SEC Issues Interpretive Guidance Regarding Section 404 Internal Controls and PCAOB Adopts Auditing Standard No. 5

May 25, 2007

At a meeting held on May 23, 2007, the Securities and Exchange Commission (“SEC”) adopted interpretive guidance for management to use in conducting the annual evaluation of internal control over financial reporting that is required under Section 404 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”).  In addition, at a meeting held on May 24, 2007, the Public Company Accounting Oversight Board (“PCAOB”) adopted a new auditing standard, Auditing Standard No. 5 (“AS-5”) for the audits of internal control over financial reporting under Section 404 of Sarbanes-Oxley.  The PCAOB AS-5 can be found at http://www.pcaobus.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf.

A summary of the SEC’s interpretive guidance and related rules and proposals, as well as a summary of AS-5, is set forth below.  The portions of this summary relating to SEC developments are based on information provided at the SEC open meeting, and therefore may not reflect nuances that will appear in the interpretive, proposing and adopting releases, which are expected to be issued shortly.

Section 404 – Internal Control Over Financial Reporting

Interpretive Guidance on Conducting Management’s Evaluation of Internal Control Over Financial Reporting

The SEC adopted, substantially as proposed, interpretive guidance for management to use in conducting its annual evaluation of a company’s internal control over financial reporting, as required under Section 404(a) of Sarbanes-Oxley.  In adopting this interpretive guidance, several Commissioners noted that the guidance is intended to make the Section 404 evaluation process more effective and cost-efficient.  The Commissioners and the SEC Staff emphasized that they believe the interpretive guidance is scalable and can be applied by companies of all sizes and complexities.  The guidance is described as “principles-based” and is premised on a “top-down, risk-based” approach to evaluation.  The interpretive guidance covers four key areas:

  • Identification of Risks – The SEC’s interpretive guidance will provide that in its evaluation process, management should focus on identifying areas of material risks to financial reporting and controls for addressing these risks.  The guidance will urge management to use its judgment in identifying areas where there could be material misstatements and in evaluating related controls to see if the controls address these risks.  The interpretive guidance also will emphasize that management does not need to evaluate all controls in a process; rather, management should focus on identifying and evaluating those controls that in its judgment address the risk of material misstatements in financial statements.  The SEC Staff also stated that its interpretive guidance will closely align to the PCAOB’s new auditing standard with respect to evaluating whether controls adequately address financial reporting risks, the factors to consider when identifying financial reporting risks, and the factors for assessing the risk associated with individual financial reporting elements and controls.
  • Evaluating Operation of Controls – The interpretive guidance will provide that once the relevant controls are identified, management should align its evaluation methods so that they are focused on analyzing those areas that present the highest risk to reliable financial reporting.  The guidance will include examples of ways that management can substantiate its evaluation; this aspect of the guidance is designed in part to limit the amount of testing that management is required to undertake.  The interpretive guidance also will include an expanded discussion of entity-level controls and how these controls should be designed and evaluated.
  • Reporting the Results of Management’s Evaluation – The interpretive guidance will include examples of what are viewed as strong indicators of a material weakness.  At the meeting, the SEC Staff noted that the proposed guidance and the proposed PCAOB auditing standard offered different views as to indicators of material weakness.  The interpretive guidance has been revised to eliminate these inconsistencies and aligns the indicators of material weakness with those found in AS-5.
  • Documentation – The interpretive guidance also will note that management should take steps to evaluate whether reasonable documentation is maintained with respect to those controls that form the basis for management’s evaluation.  The guidance will express that there is no prescribed form of documentation and that management should use its judgment as to the form and extent of documentation maintained.

In addition, the SEC Staff emphasized that the interpretive guidance is not intended to disrupt or change what companies already have done in terms of implementing Section 404.  Rather, the SEC intends that companies that have already complied with the Section 404 requirements can determine whether to use any aspects of the guidance to make their own evaluation process more efficient.  Thus, for companies that have already complied with the Section 404 requirements, the guidance is optional, not prescriptive.  Also, the interpretive guidance will confirm that management can rely on this guidance, and not PCAOB AS-5, for purposes of conducting an appropriate evaluation of the company’s internal control over financial reporting.  The SEC Staff also noted that while the proposed guidance does not include discussion that is tailored specifically toward the types of issues that foreign private issuers are confronting in implementing Section 404, the SEC intends to release a list of Frequently Asked Questions in an attempt to address some of these issues.

Rule Amendments Relating to Management’s Evaluation of Internal Control Over Financial Reporting

To complement the interpretive guidance, the SEC also adopted several rule amendments and proposed a rule regarding the definition of the term “significant deficiency”:

  • The SEC adopted amendments to Rule 13a-15(c) and 15d-15(c) of the Securities Exchange Act of 1934 (the “Exchange Act”) to provide a safe harbor provision that will allow management to establish that it conducted an appropriate evaluation if the evaluation was conducted in accordance with the interpretive guidance.  These amendments will clarify that if management follows the interpretive guidance in conducting its evaluation as to the effectiveness of the company’s internal controls, management will be deemed to have satisfied the annual Section 404 evaluation required by those rules.
  • The SEC also adopted amendments to Rule 1-02(a)(2) and 2-02(f) of Regulation S-X, which require that a company’s registered independent public accounting firm need only provide one opinion on the effectiveness of the company’s internal controls.  Under the rules in place to date, the auditor had to express two separate opinions – one on the effectiveness of internal control over financial reporting and another on management’s evaluation process.
  • In addition, the SEC adopted amendments to Rule 12b-2 of the Exchange Act and Rule 1-02 of Regulation S-X to codify the definition of “material weakness.”  The new rules will define a material weakness as, “a deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”  As discussed further below, the PCAOB also revised its definition to conform to the definition adopted by the SEC.  The current definition of material weakness, which is contained in the PCAOB accounting literature but not the SEC’s rules, uses the term “more than a remote likelihood” rather than “reasonable possibility” to describe the likelihood of a material error.  It is unclear if the new definition of material weakness will result in a higher threshold for evaluating the impact of control deficiencies.
  • At the meeting, the SEC also voted to propose amendments to Rule 12b-2 of the Exchange Act and Rule 1-02 of Regulation S-X to define the term “significant deficiency.”  The Staff stated that the definition is intended to track the definition of “significant deficiency” provided in AS-5, as discussed further below.

The SEC also declined to further postpone the application of the Section 404 rules for non-accelerated filers.  The effective date of the interpretive guidance and rules described above will be 30 days from their publication in the Federal Register.  Although not specified at the open meeting, we anticipate that comments on the SEC’s proposed rule on the definition of the term “significant deficiency” will be due 60 days from its publication in the Federal Register.

Practical Considerations

In light of the SEC’s new interpretive guidance, management should evaluate the guidance and assess whether implementing the new guidance immediately, in advance of management’s next Section 404 evaluation, is prudent for the company.  In this regard, management should proactively seek input from its auditor as to its options for implementing the new guidance, and should be prepared to advise the audit committee regarding these options as soon as possible.

New PCAOB Auditing Standard for Internal Control Over Financial Reporting

The PCAOB adopted a new auditing standard for the audits of issuers’ internal control over financial reporting under Section 404 of Sarbanes-Oxley.  If approved by the SEC, AS-5 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements) will supersede the PCAOB’s Auditing Standard No. 2 (“AS-2”).  According to statements made at the PCAOB’s open meeting, AS-5 is intended to better align the costs and benefits of the internal control audit by focusing auditors on the matters most important to internal control, eliminating unnecessary procedures, scaling the audit for smaller companies and simplifying auditing requirements.

AS-5 will differ from AS-2 in a number of respects.  For example, AS-5 will focus auditors on the areas that pose the greatest risk that internal controls will fail to protect against material misstatements.  It will do so by using a principles-based, top-down approach that emphasizes the importance of auditing higher-risk areas that can have a pervasive effect on internal control over financial reporting, such as the financial statement close process and controls designed to prevent management fraud.  At the same time, AS-5 will encourage auditors to consider a range of possible combinations of procedures to obtain the evidence necessary according to the assessed level of risk.  Additionally, AS-5 will clarify that an auditor is not required to evaluate management’s own evaluation process or express an opinion on the adequacy of management’s evaluation process.  Moreover, AS-5 will provide commentary throughout the standard on how to tailor an internal control audit to the size and complexity of the company being audited.

In addition, AS-5 will provide clarification regarding the appropriate materiality standard to apply in the context of internal audits.  Specifically, AS-5 will provide that, “in planning the audit of internal control over financial reporting, the auditor should use the same materiality considerations he or she would use in planning the audit of the company’s annual financial statements.”

The PCAOB also made a number of changes to AS-5 in response to comments received through the public comment process.  Among the changes are the following:

  • The PCAOB made certain changes to align AS-5 with the SEC guidance, e.g., with respect to the definition of material weakness, indicators of material weakness, and use of the term “entity-level controls.”  AS-5 will define material weakness using the same definition adopted by the SEC in its interpretive guidance.  As mentioned above, it is unclear whether the use of the term “reasonable possibility” instead of “more than a remote likelihood” to describe the likelihood of a material error will result in a higher threshold for evaluating the impact of control deficiencies.  In addition, the AS-5 definition of “significant deficiency” is intended to correspond to the SEC’s proposed definition of that term.  AS-5 will define a significant deficiency as, “a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.”
  • While AS-5 will be organized around a top-down approach, this approach has been modified somewhat in the final standard.  Significantly, AS-5 will eliminate the requirement to identify significant processes and major classes of transactions so as to allow auditors the ability to use more professional judgment in identifying key controls.
  • AS-5 will include an additional discussion of three broad categories of entity-level controls and how each category may have a different effect on the selection and testing of other controls.  For example, entity-level controls that monitor the operation of other controls may reduce the need to test the underlying, process-level controls.

In conjunction with the new auditing standard, the PCAOB also adopted proposed Rule 3525, which relates to pre-approval of internal control-related services provided by the auditor.  This rule provides that auditors are required to follow certain documentation and other procedures when requesting pre-approval from the audit committee of internal control-related services.

Auditors will be required to use AS-5 for audits of internal control for fiscal years ending on or after November 15, 2007, assuming the SEC approves AS-5 as adopted by the PCAOB.  Early compliance with AS-5 is permitted immediately following SEC approval of AS-5.  Auditors choosing not to comply early (in other words, auditors who continue to use AS-2 after the SEC approves AS-5, but before AS-5 becomes mandatory) will nonetheless be required to apply the definition of “material weakness” as that term is defined in AS-5.

* * * * *

Gibson, Dunn & Crutcher lawyers are available to assist in addressing questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work, or
John F. Olson (202-955-8522),
Brian J. Lane (202-887-3646),
Ronald O. Mueller (202-955-8671),
Amy L. Goodman (202-955-8653),
Michael Scanlon (202-887-3668),
Elizabeth Ising (202-955-8287)
or
Susan Wilson (202-887-3675).

© 2007 Gibson, Dunn & Crutcher LLP