Management’s Assessment of Internal Control Over Financial Reporting

To assist management in performing its assessment of ICFR, the SEC issued interpretive guidance and simultaneous amended Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934 (the Securities Act).

This course is designed for company management and those under their supervision who are involved in the company's assessment of ICFR effectiveness and will enable you to identify management's responsibilities relating to the company's assessment of internal control and the related audit, discuss how the company may and may not work with its auditors to carry out its responsibilities and describe the performance requirements for each major phase of the engagement.

Objectives

• Understand management’s responsibilities in assessing the company’s ICFR
• Work effectively with your auditors to carry out your respective responsibilities
• Identify financial reporting risks and controls that address such risks
• Implement methods and procedures that may be used to evaluate the operating effectiveness of ICFR
• Evaluate the nature and amount of evidence needed to support the ICFR assessment
• Evaluate control deficiencies

The Video Moderator is John Hudson, CPA, founder of Hudson Consulting Group, LLC. In the video, John leads a lively discussion with industry experts covering the new guidance, implementation strategies and best practices.  John is joined by Bob Burkett, CPA, CISA, founder and Managing Director of Quasar Associates; David W. Hinshaw, CPA, a member of Dixon Hughes CPAs; Earl Miller, CPA, MBA, Controller of BioVeris Corporation; and Elizabeth S. Gantnier, CPA, Director of Quality Control for Stegman & Company, CPAs.

The Video Moderator is John Hudson, CPA. In the video, John leads a lively discussion with industry experts covering PCAOB standards, implementation strategies and best practices. John is joined by Lyn Graham, CPA, Certified Fraud Examiner and current chair of the AICPA's Audit Sampling Guide Task Force and Risk Standards Audit Guide Task Force; Rick Ueltschy, CPA, Executive in Charge of Crowe Chizek’s Financial Institution External Audit Group; Peggy Wood, CPA, partner in the Grant Thornton New York Office Professional Standards and former chairman of the NYSSCPA Auditing Standards Committee.

*(120-min. video) The DVD disk contains the video presentation and a viewable copy of the Manual.

**The Additional Manual is for group study training only and has no self-study exam answer sheet. To earn self-study credit, you must purchase the DVD/Manual.

Prerequisite:  Knowledge of accounting systems and auditing standards; knowledge of COSO and AS No. 5 is helpful

Overview

 “… July 30 will mark the five-year anniversary of the Act.  Section 404 has posed
 the single biggest challenge to companies under the entire Act. Without question,
 it has imposed the greatest costs; but it has also contributed significantly to more reliable financial reporting as companies improved their internal controls to meet Section 404’s requirements.”
                        SEC Chairman Christopher Cox
            SEC Open Meeting
Washington, D.C.
July 25, 2007

Management’s Report on ICFR

In July of 2003, as directed by Section 404 of the Act of 2002 (Section 404), the Securities and Exchange Commission (SEC) adopted rules requiring issuers to include in their annual reports a report of management’s assessment of a company’s internal control over financial reporting (ICFR).

Initially, the SEC’s rules included guidance on the form and content of management’s report, but provided only general guidance on the procedures that management should follow to assess ICFR.  In response to calls for additional guidance and concerns regarding the manner in which companies were applying Section 404, in December 2006, the SEC issued Management’s Report on Internal Control over Financial Reporting [Release Nos. 33-8762; 34-54976; File No. S7-24-06].  The SEC issued the interpretive guidance (“the Guidance”) to assist management in performing its assessment of ICFR in an efficient and effective manner.  The Guidance became effective on June 27, 2007.  Simultaneous with issuance of the Guidance, the SEC also amended Rules 13a-15(c) and 15d-15(c) under the Securities Exchange Act of 1934 (the Securities Act).  These rules address management’s requirements to perform an annual assessment of ICFR.  The amended Exchange Act indicates that applying the Guidance is one way that a company’s management may satisfy the requirement, that is, management does not have to adopt the Guidance.  The SEC recognizes that companies that were already complying with Section 404 may have established ICFR assessment processes that they wish to retain.

Readers are encouraged to read the full text of the Guidance, which may be found at: http://www.sec.gov/rules/interp/2007/33-8810.pdf. An SEC staff document entitled, Frequently Asked Questions (revised September 24, 2007) is also available at http://www.sec.gov/info/accountants/controlfaq.htm.

The PCAOB and Auditing Standard No. 5

The Act of 2002 (the Act) directs the Public Company Accounting Oversight Board (PCAOB) to establish auditing and related attestation, quality control, ethics, and independence standards and rules to be used by registered public accounting firms in the preparation and issuance of audit reports as required by the Act or the rules of the SEC.  Thus, PCAOB rules apply to registered public accounting firms.

On December 19, 2006, the PCAOB proposed Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AS5), which was intended to replace Auditing Standard No. 2.    The SEC approved AS5 on July 25, 2007. 

The full text of AS5 may be found at: www.pcaobus.org/Rules/Rules_of_the_Board/
Auditing_Standard_5.pdf.

What This Course Covers

This course is designed for company management and those under their supervision who are involved in the company’s assessment of ICFR effectiveness and covers:

•     Management’s responsibilities to assess the company’s ICFR.
•     How the company may work with its auditors to carry out its responsibilities.
•     The general principles and guidance described in the Guidance, including:

1. Identification of financial reporting risks and controls that address such risks.
2. Methods and procedures that may be used to evaluate the operating effectiveness of ICFR.
3. Factors to consider in evaluating ICFR in companies of various sizes and structures. 
4. Evaluation of the nature and amount of evidence needed to support the ICFR assessment.
5. Factors to consider when evaluating control deficiencies.
6. Reporting and other disclosure requirements related to the ICFR assessment.

 
When reading this workbook, please note the following:

• This course will refer to the text of Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15 (d) of the Securities Exchange Act of 1934 (Nos. 33-8810; 34-55929; FR-77; File No. S7-24-06) as the “SEC Release” or “the Guidance.”
  
• In the Guidance, the SEC describes the “evaluation” or “evaluation process” as the methods and procedures management uses within the company to form the basis for its assessment of the effectiveness of ICFR.   The “assessment” is the actual disclosure required by the regulations adopted under the Exchange Act.  This course uses these terms as they are described in the Guidance.
  
• Some of the chapters in the workbook include appendices that appear immediately after the chapter. Reading this material is an integral part of the course, and it may be included in the exam for CPE credit.
  
• Toward the end of the workbook is a section entitled, Reference Materials. The materials in this section are included in the workbook merely for your convenience. The guidance in the reference materials will not be included on the exam for CPE credit.
  
  

Fundamentals

Learning Objectives

At the end of this chapter, you should be able to:

• Articulate the basic requirements of Section 404, Management Assessment of Internal Control Over Financial Reporting, and Section 302 of the Act, Corporate Responsibility for Financial Reports, related to a company’s internal controls.
• Describe the SEC definition of ICFR and the fundamental components of the Council of Sponsoring Organizations of the Treadway Commission (COSO) Framework.
• Understand management’s and the auditor’s respective responsibilities relating to the assessment and audit of ICFR.
• Indicate ways in which management and a company’s auditor may interact without impairing the auditor’s independence.

Legislators created the Act in response to a series of business failures, including Enron in 2001. Failures in internal control, particularly over financial reporting, were among the specific concerns addressed by the Act, and in particular Section 404 of the Act, which states:

SEC. 404.MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board.

Observations About the Requirements

• The law requires you to assess your company’s ICFR and requires the auditor to report on the effectiveness of your company’s ICFR. In some areas, the auditors may be able to use your work or work performed by internal auditors to support their conclusion on ICFR.

Management’s ICFR Report

Management’s report on the effectiveness of ICFR is contained in the company’s Form 10-K or similar report, which is filed annually with the SEC. Under the SEC rules, the company’s ICFR report must include:

1. A statement of management’s responsibilities for establishing and maintaining adequate ICFR.
2. A statement identifying the framework used by management to evaluate the effectiveness of the company’s ICFR.
3. Management’s assessment of the effectiveness of the company’s ICFR as of the end of the most recent fiscal year, including a statement as to whether or not ICFR is effective. This discussion must include disclosure of any material weakness in the company’s ICFR identified by management. (Management is not permitted to conclude that the registrant’s ICFR is effective if there were one or more material weaknesses in the company’s ICFR.)
4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the registrant’s ICFR.
5. The registered public accounting firm’s attestation report on management’s assessment of the company’s ICFR.
6. Disclosure of any change in the company’s ICFR that has materially affected, or is reasonably likely to materially affect, the company’s ICFR.

The SEC rules regarding the preparation and issuance of audit reports apply to issuers. The term ‘‘issuer’’ means an issuer (as defined in section 3 of the Securities Exchange Act of 1934), the securities of which are registered under section 12 of that Act, or that is required to file reports under section 15(d), or that files or has filed a registration statement that has not yet become effective under the Securities Act of 1933 and that it has not withdrawn. Thus, SEC rules apply to entities that are deemed to be issuers under the securities laws.

In June 2004, the SEC approved PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements.

See Regulation S-K, Item 308 (17 CFR §229.308).

 

732492