Article by Gordon H. Hayes, Jr., Jocelyn M. Arel, Miguel J. Vega, Anne G. Plimpton, Jeffrey M. Held, Brian E. Pastuszenski, Jordan D. Hershman
Recently the Securities and Exchange Commission ("SEC") issued final rules mandated by Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act") requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934 (the "Exchange Act") to:
- include in their annual reports a report of management on the company’s "internal control over financial reporting" (a new term defined by the SEC in the final rules); and
- provide in their quarterly reports management’s evaluation of any change in a company’s internal control over financial reporting that occurred during the quarter and that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting.
The final rules also require the independent auditor that audited the company’s financial statements included in the annual report to issue an attestation report on management’s assessment of the company’s internal control over financial reporting. The company will be required to provide this attestation report as part of its annual report.
Accelerated filers[1] must comply with the new rules regarding internal control reports beginning with the first fiscal year ending after June 15, 2004. All other filers, including small business issuers and foreign private issuers, must comply with the new rules regarding internal control reports beginning with the first fiscal year ending after April 15, 2005.
In addition, the SEC adopted amendments to its rules and forms under the Exchange Act that revise the certifications required by Section 302 of the Act and that require public companies to provide the certifications required by Sections 302 and 906 of the Act as exhibits to the periodic reports to which they relate. These amendments are effective for periodic reports due on or after August 14, 2003, including quarterly reports on Form 10-Q for the period ended June 30, 2003.
The full text of the SEC’s final rules release is available at http://www.sec.gov/rules/final/33-8238.htm.
The following summarizes the key provisions of the new rules and provides some practical guidance for complying with the new rules.
Management’s Annual Assessment of Internal Control Over Financial Reporting
The final rules require reporting companies, other than registered investment companies, to include in their annual report on Form 10-K, 10-KSB, 20-F or 40-F a management report on internal control over financial reporting. The management report must contain:
- a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- a statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting;
- management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether or not the company’s internal control over financial reporting is effective; and
- a statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the registrant’s internal control over financial reporting.
Definition of Internal Control Over Financial Reporting
The final rules define the term "internal control over financial reporting" as a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and implemented by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles ("GAAP"). This new term includes those policies and procedures that:
- pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.[2]
Evaluation of Internal Control Over Financial Reporting
The SEC’s final rules require management to base its evaluation of the effectiveness of a company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed what the SEC refers to as "due-process procedures," including the broad distribution of the framework for public comment. Although no particular framework is mandated, the SEC noted that the COSO Framework satisfies these criteria.[3]
The final rules do not specify the method or procedures to be performed in an evaluation of internal control over financial reporting. However, in conducting such an evaluation and developing its assessment of the effectiveness of internal control over financial reporting, management must:
- document the company’s internal control and maintain such evidential material, including documentation, in order to provide reasonable support for management’s assessment of the effectiveness of internal control over financial reporting, including reasonable support:
  - for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions;
  - for the conclusion that the tests were appropriately planned and performed; and
  - that the results of the tests were appropriately considered; and
- base its assessment on procedures sufficient both to evaluate the design of internal control and to test its operating effectiveness.
The nature of a company’s testing activities will vary from company to company and largely depend on the circumstances of the company and the significance of the internal control being tested.
Management’s Internal Control Report
Management’s annual internal control report must state affirmatively whether or not the company’s internal control over financial reporting is effective. The final rules prohibit management from determining that a company’s internal control over financial reporting is effective if it identifies one or more "material weaknesses"[4] in the company’s internal control over financial reporting. The final rules also specify that management’s report must include disclosure of any material weakness in the company’s internal control over financial reporting identified by management in the course of its evaluation. The SEC stated in its final rules release that a negative assurance statement indicating that nothing has come to management’s attention to suggest that the company’s internal control over financial reporting is not effective will not be acceptable. In addition, the SEC noted that an aggregation of "significant deficiencies" (a lesser deficiency in the design or operation of internal control than a material weakness) could constitute a material weakness in a company’s internal control over financial reporting.
Although the final rules do not specify where management’s internal control report must appear in the company’s annual report, the SEC suggests that it be in close proximity to the corresponding attestation report issued by a company’s independent auditors and near Management’s Discussion and Analysis of Financial Condition and Results of Operations disclosure or immediately preceding the financial statements.
Auditor Attestation
The SEC’s final rules also require every independent auditor that issues an audit report contained in an annual report filed with the SEC to attest to, and report on, management’s assessment of internal control over financial reporting. All public companies will be required to provide such attestation reports as part of their annual reports. The Public Company Accounting Oversight Board is required to set standards for auditor attestations and has adopted current accounting industry standards (Statements on Standards for Attestation Engagements No. 10 as it existed on April 16, 2003) as interim standards pending further standard-setting and approval of the new standards by the SEC.
Auditor Independence
The SEC’s rules on auditor independence prohibit an independent auditor from providing certain non-audit services to an audit client, including the design and implementation of internal accounting and risk management controls. Please see our client bulletin dated February 5, 2003, available at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=892, for a discussion of the SEC’s auditor independence rules. In its final rules release on internal control, however, the SEC specified that independent auditors may, subject to pre-approval by a company’s audit committee, assist management in documenting internal control and recognized the need for the independent auditor and management to coordinate their processes of documenting and testing internal control. In any case, management cannot delegate its responsibility to assess its internal control over financial reporting to the independent auditor, but must be actively involved in the documentation and evaluation process.
Quarterly Evaluations and Disclosure
The SEC’s proposed rules called for a full evaluation of internal control effective as of the end of each quarter. The final rules, however, do not require that quarterly evaluations of internal control over financial reporting be as extensive as the annual evaluations. A company’s management, with the participation of the principal executive and financial officers, will be required only to evaluate any change in the company’s internal control over financial reporting that occurred during a fiscal quarter and that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting.[5] In addition, under the final rules a company must disclose in its quarterly or annual report, as the case may be, any material changes in its internal control over financial reporting that occurred during the fiscal quarter covered by a quarterly report, or the last fiscal quarter in the case of an annual report. This quarterly disclosure is in addition to the quarterly certifications concerning controls required by Section 302 of the Act.
Amendments to Section 302 and 906 Certification Requirements
Section 302 Certifications
The final rules revise the certifications required by Section 302 of the Act (pertaining to, among other things, the accuracy and completeness of the financial statements contained in periodic reports) to require the certifications to be filed as exhibits to the periodic reports to which they relate and, generally, to conform them to the internal control evaluation and disclosure requirements set forth above.
Section 906 Certifications
The final rules also address the certifications required by Section 906 of the Act that accompany periodic reports containing financial statements.[6] Section 906 generally requires the chief executive officer and chief financial officer (or the equivalents thereof) to certify that the report being filed fully complies with the requirements of the Exchange Act and that the information in the report fairly presents, in all material respects, the financial condition and results of operations of the company.
The final rules permit companies to "furnish" rather than "file" the Section 906 certifications and require the certifications to be included as an exhibit to the periodic report to which they relate. As a "furnished" rather than "filed" exhibit, a Section 906 certification will not be subject to liability under Section 18 of the Exchange Act (liability for misleading statements) and such certification would not be automatically incorporated by reference into registration statements filed with the SEC pursuant to the Securities Act of 1933 (which are subject to civil liabilities for material misstatements), unless a company explicitly incorporates such certification into a registration statement by reference. Nonetheless, materially false certifications under Section 906 may still result in civil fraud liability under the Exchange Act or criminal liability under Section 906 itself. In addition, Section 906 certifications may be in the form of a single statement signed by a public company’s chief executive and financial officers.
In its adopting release the SEC extended the interim guidance that it provided on March 21, 2003, with a slight revision to the exhibit legend, suggesting that companies file Section 906 certifications as exhibits before the effective date of the final rules. Please see our client bulletin dated March 31, 2003 at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=904 for a discussion of the interim guidance procedures.
Effective Dates and Transition Period
In order to provide companies and their independent auditors sufficient time to prepare and satisfy the internal control over financial reporting evaluation, disclosure and attestation requirements of the final rules and to permit the Public Company Accounting Oversight Board to promulgate final attestation standards, the SEC adopted the following extended transition periods for compliance:
- Accelerated filers must file a management report assessing internal control over financial reporting, including the auditor’s attestation, with the annual report filed for the first fiscal year ending after June 15, 2004.
- All non-accelerated filers, including foreign private issuers and small business issuers, must comply with these requirements for the annual report filed for the first fiscal year ending after April 15, 2005.
For example, an accelerated filer with a December 31st fiscal year end would first be required to file a management report and auditor’s attestation in its annual report on Form 10-K relating to its fiscal year ended December 31, 2004 due no later than March 1, 2005 (60 days after fiscal year end). The quarterly evaluation of material changes to internal control over financial reporting would be required beginning with the first periodic report due after the first annual report that must include management’s report on internal control over financial reporting.
All other rules promulgated by the SEC in its final rules release, including quarterly disclosure requirements concerning material changes in internal control over financial reporting and the final Section 302 and 906 certification rules, are effective for periodic reports due on or after August 14, 2003. Quarterly reports on Form 10-Q for the period ended June 30, 2003, therefore, must contain disclosure regarding disclosure controls and procedures and internal control over financial reporting that meets the requirements of the new rules, Section 302 certifications filed as exhibits and conformed to the new rules and Section 906 certifications furnished as exhibits. However, to coordinate with the extended transition period for management’s report on internal control over financial reporting, the portion of the Section 302 certification pertaining to the certifying officer’s responsibility for establishing and maintaining internal control over financial reporting is not required until the first annual report containing management’s internal control report is filed.
Practical Recommendations
Compliance with the SEC’s final rules concerning internal control over financial reporting is likely to be a significant undertaking for any public company. When documenting and evaluating their internal control systems, companies may discover that improvements are required or desirable before testing by independent auditors. To allow enough time to identify, fix and possibly disclose issues related to internal control, companies should start compliance efforts immediately, if they have not already done so. Companies should consider the following practical guidelines:
- Set the proper "tone at the top" concerning internal control. Consider internally publishing a statement of corporate principles about the importance to management and the board of directors of appropriate business conduct, proper disclosure and internal control, and employees’ compliance with applicable revenue recognition and other policies of the company. You will need to address whether this should be a stand-alone statement from the chief executive officer and the chief financial officer, or incorporated in another company policy, such as a code of business conduct. Also consider sending periodic reminders to employees concerning management’s and the board’s position on these issues. If the company is ever forced to report a financial restatement or other accounting problems, senior management’s and the board’s commitment to accurate financial reporting reflected in such materials and communications may prove very valuable when dealing with regulators and in defending potential litigation concerning financial disclosures.
- Coordinate with the company’s independent auditors on the methodology to be used for the company’s internal control evaluation. Since the enactment of the Sarbanes-Oxley Act, we have encouraged our clients to do this in order to minimize the risk that a company’s independent auditors would be unable to issue a clean attestation due to fundamental disagreements with management over the soundness or completeness of the evaluation methodology (see our client bulletin dated July 30, 2002, available at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=817). This coordination is no less important now with the issuance of the final SEC rules.
- Develop an overall strategy and approach to the company’s internal control project. For example, organize a project team to conduct the documentation and evaluation (chief financial officer, controller, legal counsel, independent auditors to the extent permitted, internal auditors and information technology team); identify the project leader; establish communication and reporting guidelines for the project and evaluate supporting tools and techniques (project software and databases). Overall strategy and approach should be approved in advance by the company’s audit committee.
- Identify the scope (geographic and product segments, domestic and international locations, accounts and processes to be documented and evaluated) and timelines for the internal control project to ensure timely compliance, including allowances for the discovery and resolution of internal control deficiencies before independent auditor testing.
- Coordinate the work of the project team with the work of the company’s disclosure committee, if the company has formed one. (See our client bulletin dated September 5, 2002, available at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=835 for a discussion of the benefits of forming such a committee.) Exchanges of information should flow both ways – the information gathered by the disclosure committee could reveal weaknesses in internal control and changes in internal control could affect the information gathered, analyzed and recommended for disclosure by the disclosure committee.
- Carefully analyze in advance the role of and the services and resources to be provided by the independent auditors to the project to ensure that they remain independent under the rules of the SEC and the Public Company Accounting Oversight Board. Obtain audit committee pre-approval concerning the involvement of the independent auditor in the project.
- Consult as appropriate with the company’s legal counsel concerning what materials should — and should not — be generated during the course of the company’s internal control evaluation, and the level of detail to be included in any such materials. While communications to and from legal counsel concerning legal issues affecting this evaluation will presumably be subject to the attorney-client privilege and will remain confidential, communications between and among members of management, the board and the outside auditors on these issues will not be privileged or confidential. What this means is that should there ever be a regulatory investigation or shareholder litigation over the company’s financial disclosures, or the appropriateness of its internal control structure or evaluation methodology and processes, these communications will be discoverable. This confidentiality concern is especially important in relation to the use of e-mail (which tends to be created without the same care and thoughtfulness used in writing formal memoranda or correspondence). Similarly, if minutes are to be kept of the meetings of those employees comprising the "evaluation team," companies should take care not to include unnecessary detail in the minutes. Minutes should document that the team met, asked appropriate questions and generally exercised appropriate diligence, but should not be a roadmap for future litigation.
- Reevaluate procedures and documentation related to the quarterly evaluation of disclosure controls and procedures. Because the new rules require an evaluation of disclosure controls and procedures as of the end of the period covered by the report (as opposed to the current requirement that disclosure controls and procedures be evaluated as of a date within 90 days prior to the filing of the report), some companies may need to adjust their evaluation procedures and documentation so as to properly certify.
[1] An "accelerated filer," as defined in Exchange Act Rule 12b-2, is a domestic reporting company that: (1) has a "public float" of at least $75 million; (2) has been subject to the reporting requirements of the Exchange Act for at least 12 calendar months; (3) has previously filed at least one annual report on Form 10-K; and (4) is not eligible to use Forms 10-KSB and 10-QSB, which are available only to small business issuers. For more information regarding accelerated reporting, please see our client bulletin dated September 10, 2002, available at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=837.
[2] Like the definition of internal control proposed by the SEC last October, this final definition is derived from existing accounting literature, including the 1992 report of the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), Internal Control – Integrated Framework ("COSO Framework"). Unlike the SEC’s proposed definition, this final definition focuses on the element of internal control that relates to financial reporting and does not encompass the elements of internal control that relate to the effectiveness and efficiency of a company’s operations and a company’s compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the SEC’s financial reporting requirements. The Treadway Commission’s reports are available at http://www.coso.org.
[3] The SEC also noted that the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and the Turnbull Report published by the Institute of Chartered Accountants in England & Wales are examples of other suitable frameworks that exist outside the United States.
[4] A "material weakness" is defined in Statement on Auditing Standards No. 60 (codified in Codification of Statements on Auditing Standards AU §325) as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
[5] In the adopting release, the SEC provided further guidance concerning current requirements to evaluate disclosure controls and procedures each quarter. Please see our client bulletin dated September 5, 2002 at http://www.tht.com/pubs/SearchMatchPub.asp?ArticleID=835 for a discussion of disclosure controls and procedures. Among other things, the SEC clarified that the evaluation should address overall effectiveness and that a company’s management has discretion to determine that the evaluations, particularly quarterly evaluations, should focus on developments since the most recent evaluation, areas of weakness or continuing concern or other aspects of disclosure controls and procedures that merit attention. The SEC noted that there is substantial overlap between some elements of disclosure controls and procedures and internal control over financial reporting. The SEC also eased the compliance burden created by the overlapping of the internal control rules and the disclosure controls rules by clarifying that, with respect to the components of internal control over financial reporting that are subsumed within disclosure controls and procedures, system testing of such components is not required for purposes of a quarterly evaluation of disclosure controls and procedures, even if testing of such components would clearly be required for purposes of an annual evaluation of internal control over financial reporting. In other words, the quarterly disclosure controls and procedures evaluation is not a "backdoor" means of requiring full quarterly evaluations of internal control over financial reporting.
[6] The SEC is considering, in consultation with the Department of Justice, the application of Section 906 of the Act to current reports on Forms 6-K and 8-K and annual reports on Form 11-K (annual report of certain employee stock purchase plans) and the possibility of taking additional action. We are following these developments and will publish a bulletin should the SEC amend its current requirements.
The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.