Washington, D.C.
Dec. 8, 2014
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC Staff.
Good morning.
As Dan [Murdock] mentioned, the OCA current projects panel is back this year. For those that recall remarks from prior years, I don´t think we have any update on views on whether bowling is a sport. But, we are happy to share our individual views on accounting, auditing, and internal control matters.
As we all know, the objective of internal control over financial reporting (ICFR) is to provide reasonable assurance regarding the reliability of financial reporting. So perhaps it´s fitting that I´m speaking first amongst us, as I will supplement Brian Croteau´s comments on ICFR from the previous panel. My focus will primarily be on certain aspects of evaluating control deficiencies. Some of these insights stem from the involvement OCA has had with the Division of Corporation Finance over the past year supporting the Disclosure Review Program.
In evaluating ICFR, the staff continues to believe that the top-down, risk-based approach described in the Commission Guidance is typically most effective at providing a reasonable basis for determining whether any material weaknesses exist.[i] This "top-down" focus can be important to helping ensure that sufficient considerations are made when identifying and describing a deficiency. Otherwise, in the case of identified misstatements, management might find itself focused too narrowly on information about what happened as opposed to considering more holistically what could happen in the context of current and evolving financial reporting risks. As an example, consider a company that identifies an immaterial prior period error in one revenue stream. The company is growing and entering into new lines of business, but has not employed sufficient resources in the finance department to keep up. Obviously, this raises questions about what other amounts or disclosures could be impacted by the lack of resources and how the Control Environment and Risk Assessment components of COSO had been evaluated.
Moving on, much of the dialogue we have with companies relates to deficiencies within the Control Activities component. For material weaknesses, as part of the disclosure, Commission Guidance states that
"companies should also consider providing disclosure that allows investors to understand the cause of the control deficiency."[ii]
This is important information because, among other things, it can aid investors in assessing the potential impact to the financial statements of a material weakness. I believe, however, that management needs to understand the cause of all control deficiencies. Otherwise, management is more likely to overlook the possibility that there is a deficiency in another COSO component that may already represent, or could otherwise be developing into, a material weakness.
While it is possible that some transaction-level control failures are isolated within the Control Activities component, the cause may often stem from a broader breakdown, and the nature of the deficiency will provide clues as to what that cause may be. For example, a company that describes a deficiency in the design of one or more Control Activities controls may receive a follow up request from the staff for information about how management considered the effectiveness of the Risk Assessment component. Likewise, a company that describes a deficiency in the operating effectiveness of one or more Control Activities controls may receive a follow up request from the staff for information about how management considered the effectiveness of the Monitoring Activities component.
Such determinations are, of course, fact- and circumstance-based and likely to vary from company to company based on the number of transaction-level deficiencies that exist, the nature of each deficiency, and the financial statement amounts or disclosures affected, among other factors. However, without understanding the cause of each identified deficiency, management may not be in a position to appropriately evaluate the effectiveness of each of the components of internal control. More broadly in this regard, I am hopeful that the improved organization and structure of COSO 2013 versus the 1992 version, through the use of principles and points of focus, leads to improved evaluations of the components outside of Control Activities.
Having just mentioned the relationship of the effective design of Control Activities controls to the Risk Assessment component, it might be helpful now to provide a reminder about a key point for identifying financial reporting risks.
As part of its ongoing assessment of "what could go wrong" within a financial reporting element, it is critical that management consider the nature and extent of any changes in the risks to reliable financial reporting. Such changes can result from a variety of sources, including company reorganization, nature of transactions entered into, overall business environment, and accounting requirements. A few recent examples of such events discussed with registrants in the comment process include:
Let me now move on to two important points that have come up in many of the recent ICFR comment processes stemming from immaterial error corrections: a fully and accurately defined control deficiency, and the potential misstatement resulting from the deficiency, which is sometimes referred to as "the could factor."
First, to be clear, an explanation of the accounting error that resulted from, or could result from, the deficiency, is important to understanding the nature of the deficiency. However, describing the accounting error is not the same as describing the control deficiency. Unfortunately, in initial responses to staff comments, and even in material weakness disclosures, we sometimes see statements that focus only on the error. Such statements may raise questions about management´s understanding of the implications of the deficiency and whether its severity was appropriately evaluated. Furthermore, investors might reasonably question how a company could remediate a control deficiency that it has failed to describe appropriately.
Factors that I have found helpful to consider in understanding and describing a deficiency include, but may not be limited to, the following:
Notably, in some instances, the company´s thought process evolves over the comment process and it appears that management may be properly evaluating the deficiencies for the first time during this process, as we see changes in conclusions regarding nature, component, impact, and cause of identified deficiencies. Undoubtedly, these types of determinations require judgment. However, to ensure that investors receive timely information about management´s assessment of ICFR, these determinations need to be contemporaneous.
Management evaluates the severity of a deficiency in ICFR by considering, in part, "the magnitude of the potential misstatement resulting from the deficiency or deficiencies."[v] Thus, the actual error is only the starting point and the potential impact should be considered as well. As with many aspects of the ICFR evaluation, careful consideration is required when evaluating "the could factor."
In spite of this, some companies we have discussions with initially appear to equate the actual error identified with the reasonably possible potential misstatement. They do so despite the fact that the control did not ultimately detect the error. Essentially, these companies are taking the position that had the error been a dollar more, either the control or a compensating control[vi] would have prevented or detected it in a timely manner. Taking such a position, however, requires an appropriate evaluation of whether the control operates at a level of precision to do so.
Considering the nature of the deficiency is an important next step in determining the magnitude of the potential misstatement. This requires considering the nature of the transactions and the amounts or total of transactions exposed to the deficiency. It also requires considering not only the current volume of activity exposed to the deficiency but also the volume of activity that is expected in future periods.[vii] Determining the activity exposed to the deficiency includes considering whether it could reasonably be expected to affect other accounts. For example, for a deficiency resulting in an asset classification error in accounting for a business combination, the magnitude of the potential misstatement would ordinarily include not only the balance sheet impact, but also the reasonably possible subsequent income statement impact from amortization or impairment.
So why are there sometimes struggles in this area? From my experience, it often starts with a company not fully and accurately describing the deficiency. This may lead to a superficial thinking about the cause of the deficiency based on the error itself. This is convenient given that management has generally just completed its materiality assessment for the error; however, this generally will not result in a full understanding of the limitations of the control and is unlikely to result in developing and implementing sufficient remediation.
Let me conclude here by mentioning that our recent focus on the impact of immaterial errors on ICFR through the Disclosure Review Program is not intended to be a "gotcha" exercise. In addition to satisfying disclosure obligations, these interactions are opportunities for registrants to properly identify and remediate deficiencies in order to avoid recurrence and reduce the risk of material misstatements.
Thank you for your time today.
[i] See Commission Guidance Regarding Management´s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Jun 27, 2007) ("Commission Guidance"), at 9-10, at http://www.sec.gov/rules/interp/2007/33-8810.pdf
[ii] See Commission Guidance, at 39.
[iii] See Commission Guidance, at 15, which states, "A deficiency in the design of ICFR exists when (a) necessary controls are missing or (b) existing controls are not properly designed so that, even if the control operates as designed, the financial reporting risks would not be addressed."
[iv] See Commission Guidance, at 30, which states, "Management evaluates the evidence it gathers to determine whether the operation of a control is effective. This evaluation considers whether the control operated as designed. It also considers matters such as how the control was applied, the consistency with which it was applied, and whether the person performing the control possesses the necessary authority and competence to perform the control effectively."
[v] See Commission Guidance, at 35.
[vi] For definition and discussion of compensating controls, see Commission Guidance, at 37.
[vii] See Commission Guidance, at 36.