Because the summer months can be hectic, we want to be sure you noticed the Section 404 interpretive guidance recently published by the SEC. The release provides a road map for management of public companies to follow when evaluating internal controls over financial reporting (ICFR) under the Sarbanes-Oxley Act of 2002 (SOX). You can find it on the SEC's web site at http://www.sec.gov/rules/interp/2007/33-8810.pdf.
The SEC addresses the wide-spread criticism of ICFR's complexity and costliness by providing a simplified, top-down, risk-based approach. The release emphasizes two broad principles. First, management's evaluation of ICFR should focus on whether the internal controls adequately address the risk that a material misstatement of financial statements would not be prevented or detected in a timely manner. Second, the type and form of evidence collected by management to document the operation of ICFR and assess ICFR's effectiveness should be based on management's assessment of risk.
To better understand the process laid out by the SEC in the release, we have broken the interpretive guidance into the following general steps:
- Specifically identify the risks to accurate financial reporting, based on your company's particular structure, operations and complexity.
- Design controls that either prevent or detect the specifically identified risks.
- Collect evidence based on the specifically identified risks to prove that controls have been identified, can be communicated to the responsible persons, are effective and can be monitored.
- Evaluate the effectiveness of controls using the evidence collected.
- Assess whether any deficiency, or group of deficiencies, uncovered by management's evaluation, presents a reasonable possibility that a material misstatement will not be prevented or detected (i.e., whether there is a material weakness).
Following the SEC's interpretive guidance provides a safe harbor from non-compliance with the ICFR requirements. This means that an ICFR assessment conducted by management according to the interpretive guidance satisfies the evaluation requirements of Section 404 of SOX.
On a related front, Auditing Standard No. 5 will replace the PCAOB's current ICFR standard beginning with fiscal years ending on November 15, 2007. This new standard simplifies the ICFR audit process and better aligns it with the interpretive guidance.
Now is the time to re-evaluate your ICFR policies and procedures to ensure compliance with the new guidelines and obtain the benefits of the safe harbor for fiscal 2007. This, of course, will require close coordination with your accountants.
As always, please contact us if you have any questions.