Washington D.C.
Dec. 4, 2017
The Securities and Exchange Commission ("SEC" or "Commission") disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
I would like to speak to you today about the need for companies' internal control over financial reporting ("ICFR") to adapt to change and share my thoughts about ways to design effective controls. Members of the SEC staff have spoken frequently about the importance of effective ICFR both at this conference and in other forums. Our focus on ICFR is based on our experience, long recognized in our securities laws,[1] that management's ability to produce reliable financial information for investors depends, in part, on the effectiveness of the company's internal controls. However, we believe that there are benefits to approaching ICFR as more than just a compliance exercise. In addition to supporting reliable financial reporting, effective ICFR also promotes internal accountability and contributes to better information flows within the company which in turn can translate into greater investment efficiency and improved operating performance.[2]
A key feature of an effective system of internal control is its ability to adapt timely to changes that, if not addressed, may impact the company's ability to achieve its objectives. In the case of ICFR, the objective is defined, in part, as "to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP."[3] That ability to adapt is important because internal control that is effective within one set of conditions may not necessarily be effective when those conditions change significantly.[4] This concept is recognized in Principle #9 of the COSO Framework, which is a part of the risk assessment component of internal control. It directs companies to identify and assess changes that could significantly impact their system of internal control. The COSO Framework further explains that this can be accomplished, in part, by establishing a process to identify and assess those internal and external factors that can significantly affect the company's ability to achieve its objectives.[5] Furthermore, to the extent practicable, these mechanisms should be forward looking.[6]
One might ask, however, whether some companies sufficiently consider these adaptive mechanisms of Principle #9 in their ongoing risk assessment. This question arises, for example, when companies identify errors in their financial statements related to, so called, "significant, complex, or unusual transactions." In those circumstances, it is important for management, audit committees, and auditors to ask why the company was not prepared to appropriately account for the particular transaction in accordance with GAAP. I believe that a thorough response to this question might indicate that, in addition to deficiencies in process-level controls that directly contributed to the misstatements, there may also exist, and indeed might have existed for a while, underlying deficiencies in the company's risk assessment, including Principle #9, or other components of ICFR outside of control activities.[7] These underlying deficiencies may themselves represent material weaknesses.
Adoption of the new accounting standards for revenue, leases, and credit losses may be akin to a significant, complex, or unusual transaction for many companies and, like those transactions, it will put the design of companies' ICFR to test. I believe that, if effective, the adaptive mechanisms considered in Principle #9 of the COSO Framework should help companies appropriately prepare for the adoption of the new standards and support timely informative transition disclosures.[8] They may also help management timely identify areas that may require designing new or revising existing controls to adequately address risks of material misstatement. Therefore, as companies work through their adoption of the new standards, management and auditors may identify information relevant to their evaluation of the effectiveness of the company's existing risk assessment controls, including those described in Principle #9. If the evaluation identifies deficiencies that may affect the company's financial reporting in the current period (e.g., related to significant, complex, or unusual transactions during the period or transition disclosures for the new accounting standards), such deficiencies need to be evaluated as to their severity and communicated to the company's investors (if they rise to the level of a material weakness) or audit committee (if they represent significant deficiencies).
The need to reassess and possibly update internal controls in connection with the adoption of the new accounting standards has been a consistent theme of speeches and presentations by SEC staff over the past several years. We are aware that identifying relevant risks of material misstatement that may arise under the new accounting standards and designing appropriately responsive controls may not be an easy task. However, we believe that if done right, the foundation established will over time yield benefits of a more effective and efficient ICFR process.
Designing effective controls often requires significant judgment. This is particularly true with reference to complex controls that contain judgments related to management's review. And while judgment about the design of a control can never be eliminated,[9] I believe there are certain considerations that can provide a useful road map to thinking through the design of a control and documenting it. Some of these considerations include:
Making and documenting these and other relevant considerations about a control's design up-front has many potential benefits. Among others, it can facilitate consistent execution of the control over time. But it also has the potential to strengthen confidence in management's judgments about its controls when ICFR is assessed by external parties, including auditors.
That concludes my prepared remarks. Thank you for your kind attention.
[1] For example, in 1977, the Foreign Corrupt Practices Act added Section 13(b)(2) to the Securities Exchange Act of 1934 ("Exchange Act") to require all U.S. public companies to, among other things, devise and maintain a system of internal accounting controls sufficient to provide "reasonable assurances" that transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles ("GAAP").
[2] Recent academic studies show, among other things, that companies which remediate their control deficiencies experience increases in investment efficiency and in operating performance, suggesting that accounting information generated by effective ICFR is more useful for managerial decision-making. See, e.g., Cheng, M., Dhaliwal, D., Zhang, Y., Does Investment Efficiency Improve after the Disclosure of Material Weaknesses in Internal Control Over Financial Reporting? Journal of Accounting and Economics 56(1): 1–18 (2013); and Feng, M., Li, C., McVay, S., Skaife, H., Does Ineffective Internal Control Over Financial Reporting Affect a Firm's Operations? Evidence from Firms' Inventory Management, The Accounting Review 90: 529–557 (2015).
[3] Exchange Act Rules 13a-15(f) and 15d-15(f).
[4] See: Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework ("COSO Framework") (2013), at 83.
[5] Id.
[6] See COSO Framework, at 84.
[7] See Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release No. 33-8810 (June 20, 2007) [72 FR 35324 (June 27, 2007)], which states that "companies should also consider providing disclosure that allows investors to understand the cause of the control deficiency." Id. at 35333.
[8] See Staff Accounting Bulletin Topic 11.M, Disclosure of the Impact That Recently Issued Accounting Standards Will Have on the Financial Statements of the Registrant When Adopted in a Future Period.
[9] The COSO Framework recognizes that designing, implementing, and conducting internal control and assessing its effectiveness requires judgment. See COSO Framework, at 23.