When determining what type of report to issue on internal control under section 404:
Internal Control Deficiencies
The auditing literature describes the extremes of internal control deficiencies.
Management will find preparing the internal control report a challenge, particularly when there are internal control deficiencies. Whether they are part of senior management that signs the internal control report, or act as advisers, CPAs—in roles other than auditor—still are critical to assessing the reporting implications of such deficiencies. This article provides guidance to help CPAs effectively fulfill this role.
The SEC rules (www.sec.gov/rules/final.shtml, release no. 33-8238) require that the report a company files annually on its internal control systems contain the following elements:
The SEC rules do not prescribe specific language for these reports. Rather, the intent is that management will craft its report in a way that is most appropriate for the company’s unique circumstances. Exhibit 1 is a sample management report that contains the SEC-required elements. Exhibit 2 provides language that may be used when management has identified material weaknesses. As shown in exhibit 2, when a material weakness exists as of yearend, management is precluded from stating that internal control is effective.
Significantly, the SEC rules do not provide a definition of “material weakness.” Rather, they state that they cross-reference their rules to the definition that is provided in the auditing standards, as set by the Public Company Accounting Oversight Board (PCAOB). For this reason, CPAs working with senior management should have a working knowledge of the auditing standards if they are to be successful in helping to evaluate and report on internal control.
INTERNAL CONTROL DEFICIENCIES
A company’s financial reporting process must enable it to capture, record, process, summarize and report financial data. An internal control deficiency is a flaw in either the design or operation of a control policy or procedure that has a negative effect on this process. It is relatively easy to reach a consensus on deficiencies that lie toward either end of the spectrum (see “Internal Control Deficiencies”). For example, suppose a company had no procedures for counting its inventory of office supplies at yearend. Most people involved in the financial reporting process probably would agree this lack of a control procedure, which could result in a misstatement of office expenses, lies toward the far left—that is, inconsequential—of the continuum. On the other hand, suppose inventory is a significant financial statement line item but there are no policies or procedures to conduct a physical inventory count—ever. The company never has counted its inventory of goods available for sale. Again, it should be fairly easy to reach a consensus that this deficiency in procedures is toward the far right—material—of the continuum. Therefore, it is in the middle of the spectrum where borderline problems arise, giving rise to the question: At what point does a deficiency cross the line from inconsequential to significant and from there to material weakness? CPAs can help senior management answer this question by breaking it down into its component parts, namely:
Ultimately, the determination of the severity of an internal control flaw is based on the answers to both questions. As stated previously, it is the auditing literature that defines material weakness and describes its component parts. Exhibit 3 summarizes this guidance. As shown in the exhibit, a material weakness is a deficiency in which there is a likelihood (more than remote) that a significant (material) financial statement misstatement will not be prevented or detected on a timely basis.
CHANGES MADE BY THE NEW AUDITING RULES
Additionally, the new standard lists several circumstances, each of which is a strong indicator that a material weakness exists (see exhibit 4 for this list). Previous standards included no such list.
During the exposure period for the new standard, many CPAs expressed concern that the definition would require companies to designate and report more internal control weaknesses as material than they would have under the previous standard. As companies begin to file their internal control reports, it remains to be seen whether this concern will be realized.
WHAT TO DISCLOSE
The SEC reporting rules under Sarbanes-Oxley do not prescribe any different format or other requirements.
REPORTING AFTER MATERIAL WEAKNESS CORRECTIONS
The answer is “yes,” assuming the material weakness has been corrected and the new policy or procedure has been in place for a sufficient period of time and is operating effectively at yearend. Determining what constitutes a “sufficient period of time” will require the exercise of professional judgment. Matters to be considered when making this determination include the following.
Nature of the control objective. Some control objectives are transaction-oriented and narrowly focused, and have a direct effect on the financial statements—for example, a bank reconciliation and the matching of vendor invoices to an approved vendor list. Other control objectives are control-environment-oriented, affect the entity broadly and have only an indirect effect on the financial statements—for example, management’s philosophy and operating style and the entity’s hiring practices. In general, because of their indirect effect on the financial statements and their ability to influence the effectiveness of other controls, corrections to the control environment should be in place and demonstrating they are operating effectively for a much longer period of time than corrections to controls that are more transaction-oriented.
Nature of the correction. Some corrections may be programmed into the information-processing system to remedy a control deficiency. The company programs its system to generate an exception report. Assuming the entity has effective computer general controls, the computer performs the same task consistently for an indefinite period of time. Thus, the reprogrammed application may need to be operational for only a relatively short period of time before management can draw a reliable conclusion about its effectiveness. However, when a correction cannot be programmed but instead depends on the continued involvement of one or more persons, it should operate effectively for a longer period of time before management can reach a reliable conclusion. Unlike a computer application, the performance of a person might vary and must be proven to be correct over a longer period of time.
Frequency. Some control procedures are performed frequently—for example, the authentication of credit card information for all online customers who purchase goods. Other procedures are performed less frequently—for example, the review of period-end journal entries. When control procedures are performed frequently, it takes less time to have enough sample transactions to draw a reliable conclusion. For credit card authorization, the control procedure may be performed thousands of times in just a few days. On the other hand, if management’s review of journal entries is performed only once a month, the procedure may need to be in place for several months before there is enough evidence to assess its effectiveness.
Ultimately, taking steps to correct a control deficiency and then waiting a certain amount of time are not sufficient for management to conclude a problem no longer exists. New controls must be tested and the evidence from these tests must be sufficient to enable management to reach a conclusion about their effectiveness.
GET STARTED EARLY
What does section 404 require of management's internal control report?
The Sarbanes-Oxley Act requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404(b) requires a publicly-held company's auditor to attest to, and report on, management's assessment of its internal controls.
What is a 404a report?
Section 404(a) requires all companies, regardless of filing status, that file an annual report pursuant to Section 13(a) or 15(d) of the Securities and Exchange Act of 1934 (Exchange Act) to include a report on internal controls that states the responsibility of management for establishing and maintaining adequate ...
Who is responsible for the ensuring that internal reporting is accurate and complete under Section 404 of SOX?
Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (“ICFR”). Section 404(b) requires that an independent auditor attest to management's assessment of the effectiveness of those internal controls.
What are SOX 404 internal controls?
SOX controls, also known as SOX 404 controls, are rules that can prevent and detect errors in a company's financial reporting process. Internal controls are used to prevent or discover problems in organizational processes, ensuring the organization achieves its goals.