| Reporting
on Internal Control Over Financial Reporting
By
Abdel M. Agami
NOVEMBER 2006 - In
the wake of the business failures and corporate scandals that
began with Enron in 2001, the U.S. Congress passed the Sarbanes-Oxley
Act of 2002 (SOX). The objective of SOX was to introduce corporate
governance reforms aimed at restoring investors’ confidence
in the capital markets. SOX created the Public Company Accounting
Oversight Board (PCAOB) and gave it the power to establish
auditing, quality-control, ethics, and independence standards;
enforce compliance with these standards; inspect the extent
to which each registered public accounting firm adheres to
SOX; and submit an annual report to the SEC as to SOX compliance.
Section
404 of SOX requires management to assess the effectiveness
of its internal control over financial reporting (ICOFR)
as of the company’s fiscal year-end, and requires
the independent auditor to report on management’s
assessment and on the effectiveness of the company’s
ICOFR. Even though internal control system review has always
been an important component of an external audit, the requirement
of formal reports by both management and the auditor is
new.
Many
companies, especially small companies and foreign private
issuers, have complained that, in addition to the huge implementation
costs of SOX, guidance for management to apply when discharging
its responsibilities is lacking. They have stressed that
they need additional guidance about identifying an internal
control deficiency, deciding on the significance of a deficiency,
and defining what comprises a material weakness in the internal
control system. They have also had questions about how the
existence of material weakness in the internal control system
affects the auditor’s report on ICOFR, the company’s
financial statements, and the capital markets’ reaction
to the existence of material weakness in ICOFR.
Evaluation
of ICOFR
In
its Auditing Standard 2 (AS 2), the PCAOB defined ICOFR
as a process designed by management to provide reasonable
assurance regarding the reliability of financial reporting
and the preparation of financial statements in accordance
with GAAP. ICOFR is a subset of internal control specific
to financial reporting objectives. It does not encompass
the elements that relate to the effectiveness and efficiency
of a company’s operations or a company’s compliance
with applicable laws and regulations, with the exception
of compliance with the applicable laws and regulations directly
related to the preparation of financial statements.
The
PCAOB’s definition requires ICOFR to provide reasonable
assurance regarding the reliability of financial reporting
and the preparation of financial statements. Reasonable
assurance represents a high level of assurance, but it is
not absolute. It recognizes that, even when ICOFR is effective,
misstatements may occur, being neither prevented nor detected
on a timely basis.
In
deciding whether the ICOFR is effective, AS 2 requires that
a company’s management and its independent auditor
consider the likelihood and magnitude of a potential misstatement.
As Exhibit
1 shows, when an internal control deficiency is identified,
management and the auditor should decide whether this deficiency
is a significant deficiency or whether it is a material
weakness in ICOFR. If the likelihood of a misstatement is
more than remote and its magnitude is more than inconsequential
but less than material, the control deficiency is deemed
to be significant. If the control deficiency’s likelihood
of causing a material misstatement is more than remote,
it is considered a material weakness in the ICOFR.
The
PCAOB requires that management and auditors base their assessment
of the effectiveness of the company’s ICOFR on a suitable,
recognized control framework. AS 2’s performance and
reporting directions are based on the 1992 framework published
by the Committee of Sponsoring Organizations (COSO) of the
Treadway Commission, “Internal Control—Integrated
Framework.” Most companies have adopted the COSO internal
control framework as a basis for their assessment of ICOFR;
however, many companies are using the Control Objectives
for Information and Related Technology (COBIT) framework
as the basis for assessing control for their information
system management.
Reports
on ICOFR
If
a material weakness in ICOFR exists, management and the
auditor must conclude that ICOFR is not effective. All identified
material weaknesses that exist at year-end must be disclosed
in the reports on ICOFR. Deficiencies that are less than
material weaknesses are required to be disclosed to the
audit committee or the board of directors, and management
may disclose them in its report on ICOFR.
The
SEC requires management to disclose the following information
in its report on ICOFR:
-
A statement of management’s responsibility for establishing
and maintaining adequate ICOFR;
-
A statement identifying the framework used by management
to evaluate the effectiveness of ICOFR;
-
Management’s assessment of the effectiveness of
the company’s ICOFR as of the end of its most recent
fiscal year, including an explicit statement as to whether
that control is effective, and disclosure of any material
weakness identified;
-
A statement that the registered public accounting firm
that audited the financial statements has also issued
an attestation report on management’s internal control
assessment.
Exhibit
2 illustrates the different types of ICOFR reports,
the circumstances under which each type is required, and
the information to be included in the report.
The
auditor’s report on ICOFR includes two opinions:
-
Management’s assessment of the effectiveness of
ICOFR; and
-
The auditor’s independent assessment of the effectiveness
of the company’s ICOFR.
As
Exhibit
3 illustrates, the auditor will issue an unqualified
opinion on management’s assessment of the effectiveness
of ICOFR under two circumstances:
-
If the auditor did not find material weakness in ICOFR;
or
-
If the auditor and management have both identified material
weakness in ICOFR.
On
the other hand, if the auditor found material weakness in
ICOFR and management did not, the auditor must issue an
adverse opinion on management’s assessment of the
effectiveness of ICOFR.
The
auditor must also report on its independent assessment of
the effectiveness on ICOFR. The auditor may issue one of
three opinions, depending on this assessment:
-
An unqualified opinion on the assessment of the effectiveness
of ICOFR if there were no material weaknesses in ICOFR,
or ICOFR was effective;
-
An adverse opinion on the assessment of the effectiveness
of ICOFR if there are one or more material weaknesses
in ICOFR; or
- A
disclaimer if management has in any way restricted the
auditor’s scope of work needed to assess the effectiveness
of ICOFR.
Impact
on the Auditor’s Report
A company
can receive an unqualified (clean) opinion on its financial
statements from an independent auditor even if management
or the auditor identifies a material weakness in ICOFR.
If a material weakness in ICOFR is found, management and
the auditor should take the necessary steps to compensate
for the material weakness in the financial statement preparation
process by expanding the scope of testing account balances
or altering the audit approach and procedures in the area
of weakness. If, after expanding the scope of the audit,
the auditor can conclude that the financial statements are
fairly stated, the auditor may issue an unqualified opinion
on the financial statements.
Impact
on Capital Markets
In
many corporations management is concerned with how the capital
markets would react to the report, by management, the independent
auditor, or both, of material weakness in ICOFR. An article
in the Wall Street Journal on November 3, 2004,
discussed management concerns about a reaction to the reporting
of material weakness in ICOFR on the stock market. According
to this article, the stock prices of companies that disclosed
material weakness in ICOFR experienced declines of 5% to
10%. A study by the Stanford Law School, sponsored by Financial
Executives International (www.fei.org), which looked at
141 companies that disclosed material weakness in ICOFR
between November 2003 and October 2004, found that companies
which gave detailed disclosures regarding the material weakness
in their ICOFR experienced less of a decrease in stock price
than those that did not.
In
October 2004, Moody’s published Section 404 Reports
on Internal Control on Ratings. In this report, Moody’s
distinguished between material weaknesses in control over
specific account balances, which it calls Category A weakness,
and material weaknesses in company-level control such as
weaknesses in the control environment or the financial reporting
process, which it calls Category B weakness. Moody’s
indicated that it would give companies that disclose Category
A material weaknesses the benefit of the doubt and not take
any rating action, assuming management takes corrective
action to remedy the material weakness in a timely manner.
On the other hand, Category B material weaknesses may result
in a referral of the case to a rating committee for the
purpose of determining whether a rating action is needed.
Abdel
M. Agami, PhD, CPA, is a professor of accounting
at the American University in Cairo, Cairo, Egypt.
|