On May 16, 2005, the Public Company Accounting Oversight Board ("PCAOB") and the staff of the Securities and Exchange Commission ("SEC") separately issued guidance regarding implementation of Section 404 of the Sarbanes-Oxley Act of 2002 ("SOX 404"). Both sets of guidance respond to questions and concerns raised prior to and at the April 13, 2005, Roundtable Discussion on Implementation of Internal Control Reporting Provisions that was hosted by the SEC (the "SEC Roundtable").

SOX 404 requires public companies to (i) establish, maintain, and assess their internal control over financial reporting and (ii) obtain an opinion of their independent auditors as to the effectiveness of their internal control.1 The purpose of internal control over financial reporting is to promote the preparation of reliable financial statements, and the purpose of assessing such internal control is to identify material weaknesses that may cause a material misstatement in the financial statements.

Summary of Both Sets of Guidance

Auditors should integrate their audits of internal control with their audits of financial statements. Audit integration should decrease internal and external costs of SOX 404 compliance and allow the objectives of the two audits to be achieved via a single coordinated audit.

Auditors and management should exercise their professional judgment to tailor audits to individual companies. A one-size-fits-all, check-the-box approach that does not focus on high-risk areas and does not address the unique issues and risks of a particular company should be avoided.

Auditors and management should use a top-down, risk-based approach to compliance with SOX 404. Auditors and management should first examine company-level controls and significant accounts, and then analyze significant processes and individual controls. This approach will focus resources on higher risk areas and away from those less likely to contain a material misstatement.

SOX 404 requires "reasonable assurance" regarding the reliability of a company’s financial reporting, not absolute assurance. SOX 404 requires management to assess whether its internal controls are effective in providing "reasonable assurance" regarding the reliability of its financial reporting. Auditors should be aware that there is a zone of reasonable company conduct that is acceptable in the implementation of SOX 404.

Auditors are allowed and encouraged to use the work of others in conducting their audits. Auditing Standard No. 2 gives the auditor flexibility to rely on the work of others, such as the client’s internal accountants, especially in areas involving lesser risk.

Auditors and companies may communicate frequently and directly. Dialogue among management, auditors and audit committees helps achieve the goal of improving both internal controls and financial reports, and is not evidence of a deficiency in internal control nor an indication that auditors are not independent.

Companies may distinguish among reported material weaknesses in their disclosure. Companies are strongly encouraged to provide disclosure that will allow investors to assess for themselves the potential impact of each disclosed material weakness, distinguishing those weaknesses that may have a pervasive impact on internal control from those that do not.

Companies must test relevant IT controls, including new or upgraded IT systems. Companies must test those IT controls that are designed to ensure that the financial information produced may reasonably be relied upon.

The SEC will continue to assess the effects of SOX 404 on small businesses and foreign private issuers, neither of which is yet required to comply with SOX 404.

What this Means for Public Companies

Compliance with SOX 404 may be less costly and less time consuming going forward. The main concern raised at the SEC Roundtable was that the cost of compliance with SOX 404 was too high, in terms of both money and time. Going forward, auditors should perform integrated audits, focusing on high-risk areas and relying upon the work of internal auditors for lower-risk areas, thereby potentially leading to a significant decrease in total compliance costs and duplication of effort. One survey estimated that SOX 404 compliance costs should decline by 46% in the second year of SOX 404 compliance.

Companies can freely communicate with their auditors, seek advice when needed on difficult accounting and internal control issues, and provide their auditors with draft financial statements. Guidance from the staff of the SEC states: "Investors benefit when auditors and management engage in dialogue, including regarding new accounting standards and the appropriate accounting treatment for complex or unusual transactions. The staff believes that as long as management, and not the auditor, makes the final determination as to the accounting used, including determination of estimates and assumptions, and the auditor does not design or implement accounting policies, such auditor involvement is appropriate and is not of itself indicative of a deficiency in the registrant’s internal control over financial reporting…. The staff believes that management should not be discouraged from providing its auditors with draft financial statements (including drafts that may be incomplete in certain respects). Providing draft financial statements promotes communication between the auditor and management, and all parties should recognize the draft nature of the information."

Companies reporting material weaknesses in their internal control over financial reporting are allowed to describe the importance of each material weakness, differentiating the more important ones from the less important ones. Companies should disclose information that allows investors to assess the potential impact of each particular material weakness. Disclosures about material weaknesses should include the nature of any material weakness, its impact on the company’s financial reporting and control environment, and any plans to remediate the weakness. The goal is to provide increased investor information by bringing information about material weaknesses in internal control into public view.

Overview of PCAOB Guidance

The PCAOB Policy Statement Regarding Implementation of Auditing Standard No. 2 ("PCAOB Guidance") stated that auditors should:

  • integrate the internal control audit with the financial statements audit;
  • exercise judgment to tailor their audits to the specific risks facing individual companies;
  • use a top-down approach that begins with company-level controls to identify for further testing only the accounts and processes that are relevant to internal control over financial reporting;
  • use risk assessment to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
  • use the work of others; and
  • engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues.

Integrated Audits

PCAOB Guidance states that the outside auditor should combine its audit of the client’s internal control over financial reporting with the audit of the client’s financial statements, thereby decreasing the total time, money and effort spent on auditing through a single coordinated process. In an integrated audit, the examination of the client’s internal controls should validate the auditor’s findings in the audit of the financial statements. Furthermore, an integrated audit will help to "improve the quality and integrity of both corporate controls over financial reporting and independent financial statement audits."

Auditor Professional Judgment

One of the complaints often repeated at the SEC Roundtable was that auditors took an overly conservative approach to SOX 404 and were unwilling to use their professional judgment in their first year of auditing internal controls under SOX 404. Instead, many auditors used a "one-size-fits-all audit plan driven by standardized checklists that may have little to do with the unique issues and risks of the particular client’s financial reporting processes." PCAOB Guidance notes that this was "a disappointing development indicative of poor training and audit planning" and that certain provisions of Auditing Standard No. 2 (An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements)2 should not be applied in "a rigid manner that constrains professional judgment."

The main objective of Auditing Standard No. 2 is for the auditor to gather evidence that a client’s system of internal financial controls provides reasonable assurance that its financial statements do not contain material misstatements. To accomplish this task, PCAOB Guidance clearly states that auditors must exercise their professional judgment in two areas. First, auditors must exercise judgment in their application of Auditing Standard No. 2 to clients in different industries and of different sizes. Second, auditors must exercise judgment to focus their work on areas that pose higher risks.

Top-down Approach

PCAOB Guidance states that auditors should take a "top-down" approach in their audits of internal controls. A top-down approach means that auditors will first concentrate on company-level controls and then on significant accounts, thereby leading the auditors to examine significant processes and finally individual controls. By approaching the audit in this manner, auditors will naturally be steered toward areas of higher risk and away from those less likely to have a material impact on the client’s financial statements.

Risk Assessment

Another theme often repeated at the SEC Roundtable was a call for a risk-based approach to the audit of internal controls. PCAOB Guidance states that a risk-based approach "can further reduce costs while increasing audit effectiveness" and that auditors should focus their efforts on areas of higher risk. Using a risk-based approach will allow auditors to avoid wasting time and money auditing accounts that only have a remote likelihood of containing a material misstatement.

Use of Others’ Work

In the first year of compliance with SOX 404, auditors often re-tested internal controls that the company had already tested itself, thereby duplicating effort and wasting time and money. PCAOB Guidance states that an auditor utilizing a top-down, risk-based approach will naturally "identify areas where use of the work of others is not only appropriate but is also the most efficient way to perform the audit." PCAOB Guidance notes that auditors may rely on the work of competent and objective internal auditors, and such reliance is consistent with the flexibility given the auditor by Auditing Standard No. 2.

Auditors may be concerned about meeting the "principal evidence" provision of Auditing Standard No. 2, which requires the external auditor to perform sufficient auditing to reach its own, independent opinion as to the effectiveness of the client’s internal controls. PCAOB Guidance observes, however, that the principal evidence provision is meant only to prevent auditors from simply passing on to investors another person’s judgment and opinion regarding the effectiveness of internal controls. Reliance upon the work of others is acceptable. Additionally, the principal evidence requirement is qualitative, and therefore PCAOB Guidance acknowledges that while high-risk areas will require the auditors to perform more work themselves, lower-risk areas allow the auditors to rely more on the work of others.

Client Communication with Auditors

PCAOB Guidance also seeks to clarify a common misconception that, as a result of Auditing Standard No. 2, companies could not consult with their auditors for advice on accounting and internal control issues. Auditors feared that consultations with their clients could jeopardize their independence, while their clients feared providing their auditors with any hint of a possible material weakness in internal control. As a result, auditors were often unwilling to provide their clients with accounting advice and encouraged clients to finish their internal control assessments and the preparation of their financial statements prior to the auditor starting its audits, and clients were wary of providing draft financial statements to their auditors. PCAOB Guidance states that such practices "are neither necessary nor advisable."

While auditors may not make accounting decisions for their clients, and while management cannot relinquish its responsibility for quality financial reporting to any outside entity, auditors may discuss with management a variety of issues. PCAOB Guidance notes that auditors may:

  • review a draft of the financial statements;
  • provide technical advice regarding the proper application of GAAP, including making suggestions to management as to how disclosure and financial statement quality could be improved;
  • give updates to management on recent accounting developments;
  • discuss the auditor’s views on the assumptions and methods selected by management in the preliminary company drafts of accounting research memos, spreadsheets, and other working papers; and
  • provide assistance in determining the proper accounting treatment for a contemplated transaction.

Overview of SEC Guidance

In its Statement on Management’s Report on Internal Control Over Financial Reporting ("SEC Guidance"), the staff of the Securities and Exchange Commission expresses many of the same broad policy goals found in the PCAOB Guidance, and provides greater detail in connection with issues faced by management of companies undertaking internal control evaluations. Specifically, the SEC Guidance notes that:

  • both management and external auditors must use reasoned judgment and a top-down, risk-based approach to compliance with SOX 404;
  • in the future, the internal control audit and the financial statement audit should be integrated;
  • internal controls over financial reporting should be tailored to reflect the nature and size of the company; and
  • frequent and frank dialogue between the auditor and the company is to be encouraged in order to promote improved internal controls and improved financial reports.

Designing a Testing and Assessment Program

SEC Guidance discourages a formulaic, check-the-box approach as employed by many companies and auditors in testing internal control this past year. Instead, SEC Guidance stresses the necessity of customizing each company’s testing program on a yearly basis, based on the cumulative knowledge, experience and judgment of management, emphasizing the unique risks of individual companies.

Risk-Based Allocation of Resources

Companies should use a risk-based approach to internal control testing, whereby management prioritizes areas of the company’s financial statements according to relative levels of risk of misstatement and allocates resources accordingly. Areas posing greater risks to the accuracy of the company’s financial reporting should receive more management attention and should undergo more extensive testing of related controls.

Top-Down Approach

Management should identify controls related to each relevant area of the company’s financial statements and design appropriate documentation and testing procedures relative to that area’s risk level. In designing a testing program, management need only assess those controls that affect the reliability of the company’s financial reporting. Testing should lead to "reasonable assurance" of the reliability of the company’s financial reporting, not necessarily absolute assurance.3 Thus, not every step of a relevant control process must necessarily be tested – only enough steps to enable management to conclude that the process meets the broad control objective.

Factors to Consider

In determining the scope of a testing program, SEC Guidance notes that management may use quantitative factors as a starting point, such as a threshold level for identifying accounts significant enough to be subject to internal control testing. SEC Guidance states, however, that qualitative factors, including the risk to reliable financial reporting of a particular account, should be considered to determine whether certain accounts above or below a quantitative threshold should nonetheless be evaluated. Additionally, SEC Guidance suggests that any quantitative measures be based on annual and company-wide measures, rather than interim and segment-specific measures, unless individual circumstances make interim or segmented data a more appropriate measure. This is not to say that all testing must occur at the close of the company’s fiscal year, as SEC Guidance encourages companies to conduct testing and assessment over longer periods of time.

Furthermore, SEC Guidance notes that during the first year of SOX 404 implementation, a large number of controls were tested. Going forward, SEC Guidance states that management should focus on the objective of controls, rather than testing individual steps in a broader control, and test "the effectiveness of the combination of detailed steps that meet the broader control objective." In conducting this testing, SEC Guidance states that management may determine that it is acceptable not to test every individual step comprising a control in determining that the overall control is effective.

Evaluating a Deficiency

If testing and assessment identify a control deficiency, management must consider its level of significance. A quantitative analysis is appropriate, again using annual and company-wide measures, as well as a qualitative analysis, including such factors as the nature and cause of the deficiency, the financial statement assertion the deficient control was designed to support, the effect of the deficiency on the broader control environment and whether there are effective compensating controls.

SEC Guidance also emphasizes that a financial restatement due to error is not a per se indication of a material weakness in internal control. Instead, management and the external auditor should use their professional judgment to evaluate the reasons that caused the financial restatement and determine whether the restatement resulted from a material weakness in internal control. SEC Guidance states that this evaluation should be "based on all the facts and circumstances, including the probability of occurrence in light of the assessed effectiveness of the company’s internal control," keeping in mind that the standard applied to internal control over financial reporting is "reasonable assurance," not absolute assurance.

Disclosing a Material Weakness

If a company identifies a material weakness in its internal control and does not remediate that weakness before its fiscal year-end, the company must disclose that its internal control over financial reporting is not effective. In such disclosure, SEC Guidance suggests that a company include:

  • the nature of any material weakness;
  • its impact on the company’s financial reporting and control environment; and
  • any plans to remediate the weakness.

Companies are encouraged to provide additional disclosure to allow investors to assess the potential impact of a particular material weakness, including distinguishing material weaknesses that may have "a pervasive impact on internal control over financial reporting" from those that do not.

Communicating with Auditors

SEC Guidance encourages companies to continue timely dialogue with auditors regarding company financial statements, so long as management, not the auditor, makes the final determinations as to accounting used, including estimates and assumptions, and remains in control of the design and implementation of the company’s accounting policies. Additionally, management should feel comfortable sharing draft financial statements with its auditors. SEC Guidance states that errors in draft financial statements, in and of themselves, do not conclusively constitute a deficiency in internal control over financial reporting. Instead, the process of financial statement preparation will have to be examined in order to identify possible deficiencies.

Information Technology Controls

Questions were raised at the SEC Roundtable regarding testing of information technology (IT) systems. SEC Guidance confirms that the only IT controls that need to be tested are those that pertain to financial reporting, and that management should exercise judgment in determining the scope of the company’s testing program, inclusive of IT control testing. A one-size-fits-all list of IT controls to be tested is not possible, meaning companies should use proprietary IT testing frameworks as guidelines only, subject to the reasonable judgment of management. Furthermore, companies may not exempt from testing any new or upgraded IT systems pertaining to financial reporting, even if implemented late in the year.

Small Businesses and Foreign Private Issuers

SEC Guidance noted that the SEC will continue to assess the effects of SOX 404 on small businesses and foreign private issuers, neither of which is yet required to comply with SOX 404. In addition, a task force has been established to develop additional guidance for smaller companies on applying internal control over financial reporting.

Footnotes

1. For further details regarding SOX 404, see our Client Alert dated September 29, 2003, entitled "Management’s Report on Internal Control Over Financial Reporting: SEC Issues Final Rules," our Client Alert dated December 1, 2004, entitled "SEC Postpones Internal Control Report Filing Date for Certain Accelerated Filers," and our Client Alert dated May 3, 2005 entitled "Roundtable Discussion on Implementation of Internal Control Reporting Provisions."

2. Auditing Standard No. 2 establishes the requirements that apply when an auditor is engaged to audit a client’s financial statements and management’s assessment of the effectiveness of internal control over financial reporting.

3. Although "reasonable assurance" is not absolute assurance, SEC Guidance notes that it is still "a high level of assurance." Section 13(b)(7) of the Securities Exchange Act of 1934, as amended, defines reasonable assurance as the "degree of assurance as would satisfy prudent officials in the conduct of their own affairs." What is considered reasonable may vary from one company to another.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.