By Charles R. Manzoni, Jr.
Background
On June 5, 2003, the SEC adopted final rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act") relating to management reports on internal control over financial reporting ("Management Internal Control Reports") and amending rules requiring officer certifications under Sections 302 and 906 of the Act ("Section 302 Certification" and "Section 906 Certification," respectively). These rules and SEC explanatory text can be found at Securities Act Release No. 33-8238 (June 5, 2003), www.sec.gov/rules/final/33-8238.htm (the "Release").
Internal Control Reports
Section 404 of the Act requires the SEC to adopt rules requiring a company that files reports under Section 13(a) or 15(d) of the Exchange Act (other than registered investment companies) to include in its annual report a Management Internal Control Report (1) stating that it is management’s responsibility to establish and maintain an adequate internal control structure and procedures for financial reporting, and (2) containing an assessment as of the end of the company’s most recent fiscal year of the effectiveness of the company’s internal control structure and procedures for financial reporting. Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company’s annual financial statements to attest to, and report on, the evaluation made by management in the Management Internal Control Report.
Definition of Internal Control Report
The final rules attempt to bring some clarity to the term "internal control report" by using and defining the phrase "internal control over financial reporting." This is distinct from a company’s "disclosure controls and procedures," which must be evaluated and reported on quarterly. The SEC, however, recognizes that there may be substantial overlap between internal control over financial reporting and disclosure controls and procedures. Since officers will be required to conduct a full evaluation of the former only annually and the latter quarterly, some effort should be made to understand, in each company’s case, where the two control concepts differ.
Internal control over financial reporting is defined as a process designed by or under the supervision of a company’s principal executive and principal financial officers to provide reasonable assurance regarding the reliability of financial reporting for external purposes in accordance with GAAP and includes those policies and procedures that:
- pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP and that receipts and expenditures of the company are made only in accordance with appropriate authorization; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on its financial statements.
This definition borrows considerably from AU §319 in the Codification of Statements of Auditing Standards.
Management’s Internal Control Report
Under the final rules, a company’s annual report must include a Management Internal Control Report that contains the following:
- A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting.
- A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting. An appropriate framework relied upon for this evaluation must be one that is established by a body or group that has followed due process procedures. The Release recognizes that the framework established by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") as its Internal Control – Integrated Framework is an acceptable framework on which management may base its evaluation. Information on COSO and its Internal Control – Integrated Framework can be obtained at www.coso.org.
- Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year. Management must make a statement as to whether or not the company’s internal control over financial reporting is effective and disclose any "material weaknesses" that have been identified by management. If management concludes that there are any material weaknesses, it may not reach the conclusion that the company’s internal control over financial reporting is "effective."
- A statement that the company’s outside auditing firm has issued an attestation report regarding management’s assessment of internal controls. The attestation report must be filed as part of the company’s annual report.
Auditor Role in Process
Independent auditors will be required to attest to management’s assessment of the internal control over financial reporting and in the process of doing that may assist management in documenting internal controls. Indeed, it may be advisable to involve the company’s auditing firm in helping management set up documentation procedures that the auditing firm will find acceptable for purposes of its attestation report. Management, however, must be actively involved in the process and cannot delegate its responsibility to assess its internal control over financial reporting to its independent auditor. Registrants must keep in mind that the rules on auditor independence are not in any way modified by the SEC’s recognition that the independent auditors may assist in documenting internal controls. Based on guidance from the SEC in Release No. 33-8183, Strengthening the Commission’s Requirements Regarding Auditor Independence (January 28, 2003), we believe that the costs of this assistance in most cases will appropriately be characterized as "audit services" for proxy disclosure purposes.
Management’s Internal Control Report is not required to be set forth in any particular location in the annual report, but the Release indicates that the SEC expects the report to be in close proximity to the auditor’s attestation report, and, therefore, expects the Management Internal Control Report to be located either near MD&A or immediately preceding the audited financial statements.
Quarterly Evaluations of Internal Controls and Disclosure Controls
As proposed, the SEC would have required companies to include a quarterly evaluation by management of the internal control over financial reporting and hence include the Management Internal Control Report in quarterly filings on Form 10-Q. The final rules dispense with that requirement and instead require management to evaluate and disclose any change in the company’s internal control over financial reporting that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting. No change was made to the requirement that disclosure controls and procedures be evaluated quarterly, except that the evaluation date for such determination (other than for registered investment companies) is now as of the end of the period covered by the quarterly report (or annual report) as opposed to "within 90 days" of the filing date for such report, as is currently the case.
Attestation by Independent Auditor of Management’s Internal Control Report
Under Section 404 of the Act, a company’s independent auditor must issue an attestation report attesting to management’s evaluation of its internal control over financial reporting. The standards for that attestation report are currently set forth in Statements on Standards for Attestation Engagements ("SSAE") No. 10, which was the standard for voluntary attestations in existence at the time the Act was enacted. The Public Company Accounting Oversight Board has approved SSAE No. 10 as the appropriate attestation standard under Section 404 but may revise that determination after further review, subject to SEC approval.
What Types of Companies are Covered?
Any company that has securities registered under Sections 13(a) or 15(d) of the Exchange Act, with the exception of registered investment companies, is subject to the management internal control report and attestation provisions of Section 404 of the Act. The SEC, however, has excluded asset-backed issuers from the requirements of Section 404.
Financial institutions that are subject to the internal control report requirements of the FDIC must satisfy the substantive requirements for internal control reports of both the FDIC and the SEC. Such organizations have the option of preparing two separate Management Internal Control Reports, one to satisfy FDIC requirements and one to satisfy the SEC requirements, or a single report that satisfies both requirements.
Officer Certification Revisions
The final rules now require Section 302 Certifications and Section 906 Certifications to be filed and furnished, respectively, as an Exhibit to the applicable Form. Since Section 906 Certifications are now required to be filed as an Exhibit, failure to file such certification would be a violation of Section 13(a) of the Exchange Act. There continues to be some debate (notwithstanding efforts of Senator Biden to rewrite enacted legislation through the introduction of a statement to the Congressional Record on April 11, 2003) as to whether Forms 11-K, 6-K and 8-K that contain financial statements require a Section 906 Certification. The SEC did not reach any conclusions regarding this matter but advised in the Release that it is in consultation with the Justice Department to attempt to reach some resolution and provide some guidance.
The SEC clarified that amendments to periodic reports do not require Section 906 Certification unless the amendment itself contains financial statements. In contrast, a Section 302 Certification would be required with any amendment to a periodic report.
The SEC adopted several changes to the form of the Section 302 Certification to conform that certification to revisions in the disclosure requirements. For example, the Section 302 Certification has been revised to add a statement relating to the effectiveness of internal control over financial reporting and a representation that any material changes in internal control over financial reporting that occurred in the most recent fiscal quarter have been disclosed. In addition, the certification with regard to the effectiveness of disclosure controls and procedures is now required (except for registered investment companies) to be as of the end of the period rather than within 90 days prior to the filing.
The certification that significant deficiencies in internal controls have been disclosed to the independent auditors and board of directors has also been revised to replace the word "could" with the term "reasonably likely" when certifying whether a particular deficiency or weakness would have the requisite adverse consequences. Finally, the new form of certification clarifies that disclosure controls and procedures may be designed under the supervision of principal executive and financial officers and that principal executive and financial officers are either responsible for designing internal control over financial reporting or for having internal controls over financial reporting designed under their supervision.
Effective Dates
A company that is an "accelerated filer," as defined in Exchange Act Rule 12d-2, must comply with the Management Internal Control Report and auditor attestation provisions as of the end of its fiscal year ending on or after June 15, 2004. This compliance deadline has been extended for small issuers and foreign private issuers to apply with the first annual reports filed by such companies for the fiscal year ending on or after April 15, 2005.
Other provisions, including the requirements to disclose material changes in internal control over financial reporting and changes to the form of the Section 302 Certification and Section 906 Certification, are effective on August 14, 2003, with the exception noted below for two aspects of the Section 302 Certification that have a longer phase-in period.
Since the Management Internal Control Report and related auditor attestation have a deferred effective date, the reference in the introduction of paragraph 4 of the Section 302 Certification to the internal control over financial reporting and all of paragraph 4(b) of the Section 302 Certification will not be required until a company is first required to include in its annual report a Management Internal Control Report and related auditor attestation.
Conclusion
Notwithstanding what appears to be a long transition period for the requirements to include Management Internal Control Reports and attestations thereof in annual filings, companies cannot be complacent in their efforts to prepare for such compliance. We understand many companies, at a minimum, will require substantial additional documentation procedures to be installed to enable their independent auditors to provide the requisite attestation. Companies should coordinate with their auditors in the establishment of documentation procedures to ensure such procedures will be satisfactory to enable the auditing firm to deliver the necessary attestation.
Copyright 2003 Gardner Carton & Douglas
This article is not intended as legal advice, which may often turn on specific facts. Readers should seek specific legal advice before acting with regard to the subjects mentioned here.