The Securities and Exchange Commission proposed on Wednesday to make rule changes to encourage financial managers to focus their internal controls assessments on “those controls that are needed to prevent or detect material misstatement in the financial statements.”
By injecting the notion of materiality — as well as a “risk-based” approach — into compliance with Section 404 of the Sarbanes-Oxley Act, the commission hopes to cure corporate executives of what Commissioner Paul Atkins calls an “obsessive-compulsive mentality” in checking for controls lapses.
Instead, the commission wants to steer companies toward a “top-down” approach to their assessments, based on broad principles and individual judgments, SEC officials said at an open meeting of the commission. The goal is to encourage managers to abandon a nit-picking, “bottom-up” compliance approach that has been exceedingly costly.
At the meeting, the commissioners voted unanimously to propose guidance for the interpretation of 404 rules; amend securities law to say that companies that follow the guidance will be in full compliance with 404; and trim down auditor reporting rules under the Sarbox provision.
Officials also said the SEC has synched up its moves with those of the Public Company Accounting Oversight Board, which is planning to propose a revamp of Accounting Standard No. 2 on December 19.
The commission plans to issue the actual proposal “as soon as possible,” the SEC said. Officials who worked on the plan said that it provides few specific examples. The reason, they added, is that a plethora of case studies would make the proposal — which is meant to be “scalable” to the needs of smaller companies — too prescriptive.
Up until now, corporate managements have lacked guidance about how to comply with Section 404, the sparely worded Sarbox provision that orders CFOs and chief executives to attest to the existence and effectiveness of their companies’ internal controls. For instruction on how to meet that mandate, finance executives have relied on AS2, the internal-controls guidance for auditors issued by the Public Company Accounting Oversight Board.
But AS2 provided corporate managers with little guidance about how to plan their controls assessments efficiently, according to Atkins. “Without materiality, this results in a bottom-up approach,” he added.
While AS2 might have benefited auditors, it has proved to be the bane of their clients, SEC Chairman Christopher Cox suggested. “This approach failed to recognize the difference between the types of procedures and documentation that are needed by those who are coming in from outside a company to audit and report on its internal control, as compared to the insiders who created the internal control system and interact with it on a daily basis,” he said.
The guidance proposed by the SEC would allow companies to tailor their 404 compliance efforts according to the size and complexity of their operations, according to the SEC chairman. That would benefit smaller companies, which have long argued that compliance with the internal controls provision is too costly for operations of their size.
Under the plan, for instance, managers of small companies could use their “ongoing daily interaction” with the business — such as information recorded in memos — as evidence to support their evaluation of their companies’ controls.
Smaller companies are likely to have “fewer layers of staff between controller and CFO” than bigger ones do, noted SEC Commissioner Roel Campos. Thus, the proposed guidance acknowledges that while bigger companies might need to hire outside help to evaluate their controls, “smaller ones can use management’s interaction with the company” as the basis for evaluation, he said.
Campos also said that under the proposal, risk assessment is “the single most critical factor in assessing the effectiveness” of controls. That, however, would represent little change from AS2, which urges auditors to use risk assessments to decide which controls to focus their efforts on.
The commissioners also voted in favor of a plan to clarify auditors’ responsibilities. Under 404 rules, auditors must file two audit opinions — one on management’s assessment of internal controls and the other on the effectiveness of the controls themselves. The SEC is proposing to revise the rule to require auditors to deliver just one opinion, on the effectiveness of controls. That opinion would include the auditor’s attestation to management’s controls assessment.
Previously, some auditors may have focused too much attention on assessing managers’ evaluations. The current “dual” opinion “is unnecessarily complex and may have caused confusion about the auditor’s responsibility in relation to management’s evaluation process,” said Cox.