The Buzz

The SEC required companies with market capitalization equal to or greater than $75 million (accelerated filers) to comply with section 404 of Sarbanes Oxley for fiscal years ending after November 15, 2004. Accordingly, in 2005 about 3,700 companies underwent the first wave of internal control audits. Of them, about one in seven reported material weaknesses.

Nonaccelerated filers will commence compliance for fiscal years ending after July 15, 2007. No one knows exactly how many eventually will comply, but about 12,000 companies are listed on various national exchanges. In addition, banking and insurance companies are discussing adopting “Sarbanes-Oxley-like” initiatives for nonpublic entities. Some states have enacted tougher regulations on not-for-profits and nonpublic broker-dealers soon may face increased regulation.

The auditors of public companies have to comply with PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, which provides guidance for a section 404 audit. The performance and reporting directions are based on the framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO’s 1992 report Internal Control—Integrated Framework describes five key components of internal control (the control environment, risk assessment, control activities, information and communication and monitoring) and provides businesses with evaluation tools.

The SEC requires that companies’ management design an internal control system that can substantiate every assertion in their financial statements. To do that, management has to analyze the company’s system of internal control over financial reporting and provide evidence sufficient to support its conclusions.

The external auditor’s responsibility is to do the following:

• Critically evaluate management’s assessment process.
• Evaluate both the design and effectiveness of the internal control system.
• Perform independent testing.
• Form an opinion on the internal control system.
• Communicate significant deficiencies and material weaknesses to both management and the audit committee.

Both management and the external auditor must evaluate any internal control deficiencies that exist and quantify their severity. Auditing Standard no. 2 prescribes a much lower deficiency threshold than previous audit guidance, which includes three definitions. First, an internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned duties, to prevent or detect misstatements on a timely basis. Second, a significant deficiency is a single deficiency or combination of deficiencies that results in a more than remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected. Finally, a material weakness is a significant deficiency or combination of significant deficiencies that results in a more than remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.