Management's Report on Internal Control Over Financial Reporting, 77635-77653 [E6-22099]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 71, Number 248 (Wednesday, December 27, 2006)]
[Proposed Rules]
[Pages 77635-77653]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E6-22099]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 210, 240 and 241

[Release Nos. 33-8762; 34-54976; File No. S7-24-06]
RIN 3235-AJ58


Management's Report on Internal Control Over Financial Reporting

AGENCY: Securities and Exchange Commission.

ACTION: Proposed interpretation; Proposed rule.

-----------------------------------------------------------------------

SUMMARY: We are proposing interpretive guidance for management 
regarding its evaluation of internal control over financial reporting. 
The interpretive guidance sets forth an approach by which management 
can conduct a top-down, risk-based evaluation of internal control over 
financial reporting. The proposed guidance is intended to assist 
companies of all sizes to complete their annual evaluation in an 
effective and efficient manner and it provides guidance on a number of 
areas commonly cited as concerns over the past two years. In addition, 
we are proposing an amendment to our rules requiring management's 
annual evaluation of internal control over financial reporting to make 
it clear that an evaluation that complies with the interpretive 
guidance is one way to satisfy those rules. Further, we are proposing 
an amendment to our rules to revise the requirements regarding the 
auditor's attestation report on the assessment of internal control over 
financial reporting.

DATES: Comment Date: Comments should be received on or before February 
26, 2007.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number S7-24-06 on the subject line; or
     Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

    All submissions should refer to File Number S7-24-06. This file 
number should be included on the subject line if e-mail is used. To 
help us process and review your comments more efficiently, please use 
only one method. The Commission will post all comments on the 
Commission's Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and 
copying in the Commission's Public Reference Room, 100 F Street, NE., 
Washington, DC 20549. All comments received will be posted without 
change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: Michael G. Gaynor, Professional 
Accounting Fellow, Office of the Chief Accountant, at (202) 551-5300, 
or N. Sean Harrison, Special Counsel, Division of Corporation Finance, 
at (202) 551-3430 U.S. Securities and Exchange Commission, 100 F 
Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are proposing amendments to Rule 13a-
15(c),\1\ and Rule 15d-15(c) \2\ under the Securities Exchange Act of 
1934 (the ``Exchange Act'');\ 3\ and Rules 1-02(a)(2) \4\ and 2-02(f) 
\5\ of Regulation S-X.\6\
---------------------------------------------------------------------------

    \1\ 17 CFR 240.13a-15(c).
    \2\ 17 CFR 240.15d-15(c).
    \3\ 15 U.S.C. 78a et seq.
    \4\ 17 CFR 210.1-02.
    \5\ 17 CFR 210.2-02(f).
    \6\ 17 CFR 210.1-01 et seq.
---------------------------------------------------------------------------

I. Background

    Section 404(a) of the Sarbanes-Oxley Act of 2002 \7\ (``Sarbanes-
Oxley'') directed the Commission to prescribe rules that require each 
annual report that a company, other than a registered investment 
company, files pursuant to Section 13(a) or 15(d) \8\ of the Exchange 
Act to contain an internal control report: (1) Stating management's 
responsibility for establishing and maintaining an adequate internal 
control structure and procedures for financial reporting; and (2) 
containing an assessment, as of the

[[Page 77636]]

end of the company's most recent fiscal year, of the effectiveness of 
the company's internal control structure and procedures for financial 
reporting. On June 5, 2003, the Commission adopted rules implementing 
Section 404 with regard to management's obligations to report on its 
internal control structure and procedures and, in so doing, created the 
term ``internal control over financial reporting'' (``ICFR'').\9\
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 7262.
    \8\ 15 U.S.C. 78m(a) or 78o(d).
    \9\ See Release No. 33-8238 (June 5, 2003) [68 FR 36636] 
(hereinafter the ``Adopting Release''). See Release No. 33-8392 
(February 24, 2004) [69 FR 9722] for compliance dates applicable to 
accelerated filers. See Release No. 33-8760 (December 15, 2006) for 
compliance dates applicable to non-accelerated filers.
---------------------------------------------------------------------------

    The establishment and maintenance of internal accounting controls 
has been required of public companies since the enactment of the 
Foreign Corrupt Practices Act of 1977 (``FCPA'').\10\ The significance 
of Section 404 of Sarbanes-Oxley is that it re-emphasizes the important 
relationship between the maintenance of effective ICFR and the 
preparation of reliable financial statements. Effective ICFR can also 
help companies deter fraudulent financial accounting practices or 
detect them earlier and perhaps reduce their adverse effects. While 
controls are susceptible to manipulation, especially in instances of 
fraud involving the collusion of two or more people, including senior 
management, these are known limitations of internal control systems. 
Therefore, it is possible to design ICFR to reduce, though not 
eliminate, instances of fraud.
---------------------------------------------------------------------------

    \10\ Title I of Pub. L. 95-213 (1977). Under the FCPA, companies 
that have a class of securities registered under Section 12 of the 
Exchange Act, or that are required to file reports under Section 
15(d) of the Exchange Act, are required to (a) make and keep books, 
records, and accounts, which, in reasonable detail, accurately and 
fairly reflect the transactions and dispositions of the assets of 
the issuer; and (b) to devise and maintain a system of internal 
accounting controls sufficient to provide reasonable assurances 
that:
    (i) transactions are executed in accordance with management's 
general or specific authorization;
    (ii) transactions are recorded as necessary (1) to permit 
preparation of financial statements in conformity with generally 
accepted accounting principles or any other criteria applicable to 
such statements, and (2) to maintain accountability for assets;
    (iii) access to assets is permitted only in accordance with 
management's general or specific authorization; and
    (iv) the recorded accountability for assets is compared with the 
existing assets at reasonable intervals and appropriate action is 
taken with respect to any differences.
    The definition of internal control over financial reporting is 
consistent with the description of internal accounting controls 
under the FCPA.
---------------------------------------------------------------------------

    When the Commission adopted rules in June 2003 to implement Section 
404 of Sarbanes-Oxley, we emphasized two broad principles: (1) That the 
evaluation must be based on procedures sufficient both to evaluate the 
design and to test the operating effectiveness \11\ of ICFR; and (2) 
that the assessment, including testing, must be supported by reasonable 
evidential matter.\12\ Instead of providing specific guidance regarding 
the evaluation, we expressed our belief that the methods of conducting 
evaluations of ICFR will, and should, vary from company to company and 
will depend on the circumstances of the company and the significance of 
the controls.\13\ We continue to believe that it is impractical to 
prescribe a single methodology that meets the needs of every company.
---------------------------------------------------------------------------

    \11\ See Adopting Release at Section II.B.3.d.
    \12\ Id.
    \13\ Id.
---------------------------------------------------------------------------

    Since the Commission first adopted the ICFR requirements, companies 
and third parties have devoted considerable attention to the methods 
that management may use to evaluate ICFR. Efforts to comply with the 
Commission's rules have resulted in many public companies internally 
developing their own evaluation processes, while other companies have 
retained consultants or purchased commercial software and other 
products to establish or improve their ICFR evaluation process.\14\ 
Management must bring its own experience and informed judgment to bear 
in order to design an evaluation process that meets the needs of its 
company and that provides reasonable assurance for its assessment. This 
proposed guidance is intended to allow management the flexibility to 
design such an evaluation process.
---------------------------------------------------------------------------

    \14\ Exchange Act Rules 13a-15 and 15d-15 require management to 
evaluate the effectiveness of ICFR as of the end of the fiscal year. 
For purposes of this document, the term ``evaluation'' or 
``evaluation process'' refers to the methods and procedures that 
management implements to comply with these rules. The term 
``assessment'' is used in this document to describe the disclosure 
required by Item 308 of Regulations S-B and S-K [17 CFR 228.308 and 
229.308]. This disclosure must include discussion of any material 
weaknesses which exist as of the end of the most recent fiscal year 
and management's assessment of the effectiveness of ICFR, including 
a statement as to whether or not ICFR is effective. Management is 
not permitted to conclude that ICFR is effective if there are one or 
more material weaknesses in ICFR.
---------------------------------------------------------------------------

    In order to facilitate the comparability of the assessment reports 
among companies, our rules implementing Section 404 require management 
to base its assessment of a company's internal control on a suitable 
evaluation framework. While the establishment and maintenance of 
internal accounting controls have been required since the enactment of 
the FCPA, as discussed above, the Commission's rules implementing 
Section 404 required management for the first time to use a framework 
for evaluating ICFR. It is important to note that our rules do not 
mandate the use of a particular framework, since multiple viable 
frameworks exist and others may be developed in the future. However, in 
the release adopting the Section 404 requirements, the Commission 
identified the Internal Control--Integrated Framework created by the 
Committee of Sponsoring Organizations of the Treadway Commission 
(``COSO'') as an example of a suitable framework.15 16
---------------------------------------------------------------------------

    \15\ See COSO, Internal Control-Integrated Framework (1992). In 
1994, COSO published an addendum to the Reporting to External 
Parties volume of the COSO Report. The addendum discusses the issue 
of, and provides a vehicle for, expanding the scope of a public 
management report on internal control to address additional controls 
pertaining to safeguarding of assets. In 1996, COSO issued a 
supplement to its original framework to address the application of 
internal control over financial derivative activities.
    The COSO framework is the result of an extensive study of 
internal control to establish a common definition of internal 
control that would serve the needs of companies, independent public 
accountants, legislators, and regulatory agencies, and to provide a 
broad framework of criteria against which companies could evaluate 
and improve their control systems. The COSO framework divides 
internal control into three broad objectives: effectiveness and 
efficiency of operations, reliability of financial reporting, and 
compliance with applicable laws and regulations. Our rules relate 
only to reliability of financial reporting. Each of the objectives 
in the COSO framework is further broken down into five interrelated 
components: control environment, risk assessment, control 
activities, information and communication, and monitoring.
    \16\ In that release, we also cited the Guidance on Assessing 
Control published by the Canadian Institute of Chartered Accountants 
(``CoCo'') and the report published by the Institute of Chartered 
Accountants in England & Wales Internal Control: Guidance for 
Directors on the Combined Code (known as the Turnbull Report) as 
examples of other suitable frameworks that issuers could choose in 
evaluating the effectiveness of their internal control over 
financial reporting. We encourage companies to examine and select a 
framework that may be useful in their own circumstances; we also 
encourage the further development of alternative frameworks.
---------------------------------------------------------------------------

    While the COSO framework identifies the components and objectives 
of an effective system of internal control, it does not set forth an 
approach for management to follow in evaluating the effectiveness of a 
company's ICFR.\17\ We, therefore, distinguish between the COSO 
framework as a definition of what constitutes an effective system of 
internal control and guidance on how to evaluate ICFR for purposes of 
our rules. The guidance that we are proposing in

[[Page 77637]]

this release is not intended to replace or modify the COSO framework or 
any other suitable framework.
---------------------------------------------------------------------------

    \17\ On July 11, 2006, COSO issued guidance entitled ``Internal 
Control Over Financial Reporting--Guidance for Smaller Public 
Companies'' that was designed primarily to help management of 
smaller public companies with establishing and maintaining effective 
ICFR. The guidance includes evaluation tools; however, these tools 
are intended only to be illustrative.
---------------------------------------------------------------------------

    In determining the need for additional guidance to management on 
how to conduct its evaluation, it is important to consider the steps 
that have been taken by the Commission and others to provide guidance 
to companies and audit firms. The Commission held its first roundtable 
discussion about implementation of the internal control reporting 
provisions on April 13, 2005. The 2005 roundtable sought input to 
consider the impact of the implementation of the Section 404 reporting 
requirements in view of the fact that Section 404 resulted in a major 
change for management and auditors. A broad range of interested 
parties, including representatives of managements and boards of 
domestic and foreign public companies, auditors, investors, legal 
counsel, and board members of the Public Company Accounting Oversight 
Board (``PCAOB''), participated in the discussion. We also invited and 
received written submissions from the public regarding Section 404 in 
advance of the roundtable.
    Feedback obtained from the 2005 roundtable indicated that the 
internal control reporting requirements had led to an increased focus 
by management on ICFR. However, the feedback also identified particular 
areas which were in need of further clarification to reduce unnecessary 
costs and burdens while at the same time not jeopardizing the benefits 
of Section 404. In addition, feedback indicated that a number of the 
implementation issues arose from an overly conservative application of 
the Commission rules and PCAOB Auditing Standard No. 2, An Audit of 
Internal Control Over Financial Reporting Performed in Conjunction With 
an Audit of Financial Statements (``AS No. 2''), and the requirements 
of AS No. 2 itself, as well as questions regarding the appropriate role 
of the auditor in management's evaluation process.
    In response to this feedback, the Commission and its staff issued 
guidance on May 16, 2005,\18\ emphasizing that management, not the 
auditor, is responsible for determining the appropriate nature and form 
of internal controls for the company as well as their evaluation 
methods and procedures. The May 2005 Staff Guidance emphasized and 
clarified existing provisions of the rules and other Commission 
guidance relating to the exercise of professional judgment, the concept 
of reasonable assurance, and the permitted communications between 
management and auditors. Feedback has indicated that the May 2005 Staff 
Guidance was appropriate, and while we have incorporated certain 
sections of that guidance into the proposed interpretive guidance set 
forth in this release, the May 2005 Staff Guidance remains 
relevant.\19\
---------------------------------------------------------------------------

    \18\ Commission Statement on Implementation of Internal Control 
Reporting Requirements, Press Release No. 2005-74 (May 16, 2005); 
Division of Corporation Finance and Office of the Chief Accountant: 
Staff Statement on Management's Report on Internal Control Over 
Financial Reporting (May 16, 2005) (hereinafter ``May 2005 Staff 
Guidance'') available at https://www.sec.gov/spotlight/soxcom/.htm.
    Also on May 16, 2005, the PCAOB and its staff issued guidance to 
auditors on their audits under AS No. 2. The PCAOB's guidance 
focused on areas in which the efficiency of the audit could be 
substantially improved. Topics included the importance of the 
integrated audit, the role of risk assessment throughout the 
process, the importance of taking a top-down approach, and auditors' 
use of the work of others.
    \19\ The incorporation of our May 16, 2005 guidance into this 
guidance was generally supported in comments received in response to 
the Concept Release Concerning Management's Reports on Internal 
Control Over Financial Reporting, Release No. 34-54122 (July 11, 
2006) [71 FR 40866] available at https://www.sec.gov/rules/concept/2006/34-54122.pdf (hereinafter ``Concept Release'') . See, for 
example, letters received from the American Electronics Association, 
Computer Sciences Corporation, American Institute of Certified 
Public Accountants, Institute of Management Accountants and Schering 
AG (available at https://www.sec.gov/comments/s7-11-06/s71106.shtml).
---------------------------------------------------------------------------

    In its Final Report to the Commission, issued on April 23, 2006, 
the Commission's Advisory Committee on Smaller Public Companies 
(``Advisory Committee'') raised a number of concerns regarding the 
ability of smaller companies to comply cost-effectively with the 
requirements of Section 404. The Advisory Committee identified as an 
overarching concern the difference in how smaller and larger public 
companies operate. The Advisory Committee focused in particular on 
three characteristics: (1) The limited number of personnel in smaller 
companies, which constrains the companies' ability to segregate 
conflicting duties; (2) top management's wider span of control and more 
direct channels of communication, which increase the risk of management 
override; and (3) the dynamic and evolving nature of smaller companies, 
which limits their ability to have static processes that are well-
documented.\20\
---------------------------------------------------------------------------

    \20\ Final Report of the Advisory Committee on Smaller Public 
Companies to the United States Securities and Exchange Commission 
(April 23, 2006) at 35-36, available at https://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf (hereinafter ``Advisory 
Committee Final Report'').
---------------------------------------------------------------------------

    The Advisory Committee suggested that these characteristics create 
unique differences in how smaller companies achieve effective ICFR that 
may not be adequately accommodated in AS No. 2 or other implementation 
guidance as currently applied in practice.\21\ In addition, the 
Advisory Committee noted serious ramifications for smaller public 
companies stemming from the cost of frequent documentation changes and 
sustained review and testing of controls perceived to be necessary to 
comply with the Section 404 requirements. Indeed, the Advisory 
Committee noted that costs in relation to revenue have been 
disproportionately borne by smaller public companies.\22\
---------------------------------------------------------------------------

    \21\ Id. at 37.
    \22\ Id. at 33.
---------------------------------------------------------------------------

    The Advisory Committee Final Report sets forth several 
recommendations for the Commission to consider regarding the 
application of the Section 404 requirements to smaller public 
companies. The Advisory Committee recommended partial or complete 
exemptions from the internal control reporting requirements for 
specified types of smaller public companies under certain conditions, 
unless and until a framework is developed for assessing ICFR that 
recognizes the characteristics and needs of those companies. The 
Advisory Committee also recommended, among other things, that the 
Commission, COSO and the PCAOB provide additional guidance to 
management to help facilitate the design and evaluation of ICFR and 
make processes related to internal control more cost-effective.\23\ In 
addition, some commenters on the Advisory Committee's exposure draft of 
its report suggested that the Commission reexamine the appropriate role 
of outside auditors in connection with the management assessment 
required by the rules implementing Section 404.\24\
---------------------------------------------------------------------------

    \23\ Id. at 52.
    \24\ See, e.g., letter from BDO Seidman, LLP (April 3, 2006), 
available at https://www.sec.gov/rules/other/265-23/bdoseidman9239.pdf.
---------------------------------------------------------------------------

    Further, in April 2006, the U.S. Government Accountability Office 
issued a Report to the Committee on Small Business and 
Entrepreneurship, U.S. Senate, entitled Sarbanes-Oxley Act, 
Consideration of Key Principles Needed in Addressing Implementation for 
Smaller Public Companies, which recommended that in considering the 
concerns of the Advisory Committee, the Commission should assess the 
available guidance for management to determine whether it is sufficient 
or whether additional action is needed. That report stated that 
management's implementation and evaluation efforts were largely driven 
by AS No. 2 because guidance was not available for

[[Page 77638]]

management.\25\ Further, the GAO Report recommended that the Commission 
coordinate with the PCAOB to help ensure that the Section 404-related 
audit standards and guidance are consistent with any additional 
management guidance issued.\26\
---------------------------------------------------------------------------

    \25\ United States Government Accountability Office Report to 
the Committee on Small Business and Entrepreneurship, U.S. Senate: 
Sarbanes-Oxley Act: Consideration of Key Principles Needed in 
Addressing Implementation for Smaller Public Companies (April 2006) 
at 52-53, available at https://www.gao.gov/new.items/d06361.pdf 
(hereinafter ``GAO Report'').
    \26\ Id. at 58.
---------------------------------------------------------------------------

    On May 10, 2006, the Commission and PCAOB conducted a second 
Roundtable on Internal Control Reporting and Auditing Provisions to 
solicit feedback on accelerated filers' second year of compliance with 
the Section 404 requirements. Several participants indicated that their 
evaluation processes had improved from year one, but that additional 
improvements were needed. Although some expressed concern about being 
required to change the evaluation processes they have already 
implemented, a number of the participants expressed, at the roundtable 
and in their written comments, the view that additional management 
guidance was needed.\27\
---------------------------------------------------------------------------

    \27\ See transcript of Roundtable Discussion on Second Year 
Experiences with Internal Control Reporting and Auditing Provisions, 
May 10, 2006, Panels 1, 2, 3, and 5; letter from The Institute of 
Internal Auditors (IIA) (May 1, 2006); letter from Institute of 
Management Accountants (IMA) (May 4, 2006); letter from Canadian 
Bankers Association (CBA) (April 28, 2006); letter from Deloitte & 
Touche LLP (May 1, 2006); letter from Ernst & Young LLP (May 1, 
2006); letter from KPMG LLP (May 1, 2006); letter from 
PricewaterhouseCoopers LLP (May 1, 2006) and letter from Pfizer Inc. 
(May 1, 2006), all available at https://www.sec.gov/news/press/4-511.shtml.
---------------------------------------------------------------------------

    On July 11, 2006, COSO published additional application guidance 
for its control framework, Internal Control over Financial Reporting--
Guidance for Smaller Public Companies. This guidance is intended to 
assist the management of smaller companies in understanding and 
applying the COSO framework. It outlines principles fundamental to the 
five components of internal control described in the COSO framework. 
Further, this guidance defines each of these principles and describes 
the attributes of each. It also lists a variety of approaches that 
smaller companies can use to apply the principles and includes examples 
of how smaller companies have applied the principles. The Commission 
anticipates that the guidance will help organizations of all sizes that 
use the COSO framework to better understand and apply it to ICFR.
    On July 11, 2006, the Commission issued a Concept Release to seek 
public feedback on the Commission's planned issuance of guidance 
regarding management's evaluation and assessment of the effectiveness 
of ICFR.\28\ The Concept Release sought specific feedback in three 
areas described below, as well as inquired about whether there were 
other areas where guidance should also be provided.
---------------------------------------------------------------------------

    \28\ See footnote 19 above for reference.
---------------------------------------------------------------------------

     Risk and control identification (such as how management 
considers entity-level controls, financial statement account and 
disclosure level considerations, as well as fraud risks); \29\
     The methods or approaches available to management to 
gather evidence to support its assessment, and factors management 
should consider in determining the nature, timing and extent of its 
evaluation procedures; and
     Documentation requirements, including overall objectives 
of the documentation and factors that might influence documentation 
requirements.
---------------------------------------------------------------------------

    \29\ The term ``entity-level controls'' as used in this document 
describes aspects of a system of internal control that have a 
pervasive effect on the entity's system of internal control such as 
controls related to the control environment (e.g., management's 
philosophy and operating style, integrity and ethical values, board 
or audit committee oversight; and assignment of authority and 
responsibility); controls over management override; the company's 
risk assessment process; centralized processing and controls, 
including shared service environments; controls to monitor results 
of operations; controls to monitor other controls, including 
activities of the internal audit function, the audit committee, and 
self-assessment programs; controls over the period-end financial 
reporting process; and policies that address significant business 
control and risk management practices. The term ``company-level'' is 
also commonly used to describe these controls.

The Commission received 167 comment letters in response to the Concept 
Release, a majority of which supported additional Commission guidance 
to management that is applicable to companies of all sizes and 
complexities.\30\ The Commission considered the feedback received in 
those comment letters in drafting this proposed interpretive guidance.
---------------------------------------------------------------------------

    \30\ The public comments we received are available for 
inspection in the Commission's Public Reference Room at 100 F 
Street, NE., Washington DC 20549 in File No. S7-11-06. They are also 
available on-line at https://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------

    Further, the Commission has also received feedback that its 
guidance and ICFR rules have been interpreted as applying to non-profit 
and non-public organizations. The Commission does not regulate such 
organizations, and none of the Commission's guidance or rules is 
intended to apply to such organizations.

II. Introduction

    To implement Section 404(a) of the Sarbanes-Oxley Act, the 
Commission adopted rules requiring that management annually issue a 
report that contains an assessment of the effectiveness of ICFR.\31\ An 
overall objective of ICFR is to foster the preparation of reliable 
financial statements. Reliable financial statements must be materially 
accurate. Therefore, the central purpose of the evaluation is to assess 
whether there is a reasonable possibility of a material misstatement in 
the financial statements not being prevented or detected on a timely 
basis by the company's ICFR.\32\
---------------------------------------------------------------------------

    \31\ Exchange Act Rules 13a-15(f) and 15d-15(f) [17 CFR 240.13a-
15(f) and 15d-15(b)] define internal control over financial 
reporting as:
    A process designed by, or under the supervision of, the issuer's 
principal executive and principal financial officers, or persons 
performing similar functions, and effected by the registrant's board 
of directors, management and other personnel, to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements for external purposes in 
accordance with generally accepted accounting principles and 
includes those policies and procedures that:
    (1) Pertain to the maintenance of records that in reasonable 
detail accurately and fairly reflect the transactions and 
dispositions of the assets of the registrant;
    (2) Provide reasonable assurance that transactions are recorded 
as necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles, and that 
receipts and expenditures of the registrant are being made only in 
accordance with authorizations of management and directors of the 
registrant; and
    (3) Provide reasonable assurance regarding prevention or timely 
detection of unauthorized acquisition, use or disposition of the 
registrant's assets that could have a material effect on the 
financial statements.
    \32\ There is a reasonable possibility of an event when the 
likelihood of the event is either ``reasonably possible'' or 
``probable'' as those terms are used in Financial Accounting 
Standards Board Statement No. 5, Accounting for Contingencies.
---------------------------------------------------------------------------

    Management's assessment is based on whether any material weaknesses 
exist as of the end of the fiscal year. A material weakness is a 
deficiency, or combination of deficiencies, in ICFR such that there is 
a reasonable possibility that a material misstatement of the company's 
annual or interim financial statements will not be prevented or 
detected on a timely basis by the company's ICFR.\33\
---------------------------------------------------------------------------

    \33\ Existing PCAOB auditing literature describes a material 
weakness as a control deficiency, or combination of control 
deficiencies, that result in more than a remote likelihood that a 
material misstatement of the company's annual or interim financial 
statements will not be prevented or detected. Our use of the phrase 
``reasonable possibility'' rather than ``more than remote'' to 
describe the likelihood of a material error is intended to more 
clearly communicate the likelihood element. We note that the PCAOB 
has indicated that it intends to revise its definitions to use the 
phrase ``reasonable possibility.'' AS No. 2 establishes that a 
control is deficient when the design or operation of a control does 
not allow management or employees, in the normal course of 
performing their assigned functions, to prevent or detect 
misstatements on a timely basis. The definition formulated here is 
intended to be consistent with its use in existing auditing 
literature and practice.

---------------------------------------------------------------------------

[[Page 77639]]

    Management should implement and conduct an evaluation that is 
sufficient to provide it with a reasonable basis for its annual 
assessment. Management should use its own experience and informed 
judgment in designing an evaluation process that aligns with the 
operations, financial reporting risks and processes of the company.\34\ 
If the evaluation process identifies material weaknesses that exist as 
of the end of the fiscal year, such weaknesses must be disclosed in 
management's annual report with a statement that ICFR is 
ineffective.\35\ If the evaluation identifies no internal control 
deficiencies that constitute a material weakness, management assesses 
ICFR as effective.\36\
---------------------------------------------------------------------------

    \34\ This point also is made in one of the publicly available 
and commonly used assessment tools--the third volume of the report 
by COSO, Internal Control--Integrated Framework: Evaluation Tools. 
That volume cautioned that ``because facts and circumstances vary 
between entities and industries, evaluation methodologies and 
documentation will also vary. Accordingly, entities may use 
different evaluation tools, or use other methodologies utilizing 
different evaluative techniques.''
    \35\ This focus on material weaknesses will lead to a better 
understanding by investors of internal control over financial 
reporting, as well as its inherent limitations. Further, the 
Commission's rules implementing Section 404, by providing for public 
disclosure of material weaknesses, concentrate attention on the most 
important internal control issues.
    \36\ If management's evaluation process identifies material 
weaknesses, but all material weaknesses are remediated by the end of 
the fiscal year, management may exclude disclosure of those from its 
assessment and state that ICFR is effective as of the end of the 
fiscal year. However, management should consider whether disclosure 
of the remediated material weaknesses is appropriate or required 
under Item 307 or Item 308 of Regulations S-K or S-B or other 
Commission disclosure rules.
---------------------------------------------------------------------------

    Management is required to assess as of the end of the fiscal year 
whether the company's ICFR is effective in providing reasonable 
assurance regarding the reliability of financial reporting.\37\ 
Management is not required by Section 404 of Sarbanes-Oxley to assess 
other internal controls, such as controls solely implemented to meet a 
company's operational objectives. Further, ``reasonable assurance'' 
does not mean absolute assurance. ICFR cannot prevent or detect all 
misstatements, whether unintentional errors or fraud. Rather, the 
``reasonable assurance'' referred to in the Commission's implementing 
rules relates to similar language in the FCPA. Exchange Act Section 
13(b)(7) defines ``reasonable assurance'' and ``reasonable detail'' as 
``such level of detail and degree of assurance as would satisfy prudent 
officials in the conduct of their own affairs.'' \38\ The Commission 
has long held that ``reasonableness'' is not an ``absolute standard of 
exactitude for corporate records.'' \39\ In addition, the Commission 
recognizes that while ``reasonableness'' is an objective standard, 
there is a range of judgments that an issuer might make as to what is 
``reasonable'' in implementing Section 404 and the Commission's rules. 
Thus, the terms ``reasonable,'' ``reasonably'' and ``reasonableness'' 
in the context of Section 404 implementation do not imply a single 
conclusion or methodology, but encompass the full range of appropriate 
potential conduct, conclusions or methodologies upon which an issuer 
may reasonably base its decisions.
---------------------------------------------------------------------------

    \37\ See Exchange Act Rules 13a-15 and 15d-15.
    \38\ 15 U.S.C. 78m(b)(7). The conference committee report on 
amendments to the FCPA also noted that the standard ``does not 
connote an unrealistic degree of exactitude or precision. The 
concept of reasonableness of necessity contemplates the weighing of 
a number of relevant factors, including the costs of compliance.'' 
Cong. Rec. H2116 (daily ed. April 20, 1988).
    \39\ Release No. 34-17500 (January 29, 1981) [46 FR 11544].
---------------------------------------------------------------------------

    This release proposes guidance regarding matters we believe will 
help management design and conduct its evaluation and assess the 
effectiveness of ICFR. The guidance assumes management has established 
and maintains a system of internal accounting controls as required by 
the FCPA. Further, it does not explain how management should design its 
ICFR to comply with the control framework it has chosen. To allow 
appropriate flexibility, the guidance does not provide a checklist of 
steps management should perform in completing its evaluation. Rather, 
it describes a top-down, risk-based approach that allows for the 
exercise of significant judgment so that management can design and 
conduct an evaluation that is tailored to its company's individual 
circumstances.40 41
---------------------------------------------------------------------------

    \40\ Because management is responsible for maintaining effective 
internal control over financial reporting, this proposed 
interpretive guidance does not specifically address the role of the 
board of directors or audit committee in a company's evaluation and 
assessment of ICFR. However, we would ordinarily expect a board of 
directors or audit committee, as part of its oversight 
responsibilities for the company's financial reporting, to be 
knowledgeable and informed about the evaluation process and 
management's assessment, as necessary in the circumstances.
    \41\ See footnote 42 below.
---------------------------------------------------------------------------

    The proposed guidance is organized around two broad principles. The 
first principle is that management should evaluate the design of the 
controls that it has implemented to determine whether they adequately 
address the risk that a material misstatement in the financial 
statements would not be prevented or detected in a timely manner. The 
guidance describes a top-down, risk-based approach to this principle, 
including the role of entity-level controls in assessing financial 
reporting risks and the adequacy of controls. The proposed guidance 
promotes efficiency by allowing management to focus on those controls 
that are needed to adequately address the risk of a material 
misstatement in its financial statements. There is no requirement in 
our guidance to identify every control in a process or document the 
business processes impacting ICFR. Rather, under the approach described 
herein, management focuses its evaluation process and the documentation 
supporting the assessment on those controls that it believes adequately 
address the risk of a material misstatement in the financial 
statements. For example, if management determines that the risks for a 
particular financial reporting element are adequately addressed by an 
entity-level control, no further evaluation of other controls is 
required.
    The second principle is that management's evaluation of evidence 
about the operation of its controls should be based on its assessment 
of risk. The proposed guidance provides an approach for making risk-
based judgments about the evidence needed for the evaluation. This 
allows management to align the nature and extent of its evaluation 
procedures with those areas of financial reporting that pose the 
greatest risks to reliable financial reporting (i.e., whether the 
financial statements are materially accurate). As a result, management 
may be able to use more efficient approaches to gathering evidence, 
such as self-assessments, in low-risk areas and perform more extensive 
testing in high-risk areas.
    By following these two principles, we believe companies of all 
sizes and complexities will be able to implement our rules effectively 
and efficiently.\42\ As smaller public companies generally have less 
complex internal control systems than larger public companies, this 
top-down, risk-based approach should enable smaller public companies in 
particular to scale and tailor their

[[Page 77640]]

evaluation methods and procedures to fit their own facts and 
circumstances.\43\ We encourage smaller public companies to take 
advantage of the flexibility and scalability of this approach to 
conduct an efficient evaluation of internal control over financial 
reporting.\44\ Further, we believe the proposed guidance will assist 
companies of all sizes in completing the annual evaluation of ICFR in 
an effective and efficient manner by addressing a number of the common 
areas of concern that have been identified over the past two years. For 
example, the proposed guidance:
---------------------------------------------------------------------------

    \42\ Commenters on the Concept Release were supportive of 
principles-based guidance that applies to all companies. See for 
example, letters regarding file number S7-11-06 of: Financial 
Executives International, Metlife, and Siemens AG at https://www.sec.gov/comments/s7-11-06/s71106.shtml.
    \43\ See Advisory Committee Final Report at 35-38.
    \44\ While a company's individual facts and circumstances should 
be considered in determining whether a company is a smaller public 
company, a company's market capitalization and annual revenues are 
useful indicators of its size and complexity. In light of the 
Advisory Committee Final Report and the SEC's rules defining 
``accelerated filers'' and ``large accelerated filers,'' companies 
with a market capitalization of approximately $700 million or less, 
with reported annual revenues of approximately $250 million or less, 
should be presumed to be ``smaller companies,'' with the smallest of 
these companies, with a market capitalization of approximately $75 
million or less, described as ``microcaps.''
---------------------------------------------------------------------------

     Explains how to vary approaches for gathering evidence to 
support the evaluation based on risk assessments;
     Explains the use of ``daily interaction,'' self-
assessment, and other on-going monitoring activities as evidence in the 
evaluation;
     Explains the purpose of documentation and how management 
has flexibility in approaches to documenting support for its 
assessment;
     Provides management significant flexibility in making 
judgments regarding what constitutes adequate evidence in low-risk 
areas; and
     Allows for management and the auditor to have different 
testing approaches.
    The information management gathers and analyzes from its evaluation 
process serves as the basis for its assessment on the effectiveness of 
its ICFR. The extent of effort required for a reasonable evaluation 
process will largely depend on the company's existing policies, 
procedures and practices. For example, in some situations management 
may determine that its existing activities, which may be undertaken for 
other reasons, provide information that is relevant to the assessment. 
In other situations, management may have to implement additional 
procedures to gather and analyze the information needed to provide a 
reasonable basis for its annual assessment.

III. Proposed Interpretive Guidance

    The proposed interpretive guidance addresses the following topics:

A. The Evaluation Process
    1. Identifying Financial Reporting Risks and Controls
    a. Identifying Financial Reporting Risks
    b. Identifying Controls that Adequately Address Financial Reporting 
Risks
    c. Consideration of Entity-level Controls
    d. Role of General Information Technology Controls
    e. Evidential Matter to Support the Assessment
    2. Evaluating Evidence of the Operating Effectiveness of ICFR
    a. Determining the Evidence Needed to Support the Assessment
    b. Implementing Procedures to Evaluate Evidence of the Operation of 
ICFR
    c. Evidential Matter to Support the Assessment
    3. Multiple Location Considerations

B. Reporting Considerations
    1. Evaluation of Control Deficiencies
    2. Expression of Assessment of Effectiveness of ICFR by Management 
and the Registered Public Accounting Firm
    3. Disclosures About Material Weaknesses
    4. Impact of a Restatement of Previously Issued Financial 
Statements on Management's Report on ICFR
    5. Inability to Assess Certain Aspects of ICFR

A. The Evaluation Process

    The objective of the evaluation of ICFR is to provide management 
with a reasonable basis for its annual assessment as to whether any 
material weaknesses in ICFR exist as of the end of the fiscal year. To 
meet this objective, management identifies the risks to reliable 
financial reporting, evaluates whether the design of the controls which 
address those risks is such that there is a reasonable possibility that 
a material misstatement in the financial statements would not be 
prevented or detected in a timely manner, and evaluates evidence about 
the operation of the controls included in the evaluation based on its 
assessment of risk. The evaluation process will vary from company to 
company; however, the approach we discuss is a top-down, risk-based 
approach which we believe is typically most efficient and effective.
    The evaluation process guidance is presented in two sections. The 
first section explains an approach to identifying financial reporting 
risks and evaluating whether the controls management has implemented 
are designed to address those risks. The second section describes an 
approach for making judgments about the methods and procedures for 
evaluating whether the operation of ICFR is effective. Both sections 
explain how entity-level controls \45\ impact the evaluation process as 
well as how management focuses its evaluation efforts on the greatest 
risks.
---------------------------------------------------------------------------

    \45\ See footnote 29 above.
---------------------------------------------------------------------------

    Under the Commission's rules, management's annual assessment must 
be made in accordance with a suitable control framework's definition of 
effective internal control.\46\ These control frameworks define 
elements of internal control that are expected to be present and 
functioning in an effective internal control system. In assessing 
effectiveness, management evaluates whether its ICFR includes policies, 
procedures and activities that address all of the elements of internal 
control that the applicable control framework describes as necessary 
for an internal control system to be effective. The framework elements 
describe the characteristics of an internal control system that may be 
relevant to individual areas of the company's ICFR, pervasive to many 
areas, or entity-wide. Therefore, management's evaluation process 
includes not only controls involving particular areas of financial 
reporting, but also the entity-wide and other pervasive elements of 
internal control that are defined by the control frameworks. This 
guidance is not intended to replace the elements of an effective system 
of internal control as defined within a control framework.
---------------------------------------------------------------------------

    \46\ For example, both the COSO framework and the Turnbull 
Report state that determining whether a system of internal control 
is effective is a subjective judgment resulting from an assessment 
of whether the five components (i.e., control environment, risk 
assessment, control activities, monitoring, and information and 
communication) are present and functioning effectively. Although 
CoCo states that an assessment of effectiveness be made against 
twenty specific criteria, it acknowledges that the criteria can be 
regrouped into different structures, and includes a table showing 
how the criteria can be regrouped into the five-component structure 
of COSO. Thus, these five components are also criteria for effective 
internal control.
---------------------------------------------------------------------------

1. Identifying Financial Reporting Risks and Controls
    The approach described herein allows management to identify 
controls and maintain supporting evidential matter for its controls in 
a manner that is tailored to a company's financial reporting risks (as 
defined below). Thus, management can avoid identifying and

[[Page 77641]]

documenting controls that are not important to achieving the objectives 
of ICFR. Management should assess whether its controls are designed to 
provide reasonable assurance regarding the reliability of financial 
reporting and the preparation of financial statements for external 
purposes in accordance with generally accepted accounting principles 
(``GAAP'').\47\ The evaluation begins with the identification and 
assessment of the risks to reliable financial reporting (i.e., 
materially accurate financial statements), including changes in those 
risks. Management then evaluates whether it has controls placed in 
operation that are designed to adequately address those risks. 
Management ordinarily would consider the company's entity-level 
controls in both its assessment of risk and in identifying which 
controls adequately address the risk. The controls that management 
identifies as adequately addressing the financial reporting risks are 
then subject to procedures to evaluate evidence of the operating 
effectiveness, as determined pursuant to Section III.A.2.
---------------------------------------------------------------------------

    \47\ Management of foreign private issuers that file financial 
statements prepared in accordance with home country generally 
accepted accounting principles or International Financial Reporting 
Standards with a reconciliation to U.S. GAAP should plan and conduct 
their evaluation process based on their primary financial statements 
(i.e., home country GAAP or IFRS) rather than the reconciliation to 
U.S. GAAP.
---------------------------------------------------------------------------

    The effort necessary to conduct an initial evaluation of financial 
reporting risks (as defined below) and the related controls will vary 
among companies, partly because this effort will depend on management's 
existing financial reporting risk assessment and monitoring 
activities.\48\ Even so, in subsequent years for most companies, 
management's effort should ordinarily be significantly less because 
subsequent evaluations should be more focused on changes in risks and 
controls rather than identification of all financial reporting risks 
and the related controls. Further, in each subsequent year, the 
evidence necessary to reasonably support the assessment will only need 
to be updated from the prior year(s), not recreated anew.
---------------------------------------------------------------------------

    \48\ Monitoring activities are those that assess the quality of 
internal control performance over time. These activities involve 
assessing the design and operation of controls on a timely basis and 
taking necessary corrective actions. This process is accomplished 
through on-going monitoring activities, separate evaluations by 
internal audit or personnel performing similar functions, or a 
combination of the two. On-going monitoring activities are often 
built into the normal recurring activities of an entity and include 
regular management and supervisory review activities.
---------------------------------------------------------------------------

a. Identifying Financial Reporting Risks
    Ordinarily, the identification of financial reporting risks begins 
with evaluating how the requirements of GAAP apply to the company's 
business, operations and transactions. Management must provide 
investors with financial statements that fairly present the company's 
financial position, results of operations and cash flows in accordance 
with GAAP. A lack of fair presentation involves material misstatements 
(including omissions) in one or more of the financial statement amounts 
or disclosures (``financial reporting elements'').
    Management uses its knowledge and understanding of the business, 
its organization, operations, and processes to consider the sources and 
potential likelihood of misstatements in financial reporting elements 
and identifies those that could result in a material misstatement to 
the financial statements (``financial reporting risks''). Internal and 
external risk factors that impact the business, including the nature 
and extent of any changes in those risks, may give rise to financial 
reporting risks. Financial reporting risks may also arise from sources 
such as the initiation, authorization, processing and recording of 
transactions and other adjustments that are reflected in financial 
reporting elements. Management's evaluation of financial reporting 
risks should also consider the vulnerability of the entity to 
fraudulent activity (e.g., fraudulent financial reporting, 
misappropriation of assets and corruption) and whether any of those 
exposures could result in a material misstatement of the financial 
statements.\49\
---------------------------------------------------------------------------

    \49\ See ``Management Antifraud Programs and Controls--Guidance 
to Help Prevent, Deter, and Detect Fraud,'' which was issued jointly 
by seven professional organizations and is included as an exhibit to 
AU Sec. 316, Consideration of Fraud in a Financial Statement Audit 
(as adopted on an interim basis by the PCAOB in PCAOB Rule 3200T).
---------------------------------------------------------------------------

    The methods and procedures for identifying financial reporting 
risks will vary based on the characteristics of the company.\50\ These 
characteristics include, among others, the size, complexity, and 
organizational structure of the company and its processes and financial 
reporting environment, as well as the control framework used by 
management. For example, to effectively identify financial reporting 
risks in larger businesses or in situations involving complex business 
processes, management's evaluation may need to involve employees with 
specialized knowledge who collectively have the necessary understanding 
of the requirements of GAAP, the underlying business transactions, the 
process activities, including the role of computer technology, that are 
required to initiate, authorize, record and process transactions, and 
the points within the process at which a material misstatement, 
including a misstatement due to fraud, may occur. In contrast, in a 
small company with less complex business processes that operate on a 
centralized basis and with little change in the risks or processes, 
management's daily involvement with the business may provide it with 
adequate knowledge to appropriately identify financial reporting risks.
---------------------------------------------------------------------------

    \50\ To provide management the flexibility needed to implement 
an evaluation process that best suits its particular circumstances; 
the guidance in this proposed interpretative release does not 
prescribe a particular methodology for the identification of risks 
and controls. While the May 2005 Staff Guidance used the term 
``significant account,'' which is used in AS No. 2, we are not 
requiring that companies use the guidance in the auditing literature 
to conduct their evaluation approach. The Commission encourages the 
development of methodologies and tools that meet the objectives of 
the ICFR evaluation.
---------------------------------------------------------------------------

b. Identifying Controls That Adequately Address Financial Reporting 
Risks
    Management should evaluate whether it has controls placed in 
operation (i.e., in use) that are designed to address the company's 
financial reporting risks.\51\ The determination of whether an 
individual control, or a combination of controls, adequately addresses 
a financial reporting risk involves judgments about both the likelihood 
and potential magnitude of misstatements arising from the financial 
reporting risk. For purposes of the evaluation of ICFR, the controls 
are not adequate when their design is such that there is a reasonable 
possibility that a misstatement in the related financial reporting 
element that could result in a material misstatement of the financial 
statements will not be prevented or detected on a timely basis.\52\ If 
management determines that

[[Page 77642]]

its controls are not adequately designed, a deficiency exists that must 
be evaluated to determine whether it is a material weakness. The 
guidance in Section III.B.1. is designed to assist management with that 
evaluation.\53\
---------------------------------------------------------------------------

    \51\ A control consists of a specific set of policies, 
procedures, and activities designed to meet an objective. A control 
may exist within a designated function or activity in a process. A 
control's impact on ICFR may be entity-wide or specific to a class 
of transactions or application. Controls have unique 
characteristics--they can be: automated or manual; reconciliations; 
segregation of duties; review and approval authorizations; 
safeguarding and accountability of assets, preventing error or fraud 
detection, or disclosure. Controls within a process may consist of 
financial reporting controls and operational controls (i.e., those 
designed to achieve operational objectives).
    \52\ The use of the phrase ``reasonable possibility that a 
misstatement in the related financial reporting element that could 
result in a material misstatement of the financial statements'' is 
intended solely to assist management in identifying matters for 
disclosure under Item 308 of Regulation S-K. It is not intended to 
interpret or describe management's responsibility under FCPA or 
modify a control framework's definition of what constitutes an 
effective system of internal control.
    \53\ A deficiency in the design of ICFR exists when (a) 
necessary controls are missing or (b) existing controls are not 
properly designed so that, even if the control operates as designed, 
the financial reporting risks would not be addressed. AS No. 2 
states that a deficiency in the design of ICFR exists when (a) a 
control necessary to meet the control objective is missing or (b) an 
existing control is not properly designed so that, even if the 
control operates as designed, the control objective is not always 
met. See AS No. 2 ] 8.
---------------------------------------------------------------------------

    Management may identify controls for a financial reporting element 
that are preventive, detective or a combination of both.\54\ It is not 
necessary to identify all controls that exist. Rather, the objective of 
this evaluation step is to identify controls that adequately address 
the risk of misstatement for the financial reporting element that could 
result in a material misstatement in the financial statements. To 
illustrate, management may determine for a financial reporting element 
that a control within the company's period-end financial reporting 
process (i.e., an entity-level control) is designed in a manner that 
adequately addresses the risk that a misstatement in interest expense, 
that could result in a material misstatement in the financial 
statements, may occur and not be detected. In such a case, management 
may not need to identify any additional controls related to interest 
expense.
---------------------------------------------------------------------------

    \54\ Preventive controls have the objective of preventing the 
occurrence of errors or fraud that could result in a misstatement of 
the financial statements. Detective controls have the objective of 
detecting errors or fraud that has already occurred that could 
result in a misstatement of the financial statements. Preventive and 
detective controls may be completely manual, involve some degree of 
computer automation, or be completely automated.
---------------------------------------------------------------------------

    Management may consider the efficiency with which evidence of the 
operation of a control can be evaluated when identifying the controls 
that adequately address the financial reporting risks. For example, 
when more than one control exists that individually addresses a 
particular risk (i.e., redundant controls), management may decide to 
select the control for which evidence of operating effectiveness can be 
obtained more efficiently. Moreover, when adequate general information 
technology (``IT'') controls exist, and management has determined the 
operation of such controls is effective, management may determine that 
automated controls may be more efficient to evaluate than manual 
controls. Considering the efficiency with which the operation of a 
control can be evaluated will often enhance the overall efficiency of 
the evaluation process.
    When identifying the controls that address financial reporting 
risks, management may learn information about the characteristics of 
the controls, such as the judgment required to operate them or their 
complexity, that are considered in its judgments about the risk that 
the control will fail to operate as designed. Section III.A.2. 
discusses how these characteristics are considered in determining the 
nature and extent of evidence of the operation of the control that 
management evaluates.
    At the end of this identification process, management will have 
identified for testing only those controls that are needed to 
adequately address the risk of a material misstatement in its financial 
statements and for which evidence about their operation can be obtained 
most efficiently.
c. Consideration of Entity-level Controls
    Management considers entity-level controls when identifying and 
assessing financial reporting risks and related controls for a 
financial reporting element. In doing so, it is important for 
management to consider the nature of the entity-level controls and how 
they relate to the financial reporting element.\55\ Some entity-level 
controls are designed to operat