Part II of this article appears in the November 2004 issue of The Metropolitan Corporate Counsel.
Since their adoption, the "accounting provisions"1 of the Foreign Corrupt Practices Act of 1977, which amended the Securities Exchange Act of 1934, have generally required public company issuers to:
- devise and maintain a system of internal control sufficient to provide reasonable assurance that assets are safeguarded and transactions are properly authorized and recorded; and
- keep reasonably detailed records that accurately and fairly reflect financial activities.
Section 404(a) of the Sarbanes-Oxley Act of 2002, enacted in July 2002, mandated the Securities and Exchange Commission to adopt additional rules requiring an issuer to include in each annual report on Form 10-K a report of management regarding its assessment of the issuer's internal controls over financial reporting,2 or "internal controls." Section 404(b) of the SOA requires the issuer's independent auditors to attest to management's assessment of the issuer's internal controls pursuant to standards required to be adopted by the Public Company Accounting Oversight Board.
In June 2003, the SEC adopted its rules under Sections 404(a) and 404(b) of the SOA.3 In June 2004, the SEC approved PCAOB Auditing Standard No. 2,4 which sets forth the standards for an independent auditor's audit5 of internal controls. Together with the accounting provisions of the FCPA, these rules generally require issuers to:
- establish and maintain a system of internal controls; and
- include in each Form 10-K:
a report of management's assessment of the effectiveness of internal controls; and
an attestation report of the independent auditor as to the effectiveness of the issuer's internal controls and management's assessment thereof.6
In Part I of this article, we discuss the general disclosure and reporting requirements related to the assessment of an issuer's internal controls by its management and auditor. In Part II of this article, we will discuss various issues which may arise if the issuer receives a "negative report" regarding its internal controls because either management's report or the auditor's attestation report states that the issuer's internal controls are ineffective. For purposes of both Parts, we have assumed that such a negative report does not result in the issuance of a qualified auditor's report on the issuer's financial statements or a restatement of financial statements previously issued by the issuer. If either of those assumptions were incorrect, the issuer would likely be faced with serious implications apart from those related to the negative report. In addition, for purposes of both Parts, we have assumed that such a negative report does not result in a change in previously recorded financial amounts (even if it does not result in a restatement) that could affect calculation of such matters as determination of compliance with financial covenants, achievement of incentive compensation targets or calculation of tax attributes where such changes may have material consequences.
Internal Controls
Rules 13a-15(f) and 15d-14(f) under the Exchange Act define internal controls as a process designed to provide reasonable assurance7 regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, which includes policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP and that receipts and expenditures of the issuer are being made only in accordance with authorizations of the issuer's management and directors; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on its financial statements.
The issuer's internal controls must be designed by its principal executive and principal financial officers (or under their direction) and effected8 by its board of directors. Management may not rely on the auditor's audit of the internal controls (in connection with its attestation report) as part of the issuer's internal controls and must have active, substantive and extensive involvement in any internal control services rendered by the auditor.
Furthermore, the auditor's independence may be compromised if the auditor has provided advice to the issuer regarding, among other things, the design and implementation of its internal controls. If the auditor were to provide such advice, it could effectively be placed in a management role and result in the auditor auditing its own work.9 The auditor, however, would not be precluded from making substantive recommendations, based on the results of a preliminary assessment or its final audit, as to how management may improve the design or operation of the issuer's internal controls or from assisting in the preparation of certain documentation of the issuer's internal controls.
Internal Control Reports And Certification
Management's Report
The internal control report which management is required to include in the issuer's Form 10-K must contain:
- a statement of management's responsibility for establishing and maintaining adequate internal controls for the issuer;
- a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the issuer's internal controls;
- management's assessment of the effectiveness of the issuer's internal controls as of the end of the most recent fiscal year, including a statement as to whether or not the issuer's internal controls are effective10 and disclosure of any material weaknesses identified;11 and
- a statement that the accounting firm that audited the financial statements included in the Form 10-K has issued an attestation report on management's assessment of the issuer's internal controls.
If the issuer consummates a material acquisition during its fiscal year, an assessment of the internal controls of the acquired business need not be undertaken or considered in management's report for that fiscal year if it is impracticable for management to conduct such an assessment during the period between the closing date and the date of management's assessment of the issuer's internal controls. In this case, management may include, and cross-reference in its internal control report, a discussion elsewhere in the Form 10-K regarding:
- the scope of its assessment;
- the identity of the excluded business; and
- the significance of the excluded business to the issuer.12
Management may exclude the acquired business' internal controls from its assessment of the issuer's internal controls for up to one year from the closing date, but may not exclude it from more than one internal control report.13
Auditor's Report
The attestation report on management's assessment of internal controls must be dated, signed manually, identify the period covered by the report and clearly express two opinions:14
- one regarding whether management's assessment of the effectiveness of internal controls is fairly stated; and
- another regarding whether the issuer's internal controls are effective.
If an overall opinion cannot be expressed, the auditor must explain why that is the case. In rendering these opinions, the auditor must conduct an independent audit of the issuer's internal controls and may not rely solely on management's conclusion.
Location of Reports
While perhaps not advisable, the auditor's attestation report may be combined with its report on the financial statements. In determining whether to combine the reports, the auditor should take into account any issues that may arise if its audit report on the financial statements is expected to be reissued, updated or incorporated by reference into a filing under the Securities Act of 1933.
Management's report and the auditor's attestation report (if separate from the report on the financial statements) are not required to appear in any particular location within the Form 10-K. The SEC has suggested, however, that such reports be placed in close proximity to the MD&A section or immediately preceding the financial statements.
Certification
In addition to management's internal control report and auditor's attestation report described above, each certification signed by the principal executive and principal financial officers of the issuer pursuant to Section 302 of the SOA, beginning with the certification included as an exhibit to the issuer's Form 10-K for the fiscal year ending on or after November 15, 2004, will be required to include additional language stating that they have disclosed to the issuer's auditors and audit committee all significant deficiencies and material weaknesses in the design or operation of internal controls which are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information. This additional language effectively imposes a duty on an issuer's principal executive and financial officers to report such information to the issuer's auditors and audit committee.15
Effectiveness Of Internal Controls
As mentioned above, management's internal control report must state whether the issuer's internal controls are effective. Management will be precluded from concluding that the issuer's internal controls are effective if a material weakness has been identified during its evaluation. In this regard, the PCAOB defines a "material weakness" as a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
A material weakness constitutes a greater deficiency than a significant deficiency. The PCAOB defines a "significant deficiency" as a control deficiency, or combination of control deficiencies, that adversely affects the issuer's ability to initiate, authorize, record, process or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement in the issuer's annual or interim financial statements that is more than inconsequential will not be prevented or detected. A significant deficiency may also become a material weakness if it is not corrected within a reasonable period of time after it has been identified.
A "control deficiency" exists when the design16 or operation17 of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
If a material weakness exists, then management should state in its report that the issuer's internal controls are ineffective. Similarly, the auditor should include in its attestation report an opinion stating that the issuer's internal controls are ineffective. If management concludes that the issuer's internal controls are effective, but the auditor concludes otherwise, the auditor should still include in its attestation report an opinion stating that the issuer's internal controls are ineffective.
In addition, if the auditor agrees with management's assessment of the issuer's internal controls, then it should include in its attestation report an opinion that such assessment was fairly stated. However, if the auditor disagrees with such assessment, then it should so state in its attestation report.18
As noted above, management must report all significant deficiencies to the auditors and the audit committee. The issuer, however, is not required to disclose significant deficiencies or control deficiencies to the public. Nonetheless, management should evaluate all significant and control deficiencies in the aggregate to determine whether they are material to the issuer or its financial disclosure. If such deficiencies are material, then the issuer may be required to publicly disclose them based on the general securities law principles relating to disclosure of material information.19 Management should also evaluate whether it may be appropriate to include a related discussion under the forward-looking statements or risk factors sections, if any, in the periodic report.
1 The FCPA also contains "anti-bribery provisions" which make it unlawful to bribe a foreign government official in order to obtain or retain business.
2 Although the definition of "internal control" under the FCPA differs slightly from the definition of "internal control over financial reporting" under the SOA, the SEC has stated that it considers such definitions to overlap and be consistent with each other. See SEC Release No. 33-8238 (June 5, 2003).
3 See SEC Release No. 33-8238 (June 5, 2003).
4 See SEC Release No. 34-49884 (June 17, 2004).
5 An independent auditor's audit of the issuer's internal controls may only be performed in conjunction with its audit of the issuer's financial statements.
6 For issuers with a calendar fiscal year, the initial management internal control report and auditor attestation report will be required to be included in the Form 10-K for the fiscal year ended December 31, 2004, which is currently required to be filed by March 1, 2005. Thereafter, issuers will be required to disclose in each Form 10-Q any material changes or material weaknesses in its internal controls which occurred or were identified in the applicable quarter. See Item 308(c) of Regulation S-K.
7 Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance constitutes a high level of assurance. See SEC Release No. 34-49544 (April 8, 2004). 8 Presumably, the term "effected," as used in the rule, means that the internal controls must be adopted by the issuer's board of directors. Therefore, the internal controls should be subject to the issuer's customary board approval procedures, including a presentation on the issuer's internal controls, describing them in all material respects, and a formal request for board approval thereof.
9 A fundamental principle behind auditor independence is that the auditor should not audit its own work. See SEC Release No. 33-8183 (January 28, 2003).
10 Management may not qualify or otherwise limit this conclusion.
11 The issuer may be obligated to disclose a material weakness in a periodic report regardless of whether it was identified subsequent to the end of the period covered by such report. See Rule 12b-20 under the Exchange Act, which generally requires each periodic report to include such additional information as is necessary to make it not misleading.
12 See Rules 1-02(w) and 11-01(b) under Regulation S-X regarding whether and to what extent a business is significant.
13 Despite management's exclusion of an acquired business' internal controls from its annual assessment, the issuer will be required to disclose any material change to its internal controls due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), as applicable.
14 The opinions are required to be given as of the end of the period covered by the Form 10-K.
15 An individual who signs a false certification may be subject to liability under the Exchange Act in his or her personal and official capacities, which may include up to a $5 million fine and 20 years in prison.
16 A deficiency in design exists when a control necessary to meet the control objective is missing or an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
17 A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively
18 Such a disagreement is not required to be reported pursuant to Item 304 of Regulation S-K.
19 See Rule 12b-20 and Rule 10b-5 under the Exchange Act.
Published October 1, 2004.
