Guide to the Sarbanes-Oxley Act: Internal Controls Reporting Requirements

Total Page:16

File Type:pdf, Size:1020Kb

Guide to the Sarbanes-Oxley Act: Internal Controls Reporting Requirements GUIDE TO THE SARBANES-OXLEY ACT: Internal Control Reporting Requirements Frequently Asked Questions Regarding Section 404 Fourth Edition Table of Contents Page No. Introduction .............................................................................................................................. 1 Applicability of Section 404 Requirements ...............................................................................3 1. Which companies are subject to the requirements of Section 404? .................................................................3 2.* Are foreign companies subject to the requirements of Section 404? ................................................................3 3.* Does Section 404 apply to small-business issuers? ............................................................................................3 4. Are unlisted companies with public debt required to comply with Section 404?.............................................4 5. Are municipal utilities or universities that sell bonds required to comply with Section 404? .........................4 6. Do insured depository institutions (e.g., banks and savings associations) that are already complying with the requirements of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) have to comply with Section 404?.................................................................................4 7. What is the distinction between the requirements of FDICIA and the requirements of Section 404? ................ 5 8. Does Section 404 apply to registered investment companies? ..........................................................................5 9. Does Section 404 apply to U.S. divisions or units of foreign-based companies? .............................................6 10. Does Section 404 apply to not-for-profit entities? ............................................................................................6 11. Does Section 404 apply to asset-backed issuers? ...............................................................................................6 12. Does Section 404 apply to forward-looking financial information? .................................................................6 13. Does Section 404 apply to the MD&A disclosures? ..........................................................................................7 What Is Section 404 and How Does It Relate to Sections 302 and 906? ..................................7 14.* What does Section 404 require companies to do annually? .............................................................................7 15.* What does Section 404 require companies to do quarterly? ............................................................................8 16. How often must management assess internal control over financial reporting? .............................................8 17. Is Section 404 limited to public reports for which executive certification requirements are required? ................ 9 18.* What does Section 302 of the Sarbanes-Oxley Act require companies to do?.................................................9 19. What does Section 906 of the Sarbanes-Oxley Act require companies to do?...............................................10 20.* How are the requirements under Section 404 and the requirements under Sections 302 and 906 of the Sarbanes-Oxley Act related? ..................................................................................................................11 21. How does the Section 404 assessment enhance the Section 302 executive certification process? ................12 22.* Is there a value proposition from a controls assessment process beyond compliance with Section 404? ............ 12 When Is Section 404 Effective for Different Companies? .........................................................13 23.* When do companies have to comply with the Section 404 requirements? ....................................................13 24.* Why did the SEC defer the effective date of Section 404 compliance? .........................................................14 25. What happens if an issuer that is currently not an accelerated filer qualifies as an accelerated filer because of an increase in market capitalization? When does the issuer have to file an internal control report? ................................................................................................................................. 15 * Indicates new or substantially revised material (in comparison to the third edition of this resource guide) • i Table of Contents (continued) Page No. 26.* Assume Company A, which reports on a calendar year, plans to go public this year and is expecting a capitalization below the $75 million accelerated filer threshold. When must it comply with Section 404? ............................................................................................................................. 15 27.* When is the internal control report due? ........................................................................................................15 28.* Does the independent accounting firm express an opinion on management’s assertions regarding internal control over financial reporting? ........................................................................................................15 29. As of what date is management’s annual assessment conducted? ....................................................................16 30. Is a quarterly assessment required of internal control over financial reporting? ...........................................16 31. If management is not required to assess internal control over financial reporting until the first internal control report is issued, what about the references to such internal controls in the quarterly executive certifications required by Section 302? ............................................................................16 What Is Meant by “Internal Control Over Financial Reporting” and “Disclosure Controls and Procedures”? ..................................................................................................... 17 32. What is “internal control over financial reporting”? ......................................................................................17 33. What are “disclosure controls and procedures,” a key component of the certification requirements under Section 302? ............................................................................................................17 34. What are examples of disclosure controls and procedures that generate required disclosures? ...................18 35. How should management design the disclosure controls and procedures so that the disclosure process will not become simply a ritual? .........................................................................................................21 36. What should the certifying officers do when evaluating disclosure controls and procedures on a quarterly basis? ..........................................................................................................................................21 37. How is internal control over financial reporting distinguished from disclosure controls and procedures? ................................................................................................................................................23 38. Are there examples of internal control over financial reporting that fall outside the realm of disclosure controls and procedures? ................................................................................................................24 The COSO Internal Control – Integrated Framework ...............................................................25 39. What is COSO? ................................................................................................................................................25 40. What is the Internal Control – Integrated Framework? .................................................................................25 41. How is the COSO framework applied at the entity level during the Section 404 assessment process? ...........................................................................................................................................26 42.* How is the COSO framework applied at the activity or process level during the Section 404 assessment process? ...........................................................................................................................................29 43. Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element? ............................................................................33 44. Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report? ............................................. 34 45. If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404? ....................................................................................................................................35 46. Will the COSO framework on enterprise risk management affect the Section 404 assessment? .................35 * Indicates new or substantially revised material (in comparison to the third edition of this
Recommended publications
  • Preliminary Recommendations Proposed by the Accounting Standards Subcommittee of the SEC Advisory Committee on Smaller Public Companies
    Preliminary Recommendations Proposed by the Accounting Standards Subcommittee of the SEC Advisory Committee on Smaller Public Companies Summary of Preliminary Recommendations The Accounting Standards Subcommittee submits the following preliminary recommendations, listed in order of importance, to the full Advisory Committee for their consideration:∗ 1. MicroCap companies should be permitted to apply the same effective dates that the FASB provides for private companies in implementing new accounting standards. 2. The SEC should implement a de minimis provision in the application of independence rules. 3. The SEC should consider additional guidance for all pubic companies with respect to materiality related to previously issued financial statements. 4. The SEC should change the requirements for Smaller Public Companies, including MicroCap companies, from reporting three years of financial information to reporting two years of financial information. 5. The SEC should formally encourage the FASB to pursue objectives-based accounting standards. In addition, simplicity and the ease of application should be important considerations when new accounting standards are established. 6. The SEC should develop a “safe-harbor” protocol for accounting for transactions that would protect well-intentioned preparers from regulatory or legal action when the process is appropriately followed. 7. The SEC and the PCAOB should promote competition among audit firms by using their influence to include non-Big 4 firms in committees, public forums, etc. that would increase the awareness of these firms in the marketplace. The PCAOB should also consider minimum annual continuing professional education requirements covering topics specific to SEC matters for firms who wish to practice before the SEC. 8. The PCAOB should monitor the impact of its May 2005 guidance regarding the interaction between the auditor and its clients through the spring of 2006 reporting season.
    [Show full text]
  • 3354:1-20-07.1 Tax-Exempt Debt Compliance Procedure
    3354:1-20-07.1 Tax-Exempt Debt Compliance Procedure (A) Tax-Exempt Debt The use of tax-exempt debt plays an important role in funding a significant portion of the College’s capital projects. As a result, the College realizes the importance of complying with federal and institutional requirements regarding the issuance and ongoing management of its tax-exempt debt. This procedure is intended to define compliance practices including compliance actions, records management, and process continuity within the Administration and Finance Department. (B) Definitions Post-Issuance Debt Compliance: The activities undertaken following the issuance of tax-exempt debt in order to comply with federal guidelines. Failure to comply with federal guidelines could potentially render the interest of debt as taxable to investors. Tax-Exempt Debt (Bonds) Issued by the College: Debt issued and managed (1) by the College; or (2) by a State authority at the request of the College and for which the College pays its pro-rata share of the debt service. (C) Maintaining Tax-Exempt Status Tax-exempt bonds are valid debt obligations used by the College to finance construction of facilities, permanent improvements, and to receive funds in anticipation of the collection of tax receipts. This tax-exempt status remains throughout the life of the debt provided that all applicable federal tax laws are satisfied. Post-issuance tax compliance begins with the debt issuance process itself and provides for a continuing focus on investments of debt proceeds and use of debt-financed property. In order to maintain the debt status as tax-exempt, the College must comply with post-issuance debt requirements.
    [Show full text]
  • Financial Reporting: Who Does What? FUTURE of AUDIT FINANCIAL REPORTING: WHO DOES WHAT?
    ICAEW THOUGHT LEADERSHIP FUTURE OF AUDIT Financial reporting: who does what? FUTURE OF AUDIT FINANCIAL REPORTING: WHO DOES WHAT? This publication explains in simple terms who does what in the financial reporting system for UK companies with full main market listings. It is intended to serve as background reading for our 2019/20 ‘The future of audit’ thought leadership essays. They, inter alia, are designed to inform the various inquiries relevant to audit and regulation in progress at the time of writing, including by Sir Donald Brydon, Sir John Kingman, the CMA and BEIS. We hope this background paper will help directors, politicians, investors and policymakers understand the complex relationships between boards, auditors, shareholders and others, and the regulatory regime within which those relationships operate. © ICAEW 2019 All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get ICAEW’s permission in writing. ICAEW will not be liable for any reliance you place on the information in this publication. You should seek independent advice. 2 FUTURE OF AUDIT FINANCIAL REPORTING: WHO DOES WHAT? Financial statements: at the heart of the financial reporting system Financial reporting needs to improve, and everyone involved – preparers, auditors, audit committees, shareholders – needs to do more. This is no mere exhortation: all of these players are required by law, regulation and various codes to play an active part in ensuring that the financial statements, which sit at the heart of the system, pass the test required of them by law, which is that they give a ‘true and fair’ view.
    [Show full text]
  • Internal Auditing Around the World®
    ROBOTICS ARTIFICIAL INTELLIGENCE DIGITAL DATA TRANSFORMATION ANALYTICS MACHINE LEARNING TAKING ON DIGITAL INTERNAL AUDITING AROUND THE WORLD® VOLUME XIV Internal Audit, Risk, Business & Technology Consulting PROTIVITI.COM Foreword by Brian Christensen and Jonathan Wyatt Digital Transformation: A Golden Opportunity for Internal Audit Digital transformation has permeated every Organizations must be wary of their potential industry. Businesses embarking on digitally inability to respond to digital disruption and transforming processes and operations are not drive change in four key areas: improving the just embracing technological advancements. quality of customer engagement; digitizing They are also opening the door to more a product or service and thereby disrupting creativity, ingenuity and innovation. They aim an existing business model; making better, to get ahead of the curve and even perhaps data-driven decisions in near real time; and find a way to upend their entire industry. improving operational performance. While digital transformation presents Organizations undergoing digital transforma- businesses with new opportunities, it also tion typically have multiple initiatives cutting creates risks. The most profound risk is across some or all of these areas simultane- innovative disruption — namely, the threat ously. Their journey is often very complicated, INTERNAL AUDITING AROUND THE WORLD THE AROUND AUDITING INTERNAL of newer “born digital” companies grabbing arduous and long, and thus, difficult to current customers and market share thanks to manage. Ultimately, only one business their ability to transform digitally in an agile function is inherently capable of serving as manner. In many organizations, that risk is an objective guide to the board and executive compounded by resistance to change that management as they seek to understand, may impede digital transformation initiatives.
    [Show full text]
  • In Chart 1, Our Benchmarking Shows That Many Companies Significantly
    October 2015 In Chart 1, our benchmarking shows that many companies significantly underestimate the risk of a default to their company compared to S&P’s experience of its ratings’ default rates. Also, it is our experience that many companies trivialize a technical default, thinking it is of no real consequence. Legally, any default is a default, and starts a chain of consequences that is hard to control, as Chart 2 shows. Borrowers have a legal obligation to review their compliance with all of their covenants of all of their debt agreements on at least a quarterly basis. In addition, to justify classifying the debt as long-term per ASC 470-10, companies must verify that the debt has no covenant violations, no matter how insignificant. For public companies, such verification is a necessary SOX control. Some 80% of the 350 companies who reported complying with Sarbanes-Oxley in the 2012 AFP Debt Compliance Benchmarking done with DCS, and in our 2015 Debt Compliance Benchmarking, include debt compliance as an explicit part of their SOX process. Please see Chart 3. Charts 4 and 5 show the magnitude of the task: there are many covenants that can only be adequately reviewed by Subject Matter Experts (SMEs) outside of Treasury. Yet for many companies, debt compliance is an insular, silo process within Treasury. Fully 50% of the companies in both studies did not have a debt compliance policy. Lacking a policy can have these consequences: 1. An incomplete and inadequate process with no debt compliance objectives, no assignment of responsibilities, and no documentation of compliance 2.
    [Show full text]
  • Equity Method Investees — SEC Reporting Considerations
    A Roadmap to SEC Reporting Considerations for Equity Method Investees October 2020 This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances. As used in this document, “Deloitte” means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP, and Deloitte Financial Advisory Services LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Copyright © 2020 Deloitte Development LLC. All rights reserved. Publications in Deloitte’s Roadmap Series Business Combinations Business Combinations — SEC Reporting Considerations Carve-Out Transactions Comparing IFRS Standards
    [Show full text]
  • KPMG Internal Audit
    Top 10 key risks in 2015 KPMG Internal Audit kpmg.ch The role of an effective internal audit (IA) function today is much more than simply compliance. Competing in a rapidly changing business world, companies must grapple with emerging challenges seemingly every day: new and complex regulations, cyber threats, increased reliance on data and analytics, mergers and acquisitions, expanding international operations, outsourcing, and more. IA needs to stay current with these wide-ranging business issues as they emerge so it can remain relevant to the organization. These business trends carry new risks, and IA needs to continually monitor these risks and their potential effects on the organization. To provide the greatest value, IA must find opportunities to challenge the status quo to reduce risk, improve controls, and identify potential efficiencies and cost benefits across the organization. To help IA functions achieve these goals, KPMG LLP (KPMG) has surveyed its professionals and IA departments from companies in multiple industries. The result is KPMG Internal Audit: Top 10 key risks in 2015, which outlines areas where IA can improve its focus so it can more effectively add value across the organization and maximize its influence, including allocating its resources in those areas of highest impact to the organization. Top 10 key risks in 2015 1 Cybersecurity 2 Regulatory compliance 3 Antibribery/Anticorruption 4 International operations 5 Third-party relationships 6 Mergers, acquisitions, and divestitures 7 Strategic alignment 8 Integrated
    [Show full text]
  • Vol. 15: Next-Gen Internal Audit
    Internal Audit, Risk, Business & Technology Consulting next-gen internal audit ARE YOU READY? VOL. Internal Auditing XV Around the World® Internal Auditing Around the World® Vol. XV Next-Generation Internal Audit: Catch the Wave BRIAN CHRISTENSEN ANDREW STRUTHERS-KENNEDY Protiviti Executive Vice President Protiviti Managing Director Global Internal Audit Global IT Audit Leader Experiment. Learn. Repeat. A critical mass of factors has led internal audit functions to a watershed moment: They must disrupt or be disrupted. At Protiviti, we refer to the innovation and transformation internal audit functions must pursue as next-generation internal audit.1 These efforts — already underway in a growing number of companies — vary. But they share an agile, holistic approach centering on new directions for governance, methodology and technology that deliver efficiency improvements, stronger assurance and more valuable business insights. For compelling reasons, chief audit executives (CAEs) are urging their teams to embrace an entrepreneurial spirit. Boards of directors and audit committees are raising their expectations regarding internal audit’s role. Directors no longer view internal audit as a place where a simple command of controls is sufficient. They and management want internal audit to address corporate culture, sustainability strategies, and other, still-unfolding and less tangible sources of organizational value. 1 The Next Generation of Internal Auditing — Are You Ready? Catch the Innovation Wave, November 2018, Protiviti: www.protiviti.com/ auditnextgen. Internal audit’s expanding role also demands keeping pace with business partners that are implementing transformation at breakneck speed. They are overhauling traditional business models and processes to enhance the customer experience, digitizing more offerings, and fortifying data-driven decision-making to boost operational performance.
    [Show full text]
  • Metropolitan Council Internal Audit Charter A
    METROPOLITAN COUNCIL INTERNAL AUDIT CHARTER A. AUDIT COMMITTEE PURPOSE: The Metropolitan Council has established a special committee of the Council to be called the Metropolitan Council Audit Committee. The purpose of the Committee is to assist the Metropolitan Council in fulfilling its oversight responsibility for the integrity of the Council’s financial and operational results, compliance with legal and regulatory requirements, and the performance of internal audit and external auditors. AUTHORITY: The Audit Committee has authority to conduct or authorize special audits and investigations into any matters within its scope of responsibility. It is empowered to: Approve the Chief Audit Executive’s Audit Plan. Resolve any disagreements between management and the internal/external auditors regarding financial or operational control and reporting. Review and accept external auditors’ reports along with management’s written responses when appropriate. Obtain information from employees or external parties as part of its review. Council employees are directed to cooperate with Audit Committee requests. Meet with Council employees, external auditors, legal counsel, or others as necessary. Be consulted regarding changes in the Chief Audit Executive’s duties. Be informed of all matters that impair the conduct of an audit or review. However, where feasible such matters shall be first brought to the attention of the Regional Administrator for resolution before communicating them to the Audit Committee. Make periodic reports to the Council or appropriate standing committee established by the Council. RESPONSIBILITIES: Financial and Operational Review Oversight Review significant accounting, operational and reporting issues and understand their impact on the financial and operating results on the Metropolitan Council’s system of internal control.
    [Show full text]
  • Internal Control and the Board: What Is All the Fuss About?
    The Deloitte Academy June 2021 Stakeholders Societal licence Shareholders Responsible business Transparency Corporate governance Viability Company purposeAudit committee Culture Strategy Viability Internal control KPIs Audit quality Remuneration Sustainability Trust Shareholders Strategy Assurance KPIs Reputation Capability Stakeholders Company purpose Viability Internal control and the board: What is all the fuss about? Headlines • The UK Corporate Governance Code already establishes a clear responsibility on the whole board to establish a framework of prudent and effective controls – however, behind the UK proposals for a US style internal control attestation are very real questions as to whether responsibilities go far enough and whether there is sufficient guidance for boards, together with sufficiently detailed information from management, to meet these responsibilities effectively. • In particular the guidance does not address the pervasiveness of technology in detail, and boards may not be obtaining sufficient assurance over the effectiveness of IT controls given the complexity and interdependency of the IT infrastructure which exists in many companies today. • The extent of work performed by external auditors is also not well understood - careful questioning of auditors in relation to their audit scope and approach could reveal much about the control environment. • In summary, boards should not wait for further announcements from the Government or FRC/ARGA before taking action in this area, particularly if they are not able to answer the questions which we raise throughout this publication. Internal control and the board: What is all the fuss about? A reminder of the current UK Corporate Governance Code requirements • Overarching board responsibility from Code Principle C: The board should establish a framework of prudent and effective controls, which enable risk to be assessed and managed.
    [Show full text]
  • Auditor Selection Guidance 2020
    STATE OF FLORIDA AUDITOR GENERAL AUDITOR SELECTION AND AUDITOR SELECTION COMMITTEE GUIDANCE EFFECTIVE FOR AUDITS FOR FISCAL YEARS ENDED SEPTEMBER 30, 2021, AND THEREAFTER SEPTEMBER 2021 Table of Contents Auditor Selection Law ....................................................................................................... 1 Auditor Selection Committee Composition and Size ...................................................... 1 Legal Requirements .................................................................................................. 1 Nonmandatory Guidance ........................................................................................... 2 Small Government Considerations ............................................................................ 3 Auditor Selection Committee Responsibilities................................................................. 3 Legal Requirements .................................................................................................. 3 Nonmandatory Guidance .......................................................................................... 3 • Establishment of the Auditor Selection Committee ........................................ 3 • Auditor Selection Committee Responsibilities ................................................ 4 • Communications with the Auditor Selection Committee ................................. 6 Small Government Considerations ............................................................................ 6 Audit Proposal Evaluation Factors ..................................................................................
    [Show full text]
  • View Management Consulting Flyer Now!
    MENDOZA COLLEGE of BUSINESS MANAGEMENT & Undergraduate Undergraduate Enrollment Career ORGANIZATION (Spring 2020) Outcomes MCOB “From empathy 65 95% and human- MGTC MAJORS centered design, (JUNIORS & SENIORS) PLACEMENT RATE to effective communication 143 and teamwork, $65,000 INNOVATION & ENTREPRENEURSHIP AVERAGE STARTING to deeply MINORS SALARY analytical and technical RECENT PLACEMENTS STUDENT ORGANIZATIONS skills, the 84.51 Business Action in Social Accenture Entrepreneurship Management ALDI Design for America Consulting Arizona Coyotes Organization Entrepreneurship Society Undergraduate Studies Avanade Notre Dame Venture Capital and curriculum Booz Allen Hamilton Entrepreneurship Group truly immerses Capital One Unleashed (Impact Investing M&O MAJOR Chicago Bears initiative) Leadership. Innovation and design thinking. students in Credit Suisse The Management Consulting (MGTC) major prepares the world of Dallas Wings Problem solving to create strategic solutions students to manage people and processes in both large Deloitte ACADEMIC CENTERS that have a positive impact on the people you and small organizations and to consult with organizations business and E&J Gallo Center for Ethics and Religious Values on these issues. The major includes courses in international eviCore Healthcare work with, the stakeholders you serve and the in Business management, business problem solving and strategic HR enables them EY Notre Dame Deloitte Center for Ethical greater human community. management, as well as the opportunity to learn leading- to holistically
    [Show full text]