Share |
Article Categories Advertising, Marketing & Trademark Antitrust and Trade Regulation Bank & Finance China Construction Corporate & Securities Electronic Discovery Resources Employment & Labor Energy Family Law Government Relations Health Law Immigration Intellectual Property Internal Investigations International Internet, Technology &
E–Commerce Life Sciences Litigation Non-Competes & Trade Secrets Real Estate Shareholder Disputes Tax Planning & Business Organization Trusts & Estates White Collar & Regulatory Defense
 
Erik E. Malinowski

Erik E. Malinowski Securities

emalinowski@fredlaw.com
612.492.7360
Printable Version

Internal Controls over Financial Reporting for Non-Accelerated Filers

By: ERIK E. MALINOWSKI

October 2008

Under Section 404 of the Sarbanes-Oxley Act (Section 404), public companies are required to include both an assessment of management with regard to their internal controls over financial reporting (ICFR) and an auditor’s attestation report regarding ICFR. For non-accelerated filers – smaller public companies with a public float under $75 million – the Securities and Exchange Commission (SEC) has delayed, on multiple occasions, the implementation of these requirements. However, while a further delay with respect to the auditor attestation requirement was recently approved,1 the 2007 annual filing marked the first time a non-accelerated filer’s management was required to report its assessment of the company’s ICFR in its annual report.  

Compliance with Section 404 can be difficult and expensive, particularly for smaller public companies. In light of the compliance requirement for last year’s annual report, non-accelerated filers should already have key controls in place, strengthened internal audit processes and documented their existing financial controls adequately. If a non-accelerated filer does not have adequate controls in place, or has not taken steps to implement such controls, the company may suffer due to negative reports arising from the required disclosure of its status relative to such controls.

During the summer of 2007, the SEC adopted final interpretive guidance with respect to management assessment of ICFR.2 This guidance, with its “top-down, risk based” focus, is intended to assist management in conducting its assessment of the effectiveness of a company’s ICFR. It allows smaller companies to develop their own assessment procedures and practices that address specific circumstances, rather than mandating the use of a singular – and potentially burdensome – evaluation process.

Developing Controls


Developing adequate controls over financial reporting depends both on the company and its exposure to various types and degrees of financial risks. Management should identify those areas of risk, including industry- and company-specific risks and transaction recording risks, that could lead to errors or misstatements in financial statements. Management needs to understand the United States generally accepted accounting principles (GAAP) and how GAAP requirements apply to the company’s business in order to identify areas of risk for financial misstatements. As part of its determination of risk, management should also address the potential for fraud within the company’s financial reporting process.

Once management identifies areas of risk, it should then identify and evaluate the controls that address such risks. Management should consider certain control characteristics during their identification process, such as whether a control is automated versus manual. If a control is manual, management should ascertain the potential and opportunity for human error or fraud. If a control is automated, the question arises whether appropriate technological and informational controls exist – including general information technology controls – and whether the same control addresses multiple risks.

Evaluating Controls


After controls have been identified and developed, management should evaluate whether the controls are effective in practice. Such evaluation requires gathering of evidence to demonstrate the control is working to address its corresponding risks. If a specific control has a greater chance of failure, more evidence will be necessary to determine whether the control is operating effectively.

Gathering evidence requires time and resources. Larger companies with greater resources may assign separate personnel to gather evidence related to financial controls. Smaller companies are likely less able to designate special employees, yet if they face higher risks of failure of certain controls, even more data and evidence are needed to evaluate such controls, increasing the burden. In certain circumstances, however, smaller company management can rely on its own supervision and knowledge of internal controls in an effort to minimize costs.

Determination of Effectiveness


After all the evidence is gathered and compiled regarding internal controls, management must determine whether the controls are effective or suffer from deficiencies. Management should determine how the control is applied, whether it functions as designed, if the company’s personnel are adequately trained and authorized to apply the control, and whether the control has operated in a consistent manner. If a control has deficiencies sufficient to create a reasonable possibility of a material misstatement or omission on the company’s financial statements, then the control has a “material weakness,” and management cannot deem the control to be effective.

If management does determine that a control suffers a material weakness, the control and the material weakness must be described in management’s assessment of ICFR in the company’s annual report. Management should also include a discussion of the potential impact of the material weakness on the company’s financial statements and what steps the company has taken or intends to take to remedy the material weakness.

Documentation


Companies are also required to document and keep records of the control evaluation process to support management’s determination. No single method or medium is required for documentation, but companies and management should maintain written records regarding control design, evidence gathering, control evaluation and other support for management’s determination of effectiveness.

Consultants and Auditors


For non-accelerated filers, the ICFR evaluation process and bringing the company into Section 404 compliance can require significant resources and time. Management may consider engaging third-party consultants to assist the company in addressing its internal controls and ICFR reporting. While, pursuant to the Sarbanes-Oxley Act, the company’s auditors cannot assist with the ICFR evaluation and problem resolution processes, management should begin interfacing with the company’s outside auditors to establish a timeline to allow the auditors to test controls in advance of their attestation requirement. When developing a timeline, management should consider including sufficient time and resources to allow for any identified deficiencies or disagreements regarding controls to be resolved. Non-accelerated filers have been given additional time to undertake the process necessary to provide an auditor attestation report regarding ICFR in its annual report, as the SEC recently approved a further one-year extension (mandating it for fiscal years ending on or after December 15, 2009).

If you have any questions or desire additional information, please contact Erik Malinowski or any member of Fredrikson & Byron’s Securities Group.

Takeaway


Despite additional delays of the auditors’ assessment of internal controls over financial reporting, management needs to assess such controls and report its findings in each annual report.

________________________

1 Securities Act Release No. 33-8934 (June 26, 2008).

2 SEC Interpretive Release No. 33-8810 (June 27, 2007).