Skip to Content

Rule

Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 35310

AGENCY:

Securities and Exchange Commission.

ACTION:

Final rule.

SUMMARY:

We are adopting an amendment to our rules to clarify that an evaluation which complies with the Commission's interpretive guidance published in this issue of the Federal Register in Release No. 34-55929 is one way to satisfy the requirement for management to evaluate the effectiveness of the issuer's internal control over financial reporting. We are also amending our rules to define the term material weakness and to revise the requirements regarding the auditor's attestation report on the effectiveness of internal control over financial reporting. The amendments are intended to facilitate more effective and efficient evaluations of internal control over financial reporting by management and auditors.

DATES:

Effective Date: August 27, 2007, except the amendment to § 210.2-02T is effective from August 27, 2007 until June 30, 2009.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

N. Sean Harrison, Special Counsel, Division of Corporation Finance, at (202) 551-3430, or Josh K. Jones, Professional Accounting Fellow, Office of the Chief Accountant, at (202) 551-5300, U.S. Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549-6628.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

We are adopting amendments to Rules 13a-15(c),[1] 15d-15(c),[2] and 12b-2[3] under the Securities Exchange Act of 1934 (the “Exchange Act”),[4] Rules 1-02,[5] 2-02 [6] and 2-02T [7] of Regulation S-X,[8] and Item 308 of Regulations S-B and S-K.[9]

In a companion release issued in today's Federal Register, we are issuing interpretive guidance to assist companies of all sizes in completing top-down, risk-based evaluations of internal control over financial reporting.[10] In addition, we are issuing a release to request additional comment on the definition of the term “significant deficiency.” [11]

Table of Contents

I. Background

II. Discussion of Amendments

A. Exchange Act Rules 13a-15(c) and 15d-15(c)

1. Proposal

2. Comments on the Proposal

3. Final Rule

B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations S-B and S-K

1. Proposal

2. Comments on the Proposal

3. Final Rule

C. Definition of Material Weakness

1. Proposal

2. Comments on the Proposal

3. Final Rule

III. Transition Issues

IV. Background to Regulatory Analyses

V. Paperwork Reduction Act

VI. Cost-Benefit Analysis

VII. Effect on Efficiency, Competition and Capital Formation

VIII. Final Regulatory Flexibility Analysis

IX. Statutory Authority and Text of Rule Amendments

I. Background

In implementing Section 404(a) of the Sarbanes-Oxley Act of 2002 [12] (“Sarbanes-Oxley”), the Commission adopted amendments to Exchange Act Rules 13a-15 and 15d-15 to require companies, other than registered investment companies, to include in their annual reports filed pursuant to Section 13(a) or 15(d) [13] of the Exchange Act a report by management on the company's internal control over financial reporting (“ICFR”) and a registered public accounting firm's attestation report on ICFR. Rules 13a-15 and 15d-15 also require management of each company to evaluate the effectiveness, as of the end of each fiscal year, of the company's ICFR.[14]

On December 20, 2006, the Commission issued a proposing release that contained interpretive guidance for management (“Proposed Interpretive Guidance”) regarding its required evaluation of ICFR and amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) to make it clear that an evaluation conducted in accordance with the Proposed Interpretive Guidance was one way to satisfy the annual management evaluation required by those rules. In addition, we proposed amendments to Rule 2-02(f) of Regulation S-X to require that the registered public accounting firm's attestation report on ICFR express a single opinion directly on the effectiveness of ICFR, and to clarify the circumstances in which we would expect that the accountant cannot express an opinion on ICFR. We also proposed amendments to Rule 1-02(a)(2) of Regulation S-X to revise the definition of attestation report to conform it to the proposed changes to Rule 2-02(f).[15]

We received over 200 comment letters in response to our Proposing Release.[16] These letters came from corporations, professional associations, large and small accounting firms, law firms, consultants, academics, investors and other interested parties. Of these, approximately 70 respondents commented on the proposed rule amendments. We have reviewed and considered all of the comments that we received on the proposed rule amendments. The adopted rules reflect changes made in response to many of these comments. We discuss our conclusions with respect to each proposed rule amendment and the related comments in more detail throughout this release.

II. Discussion of Amendments

A. Exchange Act Rules 13a-15(c) and 15d-15(c)

1. Proposal

Exchange Act Rules 13a-15(c) and 15d-15(c) require the management of each issuer subject to the Exchange Act reporting requirements, other than a registered investment company, to evaluate the effectiveness of the issuer's ICFR as of the end of each fiscal year. We proposed to amend these rules to state that, although there are many different ways to conduct an evaluation of the effectiveness of ICFR, an evaluation conducted in accordance with the Proposed Interpretive Guidance would satisfy the evaluation requirement in those rules. Start Printed Page 35311

2. Comments on the Proposal

While many commenters supported the proposed amendments to Rules 13a-15 and 15d-15,[17] some expressed the view that although the guidance is appropriately principles-based, the nature of the requirements set forth in the Proposed Interpretive Guidance is not well-suited to the type of safe-harbor protection intended by the amendments.[18] For instance, three commenters suggested that the Proposed Interpretive Guidance does not contain specific, objective criteria that a company's management could use to demonstrate that its evaluation complies with the requirements of the Proposed Interpretive Guidance.[19] Consequently, two of these commenters went on to conclude that the amendments may eventually lead to the Interpretive Guidance being viewed as an exclusive evaluation approach. In light of these and similar concerns, one commenter suggested broadening the amended rule language to explicitly indicate that an evaluation provides a reasonable basis for management's ICFR assessment if it includes: (1) An identification of the risks that are reasonably likely to result in a material misstatement of the company's financial statements; (2) an evaluation of whether the company has placed controls in operation that are designed to address those risks; and (3) a risk-based process for gathering and evaluating evidence regarding the effective operation of those controls.[20]

One commenter opposed both the Proposed Interpretive Guidance and the proposed rule amendments and expressed the view that management will, as a result of the nature of the Proposed Interpretive Guidance, claim the protection afforded by the amendments for deficient evaluations.[21] Another commenter expressed the view that the proposed rule amendments could result in a “minimalist” attitude towards the internal control evaluation on the part of management.[22]

3. Final Rule

After consideration of the comments that we received, we have determined to adopt the amendments to Rules 13a-15(c) and 15d-15(c) as proposed. The amended rules state that there are many different ways to conduct an evaluation that will satisfy the evaluation requirement in the rules, and the Interpretive Guidance clearly states that compliance with the guidance is voluntary. Therefore, concerns that the amendments may cause confusion as to whether compliance with the Interpretive Guidance is mandatory or may result in an exclusive standard are unfounded. We understand that many companies already complying with the Section 404 requirements have established an ICFR evaluation process that may differ from the approach described in the Interpretive Guidance. There is no requirement for these companies to alter their procedures to align them with the Interpretive Guidance.

We have decided not to broaden the amended rule language to include factors to consider in determining whether alternative methods satisfy the standard primarily because we think this type of “broadening” may actually limit the potential universe of acceptable evaluation methods. For example, while we believe the Interpretive Guidance's top-down, risk-based approach will result in both effective and efficient evaluations of the effectiveness of ICFR, management may choose to establish an alternative evaluation approach. An alternative approach may be deemed preferable if it complements a company's existing quality improvement processes or enterprise risk management methodologies and still provides management with a reasonable basis for its assessment of ICFR effectiveness. Therefore, we do not think it is appropriate or necessary to mandate the approach set forth in the Interpretive Guidance.

Regarding the comments expressing concern that the principles-based nature of the Proposed Interpretive Guidance may not easily lend itself to the safe-harbor type provisions, we acknowledge that the amendments to Rules 13a-15 and 15d-15 are of a somewhat different nature from other safe-harbor provisions, which typically prescribe very specific conditions that must be met before a company or person may claim protection under the safe-harbor. Nonetheless, we believe establishing the Interpretive Guidance as one way to satisfactorily evaluate ICFR will serve the important purpose of communicating the objectives and requirements of the ICFR evaluation. Moreover, most commenters preferred that the guidance for conducting an evaluation of ICFR be issued on an interpretive basis rather than codified as a rule.[23] Accordingly, a direct reference in the rules to the Interpretive Guidance will help ensure that companies are aware of the guidance.

We are issuing the Interpretive Guidance, and taking a series of other steps, to improve and strengthen implementation of the ICFR requirements. Regardless of whether management uses the Interpretive Guidance, we remain committed to a strong implementation of the ICFR requirements and to ensuring that issuers perform a sufficient evaluation. As is currently the case, the sufficiency of an evaluation will be determined based on each issuer's particular facts and circumstances.

B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations S-B and S-K

1. Proposal

Rule 2-02(f) of Regulation S-X requires the registered public accounting firm's attestation report on management's assessment of ICFR to clearly state the “opinion of the accountant as to whether management's assessment of the effectiveness of the registrant's ICFR is fairly stated in all material respects.” The term “assessment” as used in Rule 2-02(f) refers to management's disclosure of its conclusion about the effectiveness of the company's ICFR, not the efficacy of the process followed by management to arrive at its conclusion. To more effectively communicate the auditor's responsibility in relation to management's assessment, we proposed to revise Rule 2-02(f) to require the auditor to express an opinion directly on the effectiveness of ICFR. We believe this opinion necessarily conveys whether the disclosure of management's assessment is fairly stated. In addition, we proposed revisions to Rule 2-02(f) to clarify the rare circumstances in which the accountant would be unable to express an opinion.

Start Printed Page 35312

We also proposed conforming revisions to the definition of attestation report in Rule 1-02(a)(2) of Regulation S-X. The PCAOB proposed a conforming revision to its auditing standard to reflect this revision as well.[24]

2. Comments on the Proposal

We received comments on the proposed revisions to Rules 1-02(a)(2) and 2-02(f) of Regulation S-X to require the expression of a single opinion directly on the effectiveness of ICFR by the auditor in the attestation report on ICFR. Those who commented on this proposed amendment were equally divided, with approximately one-half supporting the Commission's proposal to eliminate the auditor's opinion on management's assessment of the effectiveness of ICFR,[25] and the other half expressing the view that, although the reduction to one opinion by the auditor was preferable, the opinion retained would limit improvements in the efficiency of the 404 process.[26]

Commenters who supported the Commission's proposal believe that an auditor's opinion directly on the effectiveness of a company's ICFR provides investors with a higher level of assurance than the opinion only on management's assessment. These commenters also suggested that an audit opinion directly on the effectiveness of ICFR was a clearer expression of the scope of the auditor's work. However, those who opposed the Commission's proposal argued that an audit opinion directly on the effectiveness of ICFR would require duplicative, unnecessary and excessive testing by auditors and would therefore lead to higher audit costs.[27] These commenters suggested the auditor's work should be limited to evaluating management's assessment process and the testing performed by management and internal audit. They acknowledged that the auditor would need to test at least some controls directly in addition to evaluating and testing management's assessment process; however, they expected that the auditor's own testing could be significantly reduced from the scope required to render an opinion directly on the effectiveness of ICFR.[28] Additionally, commenters were concerned that the proposed rule change was in direct conflict with Section 404(b) of Sarbanes-Oxley, which explicitly calls for the auditor to issue an attestation report on management's assessment of the effectiveness of ICFR.[29]

In view of the proposal to require only one opinion by the auditor in its report on the effectiveness of a company's ICFR, commenters thought that continued references in Rules 1-02(a)(2) and 2-02(f) of Regulation S-X to an “attestation report on management's assessment of internal control over financial reporting” would be confusing.[30] These commenters suggested that we eliminate these references and refer to the auditor's report only as an “attestation report on internal control over financial reporting.”

3. Final Rule

After consideration of the comments, we have decided to adopt the proposed amendments to Rules 1-02(a)(2) and 2-02(f) of Regulation S-X to require the expression of a single opinion directly on the effectiveness of ICFR by the auditor in its attestation report on ICFR because it more effectively communicates the auditor's responsibility in relation to management's process and necessarily conveys whether management's assessment is fairly stated. In view of this decision, we agree with commenters that Rules 1-02(a)(2) and 2-02(f) of Regulation S-X will be clearer if they refer to the auditor's report as an “attestation report on internal control over financial reporting” rather than an “attestation report on management's assessment of internal control over financial reporting.” We, therefore, have made this change. We also have made conforming changes to Rule 2-02T of Regulation S-X and Item 308 of Regulations S-B and S-K.[31]

Despite the fact that the revised rules no longer require the auditor to separately express an opinion concerning management's assessment of the effectiveness of the company's ICFR, auditors currently are required under Auditing Standard No. 2 (“AS No. 2”),[32] and would continue to be required under the Proposed Auditing Standard, to evaluate whether management has included in its annual ICFR assessment report all of the disclosures required by Item 308 of Regulations S-B and S-K. Both AS No. 2 and the Proposed Auditing Standard would require the auditor to modify its audit report on the effectiveness of ICFR if the auditor determines that management's assessment of ICFR is not fairly stated. Consequently, the revisions are fully consistent with, and will continue to achieve, the objectives of Section 404(b) of Sarbanes-Oxley.

In considering the concerns raised by commenters about the scope of auditor testing that is required to render an opinion directly on the effectiveness of ICFR, the Commission believes that an auditing process that is restricted to evaluating what management has done would not necessarily provide the auditor with a sufficient level of assurance to render an independent opinion as to whether management's assessment (that is, conclusion) about the effectiveness of ICFR is correct. Moreover, the PCAOB's auditing standards with respect to a company's ICFR derive from both Section 103(a)(2)(A)(iii) and Section 404(b) of Sarbanes-Oxley. Section 404(b) of Sarbanes-Oxley requires the auditor to “attest to, and report on, the assessment made by the management of the issuer.” Section 103(a)(2)(A)(iii) of Sarbanes-Oxley requires that each audit report describe the scope of the auditor's testing of the internal control structure and procedures and present, among other information: (1) The findings of the auditor from such testing; (2) an evaluation of whether such internal control structure and procedures provide reasonable assurance that transactions are recorded as necessary to Start Printed Page 35313permit preparation of financial statements in accordance with generally accepted accounting principles; and (3) a description of material weaknesses in such internal controls.[33]

The Commission believes that an audit opinion directly on the effectiveness of ICFR is consistent with both Section 404 and Section 103 of Sarbanes-Oxley. Further, the Commission believes that the expression of a single opinion directly on the effectiveness of ICFR clarifies that an auditor is not responsible for issuing an opinion on management's process for evaluating ICFR.

C. Definition of Material Weakness

1. Proposal

The Proposed Interpretive Guidance defined a material weakness as a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis by the company's ICFR. Further, we indicated that the definition formulated in the proposal was intended to be consistent with its use in existing auditing literature and practice.[34]

2. Comments on the Proposal

Commenters expressed concern about differences between our proposed definition of material weakness and that proposed by the PCAOB in its Proposed Auditing Standard and requested that the two definitions be aligned.[35] Commenters also suggested that a single definition of material weakness be established for use by both auditors and management. They further thought that we should codify the definition in our rules.[36]

In addition, commenters pointed out that while the Proposed Interpretive Guidance referred to significant deficiencies, the Commission did not include a definition of significant deficiency within the Proposed Interpretive Guidance.[37] Despite the fact that the Proposed Interpretive Guidance did not include a definition of significant deficiency, commenters on this topic provided feedback about both the Commission's proposed definition of material weakness and the definition of significant deficiency as proposed by the PCAOB.[38] Certain commenters indicated that the Commission should include a definition of significant deficiency in the Interpretive Guidance.[39]

Commenters also provided feedback on the probability language in the definition of material weakness. Commenters expressing support for the “reasonable possibility” standard in the proposed definition [40] noted that this language improves the clarity of the existing definition and will reduce time spent evaluating deficiencies.[41] In contrast, other commenters felt that the probability standard should be changed.[42] These commenters noted that the meaning of “reasonably possible” was the same as “more than remote” and therefore would not reduce the effort devoted to identifying and analyzing deficiencies. Two of these commenters suggested the Commission use a “reasonable likelihood” standard,[43] and another suggested the Commission change to a “greater than fifty-percent” standard.[44] Commenters also requested additional guidance about how the concept of “materiality” impacted the definition.[45]

Most of the commenters who addressed the reference to interim financial statements in the definition of material weakness indicated that the word “interim” should be removed from the definition,[46] with only one commenter expressing the view that the reference to interim financial statements should remain in the definition.[47] Some commenters who suggested removal of “interim” expressed the view that because Section 404 of Sarbanes-Oxley mandates an annual assessment of ICFR, the deficiency evaluation should also be based on the impact to the annual financial statements. Others stated that the removal of “interim” would allow management and auditors to better focus on the annual financial statements when evaluating the materiality of control deficiencies.

3. Final Rule

After consideration of the comments received, we have determined that it is appropriate for the Commission's rules to include the definition of material weakness since it is an integral term associated with Sarbanes-Oxley and the Commission's implementing rules. Management's disclosure requirements with respect to ICFR are predicated upon the existence of a material weakness; therefore, we agree with the commenters' suggestion that our rules should define this term, rather than refer to auditing literature. As a result, we are amending Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to define the term material weakness.

We have decided to adopt the material weakness definition substantially as proposed. The Commission has determined that the proposed material weakness definition appropriately describes those conditions in ICFR that, if they exist, should be disclosed to investors and should preclude a conclusion that ICFR is effective. Therefore, our final rules define a material weakness as a Start Printed Page 35314deficiency, or a combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the registrant's annual or interim financial statements will not be prevented or detected on a timely basis.[48] We anticipate that the PCAOB's auditing standards will also include this definition of material weakness.

After consideration of the proposed alternatives to the “reasonable possibility” standard in the proposed definition of material weakness, we decided not to change the proposed standard. Revisions that have the effect of increasing the likelihood (that is, risk) of a material misstatement in a company's financial reports that can exist before being disclosed could give rise to questions about the meaning of a disclosure that ICFR is effective and whether the threshold for “reasonable assurance” is being lowered. Moreover, we do not believe improvements in efficiency arising from revisions to the likelihood element would be significant to the overall ICFR evaluation effort, due, in part, to our view that the effort evaluating deficiencies would be similar under the alternative standards (for example, “reasonable possibility” as compared to “reasonable likelihood”). Lastly, we do not believe the volume of material weakness disclosures, which has declined each year since the initial implementation of Section 404 of Sarbanes-Oxley, is too high such that investors would benefit from a reduction in disclosures that would result from a higher likelihood threshold.

Regarding the reference to interim financial statements in the definition of material weakness, while we believe annual materiality considerations are appropriate when making judgments about the nature and extent of evaluation procedures, we believe that the judgments about whether a control is adequately designed or operating effectively should consider the requirement to provide investors reliable annual and quarterly financial reports. Moreover, if management's annual evaluation identifies a deficiency that poses a reasonable possibility of a material misstatement in the company's quarterly reports, we believe management should disclose the deficiency to investors and not assess ICFR as effective. As such, we have not removed the reference to interim financial statements from the definition of material weakness.

In response to the comments regarding the need for the Commission to define the term “significant deficiency,” we are seeking additional comment on a definition of that term as part of a separate release issued in the Federal Register.

III. Transition Issues

Although the amendments to Rules 1-02 and 2-02 of Regulation S-X will no longer require the auditor to separately express an opinion concerning management's assessment of the effectiveness of the company's ICFR, audits conducted under AS No. 2 will continue to result in a separate opinion on management's assessment until the PCAOB's expected new auditing standard replacing AS No. 2 becomes effective and is required for all audits. Until such time, companies may file whichever report they receive from their independent auditor (that is, either one that contains both opinions under AS No. 2 or the single opinion under the expected new auditing standard).

IV. Background to Regulatory Analyses

Congress enacted the Sarbanes-Oxley Act in July 2002. Section 404 of the Act directed the Commission to prescribe rules requiring each issuer required to file an annual report under Section 13(a) or 15(d) of the Exchange Act [49] to prepare an internal control report. The only Exchange Act reporting companies that Congress exempted from the Section 404 requirements were investment companies registered under Section 8 of the Investment Company Act.[50]

To fulfill its statutory mandate, the Commission adopted rules in June 2003 to require all Exchange Act reporting companies other than registered investment companies, regardless of their size, to include in their annual reports a report of management, and an accompanying auditor's report, on the effectiveness of the company's internal control over financial reporting (“ICFR”).[51]

Although the Commission adopted rules in 2003 creating the obligation for all reporting companies to include ICFR reports in their annual reports, it provided a lengthy compliance period for non-accelerated filers, which are smaller public companies with a public float below $75 million.[52] Under the compliance dates that the Commission originally established, non-accelerated filers would not have become subject to the ICFR requirements until they filed an annual report for a fiscal year ending on or after April 15, 2005. In contrast, accelerated filers and large accelerated filers—companies with a public float of $75 million or more—became subject to the Section 404 requirements with respect to annual reports that they filed for fiscal years ending on or after November 15, 2004.

The Commission provided this lengthy compliance period for non-accelerated filers in light of both the substantial time and resources needed by accelerated filers to properly implement the rules. In addition, it believed that a corresponding benefit to investors would result from an extended transition period that allowed companies to carefully implement the new requirements. After each of the first two years accelerated-filers implemented the Section 404 requirements, the Commission held a roundtable discussion, and solicited comment on issues that arose during implementation.[53]

Since the initial extension period, the Commission has further extended the compliance dates for non-accelerated filers. The Commission adopted the most recent compliance date extension for non-accelerated filers in December 2006.[54] This extension was based, in part, on a recommendation from the Commission's Advisory Committee on Smaller Public Companies (“Advisory Committee”). In its Final Report, issued on April 23, 2006, the Advisory Committee raised a number of concerns regarding the ability of smaller companies to comply cost-effectively with the requirements of Section 404. The Advisory Committee identified as an overarching concern the difference in how smaller and larger public companies operate.

It focused in particular on three characteristics: (1) The limited number of personnel in smaller companies, which constrains the companies' ability to segregate conflicting duties; (2) top management's wider span of control and more direct channels of communication, which increase the risk of management override; and (3) the dynamic and evolving nature of smaller companies, which limits their ability to have static processes that are well-documented.[55]

Start Printed Page 35315

The Advisory Committee suggested that these characteristics create unique differences in how smaller companies achieve effective ICFR that may not be adequately accommodated in Auditing Standard No. 2 or other implementation guidance as currently applied in practice. In addition, the Advisory Committee noted serious ramifications for smaller public companies stemming from the cost of frequent documentation changes and sustained review and testing of controls perceived to be necessary to comply with the Section 404 requirements.

The Commission also granted the December 2006 extension in view of a series of actions that the Commission and the PCAOB each announced on May 17, 2006 that they intended to take to improve the implementation of the Section 404 requirements. These actions included:

  • Issuance of a Concept Release soliciting comment on a variety of issues that might be included in future Commission guidance for management to assist in its performance of a top-down, risk-based assessment of ICFR;
  • Consideration of additional guidance from COSO on understanding and applying the COSO framework; [56]
  • Revisions to Auditing Standard No. 2;
  • Reinforcement of auditor efficiency through PCAOB inspections and Commission oversight of the PCAOB's audit firm inspection program;
  • Development, or facilitation of development, of implementation guidance for auditors of smaller public companies; and
  • Continuation of PCAOB forums on auditing in the small business environment.

Pursuant to the most recent extension of the compliance dates, non-accelerated filers are scheduled to begin including a management report on ICFR in their annual reports filed for a fiscal year ending on or after December 15, 2007, and an auditor's report on ICFR for a fiscal year ending on or after December 15, 2008. It was our intention that non-accelerated filers would be able to complete their assessment of internal control without engaging an independent auditor during the first year. In addition, to eliminate second-guessing of management that might result from separating the management and auditor reports, the rules provide that the management report included in a non-accelerated filer's annual report during the first year of compliance is deemed to be “furnished” rather than “filed.” [57]

The December 2006 extension of the management report requirement was intended to provide the non-accelerated filers with the benefit of both the Commission's management guidance and the COSO guidance for smaller companies before planning and conducting their initial ICFR assessments. The extension of the auditor report requirement was intended to:

  • Afford non-accelerated filers and their auditors the benefit of anticipated changes to the PCAOB's Auditing Standard No. 2, and any implementation guidance issued by the PCAOB for auditors of non-accelerated filers;
  • Save non-accelerated filers the costs of the auditor attestation to, and report on, management's initial assessment of ICFR;
  • Enable management of non-accelerated filers to more gradually prepare for full compliance with the Section 404 requirements and to gain some efficiencies in the process of reviewing and evaluating the effectiveness of ICFR before becoming subject to the requirement that the auditor report on ICFR (and to permit investors to see and evaluate the results of management's first compliance efforts); and
  • Provide the Commission with the flexibility to consider any comments it received on the Concept Release and the proposed guidance for management in response to questions related to the appropriate role of the auditor in evaluating management's internal control assessment process.

On July 11, 2006, we issued a Concept Release to seek public comment on the issues to be addressed in our guidance for management on how to assess ICFR.[58] The Commission received approximately 167 comment letters in response to the Concept Release, a majority of which supported additional Commission guidance to management that is applicable to companies of all sizes and complexities. The Commission considered the feedback received in those comment letters in drafting its Interpretive Guidance.

In conjunction with issuance of the Interpretive Guidance, in this release we are adopting amendments to the existing requirements of Exchange Act Rules 13a-15(c) and 15d-15(c) that management of each company subject to the Exchange Act periodic reporting requirements evaluate, as of the end of each fiscal year, the effectiveness of the company's ICFR. The amendments state that an evaluation that complies with the Interpretive Guidance will satisfy the annual evaluation requirement in Rules 13a-15(c) and 15d-15(c).

We are also adopting amendments to Rules 1-02 and 2-02 of Regulation S-X, and Item 308 of Regulations S-B and S-K, to state that the company's auditor must express only one opinion on a company's ICFR. This is a direct opinion by the auditor on the effectiveness of the company's ICFR. Prior to the amendments, auditors expressed two separate opinions: one on the effectiveness of a company's ICFR and another on management's assessment of the effectiveness of the company's ICFR. Finally, we are adopting an amendment to Exchange Act Rule 12b-2, and a corresponding amendment to Rule 1-02 of Regulation S-X, to define the term material weakness.

V. Paperwork Reduction Act

Certain provisions of our ICFR requirements contain “collection of information” requirements within the meaning of the Paperwork Reduction Act of 1995 (“PRA”). We submitted these collections of information to the Office of Management and Budget (“OMB”) for review in accordance with the PRA and received approval for the collections of information. We do not believe the rule amendments in this release will impose any new recordkeeping or information collection requirements, or other collections of information requiring OMB's approval.

VI. Cost-Benefit Analysis

The rule amendments and the Interpretive Guidance that we are adopting are intended to facilitate more effective and efficient evaluations of ICFR by management and auditors. Rules 13a-15 and 15d-15, as initially adopted, and as amended, do not mandate any specific method for management to follow in performing an evaluation of ICFR. Instead, the rules recognize that the methods of conducting evaluations of ICFR will, and should, vary from company to company. Commenters have asserted that the lack of specific direction in Start Printed Page 35316either Section 404 of the Sarbanes-Oxley Act or the implementing rules on how management should conduct an evaluation of ICFR may have resulted in the auditing standards becoming the de facto standard for management's evaluation in many cases, which likely contributed to excessive documentation and testing of internal controls by management in initial compliance efforts.

The benefits and costs to investors of the rule amendments and Interpretive Guidance are directly related to the extent to which issuers choose to rely on the Interpretive Guidance. In part, this is because compliance is voluntary. In addition, companies already subject to the reporting requirement have gained some efficiencies in the evaluation process,[59] and other sources have provided guidance on how to conduct an ICFR evaluation.[60] The very purpose of the rule amendments and the Interpretive Guidance is to ease the compliance burden created by Section 404 of the Sarbanes-Oxley Act. Because of this, and because the use of Interpretive Guidance is voluntary, it is unlikely that it could result in additional incremental cost to issuers. Issuers that choose to use Interpretive Guidance will likely do so because it reduces their overall compliance burden.

A. Benefits

Our issuance of specific Interpretive Guidance for management on how to conduct an ICFR evaluation should significantly lessen the pressures on management to look to the auditing standards for guidance as to how to conduct its evaluation.[61] To the extent that these pressures have led to excessive testing and documentation in the past, the Interpretive Guidance and rule amendments should lead management to avoid excessive costs and aid them in determining the level of effort necessary to evaluate a company's ICFR.

The extent of the benefits of the rule amendments depends on a company's experience conducting an ICFR evaluation. As explained in the release setting forth the Interpretive Guidance, the effort necessary to conduct an initial evaluation of ICFR will vary depending on management's existing financial reporting risk assessment and control monitoring activities. After the first year of compliance, management's effort to identify financial reporting risks and controls should ordinarily be less because subsequent evaluations should be more focused on changes in risks and controls rather than identification of all financial reporting risks and the related controls. Further, in each subsequent year, the documentation of risks and controls will only need to be updated from the prior year or years, not recreated anew.

Through the risk and control identification process, management will have identified for testing only those controls that are needed to meet the objective of ICFR (that is, to provide reasonable assurance regarding the reliability of financial reporting) and for which evidence about their operation can be obtained most efficiently. The nature and extent of procedures implemented to evaluate whether those controls continue to operate effectively can be tailored to the company's unique circumstances, thereby avoiding unnecessary compliance costs.

In addressing a number of the commonly identified areas of concerns, the Interpretive Guidance:

  • Explains how to vary approaches for gathering evidence to support the evaluation based on risk assessments;
  • Explains the use of “daily interaction,” self-assessment, and other on-going monitoring activities as evidence in the evaluation;
  • Explains the purpose of documentation and how management has flexibility in approaches to documenting support for its assessment;
  • Provides management significant flexibility in making judgments regarding what constitutes adequate evidence in low-risk areas; and
  • Allows for management and the auditor to have different testing approaches.

The Interpretive Guidance is organized around two broad principles. The first principle is that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. The guidance describes a top-down, risk-based approach to this principle, including the role of entity-level controls in assessing financial reporting risks and the adequacy of controls. The guidance promotes efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement in its financial statements.

The second principle is that management's evaluation of evidence about the operation of its controls should be based on its assessment of risk. The guidance provides an approach for making risk-based judgments about the evidence needed for the evaluation. This allows management to align the nature and extent of its evaluation procedures with those areas of financial reporting that pose the highest risks to reliable financial reporting (that is, whether the financial statements are materially accurate). As a result, management may be able to use more efficient approaches to gathering evidence, such as self-assessments in low-risk areas, and perform more extensive testing in high-risk areas. By following these two principles, companies of all sizes and complexities will be able to implement the rules effectively and efficiently.

The Interpretive Guidance reiterates the Commission's position that management should bring its own experience and informed judgment to bear in order to design an evaluation process that meets the needs of its company and that provides a reasonable basis for its annual assessment of whether ICFR is effective. This allows management sufficient and appropriate flexibility to design such an evaluation process. Smaller public companies, which generally have less complex internal control systems than larger public companies, can scale and tailor their evaluation methods and procedures to fit their own facts and circumstances.[62] Applying the Interpretive Guidance may thus assist management of these companies in scaling and tailoring its evaluation methods and procedures to fit their own unique facts and circumstances in ways that may not be appropriate for larger companies with more complex internal control systems. Through the rule amendments, smaller companies can take advantage of the flexibility and scalability in Interpretive Guidance to conduct an evaluation of ICFR that is both efficient and effective at identifying material weaknesses.

By applying the principles set forth in the Interpretive Guidance, companies of all sizes and complexities will be able to comply with the rules more Start Printed Page 35317effectively and efficiently. The total benefit to investors of the Interpretive Guidance and rule amendments depends on the number of companies that implement these principles and the extent to which their practices under these principles depart from the principles and practices that they would otherwise follow.

Given that non-accelerated filers have not yet been required to conduct an evaluation of ICFR, their use of Interpretive Guidance in their first year of conducting an ICFR evaluation may enable them to avoid some of the initial compliance costs and efforts that were incurred by larger public companies during their early years of compliance with Section 404's requirements. In this respect, investors in non-accelerated filers may benefit more from the amended rules and Interpretive Guidance than investors in larger public companies that already have been required to conduct an evaluation.

The amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) provide for a non-exclusive safe-harbor in that they do not require management to follow the Interpretive Guidance, but still provide assurance to management regarding its compliance obligations. Some of the commenters on the Proposal questioned the benefits of these rule amendments. As noted earlier in this release, three commenters suggested that the Interpretive Guidance does not contain specific, objective criteria that a company's management could use to demonstrate that its evaluation complies with the requirements of the Interpretive Guidance.[63] The Office of Advocacy of the Small Business Administration also stated in its comment letter that some of the participants in a roundtable it hosted on the Section 404 requirements asked for more details as to how the safe harbor protection could be claimed and what type of liability protection it would afford.

The rule amendments are intended to provide those choosing to follow the Interpretive Guidance with greater clarity and transparency about their obligations relative to Section 404. For example, the amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) add a specific reference to the Interpretive Guidance in the rules and thereby make the guidance more visible and accessible to the managers of companies subject to the ICFR evaluation requirement. When a company's management relies on the Interpretive Guidance to conduct its evaluation, the company does not have to take any special action to “claim” the assurance provided by the rule amendments. In addition, the transparency of the guidance may benefit investors by reducing costly second-guessing about the sufficiency of management's evaluation raised by any party, including the company's independent auditor. The Interpretive Guidance is specific enough to enable a company to demonstrate that its management followed the principles set forth in the Interpretive Guidance in conducting its ICFR evaluation to gain the assurance afforded by these rule amendments.

The rule amendments encourage the use of the Interpretive Guidance because it advises management to focus on the controls that address the highest risk of material misstatement. This will benefit investors by reducing the amount of testing and documentation conducted by management and thus reducing the cost of compliance.[64] The rule amendments can remove obstacles by giving management clearer information about its obligations and by reducing undue pressures from auditors.

The Commission did not receive any comments on the dollar magnitude of the likely reduction in compliance costs from the rule amendments in connection with the Proposal. However, the Commission did receive historical estimates of total Section 404 compliance costs from the early years of adoption. These estimates were obtained from surveys of companies with a public float above $75 million in connection with our May 2006 Roundtable on Internal Control Reporting and Auditing Provisions. These historical estimates of the early compliance costs incurred by the relatively larger companies ranged from $860,000 to $5.4 million per company, depending on the survey.[65] The management cost that is the focus of the rule amendments appears to account for the majority of this estimate. One commenter indicated in its comment letter on the Proposal that it is especially important to reduce management costs, as these costs are the most significant costs associated with the Section 404 requirements, and can account for 70-75% of the total compliance costs.[66] Thus, even if the percentage decline in compliance cost under the rule amendment is small, companies and their investors could experience a substantial dollar benefit in terms of lower costs of compliance.

Commenters expressed the view that the rule amendments and Interpretive Guidance will result in more efficient and effective evaluations of internal control relative to what would otherwise occur. In commenting on the amendments, one commenter provided a quantitative estimate of the expected reduction in compliance costs. This commenter estimated that implementation of the Proposed Interpretive Guidance could result in a reduction in company compliance costs of approximately 10% in the first year of implementation (net of first year costs of implementation of the Interpretive Guidance). The commenter further estimated that implementation could result in an additional 15-20% cost reduction over costs incurred in the initial compliance year based on its own experience in conducting an evaluation of internal control and its assessment of the potential efficiencies to be gained from the Interpretive Guidance.[67] The available qualitative and quantitative evidence is consistent with our view that issuers will implement the Interpretive Guidance to the benefit of investors.[68]

We anticipate that the amendments to Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to define the term “material weakness” will benefit companies and investors. Companies will now be able to refer to the definition in the Commission rules requiring management to conduct an ICFR evaluation, rather than having to refer to the definition in the audit standard. We believe that the definition appropriately describes the ICFR conditions that, if they exist, should be disclosed to investors and preclude a conclusion that ICFR is effective.

Commenters suggested that the rule amendments and Proposed Interpretive Guidance will not significantly reduce costs as long as there are significant differences between our management guidance and the Proposed Auditing Start Printed Page 35318Standard.[69] To address these comments and enhance the benefit of the rule amendments, we coordinated with the PCAOB to align our Interpretive Guidance and the PCAOB's new auditing standard.

B. Costs

As stated above, the obligation for all companies, regardless of size, to comply with the ICFR requirements was established in 2002 when Congress directed the Commission to adopt rules to implement Section 404. The rule amendments and Interpretive Guidance are designed to reduce the burden of compliance with those requirements. The rule amendments and Interpretive Guidance do not impose any new compliance obligations on any reporting company. Because compliance with the Interpretive Guidance is voluntary, it is likely that companies and their management will choose to comply with the guidance only if they determine that the benefits exceed the costs.

Companies that have already completed one or more evaluations may choose to continue to use their existing procedures if they are satisfied with the effectiveness and efficiency of those procedures. Alternatively, a company that already has been complying with the ICFR requirements could choose to follow the Interpretive Guidance and to make adjustments to conform its evaluation procedures to the guidance. In that case, some commenters expressed the view that while changing from the current evaluation approaches to the top-down, risk-based approach laid out in the Interpretive Guidance could result in short-term cost increases, it would promote a cost-effective approach in the long-term.[70] It is reasonable to conclude that companies will not elect to follow the Interpretive Guidance if, from a cost standpoint, they determine that is not in their long-term interest to do so.

For smaller public companies that have not been required to comply with the ICFR requirements, the costs that they will incur are a direct result of the imposition by the Congress of the statutory requirements of Section 404 of the Sarbanes-Oxley Act on them. They may be able to reduce their first-time evaluation costs by using the Interpretive Guidance as compared to what those costs would have been.

The Interpretive Guidance advises management on how to conduct an efficient evaluation of ICFR, which could result in management doing less work, and therefore produce cost savings for the company. Those cost savings, however, could be offset if a company's auditor does not choose to use management's work to the same extent it did before, due to management choosing to follow the Interpretive Guidance and doing less work as a result.[71] Because use of the Interpretive Guidance is voluntary, it is reasonable to conclude that management would choose to reduce the extent and cost of its work only to the degree that it did not result in an increase in the overall costs of complying with Section 404, including auditor costs.[72] On the other hand, the rule amendments and Interpretive Guidance could increase the possibility that the auditor will, during the Section 404 audit, perform additional testing of internal controls beyond that which management performed in reliance on the Interpretive Guidance.[73]

VII. Effect on Efficiency, Competition and Capital Formation

Section 3(f) of the Exchange Act [74] requires the Commission, whenever it engages in rulemaking and is required to consider or determine if an action is necessary or appropriate in the public interest, also to consider whether the action will promote efficiency, competition, and capital formation. Section 23(a)(2) of the Exchange Act [75] also requires the Commission, when adopting rules under the Exchange Act, to consider the impact that any new rule would have on competition. In addition, Section 23(a)(2) prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.

The rule amendments and Interpretive Guidance will promote efficiency, and capital formation. The Interpretive Guidance and related rule amendments promote efficiency by allowing management to focus on those controls that are needed to adequately address the risk of a material misstatement of the company's financial statements. The guidance does not require management to identify every control in a process or to document the business practices affecting ICFR. Rather, management can focus its evaluation process and the documentation supporting the assessment on those controls that it determines adequately address the risk of a material misstatement of the financial statements.

One commenter expressed the view that the Section 404 requirements have provided significant benefits to investors and business by increasing the reliability of financial statements, strengthening internal controls, improving the efficiency of business operations and helping to reduce the risk of fraud.[76] To the extent that the rule amendments and Interpretive Guidance make the management evaluation process more efficient, these benefits can all be retained at a lower cost.

Under the Sarbanes-Oxley Act, all companies, except registered investment companies, are subject to the requirement to conduct an evaluation of their ICFR. Compliance with the amendments to Exchange Act Rules 13a-15 and 15d-15 and Interpretive Guidance, however, will be voluntary rather than mandatory and, as such, companies will be able to choose whether or not to follow the Interpretive Guidance. The amendments therefore will not impose any costs on companies that they do not choose to incur. Presumably, companies will only choose to rely on the Interpretive Guidance if they think that the benefits of using the guidance outweigh the costs.

The rule amendments will encourage use of the Interpretive Guidance and thereby increase the efficiency with respect to the effort and resources associated with an evaluation of internal control over financial reporting and facilitate more efficient allocation of resources within a company. The guidance is designed to be scalable depending on the size of the company, which should reduce the potential for internal control reporting requirements to impose a higher cost burden on smaller companies relative to revenues.

Capital formation may be promoted to the extent the cost of compliance with the evaluation requirement is lowered. Smaller private companies may be able to access public capital markets earlier in their growth and at lower cost.

We do not believe the rule amendments or the Interpretive Guidance will impact competition. One commenter was concerned that the Interpretive Guidance could become the Start Printed Page 35319exclusive method by which companies would conduct an evaluation of ICFR over time, and could discourage the development of future alternative evaluation frameworks.[77] However, the rules explicitly acknowledge that there are many different ways to conduct an evaluation and the Interpretive Guidance is not exclusive.

VIII. Final Regulatory Flexibility Analysis

This Final Regulatory Flexibility Analysis (“FRFA”) has been prepared in accordance with the Regulatory Flexibility Act.[78] This FRFA relates to amendments to Exchange Act Rules 13a-15(c), 15d-15(c), and 12b-2, Rules 1-02 and 2-02 of Regulation S-X, and Item 308 of Regulations S-B and S-K. These rules require the management of an Exchange Act reporting company, other than a registered investment company, to evaluate, as of the company's fiscal year-end, the effectiveness of the company's ICFR. Furthermore, these rules also require the public accounting firm that issues an audit report on the company's financial statements to attest to, and report on, management's assessment of the company's ICFR. We are amending these rules to: (1) Provide companies with the assurance that an evaluation that complies with our Interpretive Guidance will satisfy the annual management ICFR evaluation requirement; (2) require a company's auditor to express only one opinion on the effectiveness of the company's ICFR; and (3) define the term “material weakness.” An Initial Regulatory Flexibility Analysis was prepared in accordance with the Regulatory Flexibility Act and included in the release proposing these amendments.[79] The Proposing Release solicited comments on this analysis.

A. Need for the Amendments

The amendments are designed to facilitate more effective and efficient evaluations of ICFR by sanctioning the Interpretive Guidance as a method that can be used by management to conduct an ICFR evaluation. Companies already have a legal obligation to establish and maintain an adequate system of ICFR and to evaluate and report annually on those financial reporting controls. Our current rules do not prescribe a method or set of procedures for management to follow in performing an evaluation of ICFR. Commenters have asserted that the lack of direction in either Section 404 of the Sarbanes-Oxley Act or implementing rules on conducting this type of evaluation has led many companies to look to auditing standards as a guide to conducting the evaluation. This has likely contributed to excessive documentation and testing of ICFR.

While the rule amendments and Interpretive Guidance are designed to make ICFR evaluations by management more cost-effective for all reporting companies subject to the Section 404 requirements, they will be particularly useful to smaller public companies that have a public float below $75 million. These companies have not yet been required to comply with the Section 404 requirements. The rule amendments and Interpretive Guidance will encourage managements of smaller companies to scale and tailor their evaluation methods and procedures to fit their companies' own particular facts and circumstances.

B. Significant Issues Raised by Public Comments

In the Proposing Release, we requested comment on any aspect of the IRFA, including the number of small entities that would be affected by the proposed amendments, and the quantitative and qualitative nature of the impact. Commenters addressed several aspects of the proposed rule amendments and the Proposed Interpretive Guidance that could potentially affect small entities. They expressed concern that the proposed amendments would not provide certainty for management because the Proposed Interpretive Guidance was too vague, did not provide adequate guidance for small companies to scale their evaluation procedures, and was inconsistent with several aspects of the PCAOB's Proposed Auditing Standard.[80]

In response to these comments, including comments submitted by the Office of Advocacy of the Small Business Administration, we have coordinated with the PCAOB to harmonize the Interpretive Guidance and rule amendments with the proposed new auditing standard. We also have made revisions to our Proposed Interpretive Guidance to add clarity while still maintaining a principles-based approach. Other comments that we received are discussed below.

Smaller public companies and their investors could realize benefits from the rule amendments that, measured in proportion to their revenues, are greater than the benefits that would accrue to larger companies and their investors. This is because, as commenters on the Proposal and on previous Commission releases related to the Section 404 requirements pointed out, the burden of internal control reporting compliance costs is “disproportionately high” for smaller public companies compared to larger ones.[81] To the extent that Interpretive Guidance and the rule amendments reduce the cost of compliance with the requirements of Section 404, these cost savings will be disproportionately greater for smaller public companies and their investors.[82]

C. Small Entities Subject to the Final Amendments

The amendments will affect some issuers that are “small entities.” Exchange Act Rule 0-10(a) [83] defines an issuer, other than an investment company, to be a “small business” or “small organization” if it had total assets of $5 million or less on the last day of its most recent fiscal year. We estimate that there are approximately 1,110 issuers, other than investment companies, that may be considered small entities. The amendments will apply to any small entity, other than a registered investment company, that is subject to Exchange Act reporting requirements.

Overall, approximately 6,000 smaller public companies that are subject to the Exchange Act reporting requirements, but have a public float below $75 million, will be required to comply with these requirements for the first time in their annual reports for fiscal years ending on or after December 15, 2007. The Interpretive Guidance and rule amendments are intended to reduce the cost of compliance for these companies. Overall, more than half of the reporting companies subject to the Section 404 requirements are smaller public companies that should benefit from the rule amendments and Interpretive Guidance.

D. Reporting, Recordkeeping, and Other Compliance Requirements

The rule amendments and Interpretive Guidance are designed to alleviate reporting and compliance burdens. They do not impose any new Start Printed Page 35320reporting, recordkeeping or compliance requirements on small entities. The amendments are designed to make compliance with existing requirements more efficient. Many factors contribute to the cost of compliance, including the size and complexity of the company and the rigor of its controls. The degree to which the rule amendments will reduce compliance costs will depend on these factors and on the company's prior experience and access to information about alternative methods of compliance with the Section 404 requirements. Therefore, it is difficult to quantify the benefits of the amendments for small entities.

E. Agency Action To Minimize Effect on Small Entities

The Regulatory Flexibility Act directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. In connection with the rule amendments and Interpretive Guidance, we considered alternatives, including establishing different compliance or reporting requirements that take into account the resources available to small entities, clarifying or simplifying compliance and reporting requirements under the rules for small entities, using design rather than performance standards, and exempting small entities from all or part of the Interpretive Guidance and rule amendments.

Regarding the first alternative, the Commission has effectively established different compliance requirements for smaller entities by making the Interpretive Guidance scalable in order to take into account the resources available to smaller public companies, including those that are small entities. Regarding the second alternative, the Interpretive Guidance and rule amendments clarify and simplify the Section 404 reporting requirements for all reporting companies, including small entities. The final rules create a principles-based set of guidelines for management that will produce more effective and efficient evaluations of ICFR for small entities, as well as other reporting companies subject to the Section 404 requirements.

The Interpretive Guidance describes a top-down, risk-based approach to evaluating ICFR. It promotes efficiency for companies of all sizes by allowing management to focus its efforts on those controls that are needed to adequately address the risk of a material misstatement in a company's financial statements.

Regarding the third alternative, the rule amendments and Interpretive Guidance set forth primarily performance rather than design standards, in particular to aid the management of non-accelerated filers (including small entities) in conducting an evaluation of ICFR. The amendments provide assurance that compliance with the Interpretive Guidance will satisfy the management evaluation requirement in Exchange Act Rules 13a-15 and 15d-15. The rule amendments and Interpretive Guidance afford companies choosing to follow the Interpretive Guidance considerable flexibility to scale and tailor their evaluation methods to fit the particular circumstances of the company. This flexibility is especially beneficial to non-accelerated filers (including small entities).

For example, in many smaller companies senior management is more involved in the day-to-day operations of the company. The Interpretive Guidance describes how management's daily interaction, as well as other forms of on-going monitoring activities, can provide evidence in the evaluation process. This flexibility should enable smaller companies to keep costs of compliance with the management evaluation requirement as low as possible.

The rule amendments explicitly state that a company's management does not need to comply with the Interpretive Guidance. The amendments provide assurance, however, to a company choosing to follow the guidance that it has satisfied management's obligation to conduct an evaluation of internal control in an appropriate manner. Small entities should be able to reduce the amount of testing and documentation by relying on the Interpretive Guidance rather than auditing standards to plan and conduct their evaluations of ICFR.

Regarding the final alternative, we believe that an exclusion of small entities from the Interpretive Guidance and the rule amendments would discourage small entities from using the principles-based Interpretive Guidance and would be inconsistent with our goal of developing a more effective and flexible ICFR evaluation process that is scaled and tailored to meet the small entity's particular circumstances.

IX. Statutory Authority and Text of Rule Amendments

The amendments described in this release are being adopted under the authority set forth in Sections 12, 13, 15, 23 of the Exchange Act, and Sections 3(a) and 404 of the Sarbanes-Oxley Act.

Start List of Subjects

List of Subjects

, 229 and 240

End List of Subjects

Text of Amendments

Start Amendment Part

For the reasons set out in the preamble, the Commission amends title 17, chapter II, of the Code of Federal Regulations as follows:

End Amendment Part Start Part

PART 210—FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY POLICY AND CONSERVATION ACT OF 1975

End Part Start Amendment Part

1. The authority citation for part 210 continues to read as follows:

End Amendment Part Start Authority

Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 78c, 78j-1, 78 l, 78m, 78n, 78o(d), 78q, 78u-5, 78w(a), 78 ll, 78mm, 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-37(a), 80b-3, 80b-11, 7202 and 7262, unless otherwise noted.

End Authority Start Amendment Part

2. Amend § 210.1-02 by:

End Amendment Part Start Amendment Part

a. revising paragraph (a)(2);

End Amendment Part Start Amendment Part

b. redesignating paragraphs (p) through (bb) as paragraphs (q) through (cc); and

End Amendment Part Start Amendment Part

c. adding new paragraph (p).

End Amendment Part

The revision and additions read as follows:

Definition of terms used in Regulation S-X (17 CFR part 210).
* * * * *

(a) * * *

(2) Attestation report on internal control over financial reporting. The term attestation report on internal control over financial reporting means a report in which a registered public accounting firm expresses an opinion, either unqualified or adverse, as to whether the registrant maintained, in all material respects, effective internal control over financial reporting (as defined in § 240.13a-15(f) or 240.15d-15(f) of this chapter), except in the rare circumstance of a scope limitation that cannot be overcome by the registrant or the registered public accounting firm which would result in the accounting firm disclaiming an opinion.

* * * * *

(p) Material weakness. The term material weakness is a deficiency, or a Start Printed Page 35321combination of deficiencies, in internal control over financial reporting (as defined in § 240.13a-15(f) or 240.15d-15(f) of this chapter) such that there is a reasonable possibility that a material misstatement of the registrant's annual or interim financial statements will not be prevented or detected on a timely basis.

* * * * *
Start Amendment Part

3. Amend § 210.2-02 by revising paragraph (f) to read as follows:

End Amendment Part
Accountants' reports and attestation reports.
* * * * *

(f) Attestation report on internal control over financial reporting. Every registered public accounting firm that issues or prepares an accountant's report for a registrant, other than an investment company registered under section 8 of the Investment Company Act of 1940 (15 U.S.C. 80a-8), that is included in an annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.) containing an assessment by management of the effectiveness of the registrant's internal control over financial reporting must clearly state the opinion of the accountant, either unqualified or adverse, as to whether the registrant maintained, in all material respects, effective internal control over financial reporting, except in the rare circumstance of a scope limitation that cannot be overcome by the registrant or the registered public accounting firm which would result in the accounting firm disclaiming an opinion. The attestation report on internal control over financial reporting shall be dated, signed manually, identify the period covered by the report and indicate that the accountant has audited the effectiveness of internal control over financial reporting. The attestation report on internal control over financial reporting may be separate from the accountant's report.

* * * * *
Start Amendment Part

4. Amend § 210.2-02T by revising the section heading to read as follows:

End Amendment Part
Accountants' reports and attestation reports on internal control over financial reporting.
* * * * *
Start Part

PART 228—INTEGRATED DISCLOSURE FOR SMALL BUSINESS ISSUERS

End Part Start Amendment Part

5. The authority citation for part 228 continues to read, in part, as follows:

End Amendment Part Start Authority

Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn, 77sss, 78l, 78m, 78n, 78o, 78u-5, 78w, 78ll, 78mm, 80a-8, 80a-29, 80a-30, 80a-37, 80b-11, and 7201 et seq.; and 18 U.S.C. 1350.

End Authority
* * * * *
Start Amendment Part

6. Amend § 228.308 by revising paragraphs (a)(4) and (b) to read as follows:

End Amendment Part
(Item 308) Internal control over financial reporting.

(a) * * *

(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on the small business issuer's internal control over financial reporting.

(b) Attestation report of the registered public accounting firm. Provide the registered public accounting firm's attestation report on the small business issuer's internal control over financial reporting in the small business issuer's annual report containing the disclosure required by this Item.

* * * * *
Start Part

PART 229—STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975—REGULATION S-K

End Part Start Amendment Part

7. The authority citation for part 229 continues to read, in part, as follows:

End Amendment Part Start Authority

Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77nnn, 77sss, 78c, 78i, 78j, 78 l, 78m, 78n, 78o, 78u-5, 78w, 78 ll, 78mm, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-38(a), 80a-39, 80b-11, and 7201 et seq.; and 18 U.S.C. 1350, unless otherwise noted.

End Authority
* * * * *
Start Amendment Part

8. Amend § 229.308 by revising paragraphs (a)(4) and (b) to read as follows:

End Amendment Part
(Item 308) Internal control over financial reporting.

(a) * * *

(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on the registrant's internal control over financial reporting.

(b) Attestation report of the registered public accounting firm. Provide the registered public accounting firm's attestation report on the registrant's internal control over financial reporting in the registrant's annual report containing the disclosure required by this Item.

* * * * *
Start Part

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

End Part Start Amendment Part

9. The authority citation for part 240 continues to read, in part, as follows:

End Amendment Part Start Authority

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78k, 78k-1, 78 l, 78m, 78n, 78o, 78p, 78q, 78s, 78u-5, 78w, 78x, 78 ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, and 7201 et seq., and 18 U.S.C. 1350, unless otherwise noted.

End Authority
* * * * *
Start Amendment Part

10. Amend § 240.12b-2 by adding the definition of “Material weakness” in alphabetical order to read as follows:

End Amendment Part
Definitions.
* * * * *

Material weakness. The term material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the registrant's annual or interim financial statements will not be prevented or detected on a timely basis.

* * * * *
Start Amendment Part

11. Amend § 240.13a-15 by revising paragraph (c) to read as follows:

End Amendment Part
Controls and procedures.
* * * * *

(c) The management of each such issuer, that either had been required to file an annual report pursuant to section 13(a) or 15(d) of the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or previously had filed an annual report with the Commission for the prior fiscal year, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness, as of the end of each fiscal year, of the issuer's internal control over financial reporting. The framework on which management's evaluation of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. Although there are many different ways to conduct an evaluation of the effectiveness of internal control over financial reporting to meet the Start Printed Page 35322requirements of this paragraph, an evaluation that is conducted in accordance with the interpretive guidance issued by the Commission in Release No. 34-55929 will satisfy the evaluation required by this paragraph.

* * * * *
Start Amendment Part

12. Amend § 240.15d-15 by revising paragraph (c) to read as follows:

End Amendment Part
Controls and procedures.
* * * * *

(c) The management of each such issuer, that either had been required to file an annual report pursuant to section 13(a) or 15(d) of the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or previously had filed an annual report with the Commission for the prior fiscal year, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness, as of the end of each fiscal year, of the issuer's internal control over financial reporting. The framework on which management's evaluation of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. Although there are many different ways to conduct an evaluation of the effectiveness of internal control over financial reporting to meet the requirements of this paragraph, an evaluation that is conducted in accordance with the interpretive guidance issued by the Commission in Release No. 34-55929 will satisfy the evaluation required by this paragraph.

* * * * *
Start Signature

By the Commission.

Dated: June 20, 2007.

Nancy M. Morris,

Secretary.

End Signature End Supplemental Information

Footnotes

10.  Release No. 34-55929 (Jun. 20, 2007) (hereinafter “Interpretive Guidance”).

Back to Citation

11.  Release No. 34-55930 (Jun. 20, 2007).

Back to Citation

13.  15 U.S.C. 78m(a) or 78o(d).

Back to Citation

14.  Release No. 33-8238 (June 5, 2003) [68 FR 36636] (hereinafter “Adopting Release”). See Release No. 33-8392 (Feb. 24, 2004) [69 FR 9722] for compliance dates applicable to accelerated filers. See Release No. 33-8760 (Dec. 15, 2006) [71 FR 76580] for compliance dates applicable to non-accelerated filers.

Back to Citation

15.  Release Nos. 33-8762; 34-54976 (Dec. 20, 2006) [71 FR 77635] (hereinafter “Proposing Release”).

Back to Citation

16.  The comment letters are available for inspection in the Commission's Public Reference Room at 100 F Street, NE., Washington, DC 20549 in File No. S7-24-06, or may be viewed at http://www.sec.gov/​comments/​s7-24-06/​s72406.shtml.

Back to Citation

17.  See, for example, letters from America's Community Bankers (ACB), BP p.l.c. (BP), Business Roundtable, Enbridge Inc., European Association of Listed Companies, Hudson Financial Solutions (Hudson), ING Group N.V. (ING), PPL Corporation (PPL), Silicon Valley Leadership Group (SVLG), The Hundred Group of Finance Directors (100 Group), and UnumProvident Corporation (UnumProvident).

Back to Citation

18.  See, for example, letters from American Electronics Association (AeA), James J. Angel, Cleary Gottlieb Steen & Hamilton LLP (Cleary), Financial Reporting Committee of the Association of the Bar of the City of New York (NYC Bar), and U.S. Chamber of Commerce (Chamber).

Back to Citation

19.  See, for example, letters from Cleary, NYC Bar, and Reznick Group, P.C.

Back to Citation

20.  See letter from Cleary.

Back to Citation

21.  See joint letter from Consumer Federation of America, Consumer Action, and U.S. Public Interest Research Group.

Back to Citation

22.  See letter from Tatum LLC.

Back to Citation

23.  Approximately thirty-three commenters directly responded to the question about whether the guidance should be issued as an interpretation or codified as a Commission rule. Approximately 70% of such respondents indicated that the guidance should be issued as an interpretation.

Back to Citation

24.  PCAOB Release No. 2006-007: Proposed Auditing Standard—An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements. See http://www.pcaobus.org/​Rules/​Docket_​021/​index.aspx (hereinafter “Proposed Auditing Standard”).

Back to Citation

25.  See, for example, letters from Banco Itaú Holding Financeira SA, BP, Cisco Systems, Inc. (Cisco), Computer Sciences Corporation (CSC), Eli Lilly and Company (Eli Lilly), Frank Consulting, PLLP, Grant Thornton LLP, Kimball International (Kimball), Lubrizol Corporation (Lubrizol), MetLife, Inc. (MetLife), NYC Bar, PPG Industries, Inc. (PPG), The Procter & Gamble Company (P&G), and RAM Energy Resources, Inc.

Back to Citation

26.  See, for example, letters from 100 Group, Alamo Group, Association of Chartered Certified Accountants (ACCA), BHP Billiton Limited (BHP), European Federation of Accountants (FEE), The Financial Services Roundtable (FSR), Hess Corporation (Hess), Hutchinson Technology Inc. (Hutchinson), Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), Institut Der Wirtschaftsprufer [Institute of Public Auditors in Germany] (IDW), Ian D. Lamdin (I. Lamdin), Matthew Leitch, Nasdaq Stock Market, Inc. (Nasdaq), National Venture Capital Association (NVCA), Nike, Inc. (Nike), Robert F. Richter (R. Richter), Rod Scott, Southern Company (Southern), and SVLG.

Back to Citation

27.  See, for example, letters from 100 Group, ACCA, Hess, Nasdaq, Nike, and Southern.

Back to Citation

28.  See, for example, letters from BHP and NVCA.

Back to Citation

29.  See, for example, letters from FEE, FSR, Hutchinson, IDW, IIA, IMA, I. Lamdin, and R. Richter.

Back to Citation

30.  See, for example, letters from 100 Group, BDO Seidman LLP, Cleary, Financial Executives International Committee on Corporate Reporting (FEI CCR), Manulife Financial (Manulife), Microsoft Corporation (MSFT), Neenah Paper, Inc (Neenah), and NYC Bar.

Back to Citation

31.  Item 308 sets forth the ICFR disclosure that must be included in a company's annual and quarterly reports.

Back to Citation

32.  An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements.

Back to Citation

33.  Section 103(a)(2)(A)(iii) states that “each registered public accounting firm shall—describe in each audit report the scope of the auditor's testing of the internal control structure and procedures of the issuer, required by section 404(b), and present (in such report or in a separate report)—

(I.) The findings of the auditor from such testing;

(II.) An evaluation of whether such internal control structure and procedures—

(aa) Include maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(bb) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and

(III.) A description, at a minimum, of material weaknesses in such internal controls, and of any material noncompliance found on the basis of such testing.”

Back to Citation

34.  The PCAOB's Proposed Auditing Standard provided the following definition of material weakness: “a control deficiency, or combination of control deficiencies, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected.”

Back to Citation

35.  See, for example, letters from Edison Electric Institute (EEI), FEI CCR, Financial Executives International Small Public Company Task Force (FEI SPCTF), The Institute of Chartered Accountants in England and Wales (ICAEW), Nina Stofberg, and SVLG.

Back to Citation

36.  See, for example, letters from FEE and ICAEW.

Back to Citation

37.  See, for example, letters from Cardinal Health, Inc. (Cardinal), EEI, and Protiviti.

Back to Citation

38.  The PCAOB's Proposed Auditing Standard provided the following definition of significant deficiency: “a control deficiency, or combination of control deficiencies, such that there is a reasonable possibility that a significant misstatement of the company's annual or interim financial statements will not be prevented or detected.” A significant misstatement was defined as “a misstatement that is less than material yet important enough to merit attention by those responsible for oversight of the company's financial reporting.”

Back to Citation

39.  See, for example, letters from Cardinal and Protiviti.

Back to Citation

40.  See, for example, letters from Cisco, FEI CCR, Hudson, MetLife, MSFT, and P&G.

Back to Citation

41.  See, for example, letters from Cisco, Committee on Capital Markets Regulation (CCMR), FEI SPCTF, Hudson, MetLife, MSFT, Nike, P&G, and TechNet.

Back to Citation

42.  See, for example, letters from the American Bar Association's Committees on Federal Regulation of Securities and Law and Accounting of the Section of Business Law (ABA), ACCA, Cardinal Health, Inc., Chamber, CSC, IIA, Kimball, and NYC Bar.

Back to Citation

43.  See letters from NYC Bar and Cleary.

Back to Citation

44.  See letter from ABA.

Back to Citation

45.  See, for example, letters from ABA, CCMR, CSC, Independent Community Bankers of America, ISACA and IT Governance Institute, P&G, and Rockwood Holdings, Inc.

Back to Citation

46.  See, for example, letters from ABA, Cisco, Deloitte & Touche LLP, EEI, Eli Lilly, FEI CCR, FEI SPCTF, Ford Motor Company, MSFT, P&G, and PPL.

Back to Citation

47.  See letter from MetLife.

Back to Citation

48.  Exchange Act Rule 12b-2 and Rule 1-02(p) of Regulation S-X.

Back to Citation

49.  15 U.S.C. 78m or 78o(d).

Back to Citation

51.  Release No. 33-8238 (June 5, 2003) (68 FR 36636).

Back to Citation

52.  Although the term “non-accelerated filer” is not defined in Commission rules, we use it to refer to an Exchange Act reporting company that does not meet the Exchange Act Rule 12b-2 definition of either an “accelerated filer” or a “large accelerated filer.”

Back to Citation

53.  As a result of which, the Commission and its staff issued guidance to assist companies in implementing these requirements.

Back to Citation

54.  Release No. 33-8760 (Dec. 15, 2006) (71 FR 77635).

Back to Citation

55.  Final Report of the Advisory Committee on Smaller Public Companies to the United States Securities and Exchange Commission (Apr. 23, 2006) (“Advisory Committee Report”) available at http://www.sec.gov/​info/​smallbus/​acspc/​acspc-finalreport.pdf.

Back to Citation

56.  On July 11, 2006, COSO issued guidance entitled “Internal Control Over Financial Reporting—Guidance for Smaller Public Companies” that was designed primarily to help management of smaller public companies with establishing and maintaining effective ICFR.

Back to Citation

57.  Management's report is not deemed to be filed for purposes of Section 18 of the Exchange Act [15 U.S.C. 78r] or otherwise subject to the liabilities of that section, unless the issuer specifically states that the report is to be considered “filed” under the Exchange Act or incorporates it by reference into a filing under the Securities Act or the Exchange Act.

Back to Citation

58.  Release No. 34-54122 (July 11, 2006).

Back to Citation

59.  Commenters on the Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting, Release No. 34-54122 (Jul. 11, 2006) [71 FR 40866], available at http://www.sec.gov/​rules/​concept/​2006/​34-54122.pdf, expressed similar views. See, for example, letters from the American Institute of Certified Public Accountants, Crowe Chizek and Company LLC, and Kreischer Miller, all available at http://www.sec.gov/​comments/​s7-11-06/​s71106.shtml.

Back to Citation

60.  See, for example, The Institute of Internal Auditor's Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, May 2006.

Back to Citation

61.  We are taking this action in conjunction with the PCAOB's elimination of the auditor's requirement to evaluate the efficacy of management's evaluation process.

Back to Citation

62.  Advisory Committee Report at pp. 39-40.

Back to Citation

63.  See, for example, letters from Cleary, NYC Bar, and Reznick Group, P.C.

Back to Citation

64.  Commenters expressed similar views. See, for example, letters from BHP, Employees' Retirement System of Rhode Island, Financial Services Forum, KPMG LLP, McGladrey & Pullen LLP, MSFT, and State Street Corporation.

Back to Citation

65.  See, for example, Financial Executives International Survey on Sarbanes-Oxley Section 404 Implementation (March, 2006) and CRA International Sarbanes-Oxley Section 404 Costs and Implementation Issues: Spring 2006 Survey Update.

Back to Citation

66.  See letter from The Committee on Capital Markets Regulation.

Back to Citation

67.  See letter from CSC.

Back to Citation

68.  Commenters, however, requested that we conduct an analysis of the costs and benefits of the amendments after implementation and assess whether the amendments and the Interpretive Guidance result in cost reductions. See, for example, letters from Biotechnology Industry Organization (BIO) and NVCA. We are sensitive to the costs and benefits of our Section 404 rules, and we intend to monitor the impact of the rule amendments and Interpretive Guidance.

Back to Citation

69.  See, for example, letters from Allstate Corporation, Hudson, ICAEW, Minn-Dak Farmers Cooperative, Nasdaq, Supervalu Inc., and UnumProvident.

Back to Citation

70.  See, for example, letters from Ace Limited, Hutchinson, and Neenah.

Back to Citation

71.  See, for example, letters from Heritage Financial Corporation, MSFT and Neenah.

Back to Citation

72.  This cost-benefit analysis does not address the costs associated with the ICFR audit standard itself because the rule amendments do not affect the ICFR audit standard.

Back to Citation

73.  See letter from UnumProvident.

Back to Citation

76.  See letter from The Committee on Capital Market Regulation.

Back to Citation

77.  See letter from NYC Bar.

Back to Citation

80.  See, for example, letters from AeA, BIO, IMA and U.S. Small Business Administration's Office of Advocacy (SBA).

Back to Citation

81.  See, for example, the letter from the Office of Advocacy of the Small Business Administration, citing the Advisory Committee Report at p. 33.

Back to Citation

82.  Nearly 5,000 companies already are subject to the Section 404 requirements. Larger companies may also be able to perform more efficient ICFR evaluations based on the Interpretive Guidance, and gain assurance that changes they make in their evaluation procedures still comply with Commission rules.

Back to Citation

[FR Doc. E7-12298 Filed 6-26-07; 8:45 am]

BILLING CODE 8010-01-P