Management's Reporting on Internal Control Over Financial Reporting, written by Audrey A. Gramling, Ph.D., CPA, CIA, of Coles College of Business, Kennesaw State University and Paul L. Walker, Ph.D., CPA, of McIntire School of Commerce at University of Virginia, focuses on management's responsibility for reporting on the effectiveness of internal control over financial reporting as mandated by Section 404 of the Sarbanes-Oxley Act of 2002.
The Sarbanes-Oxley Act created a requirement that annual reports filed with the Securities and Exchange Commission contain management's report on the effectiveness of internal control over financial reporting.
This Portfolio analyzes that requirement. It outlines a process that may be adopted by management to assess the effectiveness of internal control over financial reporting and includes a discussion on the interrelated activities of public company external auditors.
Management's Reporting on Internal Control Over Financial Reporting is relevant to both accelerated and non-accelerated filers. The accelerated filer may use this Portfolio to reconsider aspects of the evaluation process that have been in place during the first years of compliance with Section 404.
This fresh look should focus management's attention on the company's financial reporting risks, the controls that the company has designed and implemented to address those risks, testing strategies to determine the operating effectiveness of internal controls that have been implemented, and documentation levels necessary to support management's assessment of the effectiveness of internal controls over financial reporting.
Management of the non-accelerated filer may integrate the information in this Portfolio into the company's planned approach as it designs that approach for its first years of compliance with Section 404 reporting and auditing requirements.
Management is reminded that the SEC provides the relevant guidance for management reporting on internal control over financial reporting, and management should refer to the appropriate literature on assessing the effectiveness of internal control over financial reporting.
This Portfolio also provides a historical perspective on voluntary and mandated reporting on internal control over financial reporting, including information on internal control reports filed with the SEC under the requirements of Sarbanes-Oxley §404, and discusses widely accepted internal control frameworks, including the Committee of Sponsoring Organizations' (COSO) framework of internal control, Internal Control—Integrated Framework and COSO's updated framework, Internal Control Over Financial Reporting—Guidance for Smaller Public Companies.
This Portfolio provides:
Management's Reporting on Internal Control Over Financial Reporting allows you to benefit from:
This Portfolio is included in the Accounting Policy & Practice Series, a comprehensive series of titles which explain, explicate, and offer commentary on a wide range of accounting and financial management topics, including revenue recognition, income taxes, leasing, business combinations, debt instruments, risk management, internal controls and more.
Detailed Analysis
I. Introduction and Scope of Portfolio
A. Introduction and Objectives of Portfolio
B. Relevant Authoritative Guidance
C. Scope of Portfolio
II. Development of Internal Control Reporting Requirements
A. Corporate Failures and Regulation-A Pattern of Change and Improvement
B. Prior Regulatory Attempts to Mandate Internal Control Over Financial Reporting (ICFR)
1. Foreign Corrupt Practices Act
2. Cohen Commission
3. SEC's Proposed 1979 Rule to Mandate Reporting on Internal Control
4. Treadway Commission
5. SEC's Proposed 1988 Rule to Mandate Reporting on Internal Control
C. Other Key Internal Control Dates and Documents
1. Federal Deposit Insurance Corporation Improvement Act of 1991
2. Committee of Sponsoring Organizations Issues the Internal Control-Integrated Framework
D. Voluntary Management Reporting on Internal Control
1. Raghunandan and Rama: Voluntary Reporting in 1993
2. Willis and Lightle: Voluntary Reporting in 1998
3. Voluntary Reporting in 2002 Immediately Preceding the Sarbanes-Oxley Act
4. Voluntary Reporting-Summary Comments
E. Fraud and Management Reports on Internal Control
F. The Demand for Internal Control Reporting
G. The Role of the Independent External Auditor in Internal Control Reports
H. Timeline for Mandated Internal Control Reporting and Auditing
1. Initial Years of Compliance With Sarbanes-Oxley § 404
2. Ongoing Compliance Efforts and Additional Guidance
I. Implications of Complying With Sarbanes-Oxley § 404
1. Costs
2. Section 404 Results and Summary Statistics
a. Material Weaknesses by Industry and Year
b. Material Weaknesses by Company Size
c. Average Material Weaknesses Per Reporting Company
d. Common Material Weaknesses
e. Accounting Application Failures
f. Foreign Registrants and Material Weaknesses
3. Sarbanes-Oxley Compliance Issues
4. The Debate Regarding Section 404 Requirements
III. Internal Control Reporting Requirements for Issuers
A. Requirements for Management's Assessment and the Auditor's Opinion on Internal Controls (Sarbanes-Oxley § 404)
1. Management's Requirement to Report on ICFR
a. Annual Reporting Requirement
b. Quarterly Certification Requirements
2. Auditor's Requirement to Report on ICFR
B. Key Terms
1. Internal Control Over Financial Reporting
2. Control Deficiencies and Effectiveness of ICFR
3. Material Weakness
4. Significant Deficiency
C. SEC Guidance for Management
D. PCAOB Guidance for Auditors
E. Compliance Dates and Exemptions
1. U.S. Issuer
a. Large Accelerated Filers
b. Accelerated Filers That Are Not Large Accelerated Filers
c. Non-Accelerated Filers
d. Newly Public Companies
2. Foreign Private Issuers
a. Foreign Private Issuers That Are Large Accelerated Filers
b. Foreign Private Issuers That Are Accelerated Filers But Not Large Accelerated Filers
c. Foreign Private Issuers That Are Non-Accelerated Filers
d. Foreign Private Issuers That Are Newly Public Companies
IV. Internal Control Frameworks
A. Criteria for Use of Frameworks to Assess ICFR
B. COSO Framework and Guidance
1. The COSO Internal Control-Integrated Framework
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities
2. COSO Guidance for Smaller Public Companies
a. The Three Volumes
b. Application of Guidance to Internal Control
C. Frameworks Other Than COSO
1. Australia and the Risk Management Standard
a. Australian Corporations Act, Australian Stock Exchange, and the Corporate Governance Statement
b. Statement of Corporate Governance- WorleyParsons Ltd.
c. Example of the Australian System: ASX Ltd.
2. South Africa and the King II Report
a. King II Report
b. Example of the South African System: DigiCore Holdings Ltd.
c. Example of the South African System: Santam Co.
3. United Kingdom and the Combined Code and Turnbull
a. The Combined Code and the London Stock Exchange
b. Turnbull
c. Example of the United Kingdom System: Rolls-Royce Group plc
4. Canada and Guidance on Control
a. Criteria of Control
b. Canadian Framework Requirement
D. Adopting a Non-U.S. Control Framework
E. The Proposed Framework of the IMA
F. The SEC View on an ERM Framework
G. Information Technology Frameworks
1. COSO Integrated Framework
2. Control Objectives for Information and Related Technology (COBIT)
3. Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT)
4. International Organization for Standardization (ISO)
V. Management's Evaluation Process for Assessing and Reporting on the Effectiveness of Internal Control Over Financial Reporting (ICFR)
Introductory Material
A. Management's Responsibilities and SEC Guidance for Management
1. Management's Responsibilities Related to ICFR
2. Effort Necessary to Conduct an Evaluation of ICFR
3. Safe Harbor for Compliance With SEC's Guidance for Management
B. Evaluation and Assessment of ICFR: Two Broad Principles
C. Management's Evaluation Process
1. Overview of Management's Evaluation Process
2. Stage 1: Identifying Financial Reporting Risks and Controls Implemented to Mitigate Those Risks
a. Identifying Financial Reporting Risks
i. Identifying the Materiality Threshold
ii. Identifying Financial Reporting Risks
b. Identifying and Assessing the Design of Controls That Mitigate Financial Reporting Risks
i. Control Characteristics
ii. Entity-Level Controls
iii. Controls at the Transaction or Account Balance Level
iv. Information Technology Related Controls
c. Documenting Control Design and Design Effectiveness
3. Stage 2: Evaluating the Operating Effectiveness of ICFR
a. Determining the Sufficiency of Evidence Needed to Support the Assessment of Operating Effectiveness
b. Selecting Testing Procedures to Evaluate the Operating Effectiveness of ICFR
i. Nature of Testing
ii. Timing of Testing
iii. Extent of Testing
c. Deciding on Other Testing Considerations
i. Evaluating Operating Effectiveness of Entity-Level Controls
ii. Evaluating Operating Effectiveness of Automated Application Controls
iii. Evaluating Operating Effectiveness of General Computer Controls
iv. Multiple Location Considerations
d. Documenting Operating Effectiveness
4. Other Management Considerations in Evaluating ICFR Design and Operating Effectiveness
a. Material Acquisitions
b. Change in or Elimination of Controls
c. Outsourced Processes
5. Stage 3: Reporting on Effectiveness of ICFR by Management
a. Evaluating Control Deficiencies
b. Determining Reporting Options for Management
c. Providing Public Disclosures About Material Weaknesses
d. Inability to Assess Certain Aspects of ICFR
e. Impact of Restatement of Previously Issued Financial Statements
D. Coordinating With the External Auditor
1. Maximizing the External Auditor's Reliance on Management's and Others' Testing
2. Reporting on ICFR by the External Auditor
a. Information That Management Will Be Providing to the External Auditor
b. Non-Modified and Modified Reporting Options of the External Auditor
i. Non-Modified Reporting Options
ii. Elements of Management's Annual Report on Internal Control Are Incomplete or Improperly Presented
iii. There Is a Restriction on the Scope of the Engagement
iv. The Auditor Decides to Refer to the Report of Other Auditors as the Basis, in Part, for the Auditor's Own Report
v. There Is Other Information Contained in Management's Annual Report on ICFR
vi. Management's Annual Certification Pursuant to Section 302 of the Sarbanes-Oxley Act Is Misstated
VI. Additional Benefits Gained From Assessment of Internal Control Over Financial Reporting (ICFR)
A. Improving Current Controls
B. Centralizing Operations
C. Analyzing Information Needs and Flows
D. Extending Internal Control Reporting Activities to Other Enterprise Risk Management Activities
Working Papers
TABLE OF WORKSHEETS
Worksheet 1 Sarbanes-Oxley Act of 2002, § 404
Worksheet 2 Treadway Commission Proposed Management Report
Worksheet 3 Baxter International's 1993 Management Responsibility for Financial Reporting Example
Worksheet 4 Baxter International's 1995 Management Responsibility for Financial Reporting Example
Worksheet 5 Management Report on Internal Control by First Union
Worksheet 6 Management Report on Internal Control by Chase
Worksheet 7 Changes in the External Audit Process Resulting From PCAOB AS 5 Superseding PCAOB AS 2
Worksheet 8 Summary of Compliance Dates for Section 404 Reporting
Worksheet 9 Section 404 Reporting: Effective Versus Not Effective Internal Controls
Worksheet 10 Section 404 Reporting: Material Weakness Reporting by Industry
Worksheet 11 Section 404 Reporting: Material Weakness Reporting by Company Size
Worksheet 12 Section 404 Reporting: Types of Reported Material Weaknesses in Year 2 for the 392 Companies That Reported a Material Weakness
Worksheet 13 WorleyParsons Corporate Governance Statement-Principle 4
Worksheet 14 WorleyParsons Corporate Governance Statement-Principle 7
Worksheet 15 Australia/New Zealand Management Standard-Risk Management Process-Overview
Worksheet 16 Australian Stock Exchange Limited Corporate Governance Statement Excerpt From 2006 Annual Report
Worksheet 17 Description of ASX's Risk Management Policy and Internal Compliance and Control System
Worksheet 18 DigiCore's Corporate Governance Disclosure
Worksheet 19 DigiCore's Risk Committee Disclosure
Worksheet 20 DigiCore's Internal Control Disclosure
Worksheet 21 DigiCore's Director's Responsibility for Financial Reporting
Worksheet 22 DigiCore's Report of the Directors (Excerpt)
Worksheet 23 Santam's 2005 Corporate Governance Disclosures (Excerpt)
Worksheet 24 Santam's Strategic Enterprise Risk Management Framework
Worksheet 25 Santam's 2005 Responsibility for and Approval of the Group Annual Financial Statements
Worksheet 26 Rolls-Royce Audit Committee Disclosures
Worksheet 27 Rolls-Royce Risk Committee
Worksheet 28 Rolls-Royce Internal Controls and Risk Management: Directors' Responsibilities
Worksheet 29 Rolls-Royce Organisation and Risk Management System
Worksheet 30 Rolls-Royce Systems of Internal Control
Worksheet 31 Rolls-Royce Independent Auditor's Report
Worksheet 32 Mapping of Internal Control Principles With the COSO Components of Internal Control
Worksheet 33 Steps Involved in Management's Evaluation of Internal Control Over Financial Reporting
Worksheet 34 Financial Statement Assertions
Worksheet 35 Nature, Timing, and Extent of Testing Based on Level of Risk Control Is Designed to Mitigate
Worksheet 36 Nature, Timing, and Extent of Testing Based on Risk of Control Failure
Worksheet 37 Illustrations of Approaches to Testing the Operating Effectiveness of Entity-Level Controls: Control Environment
Worksheet 38 Illustrations of Approaches to Testing the Operating Effectiveness of Entity-Level Controls: Risk Assessment
Worksheet 39 Illustrations of Approaches to Testing the Operating Effectiveness of Entity-Level Controls: Information and Communication
Worksheet 40 Illustrations of Approaches to Testing the Operating Effectiveness of Entity-Level Controls: Monitoring
Worksheet 41 Partially Completed Testing Matrix for Financial Reporting Element: Contract Revenue
Worksheet 42 Areas of Consideration for Management Before Deciding on Reporting Options
Worksheet 43 Management Report When Management Has Assessed Its Internal Control Over Financial Reporting as Effective
Worksheet 44 Management Report When Management Has Assessed Its Internal Control Over Financial Reporting as Ineffective: Example 1
Worksheet 45 Management Report When Management Has Assessed Its Internal Control Over Financial Reporting as Ineffective: Example 2
Worksheet 46 Summary of Management's Section 404 Reporting Options
Worksheet 47 Management's Disclosure of Remediation Efforts Related to Identified Material Weaknesses
Worksheet 48 Reporting on Whether a Previously Reported Material Weakness Continues to Exist
Worksheet 49 Illustrative Auditor's Report for a Continuing Auditor Expressing an Opinion That a Previously Reported Material Weakness No Longer Exists
Worksheet 50 Audit Opinion When the Auditor Has Assessed the Client's Internal Control Over Financial Reporting as Effective
Worksheet 51 Adverse Audit Opinion When the Auditor Has Assessed the Client's Internal Control Over Financial Reporting as Ineffective
Worksheet 52 Summary of Possible Non-Modified Reporting Options by Management and the External Auditor on the Effectiveness of Internal Control Over Financial Reporting
Worksheet 53 Canada's Criteria of Control
Worksheet 54 Canadian Criteria Regrouped Into COSO Components
Worksheet 55 COBIT Model
Worksheet 56 COBIT Domains Mapped to COSO Components
Worksheet 57 IT Compliance Road Map
Bibliography
OFFICIAL
Statutes
Cases
Legislative Materials
Securities and Exchange Commission
SEC Rules, Rule Amendments, and Orders
SEC Frequently Asked Questions and Other Guidance
SEC Staff Accounting Bulletins
SEC Filings
Other SEC Materials
Public Company Accounting Oversight Board
PCAOB Auditing Standards
PCAOB Interim Auditing Standards
PCAOB Adopting Releases
Other PCAOB Guidance
Government Accountability Office Reports
Financial Accounting Standards Board
FASB Statements of Financial Accounting Standards
FASB Statements of Financial Accounting Concepts
American Institute of Certified Public Accountants Statements on Auditing Standards
International Authorities
Other Annual Reports
UNOFFICIAL
BNA Portfolios
Periodicals
Books, Reports, and Miscellaneous