Guide to the Sarbanes-Oxley Act: Internal Controls Reporting Requirements
Total Page:16
File Type:pdf, Size:1020Kb
GUIDE TO THE SARBANES-OXLEY ACT: Internal Control Reporting Requirements Frequently Asked Questions Regarding Section 404 Fourth Edition Table of Contents Page No. Introduction .............................................................................................................................. 1 Applicability of Section 404 Requirements ...............................................................................3 1. Which companies are subject to the requirements of Section 404? .................................................................3 2.* Are foreign companies subject to the requirements of Section 404? ................................................................3 3.* Does Section 404 apply to small-business issuers? ............................................................................................3 4. Are unlisted companies with public debt required to comply with Section 404?.............................................4 5. Are municipal utilities or universities that sell bonds required to comply with Section 404? .........................4 6. Do insured depository institutions (e.g., banks and savings associations) that are already complying with the requirements of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) have to comply with Section 404?.................................................................................4 7. What is the distinction between the requirements of FDICIA and the requirements of Section 404? ................ 5 8. Does Section 404 apply to registered investment companies? ..........................................................................5 9. Does Section 404 apply to U.S. divisions or units of foreign-based companies? .............................................6 10. Does Section 404 apply to not-for-profit entities? ............................................................................................6 11. Does Section 404 apply to asset-backed issuers? ...............................................................................................6 12. Does Section 404 apply to forward-looking financial information? .................................................................6 13. Does Section 404 apply to the MD&A disclosures? ..........................................................................................7 What Is Section 404 and How Does It Relate to Sections 302 and 906? ..................................7 14.* What does Section 404 require companies to do annually? .............................................................................7 15.* What does Section 404 require companies to do quarterly? ............................................................................8 16. How often must management assess internal control over financial reporting? .............................................8 17. Is Section 404 limited to public reports for which executive certification requirements are required? ................ 9 18.* What does Section 302 of the Sarbanes-Oxley Act require companies to do?.................................................9 19. What does Section 906 of the Sarbanes-Oxley Act require companies to do?...............................................10 20.* How are the requirements under Section 404 and the requirements under Sections 302 and 906 of the Sarbanes-Oxley Act related? ..................................................................................................................11 21. How does the Section 404 assessment enhance the Section 302 executive certification process? ................12 22.* Is there a value proposition from a controls assessment process beyond compliance with Section 404? ............ 12 When Is Section 404 Effective for Different Companies? .........................................................13 23.* When do companies have to comply with the Section 404 requirements? ....................................................13 24.* Why did the SEC defer the effective date of Section 404 compliance? .........................................................14 25. What happens if an issuer that is currently not an accelerated filer qualifies as an accelerated filer because of an increase in market capitalization? When does the issuer have to file an internal control report? ................................................................................................................................. 15 * Indicates new or substantially revised material (in comparison to the third edition of this resource guide) • i Table of Contents (continued) Page No. 26.* Assume Company A, which reports on a calendar year, plans to go public this year and is expecting a capitalization below the $75 million accelerated filer threshold. When must it comply with Section 404? ............................................................................................................................. 15 27.* When is the internal control report due? ........................................................................................................15 28.* Does the independent accounting firm express an opinion on management’s assertions regarding internal control over financial reporting? ........................................................................................................15 29. As of what date is management’s annual assessment conducted? ....................................................................16 30. Is a quarterly assessment required of internal control over financial reporting? ...........................................16 31. If management is not required to assess internal control over financial reporting until the first internal control report is issued, what about the references to such internal controls in the quarterly executive certifications required by Section 302? ............................................................................16 What Is Meant by “Internal Control Over Financial Reporting” and “Disclosure Controls and Procedures”? ..................................................................................................... 17 32. What is “internal control over financial reporting”? ......................................................................................17 33. What are “disclosure controls and procedures,” a key component of the certification requirements under Section 302? ............................................................................................................17 34. What are examples of disclosure controls and procedures that generate required disclosures? ...................18 35. How should management design the disclosure controls and procedures so that the disclosure process will not become simply a ritual? .........................................................................................................21 36. What should the certifying officers do when evaluating disclosure controls and procedures on a quarterly basis? ..........................................................................................................................................21 37. How is internal control over financial reporting distinguished from disclosure controls and procedures? ................................................................................................................................................23 38. Are there examples of internal control over financial reporting that fall outside the realm of disclosure controls and procedures? ................................................................................................................24 The COSO Internal Control – Integrated Framework ...............................................................25 39. What is COSO? ................................................................................................................................................25 40. What is the Internal Control – Integrated Framework? .................................................................................25 41. How is the COSO framework applied at the entity level during the Section 404 assessment process? ...........................................................................................................................................26 42.* How is the COSO framework applied at the activity or process level during the Section 404 assessment process? ...........................................................................................................................................29 43. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element? ............................................................................33 44. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report? ............................................. 34 45. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404? ....................................................................................................................................35 46. Will the COSO framework on enterprise risk management affect the Section 404 assessment? .................35 * Indicates new or substantially revised material (in comparison to the third edition of this