May 17, 2006
Section 404 Changes - Are we having fun yet?
Did anyone say that internal controls over financial reporting was boring? Hah! Two major events happened today:
1. Proposed Bill in Congress - "To reduce the burdens of the implementation of section 404 of the Sarbanes-Oxley Act of 2002." This bill (also known as the "COMPETE Act (S. 1020)") is sponsored by a collection of Republicans and a lone Democrat. Their objective according to a number of sources is to get this bill passed in 2007 once both Senator Sarbanes and Congressman Oxley retire in late 2006 and are not in their influential positions on various Banking and Finance committees.
Key pieces of the proposed bill are:
1. Proposed Bill in Congress - "To reduce the burdens of the implementation of section 404 of the Sarbanes-Oxley Act of 2002." This bill (also known as the "COMPETE Act (S. 1020)") is sponsored by a collection of Republicans and a lone Democrat. Their objective according to a number of sources is to get this bill passed in 2007 once both Senator Sarbanes and Congressman Oxley retire in late 2006 and are not in their influential positions on various Banking and Finance committees.
Key pieces of the proposed bill are:
- Exemption from Section 404 altogether (although you could volunteer) if you are one of the following: 1) market capitalization of less then $700 million, or 2) Annual revenue of less than $ 125 million, or 3) have fewer than 1,500 beneficial shareholders, or 4) have been subject to Section 14 (a) and 15(d) of the Securities Act of 1934 for a period of less than 12 months, or 5) the issuer has not filed, or is not required to file, and annual report under 13 (a) or 15 (d) of the Securities Act of 1934
- Random Audits - Basically after the first year of external auditor reviews, 10% of all filers above the exempted ones listed above would have to go through a random external auditor attestation of 404 each year moving forward. (Wow! Kind of like winning the lottery. Just more work. I wonder how you would negotiate audit fees under these circumstances!)
- Standards - Clearer definition as to what the terms "reasonable", "significant", and "sufficient" mean in the context of internal control over financial reporting
- British Accounting System Study - The SEC and PCAOB will be asked to study and compare Section 404 and the "principle-based" Turnbull Guidance under the securities laws of Great Britain (Note: only apply to LSE-listed, not to AIM listings). This proposed report would be due within one year of the passing of this proposed Act. (Note: The Brits are probably running scared at this point. This blogger has done some research on the effects of Turnbull and there is nominal evidence documented, and minimal statistics, by the Turnbull group to support its effectivity or to what extent external auditors take issue with internal controls over LSE-based issuers. Does anyone disagree or have facts to the contrary? Please tell me.)
2. SEC and PCAOB Announcements - Several hours later today both the SEC and PCAOB made the following announcements - click here:
- Guidance for companies with respect to management's assessment of internal controls over financial reporting (Section 404 (a)) will consider the following: 1) Concept Release on Management's assessment and the review by the External Auditor, and 2) Consideration of additional guidance from COSO in particular to help smaller companies with 404 (a), and 3) Consideration of the need to issue additional guidance to management on the undertaking of a more risk-based, top-down approach to evaluating internal controls over financial reporting (thus potentially reducing some of the perceived non-value added process-level activities)
- Revision to Audit Standard 2 - The PCAOB announced today that it would: 1) seek to ensure that auditors undertake more integrated audits and that they focus more on areas of materiality, and 2) incorporate key areas of the guidance issued on May 16, 2005 formally into AS2 thus reducing some of the Jekyll and Hyde behavior (described in a blog entry last week) currently associated with review of internal controls, and 3) revisit and clarify, what, if any role, the external auditor should have in evaluating the company's process for evaluating the effectiveness of internal controls over financial reporting (note: the "externals" would still have to conduct their own review of the effectiveness of ICFR)
- SEC Oversight of PCAOB Inspection Program - Basically the SEC inspectors will inspect the PCAOB inspectors inspections of the audit community. (Note: I guess the pendulum had to swing back against the auditors).
- Extension of Compliance for Non-Accelerated Filers - If your market cap is $ 75 million or less (check the SEC calculation/effectivity dates) then they are now proposing that you will have to provide your Management assessment and certification of internal controls over financial reporting ( Section 404 (a)) for fiscal years beginning on or after December 16, 2006. The happy news for those of you who do not like Section 404 (b), the external auditors attestation of internal controls, is that there is no formal date for phasing the auditors work back-in. However, it appears that the SEC will consider the above items before re-implementing the external auditor attestation. In this fashion the legislation seems quiet similar to the proposed Canadian rules on the same topic found in CSA notice 52-313.
So, what does today mean if you are a publicly-traded firm governed by SEC rules?. My best guess is as follows:
- Politics is in the air - 2006 is an election year. There is a fair amount of posturing all around. Things can change.
- Management of smaller filers are still going to have to sign-off on internal controls over financial reporting - Think about it. Section 302 already goes part of the way on internal controls and CEO/CFO certifications. If the business community resists the management report portion of 404, you might start to wonder as to the validity of 302 certifications. Big can of worms! Even bigger Pandora's box.
- Some smaller filers have bought a little bit of time - If your fiscal year-end as a smaller filer is between July 31st and November 30th you gained a few months. Everyone else is in the same shape as before. Everyone (which means about 5900 companies according to the SEC) is still going to have to file a management report and certification on internal control starting with those that have fiscal year ends of Dec 31, 2007 (the bulk of the group which will experience no timing change).
- External auditor attestation - Potentially it will be streamlined for all filers by improving AS 2 and that portion of the auditor's work that evaluates management's evaluation of internal controls over financial reporting could be eliminated. Too early to tell.
- Get on with business - The fact that the SEC is responding so quickly to the Proposed Bill is a sign that Smaller companies in particular should take note of. Internal controls are here to stay. Take the public's money and you will have to meet a common compliance standard.
Good night and good compliance.
