The Sarbanes-Oxley Act of 2002: SEC Issues Final Rules Regarding Internal Control Over Financial Reporting Under Section 404
The SEC has issued its final rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), which require public companies to include in their annual reports filed with the SEC reports by management on internal control over financial reporting, together with reports by the company’s auditors attesting to management’s assessment of internal control: http://www.sec.gov/rules/final/33-8238.htm. Outside of concerns regarding the SEC’s substantial underestimation of the cost to companies of compliance with the new rules, surprisingly, neither Section 404 nor the basic tenets of the SEC’s new rules generated significant controversy. However, no one should be deceived by the relative ease with which these new rules have been adopted by the SEC or accepted by the business community. In fact, they represent the realization of over two decades of unsuccessful effort by the SEC—first, in 1979, following enactment of the Foreign Corrupt Practices Act, and then again, in 1988, following the recommendations of the Report of the National Commission on Fraudulent Financial Reporting, known as the Treadway Commission. Both previous efforts met with such powerful resistance that the SEC was dissuaded from acting on its own proposals. Not until the enactment of SOX in 2002, reinforced by the continuing public clamor for regulatory action, was the SEC finally able to achieve its goal of a mandatory internal control report and attestation requirement.
In this Alert, we first address the definition of the new term coined by the SEC, “internal control over financial reporting.” Next, we analyze the requirements for management’s assessment and report and auditors’ attestations. Following those discussions, we address the modified requirement for quarterly evaluations. Then, we consider changes made at the same time to the periodic disclosure requirements and to SOX 302 and SOX 906 certifications. We conclude with a discussion of the transition rules.
What does Section 404 of SOX require?
SOX 404 directs the SEC to prescribe new rules requiring public companies to file annual reports containing internal control reports:
- stating management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
- containing an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the company’s internal control structure and procedures for financial reporting.
SOX 404 also requires the auditors to attest to, and report on, the assessment made by management in accordance with standards for attestation engagements adopted by the Public Company Accounting Oversight Board (PCAOB).
Generally, what is required under the new SEC rules implementing SOX 404?
As directed by SOX 404, the SEC adopted rules requiring public companies to include in their annual reports a report of management on the company’s internal control over financial reporting. In addition, the public accounting firm that audited the company’s financial statements included in the annual report must issue an attestation report on management’s assessment of internal control, and the company is then required to file the attestation report as part of its annual report. With respect to quarterly reports, the new rules require that management evaluate any change in the company’s internal control that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company’s internal control.
At the same time, the SEC adopted amendments to its rules and forms revising the SOX 302 certification requirements and requiring companies to provide the certifications required by SOX 302 and SOX 906 as exhibits to certain periodic reports.
What is the role of the board and management in implementing internal control?
The board and management must set the “tone at the top,” an element of the control environment that the SEC views to be critical. In its 1981 Statement of Policy regarding the Foreign Corrupt Practices Act, the SEC stated that, “[i]n the last analysis, the key to an adequate `control environment’ is an approach on the part of the board and top management which makes clear what is expected and that conformity to these expectations will be rewarded while breaches will be punished.”
When will we be required to comply with the new rules regarding internal control reports?
The rules become effective on August 14, 2003. Each company (other than foreign private issuers) that satisfies the definition of “accelerated filer” as of the end of its first fiscal year ending on or after June 15, 2004, must begin to comply with the management report requirements in its annual report for that fiscal year. Each company that is not an accelerated filer as of the end of its first fiscal year ending on or after June 15, 2004, as well as each foreign private issuer, must begin to comply with the annual internal control report requirement for its first fiscal year ending on or after April 15, 2005. Compliance with the requirements regarding evaluation of any material changes to internal control will be required in the first periodic report due after the first annual report required to include a management report. Companies may comply early if they choose. The transition rules are discussed in more detail at the end of this Alert.
When will we need to comply with the new rules regarding certifications?
Companies must comply with the new exhibit requirements for the SOX 302 and SOX 906 certifications, including changes to the SOX 302 certification, in quarterly or annual reports due on or after August 14 and, as SEC staff have informally advised, irrespective of when filed. Because there is a difference in the compliance date of the rules relating to internal control and the effective date of changes to the SOX 302 certification, certifying officers may temporarily modify the content of their SOX 302 certifications to eliminate certain references to internal control until the applicable compliance date.
DEFINITION OF INTERNAL CONTROL OVER FINANCIAL REPORTING
The SEC had originally proposed a very broad definition of internal control. Was that definition adopted in the final rules?
No. As originally proposed by the SEC, the rules would have used the broad definition of internal control contained in Codification of Statements on Auditing Standards §319. In response to numerous comments, however, the SEC has selected a different definition. The final rules employ a modified version of the widely recognized definition of internal control developed in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
What is the COSO definition of internal control?
COSO defined internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in [three] categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.”
What do the specified COSO objectives mean?
The first category of objectives addresses an entity’s “basic business objectives, including performance and profitability goals and safeguarding of resources.” The second category relates to the “preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from those statements, such as earnings releases, reported publicly.” The third category addresses compliance with applicable laws.
How did the SEC modify the COSO definition for purposes of the new rules?
The definition used for purposes of the new rules encompasses only that subset of the COSO internal control definition that pertains to financial reporting objectives and excludes the elements of the COSO definition that relate to effectiveness and efficiency of a company’s operations and, generally, a company’s compliance with applicable laws and regulations. However, compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the SEC’s financial reporting requirements, would still be included within the definition. For example, Statement on Auditing Standards No. 317 requires auditors to consider a company’s compliance with laws and regulations that have a direct and material effect on the financial statements.
What is the SEC’s definition of “internal control over financial reporting” used in the new rules?
The new rules define “internal control over financial reporting” as:
“A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.”
The first and second clauses are matters that the auditors are required to evaluate in their audit or attestation reports. The SEC indicated that it included the third clause to make explicit that the safeguarding of assets is one of the elements of internal control over financial reporting.
Relationship Between Disclosure Controls and Internal Control
How do “disclosure controls” differ from “internal control over financial reporting”?
Although there is substantial overlap between the two concepts, they each involve some distinct elements.
Rule 13a-15 defines “disclosure controls and procedures” to mean controls and procedures designed to ensure that information required to be disclosed by the company in its SEC reports is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. Although disclosure controls may include some components of internal control, they will typically not include all components. In particular, some components that relate to accurate recording of transactions and disposition of assets or to safeguarding of assets are components of internal control that may not be considered to be a part of disclosure controls and procedures. For example, internal control might include, as a component of safeguarding of assets, dual signature requirements or limitations on signature authority on checks. These components would not necessarily be viewed to be part of disclosure controls.
What are the areas of overlap?
There are a number of areas of overlap. In particular, however, the components of internal control that will be included in disclosure controls and procedures for all companies include elements that provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP.
MANAGEMENT’S ASSESSMENT AND REPORT
What is required to be in the management report?
The new rules require a company’s annual report filed with the SEC to include an internal control report by management containing:
- a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- a statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting;
- management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether or not the company’s internal control is effective as well as disclosure of any “material weakness” in internal control identified by management; and
- a statement that the public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.
Is management allowed to present its conclusion regarding effectiveness of internal control as a statement of “negative assurances”?
No. A negative assurances statement indicating that nothing has come to management’s attention to suggest that the company’s internal control is not effective will not be acceptable. The SEC makes clear that management must state whether or not the company’s internal control over financial reporting is effective.
Must the report be placed in any specific location?
No. Although no specific location is identified for management’s internal control report, the SEC does consider it important that the report be in close proximity to the corresponding attestation report issued by the auditors and expects that many companies will place the internal control report and attestation report near MD&A or immediately preceding the financial statements.
Evaluation of Internal Control
Who must participate in the evaluation of effectiveness?
Management must perform the evaluation with the participation of the chief executive and financial officers.
As of what date must the evaluation be effective?
The report must state the effectiveness of internal control as of the end of the fiscal year.
What is the required scope of the evaluation?
The evaluation must address both the design of internal control as well as its operating effectiveness. To determine effectiveness, management will need to perform some actual testing of the controls.
Does the SEC prescribe a method of evaluation?
No. The SEC expects the methods of conducting evaluations of internal control to vary from company to company. As a result, the final rules do not specify the methods to be used or procedures to be performed in an evaluation.
What steps would you recommend that we take?
Although, as the SEC observes, the actions to be taken must necessarily vary by company, virtually all companies will need to:
- identify and document existing controls;
- test for design and operating effectiveness of existing controls;
- identify the applicable areas of risk for the company;
- evaluate if any risk areas are not subject to controls;
- design and document new controls affecting identified risk areas not covered by existing controls or subject to inadequate existing controls;
- test for design and operating effectiveness of new controls;
- document results of all testing; and
- discuss the procedures and results with the audit committee.
Are there any types of internal control that we should certainly evaluate?
The SEC suggests that the types of controls subject to assessment include, but are not limited to:
- controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements;
- controls related to the initiation and processing of non-routine and non-systematic transactions;
- controls related to the selection and application of appropriate accounting policies; and
- controls related to the prevention, identification and detection of fraud.
What kind of testing will we need to perform?
The nature of the testing activities will largely depend upon the circumstances, the type of control involved and the significance of the control to the company’s financial reporting. Because management must evaluate the effectiveness of internal control, not just its design, the SEC makes clear that inquiry alone generally will not provide an adequate basis for management’s assessment.
To provide the report, does management need to perform the tests itself?
No. Non-management personnel, acting under the supervision of management, may conduct the necessary activities upon which management’s assessment is based.
What about the auditors? Can we engage them to perform the evaluation on management’s behalf?
No. Although the auditors and management must coordinate their processes of documenting and testing internal control, SEC rules regarding auditor independence prohibit management from delegating to the auditors management’s responsibility to assess internal control.
Why would that delegation affect auditor independence?
Under the SEC’s new auditor independence rules, management’s reliance on the auditors to perform the evaluation of effectiveness of internal control could involve the performance by the auditors of a management function or attestation by the auditors to their own work, both of which are prohibited under the auditor independence rules. Management’s acceptance of responsibility for documentation, testing or other functions performed by the auditor would not satisfy the auditor independence rules.
Are there examples of functions that the auditors clearly should not perform?
Yes. According to SEC staff, examples of functions that, if performed by the auditors, would be likely to run afoul of the independence rules include:
- outsourcing a major part of the project;
- relying on the auditors to choose sample sizes;
- allowing the auditors to select which tests are to be performed; and
- using auditors’ software that provides conclusions as to the effectiveness of controls.
Are there functions that the auditors may perform to assist us?
Yes. SEC staff have indicated that the auditors may assist management in performing some functions so long as management makes all final decisions, exercises its own judgment in performing the analyses and is actively involved in and supervises the work performed. Some examples of functions that may acceptably be performed by the auditors, as suggested by SEC staff, include:
- providing software templates to help document controls or perform statistical sampling;
- noting areas where management may want to improve controls; and
- making suggestions to improve tests of controls.
It is possible, however, that the PCAOB, in considering new standards, may impose additional restrictions on performance by the auditors of non-audit services in connection with internal control.
When should we begin?
SEC staff recommend that companies that have not yet begun to prepare for their evaluations of internal control should commence that process immediately.
Framework for Evaluation
Why has the SEC imposed the requirement for a framework?
Following its initial proposal, the SEC received a number of comments advocating the mandatory imposition of a framework. The rationale suggested for a required framework was that an evaluation of controls that did not specify the criteria for evaluation would be like a requirement for fair financial statements without a requirement to use GAAP to evaluate the fairness.
What type of framework is acceptable?
The framework must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
What are the criteria for a “suitable” framework?
A suitable framework must:
- be free from bias;
- permit reasonably consistent qualitative and quantitative measurements of a company’s internal control;
- be sufficiently complete so as not to omit factors that would alter a conclusion about the effectiveness of a company’s internal control; and
- be relevant to an evaluation of internal control over financial reporting.
Has the SEC identified any acceptable frameworks?
Yes. The SEC has identified the COSO framework as a framework that satisfies these criteria and that may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements.
What is the COSO internal control framework?
The COSO internal control framework combines the COSO definition of “internal control”—a process, effected by people, providing reasonable assurance regarding the achievement of categories of objectives—together with the components and criteria for effectiveness.
Under the COSO framework, what are the components necessary to achieving the COSO objectives?
COSO identifies five interrelated components necessary to achieving the COSO objectives:
- Control environment, which sets the ethical tone of the organization and constitutes the foundation of all other components of internal control, including factors such as integrity, values, competence, management philosophy, style and delegation of responsibility, employee development and board oversight;
- Risk assessment, which involves the identification and analysis of relevant risks, leading to a determination of how risks should be managed;
- Control activities, which comprise policies and procedures, such as those relating to approvals, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties, that help ensure that management’s directives are implemented and that actions necessary to address risks are taken;
- Information and communication, which requires that pertinent information, relating both to internally generated data and external events, be identified, captured and communicated throughout the organization in a form and timeframe that enables individuals to understand their roles in the internal control system, engage in informed decision-making and effective internal and external reporting and otherwise carry out their responsibilities; and
- Monitoring, which assesses the quality of the internal control system’s performance over time through ongoing activities during the ordinary course of operations, as well as separate evaluations conducted periodically, depending on the assessment of risks and effectiveness of ongoing procedures, with all deficiencies reported to higher authorities within the organization.
The COSO framework emphasizes that all of these components are relevant to each objective, and all five components must be “present and functioning effectively” to conclude that internal control is effective.
Under COSO, how do we judge if internal control is ultimately effective?
The COSO framework provides that, at any particular point in time, internal control can be judged effective if the board of directors and management have reasonable assurance that:
- they understand the extent to which the company’s operations objectives are being achieved;
- published financial statements are being prepared reliably; and
- the company is complying with applicable laws and regulations.
Note, however, that, in light of the SEC’s modified definition of internal control over financial reporting, not all of these factors will necessarily be relevant to the inquiry.
But is the COSO framework mandatory?
No, the new rules do not mandate use of any particular framework, especially given that non-U.S. companies may want to use other evaluation standards. The SEC recognizes that other appropriate evaluation frameworks exist outside the U.S., such as the Turnbull Report, published by the Institute of Chartered Accountants in England and Wales.
Problems with Internal Control
What circumstances would require management to state that internal control is not effective?
Management is not permitted to conclude that internal control over financial reporting is effective if there are any material weaknesses.
What is a “material weakness”?
Statement on Auditing Standards No. 60 (codified in AU §325) defines a material weakness as a “reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.”
We often have a number of problems with internal control, none of which, on an individual basis, amounts to a material weakness. Could they possibly add up to a material weakness?
Yes. The SEC believes that an aggregation of significant deficiencies could constitute a material weakness in a company’s internal control over financial reporting.
What is a “significant deficiency”?
A “significant deficiency” and a “material weakness” are both deficiencies in the design or operation of internal control that could adversely affect a company’s ability to record, process, summarize and report financial data consistent with the assertions of management in the company’s financial statements; however, although no bright line exists, a material weakness represents a greater deficiency than a significant deficiency. Significant deficiencies are sometimes also referred to as “reportable conditions.”
If we have a material weakness, will we need to disclose it in management’s report?
Yes. The report must include disclosure of any material weakness identified by management in the course of its evaluation.
If we have a significant deficiency, will we need to disclose it in the management report?
No. Under existing standards, significant deficiencies must be reported by management to the auditors and to the audit committee. However, it is possible that the PCAOB may, in the future, require disclosure of significant deficiencies in the auditors’ report or elsewhere.
Do we need to document our activities?
Yes. In conducting the evaluation and developing the assessment, a company must maintain “evidential matter,” including documentation, to provide reasonable support for management’s assessment of effectiveness. This requirement is reflected in an instruction to the new rules.
What is “evidential matter”?
“Evidential matter” is a term coined by the SEC to cover supporting documentation such as general ledgers and accounting entries, as well as memoranda and internal corporate reports.
What must the evidential matter cover?
The evidential matter should relate to both the design of internal control and the testing processes. It should provide reasonable support:
- for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions;
- for the conclusion that the tests were appropriately planned and performed; and
- that the results of the tests were appropriately considered.
Is the evidential matter intended just for internal purposes?
No. To provide their attestation (discussed below), the auditors will also require the company to develop and maintain evidential matter to support management’s assessment. The level of documentation must be sufficient to permit the auditors providing the attestation to, in effect, conduct an “audit” of internal control and management’s assessment.
What is the auditors’ attestation report?
Under the new rules, the auditors’ “attestation report on management’s assessment of internal control over financial reporting” means a report, prepared in accordance with standards on attestation engagements, in which the public accounting firm expresses an opinion, or states that an opinion cannot be expressed, as to whether management’s assessment of the effectiveness of the company’s internal control over financial reporting is fairly stated in all material respects. If an opinion cannot be expressed, the firm must state why it is unable to do so.
Haven’t auditors had to consider internal control before as part of their performance of an audit? Certainly attestations are not an entirely new concept?
In financial statement audits, the auditors must achieve an understanding of internal control only to a level sufficient to plan the audit by performing procedures to understand the design of controls relevant to the audit, to determine whether they have been implemented and to obtain evidence of their operating effectiveness. Historically, however, formal auditor attestations have been extremely rare outside of certain industries, such as banking. Moreover, auditors generally view attestation reports to require a level of assurance as to the effectiveness of internal control comparable to an audit report.
When is an auditors’ attestation required?
The attestation will be required annually in annual reports, such as 10-Ks or 10-KSBs, required by Section 13(a) or 15(d) of the Securities Exchange Act of 1934.
What must the auditors do to enable them to provide the attestation?
The auditors must perform sufficient work to assure themselves that management has:
- designed and implemented sufficient controls;
- performed sufficient testing of those controls to evaluate their effectiveness; and
- reached a conclusion about the effectiveness of those controls that is appropriate.
What procedures does that entail?
To carry out their analyses, the auditors will need to review and consider management’s documentation and will likely also need to perform independent testing of the effectiveness of the control system on a selective basis as appropriate.
How much work is involved?
The level of work required will depend on the applicable attestation standards, the extent of the auditors’ knowledge of the company as well as the extent of the auditors’ own level of experience generally.
What standards will apply to attestations?
The PCAOB has adopted, as interim standards applicable to attestations, Statements on Standards for Attestation Engagements No. 10, as in existence on April 16. These standards have been codified by the AICPA for attestation engagements. In March, the Auditing Standards Board (ASB) of the AICPA released an exposure draft proposing a revised standard for attestations that would substantially increase the amount of work to be performed by the auditors and, as a result, by management. Because standard-setting is now the province of the PCAOB and the ASB no longer has authority to set standards, there has been significant uncertainty on the part of companies and auditors as to the scope and breadth of work required to be performed and the extent of documentation to be provided. It is anticipated that, to clarify the requirements, the PCAOB will adopt final standards prior to the compliance date for internal control under the new rules.
Will we need to perform a complete evaluation every quarter?
No. The SEC had originally proposed to require a quarterly evaluation of internal control. However, the SEC ultimately recognized the substantial costs involved in performing a full-blown evaluation. As a result, in the final rules, the SEC has required management, with the participation of the principal executive and financial officers, to evaluate only any change in internal control that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, internal control over financial reporting.
Has the certification required under Section 302 of SOX been modified to conform to this change?
Yes. The SEC adopted modifications to the SOX 302 certification requirement and the related disclosure requirements consistent with this approach.
Are the rules different for foreign private issuers?
Yes. Because foreign private issuers are not required to file quarterly reports, a foreign private issuer would disclose in its annual report the material changes to internal control over financial reporting that have occurred in the period covered by the annual report.
Will disclosure controls still require full quarterly evaluations, even if internal control does not?
Yes. Companies will still be required to perform quarterly evaluations of disclosure controls and to disclose management’s conclusions regarding their effectiveness, including the elements of internal control that are subsumed within disclosure controls. However, while the quarterly evaluations of disclosure controls involve evaluations of effectiveness overall, the SEC observes in the adopting release that a company’s management is permitted to make judgments to focus on developments since the most recent evaluation, areas of weakness or continuing concern or other aspects of disclosure controls and procedures that merit attention.
How do we evaluate elements of internal control that are subsumed within the concept of disclosure controls?
Evaluations of components of internal control that are subsumed within disclosure controls may vary depending on whether they are conducted as part of an annual review of internal control or a quarterly review of disclosure controls. Where elements of internal control are evaluated as part of the quarterly evaluation of disclosure controls, the evaluation should be oriented toward assessing whether the basic purposes of disclosure controls have been satisfied. The SEC suggests that systems testing of a component of internal control may clearly be required as part of the annual evaluation of internal control, but management could make a different determination of the appropriate nature of the evaluation of that component for purposes of a quarterly evaluation of disclosure controls.
What periodic disclosure is required regarding internal control?
In addition to the annual report by management discussed above, the new rules require a company to disclose any change in its internal control over financial reporting that occurred during the fiscal quarter covered by a quarterly report, or the last fiscal quarter in the case of an annual report, that has materially affected, or is reasonably likely to materially affect, the company’s internal control.
Do the new rules specify the date as of which the quarterly evaluation of changes in internal control must be made? What about the annual evaluation?
No. The SEC does not specify the point at which management must evaluate changes to the company’s internal control on a quarterly basis. With regard to the annual evaluation of internal control, the new rules require that the statement of effectiveness of the company’s internal control be as of the end of the period, but do not require the evaluation itself to take place on the last day of the period.
Do we need to disclose the reasons for any changes that have been implemented?
The rules do not explicitly require a company to disclose the reasons for any change that occurred during a fiscal quarter; however, the company will have to determine, on a facts-and-circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosure about the change not misleading.
Are there any changes to the disclosure requirements for disclosure controls and procedures?
Yes. Currently, each company is required to disclose, in its quarterly and annual reports, the conclusions of its principal executive and financial officers about the effectiveness of its disclosure controls and procedures as of a date within 90 days of the filing date of the quarterly or annual report. These rules have been amended to change the evaluation date for disclosure controls to “as of the end of the period” covered by the quarterly or annual report. As with the evaluation of internal control, however, the amended rules do not require that the evaluation itself take place on the last day of the period.
If there have been no changes to our disclosure, do we still need to repeat it every quarter?
No. Disclosure in an annual report that continues to be accurate need not be repeated each quarter. Rather, disclosure in quarterly reports may make appropriate reference to disclosures in the most recent annual report (and, where appropriate, intervening quarterly reports) and disclose subsequent developments required to be disclosed in the quarterly report.
We have been including risk-factor language in our disclosure regarding controls, but we recently heard that the SEC has objected to this practice. Is that the case?
The SEC has generally not objected to disclosures indicating that disclosure controls and procedures are designed only to provide “reasonable assurance” that the controls and procedures will meet their objectives. The SEC staff have, however, requested companies including that disclosure to set forth, if true, the conclusions of the principal executive and principal financial officers that the disclosure controls and procedures are, in fact, effective at the “reasonable assurance” level. Other companies have included disclosure that there can be “no assurance” that the disclosure controls and procedures will operate effectively under all circumstances. In these instances, the staff have requested companies to clarify that the disclosure controls and procedures are designed to provide reasonable assurance of achieving their objectives and to set forth, if true, the conclusions of the principal executive and principal financial officers that the controls and procedures are, in fact, effective at the “reasonable assurance” level.
Are there any limitations on the discussion of reasonable assurance in the internal control report?
The SEC maintains that any discussion of reasonable assurance in the internal control report “must be presented in a manner that neither makes the disclosure in the report confusing nor renders management’s assessment concerning the effectiveness of the company’s internal control over financial reporting unclear.” The SEC believes that its definition of internal control over financial reporting comprises a concept of reasonable assurance that conforms to the statutory standards and current auditing literature.
CHANGES TO CERTIFICATIONS
What are the changes effected by the new rules to the form of SOX 302 certifications?
The new rules made the following changes to the form of SOX 302 certification:
- added a statement that the principal executive and financial officers are responsible for designing internal control over financial reporting or having such control designed under their supervision;
- clarified that disclosure controls and procedures may be designed under the supervision of the principal executive and financial officers;
- required the statement regarding effectiveness of disclosure controls and procedures to be made as of the end of the period (but without specifying the date of evaluation); and
- amended the provision relating to changes in internal control over financial reporting, consistent with the final rules discussed above, so that it refers to changes that have materially affected, or are reasonably likely to materially affect, internal control.
There are also some other organizational changes in the certification. A copy of the new form of certification is attached to this Alert as Appendix A [MS Word].
Are there any changes to the text of the SOX 906 certifications?
No. Unlike SOX 302 certifications, the specific form of the SOX 906 certifications is not prescribed by the rules. Rather, only the required general content of the form is provided, and there is no change to the general content.
Are there any changes to the location of the certifications in our filings?
Yes. The new rules require that SOX 302 and SOX 906 certifications be submitted as exhibits to filings.
Are we required to “file” the certifications or can they be “furnished”?
Because SOX 906 requires that certifications “accompany” the periodic reports to which they relate (as opposed to SOX 302, which requires certifications to be “in” the reports), companies may “furnish,” rather than “file,” SOX 906 certifications. Thus, SOX 906 certifications would not be subject to liability under Section 18 of the Exchange Act or to automatic incorporation by reference into Securities Act of 1933 registration statements (unless the company takes steps to include the certifications in a registration statement).
What is the impact of failure to furnish a SOX 906 certification?
Failure to furnish SOX 906 certifications would cause the periodic reports to which they relate to be incomplete, thereby violating Section 13(a) of the Exchange Act.
Are SOX 906 certifications now required for amendments to periodic reports?
No. SOX 906 certifications are required only in periodic reports that contain financial statements. Therefore, amendments to periodic reports that do not contain financial statements would not require a new SOX 906 certification, but would require that a new SOX 302 certification be filed with the amendment. However, depending on the contents of the amendment, the form of certification required to be included may be subject to modification.
We have heard that there is some discussion that SOX 906 certifications may be required for Forms 8-K, 6-K and 11-K. Aren’t SOX 906 certifications required only for “periodic reports”?
Yes. SOX requires that SOX 906 certifications accompany only “periodic reports,” and, historically, the SEC has not interpreted that term to apply to Forms 8-K, 6-K or 11-K. However, Senator Joseph Biden, one of the drafters of Section 906 of SOX, has recently added a lengthy statement in the Congressional Record, which he characterizes as legislative history, asserting that Section 906 “is intended to apply to any financial statement filed by a publicly-traded company, upon which the investing public will rely to gauge the financial health of the company,” including financial statements in current reports on Forms 6-K and 8-K and in annual reports on Form 11-K. For obvious reasons, his statement has caused considerable confusion in the legal and business communities.
Did the SEC clarify the issue?
No. Unfortunately, the SEC did not take a position on this point, instead simply concluding that it is “considering, in consultation with the Department of Justice, the application of Section 906 to current reports on Forms 6-K and 8-K and annual reports on Form 11-K and the possibility of taking additional action.” There is, however, at least some hint of a favorable inclination in the text, as the SEC expressed its concerns that “extending Section 906 certifications to Forms 6-K or 8-K could potentially chill the disclosure of information by companies.” In addition, the SEC notes that the ABA expressed its concerns that extending the requirement to 8-Ks would create substantial practical burdens for companies.
When will we need to comply with the requirement to provide an internal control report?
If your company is an “accelerated filer” as of the end of its first fiscal year ending on or after June 15, 2004, you must begin to comply with the disclosure requirements for the management report on internal control over financial reporting in your annual report for that fiscal year.
What is an “accelerated filer”?
The term “accelerated filer” refers to an issuer after it meets the following conditions as of the end of its fiscal year:
- the aggregate market value of the voting and non-voting common equity held by non-affiliates of the company is $75 million or more, calculated as of the last business day of the company’s most recently completed second fiscal quarter;
- the company has been public for at least 12 months and has filed at least one annual report with the SEC; and
- the company is not eligible to use the forms for annual and quarterly reports available only to small business issuers.
Is there any relief provided for small business issuers and other companies that are not accelerated filers? What about foreign private issuers?
Yes. Small business issuers and other companies that are not accelerated filers, as well as foreign private issuers, must begin to comply with the disclosure requirements in annual reports for their first fiscal years ending on or after April 15, 2005.
When do we need to comply with the requirements for quarterly evaluations of internal control?
A company must begin to comply with the quarterly evaluation of changes to internal control requirements for its first periodic report due after the first annual report that must include management’s report on internal control over financial reporting.
Are any other provisions of the rules subject to the extended compliance period?
Yes. Additional provisions subject to the extended compliance period include specified provisions related to disclosure of management’s internal control report and the related attestation, maintenance of internal control over financial reporting and specified requirements for evaluations of internal control over financial reporting and related changes.
When do the other rules relating to evaluation and disclosure become effective?
The other rules relating to evaluation and disclosure will become effective on August 14.
When do the changes relating to certifications become effective?
With one exception, the new rules regarding certifications under SOX 302 and SOX 906 will become effective on August 14. SEC staff have informally advised that the new form of SOX 302 certification, as well as the SOX 906 certification, should be filed as exhibits to periodic reports due on or after August 14, even if filed with the SEC prior to that date.
What is the exception?
The exception concerns the portions of the SOX 302 certification that relate to internal control reports, which are subject to the extended compliance period. The SEC provides that the extended compliance period will apply to the portion of the introductory language in paragraph 4 of the SOX 302 certification that refers to the certifying officers’ responsibility for establishing and maintaining internal control over financial reporting for the company, as well as paragraph 4(b), which must be provided in the first annual report required to contain management’s internal control report and thereafter. Portions subject to the extended compliance period are indicated in bold italics in the form of certification attached as Appendix A [MS Word].