditor must gather evidence to test whether management’s assertion that its ICFR is effective is correct. The auditor’s scope of review is not limited to looking at the process that the company used for its assessment, however. This point – challenged by some – is confirmed by §103 of the Act [see Appendix A-2]. Section 103 directs the PCAOB, in fulfilling its standards-setting responsibility, to adopt a standard requiring that the auditor report on (among other things) “the scope of the auditor’s testing of the internal control structure and procedures of the issuer, required by §404(b).” Moreover, under §103 this report must also include the auditor’s findings; an evaluation of the company’s internal control structure and procedures; and a description of any material weakness in ICFR. All of these items are specifically to be based on the auditor’s own testing.
AS2 is the PCAOB auditing standard designed to fulfill both §103’s and §404(b)’s requirements.
The audit of a company’s financial statements and the audit of that company’s ICFR must be performed by the same auditor, and the two audits should be integrated. With integrated audits, the tests that the auditor performs may serve two purposes.
Illustration A: In an audit of ICFR, the auditor is required to “walk-through” at least one transaction within each significant class of transactions. A “walk-through” represents a “soups-to-nuts” review of how a transaction begins (e.g., with a customer order) to how it is recorded on the company’s books and, finally, to how the transaction ultimately flows through to the financial statements. When performing such a walk-through, the auditor gains first-hand knowledge of the points in this process at which material misstatements could occur. This understanding also allows the auditor to design a more effective strategy for auditing the financial statements than if no walk-throughs had been performed.
Illustration B: During an ICFR audit, the auditor will assess the risks of a material weakness arising in various places within the company’s overall financial reporting system. When designing and implementing procedures to test the effectiveness of controls in these areas, the auditor may find that these same procedures are also helpful to the financial statements’ audit; in such a case, the procedures need only be performed once.
Both of these examples illustrate how this integration not only results in a higher quality financial statement audit, but also provides the opportunity for the auditor to be efficient with his/her time.
During AS2’s first year of implementation, participants in the ICFR process raised a number of issues that put in question both the manner in which auditors performed their work, and whether this work provided value in excess of its cost. Were auditors too granular in their review of ICFR? Were auditors pushing company management to take a minute, rather than material approach? Were the costs of the Act’s internal control requirements outweighing the benefits?
As a result of these and other questions, on May 16, 2005 the SEC and PCAOB each issued guidance to companies and their independent auditors. Among other issues, this guidance addressed the need to analyze ICFR using a “top-down” and “risk-based” approach. In addition, the PCAOB pledged to use its inspection program to review how, in fact, auditors were fulfilling their ICFR responsibilities. A PCAOB report on these findings was issued on November 30, 2005. (See www.pcaobus.org.)
Now, as the second year of AS2 implementation for most US large companies nears an end, it is appropriate to step back and again ask questions: Are auditors doing the work required of them? Perhaps even more fundamentally, are the auditor requirements achieving the desired end-result of greater transparency around the state of company controls? At what cost? These questions, and others, will be explored at a SEC/PCAOB roundtable to be held on May 10, 2006.
As a related matter, in December 2004 the SEC established an Advisory Committee on Smaller Public Companies and charged it with examining, from a cost-benefit perspective, the impact of federal securities laws on smaller companies. This Committee’s draft recommendations are open for public comment until April 3, 2006, after which the Committee will submit its final recommendations to the SEC. As to ICFR, the Committee’s draft recommendations are to exempt (at least temporarily) certain companies from one or more parts of §404. The following table summarizes these recommendations:
Summary of Advisory Committee on
Smaller Public Companies Draft Recommendations
The PCAOB strives to determine that its standards meet a significant need and that the costs they impose – compared with possible alternatives – are justified in relation to long-term benefits. When a new activity or responsibility requires an initial investment in new audit programs and training, then any increase in fees is likely to be larger during this period, before ultimately reaching a stable state. Moreover, when the learning period is necessarily condensed (due to external reasons such as legal deadlines) the audit resources required to fulfill the new obligation also generally increase to reflect the expedited nature of the undertaking. Lastly, when companies are also required to undertake parallel new activity during this same time period, and both auditors and their clients are learning simultaneously, the overall start-up costs of the new activity will be larger still.
This is the factual scenario that presented itself to US-accelerated filers and their independent auditors in 2004 and early 2005 – the first year of implementing §404. Studies calculating these first year costs do not always use the same means of measure, but most agree that the average per-company cost was approximately $4.36 million (with approximately $1.34 million paying for internal company resources, $1.30 million going to outside auditors, and $1.72 million being used for external costs such as consultants and software). Three points, however, are relatively undisputed:
While §404 costs are relatively quantifiable, its benefits are not. What is the value of increasing the reliability of the financial numbers upon which the markets move, and individual investment decisions are made? When enacting the Act, Congress made a determination that increased reliability has an inherent value – not only to investors, but also to company employees, the community, and the national economy. A number of factors, some of which are subject to quantitative analysis and others that are not, are relevant; e.g.,
Many of the studies identified above, as well as those expected in the future, all seek to identify benefits or harm to shareholders. In the end, however, it is really only those shareholders who can decide whether the advantages of the ICFR requirements outweigh the costs.
Nancy M. Morris, Secretary
Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
All submissions should refer to File Number 4-511.
Public Company Accounting Oversight Board
Attention: Office of the Secretary
1666 K Street NW
Washington, DC 20006-2803
Refer to “Internal Control Roundtable.”
SEC Web site: http://www.sec.gov/spotlight/soxcomp.htm
PCAOB Web site: Auditing Standard 2.
Section 404 of the Sarbanes-Oxley Act of 2002 (the Act) states that:
(a) Rules Required.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Section 103 of the Act states (in part) that:
(a) Auditing, Quality Control, and Ethics Standards.—
(1) In general.—The [PCAOB] shall, by rule, establish . . . such auditing and related attestation standards . . . to be used by registered public accounting firms in the preparation and issuance of audit reports. . . .
(2) Rule requirements.—In carrying out paragraph (1), the [PCAOB]—
(A) shall include in the auditing standards that it adopts, requirements that each registered public accounting firm shall—
(i) . . .
(ii) . . .
(iii) describe in each audit report the scope of the auditor’s testing of the internal control structure and procedures of the issuer, required by section 404(b), and present (in such report or in a separate report)—
(I) the findings of the auditor from such testing;
(II) an evaluation of whether such internal control structure and procedures—
(aa) include maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(bb) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(III) a description, at a minimum, of material weaknesses in such internal controls, and of any material noncompliance found on the basis of such testing.
. . . .
COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), and consists of organizations of financial executives and auditors.