[Federal Register Volume 71, Number 248 (Wednesday, December 27, 2006)]
[Proposed Rules]
[Pages 77635-77653]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-22099]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 210, 240 and 241

[Release Nos. 33-8762; 34-54976; File No. S7-24-06]
RIN 3235-AJ58


Management's Report on Internal Control Over Financial Reporting

AGENCY: Securities and Exchange Commission.

ACTION: Proposed interpretation; Proposed rule.

-----------------------------------------------------------------------

SUMMARY: We are proposing interpretive guidance for management 
regarding its evaluation of internal control over financial reporting. 
The interpretive guidance sets forth an approach by which management 
can conduct a top-down, risk-based evaluation of internal control over 
financial reporting. The proposed guidance is intended to assist 
companies of all sizes to complete their annual evaluation in an 
effective and efficient manner and it provides guidance on a number of 
areas commonly cited as concerns over the past two years. In addition, 
we are proposing an amendment to our rules requiring management's 
annual evaluation of internal control over financial reporting to make 
it clear that an evaluation that complies with the interpretive 
guidance is one way to satisfy those rules. Further, we are proposing 
an amendment to our rules to revise the requirements regarding the 
auditor's attestation report on the assessment of internal control over 
financial reporting.

DATES: Comment Date: Comments should be received on or before February 
26, 2007.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
     Send an e-mail to [email protected]. Please include 
File Number S7-24-06 on the subject line; or
     Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

    All submissions should refer to File Number S7-24-06. This file 
number should be included on the subject line if e-mail is used. To 
help us process and review your comments more efficiently, please use 
only one method. The Commission will post all comments on the 
Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and 
copying in the Commission's Public Reference Room, 100 F Street, NE., 
Washington, DC 20549. All comments received will be posted without 
change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: Michael G. Gaynor, Professional 
Accounting Fellow, Office of the Chief Accountant, at (202) 551-5300, 
or N. Sean Harrison, Special Counsel, Division of Corporation Finance, 
at (202) 551-3430 U.S. Securities and Exchange Commission, 100 F 
Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are proposing amendments to Rule 13a-
15(c),\1\ and Rule 15d-15(c) \2\ under the Securities Exchange Act of 
1934 (the ``Exchange Act'');\ 3\ and Rules 1-02(a)(2) \4\ and 2-02(f) 
\5\ of Regulation S-X.\6\
---------------------------------------------------------------------------

    \1\ 17 CFR 240.13a-15(c).
    \2\ 17 CFR 240.15d-15(c).
    \3\ 15 U.S.C. 78a et seq.
    \4\ 17 CFR 210.1-02.
    \5\ 17 CFR 210.2-02(f).
    \6\ 17 CFR 210.1-01 et seq.
---------------------------------------------------------------------------

I. Background

    Section 404(a) of the Sarbanes-Oxley Act of 2002 \7\ (``Sarbanes-
Oxley'') directed the Commission to prescribe rules that require each 
annual report that a company, other than a registered investment 
company, files pursuant to Section 13(a) or 15(d) \8\ of the Exchange 
Act to contain an internal control report: (1) Stating management's 
responsibility for establishing and maintaining an adequate internal 
control structure and procedures for financial reporting; and (2) 
containing an assessment, as of the

[[Page 77636]]

end of the company's most recent fiscal year, of the effectiveness of 
the company's internal control structure and procedures for financial 
reporting. On June 5, 2003, the Commission adopted rules implementing 
Section 404 with regard to management's obligations to report on its 
internal control structure and procedures and, in so doing, created the 
term ``internal control over financial reporting'' (``ICFR'').\9\
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 7262.
    \8\ 15 U.S.C. 78m(a) or 78o(d).
    \9\ See Release No. 33-8238 (June 5, 2003) [68 FR 36636] 
(hereinafter the ``Adopting Release''). See Release No. 33-8392 
(February 24, 2004) [69 FR 9722] for compliance dates applicable to 
accelerated filers. See Release No. 33-8760 (December 15, 2006) for 
compliance dates applicable to non-accelerated filers.
---------------------------------------------------------------------------

    The establishment and maintenance of internal accounting controls 
has been required of public companies since the enactment of the 
Foreign Corrupt Practices Act of 1977 (``FCPA'').\10\ The significance 
of Section 404 of Sarbanes-Oxley is that it re-emphasizes the important 
relationship between the maintenance of effective ICFR and the 
preparation of reliable financial statements. Effective ICFR can also 
help companies deter fraudulent financial accounting practices or 
detect them earlier and perhaps reduce their adverse effects. While 
controls are susceptible to manipulation, especially in instances of 
fraud involving the collusion of two or more people, including senior 
management, these are known limitations of internal control systems. 
Therefore, it is possible to design ICFR to reduce, though not 
eliminate, instances of fraud.
---------------------------------------------------------------------------

    \10\ Title I of Pub. L. 95-213 (1977). Under the FCPA, companies 
that have a class of securities registered under Section 12 of the 
Exchange Act, or that are required to file reports under Section 
15(d) of the Exchange Act, are required to (a) make and keep books, 
records, and accounts, which, in reasonable detail, accurately and 
fairly reflect the transactions and dispositions of the assets of 
the issuer; and (b) to devise and maintain a system of internal 
accounting controls sufficient to provide reasonable assurances 
that:
    (i) transactions are executed in accordance with management's 
general or specific authorization;
    (ii) transactions are recorded as necessary (1) to permit 
preparation of financial statements in conformity with generally 
accepted accounting principles or any other criteria applicable to 
such statements, and (2) to maintain accountability for assets;
    (iii) access to assets is permitted only in accordance with 
management's general or specific authorization; and
    (iv) the recorded accountability for assets is compared with the 
existing assets at reasonable intervals and appropriate action is 
taken with respect to any differences.
    The definition of internal control over financial reporting is 
consistent with the description of internal accounting controls 
under the FCPA.
---------------------------------------------------------------------------

    When the Commission adopted rules in June 2003 to implement Section 
404 of Sarbanes-Oxley, we emphasized two broad principles: (1) That the 
evaluation must be based on procedures sufficient both to evaluate the 
design and to test the operating effectiveness \11\ of ICFR; and (2) 
that the assessment, including testing, must be supported by reasonable 
evidential matter.\12\ Instead of providing specific guidance regarding 
the evaluation, we expressed our belief that the methods of conducting 
evaluations of ICFR will, and should, vary from company to company and 
will depend on the circumstances of the company and the significance of 
the controls.\13\ We continue to believe that it is impractical to 
prescribe a single methodology that meets the needs of every company.
---------------------------------------------------------------------------

    \11\ See Adopting Release at Section II.B.3.d.
    \12\ Id.
    \13\ Id.
---------------------------------------------------------------------------

    Since the Commission first adopted the ICFR requirements, companies 
and third parties have devoted considerable attention to the methods 
that management may use to evaluate ICFR. Efforts to comply with the 
Commission's rules have resulted in many public companies internally 
developing their own evaluation processes, while other companies have 
retained consultants or purchased commercial software and other 
products to establish or improve their ICFR evaluation process.\14\ 
Management must bring its own experience and informed judgment to bear 
in order to design an evaluation process that meets the needs of its 
company and that provides reasonable assurance for its assessment. This 
proposed guidance is intended to allow management the flexibility to 
design such an evaluation process.
---------------------------------------------------------------------------

    \14\ Exchange Act Rules 13a-15 and 15d-15 require management to 
evaluate the effectiveness of ICFR as of the end of the fiscal year. 
For purposes of this document, the term ``evaluation'' or 
``evaluation process'' refers to the methods and procedures that 
management implements to comply with these rules. The term 
``assessment'' is used in this document to describe the disclosure 
required by Item 308 of Regulations S-B and S-K [17 CFR 228.308 and 
229.308]. This disclosure must include discussion of any material 
weaknesses which exist as of the end of the most recent fiscal year 
and management's assessment of the effectiveness of ICFR, including 
a statement as to whether or not ICFR is effective. Management is 
not permitted to conclude that ICFR is effective if there are one or 
more material weaknesses in ICFR.
---------------------------------------------------------------------------

    In order to facilitate the comparability of the assessment reports 
among companies, our rules implementing Section 404 require management 
to base its assessment of a company's internal control on a suitable 
evaluation framework. While the establishment and maintenance of 
internal accounting controls have been required since the enactment of 
the FCPA, as discussed above, the Commission's rules implementing 
Section 404 required management for the first time to use a framework 
for evaluating ICFR. It is important to note that our rules do not 
mandate the use of a particular framework, since multiple viable 
frameworks exist and others may be developed in the future. However, in 
the release adopting the Section 404 requirements, the Commission 
identified the Internal Control--Integrated Framework created by the 
Committee of Sponsoring Organizations of the Treadway Commission 
(``COSO'') as an example of a suitable framework.15 16
---------------------------------------------------------------------------

    \15\ See COSO, Internal Control-Integrated Framework (1992). In 
1994, COSO published an addendum to the Reporting to External 
Parties volume of the COSO Report. The addendum discusses the issue 
of, and provides a vehicle for, expanding the scope of a public 
management report on internal control to address additional controls 
pertaining to safeguarding of assets. In 1996, COSO issued a 
supplement to its original framework to address the application of 
internal control over financial derivative activities.
    The COSO framework is the result of an extensive study of 
internal control to establish a common definition of internal 
control that would serve the needs of companies, independent public 
accountants, legislators, and regulatory agencies, and to provide a 
broad framework of criteria against which companies could evaluate 
and improve their control systems. The COSO framework divides 
internal control into three broad objectives: effectiveness and 
efficiency of operations, reliability of financial reporting, and 
compliance with applicable laws and regulations. Our rules relate 
only to reliability of financial reporting. Each of the objectives 
in the COSO framework is further broken down into five interrelated 
components: control environment, risk assessment, control 
activities, information and communication, and monitoring.
    \16\ In that release, we also cited the Guidance on Assessing 
Control published by the Canadian Institute of Chartered Accountants 
(``CoCo'') and the report published by the Institute of Chartered 
Accountants in England & Wales Internal Control: Guidance for 
Directors on the Combined Code (known as the Turnbull Report) as 
examples of other suitable frameworks that issuers could choose in 
evaluating the effectiveness of their internal control over 
financial reporting. We encourage companies to examine and select a 
framework that may be useful in their own circumstances; we also 
encourage the further development of alternative frameworks.
---------------------------------------------------------------------------

    While the COSO framework identifies the components and objectives 
of an effective system of internal control, it does not set forth an 
approach for management to follow in evaluating the effectiveness of a 
company's ICFR.\17\ We, therefore, distinguish between the COSO 
framework as a definition of what constitutes an effective system of 
internal control and guidance on how to evaluate ICFR for purposes of 
our rules. The guidance that we are proposing in

[[Page 77637]]

this release is not intended to replace or modify the COSO framework or 
any other suitable framework.
---------------------------------------------------------------------------

    \17\ On July 11, 2006, COSO issued guidance entitled ``Internal 
Control Over Financial Reporting--Guidance for Smaller Public 
Companies'' that was designed primarily to help management of 
smaller public companies with establishing and maintaining effective 
ICFR. The guidance includes evaluation tools; however, these tools 
are intended only to be illustrative.
---------------------------------------------------------------------------

    In determining the need for additional guidance to management on 
how to conduct its evaluation, it is important to consider the steps 
that have been taken by the Commission and others to provide guidance 
to companies and audit firms. The Commission held its first roundtable 
discussion about implementation of the internal control reporting 
provisions on April 13, 2005. The 2005 roundtable sought input to 
consider the impact of the implementation of the Section 404 reporting 
requirements in view of the fact that Section 404 resulted in a major 
change for management and auditors. A broad range of interested 
parties, including representatives of managements and boards of 
domestic and foreign public companies, auditors, investors, legal 
counsel, and board members of the Public Company Accounting Oversight 
Board (``PCAOB''), participated in the discussion. We also invited and 
received written submissions from the public regarding Section 404 in 
advance of the roundtable.
    Feedback obtained from the 2005 roundtable indicated that the 
internal control reporting requirements had led to an increased focus 
by management on ICFR. However, the feedback also identified particular 
areas which were in need of further clarification to reduce unnecessary 
costs and burdens while at the same time not jeopardizing the benefits 
of Section 404. In addition, feedback indicated that a number of the 
implementation issues arose from an overly conservative application of 
the Commission rules and PCAOB Auditing Standard No. 2, An Audit of 
Internal Control Over Financial Reporting Performed in Conjunction With 
an Audit of Financial Statements (``AS No. 2''), and the requirements 
of AS No. 2 itself, as well as questions regarding the appropriate role 
of the auditor in management's evaluation process.
    In response to this feedback, the Commission and its staff issued 
guidance on May 16, 2005,\18\ emphasizing that management, not the 
auditor, is responsible for determining the appropriate nature and form 
of internal controls for the company as well as their evaluation 
methods and procedures. The May 2005 Staff Guidance emphasized and 
clarified existing provisions of the rules and other Commission 
guidance relating to the exercise of professional judgment, the concept 
of reasonable assurance, and the permitted communications between 
management and auditors. Feedback has indicated that the May 2005 Staff 
Guidance was appropriate, and while we have incorporated certain 
sections of that guidance into the proposed interpretive guidance set 
forth in this release, the May 2005 Staff Guidance remains 
relevant.\19\
---------------------------------------------------------------------------

    \18\ Commission Statement on Implementation of Internal Control 
Reporting Requirements, Press Release No. 2005-74 (May 16, 2005); 
Division of Corporation Finance and Office of the Chief Accountant: 
Staff Statement on Management's Report on Internal Control Over 
Financial Reporting (May 16, 2005) (hereinafter ``May 2005 Staff 
Guidance'') available at http://www.sec.gov/spotlight/soxcom/.htm.
    Also on May 16, 2005, the PCAOB and its staff issued guidance to 
auditors on their audits under AS No. 2. The PCAOB's guidance 
focused on areas in which the efficiency of the audit could be 
substantially improved. Topics included the importance of the 
integrated audit, the role of risk assessment throughout the 
process, the importance of taking a top-down approach, and auditors' 
use of the work of others.
    \19\ The incorporation of our May 16, 2005 guidance into this 
guidance was generally supported in comments received in response to 
the Concept Release Concerning Management's Reports on Internal 
Control Over Financial Reporting, Release No. 34-54122 (July 11, 
2006) [71 FR 40866] available at http://www.sec.gov/rules/concept/2006/34-54122.pdf (hereinafter ``Concept Release'') . See, for 
example, letters received from the American Electronics Association, 
Computer Sciences Corporation, American Institute of Certified 
Public Accountants, Institute of Management Accountants and Schering 
AG (available at http://www.sec.gov/comments/s7-11-06/s71106.shtml).
---------------------------------------------------------------------------

    In its Final Report to the Commission, issued on April 23, 2006, 
the Commission's Advisory Committee on Smaller Public Companies 
(``Advisory Committee'') raised a number of concerns regarding the 
ability of smaller companies to comply cost-effectively with the 
requirements of Section 404. The Advisory Committee identified as an 
overarching concern the difference in how smaller and larger public 
companies operate. The Advisory Committee focused in particular on 
three characteristics: (1) The limited number of personnel in smaller 
companies, which constrains the companies' ability to segregate 
conflicting duties; (2) top management's wider span of control and more 
direct channels of communication, which increase the risk of management 
override; and (3) the dynamic and evolving nature of smaller companies, 
which limits their ability to have static processes that are well-
documented.\20\
---------------------------------------------------------------------------

    \20\ Final Report of the Advisory Committee on Smaller Public 
Companies to the United States Securities and Exchange Commission 
(April 23, 2006) at 35-36, available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf (hereinafter ``Advisory 
Committee Final Report'').
---------------------------------------------------------------------------

    The Advisory Committee suggested that these characteristics create 
unique differences in how smaller companies achieve effective ICFR that 
may not be adequately accommodated in AS No. 2 or other implementation 
guidance as currently applied in practice.\21\ In addition, the 
Advisory Committee noted serious ramifications for smaller public 
companies stemming from the cost of frequent documentation changes and 
sustained review and testing of controls perceived to be necessary to 
comply with the Section 404 requirements. Indeed, the Advisory 
Committee noted that costs in relation to revenue have been 
disproportionately borne by smaller public companies.\22\
---------------------------------------------------------------------------

    \21\ Id. at 37.
    \22\ Id. at 33.
---------------------------------------------------------------------------

    The Advisory Committee Final Report sets forth several 
recommendations for the Commission to consider regarding the 
application of the Section 404 requirements to smaller public 
companies. The Advisory Committee recommended partial or complete 
exemptions from the internal control reporting requirements for 
specified types of smaller public companies under certain conditions, 
unless and until a framework is developed for assessing ICFR that 
recognizes the characteristics and needs of those companies. The 
Advisory Committee also recommended, among other things, that the 
Commission, COSO and the PCAOB provide additional guidance to 
management to help facilitate the design and evaluation of ICFR and 
make processes related to internal control more cost-effective.\23\ In 
addition, some commenters on the Advisory Committee's exposure draft of 
its report suggested that the Commission reexamine the appropriate role 
of outside auditors in connection with the management assessment 
required by the rules implementing Section 404.\24\
---------------------------------------------------------------------------

    \23\ Id. at 52.
    \24\ See, e.g., letter from BDO Seidman, LLP (April 3, 2006), 
available at http://www.sec.gov/rules/other/265-23/bdoseidman9239.pdf.
---------------------------------------------------------------------------

    Further, in April 2006, the U.S. Government Accountability Office 
issued a Report to the Committee on Small Business and 
Entrepreneurship, U.S. Senate, entitled Sarbanes-Oxley Act, 
Consideration of Key Principles Needed in Addressing Implementation for 
Smaller Public Companies, which recommended that in considering the 
concerns of the Advisory Committee, the Commission should assess the 
available guidance for management to determine whether it is sufficient 
or whether additional action is needed. That report stated that 
management's implementation and evaluation efforts were largely driven 
by AS No. 2 because guidance was not available for

[[Page 77638]]

management.\25\ Further, the GAO Report recommended that the Commission 
coordinate with the PCAOB to help ensure that the Section 404-related 
audit standards and guidance are consistent with any additional 
management guidance issued.\26\
---------------------------------------------------------------------------

    \25\ United States Government Accountability Office Report to 
the Committee on Small Business and Entrepreneurship, U.S. Senate: 
Sarbanes-Oxley Act: Consideration of Key Principles Needed in 
Addressing Implementation for Smaller Public Companies (April 2006) 
at 52-53, available at http://www.gao.gov/new.items/d06361.pdf 
(hereinafter ``GAO Report'').
    \26\ Id. at 58.
---------------------------------------------------------------------------

    On May 10, 2006, the Commission and PCAOB conducted a second 
Roundtable on Internal Control Reporting and Auditing Provisions to 
solicit feedback on accelerated filers' second year of compliance with 
the Section 404 requirements. Several participants indicated that their 
evaluation processes had improved from year one, but that additional 
improvements were needed. Although some expressed concern about being 
required to change the evaluation processes they have already 
implemented, a number of the participants expressed, at the roundtable 
and in their written comments, the view that additional management 
guidance was needed.\27\
---------------------------------------------------------------------------

    \27\ See transcript of Roundtable Discussion on Second Year 
Experiences with Internal Control Reporting and Auditing Provisions, 
May 10, 2006, Panels 1, 2, 3, and 5; letter from The Institute of 
Internal Auditors (IIA) (May 1, 2006); letter from Institute of 
Management Accountants (IMA) (May 4, 2006); letter from Canadian 
Bankers Association (CBA) (April 28, 2006); letter from Deloitte & 
Touche LLP (May 1, 2006); letter from Ernst & Young LLP (May 1, 
2006); letter from KPMG LLP (May 1, 2006); letter from 
PricewaterhouseCoopers LLP (May 1, 2006) and letter from Pfizer Inc. 
(May 1, 2006), all available at http://www.sec.gov/news/press/4-511.shtml.
---------------------------------------------------------------------------

    On July 11, 2006, COSO published additional application guidance 
for its control framework, Internal Control over Financial Reporting--
Guidance for Smaller Public Companies. This guidance is intended to 
assist the management of smaller companies in understanding and 
applying the COSO framework. It outlines principles fundamental to the 
five components of internal control described in the COSO framework. 
Further, this guidance defines each of these principles and describes 
the attributes of each. It also lists a variety of approaches that 
smaller companies can use to apply the principles and includes examples 
of how smaller companies have applied the principles. The Commission 
anticipates that the guidance will help organizations of all sizes that 
use the COSO framework to better understand and apply it to ICFR.
    On July 11, 2006, the Commission issued a Concept Release to seek 
public feedback on the Commission's planned issuance of guidance 
regarding management's evaluation and assessment of the effectiveness 
of ICFR.\28\ The Concept Release sought specific feedback in three 
areas described below, as well as inquired about whether there were 
other areas where guidance should also be provided.
---------------------------------------------------------------------------

    \28\ See footnote 19 above for reference.
---------------------------------------------------------------------------

     Risk and control identification (such as how management 
considers entity-level controls, financial statement account and 
disclosure level considerations, as well as fraud risks); \29\
     The methods or approaches available to management to 
gather evidence to support its assessment, and factors management 
should consider in determining the nature, timing and extent of its 
evaluation procedures; and
     Documentation requirements, including overall objectives 
of the documentation and factors that might influence documentation 
requirements.
---------------------------------------------------------------------------

    \29\ The term ``entity-level controls'' as used in this document 
describes aspects of a system of internal control that have a 
pervasive effect on the entity's system of internal control such as 
controls related to the control environment (e.g., management's 
philosophy and operating style, integrity and ethical values, board 
or audit committee oversight; and assignment of authority and 
responsibility); controls over management override; the company's 
risk assessment process; centralized processing and controls, 
including shared service environments; controls to monitor results 
of operations; controls to monitor other controls, including 
activities of the internal audit function, the audit committee, and 
self-assessment programs; controls over the period-end financial 
reporting process; and policies that address significant business 
control and risk management practices. The term ``company-level'' is 
also commonly used to describe these controls.

The Commission received 167 comment letters in response to the Concept 
Release, a majority of which supported additional Commission guidance 
to management that is applicable to companies of all sizes and 
complexities.\30\ The Commission considered the feedback received in 
those comment letters in drafting this proposed interpretive guidance.
---------------------------------------------------------------------------

    \30\ The public comments we received are available for 
inspection in the Commission's Public Reference Room at 100 F 
Street, NE., Washington DC 20549 in File No. S7-11-06. They are also 
available on-line at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------

    Further, the Commission has also received feedback that its 
guidance and ICFR rules have been interpreted as applying to non-profit 
and non-public organizations. The Commission does not regulate such 
organizations, and none of the Commission's guidance or rules is 
intended to apply to such organizations.

II. Introduction

    To implement Section 404(a) of the Sarbanes-Oxley Act, the 
Commission adopted rules requiring that management annually issue a 
report that contains an assessment of the effectiveness of ICFR.\31\ An 
overall objective of ICFR is to foster the preparation of reliable 
financial statements. Reliable financial statements must be materially 
accurate. Therefore, the central purpose of the evaluation is to assess 
whether there is a reasonable possibility of a material misstatement in 
the financial statements not being prevented or detected on a timely 
basis by the company's ICFR.\32\
---------------------------------------------------------------------------

    \31\ Exchange Act Rules 13a-15(f) and 15d-15(f) [17 CFR 240.13a-
15(f) and 15d-15(b)] define internal control over financial 
reporting as:
    A process designed by, or under the supervision of, the issuer's 
principal executive and principal financial officers, or persons 
performing similar functions, and effected by the registrant's board 
of directors, management and other personnel, to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements for external purposes in 
accordance with generally accepted accounting principles and 
includes those policies and procedures that:
    (1) Pertain to the maintenance of records that in reasonable 
detail accurately and fairly reflect the transactions and 
dispositions of the assets of the registrant;
    (2) Provide reasonable assurance that transactions are recorded 
as necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles, and that 
receipts and expenditures of the registrant are being made only in 
accordance with authorizations of management and directors of the 
registrant; and
    (3) Provide reasonable assurance regarding prevention or timely 
detection of unauthorized acquisition, use or disposition of the 
registrant's assets that could have a material effect on the 
financial statements.
    \32\ There is a reasonable possibility of an event when the 
likelihood of the event is either ``reasonably possible'' or 
``probable'' as those terms are used in Financial Accounting 
Standards Board Statement No. 5, Accounting for Contingencies.
---------------------------------------------------------------------------

    Management's assessment is based on whether any material weaknesses 
exist as of the end of the fiscal year. A material weakness is a 
deficiency, or combination of deficiencies, in ICFR such that there is 
a reasonable possibility that a material misstatement of the company's 
annual or interim financial statements will not be prevented or 
detected on a timely basis by the company's ICFR.\33\
---------------------------------------------------------------------------

    \33\ Existing PCAOB auditing literature describes a material 
weakness as a control deficiency, or combination of control 
deficiencies, that result in more than a remote likelihood that a 
material misstatement of the company's annual or interim financial 
statements will not be prevented or detected. Our use of the phrase 
``reasonable possibility'' rather than ``more than remote'' to 
describe the likelihood of a material error is intended to more 
clearly communicate the likelihood element. We note that the PCAOB 
has indicated that it intends to revise its definitions to use the 
phrase ``reasonable possibility.'' AS No. 2 establishes that a 
control is deficient when the design or operation of a control does 
not allow management or employees, in the normal course of 
performing their assigned functions, to prevent or detect 
misstatements on a timely basis. The definition formulated here is 
intended to be consistent with its use in existing auditing 
literature and practice.

---------------------------------------------------------------------------

[[Page 77639]]

    Management should implement and conduct an evaluation that is 
sufficient to provide it with a reasonable basis for its annual 
assessment. Management should use its own experience and informed 
judgment in designing an evaluation process that aligns with the 
operations, financial reporting risks and processes of the company.\34\ 
If the evaluation process identifies material weaknesses that exist as 
of the end of the fiscal year, such weaknesses must be disclosed in 
management's annual report with a statement that ICFR is 
ineffective.\35\ If the evaluation identifies no internal control 
deficiencies that constitute a material weakness, management assesses 
ICFR as effective.\36\
---------------------------------------------------------------------------

    \34\ This point also is made in one of the publicly available 
and commonly used assessment tools--the third volume of the report 
by COSO, Internal Control--Integrated Framework: Evaluation Tools. 
That volume cautioned that ``because facts and circumstances vary 
between entities and industries, evaluation methodologies and 
documentation will also vary. Accordingly, entities may use 
different evaluation tools, or use other methodologies utilizing 
different evaluative techniques.''
    \35\ This focus on material weaknesses will lead to a better 
understanding by investors of internal control over financial 
reporting, as well as its inherent limitations. Further, the 
Commission's rules implementing Section 404, by providing for public 
disclosure of material weaknesses, concentrate attention on the most 
important internal control issues.
    \36\ If management's evaluation process identifies material 
weaknesses, but all material weaknesses are remediated by the end of 
the fiscal year, management may exclude disclosure of those from its 
assessment and state that ICFR is effective as of the end of the 
fiscal year. However, management should consider whether disclosure 
of the remediated material weaknesses is appropriate or required 
under Item 307 or Item 308 of Regulations S-K or S-B or other 
Commission disclosure rules.
---------------------------------------------------------------------------

    Management is required to assess as of the end of the fiscal year 
whether the company's ICFR is effective in providing reasonable 
assurance regarding the reliability of financial reporting.\37\ 
Management is not required by Section 404 of Sarbanes-Oxley to assess 
other internal controls, such as controls solely implemented to meet a 
company's operational objectives. Further, ``reasonable assurance'' 
does not mean absolute assurance. ICFR cannot prevent or detect all 
misstatements, whether unintentional errors or fraud. Rather, the 
``reasonable assurance'' referred to in the Commission's implementing 
rules relates to similar language in the FCPA. Exchange Act Section 
13(b)(7) defines ``reasonable assurance'' and ``reasonable detail'' as 
``such level of detail and degree of assurance as would satisfy prudent 
officials in the conduct of their own affairs.'' \38\ The Commission 
has long held that ``reasonableness'' is not an ``absolute standard of 
exactitude for corporate records.'' \39\ In addition, the Commission 
recognizes that while ``reasonableness'' is an objective standard, 
there is a range of judgments that an issuer might make as to what is 
``reasonable'' in implementing Section 404 and the Commission's rules. 
Thus, the terms ``reasonable,'' ``reasonably'' and ``reasonableness'' 
in the context of Section 404 implementation do not imply a single 
conclusion or methodology, but encompass the full range of appropriate 
potential conduct, conclusions or methodologies upon which an issuer 
may reasonably base its decisions.
---------------------------------------------------------------------------

    \37\ See Exchange Act Rules 13a-15 and 15d-15.
    \38\ 15 U.S.C. 78m(b)(7). The conference committee report on 
amendments to the FCPA also noted that the standard ``does not 
connote an unrealistic degree of exactitude or precision. The 
concept of reasonableness of necessity contemplates the weighing of 
a number of relevant factors, including the costs of compliance.'' 
Cong. Rec. H2116 (daily ed. April 20, 1988).
    \39\ Release No. 34-17500 (January 29, 1981) [46 FR 11544].
---------------------------------------------------------------------------

    This release proposes guidance regarding matters we believe will 
help management design and conduct its evaluation and assess the 
effectiveness of ICFR. The guidance assumes management has established 
and maintains a system of internal accounting controls as required by 
the FCPA. Further, it does not explain how management should design its 
ICFR to comply with the control framework it has chosen. To allow 
appropriate flexibility, the guidance does not provide a checklist of 
steps management should perform in completing its evaluation. Rather, 
it describes a top-down, risk-based approach that allows for the 
exercise of significant judgment so that management can design and 
conduct an evaluation that is tailored to its company's individual 
circumstances.40 41
---------------------------------------------------------------------------

    \40\ Because management is responsible for maintaining effective 
internal control over financial reporting, this proposed 
interpretive guidance does not specifically address the role of the 
board of directors or audit committee in a company's evaluation and 
assessment of ICFR. However, we would ordinarily expect a board of 
directors or audit committee, as part of its oversight 
responsibilities for the company's financial reporting, to be 
knowledgeable and informed about the evaluation process and 
management's assessment, as necessary in the circumstances.
    \41\ See footnote 42 below.
---------------------------------------------------------------------------

    The proposed guidance is organized around two broad principles. The 
first principle is that management should evaluate the design of the 
controls that it has implemented to determine whether they adequately 
address the risk that a material misstatement in the financial 
statements would not be prevented or detected in a timely manner. The 
guidance describes a top-down, risk-based approach to this principle, 
including the role of entity-level controls in assessing financial 
reporting risks and the adequacy of controls. The proposed guidance 
promotes efficiency by allowing management to focus on those controls 
that are needed to adequately address the risk of a material 
misstatement in its financial statements. There is no requirement in 
our guidance to identify every control in a process or document the 
business processes impacting ICFR. Rather, under the approach described 
herein, management focuses its evaluation process and the documentation 
supporting the assessment on those controls that it believes adequately 
address the risk of a material misstatement in the financial 
statements. For example, if management determines that the risks for a 
particular financial reporting element are adequately addressed by an 
entity-level control, no further evaluation of other controls is 
required.
    The second principle is that management's evaluation of evidence 
about the operation of its controls should be based on its assessment 
of risk. The proposed guidance provides an approach for making risk-
based judgments about the evidence needed for the evaluation. This 
allows management to align the nature and extent of its evaluation 
procedures with those areas of financial reporting that pose the 
greatest risks to reliable financial reporting (i.e., whether the 
financial statements are materially accurate). As a result, management 
may be able to use more efficient approaches to gathering evidence, 
such as self-assessments, in low-risk areas and perform more extensive 
testing in high-risk areas.
    By following these two principles, we believe companies of all 
sizes and complexities will be able to implement our rules effectively 
and efficiently.\42\ As smaller public companies generally have less 
complex internal control systems than larger public companies, this 
top-down, risk-based approach should enable smaller public companies in 
particular to scale and tailor their

[[Page 77640]]

evaluation methods and procedures to fit their own facts and 
circumstances.\43\ We encourage smaller public companies to take 
advantage of the flexibility and scalability of this approach to 
conduct an efficient evaluation of internal control over financial 
reporting.\44\ Further, we believe the proposed guidance will assist 
companies of all sizes in completing the annual evaluation of ICFR in 
an effective and efficient manner by addressing a number of the common 
areas of concern that have been identified over the past two years. For 
example, the proposed guidance:
---------------------------------------------------------------------------

    \42\ Commenters on the Concept Release were supportive of 
principles-based guidance that applies to all companies. See for 
example, letters regarding file number S7-11-06 of: Financial 
Executives International, Metlife, and Siemens AG at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
    \43\ See Advisory Committee Final Report at 35-38.
    \44\ While a company's individual facts and circumstances should 
be considered in determining whether a company is a smaller public 
company, a company's market capitalization and annual revenues are 
useful indicators of its size and complexity. In light of the 
Advisory Committee Final Report and the SEC's rules defining 
``accelerated filers'' and ``large accelerated filers,'' companies 
with a market capitalization of approximately $700 million or less, 
with reported annual revenues of approximately $250 million or less, 
should be presumed to be ``smaller companies,'' with the smallest of 
these companies, with a market capitalization of approximately $75 
million or less, described as ``microcaps.''
---------------------------------------------------------------------------

     Explains how to vary approaches for gathering evidence to 
support the evaluation based on risk assessments;
     Explains the use of ``daily interaction,'' self-
assessment, and other on-going monitoring activities as evidence in the 
evaluation;
     Explains the purpose of documentation and how management 
has flexibility in approaches to documenting support for its 
assessment;
     Provides management significant flexibility in making 
judgments regarding what constitutes adequate evidence in low-risk 
areas; and
     Allows for management and the auditor to have different 
testing approaches.
    The information management gathers and analyzes from its evaluation 
process serves as the basis for its assessment on the effectiveness of 
its ICFR. The extent of effort required for a reasonable evaluation 
process will largely depend on the company's existing policies, 
procedures and practices. For example, in some situations management 
may determine that its existing activities, which may be undertaken for 
other reasons, provide information that is relevant to the assessment. 
In other situations, management may have to implement additional 
procedures to gather and analyze the information needed to provide a 
reasonable basis for its annual assessment.

III. Proposed Interpretive Guidance

    The proposed interpretive guidance addresses the following topics:

A. The Evaluation Process
    1. Identifying Financial Reporting Risks and Controls
    a. Identifying Financial Reporting Risks
    b. Identifying Controls that Adequately Address Financial Reporting 
Risks
    c. Consideration of Entity-level Controls
    d. Role of General Information Technology Controls
    e. Evidential Matter to Support the Assessment
    2. Evaluating Evidence of the Operating Effectiveness of ICFR
    a. Determining the Evidence Needed to Support the Assessment
    b. Implementing Procedures to Evaluate Evidence of the Operation of 
ICFR
    c. Evidential Matter to Support the Assessment
    3. Multiple Location Considerations

B. Reporting Considerations
    1. Evaluation of Control Deficiencies
    2. Expression of Assessment of Effectiveness of ICFR by Management 
and the Registered Public Accounting Firm
    3. Disclosures About Material Weaknesses
    4. Impact of a Restatement of Previously Issued Financial 
Statements on Management's Report on ICFR
    5. Inability to Assess Certain Aspects of ICFR

A. The Evaluation Process

    The objective of the evaluation of ICFR is to provide management 
with a reasonable basis for its annual assessment as to whether any 
material weaknesses in ICFR exist as of the end of the fiscal year. To 
meet this objective, management identifies the risks to reliable 
financial reporting, evaluates whether the design of the controls which 
address those risks is such that there is a reasonable possibility that 
a material misstatement in the financial statements would not be 
prevented or detected in a timely manner, and evaluates evidence about 
the operation of the controls included in the evaluation based on its 
assessment of risk. The evaluation process will vary from company to 
company; however, the approach we discuss is a top-down, risk-based 
approach which we believe is typically most efficient and effective.
    The evaluation process guidance is presented in two sections. The 
first section explains an approach to identifying financial reporting 
risks and evaluating whether the controls management has implemented 
are designed to address those risks. The second section describes an 
approach for making judgments about the methods and procedures for 
evaluating whether the operation of ICFR is effective. Both sections 
explain how entity-level controls \45\ impact the evaluation process as 
well as how management focuses its evaluation efforts on the greatest 
risks.
---------------------------------------------------------------------------

    \45\ See footnote 29 above.
---------------------------------------------------------------------------

    Under the Commission's rules, management's annual assessment must 
be made in accordance with a suitable control framework's definition of 
effective internal control.\46\ These control frameworks define 
elements of internal control that are expected to be present and 
functioning in an effective internal control system. In assessing 
effectiveness, management evaluates whether its ICFR includes policies, 
procedures and activities that address all of the elements of internal 
control that the applicable control framework describes as necessary 
for an internal control system to be effective. The framework elements 
describe the characteristics of an internal control system that may be 
relevant to individual areas of the company's ICFR, pervasive to many 
areas, or entity-wide. Therefore, management's evaluation process 
includes not only controls involving particular areas of financial 
reporting, but also the entity-wide and other pervasive elements of 
internal control that are defined by the control frameworks. This 
guidance is not intended to replace the elements of an effective system 
of internal control as defined within a control framework.
---------------------------------------------------------------------------

    \46\ For example, both the COSO framework and the Turnbull 
Report state that determining whether a system of internal control 
is effective is a subjective judgment resulting from an assessment 
of whether the five components (i.e., control environment, risk 
assessment, control activities, monitoring, and information and 
communication) are present and functioning effectively. Although 
CoCo states that an assessment of effectiveness be made against 
twenty specific criteria, it acknowledges that the criteria can be 
regrouped into different structures, and includes a table showing 
how the criteria can be regrouped into the five-component structure 
of COSO. Thus, these five components are also criteria for effective 
internal control.
---------------------------------------------------------------------------

1. Identifying Financial Reporting Risks and Controls
    The approach described herein allows management to identify 
controls and maintain supporting evidential matter for its controls in 
a manner that is tailored to a company's financial reporting risks (as 
defined below). Thus, management can avoid identifying and

[[Page 77641]]

documenting controls that are not important to achieving the objectives 
of ICFR. Management should assess whether its controls are designed to 
provide reasonable assurance regarding the reliability of financial 
reporting and the preparation of financial statements for external 
purposes in accordance with generally accepted accounting principles 
(``GAAP'').\47\ The evaluation begins with the identification and 
assessment of the risks to reliable financial reporting (i.e., 
materially accurate financial statements), including changes in those 
risks. Management then evaluates whether it has controls placed in 
operation that are designed to adequately address those risks. 
Management ordinarily would consider the company's entity-level 
controls in both its assessment of risk and in identifying which 
controls adequately address the risk. The controls that management 
identifies as adequately addressing the financial reporting risks are 
then subject to procedures to evaluate evidence of the operating 
effectiveness, as determined pursuant to Section III.A.2.
---------------------------------------------------------------------------

    \47\ Management of foreign private issuers that file financial 
statements prepared in accordance with home country generally 
accepted accounting principles or International Financial Reporting 
Standards with a reconciliation to U.S. GAAP should plan and conduct 
their evaluation process based on their primary financial statements 
(i.e., home country GAAP or IFRS) rather than the reconciliation to 
U.S. GAAP.
---------------------------------------------------------------------------

    The effort necessary to conduct an initial evaluation of financial 
reporting risks (as defined below) and the related controls will vary 
among companies, partly because this effort will depend on management's 
existing financial reporting risk assessment and monitoring 
activities.\48\ Even so, in subsequent years for most companies, 
management's effort should ordinarily be significantly less because 
subsequent evaluations should be more focused on changes in risks and 
controls rather than identification of all financial reporting risks 
and the related controls. Further, in each subsequent year, the 
evidence necessary to reasonably support the assessment will only need 
to be updated from the prior year(s), not recreated anew.
---------------------------------------------------------------------------

    \48\ Monitoring activities are those that assess the quality of 
internal control performance over time. These activities involve 
assessing the design and operation of controls on a timely basis and 
taking necessary corrective actions. This process is accomplished 
through on-going monitoring activities, separate evaluations by 
internal audit or personnel performing similar functions, or a 
combination of the two. On-going monitoring activities are often 
built into the normal recurring activities of an entity and include 
regular management and supervisory review activities.
---------------------------------------------------------------------------

a. Identifying Financial Reporting Risks
    Ordinarily, the identification of financial reporting risks begins 
with evaluating how the requirements of GAAP apply to the company's 
business, operations and transactions. Management must provide 
investors with financial statements that fairly present the company's 
financial position, results of operations and cash flows in accordance 
with GAAP. A lack of fair presentation involves material misstatements 
(including omissions) in one or more of the financial statement amounts 
or disclosures (``financial reporting elements'').
    Management uses its knowledge and understanding of the business, 
its organization, operations, and processes to consider the sources and 
potential likelihood of misstatements in financial reporting elements 
and identifies those that could result in a material misstatement to 
the financial statements (``financial reporting risks''). Internal and 
external risk factors that impact the business, including the nature 
and extent of any changes in those risks, may give rise to financial 
reporting risks. Financial reporting risks may also arise from sources 
such as the initiation, authorization, processing and recording of 
transactions and other adjustments that are reflected in financial 
reporting elements. Management's evaluation of financial reporting 
risks should also consider the vulnerability of the entity to 
fraudulent activity (e.g., fraudulent financial reporting, 
misappropriation of assets and corruption) and whether any of those 
exposures could result in a material misstatement of the financial 
statements.\49\
---------------------------------------------------------------------------

    \49\ See ``Management Antifraud Programs and Controls--Guidance 
to Help Prevent, Deter, and Detect Fraud,'' which was issued jointly 
by seven professional organizations and is included as an exhibit to 
AU Sec. 316, Consideration of Fraud in a Financial Statement Audit 
(as adopted on an interim basis by the PCAOB in PCAOB Rule 3200T).
---------------------------------------------------------------------------

    The methods and procedures for identifying financial reporting 
risks will vary based on the characteristics of the company.\50\ These 
characteristics include, among others, the size, complexity, and 
organizational structure of the company and its processes and financial 
reporting environment, as well as the control framework used by 
management. For example, to effectively identify financial reporting 
risks in larger businesses or in situations involving complex business 
processes, management's evaluation may need to involve employees with 
specialized knowledge who collectively have the necessary understanding 
of the requirements of GAAP, the underlying business transactions, the 
process activities, including the role of computer technology, that are 
required to initiate, authorize, record and process transactions, and 
the points within the process at which a material misstatement, 
including a misstatement due to fraud, may occur. In contrast, in a 
small company with less complex business processes that operate on a 
centralized basis and with little change in the risks or processes, 
management's daily involvement with the business may provide it with 
adequate knowledge to appropriately identify financial reporting risks.
---------------------------------------------------------------------------

    \50\ To provide management the flexibility needed to implement 
an evaluation process that best suits its particular circumstances; 
the guidance in this proposed interpretative release does not 
prescribe a particular methodology for the identification of risks 
and controls. While the May 2005 Staff Guidance used the term 
``significant account,'' which is used in AS No. 2, we are not 
requiring that companies use the guidance in the auditing literature 
to conduct their evaluation approach. The Commission encourages the 
development of methodologies and tools that meet the objectives of 
the ICFR evaluation.
---------------------------------------------------------------------------

b. Identifying Controls That Adequately Address Financial Reporting 
Risks
    Management should evaluate whether it has controls placed in 
operation (i.e., in use) that are designed to address the company's 
financial reporting risks.\51\ The determination of whether an 
individual control, or a combination of controls, adequately addresses 
a financial reporting risk involves judgments about both the likelihood 
and potential magnitude of misstatements arising from the financial 
reporting risk. For purposes of the evaluation of ICFR, the controls 
are not adequate when their design is such that there is a reasonable 
possibility that a misstatement in the related financial reporting 
element that could result in a material misstatement of the financial 
statements will not be prevented or detected on a timely basis.\52\ If 
management determines that

[[Page 77642]]

its controls are not adequately designed, a deficiency exists that must 
be evaluated to determine whether it is a material weakness. The 
guidance in Section III.B.1. is designed to assist management with that 
evaluation.\53\
---------------------------------------------------------------------------

    \51\ A control consists of a specific set of policies, 
procedures, and activities designed to meet an objective. A control 
may exist within a designated function or activity in a process. A 
control's impact on ICFR may be entity-wide or specific to a class 
of transactions or application. Controls have unique 
characteristics--they can be: automated or manual; reconciliations; 
segregation of duties; review and approval authorizations; 
safeguarding and accountability of assets, preventing error or fraud 
detection, or disclosure. Controls within a process may consist of 
financial reporting controls and operational controls (i.e., those 
designed to achieve operational objectives).
    \52\ The use of the phrase ``reasonable possibility that a 
misstatement in the related financial reporting element that could 
result in a material misstatement of the financial statements'' is 
intended solely to assist management in identifying matters for 
disclosure under Item 308 of Regulation S-K. It is not intended to 
interpret or describe management's responsibility under FCPA or 
modify a control framework's definition of what constitutes an 
effective system of internal control.
    \53\ A deficiency in the design of ICFR exists when (a) 
necessary controls are missing or (b) existing controls are not 
properly designed so that, even if the control operates as designed, 
the financial reporting risks would not be addressed. AS No. 2 
states that a deficiency in the design of ICFR exists when (a) a 
control necessary to meet the control objective is missing or (b) an 
existing control is not properly designed so that, even if the 
control operates as designed, the control objective is not always 
met. See AS No. 2 ] 8.
---------------------------------------------------------------------------

    Management may identify controls for a financial reporting element 
that are preventive, detective or a combination of both.\54\ It is not 
necessary to identify all controls that exist. Rather, the objective of 
this evaluation step is to identify controls that adequately address 
the risk of misstatement for the financial reporting element that could 
result in a material misstatement in the financial statements. To 
illustrate, management may determine for a financial reporting element 
that a control within the company's period-end financial reporting 
process (i.e., an entity-level control) is designed in a manner that 
adequately addresses the risk that a misstatement in interest expense, 
that could result in a material misstatement in the financial 
statements, may occur and not be detected. In such a case, management 
may not need to identify any additional controls related to interest 
expense.
---------------------------------------------------------------------------

    \54\ Preventive controls have the objective of preventing the 
occurrence of errors or fraud that could result in a misstatement of 
the financial statements. Detective controls have the objective of 
detecting errors or fraud that has already occurred that could 
result in a misstatement of the financial statements. Preventive and 
detective controls may be completely manual, involve some degree of 
computer automation, or be completely automated.
---------------------------------------------------------------------------

    Management may consider the efficiency with which evidence of the 
operation of a control can be evaluated when identifying the controls 
that adequately address the financial reporting risks. For example, 
when more than one control exists that individually addresses a 
particular risk (i.e., redundant controls), management may decide to 
select the control for which evidence of operating effectiveness can be 
obtained more efficiently. Moreover, when adequate general information 
technology (``IT'') controls exist, and management has determined the 
operation of such controls is effective, management may determine that 
automated controls may be more efficient to evaluate than manual 
controls. Considering the efficiency with which the operation of a 
control can be evaluated will often enhance the overall efficiency of 
the evaluation process.
    When identifying the controls that address financial reporting 
risks, management may learn information about the characteristics of 
the controls, such as the judgment required to operate them or their 
complexity, that are considered in its judgments about the risk that 
the control will fail to operate as designed. Section III.A.2. 
discusses how these characteristics are considered in determining the 
nature and extent of evidence of the operation of the control that 
management evaluates.
    At the end of this identification process, management will have 
identified for testing only those controls that are needed to 
adequately address the risk of a material misstatement in its financial 
statements and for which evidence about their operation can be obtained 
most efficiently.
c. Consideration of Entity-level Controls
    Management considers entity-level controls when identifying and 
assessing financial reporting risks and related controls for a 
financial reporting element. In doing so, it is important for 
management to consider the nature of the entity-level controls and how 
they relate to the financial reporting element.\55\ Some entity-level 
controls are designed to operate at the process, transaction or 
application level and might adequately prevent or detect on a timely 
basis misstatements in one or more financial reporting elements that 
could result in a material misstatement to the financial statements. On 
the other hand, an entity-level control may be designed to identify 
possible breakdowns in lower-level controls, but not in a manner that 
would, by itself, sufficiently address the risk that misstatements to 
financial reporting elements that could result in a material 
misstatement to the financial statements will be prevented or detected 
on a timely basis.
---------------------------------------------------------------------------

    \55\ Controls can be either directly or indirectly related to a 
financial reporting element. Controls that are designed to have a 
specific effect on a financial reporting element are considered 
directly related. For example, controls established to ensure that 
personnel are properly counting and recording the annual physical 
inventory relate directly to the existence of the inventory.
---------------------------------------------------------------------------

    The more indirect the relationship to a financial reporting 
element, the less effective a control may be in preventing or detecting 
a misstatement. Some entity-level controls, such as the control 
environment (e.g., tone at the top and entity-wide programs such as 
codes of conduct and fraud prevention), are indirectly related to a 
financial reporting element and may not, by themselves, be effective at 
preventing or detecting a misstatement in a financial reporting 
element. Therefore, while management ordinarily would consider entity-
level controls of this nature when assessing financial reporting risks 
and evaluating the adequacy of controls, it is unlikely management will 
identify only this type of entity-level control as adequately 
addressing a financial reporting risk identified for a financial 
reporting element.\56\
---------------------------------------------------------------------------

    \56\ Many commenters on the Concept Release requested 
clarification of the role of entity-level controls in management's 
evaluation. See for example, letters regarding file number S7-11-06 
of Aerospace Industries Association, Sprint Nextel Corporation, Unum 
Provident, Dupont, Deutsche Telekom, Ernst & Young LLP, Deloitte & 
Touche LLP, and Grant Thornton LLP at http://www.sec.gov/comments/s7-11-06/s71106.shtml. See Section III.A.2.a. for additional 
guidance on entity-level controls.
---------------------------------------------------------------------------

d. Role of General Information Technology Controls
    Controls that management identifies as addressing financial 
reporting risks may be automated (e.g., application controls that 
update accounts in the general ledger for subledger activity) or 
dependent upon IT functionality (e.g., a control that manually 
investigates items contained in a computer generated exception report). 
In these situations, management's evaluation process generally 
considers the design and operation of the automated or IT dependent 
controls management identifies and the relevant general IT controls 
over the applications providing the IT functionality. While general IT 
controls ordinarily do not directly prevent or detect material 
misstatements in the financial statements, the proper and consistent 
operation of automated or IT dependent controls depends upon effective 
general IT controls.
    Aspects of general IT controls that may be relevant to the 
evaluation of ICFR will vary depending upon a company's facts and 
circumstances. Ordinarily, management should consider whether, and the 
extent to which, general IT control objectives related to program 
development, program changes, computer operations, and access to 
programs and data apply to its facts and circumstances. For purposes of 
the evaluation of ICFR, management only needs to evaluate those general 
IT controls that are necessary to adequately address financial 
reporting risks.

[[Page 77643]]

e. Evidential Matter To Support the Assessment
    As part of its evaluation of ICFR, management must maintain 
reasonable support for its assessment.\57\ Documentation of the design 
of the controls management has placed in operation to adequately 
address the financial reporting risks is an integral part of the 
reasonable support. The form and extent of the documentation will vary 
depending on the size, nature, and complexity of the company. It can 
take many forms (e.g., paper documents, electronic, or other media) and 
it can be presented in a number of ways (e.g., policy manuals, process 
models, flowcharts, job descriptions, documents, internal memorandums, 
forms, etc). The documentation does not need to include all controls 
that exist within a process that impacts financial reporting. Rather, 
and more importantly, the documentation can be focused on those 
controls that management concludes are adequate to address the 
financial reporting risks.\58\
---------------------------------------------------------------------------

    \57\ See instructions to Item 308 of Regulations S-K and S-B.
    \58\ Commenters on the Concept Release were supportive of 
guidance regarding the form, nature, and extent of documentation. 
See for example letters regarding file number S7-11-06 of EDS, 
Controllers' Leadership Roundtable, Sasol Group, New York State 
Society of Certified Public Accountants, Grant Thornton LLP, and 
Financial Executives International at http://www.sec.gov/comments/s7-11-06/s71106.shtml. Section III.A.2.c also provides 
guidance with regard to the documentation required to support 
management's evaluation of operating effectiveness.
---------------------------------------------------------------------------

    In addition to providing support for the assessment of ICFR, 
documentation of the design of controls also supports other objectives 
of an effective system of internal control. For example, it serves as 
evidence that controls within ICFR, including changes to those 
controls, have been identified, are capable of being communicated to 
those responsible for their performance, and are capable of being 
monitored by the company. The documentation also provides the 
foundation for appropriate communication concerning responsibilities 
for performing controls and for the company's evaluation and monitoring 
of the operation of controls.
    Management should also consider the need to maintain evidential 
matter, including documentation, of the entity-wide and other pervasive 
elements of its ICFR that it believes address the elements of internal 
control that its chosen control framework prescribes as necessary for 
an effective system of internal control.\59\
---------------------------------------------------------------------------

    \59\ Id.
---------------------------------------------------------------------------

2. Evaluating Evidence of the Operating Effectiveness of ICFR
    Management should evaluate evidence of the effective operation of 
ICFR. A control operates effectively when it is performed in a manner 
consistent with its design by individuals with the necessary authority 
and competency. Management ordinarily focuses its evaluation of the 
operation of controls on those areas of ICFR that pose the highest risk 
to reliable financial reporting. The evaluation procedures that 
management uses to gather evidence about the effective operation of 
ICFR should be tailored to its assessment of the risk characteristics 
of both the individual financial reporting elements and the related 
controls (collectively, ICFR risk). Management's assessment of ICFR 
risk also considers the impact of entity-level controls, such as the 
relative strengths and weaknesses of the control environment, which may 
influence management's judgments about the risks of failure for 
particular controls. Management varies the nature, timing and extent of 
the evaluation methods it implements in response to its judgments about 
ICFR risk.
    Evidence about the effective operation of controls may be obtained 
from direct-testing of controls and on-going monitoring activities. The 
nature, timing and extent of evaluation procedures necessary for 
management to obtain sufficient evidence of the effective operation of 
a control depends on the assessed ICFR risk. In determining whether the 
evidence obtained is sufficient to provide a reasonable basis for its 
evaluation of the operation of ICFR, management should consider not 
only the quantity of evidence (e.g., sample size) but also qualitative 
characteristics of the evidence. The qualitative characteristics of the 
evidence include the nature of the evaluation procedures performed, the 
period of time to which the evidence relates, the objectivity of those 
evaluating the controls, and, in the case of monitoring controls, the 
extent of validation through direct testing of underlying controls. For 
any individual control, different combinations of the nature, timing, 
and extent of evaluation procedures may provide sufficient evidence. 
The sufficiency of evidence is not determined by any of these 
attributes individually.
a. Determining the Evidence Needed To Support the Assessment
    Management should evaluate the ICFR risk of the controls identified 
in Section III.A.1. to determine the evidence needed to support the 
assessment. The risk assessment should consider the impact of the 
characteristics of the financial reporting elements to which the 
controls relate and the characteristics of the controls themselves. 
This concept is demonstrated in the following diagram.

[[Page 77644]]

[GRAPHIC] [TIFF OMITTED] TP27DE06.115

    Characteristics of the financial reporting element that management 
considers include both the materiality of the financial reporting 
element and the susceptibility of the underlying account balances, 
transactions or other supporting information to material misstatement. 
As the materiality of the financial reporting element increases in 
relation to the amount of misstatement that would be considered 
material to the financial statements, management's assessment of risk 
generally would correspondingly increase. In addition, financial 
reporting elements would generally have higher risk when they include 
transactions, account balances or other supporting information that is 
prone to misstatement. For example, elements which: (1) Involve 
judgment in determining the recorded amounts; (2) are susceptible to 
fraud; (3) have complexity in the underlying accounting requirements; 
or (4) are subject to environmental factors, such as technological and/
or economic developments, would generally be assessed as higher risk.
    Management also considers the likelihood that a control might fail 
to operate effectively. That likelihood may depend on, among other 
things, the type of control (i.e., manual or automated), the complexity 
of the control, the risk of management override, the judgment required 
to operate the control, the nature and materiality of misstatements 
that the control is intended to prevent or detect, and the degree to 
which the control relies on the effectiveness of other controls (e.g., 
general IT controls). For example, management's risk assessment would 
be higher for a financial reporting element that involves controls 
whose operation requires significant judgment than for a financial 
reporting element that involves non-complex controls requiring little 
judgment on behalf of management.
    Certain financial reporting elements, such as those involving 
significant accounting estimates,\60\ related party transactions, or 
critical accounting policies \61\ generally would be assessed as having 
higher risk for both the risk of material misstatement to the financial 
reporting element and the risk of control failure. When the controls 
related to these financial reporting elements are subject to the risk 
of management override, involve significant judgment, or are complex, 
they should generally be assessed as having higher ICFR risk.
---------------------------------------------------------------------------

    \60\ ``Significant accounting estimates'' referred to here 
relate to accounting estimates or assumptions where the nature of 
the estimates or assumptions is material due to the levels of 
subjectivity and judgment necessary to account for highly uncertain 
matters or the susceptibility of such matters to change; and the 
impact of the estimates and assumptions on financial condition or 
operating performance is material. See Interpretation: Commission 
Guidance Regarding Management's Discussion and Analysis of Financial 
Condition and Results of Operations. Release No. 33-8350 (December 
19, 2003).
    \61\ ``Critical accounting policies'' are defined as those 
policies that are most important to the financial statement 
presentation, and require management's most difficult, subjective, 
or complex judgments, often as the result of a need to make 
estimates about the effect of matters that are inherently uncertain. 
See Action: Cautionary Advice Regarding Disclosure About Critical 
Accounting Policies. Release No. 33-8040 (December 12, 2001).
---------------------------------------------------------------------------

    When a combination of controls is required to adequately address 
the risks of a financial reporting element, management should analyze 
the risk characteristics of each control. This is because the controls 
associated with a given financial reporting element may not necessarily 
share the same risk characteristics. For example, a financial reporting 
element involving significant estimation may require a combination of 
automated controls that accumulate source data and manual controls that 
require highly judgmental determinations of assumptions. In this case, 
the automated controls may be subject to a system that is stable (i.e., 
has not undergone significant change) and is supported by effective 
general controls and are therefore assessed as lower risk, whereas the 
manual controls would be assessed as higher risk.
    The existence of entity-level controls (e.g., controls within the 
control environment) may influence management's determination of the 
evidence needed to sufficiently support its assessment. For example, 
management's judgment about the likelihood that a control fails to 
operate effectively may be influenced by a highly effective control 
environment and thereby impact the evidence evaluated for that control. 
However, a strong control environment would not eliminate the need for 
evaluation procedures that consider the effective operation of the 
control in some manner.\62\
---------------------------------------------------------------------------

    \62\ See references at footnote 56 to comments received related 
to the role of entity-level controls within management's evaluation.
---------------------------------------------------------------------------

b. Implementing Procedures To Evaluate Evidence of the Operation of 
ICFR
    The methods and procedures management uses to gather evidence about 
the effective operation of controls are based on its assessment of the 
ICFR risk. Therefore, the methods and procedures, including the timing 
of when they are performed, are a function of the evidence that 
management considers necessary to provide reasonable support for its 
assessment of ICFR based on the assessment of ICFR risk. These 
procedures may be integrated with the daily responsibilities

[[Page 77645]]

of its employees or implemented specifically for purposes of the ICFR 
evaluation. Evidence that is relevant to the assessment may come from 
activities that are performed for other reasons (e.g., day-to-day 
activities to manage the operations of the business). Further, 
activities performed to meet the monitoring objectives of the control 
framework will provide evidence to support the assessment.\63\
---------------------------------------------------------------------------

    \63\ Many commenters on the Concept Release requested guidance 
clarifying that evidence relevant to supporting the evaluation may 
come from activities that are integrated into management's daily 
activities or performed for other reasons. See, for example, letters 
regarding file number S7-11-06 of EDS, American Electric Power and 
the Hundred Group of Finance Directors at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------

    The evidence management evaluates may come from a combination of 
on-going monitoring and direct testing of controls. On-going monitoring 
includes activities that provide information about the operation of 
controls and may be obtained, for example, through self-assessment \64\ 
procedures and the analysis of performance measures designed to track 
the operation of controls.\65\ Direct tests of controls are tests 
performed periodically to provide evidence as of a point in time and 
may provide information about the reliability of on-going monitoring 
activities.
---------------------------------------------------------------------------

    \64\ Self-assessment is a broad term that refers to different 
types of procedures performed by various parties. It includes an 
assessment made by the same personnel who are responsible for 
performing the control. However, self-assessment may also be used to 
refer to assessments and tests of controls performed by persons who 
are members of management but are not the same personnel who are 
responsible for performing the control. In this manner, an 
assessment may be carried out with varying degrees of objectivity. 
The sufficiency of the evidence derived from self-assessment depends 
on how it is implemented and the objectivity of those performing the 
assessment. COSO's 1992 framework defines self-assessments as 
``evaluations where persons responsible for a particular unit or 
function will determine the effectiveness of controls for their 
activities.''
    \65\ Management's evaluation process may also consider the 
results of key performance indicators (``KPI's'') in which 
management reconciles operating and financial information with its 
knowledge of the business. While these KPI's may indicate a 
potential misstatement in a financial reporting element and 
therefore are relevant to meeting the objectives of ICFR, they 
generally do not monitor the effective operation of other controls. 
The procedures that management implements pursuant to this section 
should evaluate the effective operation of these KPI type controls 
when they are identified pursuant to Section III.A.1.b. as 
addressing financial reporting risk.
---------------------------------------------------------------------------

    The risk assessments discussed in Section III.A.2.a. can assist 
management in determining the evaluation procedures that provide 
reasonable support for the assessment. As the assessed risk increases, 
management will ordinarily adjust the nature of the evidence that is 
obtained. For example, management can vary the nature of evidence from 
on-going monitoring by adjusting the extent of validation through 
periodic direct testing of the underlying controls and/or adjusting the 
objectivity of those performing the self-assessments. Management can 
also vary the nature of evidence obtained by adjusting the period of 
time covered by direct testing. When ICFR risk is assessed as high, 
management's evaluation would ordinarily include evidence obtained from 
direct testing. Further, management's evaluation would ordinarily 
consider evidence from a reasonable period of time during the year, 
including the fiscal year-end. For lower risk areas, management may 
conclude that evidence from on-going monitoring is sufficient and that 
no direct testing is required.\66\
---------------------------------------------------------------------------

    \66\ Commenters on the Concept Release were supportive of 
guidance on factors that should be considered in using a risk-based 
evaluation. See, for example, letters regarding file number S7-11-06 
of Aerospace Industries Association, American Institute of Certified 
Public Accountants, American Electric Power, Edison Electric 
Institute, and PricewaterhouseCoopers LLP at http://www.sec.gov/comments/s7-11-06/s71106.shtml. Section III.A.2.a. also provides 
guidance on a risked-based evaluation.
---------------------------------------------------------------------------

    In smaller companies, management's daily interaction with its 
controls may provide it with sufficient knowledge about their operation 
to evaluate the operation of ICFR. Knowledge from daily interaction 
includes information obtained by those responsible for evaluating the 
effectiveness of ICFR through their on-going direct knowledge and 
direct supervision of control operation. Management should consider its 
particular facts and circumstances when determining whether or not its 
daily interaction with controls provides sufficient evidence for the 
evaluation. For example, daily interaction may provide sufficient 
evidence when the operation of controls is centralized and the number 
of personnel involved in their operation is limited. Conversely, daily 
interaction in companies with multiple management reporting layers or 
operating segments would generally not provide sufficient evidence 
because those responsible for assessing the effectiveness of ICFR would 
not ordinarily be sufficiently knowledgeable about the operation of the 
controls. In these situations, management would ordinarily utilize 
direct testing or on-going monitoring type evaluation procedures to 
have reasonable support for the assessment.\67\
---------------------------------------------------------------------------

    \67\ Commenters on the Concept Release were supportive of 
guidance on how management's daily interaction can support the 
evaluation. See, for example, letters regarding file number S7-11-06 
of U.S. Oncology, Inc., EDS, American Electric Power, MetLife, Texas 
Society of Certified Public Accountants, and the Controllers' 
Leadership Roundtable at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------

    Management evaluates the evidence it gathers to determine whether 
the operation of a control is effective. This evaluation considers 
whether the control operated as designed and includes matters such as 
how the control was applied, the consistency with which it was applied, 
and whether the person performing the control possesses the necessary 
authority and competence to perform the control effectively. If 
management determines that the operation of the control is not 
effective, a deficiency exists that must be evaluated to determine 
whether it is a material weakness.
c. Evidential Matter To Support the Assessment
    Management's assessment must be supported by evidential matter that 
provides reasonable support for its assessment. The nature of the 
evidential matter may vary based on the assessed level of risk of the 
underlying controls and other circumstances, but we would expect 
reasonable support for an assessment to include the basis for 
management's assessment, including documentation of the methods and 
procedures it utilizes to gather and evaluate evidence. The evidential 
matter may take many forms and will vary depending on the assessed 
level of risk for controls over each of its financial reporting 
elements. For example, management may document its overall strategy in 
a comprehensive memorandum that establishes the evaluation approach, 
the evaluation procedures, and the basis for conclusions for each 
financial reporting element. Management may determine that it is not 
necessary to separately maintain copies of the evidence it evaluates; 
however, the evidential matter within the company's books and records 
should be sufficient to provide reasonable support for its assessment. 
For example, in smaller companies, where management's daily interaction 
with its controls provides the basis for its assessment, management may 
have limited documentation created specifically for the evaluation of 
ICFR. However, in these instances, management should consider whether 
reasonable support for its assessment would include documentation of 
how its interaction provided it with sufficient evidence. This 
documentation might include memoranda, e-mails, and

[[Page 77646]]

instructions or directions from management to company employees.\68\
---------------------------------------------------------------------------

    \68\ See footnote 58 for references to Concept Release comment 
letters requesting guidance on documentation.
---------------------------------------------------------------------------

    Further, management should also consider the degree of complexity 
of the control, the level of judgment required to operate the control, 
and the risk of misstatement in the financial reporting element that 
could result in a material misstatement in the financial statements in 
determining the nature of supporting evidential matter. As these 
factors increase, management may determine that evidential matter 
supporting the assessment should be separately maintained.\69\ For 
example, management may decide that separately maintained documentation 
will assist the audit committee in exercising its oversight of the 
company's financial reporting.
---------------------------------------------------------------------------

    \69\ Id.
---------------------------------------------------------------------------

    If management believes that the operation of the entity-wide and 
other pervasive elements of its ICFR address the elements of internal 
control that its applicable framework describes as necessary for an 
effective system, then the evidential matter constituting reasonable 
support for management's assessment would ordinarily include 
documentation of how management formed that belief.\70\
---------------------------------------------------------------------------

    \70\ Id.
---------------------------------------------------------------------------

3. Multiple Location Considerations \71\
---------------------------------------------------------------------------

    \71\ Guidance in this area was requested in numerous comments 
received in response to the Concept Release. See, for example, 
letters regarding file number S7-11-06 of Eli Lilly, Deloitte & 
Touche LLP, Ernst & Young LLP, Sasol Group, and the Institute of 
Management Accountants at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
---------------------------------------------------------------------------

    Management's consideration of financial reporting risks generally 
includes all of its locations or business units.\72\ Management may 
determine that financial reporting risks are adequately addressed by 
controls which operate centrally, in which case the evaluation approach 
is similar to that of a business with a single location or business 
unit. When the controls necessary to address financial reporting risks 
operate at more than one location or business unit, management would 
generally evaluate evidence of the operation of the controls at the 
individual locations or business units.
---------------------------------------------------------------------------

    \72\ Consistent with the guidance in Section III.A.1., 
management may determine when identifying financial reporting risks 
that some locations are so insignificant that no further evaluation 
procedures are needed.
---------------------------------------------------------------------------

    In situations where management determines that the ICFR risk of the 
controls (as determined through Section III.A.2.a) that operate at 
individual locations or business units is low, management may determine 
that evidence gathered through self-assessment routines or other on-
going monitoring activities, when combined with the evidence derived 
from a centralized control that monitors the results of operations at 
individual locations, may constitute sufficient evidence for the 
evaluation. In other situations, management may determine that, because 
of the complexity or judgment in the operation of the controls at the 
individual location, the risks of the controls are high, and therefore 
more evidence is needed about the effective operation of the controls 
at the location.
    When performing its evaluation of the risk characteristics of the 
controls identified, management should consider whether there are 
location-specific risks that might impact the risk that a control might 
fail to operate effectively. Additionally, there may be pervasive 
factors at a given location that cause all controls, or a majority of 
controls, at that location to be considered higher risk. Management 
should generally consider the risk characteristics of the controls for 
each financial reporting element, rather than making a single judgment 
for all controls at that location when deciding whether the nature and 
extent of evidence is sufficient.

B. Reporting Considerations

1. Evaluation of Control Deficiencies
    In order to determine whether a control deficiency, or combination 
of control deficiencies, is a material weakness, management evaluates 
each control deficiency that comes to its attention.\73\ Control 
deficiencies that are determined to be a material weakness must be 
disclosed in management's annual report on its assessment of the 
effectiveness of ICFR.\74\ Management may not disclose that it has 
assessed ICFR as effective if there is one or more control deficiencies 
determined to be a material weakness in ICFR. As part of the evaluation 
of ICFR, management considers whether the deficiencies, individually or 
in combination, are material weaknesses as of the end of the fiscal 
year. Multiple control deficiencies that affect the same financial 
statement account balance or disclosure increase the likelihood of 
misstatement and may, in combination, constitute a material weakness if 
there is a reasonable possibility \75\ that a material misstatement to 
the financial statements would not be prevented or detected in a timely 
manner, even though such deficiencies may be individually 
insignificant. Therefore, management should evaluate individual control 
deficiencies that affect the same account balance, disclosure, relevant 
assertion, or component of internal control, to determine whether they 
collectively result in a material weakness.\76\
---------------------------------------------------------------------------

    \73\ Because of the importance to investors of the 
reconciliation to U.S. GAAP, when management of foreign private 
issuers that file in home country GAAP or IFRS determine the 
severity of an identified control deficiency, management should 
consider the impact of the control deficiency to the U.S. GAAP 
reconciliation disclosure. Hence, management should take into 
consideration both the amounts reported in the primary financial 
statements and the amounts reported in the reconciliation to U.S. 
GAAP in evaluating the severity of the control deficiency. For 
example, it would be inappropriate to determine, without further 
consideration, that a control deficiency associated with an item 
included in the reconciliation to U.S. GAAP, is not material to the 
primary financial statements, and therefore cannot be, by 
definition, a material weakness.
    \74\ Pursuant to Rules 13a-14 and 15d-14 management discloses to 
the auditors and to the audit committee of the board of directors 
(or persons fulfilling the equivalent function) all significant 
deficiencies in the design or operation of internal controls which 
could adversely affect the issuer's ability to record, process, 
summarize and report financial data and have identified for the 
issuer's auditors any material weaknesses in internal controls. The 
interaction of qualitative considerations that affect ICFR with 
quantitative considerations ordinarily results in deficiencies in 
the following areas being at least significant deficiencies in 
internal control over financial reporting: Controls over the 
selection and application of accounting policies that are in 
conformity with generally accepted accounting principles; antifraud 
programs and controls; controls over non-routine and non-systematic 
transactions; and controls over the period-end financial reporting 
process. If management determines that the deficiency would prevent 
prudent officials in the conduct of their own affairs from 
concluding that they have reasonable assurance that transactions are 
recorded as necessary to permit the preparation of financial 
statements in conformity with generally accepted accounting 
principles, then management should deem the deficiency to be at 
least a significant deficiency.
    \75\ See footnote 32.
    \76\ A similar approach to aggregating individually 
insignificant control deficiencies was used by the AICPA in 
Statement on Auditing Standard No. 112.
---------------------------------------------------------------------------

    The evaluation of a control deficiency should include both 
quantitative and qualitative factors. Management can evaluate a 
deficiency in ICFR by considering the likelihood that the company's 
ICFR will fail to prevent or detect a misstatement of a financial 
statement element, or component thereof, on a timely basis; and the 
magnitude of the potential misstatement resulting from the deficiency 
or deficiencies. This evaluation is based on whether the company's 
controls will fail to prevent or detect a misstatement on a timely 
basis, not necessarily on whether a misstatement actually has occurred.
    Several factors affect the likelihood that a deficiency, or a 
combination of deficiencies, will result in a misstatement in a 
financial reporting element not being prevented or detected on a timely 
basis. The factors include, but are not limited to, the following:

[[Page 77647]]

     The nature of the financial statement elements, or 
components thereof, involved (e.g., suspense accounts and related party 
transactions involve greater risk);
     The susceptibility of the related asset or liability to 
loss or fraud (i.e., greater susceptibility increases risk);
     The subjectivity, complexity, or extent of judgment 
required to determine the amount involved (i.e., greater subjectivity, 
complexity, or judgment, like that related to an accounting estimate, 
increases risk);
     The interaction or relationship of the control with other 
controls (i.e., the interdependence or redundancy of the control);
     The interaction of the deficiencies (i.e., when evaluating 
a combination of two or more deficiencies, whether the deficiencies 
could affect the same financial statement accounts and assertions); and
     The possible future consequences of the deficiency.
    Management should evaluate how the controls interact with other 
controls when evaluating the likelihood that the company's controls 
will fail to prevent or detect on a timely basis a misstatement that is 
material to the company's financial statements. There are controls, 
such as general IT controls, on which other controls depend. Some 
controls function together as a group of controls. Other controls 
overlap, in the sense that more than one control may individually 
achieve the same objective.
    Several factors affect the magnitude of the misstatement that might 
result from a deficiency or deficiencies in controls. The factors 
include, but are not limited to, the following:
     The financial statement amounts or total of transactions 
exposed to the deficiency; and
     The volume of activity in the account balance or class of 
transactions exposed to the deficiency that has occurred in the current 
period or that is expected in future periods.
    In evaluating the magnitude of the potential misstatement to the 
company's financial statements as a whole, management should recognize 
that the maximum amount that an account balance or total of 
transactions can be overstated is the recorded amount, while 
understatements could be larger. Moreover, in many cases, the 
probability of a small misstatement will be greater than the 
probability of a large misstatement. For example, if the deficiency is 
that errors identified during an account reconciliation are not being 
investigated in a timely manner, management should consider the 
possibility that larger errors are more likely to be investigated or 
identified through other controls than smaller ones.
    Management should evaluate the effect of compensating controls \77\ 
when determining whether a control deficiency or combination of 
deficiencies is a material weakness. When evaluating a deficiency in 
ICFR, management also should determine the level of detail and degree 
of assurance that would satisfy prudent officials in the conduct of 
their own affairs that they have reasonable assurance that transactions 
are recorded as necessary to permit the preparation of financial 
statements in conformity with GAAP.
---------------------------------------------------------------------------

    \77\ Compensating controls are controls that serve to accomplish 
the objective of another control that did not function properly, 
helping to reduce risk to an acceptable level. To have a mitigating 
effect, the compensating control should operate at a level of 
precision that would prevent or detect a misstatement that was 
material.
---------------------------------------------------------------------------

    The following circumstances are strong indicators that a material 
weakness in ICFR exists:
     An ineffective control environment. Circumstances that may 
indicate that the company's control environment is ineffective include, 
but are not limited to:
--Identification of fraud of any magnitude on the part of senior 
management.
--Significant deficiencies that have been identified and remain 
unaddressed after some reasonable period of time.
--Ineffective oversight of the company's external financial reporting 
and ICFR by the company's audit committee.\78\
---------------------------------------------------------------------------

    \78\ If no audit committee exists, all references to the audit 
committee apply to the entire board of directors of the company. 
When a company is not required by law or applicable listing 
standards to have independent directors on its audit committee, the 
lack of independent directors at these companies is not indicative, 
by itself, of a control deficiency. In all cases, management should 
interpret the terms ``board of directors'' and ``audit committee'' 
as being consistent with provisions for the use of those terms as 
defined in relevant SEC rules.
---------------------------------------------------------------------------

     Restatement of previously issued financial statements to 
reflect the correction of a material misstatement.


    Note: The correction of a material misstatement includes 
misstatements due to error or fraud; it does not include 
retrospective application of a change in accounting principle to 
comply with a new accounting principle or a voluntary change from 
one generally accepted accounting principle to another generally 
accepted accounting principle.


     Identification by the auditor of a material misstatement 
in financial statements in the current period under circumstances that 
indicate the misstatement would not have been discovered by the 
company's ICFR.
     For complex entities in highly regulated industries, an 
ineffective regulatory compliance function. This relates solely to 
those aspects of the ineffective regulatory compliance function in 
which associated violations of laws and regulations could have a 
material effect on the reliability of financial reporting.
2. Expression of Assessment of Effectiveness of ICFR by Management and 
the Registered Public Accounting Firm
    Management should disclose a clear expression of its assessment 
related to the effectiveness of ICFR and, therefore, should not qualify 
its assessment by saying that the company's ICFR is effective subject 
to certain qualifications or exceptions or express similar positions. 
For example, management should not state that the company's controls 
and procedures are effective except to the extent that certain material 
weakness(es) have been identified. In addition, if a material weakness 
exists, management may not state that the company's ICFR is effective. 
However, management may state that controls are ineffective due solely 
to, and only to the extent of, the identified material weakness(es). 
Prior to making this statement, however, management should consider the 
nature and pervasiveness of the material weakness. In addition, 
management may disclose any remediation efforts to the identified 
material weakness(es) in Item 9A of Form 10-K, Item 15 of Form 20-F, or 
General Instruction B of Form 40-F.
3. Disclosures About Material Weaknesses
    The Commission's rule implementing Section 404 was intended to 
bring information about material weaknesses in ICFR into public view. 
Because of the significance of the disclosure requirements surrounding 
material weaknesses beyond specifically stating that the material 
weaknesses exist, companies should also consider including the 
following in their disclosures: \79\
---------------------------------------------------------------------------

    \79\ Significant deficiencies in ICFR are not required to be 
disclosed in management's annual report on its evaluation of ICFR 
required by Item 308(a).
---------------------------------------------------------------------------

     The nature of any material weakness,
     Its impact on financial reporting and the control 
environment, and
     Management's current plans, if any, for remediating the 
weakness.
    Disclosure of the existence of a material weakness is important, 
but there is other information that also may be material and necessary 
to form an

[[Page 77648]]

overall picture that is not misleading.\80\ There are many different 
types of material weaknesses and many different factors that may be 
important to the assessment of the potential effect of any particular 
material weakness. While management is required to conclude and state 
in its report that ICFR is ineffective when there is one or more 
material weaknesses, companies should also consider providing 
disclosure that allows investors to understand the root cause of the 
control deficiency and to assess the potential impact of each 
particular material weakness. This disclosure will be more useful to 
investors if management differentiates the potential impact and 
importance to the financial statements of the identified material 
weaknesses, including distinguishing those material weaknesses that may 
have a pervasive impact on ICFR from those material weaknesses that do 
not. The goal underlying all disclosure in this area is to provide an 
investor with disclosure and analysis beyond the mere existence of a 
material weakness.
---------------------------------------------------------------------------

    \80\ See Exchange Act Rule 12b-20 [17 CFR 240.12b-20].
---------------------------------------------------------------------------

4. Impact of a Restatement of Previously Issued Financial Statements on 
Management's Report on ICFR
    Item 308 of Regulation S-K requires disclosure of management's 
assessment of the effectiveness of the company's ICFR as of the end of 
the company's most recent fiscal year. When a material misstatement in 
previously issued financial statements is discovered, a company is 
required to restate those financial statements. However, the 
restatement of financial statements does not, by itself, necessitate 
that management consider the effect of the restatement on the company's 
prior conclusion related to the effectiveness of ICFR.
    While there is no requirement for management to reassess or revise 
its conclusion related to the effectiveness of ICFR, management should 
consider whether its original disclosures are still appropriate and 
should modify or supplement its original disclosure to include any 
other material information that is necessary for such disclosures not 
to be misleading in light of the restatement. The company should also 
disclose any material changes to ICFR, as required by Item 308(c) of 
Regulation S-K.
    Similarly, while there is no requirement that management reassess 
or revise its conclusion related to the effectiveness of its disclosure 
controls and procedures, management should consider whether its 
original disclosures regarding effectiveness of disclosure controls and 
procedures need to be modified or supplemented to include any other 
material information that is necessary for such disclosures not to be 
misleading. With respect to the disclosures concerning ICFR and 
disclosure controls and procedures, the company may need to disclose in 
this context what impact, if any, the restatement has on its original 
conclusions regarding effectiveness of ICFR and disclosure controls and 
procedures.
5. Inability To Assess Certain Aspects of ICFR
    In certain circumstances, management may encounter difficulty in 
assessing certain aspects of its ICFR. For example, management may 
outsource a significant process to a service organization and determine 
that evidence of the operating effectiveness of the controls over that 
process is necessary. However, the service organization may be 
unwilling to provide either a Type 2 SAS 70 report or to provide 
management access to the controls in place at the service organization 
so that management could assess effectiveness.\81\ Finally, management 
may not have compensating controls in place that allow a determination 
of the effectiveness of the controls over the process in an alternative 
manner. The Commission's disclosure requirements state that 
management's annual report on ICFR must include a statement as to 
whether or not ICFR is effective and do not permit management to issue 
a report on ICFR with a scope limitation.\82\ Therefore, management 
must determine whether the inability to assess controls over a 
particular process is significant enough to conclude in its report that 
ICFR is not effective.
---------------------------------------------------------------------------

    \81\ AU Sec. 324, Service Organizations (as adopted on an 
interim basis by the PCAOB in PCAOB Rule 3200T), defines a report on 
controls placed in operation and test of operating effectiveness, 
commonly referred to as a ``Type 2 SAS 70 report.'' This report is a 
service auditor's report on a service organization's description of 
the controls that may be relevant to a user organization's internal 
control as it relates to an audit of financial statements, on 
whether such controls were suitably designed to achieve specified 
control objectives, on whether they had been placed in operation as 
of a specific date, and on whether the controls that were tested 
were operating with sufficient effectiveness to provide reasonable, 
but not absolute, assurance that the related control objectives were 
achieved during the period specified.
    \82\ See Item 308 of Regulations S-K and S-B [17 CFR 
229.308(a)(3) and 228.308(a)(3)].
---------------------------------------------------------------------------

Request for Comment

    We request and encourage any interested parties to submit comments 
on the proposed interpretive guidance. In addition to seeking general 
feedback on the proposed interpretive guidance, the Commission seeks 
comments on the following:
     Will the proposed interpretive guidance be helpful to 
management in completing its annual evaluation process? Does the 
proposed guidance allow for management to conduct an efficient and 
effective evaluation? If not, why not?
     Are there particular areas within the proposed 
interpretive guidance where further clarification is needed? If yes, 
what clarification is necessary?
     Are there aspects of management's annual evaluation 
process that have not been addressed by the proposed interpretive 
guidance that commenters believe should be addressed by the Commission? 
If so, what are those areas and what type of guidance would be 
beneficial?
     Do the topics addressed in the existing staff guidance 
(May 2005 Staff Guidance and Frequently Asked Questions (revised 
October 6, 2004)) continue to be relevant or should such guidance be 
retracted? If yes, which topics should be kept or retracted?
     Will the proposed guidance require unnecessary changes to 
evaluation processes that companies have already established? If yes, 
please describe.
     Considering the PCAOB's proposed new auditing standards, 
An Audit of Internal Control Over Financial Reporting that is 
Integrated with an Audit of Financial Statements and Considering and 
Using the Work of Others In an Audit, are there any areas of 
incompatibility that limit the effectiveness or efficiency of an 
evaluation conducted in accordance with the proposed guidance? If so, 
what are those areas and how would you propose to resolve the 
incompatibility?
     Are there any definitions included in the proposed 
interpretive guidance that are confusing or inappropriate and how would 
you change the definitions so identified?
     Will the guidance for disclosures about material 
weaknesses result in sufficient information to investors and if not, 
how would you change the guidance?
     Should the guidance be issued as an interpretation or 
should it, or any part, be codified as a Commission rule?
     Are there any considerations unique to the evaluation of 
ICFR by a foreign private issuer that should be addressed in the 
guidance? If yes, what are they?

[[Page 77649]]

IV. Proposed Rule Amendments

    Exchange Act Rules 13a-15(c) and 15d-15(c) require the management 
of each issuer subject to the Exchange Act reporting requirements, 
other than a registered investment company, to evaluate, with the 
participation of the issuer's principal executive and principal 
financial officers, or persons performing similar functions, the 
effectiveness, as of the end of each fiscal year, of the issuer's 
ICFR.\83\ We are proposing to amend these rules to state that, although 
there are many different ways to conduct an evaluation of the 
effectiveness of ICFR to meet the requirement in the rule, an 
evaluation conducted in accordance with the interpretive guidance 
issued by the Commission, if the Commission adopts the interpretive 
guidance in final form, would satisfy the annual management evaluation 
required by those rules.\84\ The proposed amendments would not limit 
the ability of management to use its judgment to determine a method of 
evaluation that is appropriate for its company. The proposed amendments 
would be similar to a non-exclusive safe-harbor in that they would not 
require management to conduct the evaluation in accordance with the 
interpretive guidance, but would provide certainty to management that 
chooses to follow the guidance that it has satisfied its obligation to 
conduct an evaluation for purposes of the requirements in Rules 13a-
15(c) and 15d-15(c).
---------------------------------------------------------------------------

    \83\ We recently adopted amendments that, among other things, 
provide a transition period for newly public companies before they 
become subject to the ICFR requirements. Under the new amendments, a 
newly public company will not become subject to the ICFR 
requirements until it either had been required to file an annual 
report for the prior fiscal year with the Commission or had filed an 
annual report with the Commission for the prior fiscal year. See 
Release No. 33-8760 (December 15, 2006) available at http://www.sec.gov/rules/final.shtml.
    \84\ See proposed revisions to Rules 13a-15(c) and 15d-15(c).
---------------------------------------------------------------------------

    Our rules implementing Section 404(b) of Sarbanes-Oxley require 
every registered public accounting firm that issues or prepares an 
audit report on a company's financial statements for inclusion in an 
annual report that contains an assessment by management of the 
effectiveness of the registrant's ICFR to attest to, and report on, 
such assessment. Pursuant to Rule 2-02(f), the accountant's attestation 
report must clearly state the ``opinion of the accountant as to whether 
management's assessment of the effectiveness of the registrant's ICFR 
is fairly stated in all material respects.'' Over the past three years 
we have received feedback that the current form of the auditor's 
opinion may not effectively communicate the auditor's responsibility in 
relation to management's evaluation process. Therefore, we are 
proposing to revise Rule 2-02(f) to require the auditor to express an 
opinion directly on the effectiveness of ICFR. In addition, we are 
proposing revisions to Rule 2-02(f) to clarify the circumstances in 
which we would expect that the accountant cannot express an opinion.
    We are also proposing conforming revisions to the definition of 
attestation report in Rule 1-02(a)(2) of Regulation S-X. We believe 
this opinion necessarily conveys whether management's assessment is 
fairly stated. We understand the PCAOB will be proposing a conforming 
revision to its auditing standard to reflect this revision as well.

Request for Comment

    We request and encourage any interested person to submit comments 
on the proposed revision to Exchange Act Rules 13a-15(c) and 15d-15(c) 
and Rules 1-02 and 2-02 of Regulation S-X. In addition to seeking 
general feedback on the proposed rule revision, the Commission seeks 
comments on the following:
     Should compliance with the interpretive guidance, if 
issued in final form, be voluntary, as proposed, or mandatory?
     Is it necessary or useful to amend the rules if the 
proposed interpretive guidance is issued in final form, or are rule 
revisions unnecessary?
     Should the rules be amended in a different manner in view 
of the proposed interpretive guidance?
     Is it appropriate to provide the proposed assurance in 
Rules 13a-15 and 15d-15 that an evaluation conducted in accordance with 
the interpretive guidance will satisfy the evaluation requirement in 
the rules?
     Does the proposed revision offer too much or too little 
assurance to management that it is conducting a satisfactory evaluation 
if it complies with the interpretive guidance?
     Are the proposed revisions to Exchange Act Rules 13a-15(c) 
and 15d-15(c) sufficiently clear that management can conduct its 
evaluation using methods that differ from our interpretive guidance?
     Do the proposed revisions to Rules 1-02(a)(2) and 2-02(f) 
of Regulation S-X effectively communicate the auditor's responsibility? 
Would another formulation better convey the auditor's role with respect 
to management's assessment and/or the auditor's reporting obligation?
     Should we consider changes to other definitions or rules 
in light of these proposed revisions?
     The proposed revision to Rule 2-02(f) highlights that 
disclaimers by the auditor would only be appropriate in the rare 
circumstance of a scope limitation. Does this adequately convey the 
narrow circumstances under which an auditor may disclaim an opinion 
under our proposed rule? Would another formulation provide better 
guidance to auditors?

V. Paperwork Reduction Act

    Certain provisions of our ICFR requirements contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA''). We submitted these collections of 
information to the Office of Management and Budget (``OMB'') for review 
in accordance with the PRA and received approval for the collections of 
information. We do not believe the rule amendments that we are 
proposing in this release will impose any new recordkeeping or 
information collection requirements, or other collections of 
information requiring OMB's approval.

VI. Cost-Benefit Analysis

A. Background

    Section 404(a) of Sarbanes-Oxley directed the Commission to 
prescribe rules to require each annual report that a company, other 
than a registered investment company, files pursuant to Exchange Act 
Section 13(a) or 15(d) to contain an internal control report: (1) 
Stating management's responsibilities for establishing and maintaining 
an adequate internal control structure and procedures for financial 
reporting; and (2) containing an assessment, as of the end of the 
company's most recent fiscal year, of the effectiveness of the 
company's internal control structure and procedures for financial 
reporting. On June 5, 2003, the Commission adopted final rules 
implementing the requirements of Section 404(a).\85\
---------------------------------------------------------------------------

    \85\ See footnote 9 above for reference.
---------------------------------------------------------------------------

    The final rules did not prescribe any specific method or set of 
procedures for management to follow in performing its evaluation of 
ICFR. This gave managers some flexibility, while leaving it to 
management's judgment about what constitutes ``reasonable support'' for 
its assessment of internal controls. In the absence of specific 
guidance, managers of many companies have relied upon AS No. 2. This 
choice reflected the pressure on managers to meet the expectations of 
the auditors who were charged with

[[Page 77650]]

attesting to the effectiveness of the company's ICFR and management's 
annual assessment of ICFR. The limited alternative guidance available 
to management has not given it the information that is necessary to 
assuage its concerns about the risk of being unable to satisfy the 
expectations of its auditor under AS No. 2.
    The proposed interpretive guidance is intended to enable management 
to conduct a more effective and efficient evaluation of ICFR. Further, 
under the proposed rule amendments, the auditor would express only a 
single opinion on the effectiveness of the company's internal controls 
in its attestation report rather than expressing separate opinions 
directly on the effectiveness of the company's ICFR and on management's 
assessment.
    Managers may choose to rely on the interpretive guidance, as an 
alternative to what is provided in existing auditing standards or 
elsewhere, for two key reasons. First, we are proposing a rule that 
would give managers who follow the interpretive guidance comfort that 
they have conducted a sufficient ICFR evaluation. Second, elimination 
of the auditor's opinion on management's assessment of ICFR in the 
auditor's attestation report should significantly lessen, if not 
eliminate, the pressures that managers have felt to look to auditing 
standards for guidance in performing those evaluations.
    While the focus of the Cost-Benefit Analysis in this release is on 
the costs and benefits related to the rule amendments that we are 
proposing in this release, rather than the costs and benefits of the 
proposed interpretive guidance that we describe in this release,\86\ in 
view of the fact that the effect of the proposed rule amendments will 
be to endorse the interpretive guidance as one approach to compliance, 
we also have considered the effect that the proposed guidance may have 
on evaluation costs.
---------------------------------------------------------------------------

    \86\ To reduce the costs of implementation, we developed 
proposed interpretive guidance to aid management in the planning and 
performance of an evaluation of ICFR. In connection with this 
interpretive guidance, we are proposing an amendment to Exchange Act 
Rules 13a-15(c) and 15d-15(c) that would make it clear that an 
evaluation that is conducted in accordance with the interpretive 
guidance is one way to satisfy the annual management evaluation 
requirement in those rules and forms. In addition, we are proposing 
revisions to Rule 2-02(f) of Regulation S-X to indicate that an 
auditor should only express a single opinion directly on the 
effectiveness of a company's ICFR, rather than an opinion on the 
effectiveness and a separate opinion on management's assessment. We 
are also proposing conforming revisions to Rule 1-02(a)(2) of 
Regulation S-X which defines the term ``attestation report on 
management's assessment of internal control over financial 
reporting.''
---------------------------------------------------------------------------

    By encouraging managers to rely on guidance that is less 
prescriptive and better aligned with the objectives of Section 404, the 
proposed rule should reduce management's effort relative to current 
practice under existing auditing standards. The expenditure of effort 
by audit firms also may decline, in response, relative to what would 
occur otherwise. We are thus soliciting comments on how the proposed 
guidance and the proposed new auditing standard will affect the 
expenditure of effort, and division of labor, between the managers and 
employees of public companies and their audit firms.
    The benefits and costs of the proposed rule amendments will be 
affected by the number of companies that choose to follow the 
interpretive guidance. Managers will be free to weigh the benefits and 
costs to shareholders in choosing whether to follow the guidance or 
some other approach. This feature does not apply to the proposed 
revisions to Regulation S-X, however, because compliance with these 
amendments will be mandatory.

B. Benefits

    As explained above, the proposed amendments would state that an 
evaluation by management of ICFR that is conducted in accordance with 
the interpretive guidance is one of many ways to satisfy the evaluation 
requirement in Exchange Act Rules 13a-15(c) and 15d-15(c), and would 
clarify that the auditor should only express an opinion directly on the 
effectiveness of a company's ICFR. We expect the primary benefits of 
the proposed rule amendments to Exchange Act Rules 13a-15(c) and 15d-
15(c) to be two-fold. First, there will be a greater likelihood that 
management choosing to follow the guidance will more effectively detect 
material weaknesses. Second, there should be a reduction in the costs 
of excessive testing and documentation that have arisen from management 
aversion to risk in determining the level and type of effort that is 
sufficient to conduct an evaluation of ICFR. We believe the proposed 
revisions to Rule 2-02(f) of Regulation S-X should better communicate 
to investors the nature of the assurance provided to them through the 
work performed by the auditor.
    The proposed amendments to Rules 13a-15(c) and 15d-15(c) are 
similar to a non-exclusive safe-harbor in that they would not require 
management to comply with the evaluation requirement in a particular 
manner (i.e., by following the interpretive guidance), but would 
provide certainty to management choosing to follow the guidance that 
management has satisfied its obligation to conduct an evaluation in an 
appropriate manner.
    The proposed rule amendments are intended to make implementation of 
the internal control reporting requirements more efficient and cost-
effective for all registrants. We believe that benefits to investors 
will arise from the following potential consequences of the proposed 
rule amendments:
     Management can choose to follow guidance that is an 
efficient and effective means of satisfying the evaluation requirement;
     All public companies, especially smaller public companies, 
that choose to follow the guidance would be afforded considerable 
flexibility to scale and tailor their evaluation methods and procedures 
to fit their own facts and circumstances;
     Management would have the comfort that an evaluation that 
complies with our interpretive guidance is one way to satisfy the 
evaluation required by Exchange Act Rule 13a-15(c) and Exchange Act 
Rule 15d-15(c), and reduce any second-guessing as to whether 
management's process was adequate;
     There may be reduced risk of costly and time-consuming 
disagreement between the auditor and management regarding the extent of 
documentation and testing needed to satisfy the ICFR evaluation 
requirement;
     Companies are likely to save costs and reduce the amount 
of effort and resources associated with an evaluation by relying on a 
set of guidelines that clarify the nature, timing and extent of 
management's procedures and that recognizes the many different types of 
evidence-gathering methods available to management (such as direct 
interaction with control components); \87\ and
---------------------------------------------------------------------------

    \87\ See, e.g., transcript of Roundtable Discussion on Second 
Year Experiences with Internal Control Reporting and Auditing 
Provisions, May 10, 2006, available at http://www.sec.gov/spotlight/soxcomp.htm.
---------------------------------------------------------------------------

     Management would have greater clarity regarding the 
Commission's expectations concerning an evaluation of ICFR.
    Improved implementation of the ICFR requirements could facilitate a 
more timely flow of information within the company and, ultimately, to 
investors and the marketplace. We believe that an effective internal 
control evaluation would help management to better identify potential 
weaknesses and inefficiencies that could result in cost-savings in a 
company's operations.

[[Page 77651]]

C. Costs

    Some larger public companies may face a transitory increase in 
compliance costs if they choose to follow the guidance. This is because 
many of the larger companies that have already evaluated their internal 
controls have reported cost reductions, or the anticipation of cost 
reductions, in the second and subsequent years of compliance with the 
internal control reporting provisions. For companies that choose to 
follow the interpretive guidance, the proposed rule amendments may 
cause some accelerated and large accelerated filers who have completed 
one or more evaluations of their ICFR to adjust their evaluation 
procedures in order to take advantage of the proposed rule amendments 
which could lead to an increase in the compliance costs.\88\
---------------------------------------------------------------------------

    \88\ Presumably such companies would only adjust their 
evaluation methods if they perceived the benefit of the proposed 
amendments would exceed the increased compliance cost.
---------------------------------------------------------------------------

    In addition, the benefits of the proposed amendments may be 
partially offset if the company's auditor obtains more audit evidence 
directly itself rather than using evidence generated by management's 
evaluation process, which could lead to an increase in audit costs.\89\
---------------------------------------------------------------------------

    \89\ Any near term increase in audit costs may be mitigated if 
the PCAOB's proposed new auditing standards, An Audit of Internal 
Control Over Financial Reporting that is Integrated with an Audit of 
Financial Statements and Considering and Using the Work of Others In 
an Audit, are approved.
---------------------------------------------------------------------------

D. Request for Comment

    We request comment on the nature of the costs and benefits of the 
proposed amendments, including the likely responses of public companies 
and auditors concerning the introduction of new management guidance. We 
seek evidentiary support for the conclusions on the nature and 
magnitude of those costs and benefits, including data to quantify the 
costs and the value of the benefits described above. We seek estimates 
of these costs and benefits, as well as any costs and benefits not 
already identified, that may result from the adoption of these proposed 
amendments and issuance of interpretive guidance. With increased 
reliance on management judgment, will there be unintended consequences? 
We also request qualitative feedback and related evidentiary support 
relating to any benefits and costs we may have overlooked.

VII. Consideration of Impact on the Economy, Burden on Competition and 
Promotion of Efficiency, Competition and Capital Formation

    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996, or ``SBREFA,'' \90\ we solicit data to determine whether 
the proposed rule amendments constitute a ``major'' rule. Under SBREFA, 
a rule is considered ``major'' where, if adopted, it results or is 
likely to result in:
---------------------------------------------------------------------------

    \90\ 5 U.S.C. 603.
---------------------------------------------------------------------------

     An annual effect on the economy of $100 million or more 
(either in the form of an increase or a decrease);
     A major increase in costs or prices for consumers or 
individual industries; or
     Significant adverse effects on competition, investment or 
innovation.
    Section 3(f) of the Exchange Act \91\ requires the Commission, 
whenever it engages in rulemaking, and is required to consider or 
determine if an action is necessary or appropriate in the public 
interest, also to consider whether the action will promote efficiency, 
competition, and capital formation. Section 23(a)(2) of the Exchange 
Act \92\ also requires us, when adopting rules under the Exchange Act, 
to consider the impact that any new rule would have on competition. In 
addition, Section 23(a)(2) prohibits us from adopting any rule that 
would impose a burden on competition not necessary or appropriate in 
furtherance of the purposes of the Exchange Act.
---------------------------------------------------------------------------

    \91\ 15 U.S.C. 78c(f).
    \92\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    We believe the proposed amendments, if adopted, would promote 
competition, efficiency, and capital formation. Under the Sarbanes-
Oxley Act, all companies, except registered investment companies, are 
subject to the requirement to conduct an evaluation of their ICFR. 
Compliance with the proposed amendments to Exchange Act Rules 13a-15 
and 15d-15, however, would be voluntary rather than mandatory and, as 
such, companies could choose whether or not to follow the interpretive 
guidance. The rule therefore should not impose any new cost. 
Accordingly, companies that have already completed one or more 
evaluations can continue to use their existing procedures to satisfy 
the evaluation required by our rules, or companies can choose to follow 
the guidance.
    The proposed rule amendments should increase the efficiency with 
respect to the effort and resources associated with an evaluation of 
ICFR and facilitate more efficient allocation of resources within a 
company. The guidance is also designed to be scalable depending on the 
size of the company. Reducing the potentially disproportionate costs to 
smaller companies required to comply with the evaluation requirements 
should also increase efficiency. Finally, the rules may promote 
competition among companies in developing the most efficient means to 
satisfy the evaluation requirement.
    Capital formation may be promoted in the following ways. To the 
extent the cost of compliance with the evaluation requirement is 
lowered to a more economically feasible threshold, smaller private 
companies may be able to access public capital markets earlier in their 
growth. They may therefore obtain enhanced sources of capital at lower 
cost.
    The proposed amendments may also introduce new competition from 
outside professionals and software vendors in the supply of services 
and products to assist the managers of public companies in their 
evaluations of ICFR. We seek comment on whether the proposed guidance 
and accompanying rule would stimulate new entry into any such market.
    We request comment on the potential impact of the proposed 
amendments on the U.S. economy on an annual basis, any potential 
increase in costs or prices for consumers or individual industries, and 
any potential effect on competition, investment or innovation. We also 
request comment on whether the proposed amendments would promote 
efficiency, competition, and capital formation. Commenters are 
requested to provide empirical data and other factual support for their 
view to the extent possible.

VIII. Initial Regulatory Flexibility Analysis

    This Initial Regulatory Flexibility Analysis (``IRFA'') has been 
prepared in accordance with the Regulatory Flexibility Act.\93\ This 
IRFA involves proposed amendments to Exchange Act Rules 13a-15(c) and 
15d-15(c) and Rules 1-02(a)(2) and 2-02(f) of Regulation S-X. These 
rules require the management of an Exchange Act reporting company, 
other than registered investment companies, to prepare an annual 
evaluation of the company's ICFR, and that the registered public 
accounting firm that issues an audit report on the company's financial 
statements to attest to, and report on, management's assessment. The 
proposed rule amendments would

[[Page 77652]]

clarify that an evaluation that is conducted in accordance with the 
interpretive guidance would satisfy the annual management evaluation of 
the company's ICFR.\94\
---------------------------------------------------------------------------

    \93\ 5 U.S.C. 601.
    \94\ In connection with the proposed rule amendments, we are 
also proposing interpretive guidance for management to use in 
conducting an annual evaluation of the company's internal control 
over financial reporting. The proposed interpretive guidance itself 
is not subject to the Regulatory Flexibility Act. Accordingly, for 
purposes of the IRFA, our analysis is focused on the proposed rule 
amendments.
---------------------------------------------------------------------------

A. Reasons for the Proposed Action

    We are proposing rule amendments that would make it clear that an 
evaluation conducted in accordance with our interpretive guidance is 
one of many ways to satisfy the requirements of Exchange Act Rules 13a-
15(c) and 15d-15(c), clarify the auditor report required Rule 2-02(f) 
of Regulation S-X, and revise the definition of the term attestation 
report in Rule 1-02(a)(2) of Regulation S-X.

B. Objectives

    The proposed rule amendments are intended to make implementation of 
the internal control reporting requirements more efficient and cost-
effective by reducing ambiguities that have arisen due to the lack of 
certainty available to companies on how to conduct an annual evaluation 
of ICFR.

C. Legal Basis

    We are issuing the proposed rule amendments under the authority set 
forth in Sections 12, 13, 15 and 23 of the Exchange Act, and Sections 
3(a) and 404 of the Sarbanes-Oxley Act of 2002.

D. Small Entities Subject to the Proposed Revisions

    The proposed amendments would affect some issuers that are small 
entities. Exchange Act Rule 0-10(a) \95\ defines an issuer, other than 
an investment company, to be a ``small business'' or ``small 
organization'' if it had total assets of $5 million or less on the last 
day of its most recent fiscal year. We estimate that there are 
approximately 2,500 issuers, other than registered investment 
companies, that may be considered small entities. The proposed 
amendments would apply to any small entity that is subject to Exchange 
Act reporting requirements.
---------------------------------------------------------------------------

    \95\ 17 CFR 240.0-10(a).
---------------------------------------------------------------------------

E. Reporting, Recordkeeping, and Other Compliance Requirements

    The proposed rule amendments would not impose any new reporting, 
recordkeeping or compliance requirements. The amendments provide a 
voluntary, non-exclusive certainty, in the nature of a safe-harbor.

F. Duplicative, Overlapping, or Conflicting Federal Rules

    The proposed amendments do not duplicate, overlap, or conflict with 
other federal rules.

G. Significant Alternatives

    The Regulatory Flexibility Act directs us to consider alternatives 
that would accomplish our stated objectives, while minimizing any 
significant adverse impact on small entities. In connection with the 
proposed extension, we considered the following alternatives:
     Establishing different compliance or reporting 
requirements or timetables that take into account the resources 
available to small entities;
     Clarifying, consolidating or simplifying compliance and 
reporting requirements under the rules for small entities;
     Using performance rather than design standards; and
     Exempting small entities from all or part of the 
requirements.
    The proposed rule amendments should allow a company to conduct an 
evaluation of internal control with greater certainty that it has 
satisfied our rule. We believe the proposed rule change would affect 
both large and small entities equally. The proposed rule amendments set 
forth primarily performance standards to aid companies in conducting an 
evaluation of ICFR. The purpose of the proposed amendments is to give 
comfort that following the clarified, consolidated and simplified 
guidance will satisfy the evaluation requirement. The proposed rule is 
designed to afford small entities that choose to rely on the 
interpretive guidance the flexibility to scale and tailor their 
evaluation methods to fit their particular circumstances. We are not 
proposing an exemption for small entities, because we are not persuaded 
at this time that an exemption would further the primary goal of the 
Sarbanes-Oxley Act to enhance the quality of reporting and increasing 
investor confidence in the fairness and integrity of the securities 
markets.

H. Solicitation of Comments

    We encourage the submission of comments with respect to any aspect 
of this Initial Regulatory Flexibility Analysis. In particular, we 
request comments regarding:
     The number of small entity issuers that may be affected by 
the proposed extension;
     The existence or nature of the potential impact of the 
proposed amendments on small entity issuers discussed in the analysis; 
and
     How to quantify the impact of the proposed amendments.
    Respondents are asked to describe the nature of any impact and 
provide empirical data supporting the extent of the impact. Such 
comments will be considered in the preparation of the Final Regulatory 
Flexibility Analysis, if the proposed rule amendments are adopted, and 
will be placed in the same public file as comments on the proposed 
amendments themselves.

IX. Statutory Authority and Text of Proposed Rule Amendments

    The amendments described in this release are being proposed under 
the authority set forth in Sections 12, 13, 15, 23 of the Exchange Act, 
and Sections 3(a) and 404 of the Sarbanes-Oxley Act.

List of Subjects

17 CFR Part 210

    Accountants, Accounting, Reporting and recordkeeping requirements, 
Securities.

17 CFR Part 240

    Reporting and recordkeeping requirements, Securities.

17 CFR Part 241

    Securities.

Text of Amendments

    For the reasons set out in the preamble, the Commission proposes to 
amend title 17, chapter II, of the Code of Federal Regulations as 
follows:

PART 210--FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL 
STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 
1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT 
COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY 
POLICY AND CONSERVATION ACT OF 1975

    1. The authority citation for Part 210 is revised to read as 
follows:

    Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 
77aa(25), 77aa(26), 78c, 78j-1, 78l, 78m, 78n, 78o(d), 78q, 78u-5, 
78w(a), 78ll, 78mm, 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-
37(a), 80b-3, 80b-11, 7202 and 7262, unless otherwise noted.

    2. Amend Sec.  210.1-02 by revising paragraph (a)(2) to read as 
follows:


Sec.  210.1-02  Definition of terms used in Regulation S-X (17 CFR part 
210).

* * * * *
    (a)(1) * * *
    (2) Attestation report on management's assessment of internal

[[Page 77653]]

control over financial reporting. The term attestation report on 
management's assessment of internal control over financial reporting 
means a report in which a registered public accounting firm expresses 
an opinion, either unqualified or adverse, as to whether the registrant 
maintained, in all material respects, effective internal control over 
financial reporting (as defined in Sec.  240.13a-15(f) or 240-15d-
15(f)), except in the rare circumstance of a scope limitation that 
cannot be overcome by the registrant or the registered public 
accounting firm which would result in the accounting firm disclaiming 
an opinion.
* * * * *
    3. Amend Sec.  210.2-02 by revising paragraph (f) to read as 
follows:


Sec.  210.2-02  Accountants' reports and attestation reports.

* * * * *
    (f) Attestation report on management's assessment of internal 
control over financial reporting. Every registered public accounting 
firm that issues or prepares an accountant's report for a registrant, 
other than an investment company registered under section 8 of the 
Investment Company Act of 1940 (15 U.S.C. 80a-8), that is included in 
an annual report required by section 13(a) or 15(d) of the Securities 
Exchange Act of 1934 (15 U.S.C. 78a et seq.) containing an assessment 
by management of the effectiveness of the registrant's internal control 
over financial reporting must attest to, and report on, such 
assessment. The attestation report on management's assessment of 
internal control over financial reporting shall be dated, signed 
manually, identify the period covered by the report, indicate that the 
accountant has audited management's assessment, and clearly state the 
opinion of the accountant, either unqualified or adverse, as to whether 
the registrant maintained, in all material respects, effective internal 
control over financial reporting, except in the rare circumstance of a 
scope limitation that cannot be overcome by the registrant or the 
registered public accounting firm which would result in the accounting 
firm disclaiming an opinion. The attestation report on management's 
assessment of internal control over financial reporting may be separate 
from the accountant's report.
* * * * *

PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 
1934

    4. The authority citation for Part 240 continues to read as 
follows:

    Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 
78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78o, 78p, 78q, 78s, 78u-5, 
78w, 78x, 78ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 
80b-11, and 7201 et seq., and 18 U.S.C. 1350, unless otherwise 
noted.
* * * * *
    5. Amend Sec.  240.13a-15 by revising paragraph (c) to read as 
follows:


Sec.  240.13a-15  Controls and procedures.

* * * * *
    (c) The management of each such issuer, that either had been 
required to file an annual report pursuant to section 13(a) or 15(d) of 
the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or 
previously had filed an annual report with the Commission for the prior 
fiscal year, other than an investment company registered under section 
8 of the Investment Company Act of 1940, must evaluate, with the 
participation of the issuer's principal executive and principal 
financial officers, or persons performing similar functions, the 
effectiveness, as of the end of each fiscal year, of the issuer's 
internal control over financial reporting. The framework on which 
management's evaluation of the issuer's internal control over financial 
reporting is based must be a suitable, recognized control framework 
that is established by a body or group that has followed due-process 
procedures, including the broad distribution of the framework for 
public comment. Although there are many different ways to conduct an 
evaluation of the effectiveness of internal control over financial 
reporting to meet the requirements of this paragraph, an evaluation 
that is conducted in accordance with the interpretive guidance issued 
by the Commission in Release No. 34-XXXXX will satisfy the evaluation 
required by this paragraph.
* * * * *
    6. Amend Sec.  240.15d-15 by revising paragraph (c) to read as 
follows:


Sec.  240.15d-15  Controls and procedures.

* * * * *
    (c) The management of each such issuer, that either had been 
required to file an annual report pursuant to section 13(a) or 15(d) of 
the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or 
previously had filed an annual report with the Commission for the prior 
fiscal year, other than an investment company registered under section 
8 of the Investment Company Act of 1940, must evaluate, with the 
participation of the issuer's principal executive and principal 
financial officers, or persons performing similar functions, the 
effectiveness, as of the end of each fiscal year, of the issuer's 
internal control over financial reporting. The framework on which 
management's evaluation of the issuer's internal control over financial 
reporting is based must be a suitable, recognized control framework 
that is established by a body or group that has followed due-process 
procedures, including the broad distribution of the framework for 
public comment. Although there are many different ways to conduct an 
evaluation of the effectiveness of internal control over financial 
reporting to meet the requirements of this paragraph, an evaluation 
that is conducted in accordance with the interpretive guidance issued 
by the Commission in Release No. 34-XXXXX will satisfy the evaluation 
required by this paragraph.
* * * * *

PART 241--INTERPRETATIVE RELEASES RELATING TO THE SECURITIES 
EXCHANGE ACT OF 1934 AND GENERAL RULES AND REGULATIONS THEREUNDER

    7. Part 241 is amended by adding Release No. 34-XXXXX and the 
release date of December XX, 2006 to the list of interpretative 
releases.

    Dated: December 20, 2006.

    By the Commission.
Nancy M. Morris,
Secretary.
 [FR Doc. E6-22099 Filed 12-26-06; 8:45 am]
BILLING CODE 8011-01-P