Practical Implications of U.S. Requirements to Report on Internal Control

Andrew D. Bailey, Jr.
Deputy Chief Accountant: Professional Practice
U.S. Securities and Exchange Commission

October 2005



FEE Forum on Risk Management and Internal Control in the European Union

Brussels, Belgium

October 25, 2005


Disclaimer

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.


SEC SOX Related Initiatives

– Early Activities
    – PCAOB establishment
    – CEO and CFO certifications
    – Internal Control Reporting (404)
    – Codes of ethics for senior executives
    – Financial experts on audit committees
    – Retention of audit records
    – Stronger auditor independence standards
    – Prohibitions on improper influence of auditors
    – Standards for listed company audit committees


SEC and PCAOB Initiatives

– More Recent SEC and PCAOB Activity:
    – Internal control auditing and reporting (AS 2)
    – SEC 404 FAQ and PCAOB AS 2 Q&A including SEC Staff Comments follow-up to May 2005 Roundtable
    – Documentation (AS 3)
    – Rule 3102 Certain Terms
    – Elimination of a Material Weakness (AS 4)
    – Independence and Tax (Rules 35XX)
    – Stock Comp/Fair Value (PCAOB FAQ in process)


Related PCAOB Initiatives

PCAOB
– Engagement Quality Control
    – Second Partner Review
– Communications with the Audit Committee
– Financial Fraud
– Risk Assessment
– Related Party Transactions


404 and AS 2 – Year 1 and Beyond


The 404/AS 2 Industry

There is no question that the most influential and controversial activity occupying the Professional Practice Group’s time has been the implementation of the SEC’s 302 and 404 rules and its companion Audit Standard, AS 2.

– April SEC 404 Roundtable
– May SEC 404 Roundtable Follow-up


Management’s Assessment of Internal Control Under Section 404

– 404 requires management to assess the effectiveness of its internal controls over financial reporting
– Effective dates (for fiscal years ending on or after):
    – November 15, 2004 for Accelerated filers (45 day temporary postponement for certain filers)
    – July 15, 2006 for Non-Accelerated filers and foreign private issuers (9/21/05 extended to 7/15/07)


Current 404/AS 2 Activities

Current Activities Related to 404
– Evaluating feedback and next steps
– Monitoring reporting results
– Considering issues related to small business


Feedback on Implementation

– Request for Public Comment
    – Over 200 comment letters received
– Commission Roundtable April 13th
    – 54 participants
    – Representing issuers, auditors, investors, audit committees, among others
    – 6 panels focusing on different topics


Roundtable and Comment Letters
What We’ve Heard:

Benefits
– Promotes investor confidence
– Increased management focus on controls – impacting tone at the top
– Improved controls documentation
– Understanding throughout organization of importance of internal controls
– Identification of operating efficiency opportunities


Roundtable and Comment Letters
What We’ve Heard:

Costs
– Significant training efforts
– Deferred maintenance
    – Development of controls
    – Automation of controls
    – Integration of systems
    – Documentation of controls
– Auditor costs – greater than expected
– Opportunity costs


Roundtable and Comment Letters
What We’ve Heard:

Scope of Testing
– Call for more risk-based approach
– Need for more use of judgment
    – Assessing materiality and designing scope
    – Identifying “key” controls and significant accounts
– IT general computer controls / new systems
    – Extent of general computer controls testing
    – Testing and remediation of control deficiencies in new systems


Roundtable and Comment Letters
What We’ve Heard:

Using the Work of Management and Others
– Duplicated work efforts
– Call for ability to rely more on work of management and others
– Principal audit evidence


Roundtable and Comment Letters
What We’ve Heard:

Terminology and Definitions
– Difficulty and inconsistencies in applying:
    – Significant Deficiency
    – Material Weakness
    – More than a remote likelihood
    – More than inconsequential


Roundtable and Public Comments
What We’ve Heard:

Communications with Auditors
– Need to restore communication between auditors and issuers
– Additional guidance on potential auditor independence implications


Roundtable and Public Comments
What We’ve Heard:

Other
– Encourage use of judgment through the inspections process
– Request to indefinitely delay the final accelerated filing dates
– Fully integrate financial statement and internal control audits to achieve efficiency
– Desire to share best practices


Actions

Continuing Commitment to SOX 404
– Want to address unintended consequences while maintaining investor safeguards

Additional Guidance Posted 5-16-05
– SEC Commission Press Release and Staff Statement
– PCAOB Board Statement and Staff Q&A
– June SAG meeting devoted to AS2


What We’ve Done: SEC Staff Statement

– May 16, 2005 Staff Statement issued
    – Reasonable Assurance
    – Top-Down Approach / Risk-Based Assessments
    – Scope of Assessments
    – Timing of Management’s Testing
    – Evaluating Control Deficiencies
    – Disclosures About Material Weaknesses
    – Information Technology Issues
    – Communications with Auditors


SEC Staff Statement

Reasonable Assurance
– Level of assurance regarding the reliability of financial statements
– Reasonable assurance does not mean absolute assurance but it does mean a high level of assurance


SEC Staff Statement

– Top-Down / Risk Based Assessments
    – Focus should be on controls and accounts most likely to have a material impact on financial statements
    – Judgment should be used in identifying accounts and key controls to test
    – Resources should be devoted to areas of greatest risk
    – Audits should not be “check the box” exercises


SEC Staff Statement

– Scope of Assessments
    – Judgment should be used in identifying accounts and key controls to test
    – Judgment should be used in determining the extent of testing of key controls
    – Should relate to the risk of material misstatement in the annual, not interim financial statements


SEC Staff Statement

Timing of Management’s Testing
– Effective testing and assessment may be performed during the year
– Judgment must be used in determining additional testing required closer to year-end

Evaluating Control Deficiencies
– Judgment must be used in determining the severity of control deficiencies


SEC Staff Statement

Disclosures About Material Weaknesses
– The nature of the weakness
– The impact of the weakness on financial reporting
– Plans for remediating the weakness


SEC Staff Statement

Information Technology Issues
– Include relevant IT controls in the assessment (controls related to financial reporting)
– Judgment must be used in identifying IT controls to test
– Include IT upgrades and new systems in assessment


SEC Staff Statement

Communications with Auditors
– The chilling effect was an unintended consequence
– Auditors discussing and exchanging views with management does not in itself violate independence principles
– Judgment is required in ongoing dialogues with management


PCAOB Policy Statement and Staff Q&A’s

May 16, 2005 Guidance
– Audit Integration
– The use of Professional Judgment
– Top-down Approach / Risk-based Assessments
– Using the Work of Others
– Auditor Communications with Clients
– Additional Guidance Expected


Reporting Results So Far…

Through early July:
– 3,140 filings
– 419 (13.3%) received audit opinion indicating ineffective ICFR
    – Over 50% had revenues less than $500 million
    – Conversely, less than 10% had revenues greater than $1 billion


Reporting Results So Far…

Industry                                    Filed reports by industry    With MW (% of 419)
Manufacturing                               32%                          30%
Finance, Insurance, Real Estate             29%                          18%
Services                                    14%                          21%
Transportation, Communication, Utilities    12%                          10%
Wholesale and Retail Trade                  8%                           14%
Other                                       5%                           7%


419 Adverse Opinions
What types of issues did they have?

– Accounting Failures (GAAP) with respect to specific accounts (95%)
– Accounting documentation, policy and procedures (87%)
– Material or numerous auditor/year-end adjustments (46%)
– Accounting personnel resources, training/competency issues (40%)
– Restatement or non-reliance on financial statements (39%)


PCAOB Standard:
Elimination of Material Weaknesses

– Voluntary engagement
– Allows auditors to provide reasonable assurance that MW has been remediated
– Significant flexibility in how the auditors perform engagement
– PCAOB comment period ended May 16, 2005
– Board voted approval July 2005.
– SEC Comment period (TBD)
– SEC FAQ (TBD)


Small Business Concerns

Guidance from COSO – application for Small Businesses
– Expect to issue exposure draft this summer

Advisory Committee on Smaller Public Companies
– 404 Subcommittee
– Recommendations expected to be finalized end of September, to be approved by full committee in October


SEC Advisory Committee on Smaller Public Companies

Established December 2004 to examine the impact of Sarbanes-Oxley Act and other federal securities laws on smaller companies.

Agenda items include:
– Definition of “smaller public company”
– Consideration of Section 404 of SOA
– Corporate governance and disclosure
– Accounting standards
– Capital formation

http://www.sec.gov/info/smallbus/acspc.shtml


COSO Activities

– In January 2005, COSO announced a new project, Implementing the COSO Control Framework in Smaller Businesses
– Anticipate an exposure draft to be issued in the near future


Recent Commission Action

On September 21, 2005, the Commission extended for one additional year the compliance dates for non-accelerated filers ($75 million or less) and for Foreign Private Issuers that would qualify as non-accelerated filers to the fiscal year ending or after July 15, 2007.


Question and Answer Session