07/10/07

  

Revised Rules and Guidance Governing Management's Report on Internal Control over Financial Reporting and An Audit Thereof

Frank C. Bonaventure
410-347-7305
fcbonaventure@ober.com

Penny Somer-Greif
410-347-7341
psomergreif@ober.com


The Securities and Exchange Commission ("Commission") has published interpretive guidance directed to the management of public companies with respect to their evaluation of internal control over financial reporting ("ICFR") pursuant to the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 and the Commission's rules adopted thereunder.1 The Commission simultaneously adopted amendments to its rules to clarify that an evaluation that complies with the interpretive guidance will satisfy the requirement that management conduct an evaluation of the effectiveness of its company's ICFR.

The Commission also adopted amendments to its rules governing public companies auditors' attestation report on management's assessment of ICFR. Under the amendments, auditors are required to evaluate and report on the effectiveness of their client company's ICFR, but are no longer required to attest to management's evaluation of ICFR. The Commission has also adopted amendments to define the term "material weakness" and proposed amendments to define the term "significant deficiency."

In addition, the Commission has released for comment the Public Company Accounting Oversight Board's ("PCAOB") Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements ("AS5"), which upon adoption will replace Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements ("AS2"). The PCAOB has also adopted amendments to its requirements with respect to audit committee pre-approval of certain non-audit services. Both are subject to public comment and Commission approval prior to becoming effective.

The Commission and the PCAOB worked together to coordinate the interpretive guidance and AS5, with the goal that the audit process can be coordinated with management's evaluation process. As a result, many of the concepts discussed in the guidance and AS5, such as scalability to size and complexity of the company and utilization of a top-down, risk-based approach to testing ICFR, are consistent.

This memorandum provides a general overview of the Commission's guidance and the related amended rules, proposed rules, and AS5.2 We urge you to review the text of these provisions as applicable to your company, in particular, the Commission's guidance with respect to management's report on ICFR.

  1. Guidance Regarding Management's Report on ICFR
    1. Background of ICFR Requirements

      Commission rules under the Securities Exchange Act of 1934 ("Exchange Act") require that management of Commission reporting companies maintain ICFR that provides reasonable assurance regarding the reliability of financial reporting and the preparation of the company's financial statements for external purposes in accordance with generally accepted accounting principles. Commission rules require management of each reporting company to conduct an annual evaluation of the effectiveness of the company's ICFR as of the end of its fiscal year and include in the company's annual report on Form 10-K or 10-KSB management's report on ICFR that includes an assessment of the effectiveness of the ICFR, including a statement as to whether or not the ICFR is effective. The report must disclose any material weaknesses in ICFR management identified, and management may not conclude that ICFR is effective if one or more material weaknesses exist. Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment.

      Companies that are accelerated filers and large accelerated filers as defined in the Exchange Act have been subject to these requirements for several years. Small business issuers and other non-accelerated filers have been exempt from the requirements with respect to management's evaluation and the related auditor attestation, but will be required to comply with the management's evaluation requirement for fiscal years ending on or after December 15, 2007. Therefore, such companies with a December 31 year-end will be required to include the management's report in their annual reports on Form 10-K or 10-KSB for the year ended December 31, 2007, which will be filed in March 2008. The requirement that such companies' auditors conduct their own evaluation of ICFR, discussed in Section III below, will be applicable to small business issuers and other non-accelerated filers for years ending on or after December 15, 2008.

    2. Overview

      Management's evaluation of ICFR must be based on a "suitable, recognized control framework." The most recognized example of such a framework is the Internal Control — Integrated Framework (1992) developed by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"). The rule amendments the Commission adopted state, and the guidance itself emphasizes, that compliance with the interpretive guidance is one way, but not the only way, to comply with this evaluation requirement. Therefore companies may now use the guidance in place of the COSO or another suitable framework. Companies that are already subject to the requirements and have developed procedures to evaluate ICFR, however, need not revise their procedures to comply with the guidance as long as such procedures otherwise comply with Commission requirements governing management's evaluation and report on ICFR.

      The Commission's interpretive guidance provides a top-down, risk-based approach to conducting the annual evaluation of ICFR, as further outlined below. While applicable to companies of all sizes, the guidance stresses that procedures will vary among companies and that an evaluation of ICFR should be tailored to a company's individual facts and circumstances including, among other things, its size and complexity, and that companies should take advantage of the flexibility and scalability of the guidance in developing an effective evaluation process. For these reasons, the guidance will be particularly useful to small business issuers and other non-accelerated filers that may not yet have developed their evaluation procedures.

      The Commission believes that "the guidance will enable companies of all sizes and complexities to comply with [its] rules [applicable to ICFR] effectively and efficiently," in particular, by focusing the evaluation on those areas of greatest risk. The guidance is principles-based rather than prescriptive to avoid a "check the box" mentality and encourage management to conduct an evaluation making use "of all available facts and information to make reasonable judgments about the evaluation methods and procedures that are necessary to have a reasonable basis for the assessment of the effectiveness of ICFR and the evidential matter maintained in support of such assessment." The guidance is designed to be flexible and have management use its own knowledge and experience in designing an evaluation that provides a reasonable basis for its assessment of ICFR.

      Importantly, the guidance is designed to build on prior years' evaluations, so that in subsequent years the ICFR evaluation and assessment process should take less time and effort, since, for example, management's efforts to identify reporting risks and controls will be more focused on changes in risks and controls rather than identification of all such risks and controls that will take place in the initial year of compliance.

      Perhaps most importantly, the guidance specifically allows for management and the company's auditors to have different testing approaches with respect to their evaluations and assessments of ICFR. Without Commission guidance, the PCAOB standard for an audit of ICFR in many cases has become the de facto standard for management's ICFR evaluation.

      The guidance is effective as of June 27, 2007.

      While some constituencies have requested that the Commission implement additional postponements of the applicability of the required management ICFR evaluation and auditor attestation requirements to non-accelerated filers, the Commission has made clear that it does not currently intend to implement additional extensions. Therefore, companies that have not begun preparing for compliance with the requirements for management's evaluation and assessment of ICFR in their next annual report should begin to do so immediately.

    3. The Evaluation Process

      The purpose of management's evaluation of ICFR is to "provide management with a reasonable basis for its assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year." To that end, the guidance is organized around two broad principles. First, that management should evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner. Second, that management's evaluation of evidence about the operation of the company's controls should be based on its assessment of risk. Rather than needing to test and document every control, the guidance directs management to focus on those controls necessary to adequately address the risk of a material misstatement in the financial statements. Areas of lower risk will thus require less extensive testing and documentation.

      There are two steps in the evaluation process: (1) identifying financial reporting risks and evaluating whether the controls management has implemented adequately address those risks; and (2) evaluating evidence about the operation of the controls included in the evaluation based on the risk assessment. In each case, management should focus on the areas of highest risk to reliable financial reporting. The guidance also discusses considerations with respect to entity-level controls, information technology general controls, and multiple locations that we do not detail in this memorandum.

      1. 1) Identifying Financial Reporting Risks and Controls

        Under the guidance, management's evaluation process begins with an evaluation of whether it has implemented controls that will achieve the objective of ICFR (that is, providing reasonable assurance regarding the reliability of financial reporting). This is a two-step process involving, first, management's identification and assessment of the risks to reliable financial reporting, and second, management's evaluation of whether the controls it has put in place adequately address those risks.

        1. Identifying Financial Reporting Risks

          The guidance explains how management should go about identifying "those risks of misstatement that could, individually or in combination with others, result in a material misstatement of the financial statements." This includes evaluating how generally accepted accounting principles apply to the company's business and using management's knowledge and understanding about the business to identify potential sources of misstatements. The methods and procedures for identifying such risks will vary based on a company's individual circumstances, including its size, complexity, organizational structure, processes and financial reporting environment, among other things. For example, the guidance notes that in a small company with little complexity, management's daily involvement with the business may provide an adequate basis to identify financial reporting risks.

          The guidance enumerates potential areas of misstatement risks, including risk factors that impact the business, any changes in such risks, and the initiation, authorization, processing and recording of transactions and other adjustments. The guidance suggests that management may want to consider "what could go wrong within a financial reporting element" to help identify potential sources of material financial statement misstatements.

          Finally, the guidance exhorts management to consider the risk of fraud in this analysis and cautions that management should recognize that "the risk of material misstatement due to fraud ordinarily exists in any organization."

        2. Identifying Controls that Adequately Address Financial Reporting Risks

          Next under the guidance, management evaluates whether it has operating controls that adequately address the company's financial reporting risks. This "involves judgments about whether the controls, if operating properly, can effectively prevent or detect misstatements that could result in material misstatements in the financial statements." If a deficiency is determined to exist, management must evaluate, as detailed in part I.D below, whether a material weakness exists.

          Controls to address reporting risks may be designed to prevent errors and fraud or detect such errors and fraud after they occur, or a combination of both. Controls can address more than one reporting risk, or multiple controls may address a single risk. Management does not have to identify all existing controls – if management identifies a control that adequately addresses a particular risk, it need not identify other controls that also address the same risk. In this case, management might consider selecting the control that will be easiest to evaluate, for example, an automated control as opposed to a manual one.

          At the end of this process, management should have identified for evaluation those controls needed to provide reasonable assurance that the company's financial statements are reliable and for which evidence about their operation can be obtained most efficiently.

        3. Evidential Matter to Support the Assessment

          Commission rules require that management maintain reasonable support for its assessment of ICFR. As part of this support, management should document the design of the controls to address financial statement risk that it has identified during the process discussed in this section. The guidance notes that such documentation can take many forms, including paper, electronic and other media, and be presented in a number of ways, such as policy manuals, process models, flowcharts, job descriptions, documents, internal memos and forms.

      2. 2) Evaluating Evidence of the Operating Effectiveness of ICFR

        Next, management evaluates the effectiveness of the controls identified in step (1) above as being those that are most important to providing reasonable assurance of reliable financial reporting. Evaluating the effectiveness of a control considers both whether the control is operating as intended and whether the person performing the control has both the necessary authority and competence to perform the control effectively.

        The evaluation procedures should be based on management's determination of the risk characteristics of both the individual financial reporting elements and the related controls. As previously indicated, the evaluation should focus most on those areas of highest risk.

        1. Determining Evidence Needed to Support the Assessment

          In order to determine the evidence it needs to support its assessment, management must first evaluate the ICFR risk of the controls it identified in Section C(1)(b) above as adequately addressing financial reporting risk. In determining ICFR risk, management evaluates the risk characteristics of both (i) the financial reporting element itself and (ii) the control or controls over that financial reporting element. These two types of risk together make up ICFR risk.

          Evaluation of the risk of a financial reporting element includes both the materiality of the element and the susceptibility of the underlying account balances, transactions or other supporting information to a misstatement that could be material to the financial statements. As the materiality of a financial reporting element increases in relation to the amount of misstatement that would be considered material in the financial statements, management's assessment of misstatement risk for that element would increase. Further, the more the financial reporting element (i) involves judgment, (ii) is susceptible to fraud, (iii) has complex accounting requirements, (iv) experiences fluctuations in the nature or volume of the underlying account transactions, or (v) is sensitive to changes in environmental factors, the higher management would generally judge the risk of material misstatement with respect to that financial reporting element.

          With respect to the evaluation of the risk characteristics of the control itself (that is, the risk that the control would fail to operate as intended), management should consider, among other things: (i) whether the control is manual or automated and how often it operates; (ii) its complexity; (ii) management override risk; (iv) the judgment required to operate the control; (v) the competence of the persons who execute or monitor the control; (vi) any changes in key personnel who execute or monitor the control; (vii) the nature and materiality of misstatements that the control is designed to prevent or detect; (viii) the degree to which the control relies on the effectiveness of other controls; and (ix) evidence of the operation of the control from prior years.

          Applying the evaluation outlined above, the guidance therefore states that financial reporting elements involving related party transactions, critical accounting policies and critical accounting estimates generally would be assessed as having a higher misstatement risk. In addition, when controls related to these elements are subject to potential management override, involve significant judgment, or are complex, they should be generally assessed as having a higher ICFR risk.

        2. Implementing Procedures to Evaluate Evidence of the Operation of ICFR

          Management should then use its evaluation of ICFR risk (discussed in Section (2)(a) above) to determine the evaluation methods and procedures necessary to obtain sufficient evidence to provide a reasonable basis for its assessment of the operating effectiveness of the controls it has identified (as discussed in Section (1)(b) above) to adequately address financial reporting risks.

          These methods and procedures need not necessarily be performed solely for the purpose of conducting the ICFR evaluation. The evaluation methods and procedures may be performed along with the day-to-day operation of the business, as part of periodic or ongoing monitoring of controls, or as part of other activities if they provide the necessary evidence to support management's assessment of ICFR. Particularly in a small company, management's daily interaction with the company's controls, whether through direct involvement in their operation or through supervision of personnel involved, may provide it with sufficient evidence about their operation to conduct its evaluation of ICFR.

          Like all steps in the guidance, a company's particular facts and circumstances, including its assessed ICFR risk level, will dictate the nature and quantity of the evidence management needs for its assessment and the evaluation methods and procedures necessary to gather that evidence. Whether this evidence comes from direct testing of controls (i.e. periodic testing performed as of a certain point in time by persons with a high degree of objectivity with respect to the controls being tested), on-going monitoring activities, or both, will depend on, for example, whether the control is centralized or dispersed, involves a limited number of personnel or multiple management levels, and the nature of the persons involved in the day-to-day operation and/or oversight of the control (i.e. their objectivity with respect to the control and whether such personnel are responsible for conducting the assessment). In some cases, such as when there is a low level of objectivity with respect to the persons operating the control, direct testing can corroborate evidence gathered from on-going monitoring.

          Finally, management evaluates the evidence it gathers to determine whether the operation of a control is effective, including: (i) whether the control operates as designed; (ii) how the control was applied; (iii) the consistency with which the control was applied; and (iv) whether the persons operating the control possess the necessary authority and competency to do so effectively. If management determines that a control is not operating effectively, management must evaluate whether that deficiency constitutes a material weakness that must be reported, as further discussed in Section D(1) below.

        3. Evidential Matter to Support the Assessment

          Management's assessment of ICFR must be supported by evidential matter that provides reasonable support for its assessment including the basis for its assessment, documentation of the methods and procedures used to gather and evaluate evidence, and documentation of how management formed its conclusion about the effectiveness of ICFR. The nature of the evidential matter will vary depending on the individual circumstances of both the company and the control being evaluated, including the assessed level of the control's ICFR risk, its complexity, and the judgment involved in its operation. Such evidential matter can take many forms, including memos discussing the evaluation and basis for management's conclusions. If management determines that the company's books and records contain sufficient evidential matter to support its assessment, it may determine not to maintain separate copies of the information it evaluates. The guidance provides an example of a smaller company in which management's daily interactions with its controls provide the basis for its assessment. In such case, however, management should still consider documenting how its interaction provided it with sufficient evidence, such as through memoranda, e-mails or instructions or directions to and from management, as to be an adequate basis for its assessment. Further, daily interaction as a source of evidence for the operation of controls only suffices as evidential matter when the members of management responsible for assessing ICFR gain that knowledge directly from their on-going direct knowledge and supervision of controls. Therefore, we believe that management's obtaining sub-certifications with respect to the operation and effectiveness of such controls by the persons responsible for their day-to-day operation will not, by itself, constitute appropriate evidentiary matter to support its assessment.

    4. Reporting Considerations

      Pursuant to Item 308(a) of Regulation S-K and Regulation S-B, reporting companies must include in their annual reports on Form 10-K or 10-KSB a management's report on ICFR. The report must include management's assessment of the effectiveness of the company's ICFR as of the end of its fiscal year, including a statement as to whether or not ICFR is effective. The report must include disclosure of any material weaknesses in ICFR that management has identified. This section of the guidance discusses management's evaluation of the control deficiencies identified as part of the evaluation discussed in Section C(2)(b) above and other considerations with respect to management's assessment and report.

      In addition to the issues discussed below, the guidance also discusses the potential impact of a financial statement restatement on management's report on ICFR and the inability to assess certain aspects of ICFR, such as when certain processes are outsourced. In the latter case, the guidance reiterates that there are no exceptions to the assessment requirements in such instances, and states that management must determine whether its inability to assess particular controls is significant enough to prevent it from concluding that the company's ICFR is effective.

      We note that the assessment must be reported as of the end of the company's fiscal year. Therefore, we suggest that companies that will be completing the evaluation and assessment process for the first time conduct a "dry run" of the process early so that any material weaknesses can be identified and remediated prior to the end of the fiscal year. While any such changes to ICFR will likely have to be reported pursuant to Commission rules, this will at least give the company an opportunity to avoid disclosure that ICFR was not effective as of the end of the fiscal year.

      1. 1) Evaluation of Control Deficiencies

        According to the guidance, management must evaluate the severity of each control deficiency that comes to its attention in order to determine whether a control deficiency, or a combination of control deficiencies, constitutes a material weakness that must be reported. Deficiencies that are considered significant deficiencies, but do not rise to the level of a material weakness, must be reported to the outside auditors and the audit committee of the company's board of directors.3

        According to the guidance, management should consider whether each control deficiency, individually or in combination with others, is a material weakness as of the end of the company's fiscal year. Deficiencies that may not constitute a material weakness by themselves may in combination with others, particularly when multiple deficiencies relate to the same financial statement amount or disclosure or component of ICFR; therefore, management should evaluate such deficiencies collectively to determine whether they result in a material weakness.

        According to the guidance, "management evaluates the severity of a deficiency in ICFR by considering whether there is a reasonable possibility that the company's ICFR will fail to prevent or detect a material misstatement of a financial statement amount or disclosure; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies." Management should consider both quantitative and qualitative factors in this evaluation. Whether a material misstatement actually occurred, however, is irrelevant; it is the risk that the company's ICFR would fail to prevent such a potential misstatement that is important.

        The guidance notes that risk factors will affect whether there is a reasonable possibility that a deficiency or combination thereof will result in a material financial statement misstatement. These risks include, but are not limited to: (i) the nature of the financial reporting element involved; (ii) the susceptibility of the related asset or liability to loss or fraud; (iii) the subjectivity, complexity or extent of judgment required to determine the amount involved; (iv) the interaction or relationship of the control with other controls, including whether they are interdependent or redundant; (v) the interaction of the deficiencies (i.e. whether they could affect the same financial statement amounts); and (vi) possible future consequences of the deficiency. The guidance also lists the amounts exposed to the deficiency and the volume of activity in the account balances or classes of transactions exposed to the deficiency as factors that might affect the magnitude of the misstatement that might result from a deficiency or combination of deficiencies.

        While emphasizing that management must consider all relevant information in determining whether a deficiency or combination of deficiencies constitute a material weakness, it lists several potential indicators of a material weakness, including identification of fraud on the part of senior management and previous restatements to correct a material misstatement.

      2. 2) Expression of Assessment of Effectiveness and Additional Disclosures

        The guidance indicates that while management may not qualify its assessment of ICFR, for example, by stating that ICFR is effective subject to certain qualifications, it may state the specific reasons that controls are ineffective.

        Further, the guidance suggests that in addition to the required disclosure about the existence of material weaknesses, companies consider disclosing (i) the nature of any material weaknesses, (ii) their impact on the company's ICFR and financial reporting, and (iii) any plans or actions undertaken to remediate such material weaknesses.

  2. "Material Weakness" and "Significant Deficiency"

    Currently, Commission rules that use the terms "material weakness" and "significant deficiency" simply refer to the definitions of such terms in generally accepted auditing standards. The Commission has now adopted amendments to its rules to define the term "material weakness" and proposed rule amendments to define the term "significant deficiency." The definitions are consistent with those adopted by the PCAOB in AS5. The amendments applicable to the definition of "material weakness" will be effective August 27, 2007.

    Under the amended rules, a material weakness is defined as "a deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the [company's] annual or interim financial statements will not be prevented or detected on a timely basis." Most significantly, this definition replaces the term "more than remote" that exists under the current standards with "reasonable possibility." While the technical meanings of these terms are the same, it is believed that the term "reasonable possibility" is clearer and will be better understood.

    Under the proposed amendments, the term significant deficiency means "a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a [company's] financial reporting."

  3. Auditors' Evaluation of ICFR
    1. Auditors to Opine Solely on Effectiveness of ICFR

      Under current Commission and PCAOB rules, a company's outside auditors are required to express an opinion on both the effectiveness of the company's ICFR and management's assessment thereof. Under the Commission's amended rules, which correspond to the same change adopted by the PCAOB in AS5, a company's auditors are required only to express a single opinion directly on the effectiveness of ICFR. While the Commission's rule amendments will be effective August 27, 2007, auditors will be required under PCAOB rules to issue the dual opinions until AS5 is effective. However, the Commission and PCAOB anticipate that AS5 will be effective for audits for years ending on or after November 15, 2007.

    2. Auditing Standard No. 5 and Audit Committee Pre-Approval
      1. 1) Auditing Standard No. 5

        On May 24, 2007, the PCAOB approved new AS5 to replace existing standard AS2 which governs a public company's auditors' audit of the company's ICFR.

        The new standard is principles-based and designed to eliminate unnecessary procedures as compared with audits that have been conducted pursuant to AS2. In that regard, the new standard states that the auditors' ICFR audit should be integrated with its financial statements audit, and reiterates that it is not necessary to test every control or, in general, redundant controls. Compared to AS2, the new standard is both more risk-based and scalable for companies of various sizes and complexities.

        Like the Commission guidance discussed in Section I above, AS5 encourages auditors to take a top-down, risk-based approach to their audit of ICFR. In fact, the new standard states that risk assessment should "under[lie] the entire audit process" and that the amount of attention auditors focus on a particular area of a company's ICFR should be directly related to the amount of risk that a material weakness could exist in that area. The new standard directs auditors to test those controls that are designed to sufficiently address assessed risks of material financial statements misstatements, as opposed to all controls that make up a company's ICFR.

        According to the PCAOB, the new standard is designed to achieve four objectives:

        • Focus the ICFR audit on the most important matters. The new standard, similar to the Commission guidance discussed in Part I above, focuses auditors on those areas that present the greatest risk that a company's ICFR will fail to prevent or detect a material misstatement in its financial statements and related disclosures.
        • Eliminate procedures that are unnecessary to achieve the intended benefits. For example, the new standard eliminates the requirement that the auditors evaluate management's own evaluation of ICFR and refocuses the multi-location direction on risk rather than coverage by removing the requirement that the auditors test a "large portion" of the company's operations or financial position.
        • Make the audit clearly scalable to fit the size and complexity of any company. The new standard explains how to tailor audits of ICFR to the size and complexity of the company being audited. The PCAOB anticipates issuing guidance on auditing ICFR in smaller companies later this year that will further develop this area.
        • Simplify the text of the standard. AS5 and easier to read than AS2.

        While the standard requires, as part of the ICFR audit, that the auditors' procedures achieve the objectives of a properly performed walkthrough, AS5 provides flexibility in this area by not actually requiring that a walkthrough be performed.4 AS2 requires that auditors perform a walkthrough of each major class of transactions within a significant process. In addition, the new standard emphasizes that auditors need not scope the audit to find deficiencies that, individually or in the aggregate, do not constitute material weaknesses. AS5 also expressly permits auditors to use testing and other internal control work of persons in addition to the company's internal auditors5 in conducting their ICFR audit, including both company personnel and outside parties working under management's or the audit committee's direction, and allows auditors to consider knowledge obtained from past audits of ICFR in determining the testing necessary in the current year.

        AS5 also requires that auditors review the control environment of the company whose ICFR they are evaluating. This includes:

        • whether management's philosophy and operating style promote effective ICFR;
        • whether the company, particularly top management, develops and understands sound integrity and ethical values; and
        • whether the board or audit committee understands and exercises oversight responsibility of ICFR.

        Finally, although AS5 does not require that the auditors opine on management's evaluation of ICFR, it continues to require that auditors "evaluate the presentation of the elements that management is required, under the [Commission's] rules, to present in its annual report on [ICFR]" and, if the auditors determine that any such elements are improperly presented or incomplete, to discuss their reasons for such determination in the auditors' report on ICFR.

        The Commission must approve AS5 before it can become effective; we don't expect, however, that there will be significant changes between the standard as adopted by the PCAOB and the final standard as approved by the Commission. AS5 was published in the Federal Register on June 12, 2007, with comments due July 12, 2007.

      2. 2) Audit Committee Pre-Approval

        Also on May 24, 2007 the PCAOB adopted related Rule 3525, Audit Committee Pre-Approval of Non-Audit Services Related to Internal Control Over Financial Reporting. Under Rule 3525, in connection with seeking audit committee pre-approval to perform a permissible non-audit service related to a client public company's ICFR, the auditors must (i) describe to the audit committee in writing the scope of the service, (ii) discuss with the audit committee the potential effects of the service on the audit firm's independence, and (iii) document the substance of its discussion with the audit committee.

    This Memorandum contains only a general summary of the guidance, rules and proposals discussed herein and should not be construed as providing legal advice. Again, we urge those involved in their company's ICFR processes to review the Commission's guidance and the new and amended rules. We also suggest such persons consider reviewing AS5 to gain a better understanding of what the auditors will be required to do in connection with their audit of the company's ICFR. If you have any questions about the information in this Memorandum, please contact Frank C. Bonaventure at (410) 347-7305 or Penny Somer-Greif at (410) 347-7341.

    Notes

    1SEC Release Nos. 33-8810, 34-55929 (June 20, 2007); available at http://www.sec.gov/rules/interp/2007/33-8810.pdf.

    2The adopting release for the amended rules is available at http://www.sec.gov/rules/final/2007/33-8809.pdf and the proposing release for the proposed definition of "significant deficiency" is available at http://www.sec.gov/rules/proposed/2007/33-8811.pdf. AS5 is available at http://www.sec.gov/rules/pcaob/2007/34-55876fr.pdf.

    3The terms "material weakness" and "significant deficiency" are discussed in Part II of this memorandum.

    4To perform a walkthrough, the auditor "follows a transaction from origin through the company's processes … until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. … Walkthroughs usually consist of a combination of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control."

    5The PCAOB's current standard AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements also continues to apply to the use of the work of internal auditors in an integrated audit of ICFR and the financial statements.

 

 

Ober, Kaler, Grimes & Shriver

Maryland
120 East Baltimore Street, Baltimore, MD 21202
Telephone 410-685-1120, Fax 410-547-0699

Washington, D.C.
1401 H Street, NW, Suite 500, Washington, DC 20005
Telephone 202-408-8400, Fax 202-408-0640

Virginia
407 North Washington Street, Suite 105, Falls Church, VA 22046
Telephone 703-237-0126, Fax 202-408-0640