CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

Transcription

1 CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING All public companies either have begun or will soon begin a process, required under Section 404 of the Sarbanes-Oxley Act of 2002 ( SOX ), of reviewing their internal control over financial reporting. The purpose of this client alert is to provide (1) detail to assist companies in understanding this process and (2) information with respect to the auditor s role in the process and the auditor's procedures for performing the integrated audit of a company's internal control over financial reporting required under Section 404 of SOX. In early March 2004, the Public Company Accounting Oversight Board ( PCAOB ), pursuant to PCAOB Release No , adopted Auditing Standard No. 2, An Audit of Performed in Conjunction With an Audit of Financial Statements implementing the requirement in Section 404(b) of SOX that PCAOB-registered public company auditors perform integrated audits on publicly-traded companies to evaluate their internal control over financial reporting and attest to the accuracy of management reports on such internal control. Additionally, Auditing Standard No. 2 mandates that the auditors perform this integrated audit in conjunction with the audit of the company s financial statements. The objective of the internal control audit is for the outside auditor to obtain reasonable assurance that no material weaknesses exist in the company s internal control over financial reporting as of the company s fiscal year-end and that management has fairly evaluated the effectiveness of the company's internal control over financial reporting. EFFECTIVE DATE OF MANAGEMENT REPORTING REQUIREMENT Companies that are accelerated filers must include in their annual reports on Form 10-K for fiscal years ending on or after November 15, 2004, a management report on internal control over financial reporting and opinions of the company s outside auditor on the internal controls and management s assessment of the controls. Companies that are not accelerated filers must begin to comply with the internal control over financial reporting requirements in their annual reports for fiscal years ending on or after July 15, OUTSIDE AUDITOR MUST NOW ISSUE THREE OPINIONS, WHICH MUST APPEAR IN NO MORE THAN TWO REPORTS The outside auditor must now render three opinions in connection with the year-end financial statements: 1

2 An opinion on the financial statements; An opinion on whether management s assessment of the effectiveness of the company s internal control over financial reporting is fairly stated; and An opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the end of its fiscal year, based on the control criteria. These three opinions can be included in one report or the internal control opinions can be included in a separate report, provided the separate report makes reference to the outside auditor s report on the financial statements. DEFINITION OF INTERNAL CONTROL OVER FINANCIAL REPORTING Internal control over financial reporting is a framework incorporating processes designed to assure that transactions are booked properly initially and find their way to the appropriate place on the company s financial statements. Securities Exchange Act Rule 13a-15(f) defines internal control over financial reporting as a process: designed by, or under the supervision of, the registrant s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions involving the assets of the registrant; Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant s assets that could have a material effect on the financial statements. 2

3 CONTENT OF MANAGEMENT S REPORT Section 308 of Regulation S-K, promulgated under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended, requires that management s internal control report, to be included in the company's annual report, contain the following four parts: A statement of management s responsibility for establishing and maintaining adequate internal control over financial reporting for the company; A statement identifying the framework used by management to evaluate the effectiveness of this internal control over financial reporting; Management s assessment of the effectiveness of the company s internal control over financial reporting as of the end of the company s most recent fiscal year, including a statement as to whether its internal control over financial reporting is effective as well as disclosure of any material weakness in the company s internal control over financial reporting identified by management (the existence of a material weakness prevents management from concluding that the controls are effective); and A statement that the registered public accounting firm that audited the company s financial statements has issued an attestation report on management s assessment of the company s internal control over financial reporting. MANAGEMENT S RESPONSIBILITY FOR INTERNAL CONTROLS Management, and specifically the principal executive officer and the principal financial officer, has the responsibility to design and implement the company s system for internal control over financial reporting. The rules of the Securities and Exchange Commission ( SEC ) regarding auditor independence prohibit auditors from performing certain non-audit services for their audit clients. SEC Release No states that, while the company s independent auditor may assist management in providing some support for this process of design and implementation such as documenting internal controls, management must be actively involved in the process and cannot delegate its responsibility to assess its internal control over financial reporting to the auditor. FRAMEWORK FOR EVALUATING THE EFFECTIVENESS OF INTERNAL CONTROLS The rules require management s report to identify the evaluation framework management used to assess the effectiveness of the company s internal control over financial reporting. Management must base its evaluation of the effectiveness of the company s internal control over financial reporting on a suitable, recognized control framework established by a body or group that has followed due-process procedures, including the broad distribution of the framework for 3

4 public comment. The SEC suggests use of the framework established by the Committee of Sponsoring Organizations of the Treadway Commission ( COSO framework ), which was formed in 1985 by then SEC Commissioner James Treadway. The COSO framework satisfies the SEC s criteria and may be used as an evaluation framework for purposes of management s annual internal control evaluation and disclosure requirements, but use of the COSO framework is not specifically required. The COSO framework consists of the following five components: (i) control environment, (ii) risk assessment, (iii) control activities, (iv) information and communications systems, and (v) monitoring. NECESSARY DOCUMENTATION OF THE COMPANY S INTERNAL CONTROL OVER FINANCIAL REPORTING Management must support its evaluation of the effectiveness of the company s internal control over financial reporting with sufficient evidence, including documentation. PCAOB Auditing Standard No. 2 identifies certain items that should be included in the company s documentation as follows: The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. See Page 8 of this client alert for a description of "relevant assertions". The documentation should include the five components of internal control over financial reporting set forth in the COSO framework; Information about how significant transactions are initiated, authorized, recorded, processed and reported; Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur; Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties; and Controls designed to safeguard assets. The auditor must review this documentation to determine if management has made a proper assessment of the effectiveness of the company s internal controls. Auditors will use this review as part of their planning for what tests to use for the audit engagement. Inadequate documentation of the design of internal controls can be construed by the auditor as a simple deficiency, a significant deficiency, or a material weakness, or could represent a limitation on the scope of the audit of the company s internal control over financial reporting. 4

5 REPRESENTATIONS MANAGEMENT MUST MAKE IN ORDER TO OBTAIN A CLEAN OPINION The outside auditor cannot issue a clean opinion on the company s internal control over financial reporting unless management provides to the auditor written representations relating to, among other things: Management s responsibility for establishing and maintaining effective internal control over financial reporting; Management s acknowledgement that its assessment of the effectiveness of internal control over financial reporting was not based in any way on the outside auditor s audit of the internal controls; and Management s disclosure to the outside auditor of: All deficiencies in the design or operation of the company s internal control over financial reporting; Any identification of fraud that involved senior management or employees who had or have a significant role in the company s internal control over financial reporting; The resolution or other status of any internal control deficiencies identified and communicated to the Audit Committee during previous engagements; and Any changes in the company s internal control over financial reporting or other factors subsequent to the end of the fiscal year that might significantly affect internal control over financial reporting, including any corrective actions with regard to significant deficiencies and material weaknesses. If management refuses to provide the above representations, the outside auditor must either withdraw from the engagement or disclaim any opinion because of the limitation on the scope of the audit and must consider whether he or she can rely on management s representations made in connection with the audit of the company s financial statements. AUDIT COMMITTEE S RESPONSIBILITIES It is the responsibility of the Audit Committee to pre-approve any internal control-related service an outside auditor may perform in assisting in the design and implementation of the internal controls to ensure that these services will not impair the outside auditor s independence in performing the audit of the internal control over financial reporting. The Audit Committee is not required to design the processes of internal control over financial reporting, but it is required to effect the processes and become satisfied that they are working before it recommends that the company include its financial statements in its annual report on Form 10-K. The Audit 5

6 Committee should conduct meetings with management and the company s internal audit staff to review internal controls. THE OUTSIDE AUDITOR S ROLE The outside auditor must conduct an integrated audit of the internal control over financial reporting using the guidelines established in PCAOB Auditing Standard No. 2 to form opinions on management s assessment of the company s internal controls and on the effectiveness of such internal controls. The audit should consist of five steps: (i) evaluating management s internal control assessment process, (ii) obtaining an understanding of the overall design and operation of the controls, (iii) testing and evaluating the operating effectiveness of the controls, (iv) forming an opinion on the effectiveness of the controls and on remedial steps to address any deficiencies, and (v) reporting on the results of the audit of the controls. 1. Evaluating Management s Internal Control Assessment Process In evaluating management s assessment process, the auditor should determine the basis on which management reached its conclusion on the effectiveness of the internal controls. Auditors can use these evaluations in the planning of their work and in understanding the controls. The more extensive and reliable management s assessment and the accompanying documentation, the less extensive and costly the auditor s work is likely to be. 2. Obtaining an Understanding of the Overall Design and Operation of the Controls The auditor, through review of the documentation provided by management and personal interviews of company personnel, needs to understand the controls and ascertain whether they are operating properly. A. Review of the Audit Committee The auditor will interview the Audit Committee to determine its oversight responsibilities and how it performed these responsibilities. A weak or ineffective Audit Committee will be considered a strong indicator of a material weakness in the internal controls. The effectiveness of the Audit Committee as an overseer of the internal control process will be tested by the outside auditor examining at least the following: The independence of the Audit Committee members from management; The clarity with which the Audit Committee s responsibilities are articulated (for example, in the Audit Committee s charter); How well the Audit Committee and management understand those responsibilities; 6

7 The Audit Committee s involvement and interaction with the independent auditor and with internal auditors, as well as interaction with key members of financial management, including the chief financial officer and the chief accounting officer; and Whether the right questions are raised and pursued with management and the auditor, including questions that indicate an understanding of the critical accounting policies and judgmental accounting estimates, and the responsiveness to issues raised by the auditor. B. Walkthroughs PCAOB Auditing Standard No. 2 requires auditors to perform walkthroughs of the major classes of transactions that are part of the company s significant processes in each annual audit of internal control over financial reporting. The auditor, not relying on others, must be the one to perform the walkthrough. In a walkthrough, the auditor traces a transaction from origination through the company s information systems until it is reflected in the company s financial reports. Walkthroughs help the auditor to: Confirm the auditor s understanding of the process flow of transactions; Confirm the auditor s understanding of the design of controls identified for all five components of internal control over financial reporting, including those related to the prevention or detection of fraud; Confirm that the auditor s understanding of the process is complete by determining whether all points in the process at which misstatements related to each relevant financial statement assertion could occur have been identified; Evaluate the effectiveness of the design of controls; and Confirm whether controls have been placed in operation. The walkthrough should encompass the entire process of initiating, authorizing, recording, processing, and reporting individual transactions and controls for each of the significant classes of transactions identified, including controls intended to address the risk of fraud. During the walkthrough, at each point at which important processing procedures or controls occur, the auditor should question the company s personnel about their understanding of what is required by the company s prescribed procedures and controls and determine whether the procedures are performed as originally intended and on a timely basis. While performing the walkthrough, the auditor should also evaluate the quality of the evidence obtained. If significant changes in the process flow of transactions have occurred, the auditor should evaluate the nature of the changes and the 7

8 effect on related accounts to determine whether to walk through transactions that were processed both before and after the change. 3. Testing and Evaluating the Operating Effectiveness of Controls Testing involves a mix of interviews, observations, inspection of documents and other techniques to make a specific evaluation of whether controls are operating as intended. The auditor should test the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements. An account is considered significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, considering the risks of both overstatement and understatement. To determine which accounts are significant for purposes of the internal control audit, the auditor should begin by performing both a quantitative and qualitative evaluation of accounts at the financial-statement level. The factors to be considered include: Size and composition of the account; Susceptibility of loss due to errors or fraud; Volume of activity, complexity, and homogeneity of the individual transactions processed through the account; Nature of the account; Accounting and reporting complexities associated with the account; Exposure to losses represented by the account; Likelihood or possibility of significant contingent liabilities arising from the activities represented by the account; Existence of related party transactions in the account; and Changes from the prior period in account characteristics. Relevant assertions are assertions that have a meaningful bearing on whether the account is fairly stated. For each account determined to be significant, the auditor should determine the relevance of each of the following financial statement assertions: Existence or occurrence (Does the asset exist, or did the transaction occur?); Completeness (Has the company included all items of a particular type in the relevant account?); 8

9 Valuation or allocation (Has the asset in question been valued properly?); Rights and obligations (Does the company have the rights to the asset, or conversely, is the liability in question a proper obligation of the company?); and Presentation and disclosure (Are the amounts in the financial statements appropriately presented, and is there adequate disclosure about them?). In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate (i) the nature of the assertion, (ii) the volume of transactions, and (iii) the nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion. A. Use of Prior Year s Testing In performing the testing, the auditor may use last year s tests as additional information, but each audit must stand on its own. Therefore, the auditor should vary from year to year the nature, timing, and extent of testing of controls to introduce unpredictability into the testing and respond to changes in circumstances. B. Using the Work of Others In all internal control audits, the auditor must perform enough of the testing himself or herself so that the auditor s own work provides the principal evidence for the auditor s opinion. The auditor may use, to a certain extent, the work of others as long as it determines the information is trustworthy. For these purposes, the work of others includes relevant work performed by internal auditors, company personnel, and third parties working under the direction of management or the Audit Committee that provides information about the effectiveness of the internal controls. To rely on the work of others, the auditor should: Evaluate the nature of the controls subjected to the work of others; Relevant control-related factors include the materiality of the accounts and disclosures controlled; the degree of judgment involved in the evaluation of the control; the pervasiveness of the control; the level of judgment or estimation in the account or disclosure; and the potential for management override. Evaluate the competence and objectivity of the personnel who performed the work; and Test some of the work performed by others to evaluate the quality and effectiveness of their work. 9

10 4. Forming an Opinion on the Effectiveness of Internal Controls and on Remedial Steps to Address any Deficiencies All deficiencies, including material weaknesses, found by the auditor must be reported in writing to management. All significant deficiencies must be reported in writing to the Audit Committee but do not, in and of themselves, require the issuance of an unfavorable report. However, the existence of a material weakness does require the issuance of an unfavorable report (or a report agreeing with management, if management also identified the material weakness). PCAOB Auditing Standard No. 2 contains revised definitions of the following foundation terms that are crucial to this phase of the internal control audit: Internal Control Deficiency A deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Significant Deficiency A significant deficiency is a deficiency that adversely affects the company s ability to initiate, record, process, or externally report financial data reliably in accordance with Generally Accepted Accounting Principles. Alone or with other deficiencies, a significant deficiency results in more than a remote likelihood that a misstatement of the financial statements, that is more than inconsequential in amount, will not be prevented or detected. Material Weakness A material weakness is a significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. PCAOB Auditing Standard No. 2 identifies certain deficiencies that are always significant and are strong indicators of material weakness. These deficiencies include: Restatement of previously issued financial statements to reflect the correction of a misstatement; Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company s internal control over financial reporting (even if management subsequently corrects the misstatement); Ineffective oversight of the company s external financial reporting and internal control over financial reporting by the company s Audit Committee; The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies; 10

11 For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting; Identification of fraud of any magnitude on the part of senior management; Significant deficiencies that have been communicated to management and the Audit Committee remain uncorrected after some reasonable period of time; and An ineffective control environment. 5. Reporting on the Results of the Audit of Internal Controls As mentioned previously, the auditor s report must include two opinions regarding the audit of internal control over financial reporting: one on management s assessment and one on the effectiveness of internal control over financial reporting. PCAOB Auditing Standard No. 2 permits the auditor to express an unqualified opinion if the auditor has identified no material weaknesses in internal control over financial reporting after having performed all of the procedures that the auditor considers necessary under the circumstances. In the event the auditor cannot perform all of the procedures the auditor considers necessary under the circumstances, the auditor may either qualify or disclaim an opinion. PCAOB Auditing Standard No. 2 does allow a company to exclude an assessment of the internal control over financial reporting of a newly-acquired material business as long as management's report on such assessment discloses that fact and refers to the section in the annual report discussing the acquisition and the materiality level of the newly-acquired business. If an overall opinion cannot be expressed, PCAOB Auditing Standard No. 2 requires the auditor to explain why. PCAOB Auditing Standard No. 2 does not permit a qualified opinion in the event of a material weakness. In the event of a material weakness, the auditor could express an unqualified opinion on management s assessment, so long as management properly identified the material weakness and concluded in its assessment that internal control was not effective. If management did not detect the material weakness or if the auditor and management disagree about whether a material weakness exists, then the auditor would render an adverse opinion on management s 11

12 LOOKING AHEAD assessment. The report date must be the same as the date of the opinion on the financial statements. The audits of internal control over financial reporting will entail extra work for management and extra expense, particularly in the first year of implementation or when the company changes auditors. Auditors will be evaluating the effectiveness of the Audit Committee in their oversight of internal controls. A weak or ineffective Audit Committee is a strong indicator of a material weakness in the internal control over financial reporting, so the Audit Committee must exercise effective oversight. The SEC is cognizant of the cost to small companies, but is emphasizing that all public companies must have strong internal control over financial reporting so that their financial statements will be accurate, reliable and fair. This client alert is sent for the information of our clients and friends and covers only some of the many issues raised by Section 404 of the Sarbanes-Oxley Act. Please contact your T&K corporate/securities attorney if you would like to discuss this client alert or the application of Section 404 to your particular situation. Moreover, Fred W. Fulton ( ) and Thomas R. Lamme ( ) can provide assistance about these issues Thompson & Knight LLP 12