The next wave of regulation

For most U.S. public companies, the Sarbanes-Oxley Act of 2002 has been the legal equivalent of a giant seismic disturbance in the middle of the ocean. Since Sarbanes-Oxley was enacted in July 2002, wave after wave of compliance challenges have been rolling onto the beaches of corporate America.

In 2004, the biggest Sarbanes-Oxley wave to hit the beach will likely involve “internal control over financial reporting.” And this is not going to be just another wave. Internal control over financial reporting may turn out to be the granddaddy of all waves spawned by Sarbanes-Oxley.

What are internal controls?

Internal control over financial reporting consists of those processes and procedures of a company that provide assurance that the company’s financial statements are reliable and are prepared in accordance with Generally Accepted Accounting Principles. For example, the procedures that require accounting review of modifications to a company’s customer contracts to assess whether the modifications affect the timing or amount of revenue recognized under the contracts are part of the company’s internal control over financial reporting.

Internal controls are not new. In 1977, the Foreign Corrupt Practices Act codified existing auditing standards that required U.S. public companies to maintain a system of internal accounting controls. In 1985, the Treadway Commission, a private-sector initiative formed to study the financial reporting system in the United States, recommended that public companies develop a common framework to evaluate the effectiveness of a company’s internal controls. In 1992, the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, issued a report proposing a definition of internal controls and identifying criteria that companies can use to evaluate their internal controls.

In 1994, the American Institute of Certified Public Accountants incorporated the definition of internal controls in the COSO Report into Accounting Standards No. 78.

What does Sarbanes-Oxley require regarding internal control over financial reporting?

Section 404 of Sarbanes-Oxley requires that each public company subject to 404 include an “internal control report” in its Form 10-K filed annually with the SEC. The final rules under 404, which became effective Aug. 14, 2003, require that an annual control report include management’s assessment of the effectiveness of the company’s internal controls at the end of its most recent fiscal year.

Under the new rules, management may not state that the company’s internal controls are effective if there is any material weakness in the internal controls at year-end. The company’s independent auditor must issue an “attestation” report on management’s assessment of the company’s internal controls.

The auditor’s attestation report must be included in the company’s 10-K and annual report.

Why are internal controls likely to be a hot topic in 2004?

For companies that qualify as “accelerated filers” (public companies with a public float of more than $75 million), the final rules under 404 apply for 10-Ks filed for fiscal years ending after June 15, 2004.

As a result, a company that qualifies as an accelerated filer with a Dec. 31 year-end will be busy in 2004 evaluating its internal controls so management can make the required statements regarding the effectiveness of the company’s internal controls in the 10-K filed in early 2005 for the fiscal year ending Dec. 31, 2004. For other companies subject to 404, the final rules apply for 10-Ks filed for fiscal years ending after April 15, 2005.

What should you do now to prepare for the Sarbanes-Oxley 404 requirements?

Public companies subject to 404, particularly those that qualify as accelerated filers, should already be well underway in taking steps to comply with Sarbanes-Oxley 404. While there is no one-size-fits-all solution under 404, there are some steps that each company should consider in preparing for Sarbanes-Oxley 404.

* Sarbanes-Oxley 404 creates significant new rules relating to internal controls. Develop a complete understanding of the new rules so that your 404 plan will comply with all applicable requirements. Make sure you understand the role of your independent auditor under 404.

* Develop a written description of your internal controls, the purpose of each control and the officers and employees who are responsible for the effective operation of each control. Make sure your officers and employees understand their responsibilities with respect to the company’s internal controls.

* Management should set the tone for the company and emphasize the importance of effective internal controls. Use the 404 process to improve your internal controls and to implement “best practices” applicable to your business.

* Develop a process to evaluate whether your internal controls both comply with Sarbanes-Oxley 404 and are consistent with the process used by your independent auditor. Create a process to resolve on a timely basis any significant deficiencies or material weaknesses discovered in your internal controls.

* Develop a plan to prepare and maintain the documentation to support management’s finding that the design and operation of the company’s internal controls are effective as required by Sarbanes-Oxley 404.

* Review Sarbanes-Oxley 404 with your board of directors. Make sure the audit committee is familiar with each aspect of your plan so that it will be prepared to approve the annual control report and approve any proposed changes in the company’s internal controls.

* Get started early. Complete an evaluation of your internal controls and deliver a draft of your internal control report to your independent auditor before your year-end. Ask your auditor to advise you before year-end whether the auditor can issue the attestation. Save time in your process to make any changes in your internal controls necessary to correct deficiencies and weaknesses.

Can you get help from your independent auditor to design and evaluate your internal control over financial reporting?

Effective communication with your independent auditor is essential to complying with 404 on a timely basis. Meet with your independent auditor and discuss your plan to evaluate the company’s internal controls. Sarbanes-Oxley 404 permits a company to coordinate with its auditor the process used to evaluate internal controls.

In addition, a company can seek the assistance of the independent auditor in documenting the evaluation of internal controls.

There will be limits on the help that you can receive from your independent auditor. Keep in mind that one of the basic principles of Sarbanes-Oxley is auditor independence. Under the final rules, there will likely be an independence issue if you engage your auditor to design the internal controls that the auditor will later audit. In addition, under the final rules, you cannot engage your auditor to perform the evaluation of the company’s internal controls required by 404.

What processes will your independent auditor follow to attest to the effectiveness of your internal control over financial reporting?

Sarbanes-Oxley directs the Public Company Accounting Oversight Board to establish professional standards governing an independent auditor’s attestation of management’s assessment of the effectiveness of the company’s internal controls. The PCAOB released for comment a proposed auditing standard on Oct. 7, 2003.

The final audit standard will likely require that your independent auditor perform significant work to issue an attestation under 404. The proposed standard requires that an auditor test the effectiveness of the design and operation of the company’s internal controls, rather than just test the processes used by management to evaluate internal controls.

In addition, the proposed standard requires that an auditor obtain directly the “principal evidence” about the effectiveness of the company’s internal controls on which the auditor relies in issuing its attestation, which may limit significantly the ability of the auditor to rely on information obtained from the company’s internal auditor and other reliable sources.

The proposed standard also requires that an independent auditor evaluate the audit committee’s compliance with applicable listing standards regarding independence and oversight responsibility. The proposed standard provides that an ineffective audit committee should be considered a significant deficiency in internal controls and a strong indicator that a material weakness may exist.

Internal control over financial reporting is the bedrock of a company’s ability to prevent and detect financial fraud. Given the context in which Congress enacted Sarbanes-Oxley, public companies subject to 404 should not be surprised by the significant focus in Sarbanes-Oxley on internal control over financial reporting or the challenges they will face in complying with 404.

The big wave is coming, and now is the time to get ready.

Jack Capers is a partner in the Atlanta office of King & Spalding LLP, where he is a member of the Corporate Practice Group. Reach him at (404) 572-4658 or www.kslaw.com.