Fall 2007 issue of Horizons

GENERAL TOPICS

Revised 404 Guidance Based on Knowledge

On Dec. 20, 2006, the Securities and Exchange Commission and the Public Company Accounting Oversight Board issued for public comment their proposals for complying with Section 404 of the Sarbanes-Oxley Act (SOX). With these two proposals, both agencies expect compliance costs to decrease and the burden on smaller public companies to lessen. The proposals are a result of what has been learned over the past four years since the enactment of SOX and of input from the various groups and committees established to study the impact of SOX.

The revised guidance for Section 404 that the SEC and PCAOB independently issued rests on a premise that management and the auditor have knowledge of the risks inherent in the business and that they use that knowledge and experience to determine the scope of their respective work. Furthermore, management’s knowledge of and daily interaction with the controls could be a substitute for management’s testing.

SEC - Management’s Report on Internal Control Over Financial Reporting

The SEC proposed guidance for management’s assessment of internal controls over financial reporting (ICFR) emphasizes a process that is scalable for the smallest of public companies and is a risk-based approach for evaluating the design and evidence of operation of ICFR. Following are some of the principles emphasized by the proposed SEC guidance:

• Proposed rule for management regarding its evaluation of ICFR: “… make it clear that an evaluation that complies with the interpretive guidance is one way to satisfy the rules.”
  A first in the SOX generation! If a company complies with the guidance, it will have fulfilled its obligation under SEC regulations.

• Re-affirmation of the terminology “reasonable assurance”
  The expectation should not be that controls would be effective 100 percent of the time and that controls address all risks to the business. Rather, controls are designed to address the risk of material misstatement in financial reporting.

• Guidance assumes management has established and maintained a system of internal accounting controls as required by the Foreign Corrupt Practices Act of 1977
  Effective internal control is not a new concept; it was first addressed by the FCPA, and companies have implemented controls to address those basic requirements. The FCPA addresses the maintenance of “accounting controls,” which the SEC stated is consistent with the definition of ICFR.

• Guidance for evaluating the design and operating effectiveness of ICFR using a top-down, risk-based approach
  The risk of material misstatement over financial reporting should drive the design, evaluation and operating effectiveness of internal controls. Only those controls that address the risk of material misstatement need to be evaluated and compliance tested, and they should be directly linked to a financial statement assertion. In organizations with multiple locations, the degree of testing at each location should vary according to the respective risk associated with that location. Compliance testing should therefore be tailored for each specific location based on the risk and the expected reliance on entity-level controls.

winter 2007 issue
