Speech by SEC Staff:
The SEC's Internal Control Report Rules and Thoughts on the Sarbanes-Oxley Act

by

Scott A. Taub

Deputy Chief Accountant
U.S. Securities and Exchange Commission

University of Southern California Leventhal School of Accounting SEC and Financial Reporting Conference
Pasadena, California
May 29, 2003

Good morning. It's my pleasure to be here to address this audience, especially at such an important time in the history of accounting and financial reporting. You know, as I make that statement, it occurs to me that people speaking at these kinds of conferences have been using that "important time in the history of accounting" phrase for a long time. In fact, it was 1999 that Arthur Levitt, the former SEC Chairman, dubbed the "Year of the Accountant". Well, the year of the accountant has lasted 4 ½ years now, and shows no sign at all of ending anytime soon. I don't need to remind you of the things that have caused the focus on accounting, auditing, and financial reporting to continue to be so strong over the past few years.

While I have no desire to rehash the events of the past, there are plenty of current events that I can talk about. Luckily for me, I have both this speech and a panel discussion later to discuss those things. Right now, I'm going to focus on the significant rule-making that the Commission completed a couple of days ago to implement Section 404 of the Sarbanes-Oxley Act, on internal control evaluation and reporting. I will also try to give you a few thoughts about the Sarbanes-Oxley Act in general, now that most of the significant rules to implement it have been finalized. During the panel discussion, I'll try to alert you to some things that the SEC is looking at and get you up to date on various projects in the financial reporting area.

But before I do any of that, I need to remind you that my remarks are my own and do not necessarily reflect the views of the Commission, Commissioners, or other members of the Commission's staff.

Internal Control Evaluations and Monitoring

Section 404(a) of the Sarbanes-Oxley Act directs the Commission to adopt rules requiring each annual report filed by a company, other than a registered investment company, pursuant to Section 13(a) or 15(d) of the Exchange Act to include an internal control report from management containing: (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404(b) requires the registered public accounting firm that prepares the company's audit report to attest to, and report on, management's assessment of the effectiveness of the company's internal controls in accordance with standards established by the Public Company Accounting Oversight Board. On Tuesday of this week, the Commission approved the final rules relating to this section of the Act.

The potential impact of the requirements for both management and auditors to issue reports related to issuers' internal controls cannot be understated. We believe that the increased attention to internal controls on the part of the management will reduce the potential for errors in the financial statements, including those due to fraud. The attestation by the auditor will provide additional assurance in this regard, and, not trivially, should also increase the quality of audits. In fact, Congress made it clear that it considers the internal control attestation by the auditor to be important to the financial statement audit by prohibiting the attestation from being a separate engagement. I'm going to take a few minutes now to discuss some of the key points of the rules we finalized on Tuesday.

As I mentioned earlier, Section 404 of the Act requires the SEC to implement rules requiring management to assess the effectiveness of the company's internal controls over financial reporting. However, the Act does not specify a framework for making such an assessment. We had proposed a fairly open-ended rule that would have allowed management significant latitude in determining an appropriate framework to evaluate its internal controls against. However, a wide range of commenters requested more specificity in this area, with some even suggesting that we should mandate a specific framework. Amongst other reasons cited, they believed that doing so would ensure comparability; so that an assertion by management and an attestation by an auditor would mean the same thing from registrant to registrant. Essentially, commenters were concerned that requiring an evaluation of controls without specifying the criteria upon which to evaluate them would be like a requirement that financial statements be fair, without any GAAP on which to rely in evaluating fairness. We revised our proposal after considering these and other comments on this point, and the final rules specify that the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized, control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by the Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992. The COSO report is widely available.

It is important to remember that the report is to address not just the design of the controls, but also their operating effectiveness. Thus, some actual testing of controls will need to be performed by management. As you know, internal controls cover a wide range of areas, and there are many different kinds of controls. Therefore, it isn't possible to specify how management should test controls to evaluate their effectiveness. Rather, the nature of a company's testing activities will largely depend on the company's circumstances, the type of control involved, and the significance of such control to the company's financial reporting. It is perhaps important to note that, since management's report must speak to the effectiveness of the internal controls, not just their design, inquiry alone generally will not provide an adequate basis for management's assessment. Equally important to note is that, in developing its assessment of the effectiveness of internal control of financial reporting, a company must maintain evidential matter, including documentation, to provide reasonable support for such assessment. The final rules do not specify the level of testing or documentation, nor do they specify how management should consider any identified weaknesses, except to state that management is prohibited from concluding that the company's internal control over financial reporting is effective overall if there is a material weakness in internal controls, as that term is currently used in the auditing literature.

Our rule proposal suggested that management reports as to the effectiveness of internal controls would be required on a quarterly basis. However, we have come to believe since then that our estimates of the expense and effort required to comply with Section 404 were significantly too low. With the increased estimates of cost, we became convinced that the costs of a quarterly evaluation of the entire internal control structure were not justified by the benefits. Therefore, the full evaluation is required only annually, with material changes since the prior year-end or interim filing being evaluated on a quarterly basis.

One more significant change from our proposal is the effective date of the new rules. The rule proposal would have required management reports and auditor attestations in filings for periods ending on or after September 15, 2003. However, several factors caused us to defer the application of the provisions of the final rules until periods ending on or after June 15, 2004 for large US companies, and April 15, 2005 for smaller US companies and foreign companies. First, as I just mentioned, we became concerned about the cost and time it would take to properly implement these rules. Second, as I will discuss more in a minute or two, there has been significant uncertainty about the level of work required of management and auditors to comply with these rules, and that uncertainty has led to disagreements and friction between companies and their auditors. We were concerned that any implementation for calendar year 2003 would not leave sufficient time for companies and their auditors to resolve these differences constructively. Finally, we believe the deferral of the effective date will provide the Public Company Accounting Oversight Board with time to consider revisions to the current attestation standards regarding internal control. These revisions would clarify the issues leading to the friction between companies and their auditors, and improve the implementation of the new requirements.

Having described the reasons for the time extension on these rules, I want to offer some advice to public companies. If you have not yet started to prepare for the internal control evaluation, begin working on it immediately. The need to document the existing internal controls, consider whether other controls should be added, and design and perform tests of controls, indicates that a lot of time is necessary in order for management to be in a position to conclude as to the effectiveness of the company's internal controls over financial reporting. Please do not use the extension of the compliance date as a reason to relax, take your eye off the ball, or otherwise not make use of the extra time you've been given. We listened to your concerns about timing, and we believe we've done our part to ensure an effective and smooth implementation of the rules, which is in the best interests of investors. If you don't take advantage of this extra time to work on the implementation, you will not have done your part for investors.

Some of you may have already looked for the final release on our website; it isn't there, but it will be soon. In the release, we've tried to provide guidance to help answer some questions and resolve some concerns we've heard over the past few months. I'll try now to provide the SEC staff's thinking on a few of the more significant issues. These issues mainly revolve around defining the responsibilities of the company and the auditor and determining the amount of work that both the company and the auditor need to do to issue their respective reports.

First, the company. The company is responsible, and has been for quite some time under the Commission's rules, for designing and implementing a system of internal controls. In addition, as a matter of policy, we have previously stated that every public company needs to establish and maintain records of sufficient accuracy to ensure that transactions are appropriately recorded, the internal control system is effectively administrated, the financial statements are prepared in accordance with GAAP, and the financial statements can be audited. Given this, we believe that it should have been clear previously that documentation of internal controls is also required. In case it wasn't, the release reiterates that documenting controls is a management responsibility.

What is new in these rules, as far as management's responsibilities, is the requirement to evaluate the effectiveness of those controls and provide a report on that evaluation. In order to clarify that management must have a sufficient basis on which to evaluate controls, the new rules specify that the assessment of a company's internal control must be based on procedures sufficient both to evaluate the design of the controls and to test their operating effectiveness. Furthermore, the rules instruct a company to maintain evidential matter to provide reasonable support for management's conclusions regarding the effectiveness of the internal controls. To summarize what I've just said, the final release points out that design, evaluation, documentation, and testing of internal controls, as well as documentation of that testing are responsibilities of management. Therefore, the company cannot forgo the work to evaluate the effectiveness of controls under the theory that the auditors will do it anyway.

The Commission's independence rules would also prohibit the company from relying on its auditors to perform the evaluation of the effectiveness of internal controls. Such a situation would involve auditors taking on the role of management and/or attesting to their own work, neither of which is permissible under the independence rules. While complete reliance on external auditors is not appropriate, the independence rules do not prevent auditors from assisting management in other ways. An auditor may assist its client in many ways with the work required to comply with the rules implementing Section 404, but management must continue to make all final decisions, exercise its own judgment in performing the analysis, and be "in-charge" of the work being done. For example, providing software templates to help document controls or perform statistical sampling, noting areas where management might wish to improve controls, making suggestions to improve tests of controls, and many other roles would generally be acceptable roles for which a company might look to its auditor to fill. On the other hand, essentially "outsourcing" a major part of the work to the auditors would not be appropriate, nor would relying on the auditors to choose sample sizes, decide on tests to perform, or provide software that concludes as to the effectiveness of controls. Admittedly, determining the line between acceptable and unacceptable involvement by the auditors requires the exercise of judgment. Companies and their auditors should refer to our independence rules for further guidance. Those rules remain unchanged, a fact which is specifically noted in the 404 release.

While external auditors cannot make the initial evaluation and determination as to the effectiveness of internal controls, they are required to attest to management's assertion about the effectiveness of those controls. To do so, the auditing firm must perform enough work on internal controls to assure itself that 1) management has designed sufficient controls and put such controls in place, 2) management has performed sufficient testing to evaluate the effectiveness of those controls and 3) management's conclusion about the effectiveness of those controls is appropriate. The auditor will certainly need documentation of management's work in order to be able to complete its task, and may also need to reperform some of that work. The final rules do not specify the level of work that the auditor must do. Rather, the firm must determine the level of work to perform based on the attestation standards, the firm's knowledge of the company, and its experience and judgment. Much as with an opinion on financial statements, an auditor cannot be compelled to issue a report on internal controls if it is not satisfied with the procedures it has been able to perform.

Another issue has arisen in the past few months regarding the appropriate attestation standards that an auditor should consider. The current standards are codified in Section 501 of the AICPA's standards on attestation engagements. These standards have been adopted by the PCAOB as interim standards, and are therefore in force today. However, in mid-March, the auditing standards board of the AICPA put out an exposure draft of a standard that would have replaced the existing standards. The exposure draft suggests guidance for areas not covered by the existing standards, and, in general, would increase the amount of work to be done by the auditor. As the auditing standards board no longer has the authority to set auditing standards, the exposure draft will not result in a final rule that applies to public companies. However, I understand that the ASB intends to prepare information based on the exposure draft and the comments received and forward such information to the PCAOB, which does have the authority to change the current attestation standards. The PCAOB has indicated that it intends address the standards on internal control attestations in the relatively near future. It is our hope that the PCAOB can make the changes it deems necessary in time to allow the new standards to be used for attestations performed after June 15, 2004.

Sarbanes-Oxley Act: The Big Picture

Overall, the rules we passed Tuesday should do a lot of great things. I believe that they will cause improvements to internal control structures, strengthen audits, provide important information to investors, reduce the chances of material financial statement errors and irregularities, and, quite possibly, resolve the middle east conflict. Ok, maybe they won't accomplish that last one. And I'll tell you what else they won't do — they won't eliminate financial statement fraud. No rule can do that, because, as many have said over and over in the recent past, nobody can legislate ethics.

And that point about ethics is a nice segue into a discussion of what I consider to be the underlying message of the Sarbanes-Oxley Act. First, though — a question. I won't make you raise your hands, just answer the question in your mind. Who in this room believes their job is not significantly affected by the reforms of the Sarbanes-Oxley Act? If anybody thought "Me — I'm not affected", you're either in the wrong conference, you don't understand the Act entirely, or maybe you're the person working the sound and lights. I say that because the Act requires significant reform in all aspects of our financial reporting and disclosure system. A few examples:

In fact, I'm hard-pressed to think of anybody who I interact with in my professional life that isn't affected by this legislation. When all is said and done, the Commission will be required to complete at least 15 rulemaking projects, 7 studies and participate in the process of establishing an entirely new oversight system for auditors.

So, what does this all mean? An optimist would say that the fact all of these groups are touched by the Act is simply an indication that Congress believed improvements were possible in all areas of the financial reporting process. A pessimist might say that Congress believed none of us were doing our jobs and that we couldn't be trusted. Although I suspect the answer is somewhere in between those extremes, there's a fair amount of evidence that Congress didn't have much trust for some participants in the financial reporting community. But if you step back, there is one over-riding theme in all sections of the Act. And that is that all parties should act in the public interest. Keeping that in mind, it is easy to understand many of the provisions of the Act.

So, to me, that's what Sarbanes-Oxley is telling all of us in the financial reporting process — act in the public interest. If we act in the public interest, we will act with the ethics that most of us who joined the auditing profession believed were part of that profession when we joined it. We'll file financial statements that provide investors with the information they need to evaluate the company. We'll write accounting and auditing standards that focus only on providing the best work product possible under the circumstances. We'll enforce those standards in the way the best benefits the capital markets. In short, if we remember to act in the public interest, we'll get the right answer to most questions that we face in our careers. And that's the message I'd like to leave you with today. If you're having trouble understanding the new rules the SEC has passed, or applying an accounting standard, or figuring out whether to make an announcement about an event that has occurred, or any of a million other decision we all make every day, try to look at the situation from the point of view of the public markets, and that should point you in the right direction.