[Federal Register Volume 72, Number 123 (Wednesday, June 27, 2007)]
[Rules and Regulations]
[Pages 35310-35322]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-12298]



Part II

Securities and Exchange Commission

17 CFR Parts 210, 228, 229 and 240

Amendments to Rules Regarding Management's Report on Internal Control 
Over Financial Reporting; Final Rule

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 210, 228, 229 and 240

[Release Nos. 33-8809; 34-55928; FR-76; File No. S7-24-06]
RIN 3235-AJ58


Amendments to Rules Regarding Management's Report on Internal 
Control Over Financial Reporting

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: We are adopting an amendment to our rules to clarify that an 
evaluation which complies with the Commission's interpretive guidance 
published in this issue of the Federal Register in Release No. 34-55929 
is one way to satisfy the requirement for management to evaluate the 
effectiveness of the issuer's internal control over financial 
reporting. We are also amending our rules to define the term material 
weakness and to revise the requirements regarding the auditor's 
attestation report on the effectiveness of internal control over 
financial reporting. The amendments are intended to facilitate more 
effective and efficient evaluations of internal control over financial 
reporting by management and auditors.

DATES: Effective Date: August 27, 2007, except the amendment to Sec.  
210.2-02T is effective from August 27, 2007 until June 30, 2009.

FOR FURTHER INFORMATION CONTACT: N. Sean Harrison, Special Counsel, 
Division of Corporation Finance, at (202) 551-3430, or Josh K. Jones, 
Professional Accounting Fellow, Office of the Chief Accountant, at 
(202) 551-5300, U.S. Securities and Exchange Commission, 100 F Street, 
NE., Washington, DC 20549-6628.

SUPPLEMENTARY INFORMATION: We are adopting amendments to Rules 
13a-15(c),\1\ 15d-15(c),\2\ and 12b-2\3\ under the Securities Exchange Act 
of 1934 (the ``Exchange Act''),\4\ Rules 1-02,\5\ 2-02 \6\ and 2-02T 
\7\ of Regulation S-X,\8\ and Item 308 of Regulations S-B and S-K.\9\
---------------------------------------------------------------------------

    \1\ 17 CFR 240.13a-15(c).
    \2\ 17 CFR 240.15d-15(c).
    \3\ 17 CFR 240.12b-2.
    \4\ 15 U.S.C. 78a et seq.
    \5\ 17 CFR 210.1-02.
    \6\ 17 CFR 210.2-02.
    \7\ 17 CFR 210.2-02T.
    \8\ 17 CFR 210.1-01 et seq.
    \9\ 17 CFR 228.308 and 229.308.
---------------------------------------------------------------------------

    In a companion release issued in today's Federal Register, we are 
issuing interpretive guidance to assist companies of all sizes in 
completing top-down, risk-based evaluations of internal control over 
financial reporting.\10\ In addition, we are issuing a release to 
request additional comment on the definition of the term ``significant 
deficiency.'' \11\
---------------------------------------------------------------------------

    \10\ Release No. 34-55929 (Jun. 20, 2007) (hereinafter 
``Interpretive Guidance'').
    \11\ Release No. 34-55930 (Jun. 20, 2007).
---------------------------------------------------------------------------

Table of Contents

I. Background
II. Discussion of Amendments
    A. Exchange Act Rules 13a-15(c) and 15d-15(c)
    1. Proposal
    2. Comments on the Proposal
    3. Final Rule
    B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of 
Regulations S-B and S-K
    1. Proposal
    2. Comments on the Proposal
    3. Final Rule
    C. Definition of Material Weakness
    1. Proposal
    2. Comments on the Proposal
    3. Final Rule
III. Transition Issues
IV. Background to Regulatory Analyses
V. Paperwork Reduction Act
VI. Cost-Benefit Analysis
VII. Effect on Efficiency, Competition and Capital Formation
VIII. Final Regulatory Flexibility Analysis
IX. Statutory Authority and Text of Rule Amendments

I. Background

    In implementing Section 404(a) of the Sarbanes-Oxley Act of 2002 
\12\ (``Sarbanes-Oxley''), the Commission adopted amendments to 
Exchange Act Rules 13a-15 and 15d-15 to require companies, other than 
registered investment companies, to include in their annual reports 
filed pursuant to Section 13(a) or 15(d) \13\ of the Exchange Act a 
report by management on the company's internal control over financial 
reporting (``ICFR'') and a registered public accounting firm's 
attestation report on ICFR. Rules 13a-15 and 15d-15 also require 
management of each company to evaluate the effectiveness, as of the end 
of each fiscal year, of the company's ICFR.\14\
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 7262.
    \13\ 15 U.S.C. 78m(a) or 78o(d).
    \14\ Release No. 33-8238 (June 5, 2003) [68 FR 36636] 
(hereinafter ``Adopting Release''). See Release No. 33-8392 (Feb. 
24, 2004) [69 FR 9722] for compliance dates applicable to 
accelerated filers. See Release No. 33-8760 (Dec. 15, 2006) [71 FR 
76580] for compliance dates applicable to non-accelerated filers.
---------------------------------------------------------------------------

    On December 20, 2006, the Commission issued a proposing release 
that contained interpretive guidance for management (``Proposed 
Interpretive Guidance'') regarding its required evaluation of ICFR and 
amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) to make it 
clear that an evaluation conducted in accordance with the Proposed 
Interpretive Guidance was one way to satisfy the annual management 
evaluation required by those rules. In addition, we proposed amendments 
to Rule 2-02(f) of Regulation S-X to require that the registered public 
accounting firm's attestation report on ICFR express a single opinion 
directly on the effectiveness of ICFR, and to clarify the circumstances 
in which we would expect that the accountant cannot express an opinion 
on ICFR. We also proposed amendments to Rule 1-02(a)(2) of Regulation 
S-X to revise the definition of attestation report to conform it to the 
proposed changes to Rule 2-02(f).\15\
---------------------------------------------------------------------------

    \15\ Release Nos. 33-8762; 34-54976 (Dec. 20, 2006) [71 FR 
77635] (hereinafter ``Proposing Release'').
---------------------------------------------------------------------------

    We received over 200 comment letters in response to our Proposing 
Release.\16\ These letters came from corporations, professional 
associations, large and small accounting firms, law firms, consultants, 
academics, investors and other interested parties. Of these, 
approximately 70 respondents commented on the proposed rule amendments. 
We have reviewed and considered all of the comments that we received on 
the proposed rule amendments. The adopted rules reflect changes made in 
response to many of these comments. We discuss our conclusions with 
respect to each proposed rule amendment and the related comments in 
more detail throughout this release.
---------------------------------------------------------------------------

    \16\ The comment letters are available for inspection in the 
Commission's Public Reference Room at 100 F Street, NE., Washington, 
DC 20549 in File No. S7-24-06, or may be viewed at http://www.sec.gov/comments/s7-24-06/s72406.shtml.
---------------------------------------------------------------------------

II. Discussion of Amendments

A. Exchange Act Rules 13a-15(c) and 15d-15(c)

1. Proposal
    Exchange Act Rules 13a-15(c) and 15d-15(c) require the management 
of each issuer subject to the Exchange Act reporting requirements, 
other than a registered investment company, to evaluate the 
effectiveness of the issuer's ICFR as of the end of each fiscal year. 
We proposed to amend these rules to state that, although there are many 
different ways to conduct an evaluation of the effectiveness of ICFR, 
an evaluation conducted in accordance with the Proposed Interpretive 
Guidance would satisfy the evaluation requirement in those rules.

2. Comments on the Proposal
    While many commenters supported the proposed amendments to Rules 
13a-15 and 15d-15,\17\ some expressed the view that although the 
guidance is appropriately principles-based, the nature of the 
requirements set forth in the Proposed Interpretive Guidance is not 
well-suited to the type of safe-harbor protection intended by the 
amendments.\18\ For instance, three commenters suggested that the 
Proposed Interpretive Guidance does not contain specific, objective 
criteria that a company's management could use to demonstrate that its 
evaluation complies with the requirements of the Proposed Interpretive 
Guidance.\19\ Consequently, two of these commenters went on to conclude 
that the amendments may eventually lead to the Interpretive Guidance 
being viewed as an exclusive evaluation approach. In light of these and 
similar concerns, one commenter suggested broadening the amended rule 
language to explicitly indicate that an evaluation provides a 
reasonable basis for management's ICFR assessment if it includes: (1) 
An identification of the risks that are reasonably likely to result in 
a material misstatement of the company's financial statements; (2) an 
evaluation of whether the company has placed controls in operation that 
are designed to address those risks; and (3) a risk-based process for 
gathering and evaluating evidence regarding the effective operation of 
those controls.\20\
---------------------------------------------------------------------------

    \17\ See, for example, letters from America's Community Bankers 
(ACB), BP p.l.c. (BP), Business Roundtable, Enbridge Inc., European 
Association of Listed Companies, Hudson Financial Solutions 
(Hudson), ING Group N.V. (ING), PPL Corporation (PPL), Silicon 
Valley Leadership Group (SVLG), The Hundred Group of Finance 
Directors (100 Group), and UnumProvident Corporation 
(UnumProvident).
    \18\ See, for example, letters from American Electronics 
Association (AeA), James J. Angel, Cleary Gottlieb Steen & Hamilton 
LLP (Cleary), Financial Reporting Committee of the Association of 
the Bar of the City of New York (NYC Bar), and U.S. Chamber of 
Commerce (Chamber).
    \19\ See, for example, letters from Cleary, NYC Bar, and Reznick 
Group, P.C.
    \20\ See letter from Cleary.
---------------------------------------------------------------------------

    One commenter opposed both the Proposed Interpretive Guidance and 
the proposed rule amendments and expressed the view that management 
will, as a result of the nature of the Proposed Interpretive Guidance, 
claim the protection afforded by the amendments for deficient 
evaluations.\21\ Another commenter expressed the view that the proposed 
rule amendments could result in a ``minimalist'' attitude towards the 
internal control evaluation on the part of management.\22\
---------------------------------------------------------------------------

    \21\ See joint letter from Consumer Federation of America, 
Consumer Action, and U.S. Public Interest Research Group.
    \22\ See letter from Tatum LLC.
---------------------------------------------------------------------------

3. Final Rule
    After consideration of the comments that we received, we have 
determined to adopt the amendments to Rules 13a-15(c) and 15d-15(c) as 
proposed. The amended rules state that there are many different ways to 
conduct an evaluation that will satisfy the evaluation requirement in 
the rules, and the Interpretive Guidance clearly states that compliance 
with the guidance is voluntary. Therefore, concerns that the amendments 
may cause confusion as to whether compliance with the Interpretive 
Guidance is mandatory or may result in an exclusive standard are 
unfounded. We understand that many companies already complying with the 
Section 404 requirements have established an ICFR evaluation process 
that may differ from the approach described in the Interpretive 
Guidance. There is no requirement for these companies to alter their 
procedures to align them with the Interpretive Guidance.
    We have decided not to broaden the amended rule language to include 
factors to consider in determining whether alternative methods satisfy 
the standard primarily because we think this type of ``broadening'' may 
actually limit the potential universe of acceptable evaluation methods. 
For example, while we believe the Interpretive Guidance's top-down, 
risk-based approach will result in both effective and efficient 
evaluations of the effectiveness of ICFR, management may choose to 
establish an alternative evaluation approach. An alternative approach 
may be deemed preferable if it complements a company's existing quality 
improvement processes or enterprise risk management methodologies and 
still provides management with a reasonable basis for its assessment of 
ICFR effectiveness. Therefore, we do not think it is appropriate or 
necessary to mandate the approach set forth in the Interpretive 
Guidance.
    Regarding the comments expressing concern that the principles-based 
nature of the Proposed Interpretive Guidance may not easily lend itself 
to the safe-harbor type provisions, we acknowledge that the amendments 
to Rules 13a-15 and 15d-15 are of a somewhat different nature from 
other safe-harbor provisions, which typically prescribe very specific 
conditions that must be met before a company or person may claim 
protection under the safe-harbor. Nonetheless, we believe establishing 
the Interpretive Guidance as one way to satisfactorily evaluate ICFR 
will serve the important purpose of communicating the objectives and 
requirements of the ICFR evaluation. Moreover, most commenters 
preferred that the guidance for conducting an evaluation of ICFR be 
issued on an interpretive basis rather than codified as a rule.\23\ 
Accordingly, a direct reference in the rules to the Interpretive 
Guidance will help ensure that companies are aware of the guidance.
    We are issuing the Interpretive Guidance, and taking a series of 
other steps, to improve and strengthen implementation of the ICFR 
requirements. Regardless of whether management uses the Interpretive 
Guidance, we remain committed to a strong implementation of the ICFR 
requirements and to ensuring that issuers perform a sufficient 
evaluation. As is currently the case, the sufficiency of an evaluation 
will be determined based on each issuer's particular facts and 
circumstances.

B. Rules 1-02 and 2-02 of Regulation S-X and Item 308 of Regulations 
S-B and S-K

1. Proposal
    Rule 2-02(f) of Regulation S-X requires the registered public 
accounting firm's attestation report on management's assessment of ICFR 
to clearly state the ``opinion of the accountant as to whether 
management's assessment of the effectiveness of the registrant's ICFR 
is fairly stated in all material respects.'' The term ``assessment'' as 
used in Rule 2-02(f) refers to management's disclosure of its 
conclusion about the effectiveness of the company's ICFR, not the 
efficacy of the process followed by management to arrive at its 
conclusion. To more effectively communicate the auditor's 
responsibility in relation to management's assessment, we proposed to 
revise Rule 2-02(f) to require the auditor to express an opinion 
directly on the effectiveness of ICFR. We believe this opinion 
necessarily conveys whether the disclosure of management's assessment 
is fairly stated. In addition, we proposed revisions to Rule 2-02(f) to 
clarify the rare circumstances in which the accountant would be unable 
to express an opinion.
---------------------------------------------------------------------------

    \23\ Approximately thirty-three commenters directly responded to 
the question about whether the guidance should be issued as an 
interpretation or codified as a Commission rule. Approximately 70% 
of such respondents indicated that the guidance should be issued as 
an interpretation.

---------------------------------------------------------------------------

    We also proposed conforming revisions to the definition of 
attestation report in Rule 1-02(a)(2) of Regulation S-X. The PCAOB 
proposed a conforming revision to its auditing standard to reflect this 
revision as well.\24\
---------------------------------------------------------------------------

    \24\ PCAOB Release No. 2006-007: Proposed Auditing Standard--An 
Audit of Internal Control Over Financial Reporting that is 
Integrated with an Audit of Financial Statements. See http://www.pcaobus.org/Rules/Docket_021/index.aspx (hereinafter ``Proposed 
Auditing Standard'').
---------------------------------------------------------------------------

2. Comments on the Proposal
    We received comments on the proposed revisions to Rules 1-02(a)(2) 
and 2-02(f) of Regulation S-X to require the expression of a single 
opinion directly on the effectiveness of ICFR by the auditor in the 
attestation report on ICFR. Those who commented on this proposed 
amendment were equally divided, with approximately one-half supporting 
the Commission's proposal to eliminate the auditor's opinion on 
management's assessment of the effectiveness of ICFR,\25\ and the other 
half expressing the view that, although the reduction to one opinion by 
the auditor was preferable, the opinion retained would limit 
improvements in the efficiency of the 404 process.\26\
---------------------------------------------------------------------------

    \25\ See, for example, letters from Banco Itaú Holding 
Financeira SA, BP, Cisco Systems, Inc. (Cisco), Computer Sciences 
Corporation (CSC), Eli Lilly and Company (Eli Lilly), Frank 
Consulting, PLLP, Grant Thornton LLP, Kimball International 
(Kimball), Lubrizol Corporation (Lubrizol), MetLife, Inc. (MetLife), 
NYC Bar, PPG Industries, Inc. (PPG), The Procter & Gamble Company 
(P&G), and RAM Energy Resources, Inc.
    \26\ See, for example, letters from 100 Group, Alamo Group, 
Association of Chartered Certified Accountants (ACCA), BHP Billiton 
Limited (BHP), European Federation of Accountants (FEE), The 
Financial Services Roundtable (FSR), Hess Corporation (Hess), 
Hutchinson Technology Inc. (Hutchinson), Institute of Internal 
Auditors (IIA), Institute of Management Accountants (IMA), Institut 
Der Wirtschaftsprüfer [Institute of Public Auditors in Germany] 
(IDW), Ian D. Lamdin (I. Lamdin), Matthew Leitch, Nasdaq Stock 
Market, Inc. (Nasdaq), National Venture Capital Association (NVCA), 
Nike, Inc. (Nike), Robert F. Richter (R. Richter), Rod Scott, 
Southern Company (Southern), and SVLG.
---------------------------------------------------------------------------

    Commenters who supported the Commission's proposal believe that an 
auditor's opinion directly on the effectiveness of a company's ICFR 
provides investors with a higher level of assurance than the opinion 
only on management's assessment. These commenters also suggested that 
an audit opinion directly on the effectiveness of ICFR was a clearer 
expression of the scope of the auditor's work. However, those who 
opposed the Commission's proposal argued that an audit opinion directly 
on the effectiveness of ICFR would require duplicative, unnecessary and 
excessive testing by auditors and would therefore lead to higher audit 
costs.\27\ These commenters suggested the auditor's work should be 
limited to evaluating management's assessment process and the testing 
performed by management and internal audit. They acknowledged that the 
auditor would need to test at least some controls directly in addition 
to evaluating and testing management's assessment process; however, 
they expected that the auditor's own testing could be significantly 
reduced from the scope required to render an opinion directly on the 
effectiveness of ICFR.\28\ Additionally, commenters were concerned that 
the proposed rule change was in direct conflict with Section 404(b) of 
Sarbanes-Oxley, which explicitly calls for the auditor to issue an 
attestation report on management's assessment of the effectiveness of 
ICFR.\29\
---------------------------------------------------------------------------

    \27\ See, for example, letters from 100 Group, ACCA, Hess, 
Nasdaq, Nike, and Southern.
    \28\ See, for example, letters from BHP and NVCA.
    \29\ See, for example, letters from FEE, FSR, Hutchinson, IDW, 
IIA, IMA, I. Lamdin, and R. Richter.
---------------------------------------------------------------------------

    In view of the proposal to require only one opinion by the auditor 
in its report on the effectiveness of a company's ICFR, commenters 
thought that continued references in Rules 1-02(a)(2) and 2-02(f) of 
Regulation S-X to an ``attestation report on management's assessment of 
internal control over financial reporting'' would be confusing.\30\ 
These commenters suggested that we eliminate these references and refer 
to the auditor's report only as an ``attestation report on internal 
control over financial reporting.''
---------------------------------------------------------------------------

    \30\ See, for example, letters from 100 Group, BDO Seidman LLP, 
Cleary, Financial Executives International Committee on Corporate 
Reporting (FEI CCR), Manulife Financial (Manulife), Microsoft 
Corporation (MSFT), Neenah Paper, Inc (Neenah), and NYC Bar.
---------------------------------------------------------------------------

3. Final Rule
    After consideration of the comments, we have decided to adopt the 
proposed amendments to Rules 1-02(a)(2) and 2-02(f) of Regulation S-X 
to require the expression of a single opinion directly on the 
effectiveness of ICFR by the auditor in its attestation report on ICFR 
because it more effectively communicates the auditor's responsibility 
in relation to management's process and necessarily conveys whether 
management's assessment is fairly stated. In view of this decision, we 
agree with commenters that Rules 1-02(a)(2) and 2-02(f) of Regulation 
S-X will be clearer if they refer to the auditor's report as an 
``attestation report on internal control over financial reporting'' 
rather than an ``attestation report on management's assessment of 
internal control over financial reporting.'' We, therefore, have made 
this change. We also have made conforming changes to Rule 2-02T of 
Regulation S-X and Item 308 of Regulations S-B and S-K.\31\
---------------------------------------------------------------------------

    \31\ Item 308 sets forth the ICFR disclosure that must be 
included in a company's annual and quarterly reports.
---------------------------------------------------------------------------

    Despite the fact that the revised rules no longer require the 
auditor to separately express an opinion concerning management's 
assessment of the effectiveness of the company's ICFR, auditors 
currently are required under Auditing Standard No. 2 (``AS No. 
2''),\32\ and would continue to be required under the Proposed Auditing 
Standard, to evaluate whether management has included in its annual 
ICFR assessment report all of the disclosures required by Item 308 of 
Regulations S-B and S-K. Both AS No. 2 and the Proposed Auditing 
Standard would require the auditor to modify its audit report on the 
effectiveness of ICFR if the auditor determines that management's 
assessment of ICFR is not fairly stated. Consequently, the revisions 
are fully consistent with, and will continue to achieve, the objectives 
of Section 404(b) of Sarbanes-Oxley.
---------------------------------------------------------------------------

    \32\ An Audit of Internal Control Over Financial Reporting 
Performed in Conjunction With an Audit of Financial Statements.
---------------------------------------------------------------------------

    In considering the concerns raised by commenters about the scope of 
auditor testing that is required to render an opinion directly on the 
effectiveness of ICFR, the Commission believes that an auditing process 
that is restricted to evaluating what management has done would not 
necessarily provide the auditor with a sufficient level of assurance to 
render an independent opinion as to whether management's assessment 
(that is, conclusion) about the effectiveness of ICFR is correct. 
Moreover, the PCAOB's auditing standards with respect to a company's 
ICFR derive from both Section 103(a)(2)(A)(iii) and Section 404(b) of 
Sarbanes-Oxley. Section 404(b) of Sarbanes-Oxley requires the auditor 
to ``attest to, and report on, the assessment made by the management of 
the issuer.'' Section 103(a)(2)(A)(iii) of Sarbanes-Oxley requires that 
each audit report describe the scope of the auditor's testing of the 
internal control structure and procedures and present, among other 
information: (1) The findings of the auditor from such testing; (2) an 
evaluation of whether such internal control structure and procedures 
provide reasonable assurance that transactions are recorded as 
necessary to permit preparation of financial statements in accordance with generally 
accepted accounting principles; and (3) a description of material 
weaknesses in such internal controls.\33\
---------------------------------------------------------------------------

    \33\ Section 103(a)(2)(A)(iii) states that ``each registered 
public accounting firm shall--describe in each audit report the 
scope of the auditor's testing of the internal control structure and 
procedures of the issuer, required by section 404(b), and present 
(in such report or in a separate report)--
    (I.) The findings of the auditor from such testing;
    (II.) An evaluation of whether such internal control structure 
and procedures--
    (aa) Include maintenance of records that in reasonable detail 
accurately and fairly reflect the transactions and dispositions of 
the assets of the issuer;
    (bb) Provide reasonable assurance that transactions are recorded 
as necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles, and that 
receipts and expenditures of the issuer are being made only in 
accordance with authorizations of management and directors of the 
issuer; and
    (III.) A description, at a minimum, of material weaknesses in 
such internal controls, and of any material noncompliance found on 
the basis of such testing.''
---------------------------------------------------------------------------

    The Commission believes that an audit opinion directly on the 
effectiveness of ICFR is consistent with both Section 404 and Section 
103 of Sarbanes-Oxley. Further, the Commission believes that the 
expression of a single opinion directly on the effectiveness of ICFR 
clarifies that an auditor is not responsible for issuing an opinion on 
management's process for evaluating ICFR.

C. Definition of Material Weakness

1. Proposal
    The Proposed Interpretive Guidance defined a material weakness as a 
deficiency, or combination of deficiencies, in ICFR such that there is 
a reasonable possibility that a material misstatement of the company's 
annual or interim financial statements will not be prevented or 
detected on a timely basis by the company's ICFR. Further, we indicated 
that the definition formulated in the proposal was intended to be 
consistent with its use in existing auditing literature and 
practice.\34\
---------------------------------------------------------------------------

    \34\ The PCAOB's Proposed Auditing Standard provided the 
following definition of material weakness: ``a control deficiency, 
or combination of control deficiencies, such that there is a 
reasonable possibility that a material misstatement of the company's 
annual or interim financial statements will not be prevented or 
detected.''
---------------------------------------------------------------------------

2. Comments on the Proposal
    Commenters expressed concern about differences between our proposed 
definition of material weakness and that proposed by the PCAOB in its 
Proposed Auditing Standard and requested that the two definitions be 
aligned.\35\ Commenters also suggested that a single definition of 
material weakness be established for use by both auditors and 
management. They further thought that we should codify the definition 
in our rules.\36\
---------------------------------------------------------------------------

    \35\ See, for example, letters from Edison Electric Institute 
(EEI), FEI CCR, Financial Executives International Small Public 
Company Task Force (FEI SPCTF), The Institute of Chartered 
Accountants in England and Wales (ICAEW), Nina Stofberg, and SVLG.
    \36\ See, for example, letters from FEE and ICAEW.
---------------------------------------------------------------------------

    In addition, commenters pointed out that while the Proposed 
Interpretive Guidance referred to significant deficiencies, the 
Commission did not include a definition of significant deficiency 
within the Proposed Interpretive Guidance.\37\ Despite the fact that 
the Proposed Interpretive Guidance did not include a definition of 
significant deficiency, commenters on this topic provided feedback 
about both the Commission's proposed definition of material weakness 
and the definition of significant deficiency as proposed by the 
PCAOB.\38\ Certain commenters indicated that the Commission should 
include a definition of significant deficiency in the Interpretive 
Guidance.\39\
---------------------------------------------------------------------------

    \37\ See, for example, letters from Cardinal Health, Inc. 
(Cardinal), EEI, and Protiviti.
    \38\ The PCAOB's Proposed Auditing Standard provided the 
following definition of significant deficiency: ``a control 
deficiency, or combination of control deficiencies, such that there 
is a reasonable possibility that a significant misstatement of the 
company's annual or interim financial statements will not be 
prevented or detected.'' A significant misstatement was defined as 
``a misstatement that is less than material yet important enough to 
merit attention by those responsible for oversight of the company's 
financial reporting.''
    \39\ See, for example, letters from Cardinal and Protiviti.
---------------------------------------------------------------------------

    Commenters also provided feedback on the probability language in 
the definition of material weakness. Commenters expressing support for 
the ``reasonable possibility'' standard in the proposed definition \40\ 
noted that this language improves the clarity of the existing 
definition and will reduce time spent evaluating deficiencies.\41\ In 
contrast, other commenters felt that the probability standard should be 
changed.\42\ These commenters noted that the meaning of ``reasonably 
possible'' was the same as ``more than remote'' and therefore would not 
reduce the effort devoted to identifying and analyzing deficiencies. 
Two of these commenters suggested the Commission use a ``reasonable 
likelihood'' standard,\43\ and another suggested the Commission change 
to a ``greater than fifty-percent'' standard.\44\ Commenters also 
requested additional guidance about how the concept of ``materiality'' 
impacted the definition.\45\
---------------------------------------------------------------------------

    \40\ See, for example, letters from Cisco, FEI CCR, Hudson, 
MetLife, MSFT, and P&G.
    \41\ See, for example, letters from Cisco, Committee on Capital 
Markets Regulation (CCMR), FEI SPCTF, Hudson, MetLife, MSFT, Nike, 
P&G, and TechNet.
    \42\ See, for example, letters from the American Bar 
Association's Committees on Federal Regulation of Securities and Law 
and Accounting of the Section of Business Law (ABA), ACCA, Cardinal 
Health, Inc., Chamber, CSC, IIA, Kimball, and NYC Bar.
    \43\ See letters from NYC Bar and Cleary.
    \44\ See letter from ABA.
    \45\ See, for example, letters from ABA, CCMR, CSC, Independent 
Community Bankers of America, ISACA and IT Governance Institute, 
P&G, and Rockwood Holdings, Inc.
---------------------------------------------------------------------------

    Most of the commenters who addressed the reference to interim 
financial statements in the definition of material weakness indicated 
that the word ``interim'' should be removed from the definition,\46\ 
with only one commenter expressing the view that the reference to 
interim financial statements should remain in the definition.\47\ Some 
commenters who suggested removal of ``interim'' expressed the view that 
because Section 404 of Sarbanes-Oxley mandates an annual assessment of 
ICFR, the deficiency evaluation should also be based on the impact to 
the annual financial statements. Others stated that the removal of 
``interim'' would allow management and auditors to better focus on the 
annual financial statements when evaluating the materiality of control 
deficiencies.
---------------------------------------------------------------------------

    \46\ See, for example, letters from ABA, Cisco, Deloitte & 
Touche LLP, EEI, Eli Lilly, FEI CCR, FEI SPCTF, Ford Motor Company, 
MSFT, P&G, and PPL.
    \47\ See letter from MetLife.
---------------------------------------------------------------------------

3. Final Rule
    After consideration of the comments received, we have determined 
that it is appropriate for the Commission's rules to include the 
definition of material weakness since it is an integral term associated 
with Sarbanes-Oxley and the Commission's implementing rules. 
Management's disclosure requirements with respect to ICFR are 
predicated upon the existence of a material weakness; therefore, we 
agree with the commenters' suggestion that our rules should define this 
term, rather than refer to auditing literature. As a result, we are 
amending Exchange Act Rule 12b-2 and Rule 1-02 of Regulation S-X to 
define the term material weakness.
    We have decided to adopt the material weakness definition 
substantially as proposed. The Commission has determined that the 
proposed material weakness definition appropriately describes those 
conditions in ICFR that, if they exist, should be disclosed to 
investors and should preclude a conclusion that ICFR is effective. 
Therefore, our final rules define a material weakness as a

[[Page 35314]]

deficiency, or a combination of deficiencies, in ICFR such that there 
is a reasonable possibility that a material misstatement of the 
registrant's annual or interim financial statements will not be 
prevented or detected on a timely basis.\48\ We anticipate that the 
PCAOB's auditing standards will also include this definition of 
material weakness.
---------------------------------------------------------------------------

    \48\ Exchange Act Rule 12b-2 and Rule 1-02(p) of Regulation S-X.
---------------------------------------------------------------------------

    After consideration of the proposed alternatives to the 
``reasonable possibility'' standard in the proposed definition of 
material weakness, we decided not to change the proposed standard. 
Revisions that have the effect of increasing the likelihood (that is, 
risk) of a material misstatement in a company's financial reports that 
can exist before being disclosed could give rise to questions about the 
meaning of a disclosure that ICFR is effective and whether the 
threshold for ``reasonable assurance'' is being lowered. Moreover, we 
do not believe improvements in efficiency arising from revisions to the 
likelihood element would be significant to the overall ICFR evaluation 
effort, due, in part, to our view that the effort evaluating 
deficiencies would be similar under the alternative standards (for 
example, ``reasonable possibility'' as compared to ``reasonable 
likelihood''). Lastly, we do not believe the volume of material 
weakness disclosures, which has declined each year since the initial 
implementation of Section 404 of Sarbanes-Oxley, is too high such that 
investors would benefit from a reduction in disclosures that would 
result from a higher likelihood threshold.
    Regarding the reference to interim financial statements in the 
definition of material weakness, while we believe annual materiality 
considerations are appropriate when making judgments about the nature 
and extent of evaluation procedures, we believe that the judgments 
about whether a control is adequately designed or operating effectively 
should consider the requirement to provide investors reliable annual 
and quarterly financial reports. Moreover, if management's annual 
evaluation identifies a deficiency that poses a reasonable possibility 
of a material misstatement in the company's quarterly reports, we 
believe management should disclose the deficiency to investors and not 
assess ICFR as effective. As such, we have not removed the reference to 
interim financial statements from the definition of material weakness.
    In response to the comments regarding the need for the Commission 
to define the term ``significant deficiency,'' we are seeking 
additional comment on a definition of that term as part of a separate 
release issued in the Federal Register.

III. Transition Issues

    Although the amendments to Rules 1-02 and 2-02 of Regulation S-X 
will no longer require the auditor to separately express an opinion 
concerning management's assessment of the effectiveness of the 
company's ICFR, audits conducted under AS No. 2 will continue to result 
in a separate opinion on management's assessment until the PCAOB's 
expected new auditing standard replacing AS No. 2 becomes effective and 
is required for all audits. Until such time, companies may file 
whichever report they receive from their independent auditor (that is, 
either one that contains both opinions under AS No. 2 or the single 
opinion under the expected new auditing standard).

IV. Background to Regulatory Analyses

    Congress enacted the Sarbanes-Oxley Act in July 2002. Section 404 
of the Act directed the Commission to prescribe rules requiring each 
issuer required to file an annual report under Section 13(a) or 15(d) 
of the Exchange Act \49\ to prepare an internal control report. The 
only Exchange Act reporting companies that Congress exempted from the 
Section 404 requirements were investment companies registered under 
Section 8 of the Investment Company Act.\50\
---------------------------------------------------------------------------

    \49\ 15 U.S.C. 78m or 78o(d).
    \50\ 15 U.S.C. 80a-8.
---------------------------------------------------------------------------

    To fulfill its statutory mandate, the Commission adopted rules in 
June 2003 to require all Exchange Act reporting companies other than 
registered investment companies, regardless of their size, to include 
in their annual reports a report of management, and an accompanying 
auditor's report, on the effectiveness of the company's internal 
control over financial reporting (``ICFR'').\51\
---------------------------------------------------------------------------

    \51\ Release No. 33-8238 (June 5, 2003) (68 FR 36636).
---------------------------------------------------------------------------

    Although the Commission adopted rules in 2003 creating the 
obligation for all reporting companies to include ICFR reports in their 
annual reports, it provided a lengthy compliance period for non-
accelerated filers, which are smaller public companies with a public 
float below $75 million.\52\ Under the compliance dates that the 
Commission originally established, non-accelerated filers would not 
have become subject to the ICFR requirements until they filed an annual 
report for a fiscal year ending on or after April 15, 2005. In 
contrast, accelerated filers and large accelerated filers--companies 
with a public float of $75 million or more--became subject to the 
Section 404 requirements with respect to annual reports that they filed 
for fiscal years ending on or after November 15, 2004.
---------------------------------------------------------------------------

    \52\ Although the term ``non-accelerated filer'' is not defined 
in Commission rules, we use it to refer to an Exchange Act reporting 
company that does not meet the Exchange Act Rule 12b-2 definition of 
either an ``accelerated filer'' or a ``large accelerated filer.''
---------------------------------------------------------------------------

    The Commission provided this lengthy compliance period for non-
accelerated filers in light of the substantial time and resources 
needed by accelerated filers to properly implement the rules. In 
addition, it believed that a corresponding benefit to investors would 
result from an extended transition period that allowed companies to 
carefully implement the new requirements. After each of the first two 
years accelerated filers implemented the Section 404 requirements, the 
Commission held a roundtable discussion, and solicited comment on 
issues that arose during implementation.\53\
---------------------------------------------------------------------------

    \53\ As a result of which, the Commission and its staff issued 
guidance to assist companies in implementing these requirements.
---------------------------------------------------------------------------

    Since the initial extension period, the Commission has further 
extended the compliance dates for non-accelerated filers. The 
Commission adopted the most recent compliance date extension for non-
accelerated filers in December 2006.\54\ This extension was based, in 
part, on a recommendation from the Commission's Advisory Committee on 
Smaller Public Companies (``Advisory Committee''). In its Final Report, 
issued on April 23, 2006, the Advisory Committee raised a number of 
concerns regarding the ability of smaller companies to comply cost-
effectively with the requirements of Section 404. The Advisory 
Committee identified as an overarching concern the difference in how 
smaller and larger public companies operate.
---------------------------------------------------------------------------

    \54\ Release No. 33-8760 (Dec. 15, 2006) (71 FR 77635).
---------------------------------------------------------------------------

    It focused in particular on three characteristics: (1) The limited 
number of personnel in smaller companies, which constrains the 
companies' ability to segregate conflicting duties; (2) top 
management's wider span of control and more direct channels of 
communication, which increase the risk of management override; and (3) 
the dynamic and evolving nature of smaller companies, which limits 
their ability to have static processes that are well-documented.\55\
---------------------------------------------------------------------------

    \55\ Final Report of the Advisory Committee on Smaller Public 
Companies to the United States Securities and Exchange Commission 
(Apr. 23, 2006) (``Advisory Committee Report'') available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf.

---------------------------------------------------------------------------

[[Page 35315]]

    The Advisory Committee suggested that these characteristics create 
unique differences in how smaller companies achieve effective ICFR that 
may not be adequately accommodated in Auditing Standard No. 2 or other 
implementation guidance as currently applied in practice. In addition, 
the Advisory Committee noted serious ramifications for smaller public 
companies stemming from the cost of frequent documentation changes and 
sustained review and testing of controls perceived to be necessary to 
comply with the Section 404 requirements.
    The Commission also granted the December 2006 extension in view of 
a series of actions that the Commission and the PCAOB each announced on 
May 17, 2006 that they intended to take to improve the implementation 
of the Section 404 requirements. These actions included:
     Issuance of a Concept Release soliciting comment on a 
variety of issues that might be included in future Commission guidance 
for management to assist in its performance of a top-down, risk-based 
assessment of ICFR;
     Consideration of additional guidance from COSO on 
understanding and applying the COSO framework; \56\
---------------------------------------------------------------------------

    \56\ On July 11, 2006, COSO issued guidance entitled ``Internal 
Control Over Financial Reporting--Guidance for Smaller Public 
Companies'' that was designed primarily to help management of 
smaller public companies with establishing and maintaining effective 
ICFR.
---------------------------------------------------------------------------

     Revisions to Auditing Standard No. 2;
     Reinforcement of auditor efficiency through PCAOB 
inspections and Commission oversight of the PCAOB's audit firm 
inspection program;
     Development, or facilitation of development, of 
implementation guidance for auditors of smaller public companies; and
     Continuation of PCAOB forums on auditing in the small 
business environment.
    Pursuant to the most recent extension of the compliance dates, non-
accelerated filers are scheduled to begin including a management report 
on ICFR in their annual reports filed for a fiscal year ending on or 
after December 15, 2007, and an auditor's report on ICFR for a fiscal 
year ending on or after December 15, 2008. It was our intention that 
non-accelerated filers would be able to complete their assessment of 
internal control without engaging an independent auditor during the 
first year. In addition, to eliminate second-guessing of management 
that might result from separating the management and auditor reports, 
the rules provide that the management report included in a non-
accelerated filer's annual report during the first year of compliance 
is deemed to be ``furnished'' rather than ``filed.'' \57\
    The December 2006 extension of the management report requirement 
was intended to provide the non-accelerated filers with the benefit of 
both the Commission's management guidance and the COSO guidance for 
smaller companies before planning and conducting their initial ICFR 
assessments. The extension of the auditor report requirement was 
intended to:
     Afford non-accelerated filers and their auditors the 
benefit of anticipated changes to the PCAOB's Auditing Standard No. 2, 
and any implementation guidance issued by the PCAOB for auditors of 
non-accelerated filers;
     Save non-accelerated filers the costs of the auditor 
attestation to, and report on, management's initial assessment of ICFR;
     Enable management of non-accelerated filers to more 
gradually prepare for full compliance with the Section 404 requirements 
and to gain some efficiencies in the process of reviewing and 
evaluating the effectiveness of ICFR before becoming subject to the 
requirement that the auditor report on ICFR (and to permit investors to 
see and evaluate the results of management's first compliance efforts); 
and
     Provide the Commission with the flexibility to consider 
any comments it received on the Concept Release and the proposed 
guidance for management in response to questions related to the 
appropriate role of the auditor in evaluating management's internal 
control assessment process.
    On July 11, 2006, we issued a Concept Release to seek public 
comment on the issues to be addressed in our guidance for management on 
how to assess ICFR.\58\ The Commission received approximately 167 
comment letters in response to the Concept Release, a majority of which 
supported additional Commission guidance to management that is 
applicable to companies of all sizes and complexities. The Commission 
considered the feedback received in those comment letters in drafting 
its Interpretive Guidance.
    In conjunction with issuance of the Interpretive Guidance, in this 
release we are adopting amendments to the existing requirements of 
Exchange Act Rules 13a-15(c) and 15d-15(c) that management of each 
company subject to the Exchange Act periodic reporting requirements 
evaluate, as of the end of each fiscal year, the effectiveness of the 
company's ICFR. The amendments state that an evaluation that complies 
with the Interpretive Guidance will satisfy the annual evaluation 
requirement in Rules 13a-15(c) and 15d-15(c).
    We are also adopting amendments to Rules 1-02 and 2-02 of 
Regulation S-X, and Item 308 of Regulations S-B and S-K, to state that 
the company's auditor must express only one opinion on a company's 
ICFR. This is a direct opinion by the auditor on the effectiveness of 
the company's ICFR. Prior to the amendments, auditors expressed two 
separate opinions: one on the effectiveness of a company's ICFR and 
another on management's assessment of the effectiveness of the 
company's ICFR. Finally, we are adopting an amendment to Exchange Act 
Rule 12b-2, and a corresponding amendment to Rule 1-02 of Regulation S-
X, to define the term material weakness.

V. Paperwork Reduction Act

    Certain provisions of our ICFR requirements contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA''). We submitted these collections of 
information to the Office of Management and Budget (``OMB'') for review 
in accordance with the PRA and received approval for the collections of 
information. We do not believe the rule amendments in this release will 
impose any new recordkeeping or information collection requirements, or 
other collections of information requiring OMB's approval.
---------------------------------------------------------------------------

    \57\ Management's report is not deemed to be filed for purposes 
of Section 18 of the Exchange Act [15 U.S.C. 78r] or otherwise 
subject to the liabilities of that section, unless the issuer 
specifically states that the report is to be considered ``filed'' 
under the Exchange Act or incorporates it by reference into a filing 
under the Securities Act or the Exchange Act.
    \58\ Release No. 34-54122 (July 11, 2006).
---------------------------------------------------------------------------

VI. Cost-Benefit Analysis

    The rule amendments and the Interpretive Guidance that we are 
adopting are intended to facilitate more effective and efficient 
evaluations of ICFR by management and auditors. Rules 13a-15 and 15d-
15, as initially adopted, and as amended, do not mandate any specific 
method for management to follow in performing an evaluation of ICFR. 
Instead, the rules recognize that the methods of conducting evaluations 
of ICFR will, and should, vary from company to company. Commenters have 
asserted that the lack of specific direction in

[[Page 35316]]

either Section 404 of the Sarbanes-Oxley Act or the implementing rules 
on how management should conduct an evaluation of ICFR may have 
resulted in the auditing standards becoming the de facto standard for 
management's evaluation in many cases, which likely contributed to 
excessive documentation and testing of internal controls by management 
in initial compliance efforts.
    The benefits and costs to investors of the rule amendments and 
Interpretive Guidance are directly related to the extent to which 
issuers choose to rely on the Interpretive Guidance. In part, this is 
because compliance is voluntary. In addition, companies already subject 
to the reporting requirement have gained some efficiencies in the 
evaluation process,\59\ and other sources have provided guidance on how 
to conduct an ICFR evaluation.\60\ The very purpose of the rule 
amendments and the Interpretive Guidance is to ease the compliance 
burden created by Section 404 of the Sarbanes-Oxley Act. Because of 
this, and because the use of Interpretive Guidance is voluntary, it is 
unlikely that it could result in additional incremental cost to 
issuers. Issuers that choose to use Interpretive Guidance will likely 
do so because it reduces their overall compliance burden.

A. Benefits

    Our issuance of specific Interpretive Guidance for management on 
how to conduct an ICFR evaluation should significantly lessen the 
pressures on management to look to the auditing standards for guidance 
as to how to conduct its evaluation.\61\ To the extent that these 
pressures have led to excessive testing and documentation in the past, 
the Interpretive Guidance and rule amendments should lead management to 
avoid excessive costs and aid them in determining the level of effort 
necessary to evaluate a company's ICFR.
    The extent of the benefits of the rule amendments depends on a 
company's experience conducting an ICFR evaluation. As explained in the 
release setting forth the Interpretive Guidance, the effort necessary 
to conduct an initial evaluation of ICFR will vary depending on 
management's existing financial reporting risk assessment and control 
monitoring activities. After the first year of compliance, management's 
effort to identify financial reporting risks and controls should 
ordinarily be less because subsequent evaluations should be more 
focused on changes in risks and controls rather than identification of 
all financial reporting risks and the related controls. Further, in 
each subsequent year, the documentation of risks and controls will only 
need to be updated from the prior year or years, not recreated anew.
    Through the risk and control identification process, management 
will have identified for testing only those controls that are needed to 
meet the objective of ICFR (that is, to provide reasonable assurance 
regarding the reliability of financial reporting) and for which 
evidence about their operation can be obtained most efficiently. The 
nature and extent of procedures implemented to evaluate whether those 
controls continue to operate effectively can be tailored to the 
company's unique circumstances, thereby avoiding unnecessary compliance 
costs.
    In addressing a number of the commonly identified areas of 
concern, the Interpretive Guidance:
     Explains how to vary approaches for gathering evidence to 
support the evaluation based on risk assessments;
     Explains the use of ``daily interaction,'' self-
assessment, and other on-going monitoring activities as evidence in the 
evaluation;
     Explains the purpose of documentation and how management 
has flexibility in approaches to documenting support for its 
assessment;
     Provides management significant flexibility in making 
judgments regarding what constitutes adequate evidence in low-risk 
areas; and
     Allows for management and the auditor to have different 
testing approaches.
    The Interpretive Guidance is organized around two broad principles. 
The first principle is that management should evaluate whether it has 
implemented controls that adequately address the risk that a material 
misstatement of the financial statements would not be prevented or 
detected in a timely manner. The guidance describes a top-down, risk-
based approach to this principle, including the role of entity-level 
controls in assessing financial reporting risks and the adequacy of 
controls. The guidance promotes efficiency by allowing management to 
focus on those controls that are needed to adequately address the risk 
of a material misstatement in its financial statements.
---------------------------------------------------------------------------

    \59\ Commenters on the Concept Release Concerning Management's 
Reports on Internal Control Over Financial Reporting, Release No. 
34-54122 (Jul. 11, 2006) [71 FR 40866], available at http://www.sec.gov/rules/concept/2006/34-54122.pdf, expressed similar 
views. See, for example, letters from the American Institute of 
Certified Public Accountants, Crowe Chizek and Company LLC, and 
Kreischer Miller, all available at http://www.sec.gov/comments/s7-11-06/s71106.shtml.
    \60\ See, for example, The Institute of Internal Auditors' 
Sarbanes-Oxley Section 404: A Guide for Management by Internal 
Control Practitioners, May 2006.
    \61\ We are taking this action in conjunction with the PCAOB's 
elimination of the auditor's requirement to evaluate the efficacy of 
management's evaluation process.
---------------------------------------------------------------------------

    The second principle is that management's evaluation of evidence 
about the operation of its controls should be based on its assessment 
of risk. The guidance provides an approach for making risk-based 
judgments about the evidence needed for the evaluation. This allows 
management to align the nature and extent of its evaluation procedures 
with those areas of financial reporting that pose the highest risks to 
reliable financial reporting (that is, whether the financial statements 
are materially accurate). As a result, management may be able to use 
more efficient approaches to gathering evidence, such as self-
assessments in low-risk areas, and perform more extensive testing in 
high-risk areas. By following these two principles, companies of all 
sizes and complexities will be able to implement the rules effectively 
and efficiently.
    The Interpretive Guidance reiterates the Commission's position that 
management should bring its own experience and informed judgment to 
bear in order to design an evaluation process that meets the needs of 
its company and that provides a reasonable basis for its annual 
assessment of whether ICFR is effective. This allows management 
sufficient and appropriate flexibility to design such an evaluation 
process. Smaller public companies, which generally have less complex 
internal control systems than larger public companies, can scale and 
tailor their evaluation methods and procedures to fit their own facts 
and circumstances.\62\ Applying the Interpretive Guidance may thus 
assist management of these companies in scaling and tailoring its 
evaluation methods and procedures to fit their own unique facts and 
circumstances in ways that may not be appropriate for larger companies 
with more complex internal control systems. Through the rule 
amendments, smaller companies can take advantage of the flexibility and 
scalability in Interpretive Guidance to conduct an evaluation of ICFR 
that is both efficient and effective at identifying material 
weaknesses.
---------------------------------------------------------------------------

    \62\ Advisory Committee Report at pp. 39-40.
---------------------------------------------------------------------------

    By applying the principles set forth in the Interpretive Guidance, 
companies of all sizes and complexities will be able to comply with the 
rules more

[[Page 35317]]

effectively and efficiently. The total benefit to investors of the 
Interpretive Guidance and rule amendments depends on the number of 
companies that implement these principles and the extent to which their 
practices under these principles depart from the principles and 
practices that they would otherwise follow.
    Given that non-accelerated filers have not yet been required to 
conduct an evaluation of ICFR, their use of Interpretive Guidance in 
their first year of conducting an ICFR evaluation may enable them to 
avoid some of the initial compliance costs and efforts that were 
incurred by larger public companies during their early years of 
compliance with Section 404's requirements. In this respect, investors 
in non-accelerated filers may benefit more from the amended rules and 
Interpretive Guidance than investors in larger public companies that 
already have been required to conduct an evaluation.
    The amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) 
provide for a non-exclusive safe-harbor in that they do not require 
management to follow the Interpretive Guidance, but still provide 
assurance to management regarding its compliance obligations. Some of 
the commenters on the Proposal questioned the benefits of these rule 
amendments. As noted earlier in this release, three commenters 
suggested that the Interpretive Guidance does not contain specific, 
objective criteria that a company's management could use to demonstrate 
that its evaluation complies with the requirements of the Interpretive 
Guidance.\63\ The Office of Advocacy of the Small Business 
Administration also stated in its comment letter that some of the 
participants in a roundtable it hosted on the Section 404 requirements 
asked for more details as to how the safe harbor protection could be 
claimed and what type of liability protection it would afford.
---------------------------------------------------------------------------

    \63\ See, for example, letters from Cleary, NYC Bar, and Reznick 
Group, P.C.
---------------------------------------------------------------------------

    The rule amendments are intended to provide those choosing to 
follow the Interpretive Guidance with greater clarity and transparency 
about their obligations relative to Section 404. For example, the 
amendments to Exchange Act Rules 13a-15(c) and 15d-15(c) add a specific 
reference to the Interpretive Guidance in the rules and thereby make 
the guidance more visible and accessible to the managers of companies 
subject to the ICFR evaluation requirement. When a company's management 
relies on the Interpretive Guidance to conduct its evaluation, the 
company does not have to take any special action to ``claim'' the 
assurance provided by the rule amendments. In addition, the 
transparency of the guidance may benefit investors by reducing costly 
second-guessing about the sufficiency of management's evaluation raised 
by any party, including the company's independent auditor. The 
Interpretive Guidance is specific enough to enable a company to 
demonstrate that its management followed the principles set forth in 
the Interpretive Guidance in conducting its ICFR evaluation to gain the 
assurance afforded by these rule amendments.
    The rule amendments encourage the use of the Interpretive Guidance 
because it advises management to focus on the controls that address the 
highest risk of material misstatement. This will benefit investors by 
reducing the amount of testing and documentation conducted by 
management and thus reducing the cost of compliance.\64\ The rule 
amendments can remove obstacles by giving management clearer 
information about its obligations and by reducing undue pressures from 
auditors.
---------------------------------------------------------------------------

    \64\ Commenters expressed similar views. See, for example, 
letters from BHP, Employees' Retirement System of Rhode Island, 
Financial Services Forum, KPMG LLP, McGladrey & Pullen LLP, MSFT, 
and State Street Corporation.
---------------------------------------------------------------------------

    The Commission did not receive any comments on the dollar magnitude 
of the likely reduction in compliance costs from the rule amendments in 
connection with the Proposal. However, the Commission did receive 
historical estimates of total Section 404 compliance costs from the 
early years of adoption. These estimates were obtained from surveys of 
companies with a public float above $75 million in connection with our 
May 2006 Roundtable on Internal Control Reporting and Auditing 
Provisions. These historical estimates of the early compliance costs 
incurred by the relatively larger companies ranged from $860,000 to 
$5.4 million per company, depending on the survey.\65\ The management 
cost that is the focus of the rule amendments appears to account for 
the majority of this estimate. One commenter indicated in its comment 
letter on the Proposal that it is especially important to reduce 
management costs, as these costs are the most significant costs 
associated with the Section 404 requirements, and can account for 70-
75% of the total compliance costs.\66\ Thus, even if the percentage 
decline in compliance cost under the rule amendment is small, companies 
and their investors could experience a substantial dollar benefit in 
terms of lower costs of compliance.
---------------------------------------------------------------------------

    \65\ See, for example, Financial Executives International Survey 
on Sarbanes-Oxley Section 404 Implementation (March, 2006) and CRA 
International Sarbanes-Oxley Section 404 Costs and Implementation 
Issues: Spring 2006 Survey Update.
    \66\ See letter from The Committee on Capital Markets 
Regulation.
---------------------------------------------------------------------------

    Commenters expressed the view that the rule amendments and 
Interpretive Guidance will result in more efficient and effective 
evaluations of internal control relative to what would otherwise occur. 
In commenting on the amendments, one commenter provided a quantitative 
estimate of the expected reduction in compliance costs. This commenter 
estimated that implementation of the Proposed Interpretive Guidance 
could result in a reduction in company compliance costs of 
approximately 10% in the first year of implementation (net of first 
year costs of implementation of the Interpretive Guidance). The 
commenter further estimated that implementation could result in an 
additional 15-20% cost reduction over costs incurred in the initial 
compliance year based on its own experience in conducting an evaluation 
of internal control and its assessment of the potential efficiencies to 
be gained from the Interpretive Guidance.\67\ The available qualitative 
and quantitative evidence is consistent with our view that issuers will 
implement the Interpretive Guidance to the benefit of investors.\68\
---------------------------------------------------------------------------

    \67\ See letter from CSC.
    \68\ Commenters, however, requested that we conduct an analysis 
of the costs and benefits of the amendments after implementation and 
assess whether the amendments and the Interpretive Guidance result 
in cost reductions. See, for example, letters from Biotechnology 
Industry Organization (BIO) and NVCA. We are sensitive to the costs 
and benefits of our Section 404 rules, and we intend to monitor the 
impact of the rule amendments and Interpretive Guidance.
---------------------------------------------------------------------------

    We anticipate that the amendments to Exchange Act Rule 12b-2 and 
Rule 1-02 of Regulation S-X to define the term ``material weakness'' 
will benefit companies and investors. Companies will now be able to 
refer to the definition in the Commission rules requiring management to 
conduct an ICFR evaluation, rather than having to refer to the 
definition in the audit standard. We believe that the definition 
appropriately describes the ICFR conditions that, if they exist, should 
be disclosed to investors and preclude a conclusion that ICFR is 
effective.
    Commenters suggested that the rule amendments and Proposed 
Interpretive Guidance will not significantly reduce costs as long as 
there are significant differences between our management guidance and 
the Proposed Auditing

[[Page 35318]]

Standard.\69\ To address these comments and enhance the benefit of the 
rule amendments, we coordinated with the PCAOB to align our 
Interpretive Guidance and the PCAOB's new auditing standard.
---------------------------------------------------------------------------

    \69\ See, for example, letters from Allstate Corporation, 
Hudson, ICAEW, Minn-Dak Farmers Cooperative, Nasdaq, Supervalu Inc., 
and UnumProvident.
---------------------------------------------------------------------------

B. Costs

    As stated above, the obligation for all companies, regardless of 
size, to comply with the ICFR requirements was established in 2002 when 
Congress directed the Commission to adopt rules to implement Section 
404. The rule amendments and Interpretive Guidance are designed to 
reduce the burden of compliance with those requirements. The rule 
amendments and Interpretive Guidance do not impose any new compliance 
obligations on any reporting company. Because compliance with the 
Interpretive Guidance is voluntary, it is likely that companies and 
their management will choose to comply with the guidance only if they 
determine that the benefits exceed the costs.
    Companies that have already completed one or more evaluations may 
choose to continue to use their existing procedures if they are 
satisfied with the effectiveness and efficiency of those procedures. 
Alternatively, a company that already has been complying with the ICFR 
requirements could choose to follow the Interpretive Guidance and to 
make adjustments to conform its evaluation procedures to the guidance. 
In that case, some commenters expressed the view that while changing 
from the current evaluation approaches to the top-down, risk-based 
approach laid out in the Interpretive Guidance could result in short-
term cost increases, it would promote a cost-effective approach in the 
long-term.\70\ It is reasonable to conclude that companies will not 
elect to follow the Interpretive Guidance if, from a cost standpoint, 
they determine that it is not in their long-term interest to do so.
---------------------------------------------------------------------------

    \70\ See, for example, letters from Ace Limited, Hutchinson, and 
Neenah.
---------------------------------------------------------------------------

    For smaller public companies that have not been required to comply 
with the ICFR requirements, the costs that they will incur are a direct 
result of the imposition by the Congress of the statutory requirements 
of Section 404 of the Sarbanes-Oxley Act on them. They may be able to 
reduce their first-time evaluation costs by using the Interpretive 
Guidance as compared to what those costs would have been.
    The Interpretive Guidance advises management on how to conduct an 
efficient evaluation of ICFR, which could result in management doing 
less work, and therefore produce cost savings for the company. Those 
cost savings, however, could be offset if a company's auditor does not 
choose to use management's work to the same extent it did before, due 
to management choosing to follow the Interpretive Guidance and doing 
less work as a result.\71\ Because use of the Interpretive Guidance is 
voluntary, it is reasonable to conclude that management would choose to 
reduce the extent and cost of its work only to the degree that it did 
not result in an increase in the overall costs of complying with 
Section 404, including auditor costs.\72\ On the other hand, the rule 
amendments and Interpretive Guidance could increase the possibility 
that the auditor will, during the Section 404 audit, perform additional 
testing of internal controls beyond that which management performed in 
reliance on the Interpretive Guidance.\73\
---------------------------------------------------------------------------

    \71\ See, for example, letters from Heritage Financial 
Corporation, MSFT and Neenah.
    \72\ This cost-benefit analysis does not address the costs 
associated with the ICFR audit standard itself because the rule 
amendments do not affect the ICFR audit standard.
    \73\ See letter from UnumProvident.
---------------------------------------------------------------------------

VII. Effect on Efficiency, Competition and Capital Formation

    Section 3(f) of the Exchange Act \74\ requires the Commission, 
whenever it engages in rulemaking and is required to consider or 
determine if an action is necessary or appropriate in the public 
interest, also to consider whether the action will promote efficiency, 
competition, and capital formation. Section 23(a)(2) of the Exchange 
Act \75\ also requires the Commission, when adopting rules under the 
Exchange Act, to consider the impact that any new rule would have on 
competition. In addition, Section 23(a)(2) prohibits the Commission 
from adopting any rule that would impose a burden on competition not 
necessary or appropriate in furtherance of the purposes of the Exchange 
Act.
---------------------------------------------------------------------------

    \74\ 15 U.S.C. 78c(f).
    \75\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    The rule amendments and Interpretive Guidance will promote 
efficiency and capital formation. The Interpretive Guidance and 
related rule amendments promote efficiency by allowing management to 
focus on those controls that are needed to adequately address the risk 
of a material misstatement of the company's financial statements. The 
guidance does not require management to identify every control in a 
process or to document the business practices affecting ICFR. Rather, 
management can focus its evaluation process and the documentation 
supporting the assessment on those controls that it determines 
adequately address the risk of a material misstatement of the financial 
statements.
    One commenter expressed the view that the Section 404 requirements 
have provided significant benefits to investors and business by 
increasing the reliability of financial statements, strengthening 
internal controls, improving the efficiency of business operations and 
helping to reduce the risk of fraud.\76\ To the extent that the rule 
amendments and Interpretive Guidance make the management evaluation 
process more efficient, these benefits can all be retained at a lower 
cost.
---------------------------------------------------------------------------

    \76\ See letter from The Committee on Capital Markets Regulation.
---------------------------------------------------------------------------

    Under the Sarbanes-Oxley Act, all companies, except registered 
investment companies, are subject to the requirement to conduct an 
evaluation of their ICFR. Compliance with the amendments to Exchange 
Act Rules 13a-15 and 15d-15 and Interpretive Guidance, however, will be 
voluntary rather than mandatory and, as such, companies will be able to 
choose whether or not to follow the Interpretive Guidance. The 
amendments therefore will not impose any costs on companies that they 
do not choose to incur. Presumably, companies will only choose to rely 
on the Interpretive Guidance if they think that the benefits of using 
the guidance outweigh the costs.
    The rule amendments will encourage use of the Interpretive Guidance 
and thereby increase the efficiency with respect to the effort and 
resources associated with an evaluation of internal control over 
financial reporting and facilitate more efficient allocation of 
resources within a company. The guidance is designed to be scalable 
depending on the size of the company, which should reduce the potential 
for internal control reporting requirements to impose a higher cost 
burden on smaller companies relative to revenues.
    Capital formation may be promoted to the extent the cost of 
compliance with the evaluation requirement is lowered. Smaller private 
companies may be able to access public capital markets earlier in their 
growth and at lower cost.
    We do not believe the rule amendments or the Interpretive Guidance 
will impact competition. One commenter was concerned that the 
Interpretive Guidance could become the

[[Page 35319]]

exclusive method by which companies would conduct an evaluation of ICFR 
over time, and could discourage the development of future alternative 
evaluation frameworks.\77\ However, the rules explicitly acknowledge 
that there are many different ways to conduct an evaluation and the 
Interpretive Guidance is not exclusive.
---------------------------------------------------------------------------

    \77\ See letter from NYC Bar.
---------------------------------------------------------------------------

VIII. Final Regulatory Flexibility Analysis

    This Final Regulatory Flexibility Analysis (``FRFA'') has been 
prepared in accordance with the Regulatory Flexibility Act.\78\ This 
FRFA relates to amendments to Exchange Act Rules 13a-15(c), 15d-15(c), 
and 12b-2, Rules 1-02 and 2-02 of Regulation S-X, and Item 308 of 
Regulations S-B and S-K. These rules require the management of an 
Exchange Act reporting company, other than a registered investment 
company, to evaluate, as of the company's fiscal year-end, the 
effectiveness of the company's ICFR. Furthermore, these rules also 
require the public accounting firm that issues an audit report on the 
company's financial statements to attest to, and report on, 
management's assessment of the company's ICFR. We are amending these 
rules to: (1) Provide companies with the assurance that an evaluation 
that complies with our Interpretive Guidance will satisfy the annual 
management ICFR evaluation requirement; (2) require a company's auditor 
to express only one opinion on the effectiveness of the company's ICFR; 
and (3) define the term ``material weakness.'' An Initial Regulatory 
Flexibility Analysis was prepared in accordance with the Regulatory 
Flexibility Act and included in the release proposing these 
amendments.\79\ The Proposing Release solicited comments on this 
analysis.
---------------------------------------------------------------------------

    \78\ 5 U.S.C. 601.
    \79\ 5 U.S.C. 603.
---------------------------------------------------------------------------

A. Need for the Amendments

    The amendments are designed to facilitate more effective and 
efficient evaluations of ICFR by sanctioning the Interpretive Guidance 
as a method that can be used by management to conduct an ICFR 
evaluation. Companies already have a legal obligation to establish and 
maintain an adequate system of ICFR and to evaluate and report annually 
on those financial reporting controls. Our current rules do not 
prescribe a method or set of procedures for management to follow in 
performing an evaluation of ICFR. Commenters have asserted that the 
lack of direction in either Section 404 of the Sarbanes-Oxley Act or 
implementing rules on conducting this type of evaluation has led many 
companies to look to auditing standards as a guide to conducting the 
evaluation. This has likely contributed to excessive documentation and 
testing of ICFR.
    While the rule amendments and Interpretive Guidance are designed to 
make ICFR evaluations by management more cost-effective for all 
reporting companies subject to the Section 404 requirements, they will 
be particularly useful to smaller public companies that have a public 
float below $75 million. These companies have not yet been required to 
comply with the Section 404 requirements. The rule amendments and 
Interpretive Guidance will encourage managements of smaller companies 
to scale and tailor their evaluation methods and procedures to fit 
their companies' own particular facts and circumstances.

B. Significant Issues Raised by Public Comments

    In the Proposing Release, we requested comment on any aspect of the 
IRFA, including the number of small entities that would be affected by 
the proposed amendments, and the quantitative and qualitative nature of 
the impact. Commenters addressed several aspects of the proposed rule 
amendments and the Proposed Interpretive Guidance that could 
potentially affect small entities. They expressed concern that the 
proposed amendments would not provide certainty for management because 
the Proposed Interpretive Guidance was too vague, did not provide 
adequate guidance for small companies to scale their evaluation 
procedures, and was inconsistent with several aspects of the PCAOB's 
Proposed Auditing Standard.\80\
---------------------------------------------------------------------------

    \80\ See, for example, letters from AeA, BIO, IMA and U.S. Small 
Business Administration's Office of Advocacy (SBA).
---------------------------------------------------------------------------

    In response to these comments, including comments submitted by the 
Office of Advocacy of the Small Business Administration, we have 
coordinated with the PCAOB to harmonize the Interpretive Guidance and 
rule amendments with the proposed new auditing standard. We also have 
made revisions to our Proposed Interpretive Guidance to add clarity 
while still maintaining a principles-based approach. Other comments 
that we received are discussed below.
    Smaller public companies and their investors could realize benefits 
from the rule amendments that, measured in proportion to their 
revenues, are greater than the benefits that would accrue to larger 
companies and their investors. This is because, as commenters on the 
Proposal and on previous Commission releases related to the Section 404 
requirements pointed out, the burden of internal control reporting 
compliance costs is ``disproportionately high'' for smaller public 
companies compared to larger ones.\81\ To the extent that Interpretive 
Guidance and the rule amendments reduce the cost of compliance with the 
requirements of Section 404, these cost savings will be 
disproportionately greater for smaller public companies and their 
investors.\82\
---------------------------------------------------------------------------

    \81\ See, for example, the letter from the Office of Advocacy of 
the Small Business Administration, citing the Advisory Committee 
Report at p. 33.
    \82\ Nearly 5,000 companies already are subject to the Section 
404 requirements. Larger companies may also be able to perform more 
efficient ICFR evaluations based on the Interpretive Guidance, and 
gain assurance that changes they make in their evaluation procedures 
still comply with Commission rules.
---------------------------------------------------------------------------

C. Small Entities Subject to the Final Amendments

    The amendments will affect some issuers that are ``small 
entities.'' Exchange Act Rule 0-10(a) \83\ defines an issuer, other 
than an investment company, to be a ``small business'' or ``small 
organization'' if it had total assets of $5 million or less on the last 
day of its most recent fiscal year. We estimate that there are 
approximately 1,110 issuers, other than investment companies, that may 
be considered small entities. The amendments will apply to any small 
entity, other than a registered investment company, that is subject to 
Exchange Act reporting requirements.
---------------------------------------------------------------------------

    \83\ 17 CFR 240.0-10(a).
---------------------------------------------------------------------------

    Overall, approximately 6,000 smaller public companies that are 
subject to the Exchange Act reporting requirements, but have a public 
float below $75 million, will be required to comply with these 
requirements for the first time in their annual reports for fiscal 
years ending on or after December 15, 2007. The Interpretive Guidance 
and rule amendments are intended to reduce the cost of compliance for 
these companies. Overall, more than half of the reporting companies 
subject to the Section 404 requirements are smaller public companies 
that should benefit from the rule amendments and Interpretive Guidance.

D. Reporting, Recordkeeping, and Other Compliance Requirements

    The rule amendments and Interpretive Guidance are designed to 
alleviate reporting and compliance burdens. They do not impose any new

[[Page 35320]]

reporting, recordkeeping or compliance requirements on small entities. 
The amendments are designed to make compliance with existing 
requirements more efficient. Many factors contribute to the cost of 
compliance, including the size and complexity of the company and the 
rigor of its controls. The degree to which the rule amendments will 
reduce compliance costs will depend on these factors and on the 
company's prior experience and access to information about alternative 
methods of compliance with the Section 404 requirements. Therefore, it 
is difficult to quantify the benefits of the amendments for small 
entities.

E. Agency Action To Minimize Effect on Small Entities

    The Regulatory Flexibility Act directs us to consider alternatives 
that would accomplish our stated objectives, while minimizing any 
significant adverse impact on small entities. In connection with the 
rule amendments and Interpretive Guidance, we considered alternatives, 
including establishing different compliance or reporting requirements 
that take into account the resources available to small entities, 
clarifying or simplifying compliance and reporting requirements under 
the rules for small entities, using design rather than performance 
standards, and exempting small entities from all or part of the 
Interpretive Guidance and rule amendments.
    Regarding the first alternative, the Commission has effectively 
established different compliance requirements for smaller entities by 
making the Interpretive Guidance scalable in order to take into account 
the resources available to smaller public companies, including those 
that are small entities. Regarding the second alternative, the 
Interpretive Guidance and rule amendments clarify and simplify the 
Section 404 reporting requirements for all reporting companies, 
including small entities. The final rules create a principles-based set 
of guidelines for management that will produce more effective and 
efficient evaluations of ICFR for small entities, as well as other 
reporting companies subject to the Section 404 requirements.
    The Interpretive Guidance describes a top-down, risk-based approach 
to evaluating ICFR. It promotes efficiency for companies of all sizes 
by allowing management to focus its efforts on those controls that are 
needed to adequately address the risk of a material misstatement in a 
company's financial statements.
    Regarding the third alternative, the rule amendments and 
Interpretive Guidance set forth primarily performance rather than 
design standards, in particular to aid the management of non-
accelerated filers (including small entities) in conducting an 
evaluation of ICFR. The amendments provide assurance that compliance 
with the Interpretive Guidance will satisfy the management evaluation 
requirement in Exchange Act Rules 13a-15 and 15d-15. The rule 
amendments and Interpretive Guidance afford companies choosing to 
follow the Interpretive Guidance considerable flexibility to scale and 
tailor their evaluation methods to fit the particular circumstances of 
the company. This flexibility is especially beneficial to non-
accelerated filers (including small entities).
    For example, in many smaller companies senior management is more 
involved in the day-to-day operations of the company. The Interpretive 
Guidance describes how management's daily interaction, as well as other 
forms of on-going monitoring activities, can provide evidence in the 
evaluation process. This flexibility should enable smaller companies to 
keep costs of compliance with the management evaluation requirement as 
low as possible.
    The rule amendments explicitly state that a company's management 
does not need to comply with the Interpretive Guidance. The amendments 
provide assurance, however, to a company choosing to follow the 
guidance that it has satisfied management's obligation to conduct an 
evaluation of internal control in an appropriate manner. Small entities 
should be able to reduce the amount of testing and documentation by 
relying on the Interpretive Guidance rather than auditing standards to 
plan and conduct their evaluations of ICFR.
    Regarding the final alternative, we believe that an exclusion of 
small entities from the Interpretive Guidance and the rule amendments 
would discourage small entities from using the principles-based 
Interpretive Guidance and would be inconsistent with our goal of 
developing a more effective and flexible ICFR evaluation process that 
is scaled and tailored to meet the small entity's particular 
circumstances.

IX. Statutory Authority and Text of Rule Amendments

    The amendments described in this release are being adopted under 
the authority set forth in Sections 12, 13, 15, 23 of the Exchange Act, 
and Sections 3(a) and 404 of the Sarbanes-Oxley Act.

List of Subjects

17 CFR Part 210

    Accountants, Accounting, Reporting and recordkeeping requirements, 
Securities.

17 CFR Parts 228, 229 and 240

    Reporting and recordkeeping requirements, Securities.

Text of Amendments

For the reasons set out in the preamble, the Commission amends title 
17, chapter II, of the Code of Federal Regulations as follows:

PART 210--FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL 
STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 
1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT 
COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY 
POLICY AND CONSERVATION ACT OF 1975

1. The authority citation for part 210 continues to read as follows:

    Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 
77aa(25), 77aa(26), 78c, 78j-1, 78l, 78m, 78n, 78o(d), 78q, 78u-5, 
78w(a), 78ll, 78mm, 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-
37(a), 80b-3, 80b-11, 7202 and 7262, unless otherwise noted.

2. Amend Sec.  210.1-02 by:
a. revising paragraph (a)(2);
b. redesignating paragraphs (p) through (bb) as paragraphs (q) through 
(cc); and
c. adding new paragraph (p).
    The revision and additions read as follows:


Sec.  210.1-02  Definition of terms used in Regulation S-X (17 CFR part 
210).

* * * * *
    (a) * * *
    (2) Attestation report on internal control over financial 
reporting. The term attestation report on internal control over 
financial reporting means a report in which a registered public 
accounting firm expresses an opinion, either unqualified or adverse, as 
to whether the registrant maintained, in all material respects, 
effective internal control over financial reporting (as defined in 
Sec.  240.13a-15(f) or 240.15d-15(f) of this chapter), except in the 
rare circumstance of a scope limitation that cannot be overcome by the 
registrant or the registered public accounting firm which would result 
in the accounting firm disclaiming an opinion.
* * * * *
    (p) Material weakness. The term material weakness is a deficiency, 
or a

[[Page 35321]]

combination of deficiencies, in internal control over financial 
reporting (as defined in Sec.  240.13a-15(f) or 240.15d-15(f) of this 
chapter) such that there is a reasonable possibility that a material 
misstatement of the registrant's annual or interim financial statements 
will not be prevented or detected on a timely basis.
* * * * *

3. Amend Sec.  210.2-02 by revising paragraph (f) to read as follows:


Sec.  210.2-02  Accountants' reports and attestation reports.

* * * * *
    (f) Attestation report on internal control over financial 
reporting. Every registered public accounting firm that issues or 
prepares an accountant's report for a registrant, other than an 
investment company registered under section 8 of the Investment Company 
Act of 1940 (15 U.S.C. 80a-8), that is included in an annual report 
required by section 13(a) or 15(d) of the Securities Exchange Act of 
1934 (15 U.S.C. 78a et seq.) containing an assessment by management of 
the effectiveness of the registrant's internal control over financial 
reporting must clearly state the opinion of the accountant, either 
unqualified or adverse, as to whether the registrant maintained, in all 
material respects, effective internal control over financial reporting, 
except in the rare circumstance of a scope limitation that cannot be 
overcome by the registrant or the registered public accounting firm 
which would result in the accounting firm disclaiming an opinion. The 
attestation report on internal control over financial reporting shall 
be dated, signed manually, identify the period covered by the report 
and indicate that the accountant has audited the effectiveness of 
internal control over financial reporting. The attestation report on 
internal control over financial reporting may be separate from the 
accountant's report.
* * * * *

4. Amend Sec.  210.2-02T by revising the section heading to read as 
follows:


Sec.  210.2-02T  Accountants' reports and attestation reports on 
internal control over financial reporting.

* * * * *

PART 228--INTEGRATED DISCLOSURE FOR SMALL BUSINESS ISSUERS

5. The authority citation for part 228 continues to read, in part, as 
follows:

    Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 
77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn, 
77sss, 78l, 78m, 78n, 78o, 78u-5, 78w, 78ll, 78mm, 80a-8, 80a-29, 
80a-30, 80a-37, 80b-11, and 7201 et seq.; and 18 U.S.C. 1350.
* * * * *

6. Amend Sec.  228.308 by revising paragraphs (a)(4) and (b) to read as 
follows:


Sec.  228.308  (Item 308) Internal control over financial reporting.

    (a) * * *
    (4) A statement that the registered public accounting firm that 
audited the financial statements included in the annual report 
containing the disclosure required by this Item has issued an 
attestation report on the small business issuer's internal control over 
financial reporting.
    (b) Attestation report of the registered public accounting firm. 
Provide the registered public accounting firm's attestation report on 
the small business issuer's internal control over financial reporting 
in the small business issuer's annual report containing the disclosure 
required by this Item.
* * * * *

PART 229--STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES 
ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND 
CONSERVATION ACT OF 1975--REGULATION S-K

7. The authority citation for part 229 continues to read, in part, as 
follows:

    Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 
77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 
77nnn, 77sss, 78c, 78i, 78j, 78l, 78m, 78n, 78o, 78u-5, 78w, 78ll, 
78mm, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-
38(a), 80a-39, 80b-11, and 7201 et seq.; and 18 U.S.C. 1350, unless 
otherwise noted.
* * * * *

8. Amend Sec.  229.308 by revising paragraphs (a)(4) and (b) to read as 
follows:


Sec.  229.308  (Item 308) Internal control over financial reporting.

    (a) * * *
    (4) A statement that the registered public accounting firm that 
audited the financial statements included in the annual report 
containing the disclosure required by this Item has issued an 
attestation report on the registrant's internal control over financial 
reporting.
    (b) Attestation report of the registered public accounting firm. 
Provide the registered public accounting firm's attestation report on 
the registrant's internal control over financial reporting in the 
registrant's annual report containing the disclosure required by this 
Item.
* * * * *

PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 
1934

9. The authority citation for part 240 continues to read, in part, as 
follows:

    Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 
78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78o, 78p, 78q, 78s, 78u-5, 
78w, 78x, 78ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 
80b-11, and 7201 et seq., and 18 U.S.C. 1350, unless otherwise 
noted.
* * * * *

10. Amend Sec.  240.12b-2 by adding the definition of ``Material 
weakness'' in alphabetical order to read as follows:


Sec.  240.12b-2  Definitions.

* * * * *
    Material weakness. The term material weakness is a deficiency, or a 
combination of deficiencies, in internal control over financial 
reporting such that there is a reasonable possibility that a material 
misstatement of the registrant's annual or interim financial statements 
will not be prevented or detected on a timely basis.
* * * * *

11. Amend Sec.  240.13a-15 by revising paragraph (c) to read as 
follows:


Sec.  240.13a-15  Controls and procedures.

* * * * *
    (c) The management of each such issuer, that either had been 
required to file an annual report pursuant to section 13(a) or 15(d) of 
the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or 
previously had filed an annual report with the Commission for the prior 
fiscal year, other than an investment company registered under section 
8 of the Investment Company Act of 1940, must evaluate, with the 
participation of the issuer's principal executive and principal 
financial officers, or persons performing similar functions, the 
effectiveness, as of the end of each fiscal year, of the issuer's 
internal control over financial reporting. The framework on which 
management's evaluation of the issuer's internal control over financial 
reporting is based must be a suitable, recognized control framework 
that is established by a body or group that has followed due-process 
procedures, including the broad distribution of the framework for 
public comment. Although there are many different ways to conduct an 
evaluation of the effectiveness of internal control over financial 
reporting to meet the

[[Page 35322]]

requirements of this paragraph, an evaluation that is conducted in 
accordance with the interpretive guidance issued by the Commission in 
Release No. 34-55929 will satisfy the evaluation required by this 
paragraph.
* * * * *

12. Amend Sec.  240.15d-15 by revising paragraph (c) to read as 
follows:


Sec.  240.15d-15  Controls and procedures.

* * * * *
    (c) The management of each such issuer, that either had been 
required to file an annual report pursuant to section 13(a) or 15(d) of 
the Act (15 U.S.C. 78m(a) or 78o(d)) for the prior fiscal year or 
previously had filed an annual report with the Commission for the prior 
fiscal year, other than an investment company registered under section 
8 of the Investment Company Act of 1940, must evaluate, with the 
participation of the issuer's principal executive and principal 
financial officers, or persons performing similar functions, the 
effectiveness, as of the end of each fiscal year, of the issuer's 
internal control over financial reporting. The framework on which 
management's evaluation of the issuer's internal control over financial 
reporting is based must be a suitable, recognized control framework 
that is established by a body or group that has followed due-process 
procedures, including the broad distribution of the framework for 
public comment. Although there are many different ways to conduct an 
evaluation of the effectiveness of internal control over financial 
reporting to meet the requirements of this paragraph, an evaluation 
that is conducted in accordance with the interpretive guidance issued 
by the Commission in Release No. 34-55929 will satisfy the evaluation 
required by this paragraph.
* * * * *

    By the Commission.

    Dated: June 20, 2007.
 Nancy M. Morris,
Secretary.
 [FR Doc. E7-12298 Filed 6-26-07; 8:45 am]