Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting, 35310-35322 [E7-12298]
Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 / Rules and Regulations
SECURITIES AND EXCHANGE
COMMISSION
17 CFR Parts 210, 228, 229 and 240
[Release Nos. 33–8809; 34–55928; FR–76;
File No. S7–24–06]
RIN 3235–AJ58
Amendments to Rules Regarding
Management’s Report on Internal
Control Over Financial Reporting
AGENCY: Securities and Exchange
Commission.
ACTION: Final rule.
SUMMARY: We are adopting an
amendment to our rules to clarify that
an evaluation which complies with the
Commission’s interpretive guidance
published in this issue of the Federal
Register in Release No. 34–55929 is one
way to satisfy the requirement for
management to evaluate the
effectiveness of the issuer’s internal
control over financial reporting. We are
also amending our rules to define the
term material weakness and to revise
the requirements regarding the auditor’s
attestation report on the effectiveness of
internal control over financial reporting.
The amendments are intended to
facilitate more effective and efficient
evaluations of internal control over
financial reporting by management and
auditors.
DATES: Effective Date: August 27, 2007,
except the amendment to § 210.2–02T is
effective from August 27, 2007 until
June 30, 2009.
FOR FURTHER INFORMATION CONTACT: N.
Sean Harrison, Special Counsel,
Division of Corporation Finance, at
(202) 551–3430, or Josh K. Jones,
Professional Accounting Fellow, Office
of the Chief Accountant, at (202) 551–
5300, U.S. Securities and Exchange
Commission, 100 F Street, NE.,
Washington, DC 20549–6628.
SUPPLEMENTARY INFORMATION: We are
adopting amendments to Rules 13a–
15(c),1 15d–15(c),2 and 12b–2 3 under
the Securities Exchange Act of 1934 (the
‘‘Exchange Act’’),4 Rules 1–02,5 2–02 6
and 2–02T 7 of Regulation S–X,8 and
Item 308 of Regulations S–B and S–K.9
In a companion release issued in
today’s Federal Register, we are issuing
interpretive guidance to assist
1 17 CFR 240.13a-15(c).
2 17 CFR 240.15d-15(c).
3 17 CFR 240.12b-2.
4 15 U.S.C. 78a et seq.
5 17 CFR 210.1–02.
6 17 CFR 210.2–02.
7 17 CFR 210.2–02T.
8 17 CFR 210.1–01 et seq.
9 17 CFR 228.308 and 229.308.
companies of all sizes in completing
top-down, risk-based evaluations of
internal control over financial
reporting.10 In addition, we are issuing
a release to request additional comment
on the definition of the term ‘‘significant
deficiency.’’ 11
Table of Contents
I. Background
II. Discussion of Amendments
A. Exchange Act Rules 13a–15(c) and 15d–
15(c)
1. Proposal
2. Comments on the Proposal
3. Final Rule
B. Rules 1–02 and 2–02 of Regulation S–
X and Item 308 of Regulations S–B and
S–K
1. Proposal
2. Comments on the Proposal
3. Final Rule
C. Definition of Material Weakness
1. Proposal
2. Comments on the Proposal
3. Final Rule
III. Transition Issues
IV. Background to Regulatory Analyses
V. Paperwork Reduction Act
VI. Cost-Benefit Analysis
VII. Effect on Efficiency, Competition and
Capital Formation
VIII. Final Regulatory Flexibility Analysis
IX. Statutory Authority and Text of Rule
Amendments
I. Background
In implementing Section 404(a) of the
Sarbanes-Oxley Act of 2002 12
(‘‘Sarbanes-Oxley’’), the Commission
adopted amendments to Exchange Act
Rules 13a–15 and 15d–15 to require
companies, other than registered
investment companies, to include in
their annual reports filed pursuant to
Section 13(a) or 15(d) 13 of the Exchange
Act a report by management on the
company’s internal control over
financial reporting (‘‘ICFR’’) and a
registered public accounting firm’s
attestation report on ICFR. Rules 13a–15
and 15d–15 also require management of
each company to evaluate the
effectiveness, as of the end of each fiscal
year, of the company’s ICFR.14
On December 20, 2006, the
Commission issued a proposing release
that contained interpretive guidance for
management (‘‘Proposed Interpretive
Guidance’’) regarding its required
evaluation of ICFR and amendments to
10 Release No. 34–55929 (Jun. 20, 2007)
(hereinafter ‘‘Interpretive Guidance’’).
11 Release No. 34–55930 (Jun. 20, 2007).
12 15 U.S.C. 7262.
13 15 U.S.C. 78m(a) or 78o(d).
14 Release No. 33–8238 (June 5, 2003) [68 FR
36636] (hereinafter ‘‘Adopting Release’’). See
Release No. 33–8392 (Feb. 24, 2004) [69 FR 9722]
for compliance dates applicable to accelerated
filers. See Release No. 33–8760 (Dec. 15, 2006) [71
FR 76580] for compliance dates applicable to non-accelerated filers.
Exchange Act Rules 13a–15(c) and 15d–
15(c) to make it clear that an evaluation
conducted in accordance with the
Proposed Interpretive Guidance was one
way to satisfy the annual management
evaluation required by those rules. In
addition, we proposed amendments to
Rule 2–02(f) of Regulation S–X to
require that the registered public
accounting firm’s attestation report on
ICFR express a single opinion directly
on the effectiveness of ICFR, and to
clarify the circumstances in which we
would expect that the accountant
cannot express an opinion on ICFR. We
also proposed amendments to Rule 1–
02(a)(2) of Regulation S–X to revise the
definition of attestation report to
conform it to the proposed changes to
Rule 2–02(f).15
We received over 200 comment letters
in response to our Proposing Release.16
These letters came from corporations,
professional associations, large and
small accounting firms, law firms,
consultants, academics, investors and
other interested parties. Of these,
approximately 70 respondents
commented on the proposed rule
amendments. We have reviewed and
considered all of the comments that we
received on the proposed rule
amendments. The adopted rules reflect
changes made in response to many of
these comments. We discuss our
conclusions with respect to each
proposed rule amendment and the
related comments in more detail
throughout this release.
II. Discussion of Amendments
A. Exchange Act Rules 13a–15(c) and
15d–15(c)
1. Proposal
Exchange Act Rules 13a–15(c) and
15d–15(c) require the management of
each issuer subject to the Exchange Act
reporting requirements, other than a
registered investment company, to
evaluate the effectiveness of the issuer’s
ICFR as of the end of each fiscal year.
We proposed to amend these rules to
state that, although there are many
different ways to conduct an evaluation
of the effectiveness of ICFR, an
evaluation conducted in accordance
with the Proposed Interpretive
Guidance would satisfy the evaluation
requirement in those rules.
15 Release Nos. 33–8762; 34–54976 (Dec. 20,
2006) [71 FR 77635] (hereinafter ‘‘Proposing
Release’’).
16 The comment letters are available for
inspection in the Commission’s Public Reference
Room at 100 F Street, NE., Washington, DC 20549
in File No. S7–24–06, or may be viewed at
https://www.sec.gov/comments/s7-24-06/s72406.shtml.
2. Comments on the Proposal
While many commenters supported
the proposed amendments to Rules 13a–
15 and 15d–15,17 some expressed the
view that although the guidance is
appropriately principles-based, the
nature of the requirements set forth in
the Proposed Interpretive Guidance is
not well-suited to the type of safe-harbor
protection intended by the
amendments.18 For instance, three
commenters suggested that the Proposed
Interpretive Guidance does not contain
specific, objective criteria that a
company’s management could use to
demonstrate that its evaluation complies
with the requirements of the Proposed
Interpretive Guidance.19 Consequently,
two of these commenters went on to
conclude that the amendments may
eventually lead to the Interpretive
Guidance being viewed as an exclusive
evaluation approach. In light of these
and similar concerns, one commenter
suggested broadening the amended rule
language to explicitly indicate that an
evaluation provides a reasonable basis
for management’s ICFR assessment if it
includes: (1) An identification of the
risks that are reasonably likely to result
in a material misstatement of the
company’s financial statements; (2) an
evaluation of whether the company has
placed controls in operation that are
designed to address those risks; and (3)
a risk-based process for gathering and
evaluating evidence regarding the
effective operation of those controls.20
One commenter opposed both the
Proposed Interpretive Guidance and the
proposed rule amendments and
expressed the view that management
will, as a result of the nature of the
Proposed Interpretive Guidance, claim
the protection afforded by the
amendments for deficient evaluations.21
Another commenter expressed the view
that the proposed rule amendments
could result in a ‘‘minimalist’’ attitude
17 See, for example, letters from America’s
Community Bankers (ACB), BP p.l.c. (BP), Business
Roundtable, Enbridge Inc., European Association of
Listed Companies, Hudson Financial Solutions
(Hudson), ING Group N.V. (ING), PPL Corporation
(PPL), Silicon Valley Leadership Group (SVLG),
The Hundred Group of Finance Directors (100
Group), and UnumProvident Corporation
(UnumProvident).
18 See, for example, letters from American
Electronics Association (AeA), James J. Angel,
Cleary Gottlieb Steen & Hamilton LLP (Cleary),
Financial Reporting Committee of the Association
of the Bar of the City of New York (NYC Bar), and
U.S. Chamber of Commerce (Chamber).
19 See, for example, letters from Cleary, NYC Bar,
and Reznick Group, P.C.
20 See letter from Cleary.
21 See joint letter from Consumer Federation of
America, Consumer Action, and U.S. Public Interest
Research Group.
towards the internal control evaluation
on the part of management.22
3. Final Rule
After consideration of the comments
that we received, we have determined to
adopt the amendments to Rules 13a–
15(c) and 15d–15(c) as proposed. The
amended rules state that there are many
different ways to conduct an evaluation
that will satisfy the evaluation
requirement in the rules, and the
Interpretive Guidance clearly states that
compliance with the guidance is
voluntary. Therefore, concerns that the
amendments may cause confusion as to
whether compliance with the
Interpretive Guidance is mandatory or
may result in an exclusive standard are
unfounded. We understand that many
companies already complying with the
Section 404 requirements have
established an ICFR evaluation process
that may differ from the approach
described in the Interpretive Guidance.
There is no requirement for these
companies to alter their procedures to
align them with the Interpretive
Guidance.
We have decided not to broaden the
amended rule language to include
factors to consider in determining
whether alternative methods satisfy the
standard primarily because we think
this type of ‘‘broadening’’ may actually
limit the potential universe of
acceptable evaluation methods. For
example, while we believe the
Interpretive Guidance’s top-down, risk-based approach will result in both
effective and efficient evaluations of the
effectiveness of ICFR, management may
choose to establish an alternative
evaluation approach. An alternative
approach may be deemed preferable if it
complements a company’s existing
quality improvement processes or
enterprise risk management
methodologies and still provides
management with a reasonable basis for
its assessment of ICFR effectiveness.
Therefore, we do not think it is
appropriate or necessary to mandate the
approach set forth in the Interpretive
Guidance.
Regarding the comments expressing
concern that the principles-based nature
of the Proposed Interpretive Guidance
may not easily lend itself to the safe-harbor type provisions, we acknowledge
that the amendments to Rules 13a–15
and 15d–15 are of a somewhat different
nature from other safe-harbor
provisions, which typically prescribe
very specific conditions that must be
met before a company or person may
claim protection under the safe-harbor.
22 See letter from Tatum LLC.
Nonetheless, we believe establishing the
Interpretive Guidance as one way to
satisfactorily evaluate ICFR will serve
the important purpose of
communicating the objectives and
requirements of the ICFR evaluation.
Moreover, most commenters preferred
that the guidance for conducting an
evaluation of ICFR be issued on an
interpretive basis rather than codified as
a rule.23 Accordingly, a direct reference
in the rules to the Interpretive Guidance
will help ensure that companies are
aware of the guidance.
We are issuing the Interpretive
Guidance, and taking a series of other
steps, to improve and strengthen
implementation of the ICFR
requirements. Regardless of whether
management uses the Interpretive
Guidance, we remain committed to a
strong implementation of the ICFR
requirements and to ensuring that
issuers perform a sufficient evaluation.
As is currently the case, the sufficiency
of an evaluation will be determined
based on each issuer’s particular facts
and circumstances.
B. Rules 1–02 and 2–02 of Regulation
S–X and Item 308 of Regulations S–B
and S–K
1. Proposal
Rule 2–02(f) of Regulation S–X
requires the registered public
accounting firm’s attestation report on
management’s assessment of ICFR to
clearly state the ‘‘opinion of the
accountant as to whether management’s
assessment of the effectiveness of the
registrant’s ICFR is fairly stated in all
material respects.’’ The term
‘‘assessment’’ as used in Rule 2–02(f)
refers to management’s disclosure of its
conclusion about the effectiveness of the
company’s ICFR, not the efficacy of the
process followed by management to
arrive at its conclusion. To more
effectively communicate the auditor’s
responsibility in relation to
management’s assessment, we proposed
to revise Rule 2–02(f) to require the
auditor to express an opinion directly
on the effectiveness of ICFR. We believe
this opinion necessarily conveys
whether the disclosure of management’s
assessment is fairly stated. In addition,
we proposed revisions to Rule 2–02(f) to
clarify the rare circumstances in which
the accountant would be unable to
express an opinion.
23 Approximately thirty-three commenters
directly responded to the question about whether
the guidance should be issued as an interpretation
or codified as a Commission rule. Approximately
70% of such respondents indicated that the
guidance should be issued as an interpretation.
We also proposed conforming
revisions to the definition of attestation
report in Rule 1–02(a)(2) of Regulation
S–X. The PCAOB proposed a
conforming revision to its auditing
standard to reflect this revision as
well.24
2. Comments on the Proposal
We received comments on the
proposed revisions to Rules 1–02(a)(2)
and 2–02(f) of Regulation S–X to require
the expression of a single opinion
directly on the effectiveness of ICFR by
the auditor in the attestation report on
ICFR. Those who commented on this
proposed amendment were equally
divided, with approximately one-half
supporting the Commission’s proposal
to eliminate the auditor’s opinion on
management’s assessment of the
effectiveness of ICFR,25 and the other
half expressing the view that, although
the reduction to one opinion by the
auditor was preferable, the opinion
retained would limit improvements in
the efficiency of the 404 process.26
Commenters who supported the
Commission’s proposal believe that an
auditor’s opinion directly on the
effectiveness of a company’s ICFR
provides investors with a higher level of
assurance than the opinion only on
management’s assessment. These
commenters also suggested that an audit
opinion directly on the effectiveness of
ICFR was a clearer expression of the
scope of the auditor’s work. However,
those who opposed the Commission’s
proposal argued that an audit opinion
directly on the effectiveness of ICFR
would require duplicative, unnecessary
and excessive testing by auditors and
24 PCAOB Release No. 2006–007: Proposed
Auditing Standard—An Audit of Internal Control
Over Financial Reporting that is Integrated with an
Audit of Financial Statements. See
https://www.pcaobus.org/Rules/Docket_021/index.aspx
(hereinafter ‘‘Proposed Auditing Standard’’).
25 See, for example, letters from Banco Itaú
Holding Financeira SA, BP, Cisco Systems, Inc.
(Cisco), Computer Sciences Corporation (CSC), Eli
Lilly and Company (Eli Lilly), Frank Consulting,
PLLP, Grant Thornton LLP, Kimball International
(Kimball), Lubrizol Corporation (Lubrizol), MetLife,
Inc. (MetLife), NYC Bar, PPG Industries, Inc. (PPG),
The Procter & Gamble Company (P&G), and RAM
Energy Resources, Inc.
26 See, for example, letters from 100 Group,
Alamo Group, Association of Chartered Certified
Accountants (ACCA), BHP Billiton Limited (BHP),
European Federation of Accountants (FEE), The
Financial Services Roundtable (FSR), Hess
Corporation (Hess), Hutchinson Technology Inc.
(Hutchinson), Institute of Internal Auditors (IIA),
Institute of Management Accountants (IMA),
Institut Der Wirtschaftsprufer [Institute of Public
Auditors in Germany] (IDW), Ian D. Lamdin (I.
Lamdin), Matthew Leitch, Nasdaq Stock Market,
Inc. (Nasdaq), National Venture Capital Association
(NVCA), Nike, Inc. (Nike), Robert F. Richter (R.
Richter), Rod Scott, Southern Company (Southern),
and SVLG.
would therefore lead to higher audit
costs.27 These commenters suggested
the auditor’s work should be limited to
evaluating management’s assessment
process and the testing performed by
management and internal audit. They
acknowledged that the auditor would
need to test at least some controls
directly in addition to evaluating and
testing management’s assessment
process; however, they expected that the
auditor’s own testing could be
significantly reduced from the scope
required to render an opinion directly
on the effectiveness of ICFR.28
Additionally, commenters were
concerned that the proposed rule
change was in direct conflict with
Section 404(b) of Sarbanes-Oxley, which
explicitly calls for the auditor to issue
an attestation report on management’s
assessment of the effectiveness of
ICFR.29
In view of the proposal to require only
one opinion by the auditor in its report
on the effectiveness of a company’s
ICFR, commenters thought that
continued references in Rules 1–02(a)(2)
and 2–02(f) of Regulation S–X to an
‘‘attestation report on management’s
assessment of internal control over
financial reporting’’ would be
confusing.30 These commenters
suggested that we eliminate these
references and refer to the auditor’s
report only as an ‘‘attestation report on
internal control over financial
reporting.’’
3. Final Rule
After consideration of the comments,
we have decided to adopt the proposed
amendments to Rules 1–02(a)(2) and 2–
02(f) of Regulation S–X to require the
expression of a single opinion directly
on the effectiveness of ICFR by the
auditor in its attestation report on ICFR
because it more effectively
communicates the auditor’s
responsibility in relation to
management’s process and necessarily
conveys whether management’s
assessment is fairly stated. In view of
this decision, we agree with
commenters that Rules 1–02(a)(2) and
2–02(f) of Regulation S–X will be clearer
if they refer to the auditor’s report as an
‘‘attestation report on internal control
27 See, for example, letters from 100 Group,
ACCA, Hess, Nasdaq, Nike, and Southern.
28 See, for example, letters from BHP and NVCA.
29 See, for example, letters from FEE, FSR,
Hutchinson, IDW, IIA, IMA, I. Lamdin, and R.
Richter.
30 See, for example, letters from 100 Group, BDO
Seidman LLP, Cleary, Financial Executives
International Committee on Corporate Reporting
(FEI CCR), Manulife Financial (Manulife), Microsoft
Corporation (MSFT), Neenah Paper, Inc (Neenah),
and NYC Bar.
over financial reporting’’ rather than an
‘‘attestation report on management’s
assessment of internal control over
financial reporting.’’ We, therefore, have
made this change. We also have made
conforming changes to Rule 2–02T of
Regulation S–X and Item 308 of
Regulations S–B and S–K.31
Despite the fact that the revised rules
no longer require the auditor to
separately express an opinion
concerning management’s assessment of
the effectiveness of the company’s ICFR,
auditors currently are required under
Auditing Standard No. 2 (‘‘AS No. 2’’),32
and would continue to be required
under the Proposed Auditing Standard,
to evaluate whether management has
included in its annual ICFR assessment
report all of the disclosures required by
Item 308 of Regulations S–B and S–K.
Both AS No. 2 and the Proposed
Auditing Standard would require the
auditor to modify its audit report on the
effectiveness of ICFR if the auditor
determines that management’s
assessment of ICFR is not fairly stated.
Consequently, the revisions are fully
consistent with, and will continue to
achieve, the objectives of Section 404(b)
of Sarbanes-Oxley.
In considering the concerns raised by
commenters about the scope of auditor
testing that is required to render an
opinion directly on the effectiveness of
ICFR, the Commission believes that an
auditing process that is restricted to
evaluating what management has done
would not necessarily provide the
auditor with a sufficient level of
assurance to render an independent
opinion as to whether management’s
assessment (that is, conclusion) about
the effectiveness of ICFR is correct.
Moreover, the PCAOB’s auditing
standards with respect to a company’s
ICFR derive from both Section
103(a)(2)(A)(iii) and Section 404(b) of
Sarbanes-Oxley. Section 404(b) of
Sarbanes-Oxley requires the auditor to
‘‘attest to, and report on, the assessment
made by the management of the issuer.’’
Section 103(a)(2)(A)(iii) of Sarbanes-Oxley requires that each audit report
describe the scope of the auditor’s
testing of the internal control structure
and procedures and present, among
other information: (1) The findings of
the auditor from such testing; (2) an
evaluation of whether such internal
control structure and procedures
provide reasonable assurance that
transactions are recorded as necessary to
31 Item 308 sets forth the ICFR disclosure that
must be included in a company’s annual and
quarterly reports.
32 An Audit of Internal Control Over Financial
Reporting Performed in Conjunction With an Audit
of Financial Statements.
permit preparation of financial
statements in accordance with generally
accepted accounting principles; and (3)
a description of material weaknesses in
such internal controls.33
The Commission believes that an
audit opinion directly on the
effectiveness of ICFR is consistent with
both Section 404 and Section 103 of
Sarbanes-Oxley. Further, the
Commission believes that the
expression of a single opinion directly
on the effectiveness of ICFR clarifies
that an auditor is not responsible for
issuing an opinion on management’s
process for evaluating ICFR.
C. Definition of Material Weakness
1. Proposal
The Proposed Interpretive Guidance
defined a material weakness as a
deficiency, or combination of
deficiencies, in ICFR such that there is
a reasonable possibility that a material
misstatement of the company’s annual
or interim financial statements will not
be prevented or detected on a timely
basis by the company’s ICFR. Further,
we indicated that the definition
formulated in the proposal was
intended to be consistent with its use in
existing auditing literature and
practice.34
2. Comments on the Proposal
Commenters expressed concern about
differences between our proposed
definition of material weakness and that
proposed by the PCAOB in its Proposed
Auditing Standard and requested that
the two definitions be aligned.35
33 Section 103(a)(2)(A)(iii) states that ‘‘each
registered public accounting firm shall—describe in
each audit report the scope of the auditor’s testing
of the internal control structure and procedures of
the issuer, required by section 404(b), and present
(in such report or in a separate report)—
(I.) The findings of the auditor from such testing;
(II.) An evaluation of whether such internal
control structure and procedures—
(aa) Include maintenance of records that in
reasonable detail accurately and fairly reflect the
transactions and dispositions of the assets of the
issuer;
(bb) Provide reasonable assurance that
transactions are recorded as necessary to permit
preparation of financial statements in accordance
with generally accepted accounting principles, and
that receipts and expenditures of the issuer are
being made only in accordance with authorizations
of management and directors of the issuer; and
(III.) A description, at a minimum, of material
weaknesses in such internal controls, and of any
material noncompliance found on the basis of such
testing.’’
34 The PCAOB’s Proposed Auditing Standard
provided the following definition of material
weakness: ‘‘a control deficiency, or combination of
control deficiencies, such that there is a reasonable
possibility that a material misstatement of the
company’s annual or interim financial statements
will not be prevented or detected.’’
35 See, for example, letters from Edison Electric
Institute (EEI), FEI CCR, Financial Executives
Commenters also suggested that a single
definition of material weakness be
established for use by both auditors and
management. They further thought that
we should codify the definition in our
rules.36
In addition, commenters pointed out
that while the Proposed Interpretive
Guidance referred to significant
deficiencies, the Commission did not
include a definition of significant
deficiency within the Proposed
Interpretive Guidance.37 Despite the fact
that the Proposed Interpretive Guidance
did not include a definition of
significant deficiency, commenters on
this topic provided feedback about both
the Commission’s proposed definition
of material weakness and the definition
of significant deficiency as proposed by
the PCAOB.38 Certain commenters
indicated that the Commission should
include a definition of significant
deficiency in the Interpretive
Guidance.39
Commenters also provided feedback
on the probability language in the
definition of material weakness.
Commenters expressing support for the
‘‘reasonable possibility’’ standard in the
proposed definition 40 noted that this
language improves the clarity of the
existing definition and will reduce time
spent evaluating deficiencies.41 In
contrast, other commenters felt that the
probability standard should be
changed.42 These commenters noted
that the meaning of ‘‘reasonably
possible’’ was the same as ‘‘more than
remote’’ and therefore would not reduce
the effort devoted to identifying and
analyzing deficiencies. Two of these
commenters suggested the Commission
International Small Public Company Task Force
(FEI SPCTF), The Institute of Chartered
Accountants in England and Wales (ICAEW), Nina
Stofberg, and SVLG.
36 See, for example, letters from FEE and ICAEW.
37 See, for example, letters from Cardinal Health,
Inc. (Cardinal), EEI, and Protiviti.
38 The PCAOB’s Proposed Auditing Standard
provided the following definition of significant
deficiency: ‘‘a control deficiency, or combination of
control deficiencies, such that there is a reasonable
possibility that a significant misstatement of the
company’s annual or interim financial statements
will not be prevented or detected.’’ A significant
misstatement was defined as ‘‘a misstatement that
is less than material yet important enough to merit
attention by those responsible for oversight of the
company’s financial reporting.’’
39 See, for example, letters from Cardinal and
Protiviti.
40 See, for example, letters from Cisco, FEI CCR,
Hudson, MetLife, MSFT, and P&G.
41 See, for example, letters from Cisco, Committee
on Capital Markets Regulation (CCMR), FEI SPCTF,
Hudson, MetLife, MSFT, Nike, P&G, and TechNet.
42 See, for example, letters from the American Bar
Association’s Committees on Federal Regulation of
Securities and Law and Accounting of the Section
of Business Law (ABA), ACCA, Cardinal Health,
Inc., Chamber, CSC, IIA, Kimball, and NYC Bar.
use a ‘‘reasonable likelihood’’
standard,43 and another suggested the
Commission change to a ‘‘greater than
fifty-percent’’ standard.44 Commenters
also requested additional guidance
about how the concept of ‘‘materiality’’
impacted the definition.45
Most of the commenters who
addressed the reference to interim
financial statements in the definition of
material weakness indicated that the
word ‘‘interim’’ should be removed from
the definition,46 with only one
commenter expressing the view that the
reference to interim financial statements
should remain in the definition.47 Some
commenters who suggested removal of
‘‘interim’’ expressed the view that
because Section 404 of Sarbanes-Oxley
mandates an annual assessment of ICFR,
the deficiency evaluation should also be
based on the impact to the annual
financial statements. Others stated that
the removal of ‘‘interim’’ would allow
management and auditors to better focus
on the annual financial statements when
evaluating the materiality of control
deficiencies.
3. Final Rule
After consideration of the comments
received, we have determined that it is
appropriate for the Commission’s rules
to include the definition of material
weakness since it is an integral term
associated with Sarbanes-Oxley and the
Commission’s implementing rules.
Management’s disclosure requirements
with respect to ICFR are predicated
upon the existence of a material
weakness; therefore, we agree with the
commenters’ suggestion that our rules
should define this term, rather than
refer to auditing literature. As a result,
we are amending Exchange Act Rule
12b–2 and Rule 1–02 of Regulation S–
X to define the term material weakness.
We have decided to adopt the
material weakness definition
substantially as proposed. The
Commission has determined that the
proposed material weakness definition
appropriately describes those conditions
in ICFR that, if they exist, should be
disclosed to investors and should
preclude a conclusion that ICFR is
effective. Therefore, our final rules
define a material weakness as a
43 See letters from NYC Bar and Cleary.
44 See letter from ABA.
45 See, for example, letters from ABA, CCMR,
CSC, Independent Community Bankers of America,
ISACA and IT Governance Institute, P&G, and
Rockwood Holdings, Inc.
46 See, for example, letters from ABA, Cisco,
Deloitte & Touche LLP, EEI, Eli Lilly, FEI CCR, FEI
SPCTF, Ford Motor Company, MSFT, P&G, and
PPL.
47 See letter from MetLife.
deficiency, or a combination of
deficiencies, in ICFR such that there is
a reasonable possibility that a material
misstatement of the registrant’s annual
or interim financial statements will not
be prevented or detected on a timely
basis.48 We anticipate that the PCAOB’s
auditing standards will also include this
definition of material weakness.
After consideration of the proposed
alternatives to the ‘‘reasonable
possibility’’ standard in the proposed
definition of material weakness, we
decided not to change the proposed
standard. Revisions that have the effect
of increasing the likelihood (that is, risk)
of a material misstatement in a
company’s financial reports that can
exist before being disclosed could give
rise to questions about the meaning of
a disclosure that ICFR is effective and
whether the threshold for ‘‘reasonable
assurance’’ is being lowered. Moreover,
we do not believe improvements in
efficiency arising from revisions to the
likelihood element would be significant
to the overall ICFR evaluation effort,
due, in part, to our view that the effort
evaluating deficiencies would be similar
under the alternative standards (for
example, ‘‘reasonable possibility’’ as
compared to ‘‘reasonable likelihood’’).
Lastly, we do not believe the volume of
material weakness disclosures, which
has declined each year since the initial
implementation of Section 404 of
Sarbanes-Oxley, is too high such that
investors would benefit from a
reduction in disclosures that would
result from a higher likelihood
threshold.
Regarding the reference to interim
financial statements in the definition of
material weakness, while we believe
annual materiality considerations are
appropriate when making judgments
about the nature and extent of
evaluation procedures, we believe that
the judgments about whether a control
is adequately designed or operating
effectively should consider the
requirement to provide investors
reliable annual and quarterly financial
reports. Moreover, if management’s
annual evaluation identifies a
deficiency that poses a reasonable
possibility of a material misstatement in
the company’s quarterly reports, we
believe management should disclose the
deficiency to investors and not assess
ICFR as effective. As such, we have not
removed the reference to interim
financial statements from the definition
of material weakness.
In response to the comments
regarding the need for the Commission
48 Exchange Act Rule 12b–2 and Rule 1–02(p) of
Regulation S–X.
to define the term ‘‘significant
deficiency,’’ we are seeking additional
comment on a definition of that term as
part of a separate release issued in the
Federal Register.
III. Transition Issues
Although the amendments to Rules 1–
02 and 2–02 of Regulation S–X will no
longer require the auditor to separately
express an opinion concerning
management’s assessment of the
effectiveness of the company’s ICFR,
audits conducted under AS No. 2 will
continue to result in a separate opinion
on management’s assessment until the
PCAOB’s expected new auditing
standard replacing AS No. 2 becomes
effective and is required for all audits.
Until such time, companies may file
whichever report they receive from their
independent auditor (that is, either one
that contains both opinions under AS
No. 2 or the single opinion under the
expected new auditing standard).
IV. Background to Regulatory Analyses
Congress enacted the Sarbanes-Oxley
Act in July 2002. Section 404 of the Act
directed the Commission to prescribe
rules requiring each issuer required to
file an annual report under Section 13(a)
or 15(d) of the Exchange Act 49 to
prepare an internal control report. The
only Exchange Act reporting companies
that Congress exempted from the
Section 404 requirements were
investment companies registered under
Section 8 of the Investment Company
Act.50
To fulfill its statutory mandate, the
Commission adopted rules in June 2003
to require all Exchange Act reporting
companies other than registered
investment companies, regardless of
their size, to include in their annual
reports a report of management, and an
accompanying auditor’s report, on the
effectiveness of the company’s internal
control over financial reporting
(‘‘ICFR’’).51
Although the Commission adopted
rules in 2003 creating the obligation for
all reporting companies to include ICFR
reports in their annual reports, it
provided a lengthy compliance period
for non-accelerated filers, which are
smaller public companies with a public
float below $75 million.52 Under the
compliance dates that the Commission
49 15 U.S.C. 78m or 78o(d).
50 15 U.S.C. 80a–8.
51 Release No. 33–8238 (June 5, 2003) (68 FR
36636).
52 Although the term ‘‘non-accelerated filer’’ is
not defined in Commission rules, we use it to refer
to an Exchange Act reporting company that does
not meet the Exchange Act Rule 12b–2 definition
of either an ‘‘accelerated filer’’ or a ‘‘large
accelerated filer.’’
originally established, non-accelerated
filers would not have become subject to
the ICFR requirements until they filed
an annual report for a fiscal year ending
on or after April 15, 2005. In contrast,
accelerated filers and large accelerated
filers—companies with a public float of
$75 million or more—became subject to
the Section 404 requirements with
respect to annual reports that they filed
for fiscal years ending on or after
November 15, 2004.
The Commission provided this
lengthy compliance period for non-accelerated filers in light of both the
substantial time and resources needed
by accelerated filers to properly
implement the rules. In addition, it
believed that a corresponding benefit to
investors would result from an extended
transition period that allowed
companies to carefully implement the
new requirements. After each of the first
two years accelerated-filers
implemented the Section 404
requirements, the Commission held a
roundtable discussion, and solicited
comment on issues that arose during
implementation.53
Since the initial extension period, the
Commission has further extended the
compliance dates for non-accelerated
filers. The Commission adopted the
most recent compliance date extension
for non-accelerated filers in December
2006.54 This extension was based, in
part, on a recommendation from the
Commission’s Advisory Committee on
Smaller Public Companies (‘‘Advisory
Committee’’). In its Final Report, issued
on April 23, 2006, the Advisory
Committee raised a number of concerns
regarding the ability of smaller
companies to comply cost-effectively
with the requirements of Section 404.
The Advisory Committee identified as
an overarching concern the difference in
how smaller and larger public
companies operate.
It focused in particular on three
characteristics: (1) The limited number
of personnel in smaller companies,
which constrains the companies’ ability
to segregate conflicting duties; (2) top
management’s wider span of control and
more direct channels of communication,
which increase the risk of management
override; and (3) the dynamic and
evolving nature of smaller companies,
which limits their ability to have static
processes that are well-documented.55
53 As a result of which, the Commission and its
staff issued guidance to assist companies in
implementing these requirements.
54 Release No. 33–8760 (Dec. 15, 2006) (71 FR
77635).
55 Final Report of the Advisory Committee on
Smaller Public Companies to the United States
Securities and Exchange Commission (Apr. 23,
The Advisory Committee suggested
that these characteristics create unique
differences in how smaller companies
achieve effective ICFR that may not be
adequately accommodated in Auditing
Standard No. 2 or other implementation
guidance as currently applied in
practice. In addition, the Advisory
Committee noted serious ramifications
for smaller public companies stemming
from the cost of frequent documentation
changes and sustained review and
testing of controls perceived to be
necessary to comply with the Section
404 requirements.
The Commission also granted the
December 2006 extension in view of a
series of actions that the Commission
and the PCAOB each announced on
May 17, 2006 that they intended to take
to improve the implementation of the
Section 404 requirements. These actions
included:
• Issuance of a Concept Release
soliciting comment on a variety of
issues that might be included in future
Commission guidance for management
to assist in its performance of a top-down, risk-based assessment of ICFR;
• Consideration of additional
guidance from COSO on understanding
and applying the COSO framework; 56
• Revisions to Auditing Standard No.
2;
• Reinforcement of auditor efficiency
through PCAOB inspections and
Commission oversight of the PCAOB’s
audit firm inspection program;
• Development, or facilitation of
development, of implementation
guidance for auditors of smaller public
companies; and
• Continuation of PCAOB forums on
auditing in the small business
environment.
Pursuant to the most recent extension
of the compliance dates, non-accelerated filers are scheduled to begin
including a management report on ICFR
in their annual reports filed for a fiscal
year ending on or after December 15,
2007, and an auditor’s report on ICFR
for a fiscal year ending on or after
December 15, 2008. It was our intention
that non-accelerated filers would be able
to complete their assessment of internal
control without engaging an
independent auditor during the first
year. In addition, to eliminate second-guessing of management that might
2006) (‘‘Advisory Committee Report’’) available at
https://www.sec.gov/info/smallbus/acspc/acspcfinalreport.pdf.
56 On July 11, 2006, COSO issued guidance
entitled ‘‘Internal Control Over Financial
Reporting—Guidance for Smaller Public
Companies’’ that was designed primarily to help
management of smaller public companies with
establishing and maintaining effective ICFR.
result from separating the management
and auditor reports, the rules provide
that the management report included in
a non-accelerated filer’s annual report
during the first year of compliance is
deemed to be ‘‘furnished’’ rather than
‘‘filed.’’ 57
The December 2006 extension of the
management report requirement was
intended to provide the non-accelerated
filers with the benefit of both the
Commission’s management guidance
and the COSO guidance for smaller
companies before planning and
conducting their initial ICFR
assessments. The extension of the
auditor report requirement was
intended to:
• Afford non-accelerated filers and
their auditors the benefit of anticipated
changes to the PCAOB’s Auditing
Standard No. 2, and any
implementation guidance issued by the
PCAOB for auditors of non-accelerated
filers;
• Save non-accelerated filers the costs
of the auditor attestation to, and report
on, management’s initial assessment of
ICFR;
• Enable management of non-accelerated filers to more gradually
prepare for full compliance with the
Section 404 requirements and to gain
some efficiencies in the process of
reviewing and evaluating the
effectiveness of ICFR before becoming
subject to the requirement that the
auditor report on ICFR (and to permit
investors to see and evaluate the results
of management’s first compliance
efforts); and
• Provide the Commission with the
flexibility to consider any comments it
received on the Concept Release and the
proposed guidance for management in
response to questions related to the
appropriate role of the auditor in
evaluating management’s internal
control assessment process.
On July 11, 2006, we issued a Concept
Release to seek public comment on the
issues to be addressed in our guidance
for management on how to assess
ICFR.58 The Commission received
approximately 167 comment letters in
response to the Concept Release, a
majority of which supported additional
Commission guidance to management
that is applicable to companies of all
sizes and complexities. The
Commission considered the feedback
57 Management’s report is not deemed to be filed
for purposes of Section 18 of the Exchange Act [15
U.S.C. 78r] or otherwise subject to the liabilities of
that section, unless the issuer specifically states that
the report is to be considered ‘‘filed’’ under the
Exchange Act or incorporates it by reference into a
filing under the Securities Act or the Exchange Act.
58 Release No. 34–54122 (July 11, 2006).
received in those comment letters in
drafting its Interpretive Guidance.
In conjunction with issuance of the
Interpretive Guidance, in this release we
are adopting amendments to the existing
requirements of Exchange Act Rules
13a–15(c) and 15d–15(c) that
management of each company subject to
the Exchange Act periodic reporting
requirements evaluate, as of the end of
each fiscal year, the effectiveness of the
company’s ICFR. The amendments state
that an evaluation that complies with
the Interpretive Guidance will satisfy
the annual evaluation requirement in
Rules 13a–15(c) and 15d–15(c).
We are also adopting amendments to
Rules 1–02 and 2–02 of Regulation S–
X, and Item 308 of Regulations S–B and
S–K, to state that the company’s auditor
must express only one opinion on a
company’s ICFR. This is a direct
opinion by the auditor on the
effectiveness of the company’s ICFR.
Prior to the amendments, auditors
expressed two separate opinions: one on
the effectiveness of a company’s ICFR
and another on management’s
assessment of the effectiveness of the
company’s ICFR. Finally, we are
adopting an amendment to Exchange
Act Rule 12b–2, and a corresponding
amendment to Rule 1–02 of Regulation
S–X, to define the term material
weakness.
V. Paperwork Reduction Act
Certain provisions of our ICFR
requirements contain ‘‘collection of
information’’ requirements within the
meaning of the Paperwork Reduction
Act of 1995 (‘‘PRA’’). We submitted
these collections of information to the
Office of Management and Budget
(‘‘OMB’’) for review in accordance with
the PRA and received approval for the
collections of information. We do not
believe the rule amendments in this
release will impose any new
recordkeeping or information collection
requirements, or other collections of
information requiring OMB’s approval.
VI. Cost-Benefit Analysis
The rule amendments and the
Interpretive Guidance that we are
adopting are intended to facilitate more
effective and efficient evaluations of
ICFR by management and auditors.
Rules 13a–15 and 15d–15, as initially
adopted, and as amended, do not
mandate any specific method for
management to follow in performing an
evaluation of ICFR. Instead, the rules
recognize that the methods of
conducting evaluations of ICFR will,
and should, vary from company to
company. Commenters have asserted
that the lack of specific direction in
either Section 404 of the Sarbanes-Oxley
Act or the implementing rules on how
management should conduct an
evaluation of ICFR may have resulted in
the auditing standards becoming the de
facto standard for management’s
evaluation in many cases, which likely
contributed to excessive documentation
and testing of internal controls by
management in initial compliance
efforts.
The benefits and costs to investors of
the rule amendments and Interpretive
Guidance are directly related to the
extent to which issuers choose to rely
on the Interpretive Guidance. In part,
this is because compliance is voluntary.
In addition, companies already subject
to the reporting requirement have
gained some efficiencies in the
evaluation process,59 and other sources
have provided guidance on how to
conduct an ICFR evaluation.60 The very
purpose of the rule amendments and the
Interpretive Guidance is to ease the
compliance burden created by Section
404 of the Sarbanes-Oxley Act. Because
of this, and because the use of
Interpretive Guidance is voluntary, it is
unlikely that it could result in
additional incremental cost to issuers.
Issuers that choose to use Interpretive
Guidance will likely do so because it
reduces their overall compliance
burden.
A. Benefits
Our issuance of specific Interpretive
Guidance for management on how to
conduct an ICFR evaluation should
significantly lessen the pressures on
management to look to the auditing
standards for guidance as to how to
conduct its evaluation.61 To the extent
that these pressures have led to
excessive testing and documentation in
the past, the Interpretive Guidance and
rule amendments should lead
management to avoid excessive costs
and aid them in determining the level
of effort necessary to evaluate a
company’s ICFR.
59 Commenters on the Concept Release
Concerning Management’s Reports on Internal
Control Over Financial Reporting, Release No. 34–
54122 (Jul. 11, 2006) [71 FR 40866], available at
https://www.sec.gov/rules/concept/2006/3454122.pdf, expressed similar views. See, for
example, letters from the American Institute of
Certified Public Accountants, Crowe Chizek and
Company LLC, and Kreischer Miller, all available
at https://www.sec.gov/comments/s7-11-06/s71106.shtml.
60 See, for example, The Institute of Internal
Auditor’s Sarbanes-Oxley Section 404: A Guide for
Management by Internal Control Practitioners, May
2006.
61 We are taking this action in conjunction with
the PCAOB’s elimination of the auditor’s
requirement to evaluate the efficacy of
management’s evaluation process.
The extent of the benefits of the rule
amendments depends on a company’s
experience conducting an ICFR
evaluation. As explained in the release
setting forth the Interpretive Guidance,
the effort necessary to conduct an initial
evaluation of ICFR will vary depending
on management’s existing financial
reporting risk assessment and control
monitoring activities. After the first year
of compliance, management’s effort to
identify financial reporting risks and
controls should ordinarily be less
because subsequent evaluations should
be more focused on changes in risks and
controls rather than identification of all
financial reporting risks and the related
controls. Further, in each subsequent
year, the documentation of risks and
controls will only need to be updated
from the prior year or years, not
recreated anew.
Through the risk and control
identification process, management will
have identified for testing only those
controls that are needed to meet the
objective of ICFR (that is, to provide
reasonable assurance regarding the
reliability of financial reporting) and for
which evidence about their operation
can be obtained most efficiently. The
nature and extent of procedures
implemented to evaluate whether those
controls continue to operate effectively
can be tailored to the company’s unique
circumstances, thereby avoiding
unnecessary compliance costs.
In addressing a number of the
commonly identified areas of concerns,
the Interpretive Guidance:
• Explains how to vary approaches
for gathering evidence to support the
evaluation based on risk assessments;
• Explains the use of ‘‘daily
interaction,’’ self-assessment, and other
on-going monitoring activities as
evidence in the evaluation;
• Explains the purpose of
documentation and how management
has flexibility in approaches to
documenting support for its assessment;
• Provides management significant
flexibility in making judgments
regarding what constitutes adequate
evidence in low-risk areas; and
• Allows for management and the
auditor to have different testing
approaches.
The Interpretive Guidance is
organized around two broad principles.
The first principle is that management
should evaluate whether it has
implemented controls that adequately
address the risk that a material
misstatement of the financial statements
would not be prevented or detected in
a timely manner. The guidance
describes a top-down, risk-based
approach to this principle, including the
role of entity-level controls in assessing
financial reporting risks and the
adequacy of controls. The guidance
promotes efficiency by allowing
management to focus on those controls
that are needed to adequately address
the risk of a material misstatement in its
financial statements.
The second principle is that
management’s evaluation of evidence
about the operation of its controls
should be based on its assessment of
risk. The guidance provides an
approach for making risk-based
judgments about the evidence needed
for the evaluation. This allows
management to align the nature and
extent of its evaluation procedures with
those areas of financial reporting that
pose the highest risks to reliable
financial reporting (that is, whether the
financial statements are materially
accurate). As a result, management may
be able to use more efficient approaches
to gathering evidence, such as self-assessments in low-risk areas, and
perform more extensive testing in high-risk areas. By following these two
principles, companies of all sizes and
complexities will be able to implement
the rules effectively and efficiently.
The Interpretive Guidance reiterates
the Commission’s position that
management should bring its own
experience and informed judgment to
bear in order to design an evaluation
process that meets the needs of its
company and that provides a reasonable
basis for its annual assessment of
whether ICFR is effective. This allows
management sufficient and appropriate
flexibility to design such an evaluation
process. Smaller public companies,
which generally have less complex
internal control systems than larger
public companies, can scale and tailor
their evaluation methods and
procedures to fit their own facts and
circumstances.62 Applying the
Interpretive Guidance may thus assist
management of these companies in
scaling and tailoring its evaluation
methods and procedures to fit their own
unique facts and circumstances in ways
that may not be appropriate for larger
companies with more complex internal
control systems. Through the rule
amendments, smaller companies can
take advantage of the flexibility and
scalability in Interpretive Guidance to
conduct an evaluation of ICFR that is
both efficient and effective at
identifying material weaknesses.
By applying the principles set forth in
the Interpretive Guidance, companies of
all sizes and complexities will be able
to comply with the rules more
62 Advisory Committee Report at pp. 39–40.
effectively and efficiently. The total
benefit to investors of the Interpretive
Guidance and rule amendments
depends on the number of companies
that implement these principles and the
extent to which their practices under
these principles depart from the
principles and practices that they would
otherwise follow.
Given that non-accelerated filers have
not yet been required to conduct an
evaluation of ICFR, their use of
Interpretive Guidance in their first year
of conducting an ICFR evaluation may
enable them to avoid some of the initial
compliance costs and efforts that were
incurred by larger public companies
during their early years of compliance
with Section 404’s requirements. In this
respect, investors in non-accelerated
filers may benefit more from the
amended rules and Interpretive
Guidance than investors in larger public
companies that already have been
required to conduct an evaluation.
The amendments to Exchange Act
Rules 13a–15(c) and 15d–15(c) provide
for a non-exclusive safe-harbor in that
they do not require management to
follow the Interpretive Guidance, but
still provide assurance to management
regarding its compliance obligations.
Some of the commenters on the
Proposal questioned the benefits of
these rule amendments. As noted earlier
in this release, three commenters
suggested that the Interpretive Guidance
does not contain specific, objective
criteria that a company’s management
could use to demonstrate that its
evaluation complies with the
requirements of the Interpretive
Guidance.63 The Office of Advocacy of
the Small Business Administration also
stated in its comment letter that some of
the participants in a roundtable it
hosted on the Section 404 requirements
asked for more details as to how the safe
harbor protection could be claimed and
what type of liability protection it
would afford.
The rule amendments are intended to
provide those choosing to follow the
Interpretive Guidance with greater
clarity and transparency about their
obligations relative to Section 404. For
example, the amendments to Exchange
Act Rules 13a–15(c) and 15d–15(c) add
a specific reference to the Interpretive
Guidance in the rules and thereby make
the guidance more visible and
accessible to the managers of companies
subject to the ICFR evaluation
requirement. When a company’s
management relies on the Interpretive
Guidance to conduct its evaluation, the
63 See, for example, letters from Cleary, NYC Bar,
and Reznick Group, P.C.
company does not have to take any
special action to ‘‘claim’’ the assurance
provided by the rule amendments. In
addition, the transparency of the
guidance may benefit investors by
reducing costly second-guessing about
the sufficiency of management’s
evaluation raised by any party,
including the company’s independent
auditor. The Interpretive Guidance is
specific enough to enable a company to
demonstrate that its management
followed the principles set forth in the
Interpretive Guidance in conducting its
ICFR evaluation to gain the assurance
afforded by these rule amendments.
The rule amendments encourage the
use of the Interpretive Guidance because
it advises management to focus on the
controls that address the highest risk of
material misstatement. This will benefit
investors by reducing the amount of
testing and documentation conducted
by management and thus reducing the
cost of compliance.64 The rule
amendments can remove obstacles by
giving management clearer information
about its obligations and by reducing
undue pressures from auditors.
The Commission did not receive any
comments on the dollar magnitude of
the likely reduction in compliance costs
from the rule amendments in
connection with the Proposal. However,
the Commission did receive historical
estimates of total Section 404
compliance costs from the early years of
adoption. These estimates were
obtained from surveys of companies
with a public float above $75 million in
connection with our May 2006
Roundtable on Internal Control
Reporting and Auditing Provisions.
These historical estimates of the early
compliance costs incurred by the
relatively larger companies ranged from
$860,000 to $5.4 million per company,
depending on the survey.65 The
management cost that is the focus of the
rule amendments appears to account for
the majority of this estimate. One
commenter indicated in its comment
letter on the Proposal that it is
especially important to reduce
management costs, as these costs are the
most significant costs associated with
the Section 404 requirements, and can
account for 70–75% of the total
64 Commenters expressed similar views. See, for
example, letters from BHP, Employees’ Retirement
System of Rhode Island, Financial Services Forum,
KPMG LLP, McGladrey & Pullen LLP, MSFT, and
State Street Corporation.
65 See, for example, Financial Executives
International Survey on Sarbanes-Oxley Section 404
Implementation (March, 2006) and CRA
International Sarbanes-Oxley Section 404 Costs and
Implementation Issues: Spring 2006 Survey Update.
compliance costs.66 Thus, even if the
percentage decline in compliance cost
under the rule amendment is small,
companies and their investors could
experience a substantial dollar benefit
in terms of lower costs of compliance.
Commenters expressed the view that
the rule amendments and Interpretive
Guidance will result in more efficient
and effective evaluations of internal
control relative to what would
otherwise occur. In commenting on the
amendments, one commenter provided
a quantitative estimate of the expected
reduction in compliance costs. This
commenter estimated that
implementation of the Proposed
Interpretive Guidance could result in a
reduction in company compliance costs
of approximately 10% in the first year
of implementation (net of first year costs
of implementation of the Interpretive
Guidance). The commenter further
estimated that implementation could
result in an additional 15–20% cost
reduction over costs incurred in the
initial compliance year based on its own
experience in conducting an evaluation
of internal control and its assessment of
the potential efficiencies to be gained
from the Interpretive Guidance.67 The
available qualitative and quantitative
evidence is consistent with our view
that issuers will implement the
Interpretive Guidance to the benefit of
investors.68
We anticipate that the amendments to
Exchange Act Rule 12b–2 and Rule 1–
02 of Regulation S–X to define the term
‘‘material weakness’’ will benefit
companies and investors. Companies
will now be able to refer to the
definition in the Commission rules
requiring management to conduct an
ICFR evaluation, rather than having to
refer to the definition in the audit
standard. We believe that the definition
appropriately describes the ICFR
conditions that, if they exist, should be
disclosed to investors and preclude a
conclusion that ICFR is effective.
Commenters suggested that the rule
amendments and Proposed Interpretive
Guidance will not significantly reduce
costs as long as there are significant
differences between our management
guidance and the Proposed Auditing
66 See letter from The Committee on Capital
Markets Regulation.
67 See letter from CSC.
68 Commenters, however, requested that we
conduct an analysis of the costs and benefits of the
amendments after implementation and assess
whether the amendments and the Interpretive
Guidance result in cost reductions. See, for
example, letters from Biotechnology Industry
Organization (BIO) and NVCA. We are sensitive to
the costs and benefits of our Section 404 rules, and
we intend to monitor the impact of the rule
amendments and Interpretive Guidance.
Standard.69 To address these comments
and enhance the benefit of the rule
amendments, we coordinated with the
PCAOB to align our Interpretive
Guidance and the PCAOB’s new
auditing standard.
B. Costs
As stated above, the obligation for all
companies, regardless of size, to comply
with the ICFR requirements was
established in 2002 when Congress
directed the Commission to adopt rules
to implement Section 404. The rule
amendments and Interpretive Guidance
are designed to reduce the burden of
compliance with those requirements.
The rule amendments and Interpretive
Guidance do not impose any new
compliance obligations on any reporting
company. Because compliance with the
Interpretive Guidance is voluntary, it is
likely that companies and their
management will choose to comply with
the guidance only if they determine that
the benefits exceed the costs.
Companies that have already
completed one or more evaluations may
choose to continue to use their existing
procedures if they are satisfied with the
effectiveness and efficiency of those
procedures. Alternatively, a company
that already has been complying with
the ICFR requirements could choose to
follow the Interpretive Guidance and to
make adjustments to conform its
evaluation procedures to the guidance.
In that case, some commenters
expressed the view that while changing
from the current evaluation approaches
to the top-down, risk-based approach
laid out in the Interpretive Guidance
could result in short-term cost increases,
it would promote a cost-effective
approach in the long-term.70 It is
reasonable to conclude that companies
will not elect to follow the Interpretive
Guidance if, from a cost standpoint,
they determine that is not in their long-term interest to do so.
For smaller public companies that
have not been required to comply with
the ICFR requirements, the costs that
they will incur are a direct result of the
imposition by the Congress of the
statutory requirements of Section 404 of
the Sarbanes-Oxley Act on them. They
may be able to reduce their first-time
evaluation costs by using the
Interpretive Guidance as compared to
what those costs would have been.
69 See, for example, letters from Allstate
Corporation, Hudson, ICAEW, Minn-Dak Farmers
Cooperative, Nasdaq, Supervalu Inc., and
UnumProvident.
70 See, for example, letters from Ace Limited,
Hutchinson, and Neenah.
The Interpretive Guidance advises
management on how to conduct an
efficient evaluation of ICFR, which
could result in management doing less
work, and therefore produce cost
savings for the company. Those cost
savings, however, could be offset if a
company’s auditor does not choose to
use management’s work to the same
extent it did before, due to management
choosing to follow the Interpretive
Guidance and doing less work as a
result.71 Because use of the Interpretive
Guidance is voluntary, it is reasonable
to conclude that management would
choose to reduce the extent and cost of
its work only to the degree that it did
not result in an increase in the overall
costs of complying with Section 404,
including auditor costs.72 On the other
hand, the rule amendments and
Interpretive Guidance could increase
the possibility that the auditor will,
during the Section 404 audit, perform
additional testing of internal controls
beyond that which management
performed in reliance on the
Interpretive Guidance.73
VII. Effect on Efficiency, Competition
and Capital Formation
Section 3(f) of the Exchange Act 74
requires the Commission, whenever it
engages in rulemaking and is required to
consider or determine if an action is
necessary or appropriate in the public
interest, also to consider whether the
action will promote efficiency,
competition, and capital formation.
Section 23(a)(2) of the Exchange Act 75
also requires the Commission, when
adopting rules under the Exchange Act,
to consider the impact that any new rule
would have on competition. In addition,
Section 23(a)(2) prohibits the
Commission from adopting any rule that
would impose a burden on competition
not necessary or appropriate in
furtherance of the purposes of the
Exchange Act.
The rule amendments and
Interpretive Guidance will promote
efficiency, and capital formation. The
Interpretive Guidance and related rule
amendments promote efficiency by
allowing management to focus on those
controls that are needed to adequately
address the risk of a material
misstatement of the company’s financial
statements. The guidance does not
require management to identify every
control in a process or to document the
business practices affecting ICFR.
Rather, management can focus its
evaluation process and the
documentation supporting the
assessment on those controls that it
determines adequately address the risk
of a material misstatement of the
financial statements.
71 See, for example, letters from Heritage
Financial Corporation, MSFT and Neenah.
72 This cost-benefit analysis does not address the
costs associated with the ICFR audit standard itself
because the rule amendments do not affect the ICFR
audit standard.
73 See letter from UnumProvident.
74 15 U.S.C. 78c(f).
75 15 U.S.C. 78w(a)(2).
One commenter expressed the view
that the Section 404 requirements have
provided significant benefits to
investors and business by increasing the
reliability of financial statements,
strengthening internal controls,
improving the efficiency of business
operations and helping to reduce the
risk of fraud.76 To the extent that the
rule amendments and Interpretive
Guidance make the management
evaluation process more efficient, these
benefits can all be retained at a lower
cost.
Under the Sarbanes-Oxley Act, all
companies, except registered investment
companies, are subject to the
requirement to conduct an evaluation of
their ICFR. Compliance with the
amendments to Exchange Act Rules
13a–15 and 15d–15 and Interpretive
Guidance, however, will be voluntary
rather than mandatory and, as such,
companies will be able to choose
whether or not to follow the Interpretive
Guidance. The amendments therefore
will not impose any costs on companies
that they do not choose to incur.
Presumably, companies will only
choose to rely on the Interpretive
Guidance if they think that the benefits
of using the guidance outweigh the
costs.
The rule amendments will encourage
use of the Interpretive Guidance and
thereby increase the efficiency with
respect to the effort and resources
associated with an evaluation of internal
control over financial reporting and
facilitate more efficient allocation of
resources within a company. The
guidance is designed to be scalable
depending on the size of the company,
which should reduce the potential for
internal control reporting requirements
to impose a higher cost burden on
smaller companies relative to revenues.
Capital formation may be promoted to
the extent the cost of compliance with
the evaluation requirement is lowered.
Smaller private companies may be able
to access public capital markets earlier
in their growth and at lower cost.
We do not believe the rule
amendments or the Interpretive
Guidance will impact competition. One
commenter was concerned that the
Interpretive Guidance could become the
exclusive method by which companies
would conduct an evaluation of ICFR
over time, and could discourage the
development of future alternative
evaluation frameworks.77 However, the
rules explicitly acknowledge that there
are many different ways to conduct an
evaluation and the Interpretive
Guidance is not exclusive.
76 See letter from The Committee on Capital
Market Regulation.
VIII. Final Regulatory Flexibility
Analysis
This Final Regulatory Flexibility
Analysis (‘‘FRFA’’) has been prepared in
accordance with the Regulatory
Flexibility Act.78 This FRFA relates to
amendments to Exchange Act Rules
13a–15(c), 15d–15(c), and 12b–2, Rules
1–02 and 2–02 of Regulation S–X, and
Item 308 of Regulations S–B and S–K.
These rules require the management of
an Exchange Act reporting company,
other than a registered investment
company, to evaluate, as of the
company’s fiscal year-end, the
effectiveness of the company’s ICFR.
Furthermore, these rules also require the
public accounting firm that issues an
audit report on the company’s financial
statements to attest to, and report on,
management’s assessment of the
company’s ICFR. We are amending
these rules to: (1) Provide companies
with the assurance that an evaluation
that complies with our Interpretive
Guidance will satisfy the annual
management ICFR evaluation
requirement; (2) require a company’s
auditor to express only one opinion on
the effectiveness of the company’s ICFR;
and (3) define the term ‘‘material
weakness.’’ An Initial Regulatory
Flexibility Analysis was prepared in
accordance with the Regulatory
Flexibility Act and included in the
release proposing these amendments.79
The Proposing Release solicited
comments on this analysis.
A. Need for the Amendments
The amendments are designed to
facilitate more effective and efficient
evaluations of ICFR by sanctioning the
Interpretive Guidance as a method that
can be used by management to conduct
an ICFR evaluation. Companies already
have a legal obligation to establish and
maintain an adequate system of ICFR
and to evaluate and report annually on
those financial reporting controls. Our
current rules do not prescribe a method
or set of procedures for management to
follow in performing an evaluation of
ICFR. Commenters have asserted that
the lack of direction in either Section
404 of the Sarbanes-Oxley Act or
implementing rules on conducting this
type of evaluation has led many
companies to look to auditing standards
as a guide to conducting the evaluation.
This has likely contributed to excessive
documentation and testing of ICFR.
While the rule amendments and
Interpretive Guidance are designed to
make ICFR evaluations by management
more cost-effective for all reporting
companies subject to the Section 404
requirements, they will be particularly
useful to smaller public companies that
have a public float below $75 million.
These companies have not yet been
required to comply with the Section 404
requirements. The rule amendments and
Interpretive Guidance will encourage
managements of smaller companies to
scale and tailor their evaluation
methods and procedures to fit their
companies’ own particular facts and
circumstances.
77 See letter from NYC Bar.
78 5 U.S.C. 601.
79 5 U.S.C. 603.
B. Significant Issues Raised by Public
Comments
In the Proposing Release, we
requested comment on any aspect of the
IRFA, including the number of small
entities that would be affected by the
proposed amendments, and the
quantitative and qualitative nature of
the impact. Commenters addressed
several aspects of the proposed rule
amendments and the Proposed
Interpretive Guidance that could
potentially affect small entities. They
expressed concern that the proposed
amendments would not provide
certainty for management because the
Proposed Interpretive Guidance was too
vague, did not provide adequate
guidance for small companies to scale
their evaluation procedures, and was
inconsistent with several aspects of the
PCAOB’s Proposed Auditing
Standard.80
In response to these comments,
including comments submitted by the
Office of Advocacy of the Small
Business Administration, we have
coordinated with the PCAOB to
harmonize the Interpretive Guidance
and rule amendments with the proposed
new auditing standard. We also have
made revisions to our Proposed
Interpretive Guidance to add clarity
while still maintaining a principles-based
approach. Other comments that
we received are discussed below.
Smaller public companies and their
investors could realize benefits from the
rule amendments that, measured in
proportion to their revenues, are greater
than the benefits that would accrue to
larger companies and their investors.
This is because, as commenters on the
Proposal and on previous Commission
releases related to the Section 404
requirements pointed out, the burden of
internal control reporting compliance
costs is ‘‘disproportionately high’’ for
smaller public companies compared to
larger ones.81 To the extent that
Interpretive Guidance and the rule
amendments reduce the cost of
compliance with the requirements of
Section 404, these cost savings will be
disproportionately greater for smaller
public companies and their investors.82
80 See, for example, letters from AeA, BIO, IMA
and U.S. Small Business Administration’s Office of
Advocacy (SBA).
C. Small Entities Subject to the Final
Amendments
The amendments will affect some
issuers that are ‘‘small entities.’’
Exchange Act Rule 0–10(a) 83 defines an
issuer, other than an investment
company, to be a ‘‘small business’’ or
‘‘small organization’’ if it had total
assets of $5 million or less on the last
day of its most recent fiscal year. We
estimate that there are approximately
1,110 issuers, other than investment
companies, that may be considered
small entities. The amendments will
apply to any small entity, other than a
registered investment company, that is
subject to Exchange Act reporting
requirements.
Overall, approximately 6,000 smaller
public companies that are subject to the
Exchange Act reporting requirements,
but have a public float below $75
million, will be required to comply with
these requirements for the first time in
their annual reports for fiscal years
ending on or after December 15, 2007.
The Interpretive Guidance and rule
amendments are intended to reduce the
cost of compliance for these companies.
Overall, more than half of the reporting
companies subject to the Section 404
requirements are smaller public
companies that should benefit from the
rule amendments and Interpretive
Guidance.
D. Reporting, Recordkeeping, and Other
Compliance Requirements
The rule amendments and
Interpretive Guidance are designed to
alleviate reporting and compliance
burdens. They do not impose any new
reporting, recordkeeping or compliance
requirements on small entities. The
amendments are designed to make
compliance with existing requirements
more efficient. Many factors contribute
to the cost of compliance, including the
size and complexity of the company and
the rigor of its controls. The degree to
which the rule amendments will reduce
compliance costs will depend on these
factors and on the company’s prior
experience and access to information
about alternative methods of
compliance with the Section 404
requirements. Therefore, it is difficult to
quantify the benefits of the amendments
for small entities.
81 See, for example, the letter from the Office of
Advocacy of the Small Business Administration,
citing the Advisory Committee Report at p. 33.
82 Nearly 5,000 companies already are subject to
the Section 404 requirements. Larger companies
may also be able to perform more efficient ICFR
evaluations based on the Interpretive Guidance, and
gain assurance that changes they make in their
evaluation procedures still comply with
Commission rules.
83 17 CFR 240.0–10(a).
E. Agency Action To Minimize Effect on
Small Entities
The Regulatory Flexibility Act directs
us to consider alternatives that would
accomplish our stated objectives, while
minimizing any significant adverse
impact on small entities. In connection
with the rule amendments and
Interpretive Guidance, we considered
alternatives, including establishing
different compliance or reporting
requirements that take into account the
resources available to small entities,
clarifying or simplifying compliance
and reporting requirements under the
rules for small entities, using design
rather than performance standards, and
exempting small entities from all or part
of the Interpretive Guidance and rule
amendments.
Regarding the first alternative, the
Commission has effectively established
different compliance requirements for
smaller entities by making the
Interpretive Guidance scalable in order
to take into account the resources
available to smaller public companies,
including those that are small entities.
Regarding the second alternative, the
Interpretive Guidance and rule
amendments clarify and simplify the
Section 404 reporting requirements for
all reporting companies, including small
entities. The final rules create a
principles-based set of guidelines for
management that will produce more
effective and efficient evaluations of
ICFR for small entities, as well as other
reporting companies subject to the
Section 404 requirements.
The Interpretive Guidance describes a
top-down, risk-based approach to
evaluating ICFR. It promotes efficiency
for companies of all sizes by allowing
management to focus its efforts on those
controls that are needed to adequately
address the risk of a material
misstatement in a company’s financial
statements.
Regarding the third alternative, the
rule amendments and Interpretive
Guidance set forth primarily
performance rather than design
standards, in particular to aid the
management of non-accelerated filers
(including small entities) in conducting
an evaluation of ICFR. The amendments
provide assurance that compliance with
the Interpretive Guidance will satisfy
the management evaluation requirement
in Exchange Act Rules 13a–15 and 15d–
15. The rule amendments and
Interpretive Guidance afford companies
choosing to follow the Interpretive
Guidance considerable flexibility to
scale and tailor their evaluation
methods to fit the particular
circumstances of the company. This
flexibility is especially beneficial to
non-accelerated filers (including small
entities).
For example, in many smaller
companies senior management is more
involved in the day-to-day operations of
the company. The Interpretive Guidance
describes how management’s daily
interaction, as well as other forms of on-going monitoring activities, can provide
evidence in the evaluation process. This
flexibility should enable smaller
companies to keep costs of compliance
with the management evaluation
requirement as low as possible.
The rule amendments explicitly state
that a company’s management does not
need to comply with the Interpretive
Guidance. The amendments provide
assurance, however, to a company
choosing to follow the guidance that it
has satisfied management’s obligation to
conduct an evaluation of internal
control in an appropriate manner. Small
entities should be able to reduce the
amount of testing and documentation by
relying on the Interpretive Guidance
rather than auditing standards to plan
and conduct their evaluations of ICFR.
Regarding the final alternative, we
believe that an exclusion of small
entities from the Interpretive Guidance
and the rule amendments would
discourage small entities from using the
principles-based Interpretive Guidance
and would be inconsistent with our goal
of developing a more effective and
flexible ICFR evaluation process that is
scaled and tailored to meet the small
entity’s particular circumstances.
IX. Statutory Authority and Text of
Rule Amendments
The amendments described in this
release are being adopted under the
authority set forth in Sections 12, 13, 15,
23 of the Exchange Act, and Sections
3(a) and 404 of the Sarbanes-Oxley Act.
List of Subjects
17 CFR Part 210
Accountants, Accounting, Reporting
and recordkeeping requirements,
Securities.
17 CFR Parts 228, 229 and 240
Reporting and recordkeeping
requirements, Securities.
Text of Amendments
For the reasons set out in the
preamble, the Commission amends title
17, chapter II, of the Code of Federal
Regulations as follows:
PART 210—FORM AND CONTENT OF
AND REQUIREMENTS FOR FINANCIAL
STATEMENTS, SECURITIES ACT OF
1933, SECURITIES EXCHANGE ACT
OF 1934, PUBLIC UTILITY HOLDING
COMPANY ACT OF 1935, INVESTMENT
COMPANY ACT OF 1940, INVESTMENT
ADVISERS ACT OF 1940, AND
ENERGY POLICY AND
CONSERVATION ACT OF 1975
1. The authority citation for part 210
continues to read as follows:
Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s,
77z–2, 77z–3, 77aa(25), 77aa(26), 78c, 78j–1,
78l, 78m, 78n, 78o(d), 78q, 78u–5, 78w(a),
78ll, 78mm, 80a–8, 80a–20, 80a–29, 80a–30,
80a–31, 80a–37(a), 80b–3, 80b–11, 7202 and
7262, unless otherwise noted.
2. Amend § 210.1–02 by:
a. revising paragraph (a)(2);
b. redesignating paragraphs (p)
through (bb) as paragraphs (q) through
(cc); and
c. adding new paragraph (p).
The revision and additions read as
follows:
§ 210.1–02 Definition of terms used in
Regulation S–X (17 CFR part 210).
* * * * *
(a) * * *
(2) Attestation report on internal
control over financial reporting. The
term attestation report on internal
control over financial reporting means a
report in which a registered public
accounting firm expresses an opinion,
either unqualified or adverse, as to
whether the registrant maintained, in all
material respects, effective internal
control over financial reporting (as
defined in § 240.13a–15(f) or 240.15d–
15(f) of this chapter), except in the rare
circumstance of a scope limitation that
cannot be overcome by the registrant or
the registered public accounting firm
which would result in the accounting
firm disclaiming an opinion.
* * * * *
(p) Material weakness. The term
material weakness is a deficiency, or a
combination of deficiencies, in internal
control over financial reporting (as
defined in § 240.13a–15(f) or 240.15d–
15(f) of this chapter) such that there is
a reasonable possibility that a material
misstatement of the registrant’s annual
or interim financial statements will not
be prevented or detected on a timely
basis.
* * * * *
3. Amend § 210.2–02 by revising
paragraph (f) to read as follows:
§ 210.2–02 Accountants’ reports and
attestation reports.
* * * * *
(f) Attestation report on internal
control over financial reporting. Every
registered public accounting firm that
issues or prepares an accountant’s
report for a registrant, other than an
investment company registered under
section 8 of the Investment Company
Act of 1940 (15 U.S.C. 80a–8), that is
included in an annual report required
by section 13(a) or 15(d) of the
Securities Exchange Act of 1934 (15
U.S.C. 78a et seq.) containing an
assessment by management of the
effectiveness of the registrant’s internal
control over financial reporting must
clearly state the opinion of the
accountant, either unqualified or
adverse, as to whether the registrant
maintained, in all material respects,
effective internal control over financial
reporting, except in the rare
circumstance of a scope limitation that
cannot be overcome by the registrant or
the registered public accounting firm
which would result in the accounting
firm disclaiming an opinion. The
attestation report on internal control
over financial reporting shall be dated,
signed manually, identify the period
covered by the report and indicate that
the accountant has audited the
effectiveness of internal control over
financial reporting. The attestation
report on internal control over financial
reporting may be separate from the
accountant’s report.
* * * * *
4. Amend § 210.2–02T by revising the
section heading to read as follows:
§ 210.2–02T Accountants’ reports and
attestation reports on internal control over
financial reporting.
* * * * *
PART 228—INTEGRATED
DISCLOSURE FOR SMALL BUSINESS
ISSUERS
5. The authority citation for part 228
continues to read, in part, as follows:
Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j,
77k, 77s, 77z–2, 77z–3, 77aa(25), 77aa(26),
77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn,
77sss, 78l, 78m, 78n, 78o, 78u–5, 78w, 78ll,
78mm, 80a–8, 80a–29, 80a–30, 80a–37, 80b–
11, and 7201 et seq.; and 18 U.S.C. 1350.
* * * * *
6. Amend § 228.308 by revising
paragraphs (a)(4) and (b) to read as
follows:
§ 228.308 (Item 308) Internal control over
financial reporting.
(a) * * *
(4) A statement that the registered
public accounting firm that audited the
financial statements included in the
annual report containing the disclosure
required by this Item has issued an
attestation report on the small business
issuer’s internal control over financial
reporting.
(b) Attestation report of the registered
public accounting firm. Provide the
registered public accounting firm’s
attestation report on the small business
issuer’s internal control over financial
reporting in the small business issuer’s
annual report containing the disclosure
required by this Item.
* * * * *
PART 229—STANDARD
INSTRUCTIONS FOR FILING FORMS
UNDER SECURITIES ACT OF 1933,
SECURITIES EXCHANGE ACT OF 1934
AND ENERGY POLICY AND
CONSERVATION ACT OF 1975—
REGULATION S–K
7. The authority citation for part 229
continues to read, in part, as follows:
Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j,
77k, 77s, 77z–2, 77z–3, 77aa(25), 77aa(26),
77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj,
77nnn, 77sss, 78c, 78i, 78j, 78l, 78m, 78n,
78o, 78u–5, 78w, 78ll, 78mm, 80a–8, 80a–9,
80a–20, 80a–29, 80a–30, 80a–31(c), 80a–37,
80a–38(a), 80a–39, 80b–11, and 7201 et seq.;
and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
8. Amend § 229.308 by revising
paragraphs (a)(4) and (b) to read as
follows:
§ 229.308 (Item 308) Internal control over
financial reporting.
(a) * * *
(4) A statement that the registered
public accounting firm that audited the
financial statements included in the
annual report containing the disclosure
required by this Item has issued an
attestation report on the registrant’s
internal control over financial reporting.
(b) Attestation report of the registered
public accounting firm. Provide the
registered public accounting firm’s
attestation report on the registrant’s
internal control over financial reporting
in the registrant’s annual report
containing the disclosure required by
this Item.
* * * * *
PART 240—GENERAL RULES AND
REGULATIONS, SECURITIES
EXCHANGE ACT OF 1934
9. The authority citation for part 240
continues to read, in part, as follows:
Authority: 15 U.S.C. 77c, 77d, 77g, 77j,
77s, 77z–2, 77z–3, 77eee, 77ggg, 77nnn,
77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 78j,
78j–1, 78k, 78k–1, 78l, 78m, 78n, 78o, 78p,
78q, 78s, 78u–5, 78w, 78x, 78ll, 78mm, 80a–
20, 80a–23, 80a–29, 80a–37, 80b–3, 80b–4,
80b–11, and 7201 et seq., and 18 U.S.C. 1350,
unless otherwise noted.
* * * * *
10. Amend § 240.12b–2 by adding the
definition of ‘‘Material weakness’’ in
alphabetical order to read as follows:
§ 240.12b–2 Definitions.
* * * * *
Material weakness. The term material
weakness is a deficiency, or a
combination of deficiencies, in internal
control over financial reporting such
that there is a reasonable possibility that
a material misstatement of the
registrant’s annual or interim financial
statements will not be prevented or
detected on a timely basis.
* * * * *
11. Amend § 240.13a–15 by revising
paragraph (c) to read as follows:
§ 240.13a–15 Controls and procedures.
* * * * *
(c) The management of each such
issuer, that either had been required to
file an annual report pursuant to section
13(a) or 15(d) of the Act (15 U.S.C.
78m(a) or 78o(d)) for the prior fiscal
year or previously had filed an annual
report with the Commission for the
prior fiscal year, other than an
investment company registered under
section 8 of the Investment Company
Act of 1940, must evaluate, with the
participation of the issuer’s principal
executive and principal financial
officers, or persons performing similar
functions, the effectiveness, as of the
end of each fiscal year, of the issuer’s
internal control over financial reporting.
The framework on which management’s
evaluation of the issuer’s internal
control over financial reporting is based
must be a suitable, recognized control
framework that is established by a body
or group that has followed due-process
procedures, including the broad
distribution of the framework for public
comment. Although there are many
different ways to conduct an evaluation
of the effectiveness of internal control
over financial reporting to meet the
requirements of this paragraph, an
evaluation that is conducted in
accordance with the interpretive
guidance issued by the Commission in
Release No. 34–55929 will satisfy the
evaluation required by this paragraph.
* * * * *
12. Amend § 240.15d–15 by revising
paragraph (c) to read as follows:
§ 240.15d–15 Controls and procedures.
* * * * *
(c) The management of each such
issuer, that either had been required to
file an annual report pursuant to section
13(a) or 15(d) of the Act (15 U.S.C.
78m(a) or 78o(d)) for the prior fiscal
year or previously had filed an annual
report with the Commission for the
prior fiscal year, other than an
investment company registered under
section 8 of the Investment Company
Act of 1940, must evaluate, with the
participation of the issuer’s principal
executive and principal financial
officers, or persons performing similar
functions, the effectiveness, as of the
end of each fiscal year, of the issuer’s
internal control over financial reporting.
The framework on which management’s
evaluation of the issuer’s internal
control over financial reporting is based
must be a suitable, recognized control
framework that is established by a body
or group that has followed due-process
procedures, including the broad
distribution of the framework for public
comment. Although there are many
different ways to conduct an evaluation
of the effectiveness of internal control
over financial reporting to meet the
requirements of this paragraph, an
evaluation that is conducted in
accordance with the interpretive
guidance issued by the Commission in
Release No. 34–55929 will satisfy the
evaluation required by this paragraph.
* * * * *
By the Commission.
Dated: June 20, 2007.
Nancy M. Morris,
Secretary.
[FR Doc. E7–12298 Filed 6–26–07; 8:45 am]
BILLING CODE 8010–01–P
[Federal Register Volume 72, Number 123 (Wednesday, June 27, 2007)]
[Rules and Regulations]
[Pages 35310-35322]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-12298]
[[Page 35309]]
-----------------------------------------------------------------------
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 210, 228, 229 and 240
Amendments to Rules Regarding Management's Report on Internal Control
Over Financial Reporting; Final Rule
Federal Register / Vol. 72, No. 123 / Wednesday, June 27, 2007 /
Rules and Regulations
[[Page 35310]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 210, 228, 229 and 240
[Release Nos. 33-8809; 34-55928; FR-76; File No. S7-24-06]
RIN 3235-AJ58
Amendments to Rules Regarding Management's Report on Internal
Control Over Financial Reporting
AGENCY: Securities and Exchange Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: We are adopting an amendment to our rules to clarify that an
evaluation which complies with the Commission's interpretive guidance
published in this issue of the Federal Register in Release No. 34-55929
is one way to satisfy the requirement for management to evaluate the
effectiveness of the issuer's internal control over financial
reporting. We are also amending our rules to define the term material
weakness and to revise the requirements regarding the auditor's
attestation report on the effectiveness of internal control over
financial reporting. The amendments are intended to facilitate more
effective and efficient evaluations of internal control over financial
reporting by management and auditors.
DATES: Effective Date: August 27, 2007, except the amendment to Sec.
210.2-02T is effective from August 27, 2007 until June 30, 2009.
FOR FURTHER INFORMATION CONTACT: N. Sean Harrison, Special Counsel,
Division of Corporation Finance, at (202) 551-3430, or Josh K. Jones,
Professional Accounting Fellow, Office of the Chief Accountant, at
(202) 551-5300, U.S. Securities and Exchange Commission, 100 F Street,
NE., Washington, DC 20549-6628.
SUPPLEMENTARY INFORMATION: We are adopting amendments to Rules 13a-
15(c),\1\ 15d-15(c),\2\ and 12b-2\3\ under the Securities Exchange Act
of 1934 (the ``Exchange Act''),\4\ Rules 1-02,\5\ 2-02 \6\ and 2-02T
\7\ of Regulation S-X,\8\ and Item 308 of Regulations S-B and S-K.\9\
---------------------------------------------------------------------------
\1\ 17 CFR 240.13a-15(c).
\2\ 17 CFR 240.15d-15(c).
\3\ 17 CFR 240.12b-2.
\4\ 15 U.S.C. 78a et seq.
\5\ 17 CFR 210.1-02.
\6\ 17 CFR 210.2-02.
\7\ 17 CFR 210.2-02T.
\8\ 17 CFR 210.1-01 et seq.
\9\ 17 CFR 228.308 and 229.308.
---------------------------------------------------------------------------
In a companion release issued in today's Federal Register, we are
issuing interpretive guidance to assist companies of all sizes in
completing top-down, risk-based evaluations of internal control over
financial reporting.\10\ In addition, we are issuing a release to
request additional comment on the definition of the term ``significant
deficiency.'' \11\
---------------------------------------------------------------------------
\10\ Release No. 34-55929 (Jun. 20, 2007) (hereinafter
``Interpretive Guidance'').
\11\ Release No. 34-55930 (Jun. 20, 2007).
---------------------------------------------------------------------------
Table of Contents
I. Background
II. Discussion of Amendments
A. Exchange Act Rules 13a-15(c) and 15d-15(c)
1. Proposal
2. Comments on the Proposal
3. Final Rule
B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations S-B and S-K
1. Proposal
2. Comments on the Proposal
3. Final Rule
C. Definition of Material Weakness
1. Proposal
2. Comments on the Proposal
3. Final Rule
III. Transition Issues
IV. Background to Regulatory Analyses
V. Paperwork Reduction Act
VI. Cost-Benefit Analysis
VII. Effect on Efficiency, Competition and Capital Formation
VIII. Final Regulatory Flexibility Analysis
IX. Statutory Authority and Text of Rule Amendments
I. Background
In implementing Section 404(a) of the Sarbanes-Oxley Act of 2002
\12\ (``Sarbanes-Oxley''), the Commission adopted amendments to
Exchange Act Rules 13a-15 and 15d-15 to require companies, other than
registered investment companies, to include in their annual reports
filed pursuant to Section 13(a) or 15(d) \13\ of the Exchange Act a
report by management on the company's internal control over financial
reporting (``ICFR'') and a registered public accounting firm's
attestation report on ICFR. Rules 13a-15 and 15d-15 also require
management of each company to evaluate the effectiveness, as of the end
of each fiscal year, of the company's ICFR.\14\
---------------------------------------------------------------------------
\12\ 15 U.S.C. 7262.
\13\ 15 U.S.C. 78m(a) or 78o(d).
\14\ Release No. 33-8238 (June 5, 2003) [68 FR 36636]
(hereinafter ``Adopting Release''). See Release No. 33-8392 (Feb.
24, 2004) [69 FR 9722] for compliance dates applicable to
accelerated filers. See Release No. 33-8760 (Dec. 15, 2006) [71 FR
76580] for compliance dates applicable to non-accelerated filers.
---------------------------------------------------------------------------
On December 20, 2006, the Commission issued a proposing release
that contained interpretive guidance for management (``Proposed
Interpretive Guidance'') regarding its required evaluation of ICFR and
amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) to make it
clear that an evaluation conducted in accordance with the Proposed
Interpretive Guidance was one way to satisfy the annual management
evaluation required by those rules. In addition, we proposed amendments
to Rule 2-02(f) of Regulation S-X to require that the registered public
accounting firm's attestation report on ICFR express a single opinion
directly on the effectiveness of ICFR, and to clarify the circumstances
in which we would expect that the accountant cannot express an opinion
on ICFR. We also proposed amendments to Rule 1-02(a)(2) of Regulation
S-X to revise the definition of attestation report to conform it to the
proposed changes to Rule 2-02(f).\15\
---------------------------------------------------------------------------
\15\ Release Nos. 33-8762; 34-54976 (Dec. 20, 2006) [71 FR
77635] (hereinafter ``Proposing Release'').
---------------------------------------------------------------------------
We received over 200 comment letters in response to our Proposing
Release.\16\ These letters came from corporations, professional
associations, large and small accounting firms, law firms, consultants,
academics, investors and other interested parties. Of these,
approximately 70 respondents commented on the proposed rule amendments.
We have reviewed and considered all of the comments that we received on
the proposed rule amendments. The adopted rules reflect changes made in
response to many of these comments. We discuss our conclusions with
respect to each proposed rule amendment and the related comments in
more detail throughout this release.
---------------------------------------------------------------------------
\16\ The comment letters are available for inspection in the
Commission's Public Reference Room at 100 F Street, NE., Washington,
DC 20549 in File No. S7-24-06, or may be viewed at
https://www.sec.gov/comments/s7-24-06/s72406.shtml.
---------------------------------------------------------------------------
II. Discussion of Amendments
A. Exchange Act Rules 13a-15(c) and 15d-15(c)
1. Proposal
Exchange Act Rules 13a-15(c) and 15d-15(c) require the management
of each issuer subject to the Exchange Act reporting requirements,
other than a registered investment company, to evaluate the
effectiveness of the issuer's ICFR as of the end of each fiscal year.
We proposed to amend these rules to state that, although there are many
different ways to conduct an evaluation of the effectiveness of ICFR,
an evaluation conducted in accordance with the Proposed Interpretive
Guidance would satisfy the evaluation requirement in those rules.
2. Comments on the Proposal
While many commenters supported the proposed amendments to Rules
13a-15 and 15d-15,\17\ some expressed the view that although the
guidance is appropriately principles-based, the nature of the
requirements set forth in the Proposed Interpretive Guidance is not
well-suited to the type of safe-harbor protection intended by the
amendments.\18\ For instance, three commenters suggested that the
Proposed Interpretive Guidance does not contain specific, objective
criteria that a company's management could use to demonstrate that its
evaluation complies with the requirements of the Proposed Interpretive
Guidance.\19\ Consequently, two of these commenters went on to conclude
that the amendments may eventually lead to the Interpretive Guidance
being viewed as an exclusive evaluation approach. In light of these and
similar concerns, one commenter suggested broadening the amended rule
language to explicitly indicate that an evaluation provides a
reasonable basis for management's ICFR assessment if it includes: (1)
An identification of the risks that are reasonably likely to result in
a material misstatement of the company's financial statements; (2) an
evaluation of whether the company has placed controls in operation that
are designed to address those risks; and (3) a risk-based process for
gathering and evaluating evidence regarding the effective operation of
those controls.\20\
---------------------------------------------------------------------------
\17\ See, for example, letters from America's Community Bankers
(ACB), BP p.l.c. (BP), Business Roundtable, Enbridge Inc., European
Association of Listed Companies, Hudson Financial Solutions
(Hudson), ING Group N.V. (ING), PPL Corporation (PPL), Silicon
Valley Leadership Group (SVLG), The Hundred Group of Finance
Directors (100 Group), and UnumProvident Corporation
(UnumProvident).
\18\ See, for example, letters from American Electronics
Association (AeA), James J. Angel, Cleary Gottlieb Steen & Hamilton
LLP (Cleary), Financial Reporting Committee of the Association of
the Bar of the City of New York (NYC Bar), and U.S. Chamber of
Commerce (Chamber).
\19\ See, for example, letters from Cleary, NYC Bar, and Reznick
Group, P.C.
\20\ See letter from Cleary.
---------------------------------------------------------------------------
One commenter opposed both the Proposed Interpretive Guidance and
the proposed rule amendments and expressed the view that management
will, as a result of the nature of the Proposed Interpretive Guidance,
claim the protection afforded by the amendments for deficient
evaluations.\21\ Another commenter expressed the view that the proposed
rule amendments could result in a ``minimalist'' attitude towards the
internal control evaluation on the part of management.\22\
---------------------------------------------------------------------------
\21\ See joint letter from Consumer Federation of America,
Consumer Action, and U.S. Public Interest Research Group.
\22\ See letter from Tatum LLC.
---------------------------------------------------------------------------
3. Final Rule
After consideration of the comments that we received, we have
determined to adopt the amendments to Rules 13a-15(c) and 15d-15(c) as
proposed. The amended rules state that there are many different ways to
conduct an evaluation that will satisfy the evaluation requirement in
the rules, and the Interpretive Guidance clearly states that compliance
with the guidance is voluntary. Therefore, concerns that the amendments
may cause confusion as to whether compliance with the Interpretive
Guidance is mandatory or may result in an exclusive standard are
unfounded. We understand that many companies already complying with the
Section 404 requirements have established an ICFR evaluation process
that may differ from the approach described in the Interpretive
Guidance. There is no requirement for these companies to alter their
procedures to align them with the Interpretive Guidance.
We have decided not to broaden the amended rule language to include
factors to consider in determining whether alternative methods satisfy
the standard primarily because we think this type of ``broadening'' may
actually limit the potential universe of acceptable evaluation methods.
For example, while we believe the Interpretive Guidance's top-down,
risk-based approach will result in both effective and efficient
evaluations of the effectiveness of ICFR, management may choose to
establish an alternative evaluation approach. An alternative approach
may be deemed preferable if it complements a company's existing quality
improvement processes or enterprise risk management methodologies and
still provides management with a reasonable basis for its assessment of
ICFR effectiveness. Therefore, we do not think it is appropriate or
necessary to mandate the approach set forth in the Interpretive
Guidance.
Regarding the comments expressing concern that the principles-based
nature of the Proposed Interpretive Guidance may not easily lend itself
to the safe-harbor type provisions, we acknowledge that the amendments
to Rules 13a-15 and 15d-15 are of a somewhat different nature from
other safe-harbor provisions, which typically prescribe very specific
conditions that must be met before a company or person may claim
protection under the safe-harbor. Nonetheless, we believe establishing
the Interpretive Guidance as one way to satisfactorily evaluate ICFR
will serve the important purpose of communicating the objectives and
requirements of the ICFR evaluation. Moreover, most commenters
preferred that the guidance for conducting an evaluation of ICFR be
issued on an interpretive basis rather than codified as a rule.\23\
Accordingly, a direct reference in the rules to the Interpretive
Guidance will help ensure that companies are aware of the guidance.
We are issuing the Interpretive Guidance, and taking a series of
other steps, to improve and strengthen implementation of the ICFR
requirements. Regardless of whether management uses the Interpretive
Guidance, we remain committed to a strong implementation of the ICFR
requirements and to ensuring that issuers perform a sufficient
evaluation. As is currently the case, the sufficiency of an evaluation
will be determined based on each issuer's particular facts and
circumstances.
B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations S-B and S-K
1. Proposal
Rule 2-02(f) of Regulation S-X requires the registered public
accounting firm's attestation report on management's assessment of ICFR
to clearly state the ``opinion of the accountant as to whether
management's assessment of the effectiveness of the registrant's ICFR
is fairly stated in all material respects.'' The term ``assessment'' as
used in Rule 2-02(f) refers to management's disclosure of its
conclusion about the effectiveness of the company's ICFR, not the
efficacy of the process followed by management to arrive at its
conclusion. To more effectively communicate the auditor's
responsibility in relation to management's assessment, we proposed to
revise Rule 2-02(f) to require the auditor to express an opinion
directly on the effectiveness of ICFR. We believe this opinion
necessarily conveys whether the disclosure of management's assessment
is fairly stated. In addition, we proposed revisions to Rule 2-02(f) to
clarify the rare circumstances in which the accountant would be unable
to express an opinion.
---------------------------------------------------------------------------
\23\ Approximately thirty-three commenters directly responded to
the question about whether the guidance should be issued as an
interpretation or codified as a Commission rule. Approximately 70%
of such respondents indicated that the guidance should be issued as
an interpretation.
---------------------------------------------------------------------------
We also proposed conforming revisions to the definition of
attestation report in Rule 1-02(a)(2) of Regulation S-X. The PCAOB
proposed a conforming revision to its auditing standard to reflect this
revision as well.\24\
---------------------------------------------------------------------------
\24\ PCAOB Release No. 2006-007: Proposed Auditing Standard--An
Audit of Internal Control Over Financial Reporting that is
Integrated with an Audit of Financial Statements. See
https://www.pcaobus.org/Rules/Docket_021/index.aspx (hereinafter ``Proposed
Auditing Standard'').
---------------------------------------------------------------------------
2. Comments on the Proposal
We received comments on the proposed revisions to Rules 1-02(a)(2)
and 2-02(f) of Regulation S-X to require the expression of a single
opinion directly on the effectiveness of ICFR by the auditor in the
attestation report on ICFR. Those who commented on this proposed
amendment were equally divided, with approximately one-half supporting
the Commission's proposal to eliminate the auditor's opinion on
management's assessment of the effectiveness of ICFR,\25\ and the other
half expressing the view that, although the reduction to one opinion by
the auditor was preferable, the opinion retained would limit
improvements in the efficiency of the 404 process.\26\
---------------------------------------------------------------------------
\25\ See, for example, letters from Banco Itaú Holding
Financeira SA, BP, Cisco Systems, Inc. (Cisco), Computer Sciences
Corporation (CSC), Eli Lilly and Company (Eli Lilly), Frank
Consulting, PLLP, Grant Thornton LLP, Kimball International
(Kimball), Lubrizol Corporation (Lubrizol), MetLife, Inc. (MetLife),
NYC Bar, PPG Industries, Inc. (PPG), The Procter & Gamble Company
(P&G), and RAM Energy Resources, Inc.
\26\ See, for example, letters from 100 Group, Alamo Group,
Association of Chartered Certified Accountants (ACCA), BHP Billiton
Limited (BHP), European Federation of Accountants (FEE), The
Financial Services Roundtable (FSR), Hess Corporation (Hess),
Hutchinson Technology Inc. (Hutchinson), Institute of Internal
Auditors (IIA), Institute of Management Accountants (IMA), Institut
Der Wirtschaftsprufer [Institute of Public Auditors in Germany]
(IDW), Ian D. Lamdin (I. Lamdin), Matthew Leitch, Nasdaq Stock
Market, Inc. (Nasdaq), National Venture Capital Association (NVCA),
Nike, Inc. (Nike), Robert F. Richter (R. Richter), Rod Scott,
Southern Company (Southern), and SVLG.
---------------------------------------------------------------------------
Commenters who supported the Commission's proposal believe that an
auditor's opinion directly on the effectiveness of a company's ICFR
provides investors with a higher level of assurance than the opinion
only on management's assessment. These commenters also suggested that
an audit opinion directly on the effectiveness of ICFR was a clearer
expression of the scope of the auditor's work. However, those who
opposed the Commission's proposal argued that an audit opinion directly
on the effectiveness of ICFR would require duplicative, unnecessary and
excessive testing by auditors and would therefore lead to higher audit
costs.\27\ These commenters suggested the auditor's work should be
limited to evaluating management's assessment process and the testing
performed by management and internal audit. They acknowledged that the
auditor would need to test at least some controls directly in addition
to evaluating and testing management's assessment process; however,
they expected that the auditor's own testing could be significantly
reduced from the scope required to render an opinion directly on the
effectiveness of ICFR.\28\ Additionally, commenters were concerned that
the proposed rule change was in direct conflict with Section 404(b) of
Sarbanes-Oxley, which explicitly calls for the auditor to issue an
attestation report on management's assessment of the effectiveness of
ICFR.\29\
---------------------------------------------------------------------------
\27\ See, for example, letters from 100 Group, ACCA, Hess,
Nasdaq, Nike, and Southern.
\28\ See, for example, letters from BHP and NVCA.
\29\ See, for example, letters from FEE, FSR, Hutchinson, IDW,
IIA, IMA, I. Lamdin, and R. Richter.
---------------------------------------------------------------------------
In view of the proposal to require only one opinion by the auditor
in its report on the effectiveness of a company's ICFR, commenters
thought that continued references in Rules 1-02(a)(2) and 2-02(f) of
Regulation S-X to an ``attestation report on management's assessment of
internal control over financial reporting'' would be confusing.\30\
These commenters suggested that we eliminate these references and refer
to the auditor's report only as an ``attestation report on internal
control over financial reporting.''
---------------------------------------------------------------------------
\30\ See, for example, letters from 100 Group, BDO Seidman LLP,
Cleary, Financial Executives International Committee on Corporate
Reporting (FEI CCR), Manulife Financial (Manulife), Microsoft
Corporation (MSFT), Neenah Paper, Inc (Neenah), and NYC Bar.
---------------------------------------------------------------------------
3. Final Rule
After consideration of the comments, we have decided to adopt the
proposed amendments to Rules 1-02(a)(2) and 2-02(f) of Regulation S-X
to require the expression of a single opinion directly on the
effectiveness of ICFR by the auditor in its attestation report on ICFR
because it more effectively communicates the auditor's responsibility
in relation to management's process and necessarily conveys whether
management's assessment is fairly stated. In view of this decision, we
agree with commenters that Rules 1-02(a)(2) and 2-02(f) of Regulation
S-X will be clearer if they refer to the auditor's report as an
``attestation report on internal control over financial reporting''
rather than an ``attestation report on management's assessment of
internal control over financial reporting.'' We, therefore, have made
this change. We also have made conforming changes to Rule 2-02T of
Regulation S-X and Item 308 of Regulations S-B and S-K.\31\
---------------------------------------------------------------------------
\31\ Item 308 sets forth the ICFR disclosure that must be
included in a company's annual and quarterly reports.
---------------------------------------------------------------------------
Despite the fact that the revised rules no longer require the
auditor to separately express an opinion concerning management's
assessment of the effectiveness of the company's ICFR, auditors
currently are required under Auditing Standard No. 2 (``AS No.
2''),\32\ and would continue to be required under the Proposed Auditing
Standard, to evaluate whether management has included in its annual
ICFR assessment report all of the disclosures required by Item 308 of
Regulations S-B and S-K. Both AS No. 2 and the Proposed Auditing
Standard would require the auditor to modify its audit report on the
effectiveness of ICFR if the auditor determines that management's
assessment of ICFR is not fairly stated. Consequently, the revisions
are fully consistent with, and will continue to achieve, the objectives
of Section 404(b) of Sarbanes-Oxley.
---------------------------------------------------------------------------
\32\ An Audit of Internal Control Over Financial Reporting
Performed in Conjunction With an Audit of Financial Statements.
---------------------------------------------------------------------------
In considering the concerns raised by commenters about the scope of
auditor testing that is required to render an opinion directly on the
effectiveness of ICFR, the Commission believes that an auditing process
that is restricted to evaluating what management has done would not
necessarily provide the auditor with a sufficient level of assurance to
render an independent opinion as to whether management's assessment
(that is, conclusion) about the effectiveness of ICFR is correct.
Moreover, the PCAOB's auditing standards with respect to a company's
ICFR derive from both Section 103(a)(2)(A)(iii) and Section 404(b) of
Sarbanes-Oxley. Section 404(b) of Sarbanes-Oxley requires the auditor
to ``attest to, and report on, the assessment made by the management of
the issuer.'' Section 103(a)(2)(A)(iii) of Sarbanes-Oxley requires that
each audit report describe the scope of the auditor's testing of the
internal control structure and procedures and present, among other
information: (1) The findings of the auditor from such testing; (2) an
evaluation of whether such internal control structure and procedures
provide reasonable assurance that transactions are recorded as
necessary to
permit preparation of financial statements in accordance with generally
accepted accounting principles; and (3) a description of material
weaknesses in such internal controls.\33\
---------------------------------------------------------------------------
\33\ Section 103(a)(2)(A)(iii) states that ``each registered
public accounting firm shall--describe in each audit report the
scope of the auditor's testing of the internal control structure and
procedures of the issuer, required by section 404(b), and present
(in such report or in a separate report)--
(I.) The findings of the auditor from such testing;
(II.) An evaluation of whether such internal control structure
and procedures--
(aa) Include maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of
the assets of the issuer;
(bb) Provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles, and that
receipts and expenditures of the issuer are being made only in
accordance with authorizations of management and directors of the
issuer; and
(III.) A description, at a minimum, of material weaknesses in
such internal controls, and of any material noncompliance found on
the basis of such testing.''
---------------------------------------------------------------------------
The Commission believes that an audit opinion directly on the
effectiveness of ICFR is consistent with both Section 404 and Section
103 of Sarbanes-Oxley. Further, the Commission believes that the
expression of a single opinion directly on the effectiveness of ICFR
clarifies that an auditor is not responsible for issuing an opinion on
management's process for evaluating ICFR.
C. Definition of Material Weakness
1. Proposal
The Proposed Interpretive Guidance defined a material weakness as a
deficiency, or combination of deficiencies, in ICFR such that there is
a reasonable possibility that a material misstatement of the company's
annual or interim financial statements will not be prevented or
detected on a timely basis by the company's ICFR. Further, we indicated
that the definition formulated in the proposal was intended to be
consistent with its use in existing auditing literature and
practice.\34\
---------------------------------------------------------------------------
\34\ The PCAOB's Proposed Auditing Standard provided the
following definition of material weakness: ``a control deficiency,
or combination of control deficiencies, such that there is a
reasonable possibility that a material misstatement of the company's
annual or interim financial statements will not be prevented or
detected.''
---------------------------------------------------------------------------
2. Comments on the Proposal
Commenters expressed concern about differences between our proposed
definition of material weakness and that proposed by the PCAOB in its
Proposed Auditing Standard and requested that the two definitions be
aligned.\35\ Commenters also suggested that a single definition of
material weakness be established for use by both auditors and
management. They further thought that we should codify the definition
in our rules.\36\
---------------------------------------------------------------------------
\35\ See, for example, letters from Edison Electric Institute
(EEI), FEI CCR, Financial Executives International Small Public
Company Task Force (FEI SPCTF), The Institute of Chartered
Accountants in England and Wales (ICAEW), Nina Stofberg, and SVLG.
\36\ See, for example, letters from FEE and ICAEW.
---------------------------------------------------------------------------
In addition, commenters pointed out that while the Proposed
Interpretive Guidance referred to significant deficiencies, the
Commission did not include a definition of significant deficiency
within the Proposed Interpretive Guidance.\37\ Despite the fact that
the Proposed Interpretive Guidance did not include a definition of
significant deficiency, commenters on this topic provided feedback
about both the Commission's proposed definition of material weakness
and the definition of significant deficiency as proposed by the
PCAOB.\38\ Certain commenters indicated that the Commission should
include a definition of significant deficiency in the Interpretive
Guidance.\39\
---------------------------------------------------------------------------
\37\ See, for example, letters from Cardinal Health, Inc.
(Cardinal), EEI, and Protiviti.
\38\ The PCAOB's Proposed Auditing Standard provided the
following definition of significant deficiency: ``a control
deficiency, or combination of control deficiencies, such that there
is a reasonable possibility that a significant misstatement of the
company's annual or interim financial statements will not be
prevented or detected.'' A significant misstatement was defined as
``a misstatement that is less than material yet important enough to
merit attention by those responsible for oversight of the company's
financial reporting.''
\39\ See, for example, letters from Cardinal and Protiviti.
---------------------------------------------------------------------------
Commenters also provided feedback on the probability language in
the definition of material weakness. Commenters expressing support for
the ``reasonable possibility'' standard in the proposed definition \40\
noted that this language improves the clarity of the existing
definition and will reduce time spent evaluating deficiencies.\41\ In
contrast, other commenters felt that the probability standard should be
changed.\42\ These commenters noted that the meaning of ``reasonably
possible'' was the same as ``more than remote'' and therefore would not
reduce the effort devoted to identifying and analyzing deficiencies.
Two of these commenters suggested the Commission use a ``reasonable
likelihood'' standard,\43\ and another suggested the Commission change
to a ``greater than fifty-percent'' standard.\44\ Commenters also
requested additional guidance about how the concept of ``materiality''
impacted the definition.\45\
---------------------------------------------------------------------------
\40\ See, for example, letters from Cisco, FEI CCR, Hudson,
MetLife, MSFT, and P&G.
\41\ See, for example, letters from Cisco, Committee on Capital
Markets Regulation (CCMR), FEI SPCTF, Hudson, MetLife, MSFT, Nike,
P&G, and TechNet.
\42\ See, for example, letters from the American Bar
Association's Committees on Federal Regulation of Securities and Law
and Accounting of the Section of Business Law (ABA), ACCA, Cardinal
Health, Inc., Chamber, CSC, IIA, Kimball, and NYC Bar.
\43\ See letters from NYC Bar and Cleary.
\44\ See letter from ABA.
\45\ See, for example, letters from ABA, CCMR, CSC, Independent
Community Bankers of America, ISACA and IT Governance Institute,
P&G, and Rockwood Holdings, Inc.
---------------------------------------------------------------------------
Most of the commenters who addressed the reference to interim
financial statements in the definition of material weakness indicated
that the word ``interim'' should be removed from the definition,\46\
with only one commenter expressing the view that the reference to
interim financial statements should remain in the definition.\47\ Some
commenters who suggested removal of ``interim'' expressed the view that
because Section 404 of Sarbanes-Oxley mandates an annual assessment of
ICFR, the deficiency evaluation should also be based on the impact to
the annual financial statements. Others stated that the removal of
``interim'' would allow management and auditors to better focus on the
annual financial statements when evaluating the materiality of control
deficiencies.
---------------------------------------------------------------------------
\46\ See, for example, letters from ABA, Cisco, Deloitte &
Touche LLP, EEI, Eli Lilly, FEI CCR, FEI SPCTF, Ford Motor Company,
MSFT, P&G, and PPL.
\47\ See letter from MetLife.
---------------------------------------------------------------------------
3. Final Rule
After consideration of the comments received, we have determined
that it is appropriate for the Commission's rules to include the
definition of material weakness since it is an integral term associated
with Sarbanes-Oxley and the Commission's implementing rules.
Management's disclosure requirements with respect to ICFR are
predicated upon the existence of a material weakness; therefore, we
agree with the commenters' suggestion that our rules should define this
term, rather than refer to auditing literature. As a result, we are
amending Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to
define the term material weakness.
We have decided to adopt the material weakness definition
substantially as proposed. The Commission has determined that the
proposed material weakness definition appropriately describes those
conditions in ICFR that, if they exist, should be disclosed to
investors and should preclude a conclusion that ICFR is effective.
Therefore, our final rules define a material weakness as a
deficiency, or a combination of deficiencies, in ICFR such that there
is a reasonable possibility that a material misstatement of the
registrant's annual or interim financial statements will not be
prevented or detected on a timely basis.\48\ We anticipate that the
PCAOB's auditing standards will also include this definition of
material weakness.
---------------------------------------------------------------------------
\48\ Exchange Act Rule 12b-2 and Rule 1-02(p) of Regulation S-X.
---------------------------------------------------------------------------
After consideration of the proposed alternatives to the
``reasonable possibility'' standard in the proposed definition of
material weakness, we decided not to change the proposed standard.
Revisions that have the effect of increasing the likelihood (that is,
risk) of a material misstatement in a company's financial reports that
can exist before being disclosed could give rise to questions about the
meaning of a disclosure that ICFR is effective and whether the
threshold for ``reasonable assurance'' is being lowered. Moreover, we
do not believe improvements in efficiency arising from revisions to the
likelihood element would be significant to the overall ICFR evaluation
effort, due, in part, to our view that the effort evaluating
deficiencies would be similar under the alternative standards (for
example, ``reasonable possibility'' as compared to ``reasonable
likelihood''). Lastly, we do not believe the volume of material
weakness disclosures, which has declined each year since the initial
implementation of Section 404 of Sarbanes-Oxley, is too high such that
investors would benefit from a reduction in disclosures that would
result from a higher likelihood threshold.
Regarding the reference to interim financial statements in the
definition of material weakness, while we believe annual materiality
considerations are appropriate when making judgments about the nature
and extent of evaluation procedures, we believe that the judgments
about whether a control is adequately designed or operating effectively
should consider the requirement to provide investors reliable annual
and quarterly financial reports. Moreover, if management's annual
evaluation identifies a deficiency that poses a reasonable possibility
of a material misstatement in the company's quarterly reports, we
believe management should disclose the deficiency to investors and not
assess ICFR as effective. As such, we have not removed the reference to
interim financial statements from the definition of material weakness.
In response to the comments regarding the need for the Commission
to define the term ``significant deficiency,'' we are seeking
additional comment on a definition of that term as part of a separate
release issued in the Federal Register.
III. Transition Issues
Although the amendments to Rules 1-02 and 2-02 of Regulation S-X
will no longer require the auditor to separately express an opinion
concerning management's assessment of the effectiveness of the
company's ICFR, audits conducted under AS No. 2 will continue to result
in a separate opinion on management's assessment until the PCAOB's
expected new auditing standard replacing AS No. 2 becomes effective and
is required for all audits. Until such time, companies may file
whichever report they receive from their independent auditor (that is,
either one that contains both opinions under AS No. 2 or the single
opinion under the expected new auditing standard).
IV. Background to Regulatory Analyses
Congress enacted the Sarbanes-Oxley Act in July 2002. Section 404
of the Act directed the Commission to prescribe rules requiring each
issuer required to file an annual report under Section 13(a) or 15(d)
of the Exchange Act \49\ to prepare an internal control report. The
only Exchange Act reporting companies that Congress exempted from the
Section 404 requirements were investment companies registered under
Section 8 of the Investment Company Act.\50\
---------------------------------------------------------------------------
\49\ 15 U.S.C. 78m or 78o(d).
\50\ 15 U.S.C. 80a-8.
---------------------------------------------------------------------------
To fulfill its statutory mandate, the Commission adopted rules in
June 2003 to require all Exchange Act reporting companies other than
registered investment companies, regardless of their size, to include
in their annual reports a report of management, and an accompanying
auditor's report, on the effectiveness of the company's internal
control over financial reporting (``ICFR'').\51\
---------------------------------------------------------------------------
\51\ Release No. 33-8238 (June 5, 2003) (68 FR 36636).
---------------------------------------------------------------------------
Although the Commission adopted rules in 2003 creating the
obligation for all reporting companies to include ICFR reports in their
annual reports, it provided a lengthy compliance period for
non-accelerated filers, which are smaller public companies with a public
float below $75 million.\52\ Under the compliance dates that the
Commission originally established, non-accelerated filers would not
have become subject to the ICFR requirements until they filed an annual
report for a fiscal year ending on or after April 15, 2005. In
contrast, accelerated filers and large accelerated filers--companies
with a public float of $75 million or more--became subject to the
Section 404 requirements with respect to annual reports that they filed
for fiscal years ending on or after November 15, 2004.
---------------------------------------------------------------------------
\52\ Although the term ``non-accelerated filer'' is not defined
in Commission rules, we use it to refer to an Exchange Act reporting
company that does not meet the Exchange Act Rule 12b-2 definition of
either an ``accelerated filer'' or a ``large accelerated filer.''
---------------------------------------------------------------------------
The Commission provided this lengthy compliance period for
non-accelerated filers in light of the substantial time and resources
needed by accelerated filers to properly implement the rules. In
addition, it believed that a corresponding benefit to investors would
result from an extended transition period that allowed companies to
carefully implement the new requirements. After each of the first two
years accelerated filers implemented the Section 404 requirements, the
Commission held a roundtable discussion and solicited comment on
issues that arose during implementation.\53\
---------------------------------------------------------------------------
\53\ As a result, the Commission and its staff issued
guidance to assist companies in implementing these requirements.
---------------------------------------------------------------------------
Since the initial extension period, the Commission has further
extended the compliance dates for non-accelerated filers. The
Commission adopted the most recent compliance date extension for
non-accelerated filers in December 2006.\54\ This extension was based, in
part, on a recommendation from the Commission's Advisory Committee on
Smaller Public Companies (``Advisory Committee''). In its Final Report,
issued on April 23, 2006, the Advisory Committee raised a number of
concerns regarding the ability of smaller companies to comply
cost-effectively with the requirements of Section 404. The Advisory
Committee identified as an overarching concern the difference in how
smaller and larger public companies operate.
---------------------------------------------------------------------------
\54\ Release No. 33-8760 (Dec. 15, 2006) (71 FR 77635).
---------------------------------------------------------------------------
It focused in particular on three characteristics: (1) The limited
number of personnel in smaller companies, which constrains the
companies' ability to segregate conflicting duties; (2) top
management's wider span of control and more direct channels of
communication, which increase the risk of management override; and (3)
the dynamic and evolving nature of smaller companies, which limits
their ability to have static processes that are well-documented.\55\
---------------------------------------------------------------------------
\55\ Final Report of the Advisory Committee on Smaller Public
Companies to the United States Securities and Exchange Commission
(Apr. 23, 2006) (``Advisory Committee Report'') available at
https://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf.
---------------------------------------------------------------------------
The Advisory Committee suggested that these characteristics create
unique differences in how smaller companies achieve effective ICFR that
may not be adequately accommodated in Auditing Standard No. 2 or other
implementation guidance as currently applied in practice. In addition,
the Advisory Committee noted serious ramifications for smaller public
companies stemming from the cost of frequent documentation changes and
sustained review and testing of controls perceived to be necessary to
comply with the Section 404 requirements.
The Commission also granted the December 2006 extension in view of
a series of actions that the Commission and the PCAOB each announced on
May 17, 2006 that they intended to take to improve the implementation
of the Section 404 requirements. These actions included:
• Issuance of a Concept Release soliciting comment on a
variety of issues that might be included in future Commission guidance
for management to assist in its performance of a top-down, risk-based
assessment of ICFR;
• Consideration of additional guidance from COSO on
understanding and applying the COSO framework; \56\
---------------------------------------------------------------------------
\56\ On July 11, 2006, COSO issued guidance entitled ``Internal
Control Over Financial Reporting--Guidance for Smaller Public
Companies'' that was designed primarily to help management of
smaller public companies with establishing and maintaining effective
ICFR.
---------------------------------------------------------------------------
• Revisions to Auditing Standard No. 2;
• Reinforcement of auditor efficiency through PCAOB
inspections and Commission oversight of the PCAOB's audit firm
inspection program;
• Development, or facilitation of development, of
implementation guidance for auditors of smaller public companies; and
• Continuation of PCAOB forums on auditing in the small
business environment.
Pursuant to the most recent extension of the compliance dates,
non-accelerated filers are scheduled to begin including a management report
on ICFR in their annual reports filed for a fiscal year ending on or
after December 15, 2007, and an auditor's report on ICFR for a fiscal
year ending on or after December 15, 2008. It was our intention that
non-accelerated filers would be able to complete their assessment of
internal control without engaging an independent auditor during the
first year. In addition, to eliminate second-guessing of management
that might result from separating the management and auditor reports,
the rules provide that the management report included in a
non-accelerated filer's annual report during the first year of compliance
is deemed to be ``furnished'' rather than ``filed.'' \57\
The December 2006 extension of the management report requirement
was intended to provide the non-accelerated filers with the benefit of
both the Commission's management guidance and the COSO guidance for
smaller companies before planning and conducting their initial ICFR
assessments. The extension of the auditor report requirement was
intended to:
• Afford non-accelerated filers and their auditors the
benefit of anticipated changes to the PCAOB's Auditing Standard No. 2,
and any implementation guidance issued by the PCAOB for auditors of
non-accelerated filers;
• Save non-accelerated filers the costs of the auditor
attestation to, and report on, management's initial assessment of ICFR;
• Enable management of non-accelerated filers to more
gradually prepare for full compliance with the Section 404 requirements
and to gain some efficiencies in the process of reviewing and
evaluating the effectiveness of ICFR before becoming subject to the
requirement that the auditor report on ICFR (and to permit investors to
see and evaluate the results of management's first compliance efforts);
and
• Provide the Commission with the flexibility to consider
any comments it received on the Concept Release and the proposed
guidance for management in response to questions related to the
appropriate role of the auditor in evaluating management's internal
control assessment process.
On July 11, 2006, we issued a Concept Release to seek public
comment on the issues to be addressed in our guidance for management on
how to assess ICFR.\58\ The Commission received approximately 167
comment letters in response to the Concept Release, a majority of which
supported additional Commission guidance to management that is
applicable to companies of all sizes and complexities. The Commission
considered the feedback received in those comment letters in drafting
its Interpretive Guidance.
In conjunction with issuance of the Interpretive Guidance, in this
release we are adopting amendments to the existing requirements of
Exchange Act Rules 13a-15(c) and 15d-15(c) that management of each
company subject to the Exchange Act periodic reporting requirements
evaluate, as of the end of each fiscal year, the effectiveness of the
company's ICFR. The amendments state that an evaluation that complies
with the Interpretive Guidance will satisfy the annual evaluation
requirement in Rules 13a-15(c) and 15d-15(c).
We are also adopting amendments to Rules 1-02 and 2-02 of
Regulation S-X, and Item 308 of Regulations S-B and S-K, to state that
the company's auditor must express only one opinion on a company's
ICFR. This is a direct opinion by the auditor on the effectiveness of
the company's ICFR. Prior to the amendments, auditors expressed two
separate opinions: one on the effectiveness of a company's ICFR and
another on management's assessment of the effectiveness of the
company's ICFR. Finally, we are adopting an amendment to Exchange Act
Rule 12b-2, and a corresponding amendment to Rule 1-02 of
Regulation S-X, to define the term material weakness.
V. Paperwork Reduction Act
Certain provisions of our ICFR requirements contain ``collection of
information'' requirements within the meaning of the Paperwork
Reduction Act of 1995 (``PRA''). We submitted these collections of
information to the Office of Management and Budget (``OMB'') for review
in accordance with the PRA and received approval for the collections of
information. We do not believe the rule amendments in this release will
impose any new recordkeeping or information collection requirements, or
other collections of information requiring OMB's approval.
---------------------------------------------------------------------------
\57\ Management's report is not deemed to be filed for purposes
of Section 18 of the Exchange Act [15 U.S.C. 78r] or otherwise
subject to the liabilities of that section, unless the issuer
specifically states that the report is to be considered ``filed''
under the Exchange Act or incorporates it by reference into a filing
under the Securities Act or the Exchange Act.
\58\ Release No. 34-54122 (July 11, 2006).
---------------------------------------------------------------------------
VI. Cost-Benefit Analysis
The rule amendments and the Interpretive Guidance that we are
adopting are intended to facilitate more effective and efficient
evaluations of ICFR by management and auditors. Rules 13a-15 and
15d-15, as initially adopted, and as amended, do not mandate any specific
method for management to follow in performing an evaluation of ICFR.
Instead, the rules recognize that the methods of conducting evaluations
of ICFR will, and should, vary from company to company. Commenters have
asserted that the lack of specific direction in
either Section 404 of the Sarbanes-Oxley Act or the implementing rules
on how management should conduct an evaluation of ICFR may have
resulted in the auditing standards becoming the de facto standard for
management's evaluation in many cases, which likely contributed to
excessive documentation and testing of internal controls by management
in initial compliance efforts.
The benefits and costs to investors of the rule amendments and
Interpretive Guidance are directly related to the extent to which
issuers choose to rely on the Interpretive Guidance. In part, this is
because compliance is voluntary. In addition, companies already subject
to the reporting requirement have gained some efficiencies in the
evaluation process,\59\ and other sources have provided guidance on how
to conduct an ICFR evaluation.\60\ The very purpose of the rule
amendments and the Interpretive Guidance is to ease the compliance
burden created by Section 404 of the Sarbanes-Oxley Act. Because of
this, and because the use of Interpretive Guidance is voluntary, it is
unlikely that it could result in additional incremental cost to
issuers. Issuers that choose to use Interpretive Guidance will likely
do so because it reduces their overall compliance burden.
A. Benefits
Our issuance of specific Interpretive Guidance for management on
how to conduct an ICFR evaluation should significantly lessen the
pressures on management to look to the auditing standards for guidance
as to how to conduct its evaluation.\61\ To the extent that these
pressures have led to excessive testing and documentation in the past,
the Interpretive Guidance and rule amendments should lead management to
avoid excessive costs and aid them in determining the level of effort
necessary to evaluate a company's ICFR.
The extent of the benefits of the rule amendments depends on a
company's experience conducting an ICFR evaluation. As explained in the
release setting forth the Interpretive Guidance, the effort necessary
to conduct an initial evaluation of ICFR will vary depending on
management's existing financial reporting risk assessment and control
monitoring activities. After the first year of compliance, management's
effort to identify financial reporting risks and controls should
ordinarily be less because subsequent evaluations should be more
focused on changes in risks and controls rather than identification of
all financial reporting risks and the related controls. Further, in
each subsequent year, the documentation of risks and controls will only
need to be updated from the prior year or years, not recreated anew.
Through the risk and control identification process, management
will have identified for testing only those controls that are needed to
meet the objective of ICFR (that is, to provide reasonable assurance
regarding the reliability of financial reporting) and for which
evidence about their operation can be obtained most efficiently. The
nature and extent of procedures implemented to evaluate whether those
controls continue to operate effectively can be tailored to the
company's unique circumstances, thereby avoiding unnecessary compliance
costs.
In addressing a number of the commonly identified areas of
concerns, the Interpretive Guidance:
• Explains how to vary approaches for gathering evidence to
support the evaluation based on risk assessments;
• Explains the use of ``daily interaction,''
self-assessment, and other on-going monitoring activities as evidence in the
evaluation;
• Explains the purpose of documentation and how management
has flexibility in approaches to documenting support for its
assessment;
• Provides management significant flexibility in making
judgments regarding what constitutes adequate evidence in low-risk
areas; and
• Allows for management and the auditor to have different
testing approaches.
The Interpretive Guidance is organized around two broad principles.
The first principle is that management should evaluate whether it has
implemented controls that adequately address the risk that a material
misstatement of the financial statements would not be prevented or
detected in a timely manner. The guidance describes a top-down,
risk-based approach to this principle, including the role of entity-level
controls in assessing financial reporting risks and the adequacy of
controls. The guidance promotes efficiency by allowing management to
focus on those controls that are needed to adequately address the risk
of a material misstatement in its financial statements.
---------------------------------------------------------------------------
\59\ Commenters on the Concept Release Concerning Management's
Reports on Internal Control Over Financial Reporting, Release No.
34-54122 (Jul. 11, 2006) [71 FR 40866], available at
https://www.sec.gov/rules/concept/2006/34-54122.pdf, expressed similar
views. See, for example, letters from the American Institute of
Certified Public Accountants, Crowe Chizek and Company LLC, and
Kreischer Miller, all available at
https://www.sec.gov/comments/s7-11-06/s71106.shtml.
\60\ See, for example, The Institute of Internal Auditor's
Sarbanes-Oxley Section 404: A Guide for Management by Internal
Control Practitioners, May 2006.
\61\ We are taking this action in conjunction with the PCAOB's
elimination of the auditor's requirement to evaluate the efficacy of
management's evaluation process.
---------------------------------------------------------------------------
The second principle is that management's evaluation of evidence
about the operation of its controls should be based on its assessment
of risk. The guidance provides an approach for making risk-based
judgments about the evidence needed for the evaluation. This allows
management to align the nature and extent of its evaluation procedures
with those areas of financial reporting that pose the highest risks to
reliable financial reporting (that is, whether the financial statements
are materially accurate). As a result, management may be able to use
more efficient approaches to gathering evidence, such as
self-assessments in low-risk areas, and perform more extensive testing in
high-risk areas. By following these two principles, companies of all
sizes and complexities will be able to implement the rules effectively
and efficiently.
The Interpretive Guidance reiterates the Commission's position that
management should bring its own experience and informed judgment to
bear in order to design an evaluation process that meets the needs of
its company and that provides a reasonable basis for its annual
assessment of whether ICFR is effective. This allows management
sufficient and appropriate flexibility to design such an evaluation
process. Smaller public companies, which generally have less complex
internal control systems than larger public companies, can scale and
tailor their evaluation methods and procedures to fit their own facts
and circumstances.\62\ Applying the Interpretive Guidance may thus
assist management of these companies in scaling and tailoring its
evaluation methods and procedures to fit their own unique facts and
circumstances in ways that may not be appropriate for larger companies
with more complex internal control systems. Through the rule
amendments, smaller companies can take advantage of the flexibility and
scalability in Interpretive Guidance to conduct an evaluation of ICFR
that is both efficient and effective at identifying material
weaknesses.
---------------------------------------------------------------------------
\62\ Advisory Committee Report at pp. 39-40.
---------------------------------------------------------------------------
By applying the principles set forth in the Interpretive Guidance,
companies of all sizes and complexities will be able to comply with the
rules more
effectively and efficiently. The total benefit to investors of the
Interpretive Guidance and rule amendments depends on the number of
companies that implement these principles and the extent to which their
practices under these principles depart from the principles and
practices that they would otherwise follow.
Given that non-accelerated filers have not yet been required to
conduct an evaluation of ICFR, their use of Interpretive Guidance in
their first year of conducting an ICFR evaluation may enable them to
avoid some of the initial compliance costs and efforts that were
incurred by larger public companies during their early years of
compliance with Section 404's requirements. In this respect, investors
in non-accelerated filers may benefit more from the amended rules and
Interpretive Guidance than investors in larger public companies that
already have been required to conduct an evaluation.
The amendments to Exchange Act Rules 13a-15(c) and 15d-15(c)
provide for a non-exclusive safe-harbor in that they do not require
management to follow the Interpretive Guidance, but still provide
assurance to management regarding its compliance obligations. Some of
the commenters on the Proposal questioned the benefits of these rule
amendments. As noted earlier in this release, three commenters
suggested that the Interpretive Guidance does not contain specific,
objective criteria that a company's management could use to demonstrate
that its evaluation complies with the requirements of the Interpretive
Guidance.\63\ The Office of Advocacy of the Small Business
Administration also stated in its comment letter that some of the
participants in a roundtable it hosted on the Section 404 requirements
asked for more details as to how the safe harbor protection could be
claimed and what type of liability protection it would afford.
---------------------------------------------------------------------------
\63\ See, for example, letters from Cleary, NYC Bar, and Reznick
Group, P.C.
---------------------------------------------------------------------------
The rule amendments are intended to provide those choosing to
follow the Interpretive Guidance with greater clarity and transparency
about their obligations relative to Section 404. For example, the
amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) add a specific
reference to the Interpretive Guidance in the rules and thereby make
the guidance more visible and accessible to the managers of companies
subject to the ICFR evaluation requirement. When a company's management
relies on the Interpretive Guidance to conduct its evaluation, the
company does not have to take any special action to ``claim'' the
assurance provided by the rule amendments. In addition, the
transparency of the guidance may benefit investors by reducing costly
second-guessing about the sufficiency of management's evaluation raised
by any party, including the company's independent auditor. The
Interpretive Guidance is specific enough to enable a company to
demonstrate that its management followed the principles set forth in
the Interpretive Guidance in conducting its ICFR evaluation to gain the
assurance afforded by these rule amendments.
The rule amendments encourage the use of the Interpretive Guidance
because it advises management to focus on the controls that address the
highest risk of material misstatement. This will benefit investors by
reducing the amount of testing and documentation conducted by
management and thus reducing the cost of compliance.\64\ The rule
amendments can remove obstacles by giving management clearer
information about its obligations and by reducing undue pressures from
auditors.
---------------------------------------------------------------------------
\64\ Commenters expressed similar views. See, for example,
letters from BHP, Employees' Retirement System of Rhode Island,
Financial Services Forum, KPMG LLP, McGladrey & Pullen LLP, MSFT,
and State Street Corporation.
---------------------------------------------------------------------------
The Commission did not receive any comments on the dollar magnitude
of the likely reduction in compliance costs from the rule amendments in
connection with the Proposal. However, the Commission did receive
historical estimates of total Section 404 compliance costs from the
early years of adoption. These estimates were obtained from surveys of
companies with a public float above $75 million in connection with our
May 2006 Roundtable on Internal Control Reporting and Auditing
Provisions. These historical estimates of the early compliance costs
incurred by the relatively larger companies ranged from $860,000 to
$5.4 million per company, depending on the survey.\65\ The management
cost that is the focus of the rule amendments appears to account for
the majority of this estimate. One commenter indicated in its comment
letter on the Proposal that it is especially important to reduce
management costs, as these costs are the most significant costs
associated with the Section 404 requirements, and can account for
70-75% of the total compliance costs.\66\ Thus, even if the percentage
decline in compliance cost under the rule amendment is small, companies
and their investors could experience a substantial dolla