Section 404 compliance in the annual report: assessing control deficiencies now is a documented process required of management.
EXECUTIVE SUMMARY
* BEGINNING IN 2004, MANY PUBLICLY traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report. The content should contain
* A statement of management's responsibilities for establishing and maintaining an adequate system.
* The identification of the framework used to evaluate the internal controls.
* A statement as to whether or not the internal control system is effective as of yearend.
* The disclosure of any material weaknesses in the system.
* A statement that the company's auditors have issued an audit report on management's assessment.
* AS COMPANIES EVALUATE THEIR internal control systems, senior management, with input from CPAs, must determine whether there are any material weaknesses and if so, what they should report.
* MANAGEMENT MUST REPORT ON ITS system's effectiveness as of a point in time rather than over a span of time, raising the question of what to disclose when a material weakness had been identified and corrected prior to yearend. Management will judge what is a "sufficient period of time" to prove corrections or new procedures are effective. New controls must be tested and the evidence sufficient for management to reach a conclusion.
Beginning in 2004, many publicly traded companies must comply with new SEC rules issued under section 404 of the Sarbanes-Oxley Act and include in their annual reports (Forms 10-K or 10-KSB) a discussion of the effectiveness of their internal control over financial reporting. (The November 15, 2004, effective date applies to "accelerated filers," which generally are companies whose market value exceeds $75 million. Nonaccelerated filers and foreign private issuers have until July 15, 2005, to file their first internal control report.) Management should include this report near the section on management's discussion and analysis or immediately preceding the financial statements.
Management will find preparing the internal control report a challenge, particularly when there are internal control deficiencies. Whether they are part of senior management that signs the internal control report, or act as advisers, CPAs--in roles other than auditor--still are critical to assessing the reporting implications of such deficiencies. This article provides guidance to help CPAs effectively fulfill this role.
The SEC rules (www.sec.gov/rules/final.shtml, release no. 33-8238) require that the report a company files annually on its internal control systems contain the following elements:
* A statement of management's responsibilities for establishing and maintaining an adequate system.
* The identification of the framework used to evaluate the internal controls.
* A statement as to whether the internal control system is effective as of yearend.
* The disclosure of any material weaknesses in the internal control system.
* A statement that the company's external auditors have issued an audit report on management's assessment of its internal controls.
The SEC rules do not prescribe specific language for these reports. Rather, the intent is that management will craft its report in a way that is most appropriate for the company's unique circumstances. Exhibit 1, at right, is a sample management report that contains the SEC-required elements. Exhibit 2, page 45, provides language that may be used when management has identified material weaknesses. As shown in exhibit 2, when a material weakness exists as of yearend, management is precluded from stating that internal control is effective.
Significantly, the SEC rules do not provide a definition of "material weakness." Rather, they state that they cross reference their rules to the definition that is provided in the auditing standards, as set by the Public Company Accounting Oversight Board (PCAOB). For this reason, CPAs working with senior management should have a working knowledge of the auditing standards if they are to be successful in helping to evaluate and report on internal control.
INTERNAL CONTROL DEFICIENCIES
As entities document and test their internal controls, deficiencies in the system are bound to be identified. As these deficiencies come to light, CPAs need to be informed of them as quickly as possible so they can assess the magnitude of the deficiency and take appropriate corrective action. When evaluating internal control deficiencies, two significant issues are most likely to surface:
* Does the deficiency--or the aggregation of deficiencies--rise to the level of a "material weakness" that must be disclosed and which will preclude the company from issuing a "clean" internal control report?
* What should a company report when it has identified and corrected a material weakness prior to yearend?
A company's financial reporting process must enable it to capture, record, process, summarize and report financial data. An internal control deficiency is a flaw in either the design or operation of a control policy or procedure that has a negative effect on this process.
It is relatively easy to reach a consensus on deficiencies that lie toward either end of the spectrum (see "Internal Control Deficiencies," page 43). For example, suppose a company had no procedures for counting its inventory of office supplies at yearend. Most people involved in the financial reporting process probably would agree this lack of a control procedure, which could result in a misstatement of office expenses, lies toward the far left--that is, inconsequential--of the continuum
borderline problems arise, giving rise to the question: At what point does a deficiency cross the line from inconsequential to significant and from there to material weakness?
CPAs can help senior management answer this question by breaking it down into its component parts, namely:
* What would be the significance if, for example, a company's office supply expenses were misstated?
* What are the chances that, for example, the deficiency would result in failure to detect a financial statement error, taking into account any "compensating controls" designed to achieve the same control objective?
Ultimately, the determination of the severity of an internal control flaw is based on the answers to both questions.
As stated previously, it is the auditing literature that defines material weakness and describes its component parts. Exhibit 3, page 46, summarizes this guidance. As shown in the exhibit, a material weakness is a deficiency in which there is a likelihood (more than remote) that a significant (material) financial statement misstatement will not be prevented or detected on a timely basis.
CHANGES MADE BY THE NEW AUDITING RULES
PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, made a subtle but significant change to the previously established definition of material weakness. Under the new standard, a material weakness exists if the likelihood of a material error is "more than remote." Under the previous standard, the threshold was defined as "greater than a relatively low risk."
Additionally, the new standard lists several circumstances, each of which is a strong indicator that a material weakness exists (see exhibit 4, page 46, for this list). Previous standards included no such list.
During the exposure period for the new standard, many CPAs expressed concern that the definition would require companies to designate and report more internal control weaknesses as material than they would have under the previous standard. As companies begin to file their internal control reports, it remains to be seen whether this concern will be realized.
WHAT TO DISCLOSE
In the event that a company determines a material weakness exists at yearend, it must disclose this fact. Historically, in these situations, a company's annual report has included
* The fact that management has identified a material weakness in its internal control over financial reporting.
* A definition of, or reference to the definition of, "material weakness."
* The actions taken by company management to correct the deficiency.
The SEC reporting rules under Sarbanes-Oxley do not prescribe any different format or other requirements.
REPORTING AFTER MATERIAL WEAKNESS CORRECTIONS
The SEC requires management to report on the effectiveness of its internal control system as of a point in time rather than for a span of time. This "as of" reporting requirement raises the question of what management should conclude about internal control effectiveness at yearend when earlier it had identified a material weakness and corrected it prior to yearend. Would it be appropriate for management to conclude that controls were effective at yearend, even though a material weakness had been identified earlier?
The answer is "yes," assuming the material weakness has been corrected and the new policy or procedure has been in place for a sufficient period of time and is operating effectively at yearend. Determining what constitutes a "sufficient period of time" will require the exercise of professional judgment. Matters to be considered when making this determination include the following.
Nature of the control objective. Some control objectives are transaction-oriented and narrowly focused, and have a direct effect on the financial statements--for example, a bank reconciliation and the matching of vendor invoices to an approved vendor list. Other control objectives are control environment-oriented, affect the entity broadly and have only an indirect effect on the financial statements--for example, management's philosophy and operating style and the entity's hiring practices.
In general, because of their indirect effect on the financial statements and their ability to influence the effectiveness of other controls, corrections to the control environment should be in place and demonstrating they are operating effectively for a much longer period of time than corrections to controls that are more transaction-oriented.
Nature of the correction. Some corrections may be programmed into the information-processing system to remedy a control deficiency. The company programs its system to generate an exception report. Assuming the entity has effective computer general controls, the computer performs the same task consistently for an indefinite period of time. Thus, the reprogrammed application may need to be operational for only a relatively short period of time before management can draw a reliable conclusion about its effectiveness.
However, when a correction cannot be programmed but instead depends on the continued involvement of one or more persons, it should operate effectively for a longer period of time before management can reach a reliable conclusion. Unlike a computer application, the performance of a person might vary and must be proven to be correct over a longer period of time.
Frequency. Some control procedures are performed frequently--for example, the authentication of credit card information for all online customers who purchase goods. Other procedures are performed less frequently--for example, the review of period-end journal entries. When control procedures are performed frequently, it takes less time to have enough sample transactions to draw a reliable conclusion. For credit card authorization, the control procedure may be performed thousands of times in just a few days. On the other hand, if management's review of journal entries is performed only once a month, the procedure may need to be in place for several months before there is enough evidence to assess its effectiveness.
Ultimately, taking steps to correct a control deficiency and then waiting a certain amount of time are not sufficient for management to conclude a problem no longer exists. New controls must be tested and the evidence from these tests must be sufficient to enable management to reach a conclusion about their effectiveness.
GET STARTED EARLY
The "as of" reporting requirements under Sarbanes-Oxley provide an important incentive for company management to identify and correct internal control weaknesses on a timely basis. CPAs with a significant stake in the internal control evaluation, testing and reporting process should impress upon senior management the benefits of getting a quick, substantial start to Sarbanes-Oxley section 404 compliance projects.
Exhibit 1: Sample Management Report on Internal Control Over Financial Reporting
The management of ABC is responsible for establishing and maintaining adequate internal control over financial reporting. ABC's internal control system was designed to provide reasonable assurance to the company's management and board of directors regarding the preparation and fair presentation of published financial statements.
All internal control systems, no matter how well designed, have inherent limitations. Therefore, even those systems determined to be effective can provide only reasonable assurance with respect to financial statement preparation and presentation. [Author's note: This statement regarding the inherent limitations of internal control is not required by SEC rules. It is included in this sample report solely for illustrative purposes.]
ABC management assessed the effectiveness of the company's internal control over financial reporting as of December 31, 2004. In making this assessment, it used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control--Integrated Framework. Based on our assessment we believe that, as of December 31, 2004, the company's internal control over financial reporting is effective based on those criteria.
ABC's independent auditors have issued an audit report on our assessment of the company's internal control over financial reporting. This report appears on page xx.
Exhibit 2: Sample Management Report When Material Weaknesses Have Been Identified
[Introductory paragraph--same as in exhibit 1.]
[Optional, inherent limitations paragraph--see exhibit 1.]
An internal control material weakness is a significant deficiency, or aggregation of deficiencies, that does not reduce to a relatively low level the risk that material misstatements in financial statements will be prevented or detected on a timely basis by employees in the normal course of their work. An internal control significant deficiency, or aggregation of deficiencies, is one that could result in a misstatement of the financial statements that is more than inconsequential.
The management of ABC assessed the effectiveness of the company's internal control over financial reporting as of December 31, 2004, and this assessment identified the following material weakness in the company's internal control over financial reporting. [Describe the material weakness.]
In making its assessment of internal control over financial reporting, management used the criteria issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control--Integrated Framework. Because of the material weakness described in the preceding paragraph, management believes that, as of December 31, 2004, the company's internal control over financial reporting was not effective based on those criteria.
ABC's independent auditors have issued an attestation report on management's assessment of the company's internal control over financial reporting. It appears on page XX.
Exhibit 3: Evaluating Internal Control Deficiencies
As shown in this diagram, internal control deficiencies must be evaluated along two dimensions to determine their relative significance. Those two dimensions are likelihood and significance, depicted here along the horizontal and vertical axes, respectively. If there is more than a remote chance (likelihood) that a material error (significance) could result from the deficiency, then it is considered a material weakness, which must be reported.
PCAOB Auditing Standard no. 2 changes the criteria for determining the relative significance of an internal control deficiency, as summarized above. Both company management and its external auditors should use this new definition to assess identified control deficiencies. The new definition does not change the significance factor, but it does alter the threshold for assessing the likelihood of the misstatement.
Exhibit 4: Strong Indicators of a Material Weakness
PCAOB Auditing Standard no. 2 provides definitive guidance on how auditors should evaluate the magnitude of internal control deficiencies. It says each of the following circumstances should be regarded as a strong indicator that a material weakness in internal control exists:
* Restatement of previously issued financial statements to reflect the correction of a misstatement.
* Identification by the company's independent auditor of a material misstatement in financial statements in the current period that was not initially identified by the company's internal control over financial reporting.
* The audit committee's oversight
* The internal audit or risk assessment function at very large or highly complex companies is ineffective.
* For complex entities in highly regulated industries, an ineffective regulatory compliance function.
* Identification of fraud of any magnitude on the part of senior management.
* Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.
* An ineffective control environment.
PRACTICAL TIPS TO REMEMBER
* Obtain a good, working definition of material weakness. When designing your tests of internal control, make sure they are sufficient to detect a material weakness.
* Test internal controls as far in advance of yearend as possible, and correct any identified weaknesses quickly. If you take action early, you may be able to avoid disclosing a material weakness in your annual report.
* Draft the internal control report in a way that reflects the unique circumstances at the company.
American Institute of Certified Public Accountants (AICPA) Resources
The Institute answers individual questions at the Sarbanes-Oxley Act hot line--866-265-1977--and up-to-date compliance information for CPAs is available at Sarbanes-Oxley Act/PCAOB Implementation Central, www.aicpa.org/sarbanes/Index.asp.
* AICPA Audit and Accounting Guide, Consideration of Internal Control in a Financial Statement Audit (# 012451JA).
* Financial Reporting Alert. Internal Control Reporting--Implementing Sarbanes-Oxley Section 404 (# 029200JA).
* Financial Reporting Fraud: A Practical Guide to Detection and Internal Control by Charles R. Lundelius Jr. (# 029879JA).
* Internal Control--Integrated Framework. COSO report (# 990012JA).
CPE
* Internal Control Reporting for Public Companies: A Practical Guide to the PCAOB Standard, a video course: DVD/manual (# 181421JA); VHS/manual (# 1811420).
* Internal Control Reporting: A Manager's Guide to Surviving the Audit, a video course: DVD/manual (# 181423JA); VHS/manual (# 181422JA).
* Internal Controls Reporting: A Guide to Effective Documentation, a video course: DVD/manual (# 181401JA); VHS/manual (# 181400JA).
* Internal Controls: Design and Documentation, a self-study course (# 731850JA).
* SEC Reporting, a self-study course: text (# 736771JA); VHS/manual (# 186751JA).
Conference on Current SEC and PCAOB Developments December 6-8, 2004 Marriott Wardman Park Washington, D.C.
For more information about any of these resources, to place an order or to register, go to www.cpa2biz.com or call the AICPA at 888-777-7077.
MICHAEL RAMOS is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, published by John Wiley
e-mail address is email@example.com.