Test of Controls
Robert N. Waxman
If men were angels, no government would be necessary. If angels
were to govern men, neither external nor internal controls
on government would be necessary. —James Madison, The
Federalist Papers, No. 51, 1788
The SEC, in its Release 33-8238 (issued June 5, 2003, and revised
by Release 33-8392), adopted final rules to carry out the
requirements of section 404 of the Sarbanes-Oxley Act. Section
404, “Management Assessment of Internal Controls,”
directs the SEC to adopt rules requiring each annual report
required by section 13(a) or 15(d) of the Securities Exchange
Act of 1934 to contain an internal control report. That
report must state the responsibility of management for setting
up and maintaining an adequate internal control structure
and procedures for financial reporting; it must also contain
an assessment, at the end of the most recent fiscal year,
of the effectiveness of the internal control structure and
procedures of the issuer for financial reporting.
The following requirements apply to this internal control assessment:
Each public accounting firm registered with the PCAOB
that prepares or issues the audit report must attest to,
and report on, management’s assessment.
The attestation must be made in accordance with standards
for attestation engagements issued or adopted by the PCAOB.
On March 9, 2004, the PCAOB issued Auditing Standard 2,
An Audit of Internal Control Over Financial Reporting
Performed in Conjunction with an Audit of Financial Statements,
which the SEC approved on June 17 (34-49884).
The attestation must not be the subject of a separate engagement.
of the Release
The rules and the Sarbanes-Oxley Act require every issuer to
maintain two types of controls: “disclosure controls
and procedures” and “internal control over financial
reporting” (or simply “internal control”).
The other objective is to improve both the disclosure and the
financial controls of every public company worldwide and
on a real-time basis (every 90 days).
The hope here is to substantially upgrade the disclosure system,
reprogram management, and upgrade the performance of the
auditors. The ultimate goal is to improve business performance
and investor confidence in financial statements and capital
markets, and as a by-product to strengthen investor confidence
in the accounting profession.
Regulations S-K and S-B, Item 308, “Internal Control over Financial Reporting”
Management’s report on internal control. The SEC’s
recently issued Item 308 closely follows the requirements
of section 404. It requires the annual report (Form 10-K
or 10-KSB) of almost every company filing periodic reports
under either section 13(a) or 15(d) of the 1934 Act to include
an internal control report. This report must state the following:
(1) Management’s responsibility for setting up and maintaining
adequate internal control;
(2) The framework used to evaluate the effectiveness of internal control;
(3) Management’s assessment of the effectiveness
of the internal control at the end of the year, and the
disclosure of any material weakness in internal control.
Management cannot say that the internal controls are effective
if there are one or more material weaknesses, or if there
is a combination of reportable conditions that result
in a material weakness; and
(4) That the registered public accounting firm that audited
the financial statements included in the annual report
has issued an attestation report on management’s assessment.
The evaluation framework must be based on a suitable, recognized
control framework that is established by a body or group
that has followed due-process procedures, including public
comment. In the United States, the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) framework clearly satisfies the SEC
criteria and for now is the framework that should be followed.
The rules do, however, recognize that other evaluation standards
exist outside of the United States and that other frameworks
may be developed in the future, and do not require the use
of any one framework [Rule 13a-15(c)/15d-15(c)].
Exchange Act Rule 13a-15(f)/15d-15(f) and PCAOB Standard 2 define
internal control over financial reporting as follows:
A process designed by or under the supervision of the
issuer’s CEO and CFO, or persons performing similar functions;
Carried out by the issuer’s board of directors,
management, and other personnel;
Designed to provide reasonable assurance on the reliability
of financial reporting and the preparation of GAAP financial
statements for external purposes; and
Including policies and procedures that—
relate to the maintenance of records that in reasonable
detail accurately and fairly reflect the transactions
and dispositions of the assets (Sarbanes-Oxley Act section 103);
provide reasonable assurance that transactions are recorded
to allow the preparation of GAAP financial statements,
and that receipts and disbursements are authorized by
management and directors (Sarbanes-Oxley Act section 103);
provide reasonable assurance about the prevention or timely
detection of unauthorized acquisition, use, or disposition
of the company’s assets that could have a material
effect on the financial statements (the “safeguarding of assets” objective).
The “reasonable assurance” concept is integral to
the definition of internal control and the auditor’s
opinion. Reasonable assurance means that there is only a remote likelihood
that a material misstatement will not be prevented or detected
on a timely basis. There is a perceptible margin
of difference between reasonable assurance and absolute
assurance, and what is reasonable will depend on the issuer’s
facts and circumstances.
The definition focuses on the reliability of financial reporting
but does not include the other two objectives of internal
control found in SAS 55, Consideration of Internal Control
in a Financial Statement Audit, and the COSO report.
The first is the “effectiveness and efficiency of
a company’s operations,” which translates into
a company’s basic business objectives, including profitability
and performance goals. The second is “compliance with
applicable laws and regulations,” excepting those
laws directly related to the preparation of financial statements
and the SEC’s financial reporting requirements.
The definition of internal control is essentially consistent
with the description of internal accounting controls in
1934 Act section 13(b)(2), “Periodical and Other Reports.”
It requires that issuers make and keep books, records, and
accounts in reasonable detail to accurately and fairly reflect
transactions and dispositions of assets. It also requires
public companies to maintain a system of internal controls
that permits the preparation of GAAP financial statements.
Reporting of changes in internal control.
The 1934 Act Rule 13a-15(d)/15d-15(d) requires management to
evaluate all material changes in internal controls every
quarter. Item 308(c) requires the reporting of any change
in the company’s internal control that occurred during
the quarter that materially affected, or is reasonably likely
to materially affect, the company’s internal control.
The challenge here is that management must decide what is material
to the quarter and to future quarters. The safest course
may be to disclose every internal control change after eliminating
those changes that are clearly immaterial. Accordingly,
if, during a quarter, a significant deficiency or material
weakness is corrected that does or will materially affect
internal control, the change must be disclosed. If the control
is not corrected at the end of the quarter and it is viewed
as material, then Item 307 disclosures must discuss the
deficiency or weakness, and the company must then report
the change in the later quarter when it is corrected.
The rules do not require the company to disclose the reasons
for the change, but the SEC warns that management must decide
whether the reason for the change, or any other information
about the change, is material information that investors
should have. Information is generally considered material
if there is a substantial likelihood that a reasonable investor
would consider it important in deciding whether to buy,
sell, or retain a security.
Because foreign private issuers are not required to file quarterly,
the management of a foreign private issuer that files Exchange
Act reports needs to disclose in its annual Form 20-F or
Form 40-F only those material changes to its internal control
that occurred during the year.
Regulations S-K and S-B, Item 307, Disclosure Controls and Procedures
Item 307 was added to the integrated disclosure rules by Release
33-8124 (August 2002). It originally called for management’s
evaluation of disclosure controls and procedures within
90 days of the filing date and the disclosure of any significant
changes in internal controls after the date of the evaluation,
including any corrective action the company took relating
to significant deficiencies and material weaknesses. The
SEC release revised Item 307 to require that the company’s
principal executive and financial officers (or persons performing
similar functions) disclose their conclusions about the
effectiveness of the disclosure controls and procedures
at the end of every quarter. Their conclusion must be based
upon their evaluation of these controls and procedures,
as required by 1934 Act Rule 13a-15(b)/15d-15(b).
Although the rules do not require it, the evaluation date should
be near the end of the period, and if not at the end, it
should involve a roll-forward of the information to allow
the CEO and CFO to conclude on the effectiveness at the
end of the quarter.
Definition of disclosure controls and procedures. The
SEC states that “disclosure controls and procedures”
[Rule 13a-15(e)/15d-15(e)] have the following characteristics:
Designed to ensure that information required to be disclosed
in the reports that the issuer files or submits under the
Exchange Act is:
recorded, processed, summarized, and reported within the
time periods required by the SEC’s rules and forms; and
accumulated and communicated to management to allow them
to make timely decisions about the required disclosures.
Disclosure controls and procedures are intended to capture all information
required to be disclosed in Exchange Act reports. The company’s
procedures should ensure that the control system will produce
Form 10-Ks and 10-Qs that are timely, reliable, and accurate.
This includes both the financial statements and all of the nonfinancial
information disclosed. Therefore, all the other non–financial
statement disclosures on a Form 10-K/SB or 10-Q/SB are covered
by “disclosure controls and procedures”: for
example, MD&A, legal proceedings, disclosure of market
risk, the business, properties, and executive compensation.
The SEC’s objective in requiring these controls and procedures
was to extend auditors’ concepts about internal controls
over financial information to controls over all the other
information required to be included in Exchange Act reports.
It extends the internal control concepts in SAS 55, Consideration
of Internal Control in a Financial Statement Audit,
and SAS 78 (amending SAS 55) from financial statements to
all other disclosures.
Evaluation of the effectiveness of disclosure controls and procedures.
Because the auditor will be required to express an opinion
on management’s assessment process and an opinion
on the effectiveness of internal control, management should
document both the process and its effectiveness. PCAOB Standard
2, in paragraphs 162–166, provides guidance on management’s documentation.
The release does not give management specific procedures to
follow in evaluating the effectiveness of disclosure controls;
therefore, every issuer will need documentation and a process
that is unique to its business and its management. Inadequate
documentation is a deficiency in internal control that,
if significant, would impair the auditor’s opinion,
and PCAOB Standard 2 offers guidance for auditors evaluating
management’s assessment process and documentation
Examples of Item 307 disclosure. The SEC has no particular
format for the Item 307 disclosures, so it can be brief
or long (see the Sidebar).
Both examples assume no changes in internal control or any
Disclosure controls and procedures versus internal control over financial
reporting. The 1934 Act Rule 13a-15(a)/15d-15(a)
says that every issuer must maintain both “disclosure
controls and procedures” and “internal control
over financial reporting.” These two types of controls
are different, but overlap in some important areas and do
not overlap in others:
Some “disclosure controls” are not part of
“internal control over financial reporting”—namely,
all controls related to nonfinancial information.
Both types of controls include controls over transactions
that are needed to prepare GAAP financial statements.
The release says that some “internal controls”
are not part of “disclosure controls,” such
as the safeguarding of assets (e.g., limiting the signature
authority on checks).
Rule 1-02(a)(2), “Accountants’ Reports and Attestation
Reports on Management’s Assessment of Internal Control
over Financial Reporting,” was added to Regulation
S-X in the SEC release. Item 308(b) requires that the accounting
firm’s attestation report be filed in the annual report.
Furthermore, according to new Regulation S-X Rule 2-02(f),
“Attestation Report on Management’s Assessment
of Internal Control over Financial Reporting,” every
public accounting firm registered with the PCAOB that prepares
or issues an audit report on the annual financial statements
must attest to and report on management’s assessment.
The rule gives detailed instructions for preparing and filing
this attestation report.
The SEC recommends that management’s report be located
near the accounting firm’s attestation report, and
that both reports be either near the MD&A disclosure
or immediately before the financial statements. Because
the attestation report may be combined with the auditor’s
opinion on the financial statements, it would seem that
both management’s report and the auditor’s opinion
(whether a separate or a combined opinion) would be best
placed just before the financial statements.
The release provides a reminder that companies and their
auditors should refer to the SEC’s independence rules.
Auditors may help management in documenting internal controls,
but only if management is actively involved in the process.
Management must exercise their own judgment in performing
the various analyses; they must be in charge of all the
work done and make all the final decisions. The design,
documentation, testing, and ultimate evaluations are the
responsibilities of management. They cannot delegate any
of these tasks to their accounting firm.
A client can use the accounting firm’s internal control
questionnaire or software product as a standardized tool
to evaluate its internal controls or perform statistical
sampling. Thus, while the auditor may give management a
mechanism to document and assess the controls, the audit
firm itself would not actually document the controls or
draw any conclusions about their effectiveness. The rule
also permits the auditors to point out areas where management
can improve controls, and make suggestions about the testing
of controls without violating their independence. Paragraphs
E101–104 of Appendix E to PCAOB Standard 2 also address independence
guidance.
The release amended certain rules
and items of the periodic reporting forms under the 1934
and 1940 Acts. The release also revises 1934 Act Rule 12b-15,
“Amendments,” requiring that any amendment to
a report that is required to contain section 302 and 906
certifications must include new certifications by the CEO
and the CFO.
The Sarbanes-Oxley Act and the SEC’s new rules will affect
almost every public company and its auditor. An estimated
13,700 filing companies and some 1,000 firms registered
with the PCAOB will be affected.
Section 404 makes no distinction between domestic and foreign private
issuers. All rules in the SEC release apply to foreign companies
filing periodic reports under either section 13(a) or 15(d)
of the 1934 Act. In addition, section 404 makes no distinctions
between large and small issuers filing reports with the
SEC and therefore they are not exempt from the rules.
For a number of years, section 36 of the Federal Deposit Insurance
Act has required federally insured depository institutions
with total assets of $500 million or more to file an annual
management report on internal controls. The act also requires
auditors to examine and attest to management’s assertions
about the internal control structure. These requirements
for banks are very similar to the requirements of Sarbanes-Oxley
section 404 and the SEC rules, but the SEC decided not to
grant these entities any relief. These financial institutions
are subject to both the FDIC’s requirements and all
of the SEC’s internal control reporting rules. Release
33-8238 lets these institutions choose between two reporting
options: They can prepare two separate reports, or prepare
a single report that satisfies both the FDIC and the SEC requirements.
Section 404 does not apply to registered investment companies; however,
these companies are not exempt from the section 302 certification
requirements. The SEC release contains a number of technical
changes to various rules and forms implementing section
302 for registered investment companies in order to conform
them to the changes made for all other operating companies.
Because asset-backed issuers are usually passive pools of assets
without boards of directors and are generally not required
to file the same types of financial statements that other
companies must file, they are not subject to the SEC’s
internal control rules.
Accelerated filers. A company that is an “accelerated
filer” at the end of its first fiscal year ending
on or after November 15, 2004, must file the Item 308 internal
control report in its annual report for that fiscal year.
In Release 33-8128, “Acceleration of Periodic Report
Filing Dates” (September 2002), the SEC accelerated
the filing of quarterly and annual reports under Rule 12b-2
by domestic reporting companies that—
have a common equity public float of at least $75 million
on the last business day of the company’s second fiscal quarter;
have been subject to the 1934 Act’s periodic reporting
requirements for at least 12 months;
have previously filed at least one annual report under
the 1934 Act; and
are ineligible to use the small business issuer Forms 10-KSB and 10-QSB.
The compliance dates for these “accelerated filers” are being
phased-in over three years (Exhibit),
meaning that, for calendar-year companies, the effective
date of Release 33-8238 is December 31, 2004, and the Form
10-K is due March 1, 2005.
Nonaccelerated filers and foreign private issuers. The SEC
recognizes that small businesses may not have as formal
or well structured a system of internal control as larger
companies and may initially have difficulty evaluating their
internal controls. As a result, small business issuers and
other companies that are not “accelerated filers”
have a later implementation date. Such entities must file
their internal control report in their annual report for
the first year ending on or after July 15, 2005. This means
December 31, 2005, for calendar-year companies whose Form
10-K must be filed no later than March 31, 2006.
Regulations S-K and S-B Item 307. Item 307 requires disclosure
about the effectiveness of disclosure controls and procedures
beginning with the Form 10-Q/SB filed for June 30, 2003
(which was due August 14, 2003).
Changes in internal controls. A company must begin
to disclose any material change to its internal control
over financial reporting in its first periodic report due
after the first annual report that is required to include
the management report on internal control. This means a
calendar-year accelerated filer must begin to comply with
the disclosure about changes in internal control beginning
with the Form 10-Q for the quarter ended March 31, 2005
(form due May 10, 2005). Nonaccelerated filers must begin
to comply with the Form 10-Q/SB filed for the quarter ended
March 31, 2006 (form due May 15, 2006).
Section 302 requires the CEO and the CFO to certify that
they have disclosed in the Form 10-K/SB or 10-Q/SB any material
change in internal control over financial reporting. This
is similar to the information required by the old Item 307(b),
so these changes should continue to be included in the Item
Beginning with reports due on or after August 14, 2003 (due
date for June 30, 2003, quarterly filings), issuers must
file the section 302 and 906 certifications as exhibits,
and they must follow certain of the text changes in the
302 certification. To account for the differences between
the compliance date of the rules relating to the internal
control reports and the effective date of changes to the
text of the section 302 certification, the SEC allows the
certifying officers to temporarily eliminate some of the
text until the Item 308 internal control report requirements
are effective (see discussion above).
Registered investment companies. Registered investment
companies must comply with the rules and form amendments
that apply to them on and after August 14, 2003.
Early adoption. The SEC will allow companies to
voluntarily comply with the new disclosure requirements
before any of the mandated compliance dates.
Deficiencies, Significant Deficiencies, and Material Weaknesses
The SEC rules clearly state that management has the primary
obligation to determine whether there are material weaknesses
in internal control, whether a deficiency is significant,
and whether an aggregation of significant deficiencies is
a material weakness.
The auditing literature and the SEC provide no implementation
guidance or examples on how to determine if a deficiency
is significant, a weakness is material, or when a combination
of significant deficiencies becomes a material weakness.
PCAOB Standard 2 defines these critical terms as follows:
A control deficiency exists when the design or
operation of a control does not allow management or employees,
in the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.
A deficiency in design exists when a control
necessary to meet the control objective is missing or
an existing control is not properly designed, such that,
even if the control operates as designed, the control
objective is not always met.
A deficiency in operation exists when a properly
designed control does not operate as designed, or when
the person performing the control does not possess the
necessary authority or qualifications to perform the control effectively.
A significant deficiency is a control deficiency (or
combination of control deficiencies) that adversely affects
the company's ability to initiate, authorize, record, process,
or report external financial data reliably in accordance
with GAAP such that there is more than a remote likelihood
that a misstatement of the company’s annual or interim
financial statements that is more than inconsequential will
not be prevented or detected. The term “remote likelihood”
is defined in paragraph 3(c) of SFAS 5 as when the “chance
of the future event or events occurring is slight.”
Thus, the likelihood of an event is “more than remote”
when it is either reasonably possible or probable.
A material weakness is a significant deficiency,
or a combination of significant deficiencies, that results
in more than a remote likelihood that a material misstatement
of the annual or interim financial statements will not be
prevented or detected. PCAOB Standard 2 points out that
in evaluating whether a control deficiency exists and whether
control deficiencies, either individually or in combination
with other control deficiencies, are significant deficiencies
or material weaknesses, the auditor should consider the
definitions in paragraphs 8, 9, and 10 and the directions
in paragraphs 130 through 137. The evaluation of the materiality
(paragraph 23) of the control deficiency should include
both quantitative and qualitative considerations. Qualitative
factors might include the nature of the financial statement
accounts and assertions involved and the reasonably possible
future consequences of the deficiency. Furthermore, in determining
whether a control deficiency or combination of deficiencies
is a significant deficiency or a material weakness, the
auditor should evaluate the effect of compensating controls.
Certifications in annual and quarterly reports. Section 302
and the related SEC rules require CEOs and CFOs to certify
the company’s annual and quarterly reports. The certification
requires management to sign a statement stating the following:
They have reviewed the report.
Based on their knowledge, the report does not contain
any untrue statement of a material fact or fail to state
a material fact that is needed to make the statements made not misleading.
Based on their knowledge, the financial statements and
other financial information fairly present in all material
respects the financial condition, results of operations,
and cash flows of the company. (Note that this certification
goes beyond just saying that the financial statements
and other financial information are presented in accordance with GAAP.)
They are responsible for setting up and maintaining “disclosure
controls and procedures” and “internal control
over financial reporting.”
They designed the “disclosure controls and procedures”
to make sure that material information is communicated
to management by others in the company.
They designed the “internal control over financial
reporting” to provide reasonable assurance about
the reliability of financial reporting and the preparation
of GAAP financial statements.
They evaluated and reported on the effectiveness of the
“disclosure controls and procedures” at the
end of the period covered by the report (tying in to Item 307).
They disclosed any change in internal control over financial
reporting that occurred during the quarter that materially
affected or is reasonably likely to materially affect,
the internal control over financial reporting [corresponding
to Item 308(c)].
They disclosed to the auditors and the audit committee
every quarter all significant deficiencies and material
weaknesses in the design or operation of internal control
over financial reporting which are reasonably likely to
adversely affect the ability to record, process, summarize,
and report financial information. Furthermore, they disclosed
any fraud, whether or not material, that involves management
or other employees who have a significant role in the
company’s internal control over financial reporting.
It is clear that the certification and the requirements of
section 404 as well as the SEC release must be a fully integrated
activity of management. No single part of these rules can
be complied with in isolation.
Before the SEC release, the section 302 certification was located
immediately after the signature section in the report. Now
these certifications must be filed as Exhibit 31 of Regulations
S-K and S-B, Item 601 [Rules 13a-14(a)/15d-14(a)]. PCAOB
Standard 2 (paragraphs 200–206) describes the work
that auditors must perform regarding management’s
certifications. Section 906 of the Sarbanes-Oxley Act requires
a second certification for periodic reports containing financial
statements that are filed with the SEC. Before the release,
the section 906 certification had to “accompany”
the SEC report, and it was usually filed as Exhibit 99.
Now the certification is required as Exhibit 32 of Regulations
S-K and S-B, Item 601 [Rules 13a-14(b)/15d-14(b)].
The section 906 certification says that the report fully complies with the
requirements of section 13(a) or 15(d) of the 1934 Act and
that the information contained in the report fairly presents,
in all material respects, the financial condition and results
of operations of the company. It should be noted that mere
compliance with GAAP does not ensure that a periodic report
meets the “fairly presents” standard.
Unlike the section 302 exhibit that is “filed” with
the SEC, the section 906 exhibit is “furnished”
to the SEC, which means that the section 906 certification
does not subject signatories to any liability for material
misstatements or omission of fact in connection with the
filed report under section 18 of the 1934 Act. Nor is it
automatically incorporated by reference into a registration
statement under the 1933 Act, which would then subject the
company to section 11 civil liabilities on account of a
false registration statement, unless the company takes specific
steps to include the certification in the registration statement.
Section 906 refers to “periodic reports containing financial
statements”; however, the SEC’s final rules
do not require section 906 certifications in Form 6-K (the
report of a foreign issuer under Rules 13a-16 and 15d-16),
Form 8-K [the current report under section 13 or 15(d)],
or Form 11-K [annual reports of employee stock purchase,
savings, and similar plans under Section 15(d)].
However, a failure to furnish the section 906 certifications violates
section 13(a) of the 1934 Act, and any periodic report filed
without the certification is considered incomplete. Because
section 906 is administered by the Department of Justice,
management may be subject to criminal penalties for false certifications.
It is a federal crime, punishable by a fine of up to $1 million
or imprisonment for up to 10 years, or both, for any officer
to file a section 906 certificate “knowing”
that the Form 10-Q/SB or 10-K/SB does not comply with the
requirements of the 1934 Act. In addition, any officer convicted
of “willfully” making a certification knowing
that it is false (i.e., knowing that the report does not
comply with the 1934 Act) would be subject to a fine of
up to $5 million or imprisonment for up to 20 years, or
both. Violations of section 302 are subject to civil penalties.
Many accelerated filers have already worked through the planning,
documentation, internal testing, and remediation phases
of section 404 compliance. Through the balance of this year,
auditors will continue, or begin to independently test the
internal controls and both management and the auditors will
form their opinions and write their reports. But for issuers
that have not yet begun the process, there is one most important
date: today. If issuers start preparing now, they
will be able to identify their internal control processes
and control deficiencies and, most important, will be able
to correct them before having to report them. If management
does not immediately begin the process of compliance, evaluation,
and documentation, they may find themselves facing a huge
mountain to climb and the embarrassment of having material
weaknesses to report and a qualified auditor’s opinion.
Management has a lot of reading and work to do. They need to understand
all the new rules; understand COSO and its components; apply
COSO to their significant business units and understand
the control environment; document, identify, and test the
key controls; and fix all the problems they discover. Management
also needs to plan ahead and get the help they need with
all these activities without violating the independence
of their auditors.
The new rules can also be viewed as a great opportunity. Management
can direct their attention to a great variety of risks in
the company in addition to those involving disclosures and
financial information. They have an opportunity to determine
what does not work in the company and institute best practices,
and at the same time improve corporate governance. These
new rules give management a much-needed push forward and
a tool to gain control over the company’s future.
Robert N. Waxman, CPA, with Corporate Finance Advisory,
New York, N.Y., is chair of the NYSSCPA’s International
Accounting and Auditing Committee.