Kohrman Jackson & Krantz :: SEC Issues Final Rules on Management’s Report on Internal Control over Financial Reporting

	Legal Developments

	Publications

	Archive

	Firm News

	Legal News

	Publications

	Legal Links

SEC Issues Final Rules on Management’s Report on Internal Control over Financial Reporting

The SEC has adopted final rules implementing Section 404 of the Sarbanes Oxley Act of 2002. Through new Item 308 to Regulations S-K and S-B, the final rules require a company’s annual report to include a report by management on the company’s “internal control over financial reporting.” The final rules also require a company’s auditors to attest to, and report on, management’s assessment of the company’s internal controls. The adopting release is available on the SEC’s website at www.sec.gov/rules/final/33-8238.htm.

The rules provide for an extended period for compliance. Companies that are “accelerated filers” (generally, companies that have equity market capitalization of more than $75 million and previously have filed an annual report with the SEC) must begin to comply with the new reporting requirements in annual reports for fiscal years ending on or after June 15, 2004. Other companies will not have to comply with the disclosure requirements until they file their annual reports for the fiscal year ending on or after April 15, 2005.

Internal Control over Financial Reporting

In adopting the final rules, the SEC concluded that the term “internal control over financial reporting” is more consistent with the terminology used in the auditing literature and better serves the objectives of the Sarbanes Oxley Act. The final rules define “internal control over financial reporting” to mean a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that:

Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;
Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
Provide reasonable assurance regarding prevention or timely detention of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.

The SEC acknowledged that there is substantial overlap between the “disclosure controls and procedures” adopted by the SEC in connection with the rules governing Section 302 certifications and “internal control over financial reporting.” The SEC emphasized that the former relates solely to assuring the timeliness, accuracy and completeness of Exchange Act filings, and that in most cases disclosure controls and procedures will not encompass all of the elements included in the definition of internal control over financial reporting.

Contents of Management’s Report

In each annual report, the company will be required to furnish an internal control report of management that contains the following four elements:

A statement of management’s responsibilities for establishing and maintaining adequate internal control over financial reporting.
A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting.
Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether or not the company’s internal control over financial reporting is effective. The assessment must disclose any material weakness in the company’s internal control over financial reporting. If management identifies one or more material weaknesses, management is not permitted to conclude that the company’s internal control over financial reporting is effective.
A statement that the auditor of the financial statements included in the company’s annual report has attested to, and reported on, management’s evaluation of the company’s internal control over financial reporting.

A company must identify the evaluation framework used by management to assess the effectiveness of the company’s internal control over financial reporting. The rules do not prescribe the use of a particular evaluation framework. However, the SEC has stated that the framework used must be “suitable” and “recognized.” The adopting release specifically states that the framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission meets those criteria, although the new rules do not mandate its use. COSO’s framework views the core elements of a control system as consisting of five interrelated components: the control environment, risk assessment, control activities, information and communications, and monitoring.

The internal control report must be filed as part of the company’s annual report on Form 10-K or 10-KSB. The rules do not specify where the internal control report must appear in the annual report. The SEC has indicated that the internal control report should be in close proximity to the auditor’s attestation report (as more fully described below). The SEC expects many companies will place the internal control report and auditor attestation reports near the MD&A disclosure or immediately preceding the financial statements.

Quarterly Evaluations

While a report on internal controls is required only on an annual basis, the rules require a company to evaluate and disclose any change in its internal control over financial reporting that occurred during the fiscal quarter covered by the quarterly report that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting.

Auditor Attestation and Report on Management’s Assessment

The final rules require that a company’s auditor both attest to, and report on, management’s assessment of the effectiveness of the company’s internal control over financial reporting. The rules require that the auditor’s report be filed as part of the company’s annual report. The auditor’s report will have to state either the auditor’s opinion as to whether management’s assessment of the effectiveness of the company’s internal control over financial reporting is fairly stated in all material respects, or include an opinion to the effect that an overall opinion cannot be expressed. If an overall opinion cannot be expressed, the auditor would have to explain why. The attestation report may be separate from the auditor’s report on the financial statements.

For more information regarding internal control over financial reporting and management’s report on internal control, please contract one of our securities attorneys.

Steven C. Bersticker
Christopher J. Hubbert
Connie S. Carr

Byron S. Krantz
Michele L. Hoza
Marc C. Krantz