Reporting on internal control: the SEC's proposed rules; implementation will bring substantial changes in reporting and auditing.
If the Securities and Exchange Commission adopts its 1988 rule proposal, Report of Management's Responsibilities, public companies will be required to assess the effectiveness of their internal control structures and report the results to the public. A so-called management report would contain this assessment along with the company's response to significant internal control recommendations by internal and independent auditors.
Although the time for its implementation may have come, the idea of a management report isn't new. For over a decade, financial statement preparers and auditors as well as legislators and regulators have advocated its use. As cases of fraudulent financial reporting and alleged audit failures continue to be reported, pressure for change has mounted. And the recent savings and loan crisis hasn't boosted public confidence in financial reporting.
This article discusses the pros and cons of the SEC's proposed rule, current responsibilities for internal control, and the changes public companies and their auditors face if the new rule is passed.
Proposals for a management report go back at least to 1978, when the Commission on Auditors' Responsibilities (the Cohen commission) recommended it. A year later, the American Institute of CPAs special advisory committee on internal accounting control embraced the concept and the SEC made its first proposal requiring management reports.
The 1979 SEC rule proposal, Statement of Management on Internal Accounting Control, would have increased management's reporting responsibility and required auditors to expand their oversight roles by attesting to management's assertions. The SEC, however, withdrew its proposal, saying the private sector should be permitted to continue its own initiatives in this area. The SEC planned to monitor private initiatives and reconsider the need for a requirement at a later date.
In 1987, the management report idea resurfaced when the National Commission on Fraudulent Financial Reporting (the Treadway commission) recommended that management, in the company's annual report, "acknowledge management's responsibilities for the financial statements and internal control, discuss how these responsibilities were fulfilled and provide management's assessment of the effectiveness of the company's internal controls." However, the Treadway commission did not propose changing auditing standards to require an auditor to issue a report on management's assertions.
The management report requirement also has arisen in some proposed legislation. For example, the General Accounting Office proposed that the 1989 S&L bailout bill require management and auditors to report on internal controls and compliance with specified laws and regulations related to the safety and soundness of federally insured institutions. However, the final bill did not include this requirement.
WHAT IS INTERNAL CONTROL?
A uniform approach to reporting on internal control implies there must be a common definition of internal control and common criteria for evaluation--and both must be designed to make the reporting process useful and effective. But currently there are at least three possible approaches.
1. An expanded definition. The Treadway commission concluded the concept of internal control should extend beyond accounting controls. "Internal controls broader than the internal accounting controls contemplated under the FCPA [Foreign Corrupt Practices Act of 1977] are necessary to reduce the incidence of fraudulent financial reporting." The May 1989 issues paper, Guidance on Internal Control, published by the National Association of Accountants, also extended the concept of internal control beyond the traditional accounting controls to include management and operational controls. The authors contended all three are important in detecting fraud in the financial reporting process.
2. The current practice. Public companies that now include a management report in their annual reports generally don't agree with such a broad reporting view. Management often defines internal controls as those controls (primarily accounting controls) that benefit the company's compliance with the FCPA. Current management reports on internal controls don't address management and operational controls.
3. The auditor's view. Statement on Auditing Standards no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, defines the elements of an entity's internal control structure as the control environment, the accounting system and control procedures. These elements, especially the control environment, encompass certain of a company's management and operational controls in addition to accounting controls, although the SAS requires the auditor to consider only those controls relevant to the audit. It says the auditor's emphasis should not be on which category a control fits into but whether a specific policy or procedure affects financial statement assertions.
THE SEC'S PROPOSAL
In 1988, the SEC returned to the topic of management's reports. Its most recent proposal would require companies to make three representations:
1. Management's assessment of the effectiveness of its internal control structure at the end of the most recent fiscal year.
2. Management's response to significant recommendations of internal and independent auditors about the internal control structure. The SEC proposal defines "significant recommendations" as "reportable conditions" under SAS no. 60, Communication of Internal Control Structure Related Matters Noted in an Audit, and typically covered in a management letter.
3. Management's acknowledgement of its responsibilities for preparing the financial statements in accordance with generally accepted accounting principles and establishing and maintaining a system of internal control related to financial reporting.
The SEC also requested comment on whether it would be desirable to require independent auditors to attest to these assertions, but it did not put the attest requirement in its draft rule.
Response to the proposal. Although some specific requirements of the proposal received broad support from commentators, others were flatly rejected. For example, commentators generally supported the requirements for management to acknowledge its responsibilities for preparing GAAP financial statements and establishing and maintaining a system of internal control. But less than half agreed management should assess the effectiveness of its internal control structure and there was overwhelming opposition to the proposal that management respond to significant recommendations of internal and independent auditors. Respondents also were strongly opposed to a requirement that auditors attest to assertions in the management report. Commentators requested additional clarification from the SEC as to whether controls over interim reporting would be covered in the management report.
Proponents of the management report believe it will lead to improvement in corporate internal controls. However, some hold that public perceptions of such improvements--and perhaps the improvements themselves--depend on an auditor's attestation.
Despite the controversy, it appears the SEC will issue the rule substantially as written. Practitioners should be aware of challenges this will present.
CONSISTENT CRITERIA FOR EVALUATION
Critics of the recent SEC rule proposal pointed out that no consistent criteria had been established to evaluate the effectiveness of a company's internal control structure. The SEC was aware of this problem. A committee of the Treadway commission's sponsoring organizations assessed the criteria available to evaluate the effectiveness of an internal control system and concluded such criteria do not exist at present but will be necessary before management reasonably can be expected to evaluate the effectiveness of its internal control system in a way that's consistent with other companies' evaluations.
Following up on this problem, the Financial Executives Research Foundation (FERF) requested proposals from interested people and organizations to develop criteria for establishing and evaluating internal controls and guidelines for their implementation. The FERF's call for proposal included a definition of internal control encompassing accounting, management and operational controls. The FERF engaged Coopers & Lybrand in June 1989; the results of its research should be available November 1, 1990. Many management report preparers and their auditors expect to be able to refer to the resulting guidance in evaluating the effectiveness of their internal control structures. Of course, the SEC may embrace the FERF's guidelines and include them in its final rule.
THE CHALLENGES AHEAD
Public companies are obligated legally by the FCPA to maintain an effective system of internal control. The act requires the system to meet specified criteria on accountability for and safeguarding of assets and the authorization and recording of transactions. As noted, current management reports often acknowledge responsibilities that parallel the FCPA's requirements.
Today, only one public company in four includes a management report in its annual report. Therefore, if the SEC passes the management report rule, the financial reporting process for most public companies will be affected. Although the SEC's proposal doesn't set forth specific documentation requirements, management might develop additional documentation to support its assertions to the SEC. This means documentation of policies and procedures may have to be improved. Management also would need improved documentation if it chose to have its assertions examined by an auditor or was required to by the SEC.
Many companies believe the incremental cost of such documentation will outweigh any incremental benefits. This is especially true for the medium-sized and smaller public companies.
POTENTIAL EFFECTS ON AUDITORS
The auditing standards board of the AICPA has begun to address auditors' responsibilities in the event auditors are required to attest to management's assertions in the future. A glance at the auditor's current responsibilities shows why. There are two relevant statements in addition to SASs nos. 55 and 60--SAS no. 30, Reporting on Internal Accounting Control, and SAS no. 8, Other Information in Documents Containing Audited Financial Statements.
SAS no. 55 covers the independent auditor's responsibility for considering a company's internal control structure as part of an audit. The SAS requires an auditor to obtain an understanding of an entity's internal control structure sufficient to plan an audit. In obtaining this understanding, the auditor performs procedures to understand the relevant policies and procedures pertaining to each of the three internal control structure elements (control environment, accounting system and control procedures) and whether the policies and procedures have been placed in operation. But SAS no. 55 does not require the auditor to test the operating effectiveness of relevant control policies and procedures unless he or she intends to assess control risk below the maximum level. Thus, compliance with Statement no. 55 generally does not provide a sufficient basis for an opinion on management assertions about the effectiveness of an internal control system.
SAS no. 30 allows auditors to give an opinion on whether a system of internal controls is sufficient to meet the broad objective of prevention or detection of material errors or irregularities. However, the statement doesn't provide guidance to auditors in attesting to management's assertions about its internal controls. In practice, due to the relatively high costs and low demand by companies, SAS no. 30 reports rarely are issued on a company's entire internal control structure. Instead, they're issued on controls over specific aspects of a company's operation, in response to regulatory requirements or terms of agreements.
SAS no. 8 applies to situations in which management's report is included in a client-prepared report that also contains audited financial statements. The interpretation to SAS no. 8 specifically addresses management reports on internal accounting control, requiring the auditor "to read the report by management and consider whether it is materially inconsistent with information appearing in the financial statements." If the auditor discovers a material misstatement of fact, he should ask management to revise its report. If the management report isn't revised, the auditor should consider additional actions, such as revising the auditor's report to include an explanatory paragraph describing the matter, withholding the report or withdrawing from the engagement.
WILL COMPANIES ASK FOR AN ATTESTATION ANYWAY?
Many respondents to the SEC's proposal believe it presumes auditors can provide greater assurance about management's representations on its internal control structure than they can, in fact, reasonably be expected to do in a financial statement audit. The proposal says, ". . . the Commission believes that compliance with SASs nos. 55 and 60 coupled with the knowledge and information obtained during the conduct of other audit procedures, may make it more likely that the independent auditor will discover a material misstatement in management's statements in its report regarding internal controls. . . . While the auditor may not be able to detect all material misstatements in a management report, he should be in a position to recognize major design flaws and many situations where there are significant deficiencies in the operation of such controls." [Emphasis added.]
Many commentators believe the SEC's proposal conveys the message that if the auditor does not object explicitly to assertions in the management report, he is, in effect, providing comfort about these assertions. Unless these expectations about the auditor's responsibilities are removed from the SEC's proposal, auditors may conclude it's necessary to expressly disclaim any form of assurance on the management report. The authors anticipate many registrants will object to this type of disclaimer. Therefore, some clients may ask their auditors to review or examine the internal control structure to avoid such a disclaimer in the auditor's report.
If the SEC doesn't require it, why would some companies believe they need an auditor's attestation report? The companies that currently do include a management report in their annual report often feel no need to get their auditors' approval. Companies may think, because the SEC requires a management report, the public will attach more importance to the information. Thus, they may believe they should obtain an attestation report from their auditors as support for assertions made in the management report.
In anticipation of such client requests, the ASB is developing an attestation standard that's expected to include guidance on
1. Procedures to perform to support issuance of a report.
2. When to issue a report.
3. Form and content of the report.
A NEW ATTESTATION STANDARD
In developing this new attestation standard, the ASB is discussing four significant questions.
* Can the auditor provide both review and examination levels of assurance? The ASB's discussions have highlighted how difficult it is to differentiate procedures to be performed in a review engagement compared with examination procedures. The ASB agrees the extent of procedures performed in an examination should be greater than those performed in a review, but it has not reached a consensus on whether the nature of procedures should be different in an examination. If a clear distinction between the two types of services can't be developed, the ASB may decide to restrict the level of service to examinations.
* Should auditors engaged to review or examine management assertions about the effectiveness of its internal control structure have audited the entity's financial statements? The ASB tentatively believes the answer is no. However, the auditor would have to obtain adequate technical knowledge of the subject matter.
* If a registrant's management report extends beyond accounting controls and encompasses management and operating controls, should the auditor give an opinion on the effectiveness of these controls? Current attestation standards should enable auditors to expand their opinions on internal control to encompass these additional areas if management's assertions are measurable and can be evaluated against reasonable criteria. This is a huge "if." Many people believe assertions about the effectiveness of management and operating controls would be too subjective to be measured and evaluated.
* What matters would cause the auditor to issue something other than a standard report on his examination or review of management assertions about its internal controls? Under current attestation guidance, the ASB has identified these circumstances that would cause an auditor to modify the report:
1. A materially inaccurate statement exists in the management report (for example, an undisclosed material weakness).
2. There are scope limitations.
3. The opinion is based in part on the work of another practitioner.
4. A material weakness in the internal control structure occurs subsequent to the date, but before issuance, of management's report.
AN IDEA WHOSE TIME HAS COME
Financial statement users have a right to expect the statements present reliable information. Such information greatly depends on an effective internal control structure. The SEC's proposed rule would require public companies to include management's assessment of the effectiveness of the company's internal control in their annual reports. The SEC expects a required management report ultimately will increase the reliability of financial information made available to the public.
Management reporting on internal control may be an idea whose time has come. It was long in gestation and there are still recognized difficulties. But they're receiving the attention needed to resolve them.
MORTON B. SOLOMON, CPA, is partner in charge of professional auditing standards and international in the department of professional practice of KPMG Peat Marwick, New York. He serves on the American Institute of CPAs auditing standards board and its task force on reporting on internal controls and was a past member of the Financial Accounting Standards Board emerging issues task force. He is a member of the New York State Society of CPAs and the American Accounting Association. JOE R. COOPER, CPA, is a senior manager in the Jacksonville, Florida, office of KPMG Peat Marwick. He recently completed an assignment in the department of professional practice at KPMG Peat Marwick, New York. He is a member of the AICPA and the Florida Institute of CPAs.
|Author:||Cooper, Joe R.|
|Publication:||Journal of Accountancy|
|Date:||Jun 1, 1990|