


The Securities and Exchange Commission (SEC) recently adopted final rules concerning management reports on internal controls. The rules implement the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (the Act), and amend the officer certifications required by Sections 302 and 906. In brief, the final rules:
Management’s report on internal control over financial reporting will be required for fiscal years ending after June 15, 2004, for issuers meeting the definition of “accelerated filer.” All other issuers, including small business and foreign private issuers, will be required to comply with the rules for fiscal years ending after April 15, 2005. For reports due after August 13, 2003, companies must comply with new exhibit and text amendment requirements for certifications as required by Sections 302 and 906 of the Act.
For the first quarterly report after the first annual report to include a management report on internal control over financial reporting, companies must comply with requirements concerning evaluation of material changes to these controls.
Auditing Internal Controls over Financial Reporting
The new rules provide significant guidance on the elements of a comprehensive control environment and the related audit considerations. Below is an overview of key items.
Design of the Internal Control. Generally, internal control should be designed to establish reasonable assurance regarding the reliability of key processes, such as in the areas of financial reporting, operating effectiveness, and compliance with laws and regulations. For each significant process, the following will be required to support the control design:
The external auditor needs to determine whether the controls would be effective if they are operated as designed, and whether sufficient controls are in place.
Obtaining an Understanding of Internal Control Over Financial Reporting. The SEC’s rules focus on control objectives related to financial reporting. Examples of financial reporting controls include company policies and procedures related to financial reporting and the process for preparing financial statements in accordance with generally accepted accounting principles. They also include processes that pertain to the maintenance of accounting records, the authorization of receipts and disbursements, and the safeguarding of assets. The external auditor needs to gain an understanding of how the internal controls over financial reporting are designed and operating in order to evaluate and test effectiveness, for example, by performing “walkthroughs” of significant processes. Because of the judgment that walkthroughs require and the importance of understanding the control environment, the proposed auditing standard does not allow the auditor to use the work performed by management or others to satisfy this requirement.
Control Documentation. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that the controls related to management’s assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, have been communicated to those responsible for their performance, and are being monitored by the company.
Management’s documentation should provide reasonable support for its assessment. Such documentation can be in the form of flowcharts, policies, or schedules and should include the following:
Evaluating Management’s Assessments. This evaluation is designed to provide the auditor with confidence that management has a basis for expressing its opinion on the effectiveness of internal control, and to help the auditor understand the internal control environment. The auditor’s conclusion will depend on whether the auditor can independently conclude that internal controls are operating effectively. As a result, the standard requires that specific testing be performed to validate that the internal control processes over financial reporting are working.
Testing Operating Effectiveness. To express an opinion on internal control, the auditor must validate that the controls actually operate effectively. Section 404 of the Act requires management’s assessment and the auditor’s opinion to address whether internal control was effective as of the end of the company’s most recent fiscal year, in other words, as of a point in time. As a result, evidence about operating effectiveness can be obtained at different times throughout the year, provided that the auditor updates those tests or obtains other evidence that the controls continued to operate effectively at the end of the company’s fiscal year.
The rules allow the auditor to incorporate into the audit of internal controls some of the work performed by others, such as internal auditors, provided the auditor assesses the competence and objectivity of the persons who have performed it. However, certain elements of the internal control assessment must be performed by the external auditor, including the following:
Evaluating the Results. Both management and the auditor may identify deficiencies in the internal control over financial reporting. Inadequate documentation by management is a deficiency in internal control over financial reporting. An internal control deficiency exists when the design or operation of a control does not allow the process to prevent or detect misstatements on a timely basis. A significant deficiency is considered a material weakness if, by itself or in combination with other internal control deficiencies, it results in the likelihood of a material misstatement in the company’s annual or interim financial statements. Most importantly, if a material weakness exists as of the end of the company’s most recent fiscal year, management and the auditor must conclude that the internal control is ineffective.
The internal control standard identifies a number of circumstances that would be a strong indicator that a material weakness exists, including the following: