December 6, 2002

Via E-mail - rule-comments@sec.gov

Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549

Attention: Jonathan G. Katz, Secretary

      Re: File No. S7-40-02
      Release Nos. 33-8138; 34-46701; IC-25775
      Disclosure Required by Sections 404,
      406 and 407 of the Sarbanes-Oxley Act of 2002

Ladies and Gentlemen:

This letter is submitted on behalf of the Committee on Federal Regulation of Securities and the Committee on Law and Accounting (collectively, the "Committees")* of the American Bar Association's Section of Business Law in response to the request of the Securities and Exchange Commission (the "Commission") for comments on its October 22, 2002 release entitled Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002, Release Nos. 33-8138; 34-46701; IC-25775 (the "Release").1 This letter addresses only the proposals related to Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act"). We will comment separately on the proposals related to Sections 406 and 407 of the Act.

The comments expressed in this letter represent the views of the Committees only and have not been approved by the American Bar Association's House of Delegates or Board of Governors and therefore do not represent the official position of the Association. In addition, this letter does not represent the official position of the ABA Section of Business Law; nor does it necessarily reflect the views of all members of the Committees.

For ease of reference, please note that the topics discussed in this letter appear in the following order:

      A. Introduction

      B. Definition of "Internal Controls and Procedures for Financial Reporting"

      C. Relationship between "Internal Controls and Procedures for Financial Reporting" and "Disclosure Controls and Procedures"

      D. Evaluating Internal Controls and Procedures for Financial Reporting

      E. Disclosure of Significant Deficiencies and Material Weaknesses

      F. Disclosure of Significant Changes to Internal Controls and Procedures for Financial Reporting

      G. Management's Internal Control Report

      H. Standards for "Effective" Internal Controls and Procedures for Financial Reporting

      I. Implementation

      J. Specific Questions in the Release

    A. Introduction

      Section 404 of the Act requires the Commission to implement rules requiring each annual report filed with the Commission pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), to contain a management internal control report, in which management states its responsibility for establishing an adequate internal control structure and procedures for financial reporting and assesses their effectiveness. Section 404 also requires an issuer's "registered public accounting firm" to attest to, and report on, management's assessment.

      The Release proposes rules to implement Section 404 and, in tandem, proposes rules to revise the certification rules implementing Section 302 of the Act. While the proposals primarily take the form of disclosure requirements, before any disclosure can be made, most, if not all, issuers will have to develop and implement new or additional systems and procedures which can be documented so that management and outside auditors are able to render separate reports. Thus, disclosure will only be the end product of an enhanced internal control process.

      We support the Commission's rulemaking efforts both to implement the provisions of the Act, itself a monumental task, and to pursue its reform agenda to improve and modernize corporate disclosure and financial reporting. To facilitate and support these efforts, we believe that the goals of this rulemaking should be to implement Section 404 in a manner that balances the needs of investor protection on the one hand against the need to avoid unnecessary additional exposure to liability and compliance costs, in terms of both time and expense, on the other. Moreover, the rulemaking should complement, rather than conflict with, current auditing literature and recently adopted rules of the Commission. We believe that the proposals do not fully realize these goals in a number of respects and recommend revisions to enhance their effectiveness and to reduce unnecessary burdens.

      In particular, the Release leaves many important issues open to interpretation. Without a common terminology or basis of understanding acceptable to public companies, "registered public accounting firms," as defined in the Act, the Commission and the Public Company Accounting Oversight Board (the "Oversight Board"), the proposed rules cannot be implemented effectively. Public companies, their management and auditors unnecessarily would need to spend money and time to develop new standards or attempt to develop a consensus on auditing standards rather than improve their own systems, which is what this rulemaking should encourage. Open issues include:

      · The definition of "internal controls and procedures for financial reporting";

      · The relationship between "internal controls and procedures for financial reporting" and the "disclosure controls and procedures" required by Rules 13a-15 and 15d-15 of the Exchange Act;

      · The scope and scale of evaluation required for quarterly reports as compared to annual reports;

      · The scope of the certification required by existing Rules 13a-14 and 15d-14 under the Exchange Act and by the proposed amendments to these rules;

      · The content of management's internal control report; and

      · The standard or measure by which management is able to determine whether internal controls and procedures for financial reporting are "effective."

      Some of these open issues are addressed in the integrated framework for internal control established by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") in 1992.2 The COSO Report provides a definition of internal control that is now adopted in the auditing literature3 and a framework for internal control as well as tools for the evaluation of internal control. Certain depository institutions and bank holding companies subject to the FDIC Improvements Act of 1991 ("FDICIA") have had experience under FDICIA in applying the COSO framework of internal control in connection with their managements' evaluation and report on internal control.4 Indeed, although the proposed rules represent new disclosure requirements under the federal securities laws, the concept of management reporting on internal controls is supported in the COSO Report and the attestation literature and is well-established in practice.5

      Because the COSO Report supplies the terms, criteria and methodologies applicable to management reporting on internal control - and because of the experience with the COSO Report in connection with FDICIA - our recommendation is that the Commission either adopt the framework established in the COSO Report for evaluating and reporting on internal controls and procedures for financial reporting or give companies the option of using that framework for evaluating and reporting on internal controls and procedures for financial reporting.6 So doing could result in cost-effective compliance for issuers and their outside auditors.

      In this letter, we address each of the open issues identified above and answer the specific questions posed in the Release to the extent they are not previously addressed.

    B. Definition of "Internal Controls and Procedures for Financial Reporting"

      Section 404 uses the undefined term, "internal control structure and procedures for financial reporting." The Release would replace this term with "internal controls and procedures for financial reporting," which would be defined as the "controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards § 319 ["AU Section 319"] or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board."7

      AU Section 319 defines internal control as a process "effected by the board of directors, management, and other personnel [and] designed to provide reasonable assurance" regarding the achievement of three objectives: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations. The Commission's proposed term covers only those controls relevant to the preparation of financial statements and therefore appears to focus only on the "reliability of financial reporting" objective of internal control. Hence, "internal controls and procedures for financial reporting" is a subset of internal control, as defined in AU Section 319 and in the COSO Report.8

      We support an effort to define the proposed term because the rules implementing Section 404 should be clear as to which controls are required to be evaluated and reported on. Further, we support the focus of the proposed term on the internal controls that pertain to the preparation of financial statements for external purposes, which is consistent with the focus of Section 302 of the Act and the COSO Report's guidelines on management reporting on internal control, which deal exclusively with the internal controls over the preparation of published financial statements. Moreover, evaluating and reporting on controls over financial reporting are well-developed disciplines. Therefore, the costs of compliance should not have to include creating new systems of standards and procedures. In comparison, "[i]f the scope of [management] reporting is extended to operations and compliance objectives ... efforts and related costs [would] increase very substantially... ."9

      We have two principal comments with respect to the proposed term:

      First, the definition of "internal controls and procedures for financial reporting" relies upon AU Section 319, rather than the COSO Report, which is the basis for AU Section 319.10 Titled "Consideration of Internal Control in a Financial Statement Audit," AU Section 319 is directed to supporting the outside auditor's "understanding" of internal controls "sufficient to plan the audit," which means understanding the design of the relevant controls and determining whether they have been placed in operation.11 In contrast, Section 404 of the Act requires management to evaluate and determine whether internal controls are "effective" and the outside auditor to attest to, and report on, management's assertions in its internal control report.

      The difference between AU Section 319 and Section 404 can be illustrated by the fact that, although management and outside auditors already review internal controls in conjunction with the annual audit, the Release states that "in many cases such reviews may not be as thorough or as detailed as the proposed rules would require."12

      Compared to AU Section 319, the COSO Report provides a broader context for "internal control," one that is part of an integrated framework of internal control that also includes guidance with respect to management reporting on internal control. Because of the relevance and applicability of this framework to Section 404, we believe that the COSO Report is a preferable alternative to AU Section 319 as the basis for the definition of internal controls and procedures for financial reporting.

      Second, the Release states that one of the three objectives of internal controls and procedures for financial reporting is to provide reasonable assurance that assets are safeguarded against unauthorized or improper use, an objective which seems to be in tension with the definition of internal controls and procedures for financial reporting. Although we recognize that the safeguarding of assets controls can sometimes be viewed, depending on how the issuer structures its internal control system, as falling under the financial reporting objective, and not the operations objective, of internal control as defined in AU Section 319 and the COSO Report,13 we believe that the rules, as adopted, should make clear that internal controls and procedures for financial reporting do not include those controls aimed at providing reasonable assurance that assets are safeguarded against unauthorized or improper use. The language of Section 404 does not require management to evaluate or report on the safeguarding of assets controls; and issuers are already obligated to maintain these controls pursuant to Section 13(b)(2) of the Exchange Act.

    C. Relationship between "Internal Controls and Procedures for Financial Reporting" and "Disclosure Controls and Procedures"

      The Release proposes to use the proposed new term in the Section 302 certification, thereby replacing "internal controls" with "internal controls and procedures for financial reporting." The current relationship between "internal controls" and "disclosure controls and procedures" is unclear because "internal controls," as embodied in Section 13(b)(2)(B) of the Exchange Act, pertains to an issuer's financial reporting and control of its assets.

      At issue is the scope and content of the officer certifications. Some believe that internal controls are a subset of disclosure controls and procedures because financial and non-financial disclosures cannot be presented in periodic reports without effective internal controls. Others believe that internal controls overlap with, or intersect with, disclosure controls and procedures with respect to the financial reporting controls, but not with respect to the safeguarding of assets controls.

      The Release states that periodic evaluations of internal controls are not required by existing Commission rules; this leads to the conclusion that internal controls are not a part of disclosure controls and procedures, which are required to be evaluated periodically.14 Elsewhere in the Release, with respect to the proposed term, the Commission states that "a significant portion of internal controls and procedures for financial reporting are included in disclosure controls and procedures,"15 but neither the Release nor the proposed terms specify which portion of internal controls and procedures for financial reporting are not included.16

      The Commission should clarify this uncertainty as it applies to existing Rules 13a-14 and 15d-14 for certifications in reports for periods ending on or after August 29, 2002. This uncertainty is significant given the potential liability for a false certification: CEOs and CFOs may face personal liability, and their companies may face Section 11 liability when the periodic reports are incorporated by reference into registration statements on Form S-3.

      Moreover, the Commission should clearly distinguish between the proposed term, "internal controls and procedures for financial reporting," and disclosure controls and procedures.17 No good purpose can be served by not clarifying the distinction between, or the boundaries of, terms about which the principal executive and finance officers would be certifying.18 We suggest that one way that the Commission could clarify the distinction is as follows: the internal controls necessary to reasonably assure that revenues and expenses are recorded properly would not be part of disclosure controls and procedures, whereas the internal controls necessary to reasonably assure that the financial statements are prepared properly using the revenue and expense information that has been recorded would be part of disclosure controls and procedures. 

    D. Evaluating Internal Controls and Procedures for Financial Reporting

      When the Commission adopted rules under Section 302 of the Act, there was confusion as to when management is required to evaluate internal controls. Section 404 requires only an annual evaluation of internal controls, and current Commission rules do not require quarterly evaluations of internal controls.19 However, Rules 13a-15 and 15d-15 require quarterly evaluations of disclosure controls and procedures and, as the Release states, a "significant [albeit undefined] portion of internal controls and procedures for financial reporting are included in disclosure controls and procedures." This statement calls into question which internal controls and procedures are included and therefore require quarterly evaluation by management. In addition, to make meaningful their quarterly certifications with respect to internal controls - e.g., that they have disclosed significant changes to internal controls since the date of the evaluation in the periodic report - the CEO and CFO must necessarily evaluate internal controls on a quarterly basis to some extent.

      The proposed amendments to Rules 13a-14 and 15d-14, and to Rules 13a-15 and 15d-15, would require management to evaluate internal controls and procedures for financial reporting for each quarterly and annual report and to certify as to internal controls and procedures to the same extent as to disclosure controls and procedures.20 Although these proposals would clarify somewhat the confusion created by the rules implementing Section 302, we do not believe that management should be required to separately evaluate and certify to internal controls and procedures for financial reporting for each periodic report. A quarterly evaluation of all aspects of internal controls and procedures tantamount to an annual evaluation would be extremely burdensome, expensive21 and difficult to perform under the time constraints of quarterly reporting, particularly as the accelerated filing deadlines for quarterly reports take effect. As the Release states, "companies and accounting firms likely will need additional time to actually perform these activities."22

      We suggest that the Commission clarify the extent to which internal controls and procedures for financial reporting must be evaluated to support current certification requirements, but not require a separate quarterly evaluation of, or certification of, internal controls and procedures for financial reporting until the Commission has evaluated compliance with the existing certification rules and experience has been gained under the rules implementing Section 404. Indeed, we believe that there has not been enough experience to justify expanding the scope of the Section 302 certification to include "internal controls and procedures for financial reporting," the rules for which were just adopted by the Commission in August 2002. These certification requirements have not yet been applicable for the annual report filing season for issuers whose fiscal year is the calendar year. Such information could be invaluable to both the Commission and the Oversight Board and also to those required to comply with the proposed requirements.

      If the Commission determines to require a separate quarterly evaluation of internal controls and procedures for financial reporting, the rules, as adopted, should address the type of evaluation that management should conduct for a quarterly report as compared to an annual report. For issuers and their management to be able to comply with the proposed rules, as well as to comply with the existing rules with respect to certification, there is an imperative need for the Commission to clarify in its rules the differences between quarterly and annual evaluations. In the absence of any specific rules, the inference could be drawn that there is no difference and that management must engage in the same extensive evaluation for every periodic report, with the same time, effort and expense devoted to a quarterly as to an annual evaluation.

      Given the different quantum of information required for quarterly reports as compared to annual reports, and the different time periods in which to prepare quarterly reports as compared to annual reports, internal controls should not be evaluated to the same extent for a quarterly report as compared to an annual report. Because the internal control report and the attestation report are required only for the annual report, we believe that the annual evaluation should be different in degree and scope than the quarterly evaluation in a manner analogous to the difference between the audit of the annual financial statements and the SAS-71 review undertaken for interim financial information.23 A quarterly evaluation should be viewed as an update of the annual evaluation, just as the quarterly report on Form 10-Q is an update of the annual report on Form 10-K. Serving as a predicate for the annual evaluation, the quarterly evaluation would assess any significant changes or events that cause the issuer to doubt the accuracy of the conclusion from the previous evaluation of internal controls and procedures for financial reporting.

      If the Commission should adopt rules requiring the separate quarterly evaluation of internal controls and procedures, we suggest that the proposal be changed as follows: Assuming that the quarterly evaluation differs from the annual evaluation as we suggest, the disclosure with respect to the conclusions of the CEO and CFO on the effectiveness of internal controls and procedures for financial reporting as of the end of the period covered by the quarterly or annual report, as required by proposed Item 307(a) of Regulations S-K and S-B, should reflect that difference. Management should be permitted to state that the conclusion in a quarterly report that internal controls and procedures are "effective" is based upon an updating of the procedures and documentation relied upon in the annual evaluation and has a different meaning than a similar statement contained in the annual internal control report and attested to by the registered public accounting firm. We further believe that the Commission should state that the disclosure with respect to effectiveness of internal controls and procedures on a quarterly basis should reflect the procedures that were performed under the time constraints and circumstances of a quarterly review.

    E. Disclosure of Significant Deficiencies and Material Weaknesses

      The Release proposes to revise the text of the certifications with respect to the CEO's and CFO's evaluation of internal controls. Currently, the CEO and CFO certify that "based on our most recent evaluation," they have reported to the outside auditors and to the audit committee all significant deficiencies and material weaknesses in internal controls and any fraud, whether or not material, that involves management or other employees with a significant role in internal controls.24 The proposals would remove the "based on our most recent evaluation" qualification so that the CEO and CFO would certify, as of the filing date of the report, that all significant deficiencies and material weaknesses in internal controls, and any fraud involving management or employees with a significant role in internal controls, have been disclosed to the audit committee and the outside auditors.

      Without the "based on our most recent evaluation" language, there is no time limitation or cut-off date to the certification so the CEO and CFO will need to conduct a "bring-down" evaluation of internal controls and procedures to the date of the filing of the report. Moreover, the bring-down evaluation would have to be conducted in a manner so that the CEO and CFO can disclose relevant findings to the outside auditors and audit committee in a timely fashion.

      If adopted as proposed, this disclosure requirement could add significant cost to the filing process, with little benefit, and could increase the potential for delaying filing of the report. Consider that the CEO and CFO would already have evaluated internal controls and procedures for financial reporting as of the end of the period, and any significant deficiencies and material weaknesses, or any instances of fraud, would subsequently be communicated to the outside auditors and the audit committee. Given the timeliness of these procedures, there is little benefit in requiring the CEO and CFO to conduct a bring-down evaluation to the filing date of the report. Moreover, the benefit of any such evaluation will be reduced as filing deadlines are accelerated and the bring-down period is consequently shortened. Accordingly, we believe that proposed Rules 13a-14(b)(4)(v) and 15d-14(b)(4)(v) should be revised as follows: "Disclosed to the registrant's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function), based on our evaluation as of the Evaluation Date:" (emphasis added).25

    F. Disclosure of Significant Changes to Internal Controls and Procedures for Financial Reporting

      Item 307(b) of Regulations S-K and S-B currently requires an issuer to disclose whether or not there were "significant changes in the registrant's internal controls or in other factors that could significantly affect these controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses" (emphasis added). The Release would amend Item 307(b) to require the disclosure of all "significant changes to the registrant's internal controls and procedures for financial reporting made during the period covered" by the report, including "any actions taken to correct significant deficiencies and material weaknesses" (emphasis added). Correspondingly, proposed Rules 13a-14 and 15d-14 would require the CEO and CFO to certify that they have indicated in the report any significant changes in "internal controls and procedures for financial reporting or in other factors that could significantly affect internal controls and procedures for financial reporting," including any "actions taken to correct significant deficiencies and material weaknesses in the registrant's internal controls and procedures for financial reporting."26

      We have two principal comments with respect to this proposed disclosure requirement. First, "significant changes" is not a defined term. If the Commission intends "significant" to be a lower threshold than "material," it could result in disclosure of changes that could create an unwarranted sense of alarm among investors that internal controls are not effective when, in fact, the company may simply be addressing enhancements to reflect new operations, evolutions in its technological ability to institute and monitor controls, the development or perception of new internal or external risks or the emergence of best practices in the industry. We suggest that instead of disclosing significant changes in internal controls and procedures for financial reporting, issuers should be required to disclose only "material weaknesses" in internal controls and procedures for financial reporting, which is a defined term in the auditing literature and goes directly to the reliability of the financial statements and the ability of the outside auditor to render an opinion on internal controls.

      Second, we believe that disclosing all significant changes to the registrant's internal controls and procedures made "during the period" is inconsistent with the requirement that management determine the effectiveness of internal controls and procedures for financial reporting based on an evaluation "as of the end of the period." The proposed disclosure requirement does not indicate whether those controls and procedures are effective, since, under the proposal, effectiveness is a state or condition of the internal control process at a point in time.27 Not only would this requirement be burdensome and expensive, there is no reason for investor protection to require disclosures about changes to internal controls and procedures that have already been made. In this context, meaningful disclosure is information that alerts investors to existing problems with internal controls and procedures that could affect the issuer's ability to prepare financial statements in the future.28 Since the Release proposes to amend Item 307(a) to require disclosure of the conclusion of the CEO and CFO about the effectiveness of the internal controls and procedures for financial reporting as of the end of each period, Item 307(b) should be limited to disclosing only those material weaknesses which are outstanding and have not been corrected as of the end of the period. Correspondingly, the language in the certification with respect to making such disclosures in the periodic report should be similarly corrected.29

    G. Management's Internal Control Report

      The Release does not specify the content of the management report for the stated purpose of deterring "boilerplate responses of little value."30 While we agree that specifying the exact form of management report would be inappropriate, we believe that the Commission should provide guidance as to the topics to be addressed in the management report or, better still, state that a report prepared in accordance with the guidelines in the COSO Report would be acceptable. Because the report is an "assertion" made by management that will have to be attested to by the registered public accounting firm, standards or conditions for such reports will necessarily have to be developed to satisfy the attestation requirements established by the Oversight Board. Moreover, consistent standards for such reports may help investors to understand and compare the quality of various management internal control reports. If the Commission does not provide such guidance, it may not deter boilerplate responses, and standards for the content of the management report may be developed without the Commission's input.

      As stated above, if the Commission decides to provide guidance, it could either adopt guidelines for the management report or, better still, state that the guidelines for the content of management reports set forth in the COSO Report provide acceptable bases for compliance. These guidelines include disclosing the following items:

      · Category of controls being addressed;

      · Statement about the inherent limitations of internal controls;

      · Statement about the existence of mechanisms for monitoring and responding to deficiencies;

      · Frame of reference for reporting - i.e., the identification of criteria against which the system is measured;

      · Date as of which the conclusion is made; and

      · Conclusion on effectiveness of internal controls and procedures for financial reporting.

    H. Standards for "Effective" Internal Controls and Procedures for Financial Reporting

      Neither the Release nor AU Section 319 provides any measure or standard by which management can determine that internal controls and procedures for financial reporting are "effective," nor do they define the meaning of "effective" internal controls and procedures for financial reporting. Without such evaluation criteria or definition of effectiveness, we believe that the proposed rules cannot be implemented effectively.

      The COSO Report contains evaluation metrics for management for each component of internal controls and a definition of "effectiveness," both of which have been used successfully by depository institutions and bank holding companies in complying with the management reporting on internal control requirements of FDICIA since 1993. Accordingly, we suggest that the Commission either adopt the COSO Report's guidance with respect to these open issues or deem the COSO Report as an acceptable method of compliance.

      The advantage of adopting the COSO Report to implement Section 404 is particularly acute because the COSO Report's criteria for evaluating internal control over financial reporting are acknowledged to be "suitable" under the current standards for auditor attestation of management internal control reports. Suitability means that the criteria were established by groups of experts that follow due process - i.e., exposing the proposed criteria for public comment - and have the following required attributes: objectivity, measurability, completeness and relevance. Although we do not know whether the standards for auditor attestation engagements to be adopted by the Oversight Board will require "suitable" evaluation criteria, if there is such a requirement, then any criteria adopted by the Commission or the Oversight Board would need to meet the standards of suitability.

      With respect to the definition of "effectiveness," the Release's proposed term, "internal controls and procedures for financial reporting," has no direct equivalent in the COSO Report. Based on the COSO Report's existing definition of effectiveness for internal control, we propose that "effectiveness" for internal controls and procedures for financial reporting be defined as follows:

    Internal controls and procedures for financial reporting can be determined to be effective if the board of directors and management have reasonable assurance regarding the preparation of reliable published financial statements.

The statement that internal controls and procedures for financial reporting can provide only reasonable assurance of achieving an entity's control objectives is critical to understanding what "effectiveness" means and the limitations of those controls and procedures.

    I. Implementation

      Section 404 sets no date by which rules must be adopted. However, the Release proposes a deadline of fiscal years ending on or after September 15, 2003. We believe that this deadline is unrealistic. These proposed rules require the participation of the Oversight Board, particularly with respect to the auditor attestation standards. The Oversight Board should be given an opportunity to review and, if necessary, suggest revisions to the rules implementing Section 404, subject to an appropriate comment period.

      We suggest that the Commission defer adopting final rules to implement Section 404 until the Oversight Board establishes the standards for attesting to management's internal control report. Currently, the Statement on Standards for Attestation Engagements No. 10, Attestation Standards: Revision and Recodification ("SSAE 10"), provides guidance to outside auditors who are engaged to examine and report on management's written assertions about the effectiveness of an entity's internal control structure over financial reporting. Since Section 404 charges the Oversight Board with the responsibility to establish attestation standards, SSAE 10 may or may not be continued. Nonetheless, it is worth noting that SSAE 10 instructs outside auditors to examine and report on management's assertion about the effectiveness of an internal control structure only if certain conditions are met. Hence, the conditions under which registered public accounting firms are permitted to render an attestation could affect the manner in which management evaluates internal controls and procedures for financial reporting, so the rules under Rule 404 will need to be in alignment with the attest standards.

      Also, in light of all of the various provisions of the Act required to be implemented by Commission rulemaking in the next year, with responsive actions by issuers and their advisors and auditors taken to comply with the new provisions, such as developing disclosure controls and procedures, it seems unnecessarily hasty to also require issuers to begin complying with Section 404 for fiscal years after September 15, 2003, particularly since the proposed rules would affect quarterly reports in addition to annual reports.31

    J. Specific Questions in the Release

      We have addressed all of the questions posed in the Release with respect to Section 40432 except for the questions related to registered investment companies33 and the following question: "Should the company have to file the attestation report as part of the annual report? If so, should the report have to appear in a particular part of the annual report? Where?"

We believe that issuers should be permitted to summarize the content of the attestation report, but not be required to include such reports in their annual reports.

If the Commission decides to require the attestation report to be filed with the annual report, we recommend that it be filed next to management's internal control report and not as an exhibit to the report.

* * *

      We appreciate the opportunity to submit comments. We are available to meet with the Commission or the Staff and to respond to any questions.

              Respectfully submitted,

              /s/ Stanley Keller

              Stanley Keller, Chair
              Committee on Federal Regulation of Securities

          /s/ Thomas Riesenberg
          Thomas Riesenberg, Chair
          Committee on Law and Accounting

Drafting Committee:

    John J. Huber, Chair

    Linda L. Griggs

    Thomas J. Kim

    Simon M. Lorne

    Richard H. Rowe

cc: Hon. Harvey L. Pitt
    Chairman of the Securities and Exchange Commission

    Hon. Paul Atkins
    Commissioner

    Hon. Roel Campos
    Commissioner

    Hon. Cynthia A. Glassman
    Commissioner

    Hon. Harvey Goldschmid
    Commissioner

    Alan L. Beller
    Director, Division of Corporation Finance

    Giovanni P. Prezioso
    General Counsel

    Jackson Day
    Acting Chief Accountant

* References in this letter to "we" and "our" refer to the Committees.

1 Proposed Rule: Disclosure Required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002, Release Nos. 33-8138; 34-46701; IC-25775, 67 Fed. Reg. 66,208 (Oct. 30, 2002).

2 In 1992, COSO issued its final report on internal control, in which it described a framework for internal control that has subsequently been accepted in the auditing literature. See COSO, Internal Control - Integrated Framework (1994)(the "COSO Report"). The framework is "designed to accommodate most viewpoints and provide a starting point for individual entities' assessments of internal control, for future initiatives of rule-making bodies and for education." The COSO Report also includes a section on management reporting on internal controls. See COSO Report, "Reporting to External Parties." In 1994, COSO issued an addendum to its section on management reporting on internal controls.

3 The definition of internal control set forth in the COSO Report is codified in SAS No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS 55 ("SAS 78"), which was adopted in 1995. SAS 78 is one of the bases for the Codification of Statements on Auditing Standards, Section 319.

4 The Federal Deposit Insurance Corporation's rules also require the institution's outside auditor to examine, and attest to, management's assertions concerning the effectiveness of the institution's internal controls over financial reporting. See Annual Independent Audits and Reporting Requirements, 58 Fed. Reg. 31,332 (July 2, 1993)(codified at 12 C.F.R. 363.3). As the Release acknowledges, FDICIA offers a comparable framework to Section 404. See Release, 67 Fed. Reg. at 66,222.

5 Approximately 60% of the Fortune 500 companies already include such a report in their annual shareholders reports, although the content of these reports varies widely. See Handbook of Accounting and Auditing B4-50 (Barry J. Epstein ed., 2003-1 ed.); COSO Report.

6 Although the Release mentions the COSO Report, the Release does not follow or even recognize the guidance contained in the COSO Report, particularly with respect to its guidance on external reporting on internal control and its discussion of the criteria against which to assess the effectiveness of internal control systems.

7 See proposed Rules 13a-14(d) and 15d-15(d).

8 Although Section 404 is directed only to the reliability of financial reporting objective of internal control, we note that the other objectives of internal control - providing reasonable assurance as to the effectiveness and efficiency of operations and to the compliance with applicable laws and regulations - are equally important, although more difficult to evaluate. The effectiveness and efficiency of operations objective can help an entity achieve its performance and profitability targets and prevent loss of resources. The compliance objective can help to ensure that the enterprise complies with laws and regulations, thereby avoiding damage to its reputation and other consequences. Although we focus our comments on the Release and on Section 404, we are mindful of these other important objectives of internal control. Accordingly, we recommend that there be a "Preliminary Note" to the rules implementing Section 404 reminding issuers of their obligation to maintain internal controls pursuant to Section 13(b)(2) of the Exchange Act.

9 See COSO Report, "Reporting to External Parties."

10 AU Section 319 is based on SAS 78, which codified the definition of internal controls set forth in the COSO Report and also replaced the three elements of the internal control structure identified in SAS 55 with the five components in the COSO Report.

11 See AU Section 319.02.

12 See Release, 67 Fed. Reg. at 66,223.

13 See COSO Report, Addendum to "Reporting to External Parties." The COSO Report states that some of the safeguarding of assets controls can be viewed as part of the financial reporting controls because "[c]ontrols over safeguarding of assets against unauthorized acquisition, use or disposition relate to the prevention or timely detection of unauthorized transactions and unauthorized access to assets that could result in losses that are material to the financial statements."

14 See Release, 67 Fed. Reg. at 66,221.

15 See Release, Section III, Paperwork Reduction Act, 67 Fed. Reg. at 66,224.

16 In its assessment of the number of hours required to comply with the new requirements, the Commission has considered only the "added incremental burden imposed on companies by the evaluation of that portion of internal controls and procedures for financial reporting that is not subsumed by the disclosure controls and procedures evaluation." Although the Commission stated that it has no data to support its estimates, the Commission believes that each issuer will require 5 hours to evaluate disclosure controls and procedures for each periodic report, with an additional 5 hours to evaluate that portion of internal controls and procedures for financial reporting not included in disclosure controls and procedures for each periodic report. Id. The Commission, however, provides no adequate guidance as to which portions of "internal controls and procedures for financial reporting" are not included in "disclosure controls and procedures."

17 Clarification may not be important if periodic evaluations of internal controls and procedures for financial reporting are required, but until that time, if ever, the clarification is necessary.

18 The Commission could state that the distinction between the two sets of controls and procedures is left to each issuer to decide, based on the way in which it has structured its internal control system and its disclosure controls and procedures. We believe that this alternative is unsatisfactory, although it is consistent with the Commission's directive in its release adopting the rules implementing Section 302 of the Act that "we are not requiring any particular procedures for conducting the required review and evaluation. Instead, we expect each issuer to develop a process that is consistent with its business and internal management and supervisory practices." See Final Rule: Certification of Disclosure in Companies' Quarterly and Annual Reports, Release Nos. 33-8124, 34-46427, IC-25722 (Aug. 28, 2002).

19 See Release, 67 Fed. Reg. at 66,221.

20 See proposed Rules 13a-14(b)(4)(iii)-(iv) and 15d-14(b)(4)(iii)-(iv), and proposed Rules 13a-15(b)-(c) and 15d-15(b)-(c). By treating "disclosure controls and procedures" and "internal controls and procedures for financial reporting" as separate and equal terms in the Section 302 certification - e.g., the CEO and CFO are responsible for establishing and maintaining disclosure controls and procedures and internal controls and procedures for financial reporting - the Release skips over the conceptual difficulty of defining the boundaries between them.

21 Issuers have already incurred significant costs in establishing and maintaining disclosure controls and procedures, and will incur additional costs to comply with Section 404. The Release states that "we expect that companies and their auditors will require substantial time to develop processes under relevant standards and to train appropriate personnel to ensure compliance with these requirements imposed by the Sarbanes-Oxley Act." See Release, 67 Fed. Reg. at 66,223.

22 See id.

23 See Statement on Auditing Standards No. 71, Interim Financial Information ("SAS 71"). The Auditing Standards Board has adopted Statement on Auditing Standards No. 100, Interim Financial Information ("SAS 100"), which revises and supersedes SAS 71. The provisions of SAS 100 will be effective for interim periods within fiscal years beginning after December 15, 2002. Earlier applications of SAS 100 are permitted.

24 See Rules 13a-14(b)(5) and 15d-14(b)(5).

25 In addition, in proposed Rules 13a-14(b)(4)(v)(A) and 15d-14(b)(4)(v)(A), "All" should be changed to "Any" to conform to the similar usage of "Any" in (b)(4)(v)(B) and to negate the inference that there have been some.

26 See proposed Rules 13a-14(b)(4)(vi) and 15d-14(b)(4)(vi).

27 Cf. COSO Report, "Executive Summary."

28 The Commission should make clear, however, that the proposed disclosure requirement would not require issuers to disclose that existing problems may represent unadjudicated violations of law. See U.S. v. Matthews, 787 F.2d 38, 49 (2nd Cir. 1986)(holding that so long as uncharged criminal conduct is not required to be disclosed by any rule lawfully promulgated by the SEC, nondisclosure of such conduct cannot be the basis of a criminal prosecution).

29 See proposed Rules 13a-14(b)(4)(vi) and 15d-14(b)(4)(vi).

30 See Release, 67 Fed. Reg. at 66,219.

31 Although the Commission estimates that the burden of compliance will be five hours, we anticipate that compliance will take considerably longer than five hours. Rules should not be adopted that do not result in an efficient and effective system of internal control evaluation or that impose undue compliance burdens on issuers. Cost-effective methods to accomplish the objectives of Section 404 should be explored, which balance the needs of investor protection with the cost of compliance.

32 The comments responsive to the Commission's requests for comment can be found as follows:

"Should we propose a definition of internal controls and procedures for financial reporting?" See the letter at Section B.

"Should we define the term using AICPA's Codification of Statements on Auditing Standards Section 319 definition?" See the letter at Section B.

"Should we propose specific disclosure criteria and standards for the management report?" See the letter at Section G.

"If we adopt the proposed amendments before the PCAOB is operational, should we delay effectiveness of the rules until such time as attestation engagement standards are issued or adopted by the PCAOB?" See the letter at Section I.

"Should we propose change to Exchange Act Rules 13a-14, 13a-15, 15d-14 and 15d-15 to require periodic evaluations of both the company's disclosure controls and procedures and its internal controls and procedures for financial reporting?" See the letter at Section D.

"What transition period do companies and registered public accounting firms need to prepare to perform these undertakings?" See the letter at Section I.

33 See Release, 67 Fed. Reg. at 66,223.
